Fix tls-spoof

Author: nekohasekai

common/tls/client.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"net"
 	"os"
+	"strings"
 
 	"github.com/sagernet/sing-box/common/badtls"
 	"github.com/sagernet/sing-box/common/tlsspoof"
@@ -33,6 +34,9 @@ func parseTLSSpoofOptions(serverName string, options option.OutboundTLSOptions)
 	if options.DisableSNI || serverName == "" || M.ParseAddr(serverName).IsValid() {
 		return "", 0, E.New("`spoof` requires TLS ClientHello with SNI")
 	}
+	if strings.EqualFold(options.Spoof, serverName) {
+		return "", 0, E.New("`spoof` must differ from `server_name`")
+	}
 	method, err := tlsspoof.ParseMethod(options.SpoofMethod)
 	if err != nil {
 		return "", 0, err
@@ -44,11 +48,7 @@ func applyTLSSpoof(conn net.Conn, spoof string, method tlsspoof.Method) (net.Con
 	if spoof == "" {
 		return conn, nil
 	}
-	spoofer, err := tlsspoof.NewSpoofer(conn, method)
-	if err != nil {
-		return nil, err
-	}
-	return tlsspoof.NewConn(conn, spoofer, spoof), nil
+	return tlsspoof.NewConn(conn, method, spoof)
 }
 
 func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {

common/tls/client_test.go

@@ -0,0 +1,154 @@
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"testing"
+
+	tf "github.com/sagernet/sing-box/common/tlsfragment"
+	"github.com/sagernet/sing-box/common/tlsspoof"
+	"github.com/sagernet/sing-box/option"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseTLSSpoofOptions_Disabled(t *testing.T) {
+	t.Parallel()
+	spoof, method, err := parseTLSSpoofOptions("example.com", option.OutboundTLSOptions{})
+	require.NoError(t, err)
+	require.Empty(t, spoof)
+	require.Equal(t, tlsspoof.MethodWrongSequence, method)
+}
+
+func TestParseTLSSpoofOptions_MethodWithoutSpoof(t *testing.T) {
+	t.Parallel()
+	_, _, err := parseTLSSpoofOptions("example.com", option.OutboundTLSOptions{
+		SpoofMethod: tlsspoof.MethodNameWrongChecksum,
+	})
+	require.Error(t, err)
+}
+
+func TestParseTLSSpoofOptions_IPLiteralRejected(t *testing.T) {
+	t.Parallel()
+	_, _, err := parseTLSSpoofOptions("1.2.3.4", option.OutboundTLSOptions{
+		Spoof: "example.com",
+	})
+	require.Error(t, err)
+}
+
+func TestParseTLSSpoofOptions_EmptyServerNameRejected(t *testing.T) {
+	t.Parallel()
+	_, _, err := parseTLSSpoofOptions("", option.OutboundTLSOptions{
+		Spoof: "example.com",
+	})
+	require.Error(t, err)
+}
+
+func TestParseTLSSpoofOptions_DisableSNIRejected(t *testing.T) {
+	t.Parallel()
+	_, _, err := parseTLSSpoofOptions("example.com", option.OutboundTLSOptions{
+		Spoof:      "decoy.com",
+		DisableSNI: true,
+	})
+	require.Error(t, err)
+}
+
+// TestParseTLSSpoofOptions_RejectsSameSNI is the primary regression test for
+// the "spoofed packet contains the original SNI" bug report: when a user
+// configures spoof equal to server_name, the rewriter produces a byte-identical
+// record, so the fake and real ClientHellos on the wire look the same. Reject
+// at parse time.
+func TestParseTLSSpoofOptions_RejectsSameSNI(t *testing.T) {
+	t.Parallel()
+	_, _, err := parseTLSSpoofOptions("example.com", option.OutboundTLSOptions{
+		Spoof: "example.com",
+	})
+	require.Error(t, err)
+
+	_, _, err = parseTLSSpoofOptions("example.com", option.OutboundTLSOptions{
+		Spoof: "EXAMPLE.com",
+	})
+	require.Error(t, err, "comparison must be case-insensitive")
+}
+
+func TestParseTLSSpoofOptions_UnknownMethodRejected(t *testing.T) {
+	t.Parallel()
+	_, _, err := parseTLSSpoofOptions("example.com", option.OutboundTLSOptions{
+		Spoof:       "decoy.com",
+		SpoofMethod: "nonsense",
+	})
+	require.Error(t, err)
+}
+
+func TestParseTLSSpoofOptions_DistinctSNIAccepted(t *testing.T) {
+	t.Parallel()
+	if !tlsspoof.PlatformSupported {
+		t.Skip("tlsspoof not supported on this platform")
+	}
+	spoof, method, err := parseTLSSpoofOptions("example.com", option.OutboundTLSOptions{
+		Spoof:       "decoy.com",
+		SpoofMethod: tlsspoof.MethodNameWrongSequence,
+	})
+	require.NoError(t, err)
+	require.Equal(t, "decoy.com", spoof)
+	require.Equal(t, tlsspoof.MethodWrongSequence, method)
+}
+
+// The following tests guard the wrap gate in STDClientConfig.Client():
+// tf.Conn must wrap the underlying connection whenever either `fragment` or
+// `record_fragment` is set, so that TLS fragmentation coexists with features
+// like tls_spoof that layer on top of tf.Conn.
+
+func newSTDClientConfigForGateTest(fragment, recordFragment bool) *STDClientConfig {
+	return &STDClientConfig{
+		ctx:            context.Background(),
+		config:         &tls.Config{ServerName: "example.com", InsecureSkipVerify: true},
+		fragment:       fragment,
+		recordFragment: recordFragment,
+	}
+}
+
+func TestSTDClient_Client_NoFragment_DoesNotWrap(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newSTDClientConfigForGateTest(false, false).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.False(t, isTF, "no fragment flags: must not wrap with tf.Conn")
+}
+
+func TestSTDClient_Client_FragmentOnly_Wraps(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newSTDClientConfigForGateTest(true, false).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.True(t, isTF, "fragment=true: must wrap with tf.Conn")
+}
+
+func TestSTDClient_Client_RecordFragmentOnly_Wraps(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newSTDClientConfigForGateTest(false, true).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.True(t, isTF, "record_fragment=true: must wrap with tf.Conn")
+}
+
+func TestSTDClient_Client_BothFragment_Wraps(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newSTDClientConfigForGateTest(true, true).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.True(t, isTF, "both fragment flags: must wrap with tf.Conn")
+}

common/tls/std_client.go

@@ -75,7 +75,7 @@ func (c *STDClientConfig) STDConfig() (*STDConfig, error) {
 }
 
 func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
-	if c.recordFragment {
+	if c.fragment || c.recordFragment {
 		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
 	}
 	conn, err := applyTLSSpoof(conn, c.spoof, c.spoofMethod)

common/tls/utls_client.go

@@ -83,7 +83,7 @@ func (c *UTLSClientConfig) STDConfig() (*STDConfig, error) {
 }
 
 func (c *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	if c.recordFragment {
+	if c.fragment || c.recordFragment {
 		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
 	}
 	conn, err := applyTLSSpoof(conn, c.spoof, c.spoofMethod)

common/tls/utls_client_test.go

@@ -0,0 +1,73 @@
+//go:build with_utls
+
+package tls
+
+import (
+	"context"
+	"net"
+	"testing"
+
+	tf "github.com/sagernet/sing-box/common/tlsfragment"
+
+	utls "github.com/metacubex/utls"
+	"github.com/stretchr/testify/require"
+)
+
+// Guards the wrap gate in UTLSClientConfig.Client(): tf.Conn must wrap the
+// underlying connection whenever either `fragment` or `record_fragment` is
+// set. Mirrors the STDClientConfig gate tests to keep both code paths in
+// lockstep.
+
+func newUTLSClientConfigForGateTest(fragment, recordFragment bool) *UTLSClientConfig {
+	return &UTLSClientConfig{
+		ctx:            context.Background(),
+		config:         &utls.Config{ServerName: "example.com", InsecureSkipVerify: true},
+		id:             utls.HelloChrome_Auto,
+		fragment:       fragment,
+		recordFragment: recordFragment,
+	}
+}
+
+func TestUTLSClient_Client_NoFragment_DoesNotWrap(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newUTLSClientConfigForGateTest(false, false).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.False(t, isTF, "no fragment flags: must not wrap with tf.Conn")
+}
+
+func TestUTLSClient_Client_FragmentOnly_Wraps(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newUTLSClientConfigForGateTest(true, false).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.True(t, isTF, "fragment=true: must wrap with tf.Conn")
+}
+
+func TestUTLSClient_Client_RecordFragmentOnly_Wraps(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newUTLSClientConfigForGateTest(false, true).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.True(t, isTF, "record_fragment=true: must wrap with tf.Conn")
+}
+
+func TestUTLSClient_Client_BothFragment_Wraps(t *testing.T) {
+	t.Parallel()
+	client, server := net.Pipe()
+	defer client.Close()
+	defer server.Close()
+	wrapped, err := newUTLSClientConfigForGateTest(true, true).Client(client)
+	require.NoError(t, err)
+	_, isTF := wrapped.NetConn().(*tf.Conn)
+	require.True(t, isTF, "both fragment flags: must wrap with tf.Conn")
+}

common/tlsspoof/client_hello.go

@@ -1,86 +1,37 @@
 package tlsspoof
 
 import (
-	"encoding/binary"
+	"bytes"
+	"context"
+	"crypto/tls"
 
-	tf "github.com/sagernet/sing-box/common/tlsfragment"
+	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-const (
-	recordLengthOffset    = 3
-	handshakeLengthOffset = 6
-)
-
-// server_name extension layout (RFC 6066 §3). Offsets are relative to the
-// SNI host name (index returned by the parser):
-//
-//	...    uint16 extension_type = 0x0000     (host_name - 9)
-//	...    uint16 extension_data_length       (host_name - 7)
-//	...    uint16 server_name_list_length     (host_name - 5)
-//	...    uint8  name_type = host_name       (host_name - 3)
-//	...    uint16 host_name_length            (host_name - 2)
-//	sni    host_name                          (host_name)
-const (
-	extensionDataLengthOffsetFromSNI = -7
-	listLengthOffsetFromSNI          = -5
-	hostNameLengthOffsetFromSNI      = -2
-)
-
-func rewriteSNI(record []byte, fakeSNI string) ([]byte, error) {
-	if len(fakeSNI) > 0xFFFF {
-		return nil, E.New("fake SNI too long: ", len(fakeSNI), " bytes")
-	}
-	serverName := tf.IndexTLSServerName(record)
-	if serverName == nil {
-		return nil, E.New("not a ClientHello with SNI")
-	}
-
-	delta := len(fakeSNI) - serverName.Length
-	out := make([]byte, len(record)+delta)
-	copy(out, record[:serverName.Index])
-	copy(out[serverName.Index:], fakeSNI)
-	copy(out[serverName.Index+len(fakeSNI):], record[serverName.Index+serverName.Length:])
-
-	err := patchUint16(out, recordLengthOffset, delta)
-	if err != nil {
-		return nil, E.Cause(err, "patch record length")
+// buildFakeClientHello drives crypto/tls against a write-only in-memory conn
+// to capture a generated ClientHello. CurvePreferences pins classical groups
+// to suppress Go's default X25519MLKEM768 hybrid key share; without this the
+// post-quantum public key alone (~1184 bytes) pushes the record past one MSS,
+// and middleboxes do not reassemble fragmented ClientHellos. The handshake
+// error is discarded because the stub conn's Read returns immediately.
+func buildFakeClientHello(sni string) ([]byte, error) {
+	if sni == "" {
+		return nil, E.New("empty sni")
 	}
-	err = patchUint24(out, handshakeLengthOffset, delta)
-	if err != nil {
-		return nil, E.Cause(err, "patch handshake length")
-	}
-	for _, off := range []int{
-		serverName.ExtensionsListLengthIndex,
-		serverName.Index + extensionDataLengthOffsetFromSNI,
-		serverName.Index + listLengthOffsetFromSNI,
-		serverName.Index + hostNameLengthOffsetFromSNI,
-	} {
-		err = patchUint16(out, off, delta)
-		if err != nil {
-			return nil, E.Cause(err, "patch length at offset ", off)
-		}
-	}
-	return out, nil
-}
-
-func patchUint16(data []byte, offset, delta int) error {
-	patched := int(binary.BigEndian.Uint16(data[offset:])) + delta
-	if patched < 0 || patched > 0xFFFF {
-		return E.New("uint16 out of range: ", patched)
-	}
-	binary.BigEndian.PutUint16(data[offset:], uint16(patched))
-	return nil
-}
-
-func patchUint24(data []byte, offset, delta int) error {
-	original := int(data[offset])<<16 | int(data[offset+1])<<8 | int(data[offset+2])
-	patched := original + delta
-	if patched < 0 || patched > 0xFFFFFF {
-		return E.New("uint24 out of range: ", patched)
+	var buf bytes.Buffer
+	tlsConn := tls.Client(bufio.NewWriteOnlyConn(&buf), &tls.Config{
+		ServerName: sni,
+		// Order matches what browsers advertised before post-quantum.
+		CurvePreferences:   []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384},
+		MinVersion:         tls.VersionTLS12,
+		MaxVersion:         tls.VersionTLS13,
+		NextProtos:         []string{"h2", "http/1.1"},
+		InsecureSkipVerify: true,
+	})
+	_ = tlsConn.HandshakeContext(context.Background())
+	if buf.Len() == 0 {
+		return nil, E.New("tls ClientHello not produced")
 	}
-	data[offset] = byte(patched >> 16)
-	data[offset+1] = byte(patched >> 8)
-	data[offset+2] = byte(patched)
-	return nil
+	return buf.Bytes(), nil
 }