ei
/
mtg
mirror da https://github.com/9seconds/mtg
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Rilasci 48 Wiki Attività
Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram. If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1094 Commit
8 Rami (Branch)
Albero (Tree): ab39fbb441
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da 'ab39fbb441'
${ noResults }
mtg/mtglib/internal/tls/fake/client_side.go

client_side.go 13KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440 
  1. package fake

  2. 

  3. import (

  4. 	"bytes"

  5. 	"crypto/hmac"

  6. 	"crypto/sha256"

  7. 	"crypto/subtle"

  8. 	"encoding/binary"

  9. 	"errors"

  10. 	"fmt"

  11. 	"io"

  12. 	"net"

  13. 	"slices"

  14. 	"time"

  15. 

  16. 	"github.com/dolonet/mtg-multi/mtglib/internal/tls"

  17. )

  18. 

  19. const (

  20. 	TypeHandshakeClient = 0x01

  21. 

  22. 	RandomLen = 32

  23. 	// record_type(1) + version(2) + size(2) + handshake_type(1) + uint24_length(3) + client_version(2)

  24. 	RandomOffset = 1 + 2 + 2 + 1 + 3 + 2

  25. 

  26. 	sniDNSNamesListType = 0

  27. 

  28. 	// maxContinuationRecords limits the number of continuation TLS records

  29. 	// that reassembleTLSHandshake will read. This prevents resource exhaustion

  30. 	// from adversarial fragmentation.

  31. 	maxContinuationRecords = 10

  32. )

  33. 

  34. var (

  35. 	emptyRandom = [RandomLen]byte{}

  36. 	extTypeSNI  = [2]byte{}

  37. )

  38. 

  39. type ClientHello struct {

  40. 	Random      [RandomLen]byte

  41. 	SessionID   []byte

  42. 	CipherSuite uint16

  43. }

  44. 

  45. // ReadClientHelloResult contains the parsed ClientHello and the index of the

  46. // secret that matched the HMAC validation.

  47. type ReadClientHelloResult struct {

  48. 	Hello        *ClientHello

  49. 	MatchedIndex int

  50. }

  51. 

  52. func ReadClientHello(

  53. 	conn net.Conn,

  54. 	secret []byte,

  55. 	hostname string,

  56. 	tolerateTimeSkewness time.Duration,

  57. ) (*ClientHello, error) {

  58. 	result, err := ReadClientHelloMulti(conn, [][]byte{secret}, hostname, tolerateTimeSkewness)

  59. 	if err != nil {

  60. 		return nil, err

  61. 	}

  62. 

  63. 	return result.Hello, nil

  64. }

  65. 

  66. // ReadClientHelloMulti is like ReadClientHello but accepts multiple secrets.

  67. // It tries each secret until one validates the HMAC. On success it returns

  68. // the ClientHello and the index of the matched secret.

  69. func ReadClientHelloMulti(

  70. 	conn net.Conn,

  71. 	secrets [][]byte,

  72. 	hostname string,

  73. 	tolerateTimeSkewness time.Duration,

  74. ) (*ReadClientHelloResult, error) {

  75. 	if err := conn.SetReadDeadline(time.Now().Add(ClientHelloReadTimeout)); err != nil {

  76. 		return nil, fmt.Errorf("cannot set read deadline: %w", err)

  77. 	}

  78. 	defer conn.SetReadDeadline(resetDeadline) //nolint: errcheck

  79. 

  80. 	reassembled, err := reassembleTLSHandshake(conn)

  81. 	if err != nil {

  82. 		return nil, fmt.Errorf("cannot reassemble TLS records: %w", err)

  83. 	}

  84. 

  85. 	handshakeCopyBuf := &bytes.Buffer{}

  86. 	reader := io.TeeReader(reassembled, handshakeCopyBuf)

  87. 

  88. 	// Skip the TLS record header (validated during reassembly).

  89. 	// The header still flows through TeeReader into handshakeCopyBuf for HMAC.

  90. 	if _, err = io.CopyN(io.Discard, reader, tls.SizeHeader); err != nil {

  91. 		return nil, fmt.Errorf("cannot skip tls header: %w", err)

  92. 	}

  93. 

  94. 	reader, err = parseHandshakeHeader(reader)

  95. 	if err != nil {

  96. 		return nil, fmt.Errorf("cannot parse handshake header: %w", err)

  97. 	}

  98. 

  99. 	hello, err := parseHandshake(reader)

  100. 	if err != nil {

  101. 		return nil, fmt.Errorf("cannot parse handshake: %w", err)

  102. 	}

  103. 

  104. 	sniHostnames, err := parseSNI(reader)

  105. 	if err != nil {

  106. 		return nil, fmt.Errorf("cannot parse SNI: %w", err)

  107. 	}

  108. 

  109. 	if !slices.Contains(sniHostnames, hostname) {

  110. 		return nil, fmt.Errorf("cannot find %s in %v", hostname, sniHostnames)

  111. 	}

  112. 

  113. 	// Save the handshake bytes so we can reuse them for each secret attempt.

  114. 	handshakeBytes := handshakeCopyBuf.Bytes()

  115. 

  116. 	for idx, secret := range secrets {

  117. 		digest := hmac.New(sha256.New, secret)

  118. 

  119. 		// Write the handshake with client random all nullified.

  120. 		digest.Write(handshakeBytes[:RandomOffset])

  121. 		digest.Write(emptyRandom[:])

  122. 		digest.Write(handshakeBytes[RandomOffset+RandomLen:])

  123. 

  124. 		computed := digest.Sum(nil)

  125. 

  126. 		for i := range RandomLen {

  127. 			computed[i] ^= hello.Random[i]

  128. 		}

  129. 

  130. 		if subtle.ConstantTimeCompare(emptyRandom[:RandomLen-4], computed[:RandomLen-4]) != 1 {

  131. 			continue

  132. 		}

  133. 

  134. 		timestamp := int64(binary.LittleEndian.Uint32(computed[RandomLen-4:]))

  135. 		createdAt := time.Unix(timestamp, 0)

  136. 

  137. 		if tdiff := time.Since(createdAt).Abs(); tdiff > tolerateTimeSkewness {

  138. 			continue

  139. 		}

  140. 

  141. 		return &ReadClientHelloResult{

  142. 			Hello:        hello,

  143. 			MatchedIndex: idx,

  144. 		}, nil

  145. 	}

  146. 

  147. 	return nil, ErrBadDigest

  148. }

  149. 

  150. // reassembleTLSHandshake reads one or more TLS records from conn,

  151. // validates the record type and version, and reassembles fragmented

  152. // handshake payloads into a single TLS record.

  153. //

  154. // Per RFC 5246 Section 6.2.1, handshake messages may be fragmented

  155. // across multiple TLS records. DPI bypass tools like ByeDPI use this

  156. // to evade censorship.

  157. //

  158. // The returned buffer contains the full TLS record (header + payload)

  159. // so that callers can include the header in HMAC computation.

  160. func reassembleTLSHandshake(conn io.Reader) (*bytes.Buffer, error) {

  161. 	header := [tls.SizeHeader]byte{}

  162. 

  163. 	if _, err := io.ReadFull(conn, header[:]); err != nil {

  164. 		return nil, fmt.Errorf("cannot read record header: %w", err)

  165. 	}

  166. 

  167. 	length := int64(binary.BigEndian.Uint16(header[3:]))

  168. 	payload := &bytes.Buffer{}

  169. 

  170. 	if _, err := io.CopyN(payload, conn, length); err != nil {

  171. 		return nil, fmt.Errorf("cannot read record payload: %w", err)

  172. 	}

  173. 

  174. 	if header[0] != tls.TypeHandshake {

  175. 		return nil, fmt.Errorf("unexpected record type %#x", header[0])

  176. 	}

  177. 

  178. 	if header[1] != 3 || header[2] != 1 {

  179. 		return nil, fmt.Errorf("unexpected protocol version %#x %#x", header[1], header[2])

  180. 	}

  181. 

  182. 	// Reassemble fragmented payload. continuationCount caps the total

  183. 	// number of continuation records across both phases below.

  184. 	continuationCount := 0

  185. 

  186. 	// Phase 1: read continuation records until we have at least the

  187. 	// 4-byte handshake header (type + uint24 length) to determine the

  188. 	// expected total size.

  189. 	for ; payload.Len() < 4 && continuationCount < maxContinuationRecords; continuationCount++ {

  190. 		prevLen := payload.Len()

  191. 

  192. 		if err := readContinuationRecord(conn, payload); err != nil {

  193. 			payload.Truncate(prevLen) // discard partial data on error

  194. 

  195. 			if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {

  196. 				break // no more records — let downstream parsing handle what we have

  197. 			}

  198. 

  199. 			return nil, err

  200. 		}

  201. 	}

  202. 

  203. 	// Phase 2: we know the expected handshake size — read remaining

  204. 	// continuation records until the payload is complete.

  205. 	if payload.Len() >= 4 {

  206. 		p := payload.Bytes()

  207. 		expectedTotal := 4 + (int(p[1])<<16 | int(p[2])<<8 | int(p[3]))

  208. 

  209. 		if expectedTotal > 0xFFFF {

  210. 			return nil, fmt.Errorf("handshake message too large: %d bytes", expectedTotal)

  211. 		}

  212. 

  213. 		for ; payload.Len() < expectedTotal && continuationCount < maxContinuationRecords; continuationCount++ {

  214. 			if err := readContinuationRecord(conn, payload); err != nil {

  215. 				return nil, err

  216. 			}

  217. 		}

  218. 

  219. 		if payload.Len() < expectedTotal {

  220. 			return nil, fmt.Errorf("cannot reassemble handshake: too many continuation records")

  221. 		}

  222. 

  223. 		payload.Truncate(expectedTotal)

  224. 	}

  225. 

  226. 	if payload.Len() > 0xFFFF {

  227. 		return nil, fmt.Errorf("reassembled payload too large: %d bytes", payload.Len())

  228. 	}

  229. 

  230. 	// Reconstruct a single TLS record with the reassembled payload.

  231. 	result := &bytes.Buffer{}

  232. 	result.Grow(tls.SizeHeader + payload.Len())

  233. 	result.Write(header[:3])

  234. 	binary.Write(result, binary.BigEndian, uint16(payload.Len())) //nolint:errcheck // bytes.Buffer.Write never fails

  235. 	result.Write(payload.Bytes())

  236. 

  237. 	return result, nil

  238. }

  239. 

  240. // readContinuationRecord reads the next TLS record header and appends its

  241. // full payload to dst. It returns an error if the record is not a handshake

  242. // record.

  243. func readContinuationRecord(conn io.Reader, dst *bytes.Buffer) error {

  244. 	nextHeader := [tls.SizeHeader]byte{}

  245. 

  246. 	if _, err := io.ReadFull(conn, nextHeader[:]); err != nil {

  247. 		return fmt.Errorf("cannot read continuation record header: %w", err)

  248. 	}

  249. 

  250. 	if nextHeader[0] != tls.TypeHandshake {

  251. 		return fmt.Errorf("unexpected continuation record type %#x", nextHeader[0])

  252. 	}

  253. 

  254. 	if nextHeader[1] != 3 || nextHeader[2] != 1 {

  255. 		return fmt.Errorf("unexpected continuation record version %#x %#x", nextHeader[1], nextHeader[2])

  256. 	}

  257. 

  258. 	nextLength := int64(binary.BigEndian.Uint16(nextHeader[3:]))

  259. 

  260. 	if nextLength == 0 {

  261. 		return fmt.Errorf("zero-length continuation record")

  262. 	}

  263. 

  264. 	if _, err := io.CopyN(dst, conn, nextLength); err != nil {

  265. 		return fmt.Errorf("cannot read continuation record payload: %w", err)

  266. 	}

  267. 

  268. 	return nil

  269. }

  270. 

  271. func parseHandshakeHeader(r io.Reader) (io.Reader, error) {

  272. 	// type(1) + size(3 / uint24)

  273. 	// 01 - handshake message type 0x01 (client hello)

  274. 	// 00 00 f4 - 0xF4 (244) bytes of client hello data follows

  275. 	header := [1 + 3]byte{}

  276. 

  277. 	if _, err := io.ReadFull(r, header[:]); err != nil {

  278. 		return nil, fmt.Errorf("cannot read handshake header: %w", err)

  279. 	}

  280. 

  281. 	if header[0] != TypeHandshakeClient {

  282. 		return nil, fmt.Errorf("incorrect handshake type: %#x", header[0])

  283. 	}

  284. 

  285. 	// unfortunately there is not uint24 in golang, so we just reust header

  286. 	header[0] = 0

  287. 

  288. 	length := int64(binary.BigEndian.Uint32(header[:]))

  289. 	buf := &bytes.Buffer{}

  290. 

  291. 	_, err := io.CopyN(buf, r, length)

  292. 

  293. 	return buf, err

  294. }

  295. 

  296. func parseHandshake(r io.Reader) (*ClientHello, error) {

  297. 	//  A protocol version of "3,3" (meaning TLS 1.2) is given.

  298. 	header := [2]byte{}

  299. 

  300. 	if _, err := io.ReadFull(r, header[:]); err != nil {

  301. 		return nil, fmt.Errorf("cannot read client version: %w", err)

  302. 	}

  303. 

  304. 	hello := &ClientHello{}

  305. 

  306. 	if _, err := io.ReadFull(r, hello.Random[:]); err != nil {

  307. 		return nil, fmt.Errorf("cannot read client random: %w", err)

  308. 	}

  309. 

  310. 	if _, err := io.ReadFull(r, header[:1]); err != nil {

  311. 		return nil, fmt.Errorf("cannot read session ID length: %w", err)

  312. 	}

  313. 

  314. 	hello.SessionID = make([]byte, int(header[0]))

  315. 

  316. 	if _, err := io.ReadFull(r, hello.SessionID); err != nil {

  317. 		return nil, fmt.Errorf("cannot read session id: %w", err)

  318. 	}

  319. 

  320. 	if _, err := io.ReadFull(r, header[:]); err != nil {

  321. 		return nil, fmt.Errorf("cannot read cipher suite length: %w", err)

  322. 	}

  323. 

  324. 	cipherSuiteLen := int64(binary.BigEndian.Uint16(header[:]))

  325. 

  326. 	// we do not care about picking up any cipher. we pick the first one,

  327. 	// so it is always should be present.

  328. 	if _, err := io.ReadFull(r, header[:]); err != nil {

  329. 		return nil, fmt.Errorf("cannot read first cipher suite: %w", err)

  330. 	}

  331. 

  332. 	hello.CipherSuite = binary.BigEndian.Uint16(header[:])

  333. 

  334. 	if _, err := io.CopyN(io.Discard, r, cipherSuiteLen-2); err != nil {

  335. 		return nil, fmt.Errorf("cannot skip remaining cipher suites: %w", err)

  336. 	}

  337. 

  338. 	if _, err := io.ReadFull(r, header[:1]); err != nil {

  339. 		return nil, fmt.Errorf("cannot read compression methods length: %w", err)

  340. 	}

  341. 

  342. 	if _, err := io.CopyN(io.Discard, r, int64(header[0])); err != nil {

  343. 		return nil, fmt.Errorf("cannot skip compression methods: %w", err)

  344. 	}

  345. 

  346. 	return hello, nil

  347. }

  348. 

  349. func parseSNI(r io.Reader) ([]string, error) {

  350. 	header := [2]byte{}

  351. 

  352. 	if _, err := io.ReadFull(r, header[:]); err != nil {

  353. 		return nil, fmt.Errorf("cannot read length of TLS extensions: %w", err)

  354. 	}

  355. 

  356. 	extensionsLength := int64(binary.BigEndian.Uint16(header[:]))

  357. 	buf := &bytes.Buffer{}

  358. 	buf.Grow(int(extensionsLength))

  359. 

  360. 	if _, err := io.CopyN(buf, r, extensionsLength); err != nil {

  361. 		return nil, fmt.Errorf("cannot read extensions: %w", err)

  362. 	}

  363. 

  364. 	for buf.Len() > 0 {

  365. 		// 00 00 - assigned value for extension "server name"

  366. 		// 00 18 - 0x18 (24) bytes of "server name" extension data follows

  367. 		// 00 16 - 0x16 (22) bytes of first (and only) list entry follows

  368. 		// 00 - list entry is type 0x00 "DNS hostname"

  369. 		// 00 13 - 0x13 (19) bytes of hostname follows

  370. 		// 65 78 61 ... 6e 65 74 - "example.ulfheim.net"

  371. 

  372. 		// 00 00 - assigned value for extension "server name"

  373. 		extTypeB := buf.Next(2)

  374. 		if len(extTypeB) != 2 {

  375. 			return nil, fmt.Errorf("cannot read extension type: %v", extTypeB)

  376. 		}

  377. 

  378. 		// 00 18 - 0x18 (24) bytes of "server name" extension data follows

  379. 		lengthB := buf.Next(2)

  380. 		if len(lengthB) != 2 {

  381. 			return nil, fmt.Errorf("cannot read extension %v length: %v", extTypeB, lengthB)

  382. 		}

  383. 		length := int(binary.BigEndian.Uint16(lengthB))

  384. 

  385. 		extDataB := buf.Next(length)

  386. 		if len(extDataB) != length {

  387. 			return nil, fmt.Errorf("cannot read extension %v data: len %d != %d", extTypeB, length, len(extDataB))

  388. 		}

  389. 

  390. 		if !bytes.Equal(extTypeB, extTypeSNI[:]) {

  391. 			continue

  392. 		}

  393. 

  394. 		buf.Reset()

  395. 		buf.Write(extDataB)

  396. 

  397. 		// 00 16 - 0x16 (22) bytes of first (and only) list entry follows

  398. 		lengthB = buf.Next(2)

  399. 		if len(lengthB) != 2 {

  400. 			return nil, fmt.Errorf("cannot read the length of the SNI record: %v", lengthB)

  401. 		}

  402. 

  403. 		length = int(binary.BigEndian.Uint16(lengthB))

  404. 		if length == 0 {

  405. 			return nil, nil

  406. 		}

  407. 

  408. 		listType, err := buf.ReadByte()

  409. 		if err != nil {

  410. 			return nil, fmt.Errorf("cannot read SNI list type: %w", err)

  411. 		}

  412. 

  413. 		// 00 - list entry is type 0x00 "DNS hostname"

  414. 		if listType != sniDNSNamesListType {

  415. 			return nil, fmt.Errorf("incorrect SNI list type %#x", listType)

  416. 		}

  417. 

  418. 		names := []string{}

  419. 

  420. 		for buf.Len() > 0 {

  421. 			// 00 13 - 0x13 (19) bytes of hostname follows

  422. 			lengthB = buf.Next(2)

  423. 			if len(lengthB) != 2 {

  424. 				return nil, fmt.Errorf("incorrect length of the hostname: %v", lengthB)

  425. 			}

  426. 			length = int(binary.BigEndian.Uint16(lengthB))

  427. 

  428. 			name := buf.Next(length)

  429. 			if len(name) != length {

  430. 				return nil, fmt.Errorf("incorrect length of SNI hostname: len %d != %d", length, len(name))

  431. 			}

  432. 

  433. 			names = append(names, string(name))

  434. 		}

  435. 

  436. 		return names, nil

  437. 	}

  438. 

  439. 	return nil, nil

  440. }