diff --git a/common/tls/utls_client.go b/common/tls/utls_client.go index ce5b8083ae..80188b79e8 100644 --- a/common/tls/utls_client.go +++ b/common/tls/utls_client.go @@ -23,6 +23,7 @@ import ( type UTLSClientConfig struct { config *utls.Config paddingSize [2]int + paddingSNI string id utls.ClientHelloID } @@ -52,13 +53,22 @@ func (e *UTLSClientConfig) Config() (*STDConfig, error) { func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) { var uConn *utls.UConn if e.id != utls.HelloCustom { - uConn = utls.UClient(conn, e.config.Clone(), e.id) } else { var err error - uConn, err = makeTLSHelloPacketWithPadding(conn, e, e.config.ServerName) - if err != nil { - return nil, err + + if e.paddingSNI != "" { + // TODO: add a flag to switch between random padding and smart padding + uConn, err = makeTLSHelloPacketWithSmartPadding(conn, e, e.config.ServerName, e.paddingSNI) + if err != nil { + return nil, err + } + } else { + + uConn, err = makeTLSHelloPacketWithPadding(conn, e, e.config.ServerName) + if err != nil { + return nil, err + } } } return &utlsALPNWrapper{utlsConnWrapper{UConn: uConn}, e.config.NextProtos}, nil @@ -205,6 +215,12 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out if err != nil { return nil, err } + + if options.PaddingSNI != "" { + // using smartpadding + return &UTLSClientConfig{config: &tlsConfig, paddingSNI: options.PaddingSNI, id: id}, nil + } + if options.PaddingSize != "" { padding_size, err := option.ParseIntRange(options.PaddingSize) if err != nil { diff --git a/common/tls/utls_padding.go b/common/tls/utls_padding.go index 7127562d93..5cbad381ab 100644 --- a/common/tls/utls_padding.go +++ b/common/tls/utls_padding.go @@ -1,4 +1,4 @@ -//go:build with_utls +// go:build with_utls package tls diff --git a/common/tls/utls_smartpadding.go b/common/tls/utls_smartpadding.go new file mode 100644 index 0000000000..c4e95e05d5 --- /dev/null +++ b/common/tls/utls_smartpadding.go @@ -0,0 +1,133 @@ +// go:build with_utls + +package tls + +import ( + "io" + "net" + + utls "github.com/sagernet/utls" +) + +// FakeSmartPaddingExtension implements padding (0x15) extension. The padding data is another TLS client hello message +type FakeSmartPaddingExtension struct { + *utls.GenericExtension + // PaddingLen int + FakeSNI string + data []byte // the actual fake bytes that will be read + // WillPad bool // set false to disable extension +} + +// Len returns the length of the FakeSmartPaddingExtension. +func (e *FakeSmartPaddingExtension) Len() int { + return 4 + len(e.data) +} + +func NewFakeSmartPaddingExtension(fakesni string) *FakeSmartPaddingExtension { + conn := new(net.TCPConn) + uConn := utls.UClient(conn, + &utls.Config{ + ServerName: fakesni, + }, + utls.HelloRandomizedALPN) + // create a new TLS client hello with a fake SNI + c := utls.ClientHelloSpec{ + TLSVersMax: utls.VersionTLS13, + TLSVersMin: utls.VersionTLS10, + CipherSuites: []uint16{ + utls.GREASE_PLACEHOLDER, // GREASE + utls.TLS_AES_128_GCM_SHA256, + utls.TLS_AES_256_GCM_SHA384, + utls.TLS_CHACHA20_POLY1305_SHA256, + utls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + utls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + utls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + utls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + utls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + utls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + }, + Extensions: []utls.TLSExtension{ + &SNIExtension{ + ServerName: fakesni, + }, + }, + } + _ = uConn.ApplyPreset(&c) + _ = uConn.MarshalClientHello() + rawHello := uConn.HandshakeState.Hello.Raw + + return &FakeSmartPaddingExtension{ + FakeSNI: fakesni, + data: rawHello, + } +} + +// Read reads the FakeSmartPaddingExtension. +func (e *FakeSmartPaddingExtension) Read(b []byte) (n int, err error) { + if len(b) < e.Len() { + return 0, io.ErrShortBuffer + } + // https://tools.ietf.org/html/rfc7627 + b[0] = byte(tlsExtensionPadding >> 8) + b[1] = byte(tlsExtensionPadding) + b[2] = byte(len(e.data) >> 8) + b[3] = byte(len(e.data)) + + copy(b[4:], e.data) + return e.Len(), io.EOF +} + +// makeTLSHelloPacketWithSmartPadding creates a TLS hello packet with padding that looks like another TLS client hello with a given fake SNI +func makeTLSHelloPacketWithSmartPadding(conn net.Conn, e *UTLSClientConfig, sni string, fakesni string) (*utls.UConn, error) { + + uConn := utls.UClient(conn, e.config.Clone(), e.id) + + spec := utls.ClientHelloSpec{ + TLSVersMax: utls.VersionTLS13, + TLSVersMin: utls.VersionTLS10, + CipherSuites: []uint16{ + utls.GREASE_PLACEHOLDER, + utls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + utls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + utls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + utls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + utls.TLS_AES_128_GCM_SHA256, // tls 1.3 + utls.FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + utls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + utls.TLS_RSA_WITH_AES_256_CBC_SHA, + }, + Extensions: []utls.TLSExtension{ + &utls.SupportedCurvesExtension{Curves: []utls.CurveID{utls.X25519, utls.CurveP256}}, + &utls.SupportedPointsExtension{SupportedPoints: []byte{0}}, // uncompressed + &utls.SessionTicketExtension{}, + &utls.ALPNExtension{AlpnProtocols: []string{"http/1.1"}}, + &utls.SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []utls.SignatureScheme{ + utls.ECDSAWithP256AndSHA256, + utls.ECDSAWithP384AndSHA384, + utls.ECDSAWithP521AndSHA512, + utls.PSSWithSHA256, + utls.PSSWithSHA384, + utls.PSSWithSHA512, + utls.PKCS1WithSHA256, + utls.PKCS1WithSHA384, + utls.PKCS1WithSHA512, + utls.ECDSAWithSHA1, + utls.PKCS1WithSHA1}}, + &utls.KeyShareExtension{KeyShares: []utls.KeyShare{ + {Group: utls.CurveID(utls.GREASE_PLACEHOLDER), Data: []byte{0}}, + {Group: utls.X25519}, + }}, + &utls.PSKKeyExchangeModesExtension{Modes: []uint8{1}}, // pskModeDHE + NewFakeSmartPaddingExtension(fakesni), + &SNIExtension{ + ServerName: sni, + }, + }, + GetSessionID: nil, + } + err := uConn.ApplyPreset(&spec) + if err != nil { + return nil, err + } + return uConn, nil +} diff --git a/option/tls.go b/option/tls.go index 4f6bb2dc7d..58f9867346 100644 --- a/option/tls.go +++ b/option/tls.go @@ -23,7 +23,8 @@ type OutboundTLSOptions struct { MixedCaseSNI bool `json:"mixedcase_sni,omitempty"` ServerName string `json:"server_name,omitempty"` Insecure bool `json:"insecure,omitempty"` - PaddingSize string `json:"padding_size,omitempty"` + PaddingSize string `json:"padding_size,omitempty"` // uses a random bytearray as padding. mutually exclusive with padding_sni + PaddingSNI string `json:"padding_sni,omitempty"` // uses smartpadding which creates a client hello as padding ALPN Listable[string] `json:"alpn,omitempty"` MinVersion string `json:"min_version,omitempty"` MaxVersion string `json:"max_version,omitempty"`