Add TLS fragment support

2025-04-05 21:07:38 +03:00 · 2025-01-26 09:01:00 +08:00 · 2025-01-26 09:01:00 +08:00 · 766e3a1e8d
commit 766e3a1e8d
parent 291a4f1854
18 changed files with 476 additions and 189 deletions
--- a/common/tlsfragment/conn.go
+++ b/common/tlsfragment/conn.go
@ -0,0 +1,107 @@
+package tf
+
+import (
+	"context"
+	"math/rand"
+	"net"
+	"strings"
+	"time"
+
+	N "github.com/sagernet/sing/common/network"
+
+	"golang.org/x/net/publicsuffix"
+)
+
+type Conn struct {
+	net.Conn
+	tcpConn            *net.TCPConn
+	ctx                context.Context
+	firstPacketWritten bool
+	fallbackDelay      time.Duration
+}
+
+func NewConn(conn net.Conn, ctx context.Context, fallbackDelay time.Duration) (*Conn, error) {
+	tcpConn, _ := N.UnwrapReader(conn).(*net.TCPConn)
+	return &Conn{
+		Conn:          conn,
+		tcpConn:       tcpConn,
+		ctx:           ctx,
+		fallbackDelay: fallbackDelay,
+	}, nil
+}
+
+func (c *Conn) Write(b []byte) (n int, err error) {
+	if !c.firstPacketWritten {
+		defer func() {
+			c.firstPacketWritten = true
+		}()
+		serverName := indexTLSServerName(b)
+		if serverName != nil {
+			if c.tcpConn != nil {
+				err = c.tcpConn.SetNoDelay(true)
+				if err != nil {
+					return
+				}
+			}
+			splits := strings.Split(serverName.ServerName, ".")
+			currentIndex := serverName.Index
+			if publicSuffix := publicsuffix.List.PublicSuffix(serverName.ServerName); publicSuffix != "" {
+				splits = splits[:len(splits)-strings.Count(serverName.ServerName, ".")]
+			}
+			if len(splits) > 1 && splits[0] == "..." {
+				currentIndex += len(splits[0]) + 1
+				splits = splits[1:]
+			}
+			var splitIndexes []int
+			for i, split := range splits {
+				splitAt := rand.Intn(len(split))
+				splitIndexes = append(splitIndexes, currentIndex+splitAt)
+				currentIndex += len(split)
+				if i != len(splits)-1 {
+					currentIndex++
+				}
+			}
+			for i := 0; i <= len(splitIndexes); i++ {
+				var payload []byte
+				if i == 0 {
+					payload = b[:splitIndexes[i]]
+				} else if i == len(splitIndexes) {
+					payload = b[splitIndexes[i-1]:]
+				} else {
+					payload = b[splitIndexes[i-1]:splitIndexes[i]]
+				}
+				if c.tcpConn != nil && i != len(splitIndexes) {
+					err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
+					if err != nil {
+						return
+					}
+				} else {
+					_, err = c.Conn.Write(payload)
+					if err != nil {
+						return
+					}
+				}
+			}
+			if c.tcpConn != nil {
+				err = c.tcpConn.SetNoDelay(false)
+				if err != nil {
+					return
+				}
+			}
+			return len(b), nil
+		}
+	}
+	return c.Conn.Write(b)
+}
+
+func (c *Conn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *Conn) WriterReplaceable() bool {
+	return c.firstPacketWritten
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
--- a/common/tlsfragment/index.go
+++ b/common/tlsfragment/index.go
@ -0,0 +1,131 @@
+package tf
+
+import (
+	"encoding/binary"
+)
+
+const (
+	recordLayerHeaderLen    int    = 5
+	handshakeHeaderLen      int    = 6
+	randomDataLen           int    = 32
+	sessionIDHeaderLen      int    = 1
+	cipherSuiteHeaderLen    int    = 2
+	compressMethodHeaderLen int    = 1
+	extensionsHeaderLen     int    = 2
+	extensionHeaderLen      int    = 4
+	sniExtensionHeaderLen   int    = 5
+	contentType             uint8  = 22
+	handshakeType           uint8  = 1
+	sniExtensionType        uint16 = 0
+	sniNameDNSHostnameType  uint8  = 0
+	tlsVersionBitmask       uint16 = 0xFFFC
+	tls13                   uint16 = 0x0304
+)
+
+type myServerName struct {
+	Index      int
+	Length     int
+	ServerName string
+}
+
+func indexTLSServerName(payload []byte) *myServerName {
+	if len(payload) < recordLayerHeaderLen || payload[0] != contentType {
+		return nil
+	}
+	segmentLen := binary.BigEndian.Uint16(payload[3:5])
+	if len(payload) < recordLayerHeaderLen+int(segmentLen) {
+		return nil
+	}
+	serverName := indexTLSServerNameFromHandshake(payload[recordLayerHeaderLen : recordLayerHeaderLen+int(segmentLen)])
+	if serverName == nil {
+		return nil
+	}
+	serverName.Length += recordLayerHeaderLen
+	return serverName
+}
+
+func indexTLSServerNameFromHandshake(hs []byte) *myServerName {
+	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen {
+		return nil
+	}
+	if hs[0] != handshakeType {
+		return nil
+	}
+	handshakeLen := uint32(hs[1])<<16 | uint32(hs[2])<<8 | uint32(hs[3])
+	if len(hs[4:]) != int(handshakeLen) {
+		return nil
+	}
+	tlsVersion := uint16(hs[4])<<8 | uint16(hs[5])
+	if tlsVersion&tlsVersionBitmask != 0x0300 && tlsVersion != tls13 {
+		return nil
+	}
+	sessionIDLen := hs[38]
+	if len(hs) < handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen) {
+		return nil
+	}
+	cs := hs[handshakeHeaderLen+randomDataLen+sessionIDHeaderLen+int(sessionIDLen):]
+	if len(cs) < cipherSuiteHeaderLen {
+		return nil
+	}
+	csLen := uint16(cs[0])<<8 | uint16(cs[1])
+	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen {
+		return nil
+	}
+	compressMethodLen := uint16(cs[cipherSuiteHeaderLen+int(csLen)])
+	if len(cs) < cipherSuiteHeaderLen+int(csLen)+compressMethodHeaderLen+int(compressMethodLen) {
+		return nil
+	}
+	currentIndex := cipherSuiteHeaderLen + int(csLen) + compressMethodHeaderLen + int(compressMethodLen)
+	serverName := indexTLSServerNameFromExtensions(cs[currentIndex:])
+	if serverName == nil {
+		return nil
+	}
+	serverName.Index += currentIndex
+	return serverName
+}
+
+func indexTLSServerNameFromExtensions(exs []byte) *myServerName {
+	if len(exs) == 0 {
+		return nil
+	}
+	if len(exs) < extensionsHeaderLen {
+		return nil
+	}
+	exsLen := uint16(exs[0])<<8 | uint16(exs[1])
+	exs = exs[extensionsHeaderLen:]
+	if len(exs) < int(exsLen) {
+		return nil
+	}
+	for currentIndex := extensionsHeaderLen; len(exs) > 0; {
+		if len(exs) < extensionHeaderLen {
+			return nil
+		}
+		exType := uint16(exs[0])<<8 | uint16(exs[1])
+		exLen := uint16(exs[2])<<8 | uint16(exs[3])
+		if len(exs) < extensionHeaderLen+int(exLen) {
+			return nil
+		}
+		sex := exs[extensionHeaderLen : extensionHeaderLen+int(exLen)]
+
+		switch exType {
+		case sniExtensionType:
+			if len(sex) < sniExtensionHeaderLen {
+				return nil
+			}
+			sniType := sex[2]
+			if sniType != sniNameDNSHostnameType {
+				return nil
+			}
+			sniLen := uint16(sex[3])<<8 | uint16(sex[4])
+			sex = sex[sniExtensionHeaderLen:]
+			return &myServerName{
+				Index:      currentIndex + extensionHeaderLen + sniExtensionHeaderLen,
+				Length:     int(sniLen),
+				ServerName: string(sex),
+			}
+		}
+		exs = exs[4+exLen:]
+		currentIndex += 4 + int(exLen)
+	}
+	return nil
+}
--- a/common/tlsfragment/wait_darwin.go
+++ b/common/tlsfragment/wait_darwin.go
@ -0,0 +1,93 @@
+package tf
+
+import (
+	"context"
+	"net"
+	"time"
+
+	"github.com/sagernet/sing/common/control"
+
+	"golang.org/x/sys/unix"
+)
+
+/*
+const tcpMaxNotifyAck = 10
+
+type tcpNotifyAckID uint32
+
+	type tcpNotifyAckComplete struct {
+		NotifyPending       uint32
+		NotifyCompleteCount uint32
+		NotifyCompleteID    [tcpMaxNotifyAck]tcpNotifyAckID
+	}
+
+var sizeOfTCPNotifyAckComplete = int(unsafe.Sizeof(tcpNotifyAckComplete{}))
+
+	func getsockoptTCPNotifyAckComplete(fd, level, opt int) (*tcpNotifyAckComplete, error) {
+		var value tcpNotifyAckComplete
+		vallen := uint32(sizeOfTCPNotifyAckComplete)
+		err := getsockopt(fd, level, opt, unsafe.Pointer(&value), &vallen)
+		return &value, err
+	}
+
+//go:linkname getsockopt golang.org/x/sys/unix.getsockopt
+func getsockopt(s int, level int, name int, val unsafe.Pointer, vallen *uint32) error
+
+	func waitAck(ctx context.Context, conn *net.TCPConn, _ time.Duration) error {
+		const TCP_NOTIFY_ACKNOWLEDGEMENT = 0x212
+		return control.Conn(conn, func(fd uintptr) error {
+			err := unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, TCP_NOTIFY_ACKNOWLEDGEMENT, 1)
+			if err != nil {
+				if errors.Is(err, unix.EINVAL) {
+					return waitAckFallback(ctx, conn, 0)
+				}
+				return err
+			}
+			for {
+				select {
+				case <-ctx.Done():
+					return ctx.Err()
+				default:
+				}
+				var ackComplete *tcpNotifyAckComplete
+				ackComplete, err = getsockoptTCPNotifyAckComplete(int(fd), unix.IPPROTO_TCP, TCP_NOTIFY_ACKNOWLEDGEMENT)
+				if err != nil {
+					return err
+				}
+				if ackComplete.NotifyPending == 0 {
+					return nil
+				}
+				time.Sleep(10 * time.Millisecond)
+			}
+		})
+	}
+*/
+
+func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
+	_, err := conn.Write(payload)
+	if err != nil {
+		return err
+	}
+	return control.Conn(conn, func(fd uintptr) error {
+		start := time.Now()
+		for {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			default:
+			}
+			unacked, err := unix.GetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_NWRITE)
+			if err != nil {
+				return err
+			}
+			if unacked == 0 {
+				if time.Since(start) <= 20*time.Millisecond {
+					// under transparent proxy
+					time.Sleep(fallbackDelay)
+				}
+				return nil
+			}
+			time.Sleep(10 * time.Millisecond)
+		}
+	})
+}
--- a/common/tlsfragment/wait_linux.go
+++ b/common/tlsfragment/wait_linux.go
@ -0,0 +1,40 @@
+package tf
+
+import (
+	"context"
+	"net"
+	"time"
+
+	"github.com/sagernet/sing/common/control"
+
+	"golang.org/x/sys/unix"
+)
+
+func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
+	_, err := conn.Write(payload)
+	if err != nil {
+		return err
+	}
+	return control.Conn(conn, func(fd uintptr) error {
+		start := time.Now()
+		for {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			default:
+			}
+			tcpInfo, err := unix.GetsockoptTCPInfo(int(fd), unix.IPPROTO_TCP, unix.TCP_INFO)
+			if err != nil {
+				return err
+			}
+			if tcpInfo.Unacked == 0 {
+				if time.Since(start) <= 20*time.Millisecond {
+					// under transparent proxy
+					time.Sleep(fallbackDelay)
+				}
+				return nil
+			}
+			time.Sleep(10 * time.Millisecond)
+		}
+	})
+}
--- a/common/tlsfragment/wait_stub.go
+++ b/common/tlsfragment/wait_stub.go
@ -0,0 +1,14 @@
+//go:build !(linux || darwin || windows)
+
+package tf
+
+import (
+	"context"
+	"net"
+	"time"
+)
+
+func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
+	time.Sleep(fallbackDelay)
+	return nil
+}
--- a/common/tlsfragment/wait_windows.go
+++ b/common/tlsfragment/wait_windows.go
@ -0,0 +1,28 @@
+package tf
+
+import (
+	"context"
+	"errors"
+	"net"
+	"time"
+
+	"github.com/sagernet/sing/common/winiphlpapi"
+
+	"golang.org/x/sys/windows"
+)
+
+func writeAndWaitAck(ctx context.Context, conn *net.TCPConn, payload []byte, fallbackDelay time.Duration) error {
+	start := time.Now()
+	err := winiphlpapi.WriteAndWaitAck(ctx, conn, payload)
+	if err != nil {
+		if errors.Is(err, windows.ERROR_ACCESS_DENIED) {
+			time.Sleep(fallbackDelay)
+			return nil
+		}
+		return err
+	}
+	if time.Since(start) <= 20*time.Millisecond {
+		time.Sleep(fallbackDelay)
+	}
+	return nil
+}