Merge pull request #16 from dolonet/sync-upstream-handshake-grease

Sync upstream: handshake timeout, GREASE cipher fix, no-default TLS cipher

example.config.toml

 # means a timeout on pumping data between sockset when nothing is
 # happening.
 #
-# please be noticed that handshakes have no timeouts intentionally. You can
-# find a reasoning here:
-# https://www.ndss-symposium.org/wp-content/uploads/2020/02/23087-paper.pdf
 [network.timeout]
 tcp = "5s"
 http = "10s"
 idle = "5m"
+handshake = "10s"
 
 # mtg has to mimic real websites. It does not mean domain fronting, it also
 # means that traffic characteristics should be similar to real world traffic.

internal/cli/run_proxy.go

 		AllowFallbackOnUnknownDC: conf.AllowFallbackOnUnknownDC.Get(false),
 		TolerateTimeSkewness:     conf.TolerateTimeSkewness.Value,
 		IdleTimeout:              conf.Network.Timeout.Idle.Get(mtglib.DefaultIdleTimeout),
+		HandshakeTimeout:         conf.Network.Timeout.Handshake.Get(mtglib.DefaultHandshakeTimeout),
 
 		DoppelGangerURLs:    doppelGangerURLs,
 		DoppelGangerPerRaid: conf.Defense.Doppelganger.Repeats.Get(mtglib.DoppelGangerPerRaid),

internal/config/config.go

 	} `json:"defense"`
 	Network struct {
 		Timeout struct {
-			TCP  TypeDuration `json:"tcp"`
-			HTTP TypeDuration `json:"http"`
-			Idle TypeDuration `json:"idle"`
+			TCP       TypeDuration `json:"tcp"`
+			HTTP      TypeDuration `json:"http"`
+			Idle      TypeDuration `json:"idle"`
+			Handshake TypeDuration `json:"handshake"`
 		} `json:"timeout"`
 		DOHIP   TypeIP         `json:"dohIp"`
 		DNS     TypeDNSURI     `json:"dns"`

internal/config/parse.go

 	} `toml:"defense" json:"defense,omitempty"`
 	Network struct {
 		Timeout struct {
-			TCP  string `toml:"tcp" json:"tcp,omitempty"`
-			HTTP string `toml:"http" json:"http,omitempty"`
-			Idle string `toml:"idle" json:"idle,omitempty"`
+			TCP       string `toml:"tcp" json:"tcp,omitempty"`
+			HTTP      string `toml:"http" json:"http,omitempty"`
+			Idle      string `toml:"idle" json:"idle,omitempty"`
+			Handshake string `toml:"handshake" json:"handshake,omitempty"`
 		} `toml:"timeout" json:"timeout,omitempty"`
 		DOHIP   string   `toml:"doh-ip" json:"dohIp,omitempty"`
 		DNS     string   `toml:"dns" json:"dns,omitempty"`

mtglib/init.go

 	// avoid racing with MTProto ping_delay_disconnect (~60s interval).
 	DefaultIdleTimeout = 5 * time.Minute
 
+	// DefaultHandshakeTimeout defines a time period during which the
+	// all handshake ceremonies must be completed.
+	DefaultHandshakeTimeout = 10 * time.Second
+
 	// DefaultTolerateTimeSkewness is a default timeout for time skewness on a
 	// faketls timeout verification.
 	DefaultTolerateTimeSkewness = 3 * time.Second

mtglib/internal/tls/fake/client_side.go

 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"net"
 	// record_type(1) + version(2) + size(2) + handshake_type(1) + uint24_length(3) + client_version(2)
 	RandomOffset = 1 + 2 + 2 + 1 + 3 + 2
 
+	// https://datatracker.ietf.org/doc/html/rfc8701#name-grease-values
+	// https://medium.com/asecuritysite-when-bob-met-alice/in-cybersecurity-what-is-grease-9f8850558dea
+	GreaseMask      = 0x0f0f
+	GreaseValueType = 0x0a0a
+
 	sniDNSNamesListType = 0
 )
 
 var (
 	emptyRandom = [RandomLen]byte{}
 	extTypeSNI  = [2]byte{}
+
+	ErrCannotFindCipher = errors.New("cannot find a cipher")
 )
 
 type ClientHello struct {
 	hostname string,
 	tolerateTimeSkewness time.Duration,
 ) (*ReadClientHelloResult, error) {
-	if err := conn.SetReadDeadline(time.Now().Add(ClientHelloReadTimeout)); err != nil {
-		return nil, fmt.Errorf("cannot set read deadline: %w", err)
-	}
-	defer conn.SetReadDeadline(resetDeadline) //nolint: errcheck
-
 	clientHelloCopy, handshakeReader, err := parseClientHello(conn)
 	if err != nil {
 		return nil, fmt.Errorf("cannot read client hello: %w", err)
 
 	cipherSuiteLen := int64(binary.BigEndian.Uint16(header[:]))
 
-	// we do not care about picking up any cipher. we pick the first one,
-	// so it is always should be present.
-	if _, err := io.ReadFull(r, header[:]); err != nil {
-		return nil, fmt.Errorf("cannot read first cipher suite: %w", err)
-	}
+	// Pick the first non-GREASE cipher suite from the list.
+	// Real TLS servers never select GREASE values (RFC 8701, pattern 0x?a?a),
+	// so echoing them back is a trivial DPI fingerprint.
+	// cipherSuiteLen is in bytes; each cipher suite is 2 bytes.
+	for range cipherSuiteLen / 2 {
+		if _, err := io.ReadFull(r, header[:]); err != nil {
+			return nil, fmt.Errorf("cannot read cipher suite: %w", err)
+		}
+
+		if hello.CipherSuite != 0 {
+			// do not forget we have to scan until the end
+			continue
+		}
 
-	hello.CipherSuite = binary.BigEndian.Uint16(header[:])
+		if cs := binary.BigEndian.Uint16(header[:]); cs&GreaseMask != GreaseValueType {
+			hello.CipherSuite = cs
+		}
+	}
 
-	if _, err := io.CopyN(io.Discard, r, cipherSuiteLen-2); err != nil {
-		return nil, fmt.Errorf("cannot skip remaining cipher suites: %w", err)
+	if hello.CipherSuite == 0 {
+		return nil, ErrCannotFindCipher
 	}
 
 	if _, err := io.ReadFull(r, header[:1]); err != nil {

mtglib/internal/tls/fake/client_side_snapshot_test.go

 	"github.com/dolonet/mtg-multi/mtglib"
 	"github.com/dolonet/mtg-multi/mtglib/internal/tls/fake"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 )
 		readBuf: readBuf,
 	}
 
-	connMock.
-		On("SetReadDeadline", mock.AnythingOfType("time.Time")).
-		Twice().
-		Return(nil)
-
 	return connMock
 }
 

mtglib/internal/tls/fake/client_side_test.go

 
 import (
 	"bytes"
+	cryptotls "crypto/tls"
 	"encoding/binary"
 	"encoding/json"
-	"errors"
 	"io"
 	"os"
 	"testing"
 	"github.com/dolonet/mtg-multi/mtglib"
 	"github.com/dolonet/mtg-multi/mtglib/internal/tls"
 	"github.com/dolonet/mtg-multi/mtglib/internal/tls/fake"
-	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 )
 	suite.connMock = &parseClientHelloConnMock{
 		readBuf: suite.readBuf,
 	}
-
-	suite.connMock.
-		On("SetReadDeadline", mock.AnythingOfType("time.Time")).
-		Twice().
-		Return(nil)
 }
 
 func (suite *ParseClientHelloTestSuite) TearDownTest() {
 }
 
 func (suite *ParseClientHello_TLSHeaderTestSuite) TestEmpty() {
-	suite.connMock.ExpectedCalls = []*mock.Call{}
-	suite.connMock.
-		On("SetReadDeadline", mock.AnythingOfType("time.Time")).
-		Once().
-		Return(errors.New("fail"))
-
 	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
-	suite.ErrorContains(err, "fail")
+	suite.ErrorContains(err, "cannot read client hello")
 }
 
 func (suite *ParseClientHello_TLSHeaderTestSuite) TestNothing() {
-	suite.connMock.ExpectedCalls = []*mock.Call{}
-	suite.connMock.
-		On("SetReadDeadline", mock.AnythingOfType("time.Time")).
-		Twice().
-		Return(nil)
-
 	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
 	suite.ErrorIs(err, io.EOF)
 }
 }
 
 func (suite *ParseClientHelloHandshakeBodyTestSuite) TestCannotReadFirstCipherSuite() {
-	body := make([]byte, 2+fake.RandomLen+1+2)
+	body := make([]byte, 2+fake.RandomLen+1+2+1) // cipherSuiteLen=2 but only 1 byte available
+	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1:], 2)
 
 	suite.writeBody(body)
 
 	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
-	suite.ErrorContains(err, "cannot read first cipher suite")
+	suite.ErrorContains(err, "cannot read cipher suite")
 }
 
 func (suite *ParseClientHelloHandshakeBodyTestSuite) TestCannotSkipRemainingCipherSuites() {
 	suite.writeBody(body)
 
 	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
-	suite.ErrorContains(err, "cannot skip remaining cipher suites")
+	suite.ErrorContains(err, "cannot read cipher suite")
+}
+
+func (suite *ParseClientHelloHandshakeBodyTestSuite) TestCannotFindCipher() {
+	// All cipher suites are GREASE values — must return ErrCannotFindCipher.
+	body := make([]byte, 2+fake.RandomLen+1+2+4+1)
+	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1:], 4)
+	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1+2:], 0x0a0a)
+	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1+2+2:], 0x1a1a)
+	body[2+fake.RandomLen+1+2+4] = 1
+
+	suite.writeBody(body)
+
+	_, err := fake.ReadClientHello(suite.connMock, suite.secret.Key[:], suite.secret.Host, TolerateTime)
+	suite.ErrorIs(err, fake.ErrCannotFindCipher)
 }
 
 func (suite *ParseClientHelloHandshakeBodyTestSuite) TestCannotReadCompressionMethodsLength() {
 	body := make([]byte, 2+fake.RandomLen+1+2+2)
 	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1:], 2)
+	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1+2:], cryptotls.TLS_AES_128_GCM_SHA256)
 
 	suite.writeBody(body)
 
 func (suite *ParseClientHelloHandshakeBodyTestSuite) TestCannotSkipCompressionMethods() {
 	body := make([]byte, 2+fake.RandomLen+1+2+2+1)
 	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1:], 2)
+	binary.BigEndian.PutUint16(body[2+fake.RandomLen+1+2:], cryptotls.TLS_AES_128_GCM_SHA256)
 	body[2+fake.RandomLen+1+2+2] = 1
 
 	suite.writeBody(body)
 	// cipherSuite(2) + compressionLen(1) + compression(1) = 41
 	body := make([]byte, 41)
 	binary.BigEndian.PutUint16(body[35:], 2)
+	binary.BigEndian.PutUint16(body[37:], cryptotls.TLS_AES_128_GCM_SHA256)
 	body[39] = 1
 
 	suite.readBuf.Write(body)
 		readBuf: readBuf,
 	}
 
-	connMock.
-		On("SetReadDeadline", mock.AnythingOfType("time.Time")).
-		Twice().
-		Return(nil)
-
 	return connMock
 }
 

mtglib/internal/tls/fake/init.go

 package fake
 
-import (
-	"errors"
-	"time"
-)
+import "errors"
 
-const (
-	ClientHelloReadTimeout = 5 * time.Second
-)
-
-var (
-	resetDeadline time.Time
-
-	ErrBadDigest = errors.New("incorrect client random")
-)
+var ErrBadDigest = errors.New("incorrect client random")

mtglib/internal/tls/fake/server_side_test.go

 	recordType, length, err := tls.ReadRecord(suite.buf, &rec)
 	suite.NoError(err)
 	suite.Equal(byte(tls.TypeApplicationData), recordType)
-	suite.Greater(length, int64(2500))
+	suite.GreaterOrEqual(length, int64(2500))
 
 	suite.Empty(suite.buf.Bytes())
 }

mtglib/internal/tls/fake/testdata/client-hello-ok-grease-first.json

+{
+  "time": 1617181365,
+  "random": "w4TaDfYg/aUKdx1oi68vxMKvHJczRNvtRRppLETzeNE=",
+  "sessionId": "St2BZ2uHMFn3B2trD1jfdtpjoJOOg6JBeLhFcyCMCq4=",
+  "host": "storage.googleapis.com",
+  "cipherSuite": 4867,
+  "full": "FgMBAgIBAAH+AwPDhNoN9iD9pQp3HWiLry/Ewq8clzNE2+1FGmksRPN40SBK3YFna4cwWfcHa2sPWN922mOgk46DokF4uEVzIIwKrgA2WloTAxMBEwLALMArwCTAI8AKwAnMqcAwwC/AKMAnwBTAE8yoAJ0AnAA9ADwANQAvwAjAEgAKAQABf/8BAAEAAAAAGwAZAAAWc3RvcmFnZS5nb29nbGVhcGlzLmNvbQAXAAAADQAYABYEAwgEBAEFAwIDCAUIBQUBCAYGAQIBAAUABQEAAAAAM3QAAAASAAAAEAAwAC4CaDIFaDItMTYFaDItMTUFaDItMTQIc3BkeS8zLjEGc3BkeS8zCGh0dHAvMS4xAAsAAgEAADMAJgAkAB0AIAf+6C8fSRJSAC7CyUvdR9kDclNR9KLCsCFHpVZ3bC8iAC0AAgEBACsACQgDBAMDAwIDAQAKAAoACAAdABcAGAAZABUAoQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+}

mtglib/proxy.go

 	allowFallbackOnUnknownDC    bool
 	tolerateTimeSkewness        time.Duration
 	idleTimeout                 time.Duration
+	handshakeTimeout            time.Duration
 	domainFrontingPort          int
 	domainFrontingIP            string
 	domainFrontingProxyProtocol bool
 	ctx := newStreamContext(p.ctx, p.logger, conn)
 	defer ctx.Close()
 
+	if err := ctx.clientConn.SetDeadline(time.Now().Add(p.handshakeTimeout)); err != nil {
+		ctx.logger.WarningError("cannot set handshake timeout", err)
+		return
+	}
+
 	stop := context.AfterFunc(ctx, func() {
 		ctx.Close()
 	})
 		return
 	}
 
+	if err := ctx.clientConn.SetDeadline(time.Time{}); err != nil {
+		ctx.logger.WarningError("cannot set deadline", err)
+		return
+	}
+
 	if err := p.doTelegramCall(ctx); err != nil {
 		ctx.logger.WarningError("cannot dial to telegram", err)
 		return
 		domainFrontingIP:         opts.DomainFrontingIP,
 		tolerateTimeSkewness:     opts.getTolerateTimeSkewness(),
 		idleTimeout:              opts.getIdleTimeout(),
+		handshakeTimeout:         opts.getHandshakeTimeout(),
 		allowFallbackOnUnknownDC: opts.AllowFallbackOnUnknownDC,
 		telegram:                 tg,
 		doppelGanger: doppel.NewGanger(

mtglib/proxy_opts.go

 	// This is an optional setting.
 	IdleTimeout time.Duration
 
+	// HandshakeTimeout is a timeout during which all handshake ceremonies must
+	// be completed, otherwise this process will be aborted
+	//
+	// This is an optional setting.
+	HandshakeTimeout time.Duration
+
 	// TolerateTimeSkewness is a time boundary that defines a time range where
 	// faketls timestamp is acceptable.
 	//
 	return p.PreferIP
 }
 
+func (p ProxyOpts) getHandshakeTimeout() time.Duration {
+	if p.HandshakeTimeout == 0 {
+		return DefaultHandshakeTimeout
+	}
+
+	return p.HandshakeTimeout
+}
+
 func (p ProxyOpts) getIdleTimeout() time.Duration {
 	if p.IdleTimeout == 0 {
 		return DefaultIdleTimeout