2020-11-25 11:01:53 +00:00
|
|
|
package tcp
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2025-02-08 12:11:25 +00:00
|
|
|
"slices"
|
2025-02-04 15:10:08 +00:00
|
|
|
"strings"
|
2020-11-25 11:01:53 +00:00
|
|
|
|
2020-12-04 01:36:16 +00:00
|
|
|
"github.com/xtls/xray-core/common"
|
2024-06-29 18:32:57 +00:00
|
|
|
"github.com/xtls/xray-core/common/errors"
|
2020-12-04 01:36:16 +00:00
|
|
|
"github.com/xtls/xray-core/common/net"
|
2025-02-04 15:10:08 +00:00
|
|
|
"github.com/xtls/xray-core/common/session"
|
2020-12-04 01:36:16 +00:00
|
|
|
"github.com/xtls/xray-core/transport/internet"
|
2023-02-15 16:07:12 +00:00
|
|
|
"github.com/xtls/xray-core/transport/internet/reality"
|
2021-12-15 00:28:47 +00:00
|
|
|
"github.com/xtls/xray-core/transport/internet/stat"
|
2020-12-04 01:36:16 +00:00
|
|
|
"github.com/xtls/xray-core/transport/internet/tls"
|
2020-11-25 11:01:53 +00:00
|
|
|
)
|
|
|
|
|
|
2025-02-06 07:37:30 +00:00
|
|
|
func IsFromMitm(str string) bool {
|
|
|
|
|
return strings.ToLower(str) == "frommitm"
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-25 11:01:53 +00:00
|
|
|
// Dial dials a new TCP connection to the given destination.
|
2021-09-20 12:11:21 +00:00
|
|
|
func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.MemoryStreamConfig) (stat.Connection, error) {
|
2024-06-29 18:32:57 +00:00
|
|
|
errors.LogInfo(ctx, "dialing TCP to ", dest)
|
2020-11-25 11:01:53 +00:00
|
|
|
conn, err := internet.DialSystem(ctx, dest, streamSettings.SocketSettings)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if config := tls.ConfigFromStreamSettings(streamSettings); config != nil {
|
2025-02-06 07:37:30 +00:00
|
|
|
mitmServerName := session.MitmServerNameFromContext(ctx)
|
|
|
|
|
mitmAlpn11 := session.MitmAlpn11FromContext(ctx)
|
2020-11-25 11:01:53 +00:00
|
|
|
tlsConfig := config.GetTLSConfig(tls.WithDestination(dest))
|
2025-02-06 07:37:30 +00:00
|
|
|
if IsFromMitm(tlsConfig.ServerName) {
|
|
|
|
|
tlsConfig.ServerName = mitmServerName
|
|
|
|
|
}
|
2025-02-08 12:11:25 +00:00
|
|
|
isFromMitmVerify := false
|
|
|
|
|
if r, ok := tlsConfig.Rand.(*tls.RandCarrier); ok && len(r.VerifyPeerCertInNames) > 0 {
|
|
|
|
|
for i, name := range r.VerifyPeerCertInNames {
|
|
|
|
|
if IsFromMitm(name) {
|
|
|
|
|
isFromMitmVerify = true
|
|
|
|
|
r.VerifyPeerCertInNames[0], r.VerifyPeerCertInNames[i] = r.VerifyPeerCertInNames[i], r.VerifyPeerCertInNames[0]
|
|
|
|
|
r.VerifyPeerCertInNames = r.VerifyPeerCertInNames[1:]
|
|
|
|
|
after := mitmServerName
|
|
|
|
|
for {
|
|
|
|
|
if len(after) > 0 {
|
|
|
|
|
r.VerifyPeerCertInNames = append(r.VerifyPeerCertInNames, after)
|
|
|
|
|
}
|
|
|
|
|
_, after, _ = strings.Cut(after, ".")
|
|
|
|
|
if !strings.Contains(after, ".") {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
slices.Reverse(r.VerifyPeerCertInNames)
|
2025-02-06 07:37:30 +00:00
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-02-07 08:15:40 +00:00
|
|
|
isFromMitmAlpn := len(tlsConfig.NextProtos) == 1 && IsFromMitm(tlsConfig.NextProtos[0])
|
|
|
|
|
if isFromMitmAlpn {
|
|
|
|
|
if mitmAlpn11 {
|
|
|
|
|
tlsConfig.NextProtos[0] = "http/1.1"
|
|
|
|
|
} else {
|
|
|
|
|
tlsConfig.NextProtos = []string{"h2", "http/1.1"}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-01 12:58:17 +00:00
|
|
|
if fingerprint := tls.GetFingerprint(config.Fingerprint); fingerprint != nil {
|
2021-04-01 09:15:18 +00:00
|
|
|
conn = tls.UClient(conn, tlsConfig, fingerprint)
|
2025-02-07 08:15:40 +00:00
|
|
|
if len(tlsConfig.NextProtos) == 1 && tlsConfig.NextProtos[0] == "http/1.1" { // allow manually specify
|
|
|
|
|
err = conn.(*tls.UConn).WebsocketHandshakeContext(ctx)
|
2025-01-25 11:15:42 +00:00
|
|
|
} else {
|
2025-02-07 08:15:40 +00:00
|
|
|
err = conn.(*tls.UConn).HandshakeContext(ctx)
|
2021-04-01 09:15:18 +00:00
|
|
|
}
|
2021-03-29 10:08:29 +00:00
|
|
|
} else {
|
|
|
|
|
conn = tls.Client(conn, tlsConfig)
|
2025-02-07 08:15:40 +00:00
|
|
|
err = conn.(*tls.Conn).HandshakeContext(ctx)
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
if isFromMitmVerify {
|
|
|
|
|
return nil, errors.New("MITM freedom RAW TLS: failed to verify Domain Fronting certificate from " + mitmServerName).Base(err).AtWarning()
|
2025-02-06 07:37:30 +00:00
|
|
|
}
|
2025-02-07 08:15:40 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
negotiatedProtocol := conn.(tls.Interface).NegotiatedProtocol()
|
|
|
|
|
if isFromMitmAlpn && !mitmAlpn11 && negotiatedProtocol != "h2" {
|
|
|
|
|
conn.Close()
|
|
|
|
|
return nil, errors.New("MITM freedom RAW TLS: unexpected Negotiated Protocol (" + negotiatedProtocol + ") with " + mitmServerName).AtWarning()
|
2021-03-29 10:08:29 +00:00
|
|
|
}
|
2023-02-15 16:07:12 +00:00
|
|
|
} else if config := reality.ConfigFromStreamSettings(streamSettings); config != nil {
|
|
|
|
|
if conn, err = reality.UClient(conn, config, ctx, dest); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2020-11-25 11:01:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tcpSettings := streamSettings.ProtocolSettings.(*Config)
|
|
|
|
|
if tcpSettings.HeaderSettings != nil {
|
|
|
|
|
headerConfig, err := tcpSettings.HeaderSettings.GetInstance()
|
|
|
|
|
if err != nil {
|
2024-06-29 18:32:57 +00:00
|
|
|
return nil, errors.New("failed to get header settings").Base(err).AtError()
|
2020-11-25 11:01:53 +00:00
|
|
|
}
|
|
|
|
|
auth, err := internet.CreateConnectionAuthenticator(headerConfig)
|
|
|
|
|
if err != nil {
|
2024-06-29 18:32:57 +00:00
|
|
|
return nil, errors.New("failed to create header authenticator").Base(err).AtError()
|
2020-11-25 11:01:53 +00:00
|
|
|
}
|
|
|
|
|
conn = auth.Client(conn)
|
|
|
|
|
}
|
2021-09-20 12:11:21 +00:00
|
|
|
return stat.Connection(conn), nil
|
2020-11-25 11:01:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
common.Must(internet.RegisterTransportDialer(protocolName, Dial))
|
|
|
|
|
}
|
