mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-03 20:17:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' of github.com:refraction-networking/utls

Browse source
This commit is contained in:
Eric Wustrow 2019-04-11 16:59:26 -06:00
commit 246879ed0d
13 changed files with 1065 additions and 263 deletions
Download patch file Download diff file Expand all files Collapse all files

80
README.md
View file

@ -5,20 +5,54 @@
uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance, low-level access to handshake, fake session tickets and some other features. Handshake is still performed by "crypto/tls", this library merely changes ClientHello part of it and provides low-level access.
Golang 1.11+ is required.
If you have any questions, bug reports or contributions, you are welcome to publish those on GitHub. If you want to do so in private, you can contact one of developers personally via sergey.frolov@colorado.edu
Documentation below may not keep up with all the changes and new features at all times,
so you are encouraged to use [godoc](https://godoc.org/github.com/refraction-networking/utls#UConn).
# Features
## Low-level access to handshake
* Read/write access to all bits of client hello message.
* Read access to fields of ClientHandshakeState, which, among other things, includes ServerHello and MasterSecret.
* Read keystream. Can be used, for example, to "write" something in ciphertext.
## ClientHello fingerprinting resistance
Golang's ClientHello has a very unique fingerprint, which especially sticks out on mobile clients,
where Golang is not too popular yet.
Some members of anti-censorship community are concerned that their tools could be trivially blocked based on
ClientHello with relatively small collateral damage. There are multiple solutions to this issue.
### Randomized handshake
This package can generate randomized ClientHello using only extensions and cipherSuites "crypto/tls" already supports.
This provides a solid moving target without any compatibility or parrot-is-dead attack risks.
**Feedback about opinionated implementation details of randomized handshake is appreciated.**
**It is highly recommended to use multiple fingeprints, including randomized ones to avoid relying on a single fingerprint.**
[utls.Roller](#roller) does this automatically.
### Randomized Fingerprint
Randomized Fingerprints are supposedly good at defeating blacklists, since
those fingerprints have random ciphersuites and extensions in random order.
Note that all used ciphersuites and extensions are fully supported by uTLS,
which provides a solid moving target without any compatibility or parrot-is-dead attack risks.
But note that there's a small chance that generated fingerprint won't work,
so you may want to keep generating until a working one is found,
and then keep reusing the working fingerprint to avoid suspicious behavior of constantly changing fingerprints.
[utls.Roller](#roller) reuses working fingerprint automatically.
#### Generating randomized fingerprints
To generate a randomized fingerprint, simply do:
```Golang
uTlsConn := tls.UClient(tcpConn, &config, tls.HelloRandomized)
```
you can use `helloRandomizedALPN` or `helloRandomizedNoALPN` to ensure presence or absence of
ALPN(Application-Layer Protocol Negotiation) extension.
It is recommended, but certainly not required to include ALPN (or use helloRandomized which may or may not include ALPN).
If you do use ALPN, you will want to correctly handle potential application layer protocols (likely h2 or http/1.1).
#### Reusing randomized fingerprint
```Golang
// oldConn is an old connection that worked before, so we want to reuse it
// newConn is a new connection we'd like to establish
newConn := tls.UClient(tcpConn, &config, oldConn.ClientHelloID)
```
### Parroting
This package can be used to parrot ClientHello of popular browsers.
There are some caveats to this parroting:
@ -31,9 +65,11 @@ This is not a problem, if you fully control the server and turn unsupported thin
| ------------- | -------- | ---------- | ---------------------- | --------------------------------------------- |
| Chrome 62 | no | no | ChannelID | [0a4a74aeebd1bb66](https://tlsfingerprint.io/id/0a4a74aeebd1bb66) |
| Chrome 70 | no | no | ChannelID, Encrypted Certs | [bc4c7e42f4961cd7](https://tlsfingerprint.io/id/bc4c7e42f4961cd7) |
| Chrome 72 | no | no | ChannelID, Encrypted Certs | [bbf04e5f1881f506](https://tlsfingerprint.io/id/bbf04e5f1881f506) |
| Firefox 56 | very low | no | None | [c884bad7f40bee56](https://tlsfingerprint.io/id/c884bad7f40bee56) |
| Firefox 63 | very low | no | MaxRecordSize | [6bfedc5d5c740d58](https://tlsfingerprint.io/id/6bfedc5d5c740d58) |
| Firefox 65 | very low | no | MaxRecordSize | [6bfedc5d5c740d58](https://tlsfingerprint.io/id/6bfedc5d5c740d58) |
| iOS 11.1 | low** | no | None | [71a81bafd58e1301](https://tlsfingerprint.io/id/71a81bafd58e1301) |
| iOS 12.1 | low** | no | None | [ec55e5b4136c7949](https://tlsfingerprint.io/id/ec55e5b4136c7949) |
\* Denotes very rough guesstimate of likelihood that unsupported things will get echoed back by the server in the wild,
*visibly breaking the connection*.
@ -48,10 +84,11 @@ It LGTM, but please open up Wireshark and check. If you see something — [say s
There sure are. If you found one that approaches practicality at line speed — [please tell us](issues).
#### Things to implement in Golang to make parrots better
uTLS is fundamentially limited in parroting, because Golang's "crypto/tls" doesn't support many things. Would be nice to have:
* ChannelID extension
* In general, any modern crypto is likely to be useful going forward.
However, there is a difference between this sort of parroting and techniques like SkypeMorth.
Namely, TLS is highly standardized protocol, therefore simply not that many subtle things in TLS protocol
could be different and/or suddenly change in one of mimicked implementation(potentially undermining the mimicry).
It is possible that we have a distinguisher right now, but amount of those potential distinguishers is limited.
### Custom Handshake
It is possible to create custom handshake by
1) Use `HelloCustom` as an argument for `UClient()` to get empty config
@ -63,6 +100,29 @@ If you need to manually control all the bytes on the wire(certainly not recommen
you can set UConn.HandshakeStateBuilt = true, and marshal clientHello into UConn.HandshakeState.Hello.raw yourself.
In this case you will be responsible for modifying other parts of Config and ClientHelloMsg to reflect your setup
and not confuse "crypto/tls", which will be processing response from server.
## Roller
A simple wrapper, that allows to easily use multiple latest(auto-updated) fingerprints.
```Golang
// NewRoller creates Roller object with default range of HelloIDs to cycle
// through until a working/unblocked one is found.
func NewRoller() (*Roller, error)
```
```Golang
// Dial attempts to connect to given address using different HelloIDs.
// If a working HelloID is found, it is used again for subsequent Dials.
// If tcp connection fails or all HelloIDs are tried, returns with last error.
//
// Usage examples:
//
// Dial("tcp4", "google.com:443", "google.com")
// Dial("tcp", "10.23.144.22:443", "mywebserver.org")
func (c *Roller) Dial(network, addr, serverName string) (*UConn, error)
```
## Fake Session Tickets
Fake session tickets is a very nifty trick that allows power users to hide parts of handshake, which may have some very fingerprintable features of handshake, and saves 1 RTT.
Currently, there is a simple function to set session ticket to any desired state:
@ -85,7 +145,7 @@ See full list of `clientHelloID` values [here](https://godoc.org/github.com/refr
There are different behaviors you can get, depending on your `clientHelloID`:
1. ```utls.HelloRandomized``` adds/reorders extensions, ciphersuites, etc. randomly.
`HelloRandomized` adds ALPN in 50% of cases, you may want to use `HelloRandomizedALPN` or
`HelloRandomized` adds ALPN in a percentage of cases, you may want to use `HelloRandomizedALPN` or
`HelloRandomizedNoALPN` to choose specific behavior explicitly, as ALPN might affect application layer.
2. ```utls.HelloGolang```
HelloGolang will use default "crypto/tls" handshake marshaling codepath, which WILL

38
examples/examples.go
View file

@ -52,6 +52,37 @@ func HttpGetByHelloID(hostname string, addr string, helloID tls.ClientHelloID) (
return httpGetOverConn(uTlsConn, uTlsConn.HandshakeState.ServerHello.AlpnProtocol)
}
// this example generates a randomized fingeprint, then re-uses it in a follow-up connection
func HttpGetConsistentRandomized(hostname string, addr string) (*http.Response, error) {
config := tls.Config{ServerName: hostname}
tcpConn, err := net.DialTimeout("tcp", addr, dialTimeout)
if err != nil {
return nil, fmt.Errorf("net.DialTimeout error: %+v", err)
}
uTlsConn := tls.UClient(tcpConn, &config, tls.HelloRandomized)
defer uTlsConn.Close()
err = uTlsConn.Handshake()
if err != nil {
return nil, fmt.Errorf("uTlsConn.Handshake() error: %+v", err)
}
uTlsConn.Close()
// At this point uTlsConn.ClientHelloID holds a seed that was used to generate
// randomized fingerprint. Now we can establish second connection with same fp
tcpConn2, err := net.DialTimeout("tcp", addr, dialTimeout)
if err != nil {
return nil, fmt.Errorf("net.DialTimeout error: %+v", err)
}
uTlsConn2 := tls.UClient(tcpConn2, &config, uTlsConn.ClientHelloID)
defer uTlsConn2.Close()
err = uTlsConn2.Handshake()
if err != nil {
return nil, fmt.Errorf("uTlsConn.Handshake() error: %+v", err)
}
return httpGetOverConn(uTlsConn2, uTlsConn2.HandshakeState.ServerHello.AlpnProtocol)
}
func HttpGetExplicitRandom(hostname string, addr string) (*http.Response, error) {
dialConn, err := net.DialTimeout("tcp", addr, dialTimeout)
if err != nil {
@ -306,7 +337,6 @@ func forgeConn() {
}
func main() {
var response *http.Response
var err error
@ -325,11 +355,11 @@ func main() {
fmt.Printf("#> HttpGetByHelloID(HelloChrome_62) response: %+s\n", dumpResponseNoBody(response))
}
response, err = HttpGetByHelloID(requestHostname, requestAddr, tls.HelloRandomizedNoALPN)
response, err = HttpGetConsistentRandomized(requestHostname, requestAddr)
if err != nil {
fmt.Printf("#> HttpGetByHelloID(Randomized) failed: %+v\n", err)
fmt.Printf("#> HttpGetConsistentRandomized() failed: %+v\n", err)
} else {
fmt.Printf("#> HttpGetByHelloID(Randomized) response: %+s\n", dumpResponseNoBody(response))
fmt.Printf("#> HttpGetConsistentRandomized() response: %+s\n", dumpResponseNoBody(response))
}
response, err = HttpGetExplicitRandom(requestHostname, requestAddr)

2
handshake_client.go
View file

@ -29,6 +29,8 @@ type clientHandshakeState struct {
finishedHash finishedHash
masterSecret []byte
session *ClientSessionState
uconn *UConn // [UTLS]
}
func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {

64
handshake_client_tls13.go
View file

@ -33,6 +33,8 @@ type clientHandshakeStateTLS13 struct {
transcript hash.Hash
masterSecret []byte
trafficSecret []byte // client_application_traffic_secret_0
uconn *UConn // [UTLS]
}
// handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheParams, and,
@ -251,6 +253,68 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
}
}
// [UTLS SECTION BEGINS]
// crypto/tls code above this point had changed crypto/tls structures in accordance with HRR, and is about
// to call default marshaller.
// Instead, we fill uTLS-specific structs and call uTLS marshaller.
// Only extensionCookie, extensionPreSharedKey, extensionKeyShare, extensionEarlyData, extensionSupportedVersions,
// and utlsExtensionPadding are supposed to change
if hs.uconn != nil {
if hs.uconn.ClientHelloID != HelloGolang {
if len(hs.hello.pskIdentities) > 0 {
// TODO: wait for someone who cares about PSK to implement
return errors.New("uTLS does not support reprocessing of PSK key triggered by HelloRetryRequest")
}
keyShareExtFound := false
for _, ext := range hs.uconn.Extensions {
// new ks seems to be generated either way
if ks, ok := ext.(*KeyShareExtension); ok {
ks.KeyShares = keyShares(hs.hello.keyShares).ToPublic()
keyShareExtFound = true
}
}
if !keyShareExtFound {
return errors.New("uTLS: received HelloRetryRequest, but keyshare not found among client's " +
"uconn.Extensions")
}
if len(hs.serverHello.cookie) > 0 {
// serverHello specified a cookie, let's echo it
cookieFound := false
for _, ext := range hs.uconn.Extensions {
if ks, ok := ext.(*CookieExtension); ok {
ks.Cookie = hs.serverHello.cookie
cookieFound = true
}
}
if !cookieFound {
// pick a random index where to add cookieExtension
// -2 instead of -1 is a lazy way to ensure that PSK is still a last extension
p, err := newPRNG()
if err != nil {
return err
}
cookieIndex := p.Intn(len(hs.uconn.Extensions) - 2)
if cookieIndex >= len(hs.uconn.Extensions) {
// this check is for empty hs.uconn.Extensions
return fmt.Errorf("cookieIndex >= len(hs.uconn.Extensions): %v >= %v",
cookieIndex, len(hs.uconn.Extensions))
}
hs.uconn.Extensions = append(hs.uconn.Extensions[:cookieIndex],
append([]TLSExtension{&CookieExtension{Cookie: hs.serverHello.cookie}},
hs.uconn.Extensions[cookieIndex:]...)...)
}
}
if err = hs.uconn.MarshalClientHello(); err != nil {
return err
}
hs.hello.raw = hs.uconn.HandshakeState.Hello.Raw
}
}
// [UTLS SECTION ENDS]
hs.transcript.Write(hs.hello.marshal())
if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
return err

181
testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70 vendored Normal file
View file

@ -0,0 +1,181 @@
>>> Flow 1 (client to server)
00000000 16 03 01 02 00 01 00 01 fc 03 03 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 22 0a 0a |............."..|
00000050 13 01 13 02 13 03 c0 2b c0 2f c0 2c c0 30 cc a9 |.......+./.,.0..|
00000060 cc a8 c0 13 c0 14 00 9c 00 9d 00 2f 00 35 00 0a |.........../.5..|
00000070 01 00 01 91 0a 0a 00 00 ff 01 00 01 00 00 00 00 |................|
00000080 05 00 03 00 00 00 00 17 00 00 00 23 00 00 00 0d |...........#....|
00000090 00 14 00 12 04 03 08 04 04 01 05 03 08 05 05 01 |................|
000000a0 08 06 06 01 02 01 00 05 00 05 01 00 00 00 00 00 |................|
000000b0 12 00 00 00 10 00 0e 00 0c 02 68 32 08 68 74 74 |..........h2.htt|
000000c0 70 2f 31 2e 31 75 50 00 00 00 0b 00 02 01 00 00 |p/1.1uP.........|
000000d0 33 00 2b 00 29 0a 0a 00 01 00 00 1d 00 20 2f e5 |3.+.)........ /.|
000000e0 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff |}.G.bC.(.._.).0.|
000000f0 f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 00 2d |........._X.;t.-|
00000100 00 02 01 01 00 2b 00 0b 0a 0a 0a 03 04 03 03 03 |.....+..........|
00000110 02 03 01 00 0a 00 0a 00 08 0a 0a 00 1d 00 17 00 |................|
00000120 18 00 1b 00 03 02 00 02 1a 1a 00 01 00 00 15 00 |................|
00000130 d4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000200 00 00 00 00 00 |.....|
>>> Flow 2 (server to client)
00000000 16 03 03 00 58 02 00 00 54 03 03 cf 21 ad 74 e5 |....X...T...!.t.|
00000010 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a |.a......e......z|
00000020 bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 20 00 00 00 00 |..^......3. ....|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................|
00000050 0c 00 2b 00 02 03 04 00 33 00 02 00 17 14 03 03 |..+.....3.......|
00000060 00 01 01 |...|
>>> Flow 3 (client to server)
00000000 14 03 03 00 01 01 16 03 03 02 00 01 00 01 fc 03 |................|
00000010 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |. ..............|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 22 0a 0a 13 01 13 02 13 03 c0 2b c0 2f |...".........+./|
00000060 c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 00 9c 00 9d |.,.0............|
00000070 00 2f 00 35 00 0a 01 00 01 91 0a 0a 00 00 ff 01 |./.5............|
00000080 00 01 00 00 00 00 05 00 03 00 00 00 00 17 00 00 |................|
00000090 00 23 00 00 00 0d 00 14 00 12 04 03 08 04 04 01 |.#..............|
000000a0 05 03 08 05 05 01 08 06 06 01 02 01 00 05 00 05 |................|
000000b0 01 00 00 00 00 00 12 00 00 00 10 00 0e 00 0c 02 |................|
000000c0 68 32 08 68 74 74 70 2f 31 2e 31 75 50 00 00 00 |h2.http/1.1uP...|
000000d0 0b 00 02 01 00 00 33 00 47 00 45 00 17 00 41 04 |......3.G.E...A.|
000000e0 1e 18 37 ef 0d 19 51 88 35 75 71 b5 e5 54 5b 12 |..7...Q.5uq..T[.|
000000f0 2e 8f 09 67 fd a7 24 20 3e b2 56 1c ce 97 28 5e |...g..$ >.V...(^|
00000100 f8 2b 2d 4f 9e f1 07 9f 6c 4b 5b 83 56 e2 32 42 |.+-O....lK[.V.2B|
00000110 e9 58 b6 d7 49 a6 b5 68 1a 41 03 56 6b dc 5a 89 |.X..I..h.A.Vk.Z.|
00000120 00 2d 00 02 01 01 00 2b 00 0b 0a 0a 0a 03 04 03 |.-.....+........|
00000130 03 03 02 03 01 00 0a 00 0a 00 08 0a 0a 00 1d 00 |................|
00000140 17 00 18 00 1b 00 03 02 00 02 1a 1a 00 01 00 00 |................|
00000150 15 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000200 00 00 00 00 00 00 00 00 00 00 00 |...........|
>>> Flow 4 (server to client)
00000000 16 03 03 00 9b 02 00 00 97 03 03 ae 07 28 f1 a3 |.............(..|
00000010 39 96 a7 38 99 f8 a5 25 6d 14 56 a1 f4 3b 65 b7 |9..8...%m.V..;e.|
00000020 5b dc 16 a8 0f bc 29 73 60 50 4e 20 00 00 00 00 |[.....)s`PN ....|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................|
00000050 4f 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |O.+.....3.E...A.|
00000060 92 f1 80 7f 0f 5c 8a 9d 9c 5c d6 f1 1d 39 66 d9 |.....\...\...9f.|
00000070 03 be c3 72 b9 92 43 90 90 15 b4 1f 02 0d ee 37 |...r..C........7|
00000080 b4 21 ab bd bb 71 84 3c 55 5b 8b cb c3 fc 15 50 |.!...q.<U[.....P|
00000090 a7 33 3b c9 97 3d f0 f9 be 5a 48 a5 e4 9d 4d cc |.3;..=...ZH...M.|
000000a0 17 03 03 00 17 e7 7d 13 54 c7 0a aa 33 45 80 5d |......}.T...3E.]|
000000b0 5f 58 c9 0b ca e7 ac 58 d0 8a e8 37 17 03 03 02 |_X.....X...7....|
000000c0 6d 73 95 78 a2 69 03 17 92 b7 7a dd 7f 85 59 af |ms.x.i....z...Y.|
000000d0 55 28 93 0a 07 46 90 38 c4 d6 e5 0e 24 67 a0 68 |U(...F.8....$g.h|
000000e0 17 50 05 16 fb f2 26 74 29 27 52 95 ee 9e ca f0 |.P....&t)'R.....|
000000f0 41 77 55 a5 05 ed 50 79 7a 0f ca cc 67 1e 1f e9 |AwU...Pyz...g...|
00000100 31 48 85 ae f8 6f d2 8e f9 48 38 2d 7c 54 b4 23 |1H...o...H8-|T.#|
00000110 52 d8 9a fd 69 d9 9b 12 0c 38 77 14 41 2d 43 bd |R...i....8w.A-C.|
00000120 9d 26 31 c0 bc 2e 9a ee b3 5e f4 df 89 8c 0f 7d |.&1......^.....}|
00000130 c7 fd 80 42 a0 34 4a 5b 15 09 b6 d8 74 d8 85 36 |...B.4J[....t..6|
00000140 d0 83 ee 02 4f f4 1c 12 c2 9b 0d b7 51 48 ff 50 |....O.......QH.P|
00000150 05 8e bc a9 51 4c 9c e1 ec 81 31 0e 87 39 92 78 |....QL....1..9.x|
00000160 6d 36 62 c3 38 8b a6 10 f5 9a da d4 13 f6 1a 48 |m6b.8..........H|
00000170 a1 96 88 75 a6 d0 c8 99 8f ce 24 62 b2 20 fd e1 |...u......$b. ..|
00000180 0f d4 49 dc b9 2a b7 85 39 15 41 a8 18 99 7e 1f |..I..*..9.A...~.|
00000190 77 9c 59 7a 62 6f fd 67 69 d8 a1 c6 e8 ef a3 6a |w.Yzbo.gi......j|
000001a0 6a dd a5 9e 2a aa da 27 25 62 ef be 68 d7 3f aa |j...*..'%b..h.?.|
000001b0 59 b7 5e 1e bc 13 87 1f 50 a6 f1 18 70 86 1e 92 |Y.^.....P...p...|
000001c0 98 a4 0b 2a c0 71 65 9b 97 c7 c8 26 31 64 76 ff |...*.qe....&1dv.|
000001d0 13 eb 92 f4 ce 7e ab 6b d8 bd 5a 22 62 20 64 1e |.....~.k..Z"b d.|
000001e0 4a 57 ea d2 39 31 db 00 97 2b 6b 76 11 e4 b8 c9 |JW..91...+kv....|
000001f0 8f fe c3 54 1c f6 d8 52 a6 0d 3a f1 6b a2 cc 3f |...T...R..:.k..?|
00000200 e3 7e 7b cf 62 0e 52 e2 ea 9c 54 f3 7a 2f e4 40 |.~{.b.R...T.z/.@|
00000210 ef 5e d4 84 5f 88 90 58 cd 35 c2 07 07 cf 85 62 |.^.._..X.5.....b|
00000220 97 40 e1 09 6c cb f4 4f 6d 9a 77 62 cd f4 b1 01 |.@..l..Om.wb....|
00000230 a4 1a 9a 81 37 ab de 20 22 f1 fa 7e e0 d7 74 89 |....7.. "..~..t.|
00000240 ff b6 97 6e 38 e4 b2 05 8f 78 f0 ef 1c 3d 62 8e |...n8....x...=b.|
00000250 eb 28 ea 77 8f 8e 2b b5 e9 2f 3b 2c 06 98 41 79 |.(.w..+../;,..Ay|
00000260 49 f5 2c 91 f5 9a 96 0d 5a 05 f0 72 8c 1a d3 3c |I.,.....Z..r...<|
00000270 b1 d6 04 fa 76 f3 35 63 c9 07 f5 6a 75 ca e7 a0 |....v.5c...ju...|
00000280 13 d8 e7 ad 22 2b 27 65 c6 cc 13 f3 dc 12 9a 2a |...."+'e.......*|
00000290 07 54 d6 7f c2 66 87 7c 07 be 62 df 4a 82 8d 3a |.T...f.|..b.J..:|
000002a0 09 b5 ad 14 36 2a cd 0c 0d 21 31 9a 80 ae 14 65 |....6*...!1....e|
000002b0 42 db a8 75 33 11 eb 01 71 b8 34 c4 0d 2f 74 0b |B..u3...q.4../t.|
000002c0 c6 c0 c9 e0 99 d1 ca f4 ff 1d 74 87 a8 17 0d 90 |..........t.....|
000002d0 84 04 22 7f 91 ee 64 d3 0c 8f cd bc e4 a4 7c 4d |.."...d.......|M|
000002e0 10 cd 81 7d 29 eb 86 eb 7b ae fa d2 fc df ab c9 |...})...{.......|
000002f0 44 6a 18 47 98 04 59 b2 97 e1 08 38 5e 19 1a e1 |Dj.G..Y....8^...|
00000300 6f b5 7a 97 e7 f9 40 8f 35 f7 7f 38 7a 84 84 2e |o.z...@.5..8z...|
00000310 0f 35 5b dd e2 04 e5 fa b1 44 a6 95 a4 01 97 cd |.5[......D......|
00000320 ac 88 71 89 0b eb 1b 7d 1f 6f 0e 5b 19 e7 17 03 |..q....}.o.[....|
00000330 03 00 99 eb c7 e1 49 e2 42 25 50 25 07 80 67 3a |......I.B%P%..g:|
00000340 9a f4 bc 99 d5 49 f4 7f f6 b4 91 f6 72 ba 7b 63 |.....I......r.{c|
00000350 5a f8 11 73 91 e2 ee 81 12 34 f2 e7 9a 19 b1 06 |Z..s.....4......|
00000360 4a 1e 4f 43 ff 13 de b0 a1 cf 5a 1e 2f 92 1c 11 |J.OC......Z./...|
00000370 a6 83 22 4b 51 37 55 5b 74 ae 44 d0 5f 1f 72 f1 |.."KQ7U[t.D._.r.|
00000380 11 dd 2d f3 97 d7 af fc 9f 53 7e 02 12 98 c8 4d |..-......S~....M|
00000390 78 8a c5 92 64 f1 76 98 de 7c 59 2b 7a 10 39 7b |x...d.v..|Y+z.9{|
000003a0 e1 25 7b c3 34 b8 d5 d3 17 51 30 f2 28 03 12 1a |.%{.4....Q0.(...|
000003b0 30 20 26 6d 3f d3 59 73 d9 dd 4e 33 2a 3a a4 33 |0 &m?.Ys..N3*:.3|
000003c0 7b ab 5f 89 2f 93 2b 4a e3 72 f6 0e 17 03 03 00 |{._./.+J.r......|
000003d0 35 70 3d 70 6d 8a 69 d6 74 30 40 ec 50 1a e1 a5 |5p=pm.i.t0@.P...|
000003e0 73 23 0d 90 81 b2 dd 8b c6 0e e6 9e 11 0e 17 5b |s#.............[|
000003f0 30 d7 9c 28 e9 9d 47 32 5c a5 bb 65 86 a2 2b 24 |0..(..G2\..e..+$|
00000400 62 2f 59 f0 da 05 |b/Y...|
>>> Flow 5 (client to server)
00000000 17 03 03 00 35 dd 48 af 8f 37 e2 24 fa 34 5c c6 |....5.H..7.$.4\.|
00000010 c7 e3 29 dd ec cd 59 36 80 b4 11 be 5f 7e 90 2e |..)...Y6...._~..|
00000020 c9 e3 7e 53 34 12 5f 14 1c 38 d8 c7 49 b2 55 91 |..~S4._..8..I.U.|
00000030 df e9 2b fd 79 78 60 7a bf cd 17 03 03 00 17 bf |..+.yx`z........|
00000040 f4 06 52 2d c0 5c f8 73 32 55 13 00 52 b6 94 e5 |..R-.\.s2U..R...|
00000050 03 7b a5 92 46 35 |.{..F5|
>>> Flow 6 (server to client)
00000000 17 03 03 00 da 61 bd 0a 99 51 52 9b d6 60 b9 c6 |.....a...QR..`..|
00000010 73 74 6d e2 a8 ff c9 c3 6f 1c f8 9f 4a c0 4f 02 |stm.....o...J.O.|
00000020 0a 51 0d 47 8a 3a 5a 9c 07 8d 3e e7 6c ef 98 11 |.Q.G.:Z...>.l...|
00000030 76 89 43 9a 86 15 9a ed e4 47 57 a1 b9 ec 17 d8 |v.C......GW.....|
00000040 3a 90 85 db 95 5d 44 2a c8 4d 04 3d f1 17 ca a9 |:....]D*.M.=....|
00000050 bc 44 63 af c6 fe 88 77 ab 2e 3d 81 ca bd e4 00 |.Dc....w..=.....|
00000060 aa 6b 2f fe 75 98 c4 94 f1 92 93 40 1d a4 4c f0 |.k/.u......@..L.|
00000070 a4 3c b1 49 5b ec 27 38 e5 8f 5f 18 82 a7 b8 01 |.<.I[.'8.._.....|
00000080 d9 5a 52 ce f2 6a e0 b7 1e a4 21 fc 10 74 f7 02 |.ZR..j....!..t..|
00000090 33 0f e5 3c 77 6f 4d 68 79 9c ad 95 50 1d b8 9a |3..<woMhy...P...|
000000a0 d6 46 d3 f3 1d ee 25 ad 15 17 39 ec 50 64 04 1b |.F....%...9.Pd..|
000000b0 e1 ff 4c da d8 04 b3 9f 36 b3 43 f2 54 fe d3 dc |..L.....6.C.T...|
000000c0 bb a9 1e ef b4 06 6f 1b 47 0f f5 09 68 3f e6 58 |......o.G...h?.X|
000000d0 be 99 51 b0 8f ce 06 c3 49 d7 8b f5 37 5c 5c 17 |..Q.....I...7\\.|
000000e0 03 03 00 da c3 21 ac 77 44 d5 7b 4c 98 62 9a 98 |.....!.wD.{L.b..|
000000f0 90 e5 00 e8 61 11 40 51 d9 6b e1 b1 02 06 7b 34 |....a.@Q.k....{4|
00000100 af 80 09 74 29 06 b8 e6 78 cf 4c 62 86 e0 41 a4 |...t)...x.Lb..A.|
00000110 39 aa c7 c2 13 c9 eb 7f 9c c6 d2 51 fc 69 fd 03 |9..........Q.i..|
00000120 1b 26 45 b8 2b f0 69 31 d9 70 0f 2d 31 c3 fb f5 |.&E.+.i1.p.-1...|
00000130 af a0 a1 e8 6c 63 d3 ed 33 bc 9c 4e 41 e7 1b df |....lc..3..NA...|
00000140 3e 5d 6a b3 c2 a0 f4 21 56 14 cf f5 9f f0 7b b4 |>]j....!V.....{.|
00000150 de de 9c 8e c3 f4 81 25 20 9e ab a8 2f d0 ac 31 |.......% .../..1|
00000160 c8 97 69 b5 e6 56 b6 6d d3 9f 7e 5a b5 34 86 2c |..i..V.m..~Z.4.,|
00000170 29 23 d5 e1 84 fa 54 fd b6 09 38 58 b2 16 79 d9 |)#....T...8X..y.|
00000180 38 fd 41 d9 dd 18 ae 10 5a 1c ea 25 04 a5 fe f2 |8.A.....Z..%....|
00000190 92 ca f7 e1 eb 3c a8 10 85 2b 08 f4 42 94 79 e8 |.....<...+..B.y.|
000001a0 5b 2d ac 24 60 51 a0 27 51 02 1d b2 db 6a ad 6c |[-.$`Q.'Q....j.l|
000001b0 f6 01 06 e7 73 98 f3 cd 8c f7 51 ee a6 82 |....s.....Q...|
>>> Flow 7 (client to server)
00000000 17 03 03 00 13 8f 74 cd f2 6c 0d a0 35 03 05 84 |......t..l..5...|
00000010 cd 43 b8 2c 8f 23 18 41 |.C.,.#.A|

98
u_common.go
View file

@ -58,30 +58,53 @@ var (
FakeFFDHE3072 = uint16(0x0101)
)
type ClientHelloID struct {
Browser string
Version uint16
// TODO: consider adding OS?
}
func (p *ClientHelloID) Str() string {
return fmt.Sprintf("%s-%d", p.Browser, p.Version)
}
// https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-04
type CertCompressionAlgo uint16
const (
helloGolang = "Golang"
helloRandomized = "Randomized"
helloCustom = "Custom"
helloFirefox = "Firefox"
helloChrome = "Chrome"
helloIOS = "iOS"
helloAndroid = "Android"
CertCompressionZlib CertCompressionAlgo = 0x0001
CertCompressionBrotli CertCompressionAlgo = 0x0002
)
const (
helloAutoVers = iota
helloRandomizedALPN
helloRandomizedNoALPN
PskModePlain uint8 = pskModePlain
PskModeDHE uint8 = pskModeDHE
)
type ClientHelloID struct {
Client string
// Version specifies version of a mimicked clients (e.g. browsers).
// Not used in randomized, custom handshake, and default Go.
Version string
// Seed is only used for randomized fingerprints to seed PRNG.
// Must not be modified once set.
Seed *PRNGSeed
}
func (p *ClientHelloID) Str() string {
return fmt.Sprintf("%s-%s", p.Client, p.Version)
}
func (p *ClientHelloID) IsSet() bool {
return (p.Client == "") && (p.Version == "")
}
const (
// clients
helloGolang = "Golang"
helloRandomized = "Randomized"
helloRandomizedALPN = "Randomized-ALPN"
helloRandomizedNoALPN = "Randomized-NoALPN"
helloCustom = "Custom"
helloFirefox = "Firefox"
helloChrome = "Chrome"
helloIOS = "iOS"
helloAndroid = "Android"
// versions
helloAutoVers = "0"
)
type ClientHelloSpec struct {
@ -89,8 +112,8 @@ type ClientHelloSpec struct {
CompressionMethods []uint8 // nil => no compression
Extensions []TLSExtension // nil => no extensions
TLSVersMin uint16 // [1.0-1.3]
TLSVersMax uint16 // [1.2-1.3]
TLSVersMin uint16 // [1.0-1.3] default: parse from .Extensions, if SupportedVersions ext is not present => 1.0
TLSVersMax uint16 // [1.2-1.3] default: parse from .Extensions, if SupportedVersions ext is not present => 1.2
// GreaseStyle: currently only random
// sessionID may or may not depend on ticket; nil => random
@ -104,30 +127,33 @@ var (
// overwrite your changes to Hello(Config, Session are fine).
// You might want to call BuildHandshakeState() before applying any changes.
// UConn.Extensions will be completely ignored.
HelloGolang = ClientHelloID{helloGolang, helloAutoVers}
HelloGolang = ClientHelloID{helloGolang, helloAutoVers, nil}
// HelloCustom will prepare ClientHello with empty uconn.Extensions so you can fill it with
// TLSExtensions manually or use ApplyPreset function
HelloCustom = ClientHelloID{helloCustom, helloAutoVers}
HelloCustom = ClientHelloID{helloCustom, helloAutoVers, nil}
// HelloRandomized* randomly adds/reorders extensions, ciphersuites, etc.
HelloRandomized = ClientHelloID{helloRandomized, helloAutoVers}
HelloRandomizedALPN = ClientHelloID{helloRandomized, helloRandomizedALPN}
HelloRandomizedNoALPN = ClientHelloID{helloRandomized, helloRandomizedNoALPN}
HelloRandomized = ClientHelloID{helloRandomized, helloAutoVers, nil}
HelloRandomizedALPN = ClientHelloID{helloRandomizedALPN, helloAutoVers, nil}
HelloRandomizedNoALPN = ClientHelloID{helloRandomizedNoALPN, helloAutoVers, nil}
// The rest will will parrot given browser.
HelloFirefox_Auto = HelloFirefox_63
HelloFirefox_55 = ClientHelloID{helloFirefox, 55}
HelloFirefox_56 = ClientHelloID{helloFirefox, 56}
HelloFirefox_63 = ClientHelloID{helloFirefox, 63}
HelloFirefox_Auto = HelloFirefox_65
HelloFirefox_55 = ClientHelloID{helloFirefox, "55", nil}
HelloFirefox_56 = ClientHelloID{helloFirefox, "56", nil}
HelloFirefox_63 = ClientHelloID{helloFirefox, "63", nil}
HelloFirefox_65 = ClientHelloID{helloFirefox, "65", nil}
HelloChrome_Auto = HelloChrome_70
HelloChrome_58 = ClientHelloID{helloChrome, 58}
HelloChrome_62 = ClientHelloID{helloChrome, 62}
HelloChrome_70 = ClientHelloID{helloChrome, 70}
HelloChrome_Auto = HelloChrome_72
HelloChrome_58 = ClientHelloID{helloChrome, "58", nil}
HelloChrome_62 = ClientHelloID{helloChrome, "62", nil}
HelloChrome_70 = ClientHelloID{helloChrome, "70", nil}
HelloChrome_72 = ClientHelloID{helloChrome, "72", nil}
HelloIOS_Auto = HelloIOS_11_1
HelloIOS_11_1 = ClientHelloID{helloIOS, 111}
HelloIOS_Auto = HelloIOS_12_1
HelloIOS_11_1 = ClientHelloID{helloIOS, "111", nil} // legacy "111" means 11.1
HelloIOS_12_1 = ClientHelloID{helloIOS, "12.1", nil}
)
// based on spec's GreaseStyle, GREASE_PLACEHOLDER may be replaced by another GREASE value

68
u_conn.go
View file

@ -21,7 +21,7 @@ type UConn struct {
*Conn
Extensions []TLSExtension
clientHelloID ClientHelloID
ClientHelloID ClientHelloID
ClientHelloBuilt bool
HandshakeState ClientHandshakeState
@ -40,7 +40,8 @@ func UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID) *UConn
}
tlsConn := Conn{conn: conn, config: config, isClient: true}
handshakeState := ClientHandshakeState{C: &tlsConn, Hello: &ClientHelloMsg{}}
uconn := UConn{Conn: &tlsConn, clientHelloID: clientHelloID, HandshakeState: handshakeState}
uconn := UConn{Conn: &tlsConn, ClientHelloID: clientHelloID, HandshakeState: handshakeState}
uconn.HandshakeState.uconn = &uconn
return &uconn
}
@ -57,7 +58,7 @@ func UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID) *UConn
// amd should only be called explicitly to inspect/change fields of
// default/mimicked ClientHello.
func (uconn *UConn) BuildHandshakeState() error {
if uconn.clientHelloID == HelloGolang {
if uconn.ClientHelloID == HelloGolang {
if uconn.ClientHelloBuilt {
return nil
}
@ -73,7 +74,7 @@ func (uconn *UConn) BuildHandshakeState() error {
uconn.HandshakeState.C = uconn.Conn
} else {
if !uconn.ClientHelloBuilt {
err := uconn.applyPresetByID(uconn.clientHelloID)
err := uconn.applyPresetByID(uconn.ClientHelloID)
if err != nil {
return err
}
@ -368,7 +369,7 @@ func (c *UConn) clientHandshake() (err error) {
hs12.serverHello = serverHello
hs12.hello = hello
err = hs12.handshake()
c.HandshakeState = *hs12.toPublic13()
c.HandshakeState = *hs12.toPublic12()
if err != nil {
return err
}
@ -479,8 +480,58 @@ func (uconn *UConn) GetOutKeystream(length int) ([]byte, error) {
return nil, errors.New("Could not convert OutCipher to cipher.AEAD")
}
// SetVersCreateState set min and max TLS version in all appropriate places.
func (uconn *UConn) SetTLSVers(minTLSVers, maxTLSVers uint16) error {
// SetTLSVers sets min and max TLS version in all appropriate places.
// Function will use first non-zero version parsed in following order:
// 1) Provided minTLSVers, maxTLSVers
// 2) specExtensions may have SupportedVersionsExtension
// 3) [default] min = TLS 1.0, max = TLS 1.2
//
// Error is only returned if things are in clearly undesirable state
// to help user fix them.
func (uconn *UConn) SetTLSVers(minTLSVers, maxTLSVers uint16, specExtensions []TLSExtension) error {
if minTLSVers == 0 && maxTLSVers == 0 {
// if version is not set explicitly in the ClientHelloSpec, check the SupportedVersions extension
supportedVersionsExtensionsPresent := 0
for _, e := range specExtensions {
switch ext := e.(type) {
case *SupportedVersionsExtension:
findVersionsInSupportedVersionsExtensions := func(versions []uint16) (uint16, uint16) {
// returns (minVers, maxVers)
minVers := uint16(0)
maxVers := uint16(0)
for _, vers := range versions {
if vers == GREASE_PLACEHOLDER {
continue
}
if maxVers < vers || maxVers == 0 {
maxVers = vers
}
if minVers > vers || minVers == 0 {
minVers = vers
}
}
return minVers, maxVers
}
supportedVersionsExtensionsPresent += 1
minTLSVers, maxTLSVers = findVersionsInSupportedVersionsExtensions(ext.Versions)
if minTLSVers == 0 && maxTLSVers == 0 {
return fmt.Errorf("SupportedVersions extension has invalid Versions field")
} // else: proceed
}
}
switch supportedVersionsExtensionsPresent {
case 0:
// if mandatory for TLS 1.3 extension is not present, just default to 1.2
minTLSVers = VersionTLS10
maxTLSVers = VersionTLS12
case 1:
default:
return fmt.Errorf("uconn.Extensions contains %v separate SupportedVersions extensions",
supportedVersionsExtensionsPresent)
}
}
if minTLSVers < VersionTLS10 || minTLSVers > VersionTLS12 {
return fmt.Errorf("uTLS does not support 0x%X as min version", minTLSVers)
}
@ -509,6 +560,9 @@ func (uconn *UConn) GetUnderlyingConn() net.Conn {
func MakeConnWithCompleteHandshake(tcpConn net.Conn, version uint16, cipherSuite uint16, masterSecret []byte, clientRandom []byte, serverRandom []byte, isClient bool) *Conn {
tlsConn := &Conn{conn: tcpConn, config: &Config{}, isClient: isClient}
cs := cipherSuiteByID(cipherSuite)
if cs == nil {
return nil
}
// This is mostly borrowed from establishKeys()
clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=

17
u_conn_test.go
View file

@ -142,6 +142,23 @@ func TestUTLSHandshakeClientParrotChrome_58_setclienthello(t *testing.T) {
runUTLSClientTestTLS12(t, test, helloID)
}
// tests consistency of fingerprint after HelloRetryRequest
// chrome 70 is used, due to only specifying X25519 in keyshare, but being able to generate P-256 curve too
// openssl server, configured to use P-256, will send HelloRetryRequest
func TestUTLSHelloRetryRequest(t *testing.T) {
helloID := HelloChrome_70
config := testConfig.Clone()
config.CurvePreferences = []CurveID{X25519, CurveP256}
test := &clientTest{
name: "UTLS-HelloRetryRequest-" + helloID.Str(),
command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
config: config,
}
runUTLSClientTestTLS13(t, test, helloID)
}
/*
*
HELPER FUNCTIONS BELOW

377
u_parrots.go
View file

@ -5,16 +5,13 @@
package tls
import (
"crypto/rand"
"crypto/sha256"
"encoding/binary"
"errors"
"fmt"
"io"
"math/big"
"sort"
"strconv"
"time"
)
func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
@ -136,7 +133,81 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
CurveP256,
CurveP384,
}},
&GenericExtension{id: fakeCertCompressionAlgs, data: []byte{02, 00, 02}},
&FakeCertCompressionAlgsExtension{[]CertCompressionAlgo{CertCompressionBrotli}},
&UtlsGREASEExtension{},
&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
},
}, nil
case HelloChrome_72:
return ClientHelloSpec{
CipherSuites: []uint16{
GREASE_PLACEHOLDER,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
},
CompressionMethods: []byte{
0x00, // compressionNone
},
Extensions: []TLSExtension{
&UtlsGREASEExtension{},
&SNIExtension{},
&UtlsExtendedMasterSecretExtension{},
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient},
&SupportedCurvesExtension{[]CurveID{
CurveID(GREASE_PLACEHOLDER),
X25519,
CurveP256,
CurveP384,
}},
&SupportedPointsExtension{SupportedPoints: []byte{
0x00, // pointFormatUncompressed
}},
&SessionTicketExtension{},
&ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}},
&StatusRequestExtension{},
&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
ECDSAWithP256AndSHA256,
PSSWithSHA256,
PKCS1WithSHA256,
ECDSAWithP384AndSHA384,
PSSWithSHA384,
PKCS1WithSHA384,
PSSWithSHA512,
PKCS1WithSHA512,
PKCS1WithSHA1,
}},
&SCTExtension{},
&KeyShareExtension{[]KeyShare{
{Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}},
{Group: X25519},
}},
&PSKKeyExchangeModesExtension{[]uint8{
PskModeDHE,
}},
&SupportedVersionsExtension{[]uint16{
GREASE_PLACEHOLDER,
VersionTLS13,
VersionTLS12,
VersionTLS11,
VersionTLS10,
}},
&FakeCertCompressionAlgsExtension{[]CertCompressionAlgo{
CertCompressionBrotli,
}},
&UtlsGREASEExtension{},
&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
},
@ -189,7 +260,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
},
GetSessionID: nil,
}, nil
case HelloFirefox_63:
case HelloFirefox_63, HelloFirefox_65:
return ClientHelloSpec{
TLSVersMin: VersionTLS10,
TLSVersMax: VersionTLS13,
@ -257,7 +328,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
PKCS1WithSHA1,
}},
&PSKKeyExchangeModesExtension{[]uint8{pskModeDHE}},
&GenericExtension{id: fakeRecordSizeLimit, data: []byte{0x40, 0x01}},
&FakeRecordSizeLimitExtension{0x4001},
&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
}}, nil
case HelloIOS_11_1:
@ -319,6 +390,68 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
}},
},
}, nil
case HelloIOS_12_1:
return ClientHelloSpec{
CipherSuites: []uint16{
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
0xc008,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
},
CompressionMethods: []byte{
compressionNone,
},
Extensions: []TLSExtension{
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient},
&SNIExtension{},
&UtlsExtendedMasterSecretExtension{},
&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
ECDSAWithP256AndSHA256,
PSSWithSHA256,
PKCS1WithSHA256,
ECDSAWithP384AndSHA384,
ECDSAWithSHA1,
PSSWithSHA384,
PSSWithSHA384,
PKCS1WithSHA384,
PSSWithSHA512,
PKCS1WithSHA512,
PKCS1WithSHA1,
}},
&StatusRequestExtension{},
&NPNExtension{},
&SCTExtension{},
&ALPNExtension{AlpnProtocols: []string{"h2", "h2-16", "h2-15", "h2-14", "spdy/3.1", "spdy/3", "http/1.1"}},
&SupportedPointsExtension{SupportedPoints: []byte{
pointFormatUncompressed,
}},
&SupportedCurvesExtension{[]CurveID{
X25519,
CurveP256,
CurveP384,
CurveP521,
}},
},
}, nil
default:
return ClientHelloSpec{}, errors.New("ClientHello ID " + id.Str() + " is unknown")
}
@ -326,25 +459,15 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
var spec ClientHelloSpec
uconn.ClientHelloID = id
// choose/generate the spec
switch id {
case HelloRandomized:
if tossBiasedCoin(0.5) {
return uconn.applyPresetByID(HelloRandomizedALPN)
} else {
return uconn.applyPresetByID(HelloRandomizedNoALPN)
}
case HelloRandomizedALPN:
spec, err = uconn.generateRandomizedSpec(true)
switch id.Client {
case helloRandomized, helloRandomizedNoALPN, helloRandomizedALPN:
spec, err = uconn.generateRandomizedSpec()
if err != nil {
return err
}
case HelloRandomizedNoALPN:
spec, err = uconn.generateRandomizedSpec(false)
if err != nil {
return err
}
case HelloCustom:
case helloCustom:
return nil
default:
@ -354,7 +477,6 @@ func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
}
}
uconn.clientHelloID = id
return uconn.ApplyPreset(&spec)
}
@ -363,7 +485,8 @@ func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
// same ClientHelloSpec. It is advised to use different specs and avoid any shared state.
func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
var err error
err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax)
err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax, p.Extensions)
if err != nil {
return err
}
@ -441,6 +564,11 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
}
grease_extensions_seen += 1
case *SessionTicketExtension:
if session == nil && uconn.config.ClientSessionCache != nil {
cacheKey := clientSessionCacheKey(uconn.RemoteAddr(), uconn.config)
session, _ = uconn.config.ClientSessionCache.Get(cacheKey)
// TODO: use uconn.loadSession(hello.getPrivatePtr()) to support TLS 1.3 PSK-style resumption
}
err := uconn.SetSessionState(session)
if err != nil {
return err
@ -486,24 +614,52 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
return nil
}
func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, error) {
func (uconn *UConn) generateRandomizedSpec() (ClientHelloSpec, error) {
p := ClientHelloSpec{}
if uconn.ClientHelloID.Seed == nil {
seed, err := NewPRNGSeed()
if err != nil {
return p, err
}
uconn.ClientHelloID.Seed = seed
}
r := newPRNGWithSeed(uconn.ClientHelloID.Seed)
id := uconn.ClientHelloID
var WithALPN bool
switch id.Client {
case helloRandomizedALPN:
WithALPN = true
case helloRandomizedNoALPN:
WithALPN = false
case helloRandomized:
if r.FlipWeightedCoin(0.7) {
WithALPN = true
} else {
WithALPN = false
}
default:
return p, fmt.Errorf("using non-randomized ClientHelloID %v to generate randomized spec", id.Client)
}
p.CipherSuites = make([]uint16, len(defaultCipherSuites()))
copy(p.CipherSuites, defaultCipherSuites())
shuffledSuites, err := shuffledCiphers()
shuffledSuites, err := shuffledCiphers(r)
if err != nil {
return p, err
}
if tossBiasedCoin(0.4) {
if r.FlipWeightedCoin(0.4) {
p.TLSVersMin = VersionTLS10
p.TLSVersMax = VersionTLS13
tls13ciphers := defaultCipherSuitesTLS13()
err = shuffleUInts16(tls13ciphers)
if err != nil {
return p, err
}
tls13ciphers := make([]uint16, len(defaultCipherSuitesTLS13()))
copy(tls13ciphers, defaultCipherSuitesTLS13())
r.rand.Shuffle(len(tls13ciphers), func(i, j int) {
tls13ciphers[i], tls13ciphers[j] = tls13ciphers[j], tls13ciphers[i]
})
// appending TLS 1.3 ciphers before TLS 1.2, since that's what popular implementations do
shuffledSuites = append(tls13ciphers, shuffledSuites...)
@ -514,7 +670,7 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
p.TLSVersMax = VersionTLS12
}
p.CipherSuites = removeRandomCiphers(shuffledSuites, 0.4)
p.CipherSuites = removeRandomCiphers(r, shuffledSuites, 0.4)
sni := SNIExtension{uconn.config.ServerName}
sessionTicket := SessionTicketExtension{Session: uconn.HandshakeState.Session}
@ -528,26 +684,25 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
PKCS1WithSHA512,
}
if tossBiasedCoin(0.63) {
if r.FlipWeightedCoin(0.63) {
sigAndHashAlgos = append(sigAndHashAlgos, ECDSAWithSHA1)
}
if tossBiasedCoin(0.59) {
if r.FlipWeightedCoin(0.59) {
sigAndHashAlgos = append(sigAndHashAlgos, ECDSAWithP521AndSHA512)
}
if tossBiasedCoin(0.51) || p.TLSVersMax == VersionTLS13 {
if r.FlipWeightedCoin(0.51) || p.TLSVersMax == VersionTLS13 {
// https://tools.ietf.org/html/rfc8446 says "...RSASSA-PSS (which is mandatory in TLS 1.3)..."
sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA256)
if tossBiasedCoin(0.9) {
if r.FlipWeightedCoin(0.9) {
// these usually go together
sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA384)
sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA512)
}
}
err = shuffleSignatures(sigAndHashAlgos)
if err != nil {
return p, err
}
r.rand.Shuffle(len(sigAndHashAlgos), func(i, j int) {
sigAndHashAlgos[i], sigAndHashAlgos[j] = sigAndHashAlgos[j], sigAndHashAlgos[i]
})
sigAndHash := SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: sigAndHashAlgos}
status := StatusRequestExtension{}
@ -556,11 +711,11 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
curveIDs := []CurveID{}
if tossBiasedCoin(0.71) || p.TLSVersMax == VersionTLS13 {
if r.FlipWeightedCoin(0.71) || p.TLSVersMax == VersionTLS13 {
curveIDs = append(curveIDs, X25519)
}
curveIDs = append(curveIDs, CurveP256, CurveP384)
if tossBiasedCoin(0.46) {
if r.FlipWeightedCoin(0.46) {
curveIDs = append(curveIDs, CurveP521)
}
@ -586,28 +741,28 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
p.Extensions = append(p.Extensions, &alpn)
}
if tossBiasedCoin(0.62) || p.TLSVersMax == VersionTLS13 {
if r.FlipWeightedCoin(0.62) || p.TLSVersMax == VersionTLS13 {
// always include for TLS 1.3, since TLS 1.3 ClientHellos are often over 256 bytes
// and that's when padding is required to work around buggy middleboxes
p.Extensions = append(p.Extensions, &padding)
}
if tossBiasedCoin(0.74) {
if r.FlipWeightedCoin(0.74) {
p.Extensions = append(p.Extensions, &status)
}
if tossBiasedCoin(0.46) {
if r.FlipWeightedCoin(0.46) {
p.Extensions = append(p.Extensions, &sct)
}
if tossBiasedCoin(0.75) {
if r.FlipWeightedCoin(0.75) {
p.Extensions = append(p.Extensions, &reneg)
}
if tossBiasedCoin(0.77) {
if r.FlipWeightedCoin(0.77) {
p.Extensions = append(p.Extensions, &ems)
}
if p.TLSVersMax == VersionTLS13 {
ks := KeyShareExtension{[]KeyShare{
{Group: X25519}, // the key for the group will be generated later
}}
if tossBiasedCoin(0.25) {
if r.FlipWeightedCoin(0.25) {
// do not ADD second keyShare because crypto/tls does not support multiple ecdheParams
// TODO: add it back when they implement multiple keyShares, or implement it oursevles
// ks.KeyShares = append(ks.KeyShares, KeyShare{Group: CurveP256})
@ -619,38 +774,14 @@ func (uconn *UConn) generateRandomizedSpec(WithALPN bool) (ClientHelloSpec, erro
}
p.Extensions = append(p.Extensions, &ks, &pskExchangeModes, &supportedVersionsExt)
}
err = shuffleTLSExtensions(p.Extensions)
if err != nil {
return p, err
}
err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax)
if err != nil {
return p, err
}
r.rand.Shuffle(len(p.Extensions), func(i, j int) {
p.Extensions[i], p.Extensions[j] = p.Extensions[j], p.Extensions[i]
})
return p, nil
}
func tossBiasedCoin(probability float32) bool {
// probability is expected to be in [0,1]
// this function never returns errors for ease of use
const precision = 0xffff
threshold := float32(precision) * probability
value, err := getRandInt(precision)
if err != nil {
// I doubt that this code will ever actually be used, as other functions are expected to complain
// about used source of entropy. Nonetheless, this is more than enough for given purpose
return ((time.Now().Unix() & 1) == 0)
}
if float32(value) <= threshold {
return true
} else {
return false
}
}
func removeRandomCiphers(s []uint16, maxRemovalProbability float32) []uint16 {
func removeRandomCiphers(r *prng, s []uint16, maxRemovalProbability float64) []uint16 {
// removes elements in place
// probability to remove increases for further elements
// never remove first cipher
@ -659,10 +790,10 @@ func removeRandomCiphers(s []uint16, maxRemovalProbability float32) []uint16 {
}
// remove random elements
floatLen := float32(len(s))
floatLen := float64(len(s))
sliceLen := len(s)
for i := 1; i < sliceLen; i++ {
if tossBiasedCoin(maxRemovalProbability * float32(i) / floatLen) {
if r.FlipWeightedCoin(maxRemovalProbability * float64(i) / floatLen) {
s = append(s[:i], s[i+1:]...)
sliceLen--
i--
@ -671,46 +802,9 @@ func removeRandomCiphers(s []uint16, maxRemovalProbability float32) []uint16 {
return s[:sliceLen]
}
func removeRC4Ciphers(s []uint16) []uint16 {
// removes elements in place
sliceLen := len(s)
for i := 0; i < sliceLen; i++ {
cipher := s[i]
if cipher == TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ||
cipher == TLS_ECDHE_RSA_WITH_RC4_128_SHA ||
cipher == TLS_RSA_WITH_RC4_128_SHA {
s = append(s[:i], s[i+1:]...)
sliceLen--
i--
}
}
return s[:sliceLen]
}
func getRandInt(max int) (int, error) {
bigInt, err := rand.Int(rand.Reader, big.NewInt(int64(max)))
return int(bigInt.Int64()), err
}
func getRandPerm(n int) ([]int, error) {
permArray := make([]int, n)
for i := 1; i < n; i++ {
j, err := getRandInt(i + 1)
if err != nil {
return permArray, err
}
permArray[i] = permArray[j]
permArray[j] = i
}
return permArray, nil
}
func shuffledCiphers() ([]uint16, error) {
func shuffledCiphers(r *prng) ([]uint16, error) {
ciphers := make(sortableCiphers, len(cipherSuites))
perm, err := getRandPerm(len(cipherSuites))
if err != nil {
return nil, err
}
perm := r.Perm(len(cipherSuites))
for i, suite := range cipherSuites {
ciphers[i] = sortableCipher{suite: suite.id,
isObsolete: ((suite.flags & suiteTLS12) == 0),
@ -754,41 +848,18 @@ func (ciphers sortableCiphers) GetCiphers() []uint16 {
return cipherIDs
}
// so much for generics
func shuffleTLSExtensions(s []TLSExtension) error {
// shuffles array in place
perm, err := getRandPerm(len(s))
if err != nil {
return err
func removeRC4Ciphers(s []uint16) []uint16 {
// removes elements in place
sliceLen := len(s)
for i := 0; i < sliceLen; i++ {
cipher := s[i]
if cipher == TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ||
cipher == TLS_ECDHE_RSA_WITH_RC4_128_SHA ||
cipher == TLS_RSA_WITH_RC4_128_SHA {
s = append(s[:i], s[i+1:]...)
sliceLen--
i--
}
}
for i := range s {
s[i], s[perm[i]] = s[perm[i]], s[i]
}
return nil
}
// so much for generics
func shuffleSignatures(s []SignatureScheme) error {
// shuffles array in place
perm, err := getRandPerm(len(s))
if err != nil {
return err
}
for i := range s {
s[i], s[perm[i]] = s[perm[i]], s[i]
}
return nil
}
// so much for generics
func shuffleUInts16(s []uint16) error {
// shuffles array in place
perm, err := getRandPerm(len(s))
if err != nil {
return err
}
for i := range s {
s[i], s[perm[i]] = s[perm[i]], s[i]
}
return nil
return s[:sliceLen]
}

202
u_prng.go Normal file
View file

@ -0,0 +1,202 @@
/*
* Copyright (c) 2019, Psiphon Inc.
* All rights reserved.
*
* Released under utls licence:
* https://github.com/refraction-networking/utls/blob/master/LICENSE
*/
// This code is a pared down version of:
// https://github.com/Psiphon-Labs/psiphon-tunnel-core/blob/158caea562287284cc3fa5fcd1b3c97b1addf659/psiphon/common/prng/prng.go
package tls
import (
crypto_rand "crypto/rand"
"encoding/binary"
"math"
"math/rand"
"sync"
"github.com/Yawning/chacha20"
)
const (
PRNGSeedLength = 32
)
// PRNGSeed is a PRNG seed.
type PRNGSeed [PRNGSeedLength]byte
// NewPRNGSeed creates a new PRNG seed using crypto/rand.Read.
func NewPRNGSeed() (*PRNGSeed, error) {
seed := new(PRNGSeed)
_, err := crypto_rand.Read(seed[:])
if err != nil {
return nil, err
}
return seed, nil
}
// prng is a seeded, unbiased PRNG based on chacha20. that is suitable for use
// cases such as obfuscation.
//
// Seeding is based on crypto/rand.Read and the PRNG stream is provided by
// chacha20.
//
// This PRNG is _not_ for security use cases including production cryptographic
// key generation.
//
// Limitations: there is a cycle in the PRNG stream, after roughly 2^64 * 2^38-64
// bytes.
//
// It is safe to make concurrent calls to a PRNG instance.
//
// PRNG conforms to io.Reader and math/rand.Source, with additional helper
// functions.
type prng struct {
rand *rand.Rand
randomStreamMutex sync.Mutex
randomStreamSeed *PRNGSeed
randomStream *chacha20.Cipher
randomStreamUsed uint64
randomStreamRekeyCount uint64
}
// newPRNG generates a seed and creates a PRNG with that seed.
func newPRNG() (*prng, error) {
seed, err := NewPRNGSeed()
if err != nil {
return nil, err
}
return newPRNGWithSeed(seed), nil
}
// newPRNGWithSeed initializes a new PRNG using an existing seed.
func newPRNGWithSeed(seed *PRNGSeed) *prng {
p := &prng{
randomStreamSeed: seed,
}
p.rekey()
p.rand = rand.New(p)
return p
}
// Read reads random bytes from the PRNG stream into b. Read conforms to
// io.Reader and always returns len(p), nil.
func (p *prng) Read(b []byte) (int, error) {
p.randomStreamMutex.Lock()
defer p.randomStreamMutex.Unlock()
// Re-key before reaching the 2^38-64 chacha20 key stream limit.
if p.randomStreamUsed+uint64(len(b)) >= uint64(1<<38-64) {
p.rekey()
}
p.randomStream.KeyStream(b)
p.randomStreamUsed += uint64(len(b))
return len(b), nil
}
func (p *prng) rekey() {
// chacha20 has a stream limit of 2^38-64. Before that limit is reached,
// the cipher must be rekeyed. To rekey without changing the seed, we use
// a counter for the nonce.
//
// Limitation: the counter wraps at 2^64, which produces a cycle in the
// PRNG after 2^64 * 2^38-64 bytes.
//
// TODO: this could be extended by using all 2^96 bits of the nonce for
// the counter; and even further by using the 24 byte XChaCha20 nonce.
var randomKeyNonce [12]byte
binary.BigEndian.PutUint64(randomKeyNonce[0:8], p.randomStreamRekeyCount)
var err error
p.randomStream, err = chacha20.NewCipher(
p.randomStreamSeed[:], randomKeyNonce[:])
if err != nil {
// Functions returning random values, which may call rekey, don't
// return an error. As of github.com/Yawning/chacha20 rev. e3b1f968,
// the only possible errors from chacha20.NewCipher invalid key or
// nonce size, and since we use the correct sizes, there should never
// be an error here. So panic in this unexpected case.
panic(err)
}
p.randomStreamRekeyCount += 1
p.randomStreamUsed = 0
}
// Int63 is equivilent to math/read.Int63.
func (p *prng) Int63() int64 {
i := p.Uint64()
return int64(i & (1<<63 - 1))
}
// Int63 is equivilent to math/read.Uint64.
func (p *prng) Uint64() uint64 {
var b [8]byte
p.Read(b[:])
return binary.BigEndian.Uint64(b[:])
}
// Seed must exist in order to use a PRNG as a math/rand.Source. This call is
// not supported and ignored.
func (p *prng) Seed(_ int64) {
}
// FlipWeightedCoin returns the result of a weighted
// random coin flip. If the weight is 0.5, the outcome
// is equally likely to be true or false. If the weight
// is 1.0, the outcome is always true, and if the
// weight is 0.0, the outcome is always false.
//
// Input weights > 1.0 are treated as 1.0.
func (p *prng) FlipWeightedCoin(weight float64) bool {
if weight > 1.0 {
weight = 1.0
}
f := float64(p.Int63()) / float64(math.MaxInt64)
return f > 1.0-weight
}
// Intn is equivilent to math/read.Intn, except it returns 0 if n <= 0
// instead of panicking.
func (p *prng) Intn(n int) int {
if n <= 0 {
return 0
}
return p.rand.Intn(n)
}
// Int63n is equivilent to math/read.Int63n, except it returns 0 if n <= 0
// instead of panicking.
func (p *prng) Int63n(n int64) int64 {
if n <= 0 {
return 0
}
return p.rand.Int63n(n)
}
// Intn is equivilent to math/read.Perm.
func (p *prng) Perm(n int) []int {
return p.rand.Perm(n)
}
// Range selects a random integer in [min, max].
// If min < 0, min is set to 0. If max < min, min is returned.
func (p *prng) Range(min, max int) int {
if min < 0 {
min = 0
}
if max < min {
return min
}
n := p.Intn(max - min + 1)
n += min
return n
}

12
u_public.go
View file

@ -27,6 +27,8 @@ type ClientHandshakeState struct {
State12 TLS12OnlyState
State13 TLS13OnlyState
uconn *UConn
}
// TLS 1.3 only
@ -69,6 +71,8 @@ func (chs *ClientHandshakeState) toPrivate13() *clientHandshakeStateTLS13 {
transcript: chs.State13.Transcript,
masterSecret: chs.MasterSecret,
trafficSecret: chs.State13.TrafficSecret,
uconn: chs.uconn,
}
}
}
@ -98,6 +102,8 @@ func (chs13 *clientHandshakeStateTLS13) toPublic13() *ClientHandshakeState {
MasterSecret: chs13.masterSecret,
State13: tls13State,
uconn: chs13.uconn,
}
}
}
@ -116,11 +122,13 @@ func (chs *ClientHandshakeState) toPrivate12() *clientHandshakeState {
masterSecret: chs.MasterSecret,
finishedHash: *chs.State12.FinishedHash.getPrivatePtr(),
uconn: chs.uconn,
}
}
}
func (chs12 *clientHandshakeState) toPublic13() *ClientHandshakeState {
func (chs12 *clientHandshakeState) toPublic12() *ClientHandshakeState {
if chs12 == nil {
return nil
} else {
@ -138,6 +146,8 @@ func (chs12 *clientHandshakeState) toPublic13() *ClientHandshakeState {
MasterSecret: chs12.masterSecret,
State12: tls12State,
uconn: chs12.uconn,
}
}
}

42
u_roller.go
View file

@ -12,21 +12,21 @@ type Roller struct {
WorkingHelloID *ClientHelloID
TcpDialTimeout time.Duration
TlsHandshakeTimeout time.Duration
r *prng
}
// NewRoller creates Roller object with default range of HelloIDs to cycle through until a
// working/unblocked one is found.
func NewRoller() (*Roller, error) {
tcpDialTimeoutInc, err := getRandInt(14)
r, err := newPRNG()
if err != nil {
return nil, err
}
tcpDialTimeoutInc := r.Intn(14)
tcpDialTimeoutInc = 7 + tcpDialTimeoutInc
tlsHandshakeTimeoutInc, err := getRandInt(20)
if err != nil {
return nil, err
}
tlsHandshakeTimeoutInc := r.Intn(20)
tlsHandshakeTimeoutInc = 11 + tlsHandshakeTimeoutInc
return &Roller{
@ -38,6 +38,7 @@ func NewRoller() (*Roller, error) {
},
TcpDialTimeout: time.Second * time.Duration(tcpDialTimeoutInc),
TlsHandshakeTimeout: time.Second * time.Duration(tlsHandshakeTimeoutInc),
r: r,
}, nil
}
@ -49,25 +50,32 @@ func NewRoller() (*Roller, error) {
// Dial("tcp4", "google.com:443", "google.com")
// Dial("tcp", "10.23.144.22:443", "mywebserver.org")
func (c *Roller) Dial(network, addr, serverName string) (*UConn, error) {
helloIDs, err := shuffleClientHelloIDs(c.HelloIDs)
if err != nil {
return nil, err
}
helloIDs := make([]ClientHelloID, len(c.HelloIDs))
copy(helloIDs, c.HelloIDs)
c.r.rand.Shuffle(len(c.HelloIDs), func(i, j int) {
helloIDs[i], helloIDs[j] = helloIDs[j], helloIDs[i]
})
c.HelloIDMu.Lock()
workingHelloId := c.WorkingHelloID // keep using same helloID, if it works
c.HelloIDMu.Unlock()
if workingHelloId != nil {
helloIDFound := false
for i, ID := range helloIDs {
if ID == *workingHelloId {
helloIDs[i] = helloIDs[0]
helloIDs[0] = *workingHelloId // push working hello ID first
helloIDFound = true
break
}
}
if !helloIDFound {
helloIDs = append([]ClientHelloID{*workingHelloId}, helloIDs...)
}
}
var tcpConn net.Conn
var err error
for _, helloID := range helloIDs {
tcpConn, err = net.DialTimeout(network, addr, c.TcpDialTimeout)
if err != nil {
@ -84,23 +92,9 @@ func (c *Roller) Dial(network, addr, serverName string) (*UConn, error) {
}
c.HelloIDMu.Lock()
c.WorkingHelloID = &helloID
c.WorkingHelloID = &client.ClientHelloID
c.HelloIDMu.Unlock()
return client, err
}
return nil, err
}
// returns a shuffled copy of input
func shuffleClientHelloIDs(helloIDs []ClientHelloID) ([]ClientHelloID, error) {
perm, err := getRandPerm(len(helloIDs))
if err != nil {
return nil, err
}
shuffled := make([]ClientHelloID, len(helloIDs))
for i, randI := range perm {
shuffled[i] = helloIDs[randI]
}
return shuffled, nil
}

147
u_tls_extensions.go
View file

@ -392,32 +392,6 @@ func (e *GenericExtension) Read(b []byte) (int, error) {
return e.Len(), io.EOF
}
/*
FAKE EXTENSIONS
*/
type FakeChannelIDExtension struct {
}
func (e *FakeChannelIDExtension) writeToUConn(uc *UConn) error {
return nil
}
func (e *FakeChannelIDExtension) Len() int {
return 4
}
func (e *FakeChannelIDExtension) Read(b []byte) (int, error) {
if len(b) < e.Len() {
return 0, io.ErrShortBuffer
}
// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
b[0] = byte(fakeExtensionChannelID >> 8)
b[1] = byte(fakeExtensionChannelID & 0xff)
// The length is 0
return e.Len(), io.EOF
}
type UtlsExtendedMasterSecretExtension struct {
}
@ -684,5 +658,122 @@ func (e *SupportedVersionsExtension) Read(b []byte) (int, error) {
return e.Len(), io.EOF
}
// TODO: FakeCertificateCompressionAlgorithmsExtension
// TODO: FakeRecordSizeLimitExtension
// MUST NOT be part of initial ClientHello
type CookieExtension struct {
Cookie []byte
}
func (e *CookieExtension) writeToUConn(uc *UConn) error {
return nil
}
func (e *CookieExtension) Len() int {
return 4 + len(e.Cookie)
}
func (e *CookieExtension) Read(b []byte) (int, error) {
if len(b) < e.Len() {
return 0, io.ErrShortBuffer
}
b[0] = byte(extensionCookie >> 8)
b[1] = byte(extensionCookie)
b[2] = byte(len(e.Cookie) >> 8)
b[3] = byte(len(e.Cookie))
if len(e.Cookie) > 0 {
copy(b[4:], e.Cookie)
}
return e.Len(), io.EOF
}
/*
FAKE EXTENSIONS
*/
type FakeChannelIDExtension struct {
}
func (e *FakeChannelIDExtension) writeToUConn(uc *UConn) error {
return nil
}
func (e *FakeChannelIDExtension) Len() int {
return 4
}
func (e *FakeChannelIDExtension) Read(b []byte) (int, error) {
if len(b) < e.Len() {
return 0, io.ErrShortBuffer
}
// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
b[0] = byte(fakeExtensionChannelID >> 8)
b[1] = byte(fakeExtensionChannelID & 0xff)
// The length is 0
return e.Len(), io.EOF
}
type FakeCertCompressionAlgsExtension struct {
Methods []CertCompressionAlgo
}
func (e *FakeCertCompressionAlgsExtension) writeToUConn(uc *UConn) error {
return nil
}
func (e *FakeCertCompressionAlgsExtension) Len() int {
return 4 + 1 + (2 * len(e.Methods))
}
func (e *FakeCertCompressionAlgsExtension) Read(b []byte) (int, error) {
if len(b) < e.Len() {
return 0, io.ErrShortBuffer
}
// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
b[0] = byte(fakeCertCompressionAlgs >> 8)
b[1] = byte(fakeCertCompressionAlgs & 0xff)
extLen := 2 * len(e.Methods)
if extLen > 255 {
return 0, errors.New("too many certificate compression methods")
}
b[2] = byte((extLen + 1) >> 8)
b[3] = byte((extLen + 1) & 0xff)
b[4] = byte(extLen)
i := 5
for _, compMethod := range e.Methods {
b[i] = byte(compMethod >> 8)
b[i+1] = byte(compMethod)
i += 2
}
return e.Len(), io.EOF
}
type FakeRecordSizeLimitExtension struct {
Limit uint16
}
func (e *FakeRecordSizeLimitExtension) writeToUConn(uc *UConn) error {
return nil
}
func (e *FakeRecordSizeLimitExtension) Len() int {
return 6
}
func (e *FakeRecordSizeLimitExtension) Read(b []byte) (int, error) {
if len(b) < e.Len() {
return 0, io.ErrShortBuffer
}
// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
b[0] = byte(fakeRecordSizeLimit >> 8)
b[1] = byte(fakeRecordSizeLimit & 0xff)
b[2] = byte(0)
b[3] = byte(2)
b[4] = byte(e.Limit >> 8)
b[5] = byte(e.Limit & 0xff)
return e.Len(), io.EOF
}