wip: staging work

2025-04-03 20:17:36 +03:00 · 2023-03-12 22:36:57 -06:00 · 2023-03-12 22:36:57 -06:00 · 7ec8b3a298
commit 7ec8b3a298
parent 17e2929ff7
4 changed files with 260 additions and 88 deletions
--- a/u_clienthello_json.go
+++ b/u_clienthello_json.go
@ -0,0 +1,112 @@
+package tls
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+)
+
+var ErrNoExtensionID = errors.New("no extension ID in JSON object")
+
+type JSONClientHelloSpec struct {
+	CipherSuites []struct {
+		ID   uint16 `json:"id"`
+		Name string `json:"name,omitempty"` // optional
+	} `json:"cipher_suites"`
+	CompressionMethods []struct {
+		ID   uint8  `json:"id"`
+		Name string `json:"name,omitempty"` // optional
+	} `json:"compression_methods"`
+	Extensions []TLSExtensionJSONUnmarshaler `json:"extensions"`
+	TLSVersMin uint16                        `json:"min_vers,omitempty"` // optional
+	TLSVersMax uint16                        `json:"max_vers,omitempty"` // optional
+}
+
+type TLSExtensionJSONUnmarshaler struct {
+	id             uint16
+	name           string // optional
+	data           []byte // unknown ext
+	unmarshalInput []byte // debug
+	tlsExtension   TLSExtension
+}
+
+func (e *TLSExtensionJSONUnmarshaler) UnmarshalJSON(raw []byte) error {
+	e.unmarshalInput = raw
+
+	// First unmarshal the ID and Name (metadata)
+	var metadata struct {
+		ID   uint16 `json:"id"`
+		Name string `json:"name,omitempty"` // optional
+		Data []byte `json:"data,omitempty"` // optional, for UNKNOWN extensions
+	}
+	metadata.ID = 0xFFFF // invalid ID to detect if set
+
+	if err := json.Unmarshal(raw, &metadata); err != nil {
+		return err
+	}
+
+	if metadata.ID == 0xFFFF {
+		return ErrNoExtensionID // no ID in JSON object (so default value was used)
+	}
+	e.id = metadata.ID
+	e.name = metadata.Name
+	e.data = metadata.Data
+
+	// get extension type from ID
+	ext := ExtensionFromID(e.id)
+	if ext == nil {
+		return fmt.Errorf("unknown extension ID: %d", e.id)
+	}
+
+	if e.tlsExtension == nil {
+		e.fallbackToGenericExtension()
+	}
+
+	return nil
+}
+
+func (e *TLSExtensionJSONUnmarshaler) fallbackToGenericExtension() {
+	var warningMsg string = "WARNING: extension "
+	warningMsg += fmt.Sprintf("%d ", e.id)
+	if len(e.name) > 0 {
+		warningMsg += fmt.Sprintf("(%s) ", e.name)
+	}
+	warningMsg += "is falling back to generic extension"
+	if len(e.data) == 0 {
+		warningMsg += " with no data"
+	}
+	warningMsg += "\n"
+
+	// fallback to generic extension
+	genericExt := &GenericExtension{e.id, e.data}
+	e.tlsExtension = genericExt
+}
+
+/*
+{
+	"cipher_suites": [
+		{"id": 0x1301, "name": "TLS_AES_128_GCM_SHA256"},
+		{"id": 0x1302, "name": "TLS_AES_256_GCM_SHA384"}
+	],
+	"compression_methods": [
+		{"id": 0x00, "name": "null"}
+	],
+	"extensions": [
+		{"id": 0x7a7a, "name": "GREASE"}, // grease, id could be any 0xNaNa where N in 0~f
+		{"id": 0x0000, "name": "server_name"}, // don't use SNI's data
+		{"id": 0x0017, "name": "extended_master_secret"}, // no data
+		{"id": 0xff01, "name": "renegotiation_info", "renegotiation": 1},
+		{"id": 0x000a, "name": "supported_groups", "named_group_list": [
+			{"id": 0x1a1a, "name": "GREASE"},
+			{"id": 0x001d, "name": "x25519"},
+			{"id": 0x0017, "name": "secp256r1"},
+			{"id": 0x0018, "name": "secp384r1"}
+		]},
+		{"id": 0x0010, "name": "application_layer_protocol_negotiation", "protocol_name_list": [
+			"h2",
+			"http/1.1"
+		]},
+		...
+	]
+}
+*/
--- a/u_common.go
+++ b/u_common.go
@ -210,8 +210,9 @@ func (chs *ClientHelloSpec) ReadTLSExtensions(b []byte, allowBluntMimicry bool)
 			return fmt.Errorf("unable to read data for extension %x", extension)
 		}

-		extWriter := ExtensionIDToExtension(extension)
-		if extWriter != nil {
+		ext := ExtensionFromID(extension)
+		extWriter, ok := ext.(TLSExtensionWriter)
+		if ext != nil && ok { // known extension and implements TLSExtensionWriter properly
 			if extension == extensionSupportedVersions {
 				chs.TLSVersMin = 0
 				chs.TLSVersMax = 0
@ -293,8 +294,12 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 	}

 	for _, extType := range tlsExtensionTypes {
-		extension := ExtensionIDToExtension(extType)
-		if extension == nil {
+		extension := ExtensionFromID(extType)
+		extWriter, ok := extension.(TLSExtensionWriter)
+		if !ok {
+			return fmt.Errorf("unsupported extension %d", extType)
+		}
+		if extension == nil || !ok {
 			log.Printf("[Warning] Unsupported extension %d added as a &GenericExtension without Data", extType)
 			chs.Extensions = append(chs.Extensions, &GenericExtension{extType, []byte{}})
 		} else {
@ -303,7 +308,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 				if data["pt_fmts"] == nil {
 					return errors.New("pt_fmts is required")
 				}
-				_, err = extension.Write(data["pt_fmts"])
+				_, err = extWriter.Write(data["pt_fmts"])
 				if err != nil {
 					return err
 				}
@ -311,7 +316,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 				if data["sig_algs"] == nil {
 					return errors.New("sig_algs is required")
 				}
-				_, err = extension.Write(data["sig_algs"])
+				_, err = extWriter.Write(data["sig_algs"])
 				if err != nil {
 					return err
 				}
@ -327,7 +332,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 				fixedData := make([]byte, len(data["supported_versions"])+1)
 				fixedData[0] = uint8(len(data["supported_versions"]) & 0xff)
 				copy(fixedData[1:], data["supported_versions"])
-				_, err = extension.Write(fixedData)
+				_, err = extWriter.Write(fixedData)
 				if err != nil {
 					return err
 				}
@ -336,7 +341,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 					return errors.New("curves is required")
 				}

-				_, err = extension.Write(data["curves"])
+				_, err = extWriter.Write(data["curves"])
 				if err != nil {
 					return err
 				}
@ -345,7 +350,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 					return errors.New("alpn is required")
 				}

-				_, err = extension.Write(data["alpn"])
+				_, err = extWriter.Write(data["alpn"])
 				if err != nil {
 					return err
 				}
@ -365,7 +370,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 				// add uint16 length prefix
 				fixedData = append([]byte{uint8(len(fixedData) >> 8), uint8(len(fixedData) & 0xff)}, fixedData...)

-				_, err = extension.Write(fixedData)
+				_, err = extWriter.Write(fixedData)
 				if err != nil {
 					return err
 				}
@ -378,7 +383,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 				fixedData := make([]byte, len(data["psk_key_exchange_modes"])+1)
 				fixedData[0] = uint8(len(data["psk_key_exchange_modes"]) & 0xff)
 				copy(fixedData[1:], data["psk_key_exchange_modes"])
-				_, err = extension.Write(fixedData)
+				_, err = extWriter.Write(fixedData)
 				if err != nil {
 					return err
 				}
@ -391,7 +396,7 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 				fixedData := make([]byte, len(data["cert_compression_algs"])+1)
 				fixedData[0] = uint8(len(data["cert_compression_algs"]) & 0xff)
 				copy(fixedData[1:], data["cert_compression_algs"])
-				_, err = extension.Write(fixedData)
+				_, err = extWriter.Write(fixedData)
 				if err != nil {
 					return err
 				}
@ -400,13 +405,13 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 					return errors.New("record_size_limit is required")
 				}

-				_, err = extension.Write(data["record_size_limit"]) // uint16 as []byte
+				_, err = extWriter.Write(data["record_size_limit"]) // uint16 as []byte
 				if err != nil {
 					return err
 				}
 			case utlsExtensionApplicationSettings:
 				// TODO: tlsfingerprint.io should record/provide application settings data
-				extension.(*ApplicationSettingsExtension).SupportedProtocols = []string{"h2"}
+				extWriter.(*ApplicationSettingsExtension).SupportedProtocols = []string{"h2"}
 			case fakeExtensionPreSharedKey:
 				log.Printf("[Warning] PSK extension added without data")
 			default:
@ -416,12 +421,15 @@ func (chs *ClientHelloSpec) ImportTLSClientHello(data map[string][]byte) error {
 					log.Printf("[Warning] GREASE extension added but ID/Data discarded. They will be automatically re-GREASEd on ApplyPreset() call.")
 				}*/
 			}
-			chs.Extensions = append(chs.Extensions, extension)
+			chs.Extensions = append(chs.Extensions, extWriter)
 		}
 	}
 	return nil
 }

+// ImportTLSClientHelloFromJSON imports ClientHelloSpec from JSON data from client.tlsfingerprint.io format
+//
+// It calls ImportTLSClientHello internally after unmarshaling JSON data into map[string][]byte
 func (chs *ClientHelloSpec) ImportTLSClientHelloFromJSON(jsonB []byte) error {
 	var data map[string][]byte
 	err := json.Unmarshal(jsonB, &data)
@ -431,6 +439,93 @@ func (chs *ClientHelloSpec) ImportTLSClientHelloFromJSON(jsonB []byte) error {
 	return chs.ImportTLSClientHello(data)
 }

+// FromRaw converts a ClientHello message in the form of raw bytes into a ClientHelloSpec.
+func (chs *ClientHelloSpec) FromRaw(raw []byte, allowBluntMimicry ...bool) error {
+	if chs == nil {
+		return errors.New("cannot unmarshal into nil ClientHelloSpec")
+	}
+
+	var bluntMimicry = false
+	if len(allowBluntMimicry) == 1 {
+		bluntMimicry = allowBluntMimicry[0]
+	}
+
+	*chs = ClientHelloSpec{} // reset
+	s := cryptobyte.String(raw)
+
+	var contentType uint8
+	var recordVersion uint16
+	if !s.ReadUint8(&contentType) || // record type
+		!s.ReadUint16(&recordVersion) || !s.Skip(2) { // record version and length
+		return errors.New("unable to read record type, version, and length")
+	}
+
+	if recordType(contentType) != recordTypeHandshake {
+		return errors.New("record is not a handshake")
+	}
+
+	var handshakeVersion uint16
+	var handshakeType uint8
+
+	if !s.ReadUint8(&handshakeType) || !s.Skip(3) || // message type and 3 byte length
+		!s.ReadUint16(&handshakeVersion) || !s.Skip(32) { // 32 byte random
+		return errors.New("unable to read handshake message type, length, and random")
+	}
+
+	if handshakeType != typeClientHello {
+		return errors.New("handshake message is not a ClientHello")
+	}
+
+	chs.TLSVersMin = recordVersion
+	chs.TLSVersMax = handshakeVersion
+
+	var ignoredSessionID cryptobyte.String
+	if !s.ReadUint8LengthPrefixed(&ignoredSessionID) {
+		return errors.New("unable to read session id")
+	}
+
+	// CipherSuites
+	var cipherSuitesBytes cryptobyte.String
+	if !s.ReadUint16LengthPrefixed(&cipherSuitesBytes) {
+		return errors.New("unable to read ciphersuites")
+	}
+
+	if err := chs.ReadCipherSuites(cipherSuitesBytes); err != nil {
+		return err
+	}
+
+	// CompressionMethods
+	var compressionMethods cryptobyte.String
+	if !s.ReadUint8LengthPrefixed(&compressionMethods) {
+		return errors.New("unable to read compression methods")
+	}
+
+	if err := chs.ReadCompressionMethods(compressionMethods); err != nil {
+		return err
+	}
+
+	if s.Empty() {
+		// Extensions are optional
+		return nil
+	}
+
+	var extensions cryptobyte.String
+	if !s.ReadUint16LengthPrefixed(&extensions) {
+		return errors.New("unable to read extensions data")
+	}
+
+	if err := chs.ReadTLSExtensions(extensions, bluntMimicry); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// UnmarshalJSON unmarshals a ClientHello message in the form of JSON into a ClientHelloSpec.
+func (chs *ClientHelloSpec) UnmarshalJSON(jsonB []byte) error {
+	return errors.New("unimplemented")
+}
+
 var (
 	// HelloGolang will use default "crypto/tls" handshake marshaling codepath, which WILL
 	// overwrite your changes to Hello(Config, Session are fine).
--- a/u_fingerprinter.go
+++ b/u_fingerprinter.go
@ -4,12 +4,6 @@

 package tls

-import (
-	"errors"
-
-	"golang.org/x/crypto/cryptobyte"
-)
-
 // Fingerprinter is a struct largely for holding options for the FingerprintClientHello func
 type Fingerprinter struct {
 	// AllowBluntMimicry will ensure that unknown extensions are
@ -36,72 +30,36 @@ type Fingerprinter struct {
 // as well as the handshake type/length/version header
 // https://tools.ietf.org/html/rfc5246#section-6.2
 // https://tools.ietf.org/html/rfc5246#section-7.4
+//
+// It calls UnmarshalClientHello internally, and is kept for backwards compatibility
 func (f *Fingerprinter) FingerprintClientHello(data []byte) (clientHelloSpec *ClientHelloSpec, err error) {
+	return f.RawClientHello(data)
+}
+
+// RawClientHello returns a ClientHelloSpec which is based on the
+// ClientHello raw bytes that is passed in as the raw argument.
+//
+// It was renamed from FingerprintClientHello in v1.3.1 and earlier versions
+// as a more precise name for the function
+func (f *Fingerprinter) RawClientHello(raw []byte) (clientHelloSpec *ClientHelloSpec, err error) {
 	clientHelloSpec = &ClientHelloSpec{}
-	s := cryptobyte.String(data)
-
-	var contentType uint8
-	var recordVersion uint16
-	if !s.ReadUint8(&contentType) || // record type
-		!s.ReadUint16(&recordVersion) || !s.Skip(2) { // record version and length
-		return nil, errors.New("unable to read record type, version, and length")
-	}
-
-	if recordType(contentType) != recordTypeHandshake {
-		return nil, errors.New("record is not a handshake")
-	}
-
-	var handshakeVersion uint16
-	var handshakeType uint8
-
-	if !s.ReadUint8(&handshakeType) || !s.Skip(3) || // message type and 3 byte length
-		!s.ReadUint16(&handshakeVersion) || !s.Skip(32) { // 32 byte random
-		return nil, errors.New("unable to read handshake message type, length, and random")
-	}
-
-	if handshakeType != typeClientHello {
-		return nil, errors.New("handshake message is not a ClientHello")
-	}
-
-	clientHelloSpec.TLSVersMin = recordVersion
-	clientHelloSpec.TLSVersMax = handshakeVersion
-
-	var ignoredSessionID cryptobyte.String
-	if !s.ReadUint8LengthPrefixed(&ignoredSessionID) {
-		return nil, errors.New("unable to read session id")
-	}
-
-	// CipherSuites
-	var cipherSuitesBytes cryptobyte.String
-	if !s.ReadUint16LengthPrefixed(&cipherSuitesBytes) {
-		return nil, errors.New("unable to read ciphersuites")
-	}
-	err = clientHelloSpec.ReadCipherSuites(cipherSuitesBytes)
-	if err != nil {
-		return nil, err
-	}
-
-	// CompressionMethods
-	var compressionMethods cryptobyte.String
-	if !s.ReadUint8LengthPrefixed(&compressionMethods) {
-		return nil, errors.New("unable to read compression methods")
-	}
-	err = clientHelloSpec.ReadCompressionMethods(compressionMethods)
-	if err != nil {
-		return nil, err
-	}
-
-	if s.Empty() {
-		// ClientHello is optionally followed by extension data
-		return clientHelloSpec, nil
-	}
-
-	var extensions cryptobyte.String
-	if !s.ReadUint16LengthPrefixed(&extensions) {
-		return nil, errors.New("unable to read extensions data")
-	}
-
-	err = clientHelloSpec.ReadTLSExtensions(extensions, f.AllowBluntMimicry)
+	err = clientHelloSpec.FromRaw(raw, f.AllowBluntMimicry)
+	if err != nil {
+		return nil, err
+	}
+
+	if f.AlwaysAddPadding {
+		clientHelloSpec.AlwaysAddPadding()
+	}
+
+	return clientHelloSpec, nil
+}
+
+// UnmarshalJSONClientHello returns a ClientHelloSpec which is based on the
+// ClientHello JSON bytes that is passed in as the json argument.
+func (f *Fingerprinter) UnmarshalJSONClientHello(json []byte) (clientHelloSpec *ClientHelloSpec, err error) {
+	clientHelloSpec = &ClientHelloSpec{}
+	err = clientHelloSpec.UnmarshalJSON(json)
 	if err != nil {
 		return nil, err
 	}
--- a/u_tls_extensions.go
+++ b/u_tls_extensions.go
@ -12,8 +12,8 @@ import (
 	"golang.org/x/crypto/cryptobyte"
 )

-// ExtensionIDToExtension returns a TLSExtension for the given extension ID.
-func ExtensionIDToExtension(id uint16) TLSExtensionWriter {
+// ExtensionFromID returns a TLSExtension for the given extension ID.
+func ExtensionFromID(id uint16) TLSExtension {
 	// deep copy
 	switch id {
 	case extensionServerName:
@ -100,6 +100,13 @@ type TLSExtensionWriter interface {
 	Write(b []byte) (n int, err error)
 }

+type TLSExtensionJSON interface {
+	TLSExtension
+
+	// UnmarshalJSON unmarshals the JSON-encoded data into the extension.
+	UnmarshalJSON([]byte) error
+}
+
 type NPNExtension struct {
 	NextProtos []string
 }
@ -554,7 +561,7 @@ func (e *RenegotiationInfoExtension) Read(b []byte) (int, error) {
 }

 func (e *RenegotiationInfoExtension) Write(_ []byte) (int, error) {
-	e.Renegotiation = RenegotiateOnceAsClient
+	e.Renegotiation = RenegotiateOnceAsClient // none empty or other modes are unsupported
 	return 0, nil
 }