Integrate new fake package and doppel into proxy

mtglib/internal/tls/fake/client_side.go

 	"slices"
 	"time"
 
-	"github.com/9seconds/mtg/v2/mtglib"
 	"github.com/9seconds/mtg/v2/mtglib/internal/tls"
 )
 
 	CipherSuite uint16
 }
 
-func ReadClientHello(conn net.Conn, secret mtglib.Secret, tolerateTimeSkewness time.Duration) (*ClientHello, error) {
+func ReadClientHello(
+	conn net.Conn,
+	secret []byte,
+	hostname string,
+	tolerateTimeSkewness time.Duration,
+) (*ClientHello, error) {
 	if err := conn.SetReadDeadline(time.Now().Add(ClientHelloReadTimeout)); err != nil {
 		return nil, fmt.Errorf("cannot set read deadline: %w", err)
 	}
 		return nil, fmt.Errorf("cannot parse SNI: %w", err)
 	}
 
-	if !slices.Contains(sniHostnames, secret.Host) {
-		return nil, fmt.Errorf("cannot find %s in %v", secret.Host, sniHostnames)
+	if !slices.Contains(sniHostnames, hostname) {
+		return nil, fmt.Errorf("cannot find %s in %v", hostname, sniHostnames)
 	}
 
-	digest := hmac.New(sha256.New, secret.Key[:])
+	digest := hmac.New(sha256.New, secret)
 	// we write a copy of the handshake with client random all nullified.
 	digest.Write(handshakeCopyBuf.Next(RandomOffset))
 	handshakeCopyBuf.Next(RandomLen)

mtglib/internal/tls/fake/client_side_fuzz_test.go

 			Twice().
 			Return(nil)
 
-		_, err := fake.ReadClientHello(r, secret, time.Hour)
+		_, err := fake.ReadClientHello(r, secret.Key[:], secret.Host, time.Hour)
 		assert.Error(t, err)
 	})
 

mtglib/internal/tls/fake/client_side_snapshot_test.go

 			connMock := suite.makeConn(snapshot.GetFull())
 			defer connMock.AssertExpectations(t)
 
-			hello, err := fake.ReadClientHello(connMock, suite.secret, TolerateTime)
+			hello, err := fake.ReadClientHello(
+				connMock,
+				suite.secret.Key[:],
+				suite.secret.Host,
+				TolerateTime,
+			)
 			require.NoError(t, err)
 
 			assert.Equal(t, snapshot.GetRandom(), hello.Random[:])
 			connMock := suite.makeConn(snapshot.GetFull())
 			defer connMock.AssertExpectations(t)
 
-			_, err = fake.ReadClientHello(connMock, suite.secret, TolerateTime)
+			_, err = fake.ReadClientHello(
+				connMock,
+				suite.secret.Key[:],
+				suite.secret.Host,
+				TolerateTime,
+			)
 			assert.ErrorIs(t, err, fake.ErrBadDigest)
 		})
 	}

mtglib/internal/tls/fake/client_side_test.go

 		Once().
 		Return(errors.New("fail"))
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "fail")
 }
 
 		Twice().
 		Return(nil)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorIs(err, io.EOF)
 }
 
 	})
 	suite.readBuf.WriteByte(10)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "unexpected record type 0xa")
 }
 
 		0, 0,
 	})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "unexpected protocol version")
 }
 
 		0, 10,
 	})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorIs(err, io.EOF)
 }
 
 		10,
 	})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read handshake header")
 }
 
 		10, 0, 0, 0,
 	})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "incorrect handshake type")
 }
 
 		10, 0, 0, 0,
 	})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorIs(err, io.EOF)
 }
 
 func (suite *ParseClientHelloHandshakeBodyTestSuite) TestCannotReadVersion() {
 	suite.writeBody(nil)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read client version")
 }
 
 func (suite *ParseClientHelloHandshakeBodyTestSuite) TestCannotReadRandom() {
 	suite.writeBody([]byte{3, 3})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read client random")
 }
 
 
 	suite.writeBody(body)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read session ID length")
 }
 
 
 	suite.writeBody(body)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read session id")
 }
 
 
 	suite.writeBody(body)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read cipher suite length")
 }
 
 
 	suite.writeBody(body)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read first cipher suite")
 }
 
 
 	suite.writeBody(body)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot skip remaining cipher suites")
 }
 
 
 	suite.writeBody(body)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read compression methods length")
 }
 
 
 	suite.writeBody(body)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot skip compression methods")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadExtensionsLength() {
 	suite.writeExtensions(nil)
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read length of TLS extensions")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadExtensions() {
 	suite.writeExtensions([]byte{0, 10})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read extensions")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadExtensionType() {
 	suite.writeExtensions([]byte{0, 1, 0xAB})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read extension type")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadExtensionLength() {
 	suite.writeExtensions([]byte{0, 2, 0xFF, 0xFF})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "length:")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadExtensionData() {
 	suite.writeExtensions([]byte{0, 4, 0xFF, 0xFF, 0, 5})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "data: len")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadSNIRecordLength() {
 	suite.writeExtensions([]byte{0, 5, 0, 0, 0, 1, 0xAB})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read the length of the SNI record")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadSNIListType() {
 	suite.writeExtensions([]byte{0, 6, 0, 0, 0, 2, 0, 1})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "cannot read SNI list type")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestIncorrectSNIListType() {
 	suite.writeExtensions([]byte{0, 7, 0, 0, 0, 3, 0, 1, 5})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "incorrect SNI list type")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadHostnameLength() {
 	suite.writeExtensions([]byte{0, 8, 0, 0, 0, 4, 0, 2, 0, 0xAB})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "incorrect length of the hostname")
 }
 
 func (suite *ParseClientHelloSNITestSuite) TestCannotReadHostname() {
 	suite.writeExtensions([]byte{0, 9, 0, 0, 0, 5, 0, 3, 0, 0, 5})
 
-	_, err := fake.ReadClientHello(suite.connMock, suite.secret, TolerateTime)
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorContains(err, "incorrect length of SNI hostname")
 }
 

mtglib/internal/tls/fake/server_side.go

 	"encoding/binary"
 	"io"
 
-	"github.com/9seconds/mtg/v2/mtglib"
 	"github.com/9seconds/mtg/v2/mtglib/internal/tls"
 	"golang.org/x/crypto/curve25519"
 )
 	}
 )
 
-func SendServerHello(w io.Writer, secret mtglib.Secret, clientHello *ClientHello) ([]byte, error) {
+func SendServerHello(w io.Writer, secret []byte, clientHello *ClientHello) ([]byte, error) {
 	buf := &bytes.Buffer{}
 	buf.Grow(tls.MaxRecordSize)
 
 	generateNoise(noise)
 
 	packet := buf.Bytes()
-	digest := hmac.New(sha256.New, secret.Key[:])
+	digest := hmac.New(sha256.New, secret)
 
 	digest.Write(clientHello.Random[:])
 	digest.Write(packet)

mtglib/internal/tls/fake/server_side_test.go

 }
 
 func (suite *SendServerHelloTestSuite) TestRecordStructure() {
-	noise, err := fake.SendServerHello(suite.buf, suite.secret, suite.hello)
+	noise, err := fake.SendServerHello(suite.buf, suite.secret.Key[:], suite.hello)
 	suite.NoError(err)
 
 	var rec bytes.Buffer
 }
 
 func (suite *SendServerHelloTestSuite) TestHMAC() {
-	noise, err := fake.SendServerHello(suite.buf, suite.secret, suite.hello)
+	noise, err := fake.SendServerHello(suite.buf, suite.secret.Key[:], suite.hello)
 	suite.NoError(err)
 
 	packet := make([]byte, suite.buf.Len())
 }
 
 func (suite *SendServerHelloTestSuite) TestHandshakePayload() {
-	_, err := fake.SendServerHello(suite.buf, suite.secret, suite.hello)
+	_, err := fake.SendServerHello(suite.buf, suite.secret.Key[:], suite.hello)
 	suite.NoError(err)
 
 	packet := suite.buf.Bytes()
 }
 
 func (suite *SendServerHelloTestSuite) TestChangeCipherSpec() {
-	_, err := fake.SendServerHello(suite.buf, suite.secret, suite.hello)
+	_, err := fake.SendServerHello(suite.buf, suite.secret.Key[:], suite.hello)
 	suite.NoError(err)
 
 	// Skip first record

mtglib/proxy.go

 
 	"github.com/9seconds/mtg/v2/essentials"
 	"github.com/9seconds/mtg/v2/mtglib/internal/dc"
-	"github.com/9seconds/mtg/v2/mtglib/internal/faketls"
-	"github.com/9seconds/mtg/v2/mtglib/internal/faketls/record"
+	"github.com/9seconds/mtg/v2/mtglib/internal/doppel"
 	"github.com/9seconds/mtg/v2/mtglib/internal/obfuscation"
 	"github.com/9seconds/mtg/v2/mtglib/internal/relay"
+	"github.com/9seconds/mtg/v2/mtglib/internal/tls"
+	"github.com/9seconds/mtg/v2/mtglib/internal/tls/fake"
 	"github.com/panjf2000/ants/v2"
 )
 
 	workerPool                  *ants.PoolWithFunc
 	telegram                    *dc.Telegram
 	configUpdater               *dc.PublicConfigUpdater
+	doppelGanger                *doppel.Ganger
 	clientObfuscatror           obfuscation.Obfuscator
 
 	secret          Secret
 }
 
 func (p *Proxy) doFakeTLSHandshake(ctx *streamContext) bool {
-	rec := record.AcquireRecord()
-	defer record.ReleaseRecord(rec)
-
 	rewind := newConnRewind(ctx.clientConn)
 
-	if err := rec.Read(rewind); err != nil {
-		p.logger.InfoError("cannot read client hello", err)
-		p.doDomainFronting(ctx, rewind)
-
-		return false
-	}
-
-	hello, err := faketls.ParseClientHello(p.secret.Key[:], rec.Payload.Bytes())
+	clientHello, err := fake.ReadClientHello(
+		rewind,
+		p.secret.Key[:],
+		p.secret.Host,
+		p.tolerateTimeSkewness,
+	)
 	if err != nil {
-		p.logger.InfoError("cannot parse client hello", err)
-		p.doDomainFronting(ctx, rewind)
-
-		return false
-	}
-
-	if err := hello.Valid(p.secret.Host, p.tolerateTimeSkewness); err != nil {
-		p.logger.
-			BindStr("hostname", hello.Host).
-			BindStr("hello-time", hello.Time.String()).
-			InfoError("invalid faketls client hello", err)
+		p.logger.InfoError("cannot read client hello", err)
 		p.doDomainFronting(ctx, rewind)
-
 		return false
 	}
 
-	if p.antiReplayCache.SeenBefore(hello.SessionID) {
+	if p.antiReplayCache.SeenBefore(clientHello.SessionID) {
 		p.logger.Warning("replay attack has been detected!")
 		p.eventStream.Send(p.ctx, NewEventReplayAttack(ctx.streamID))
 		p.doDomainFronting(ctx, rewind)
-
 		return false
 	}
 
-	if err := faketls.SendWelcomePacket(rewind, p.secret.Key[:], hello); err != nil {
+	_, err = fake.SendServerHello(ctx.clientConn, p.secret.Key[:], clientHello)
+	if err != nil {
 		p.logger.InfoError("cannot send welcome packet", err)
-
 		return false
 	}
 
-	ctx.clientConn = &faketls.Conn{
-		Conn: ctx.clientConn,
+	ctx.clientConn = tls.New(ctx.clientConn, true, true)
+
+	ctx.clientConn, err = p.doppelGanger.NewConn(ctx.clientConn)
+	if err != nil {
+		p.logger.WarningError("cannot create connection", err)
+		return false
 	}
 
 	return true

network/v2/http.go

 package network
 
-import (
-	"crypto/tls"
-	"net/http"
-)
+import "net/http"
 
 type networkHTTPTransport struct {
 	userAgent string
 
 	return n.next.RoundTrip(req) //nolint: wrapcheck
 }
-
-func (n networkHTTPTransport) TrustTLS() {
-	tr := n.next.(*http.Transport)
-	if tr.TLSClientConfig == nil {
-		tr.TLSClientConfig = &tls.Config{}
-	}
-	tr.TLSClientConfig.InsecureSkipVerify = true
-}