Add TLS spoof support

Author: nekohasekai

.github/workflows/test.yml

@@ -0,0 +1,55 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - stable
+      - testing
+      - unstable
+    paths-ignore:
+      - '**.md'
+      - '.github/**'
+      - '!.github/workflows/test.yml'
+  pull_request:
+    branches:
+      - stable
+      - testing
+      - unstable
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Test
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - windows-latest
+          - macos-latest
+        go:
+          - ~1.24
+          - ~1.25
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+      - name: Set build tags and ldflags
+        shell: bash
+        run: |
+          echo "BUILD_TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)" >> "$GITHUB_ENV"
+          echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "$GITHUB_ENV"
+      - name: Test (unix)
+        if: matrix.os != 'windows-latest'
+        run: go test -v -exec sudo -tags "$BUILD_TAGS" -ldflags "$LDFLAGS_SHARED" ./...
+      - name: Test (windows)
+        if: matrix.os == 'windows-latest'
+        shell: bash
+        run: go test -v -tags "$BUILD_TAGS" -ldflags "$LDFLAGS_SHARED" ./...

.golangci.yml

@@ -19,7 +19,6 @@ linters:
   enable:
     - govet
     - ineffassign
-    - paralleltest
     - staticcheck
   settings:
     staticcheck:

Makefile

@@ -52,7 +52,7 @@ lint:
 	GOOS=android golangci-lint run ./...
 	GOOS=windows golangci-lint run ./...
 	GOOS=darwin golangci-lint run ./...
-	GOOS=freebsd golangci-lint run ./...
+	# GOOS=freebsd golangci-lint run ./...
 
 lint_install:
 	go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest

common/tls/apple_client.go

@@ -155,6 +155,9 @@ func ValidateAppleTLSOptions(ctx context.Context, options option.OutboundTLSOpti
 	if options.KernelTx || options.KernelRx {
 		return AppleTLSValidated{}, E.New("ktls is unsupported in ", engineName)
 	}
+	if options.Spoof != "" || options.SpoofMethod != "" {
+		return AppleTLSValidated{}, E.New("spoof is unsupported in ", engineName)
+	}
 	if len(options.CertificatePublicKeySHA256) > 0 && (len(options.Certificate) > 0 || options.CertificatePath != "") {
 		return AppleTLSValidated{}, E.New("certificate_public_key_sha256 is conflict with certificate or certificate_path")
 	}

common/tls/client.go

@@ -8,6 +8,7 @@ import (
 	"os"
 
 	"github.com/sagernet/sing-box/common/badtls"
+	"github.com/sagernet/sing-box/common/tlsspoof"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -19,6 +20,37 @@ import (
 
 var errMissingServerName = E.New("missing server_name or insecure=true")
 
+func parseTLSSpoofOptions(serverName string, options option.OutboundTLSOptions) (string, tlsspoof.Method, error) {
+	if options.Spoof == "" {
+		if options.SpoofMethod != "" {
+			return "", 0, E.New("`spoof_method` requires `spoof`")
+		}
+		return "", 0, nil
+	}
+	if !tlsspoof.PlatformSupported {
+		return "", 0, E.New("`spoof` is not supported on this platform")
+	}
+	if options.DisableSNI || serverName == "" {
+		return "", 0, E.New("`spoof` requires TLS ClientHello with SNI")
+	}
+	method, err := tlsspoof.ParseMethod(options.SpoofMethod)
+	if err != nil {
+		return "", 0, err
+	}
+	return options.Spoof, method, nil
+}
+
+func applyTLSSpoof(conn net.Conn, spoof string, method tlsspoof.Method) (net.Conn, error) {
+	if spoof == "" {
+		return conn, nil
+	}
+	spoofer, err := tlsspoof.NewSpoofer(conn, method)
+	if err != nil {
+		return nil, err
+	}
+	return tlsspoof.NewConn(conn, spoofer, spoof), nil
+}
+
 func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil

common/tls/reality_client.go

@@ -59,6 +59,9 @@ func newRealityClient(ctx context.Context, logger logger.ContextLogger, serverAd
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}
+	if options.Spoof != "" || options.SpoofMethod != "" {
+		return nil, E.New("spoof is unsupported in reality")
+	}
 
 	uClient, err := newUTLSClient(ctx, logger, serverAddress, options, allowEmptyServerName)
 	if err != nil {

common/tls/std_client.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
+	"github.com/sagernet/sing-box/common/tlsspoof"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -31,6 +32,8 @@ type STDClientConfig struct {
 	fragment              bool
 	fragmentFallbackDelay time.Duration
 	recordFragment        bool
+	spoof                 string
+	spoofMethod           tlsspoof.Method
 }
 
 func (c *STDClientConfig) ServerName() string {
@@ -75,6 +78,10 @@ func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
 	if c.recordFragment {
 		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
 	}
+	conn, err := applyTLSSpoof(conn, c.spoof, c.spoofMethod)
+	if err != nil {
+		return nil, err
+	}
 	return tls.Client(conn, c.config), nil
 }
 
@@ -89,6 +96,8 @@ func (c *STDClientConfig) Clone() Config {
 		fragment:              c.fragment,
 		fragmentFallbackDelay: c.fragmentFallbackDelay,
 		recordFragment:        c.recordFragment,
+		spoof:                 c.spoof,
+		spoofMethod:           c.spoofMethod,
 	}
 	cloned.SetServerName(cloned.serverName)
 	return cloned
@@ -218,6 +227,10 @@ func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 	} else {
 		handshakeTimeout = C.TCPTimeout
 	}
+	spoof, spoofMethod, err := parseTLSSpoofOptions(serverName, options)
+	if err != nil {
+		return nil, err
+	}
 	var config Config = &STDClientConfig{
 		ctx:                   ctx,
 		config:                &tlsConfig,
@@ -228,6 +241,8 @@ func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres
 		fragment:              options.Fragment,
 		fragmentFallbackDelay: time.Duration(options.FragmentFallbackDelay),
 		recordFragment:        options.RecordFragment,
+		spoof:                 spoof,
+		spoofMethod:           spoofMethod,
 	}
 	config.SetServerName(serverName)
 	if options.ECH != nil && options.ECH.Enabled {

common/tls/utls_client.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tlsfragment"
+	"github.com/sagernet/sing-box/common/tlsspoof"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
@@ -36,6 +37,8 @@ type UTLSClientConfig struct {
 	fragment              bool
 	fragmentFallbackDelay time.Duration
 	recordFragment        bool
+	spoof                 string
+	spoofMethod           tlsspoof.Method
 }
 
 func (c *UTLSClientConfig) ServerName() string {
@@ -83,6 +86,10 @@ func (c *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
 	if c.recordFragment {
 		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
 	}
+	conn, err := applyTLSSpoof(conn, c.spoof, c.spoofMethod)
+	if err != nil {
+		return nil, err
+	}
 	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, c.config.Clone(), c.id)}, c.config.NextProtos}, nil
 }
 
@@ -102,6 +109,8 @@ func (c *UTLSClientConfig) Clone() Config {
 		fragment:              c.fragment,
 		fragmentFallbackDelay: c.fragmentFallbackDelay,
 		recordFragment:        c.recordFragment,
+		spoof:                 c.spoof,
+		spoofMethod:           c.spoofMethod,
 	}
 	cloned.SetServerName(cloned.serverName)
 	return cloned
@@ -290,6 +299,10 @@ func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 	} else {
 		handshakeTimeout = C.TCPTimeout
 	}
+	spoof, spoofMethod, err := parseTLSSpoofOptions(serverName, options)
+	if err != nil {
+		return nil, err
+	}
 	id, err := uTLSClientHelloID(options.UTLS.Fingerprint)
 	if err != nil {
 		return nil, err
@@ -305,6 +318,8 @@ func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre
 		fragment:              options.Fragment,
 		fragmentFallbackDelay: time.Duration(options.FragmentFallbackDelay),
 		recordFragment:        options.RecordFragment,
+		spoof:                 spoof,
+		spoofMethod:           spoofMethod,
 	}
 	config.SetServerName(serverName)
 	if options.ECH != nil && options.ECH.Enabled {

common/tlsfragment/index.go

@@ -23,9 +23,10 @@ const (
 )
 
 type MyServerName struct {
-	Index      int
-	Length     int
-	ServerName string
+	Index                     int
+	Length                    int
+	ServerName                string
+	ExtensionsListLengthIndex int
 }
 
 func IndexTLSServerName(payload []byte) *MyServerName {
@@ -41,6 +42,7 @@ func IndexTLSServerName(payload []byte) *MyServerName {
 		return nil
 	}
 	serverName.Index += recordLayerHeaderLen
+	serverName.ExtensionsListLengthIndex += recordLayerHeaderLen
 	return serverName
 }
 
@@ -82,6 +84,7 @@ func indexTLSServerNameFromHandshake(handshake []byte) *MyServerName {
 		return nil
 	}
 	serverName.Index += currentIndex
+	serverName.ExtensionsListLengthIndex = currentIndex
 	return serverName
 }
 

common/tlsspoof/client_hello.go

@@ -0,0 +1,86 @@
+package tlsspoof
+
+import (
+	"encoding/binary"
+
+	tf "github.com/sagernet/sing-box/common/tlsfragment"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+const (
+	recordLengthOffset    = 3
+	handshakeLengthOffset = 6
+)
+
+// server_name extension layout (RFC 6066 §3). Offsets are relative to the
+// SNI host name (index returned by the parser):
+//
+//	...    uint16 extension_type = 0x0000     (host_name - 9)
+//	...    uint16 extension_data_length       (host_name - 7)
+//	...    uint16 server_name_list_length     (host_name - 5)
+//	...    uint8  name_type = host_name       (host_name - 3)
+//	...    uint16 host_name_length            (host_name - 2)
+//	sni    host_name                          (host_name)
+const (
+	extensionDataLengthOffsetFromSNI = -7
+	listLengthOffsetFromSNI          = -5
+	hostNameLengthOffsetFromSNI      = -2
+)
+
+func rewriteSNI(record []byte, fakeSNI string) ([]byte, error) {
+	if len(fakeSNI) > 0xFFFF {
+		return nil, E.New("fake SNI too long: ", len(fakeSNI), " bytes")
+	}
+	serverName := tf.IndexTLSServerName(record)
+	if serverName == nil {
+		return nil, E.New("not a ClientHello with SNI")
+	}
+
+	delta := len(fakeSNI) - serverName.Length
+	out := make([]byte, len(record)+delta)
+	copy(out, record[:serverName.Index])
+	copy(out[serverName.Index:], fakeSNI)
+	copy(out[serverName.Index+len(fakeSNI):], record[serverName.Index+serverName.Length:])
+
+	err := patchUint16(out, recordLengthOffset, delta)
+	if err != nil {
+		return nil, E.Cause(err, "patch record length")
+	}
+	err = patchUint24(out, handshakeLengthOffset, delta)
+	if err != nil {
+		return nil, E.Cause(err, "patch handshake length")
+	}
+	for _, off := range []int{
+		serverName.ExtensionsListLengthIndex,
+		serverName.Index + extensionDataLengthOffsetFromSNI,
+		serverName.Index + listLengthOffsetFromSNI,
+		serverName.Index + hostNameLengthOffsetFromSNI,
+	} {
+		err = patchUint16(out, off, delta)
+		if err != nil {
+			return nil, E.Cause(err, "patch length at offset ", off)
+		}
+	}
+	return out, nil
+}
+
+func patchUint16(data []byte, offset, delta int) error {
+	patched := int(binary.BigEndian.Uint16(data[offset:])) + delta
+	if patched < 0 || patched > 0xFFFF {
+		return E.New("uint16 out of range: ", patched)
+	}
+	binary.BigEndian.PutUint16(data[offset:], uint16(patched))
+	return nil
+}
+
+func patchUint24(data []byte, offset, delta int) error {
+	original := int(data[offset])<<16 | int(data[offset+1])<<8 | int(data[offset+2])
+	patched := original + delta
+	if patched < 0 || patched > 0xFFFFFF {
+		return E.New("uint24 out of range: ", patched)
+	}
+	data[offset] = byte(patched >> 16)
+	data[offset+1] = byte(patched >> 8)
+	data[offset+2] = byte(patched)
+	return nil
+}