Xray-core/transport/internet/tcp/dialer.go

package tcp

import (
	"context"
	"strings"

	"github.com/xtls/xray-core/common"
	"github.com/xtls/xray-core/common/errors"
	"github.com/xtls/xray-core/common/net"
	"github.com/xtls/xray-core/common/session"
	"github.com/xtls/xray-core/transport/internet"
	"github.com/xtls/xray-core/transport/internet/reality"
	"github.com/xtls/xray-core/transport/internet/stat"
	"github.com/xtls/xray-core/transport/internet/tls"
)

func IsFromMitm(str string) bool {
	return strings.ToLower(str) == "frommitm"
}

// Dial dials a new TCP connection to the given destination.
func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.MemoryStreamConfig) (stat.Connection, error) {
	errors.LogInfo(ctx, "dialing TCP to ", dest)
	conn, err := internet.DialSystem(ctx, dest, streamSettings.SocketSettings)
	if err != nil {
		return nil, err
	}

	if config := tls.ConfigFromStreamSettings(streamSettings); config != nil {
		mitmServerName := session.MitmServerNameFromContext(ctx)
		mitmAlpn11 := session.MitmAlpn11FromContext(ctx)
		tlsConfig := config.GetTLSConfig(tls.WithDestination(dest))
		if IsFromMitm(tlsConfig.ServerName) {
			tlsConfig.ServerName = mitmServerName
		}
		if r, ok := tlsConfig.Rand.(*tls.RandCarrier); ok && len(r.VerifyPeerCertInNames) > 0 && IsFromMitm(r.VerifyPeerCertInNames[0]) {
			r.VerifyPeerCertInNames = r.VerifyPeerCertInNames[1:]
			after := mitmServerName
			for {
				if len(after) > 0 {
					r.VerifyPeerCertInNames = append(r.VerifyPeerCertInNames, after)
				}
				_, after, _ = strings.Cut(after, ".")
				if !strings.Contains(after, ".") {
					break
				}
			}
		}
		if fingerprint := tls.GetFingerprint(config.Fingerprint); fingerprint != nil {
			conn = tls.UClient(conn, tlsConfig, fingerprint)
			if len(tlsConfig.NextProtos) == 1 && (tlsConfig.NextProtos[0] == "http/1.1" || (IsFromMitm(tlsConfig.NextProtos[0]) && mitmAlpn11)) {
				if err := conn.(*tls.UConn).WebsocketHandshakeContext(ctx); err != nil {
					return nil, err
				}
			} else {
				if err := conn.(*tls.UConn).HandshakeContext(ctx); err != nil {
					return nil, err
				}
			}
		} else {
			if len(tlsConfig.NextProtos) == 1 && IsFromMitm(tlsConfig.NextProtos[0]) {
				if mitmAlpn11 {
					tlsConfig.NextProtos[0] = "http/1.1"
				} else {
					tlsConfig.NextProtos = nil
				}
			}
			conn = tls.Client(conn, tlsConfig)
			if err := conn.(*tls.Conn).HandshakeContext(ctx); err != nil {
				return nil, err
			}
		}
	} else if config := reality.ConfigFromStreamSettings(streamSettings); config != nil {
		if conn, err = reality.UClient(conn, config, ctx, dest); err != nil {
			return nil, err
		}
	}

	tcpSettings := streamSettings.ProtocolSettings.(*Config)
	if tcpSettings.HeaderSettings != nil {
		headerConfig, err := tcpSettings.HeaderSettings.GetInstance()
		if err != nil {
			return nil, errors.New("failed to get header settings").Base(err).AtError()
		}
		auth, err := internet.CreateConnectionAuthenticator(headerConfig)
		if err != nil {
			return nil, errors.New("failed to create header authenticator").Base(err).AtError()
		}
		conn = auth.Client(conn)
	}
	return stat.Connection(conn), nil
}

func init() {
	common.Must(internet.RegisterTransportDialer(protocolName, Dial))
}
v1.0.0 2020-11-25 11:01:53 +00:00			`package tcp`

			`import (`
			`"context"`
MITM: Allow forwarding local negotiated ALPN http/1.1 to the real website https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2633656408 https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2633865039 Local negotiated ALPN http/1.1 was sent by browser/app or is written in dokodemo-door RAW's `tlsSettings`. Set `"alpn": ["fromMitm"]` in freedom RAW's `tlsSettings` to forward it to the real website. 2025-02-04 15:10:08 +00:00			`"strings"`
v1.0.0 2020-11-25 11:01:53 +00:00
v1.1.0 2020-12-04 01:36:16 +00:00			`"github.com/xtls/xray-core/common"`
Refactor log (#3446) * Refactor log * Add new log methods * Fix logger test * Change all logging code * Clean up pathObj * Rebase to latest main * Remove invoking method name after the dot 2024-06-29 18:32:57 +00:00			`"github.com/xtls/xray-core/common/errors"`
v1.1.0 2020-12-04 01:36:16 +00:00			`"github.com/xtls/xray-core/common/net"`
MITM: Allow forwarding local negotiated ALPN http/1.1 to the real website https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2633656408 https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2633865039 Local negotiated ALPN http/1.1 was sent by browser/app or is written in dokodemo-door RAW's `tlsSettings`. Set `"alpn": ["fromMitm"]` in freedom RAW's `tlsSettings` to forward it to the real website. 2025-02-04 15:10:08 +00:00			`"github.com/xtls/xray-core/common/session"`
v1.1.0 2020-12-04 01:36:16 +00:00			`"github.com/xtls/xray-core/transport/internet"`
THE NEXT FUTURE becomes THE REALITY NOW Thank @yuhan6665 for testing 2023-02-15 16:07:12 +00:00			`"github.com/xtls/xray-core/transport/internet/reality"`
Fix some tests and format code (#830) * Increase some tls test timeout * Fix TestUserValidator * Change all tests to VMessAEAD Old VMess MD5 tests will be rejected and fail in 2022 * Chore: auto format code 2021-12-15 00:28:47 +00:00			`"github.com/xtls/xray-core/transport/internet/stat"`
v1.1.0 2020-12-04 01:36:16 +00:00			`"github.com/xtls/xray-core/transport/internet/tls"`
v1.0.0 2020-11-25 11:01:53 +00:00			`)`

MITM: Allow using local received SNI in the outgoing `serverName` & `verifyPeerCertInNames` https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate. 2025-02-06 07:37:30 +00:00			`func IsFromMitm(str string) bool {`
			`return strings.ToLower(str) == "frommitm"`
			`}`

v1.0.0 2020-11-25 11:01:53 +00:00			`// Dial dials a new TCP connection to the given destination.`
Fix: CounterConnection with ReadV/WriteV (#720) Co-authored-by: JimhHan <50871214+JimhHan@users.noreply.github.com> 2021-09-20 12:11:21 +00:00			`func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.MemoryStreamConfig) (stat.Connection, error) {`
Refactor log (#3446) * Refactor log * Add new log methods * Fix logger test * Change all logging code * Clean up pathObj * Rebase to latest main * Remove invoking method name after the dot 2024-06-29 18:32:57 +00:00			`errors.LogInfo(ctx, "dialing TCP to ", dest)`
v1.0.0 2020-11-25 11:01:53 +00:00			`conn, err := internet.DialSystem(ctx, dest, streamSettings.SocketSettings)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if config := tls.ConfigFromStreamSettings(streamSettings); config != nil {`
MITM: Allow using local received SNI in the outgoing `serverName` & `verifyPeerCertInNames` https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate. 2025-02-06 07:37:30 +00:00			`mitmServerName := session.MitmServerNameFromContext(ctx)`
			`mitmAlpn11 := session.MitmAlpn11FromContext(ctx)`
v1.0.0 2020-11-25 11:01:53 +00:00			`tlsConfig := config.GetTLSConfig(tls.WithDestination(dest))`
MITM: Allow using local received SNI in the outgoing `serverName` & `verifyPeerCertInNames` https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate. 2025-02-06 07:37:30 +00:00			`if IsFromMitm(tlsConfig.ServerName) {`
			`tlsConfig.ServerName = mitmServerName`
			`}`
			`if r, ok := tlsConfig.Rand.(*tls.RandCarrier); ok && len(r.VerifyPeerCertInNames) > 0 && IsFromMitm(r.VerifyPeerCertInNames[0]) {`
			`r.VerifyPeerCertInNames = r.VerifyPeerCertInNames[1:]`
			`after := mitmServerName`
			`for {`
			`if len(after) > 0 {`
			`r.VerifyPeerCertInNames = append(r.VerifyPeerCertInNames, after)`
			`}`
			`_, after, _ = strings.Cut(after, ".")`
			`if !strings.Contains(after, ".") {`
			`break`
			`}`
			`}`
			`}`
Refine fingerprints Fixes https://github.com/XTLS/Xray-core/issues/1577 2023-02-01 12:58:17 +00:00			`if fingerprint := tls.GetFingerprint(config.Fingerprint); fingerprint != nil {`
Fix uTLS fingerprints support Thank @HirbodBehnam https://github.com/XTLS/Xray-core/issues/461 2021-04-01 09:15:18 +00:00			`conn = tls.UClient(conn, tlsConfig, fingerprint)`
MITM: Allow using local received SNI in the outgoing `serverName` & `verifyPeerCertInNames` https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate. 2025-02-06 07:37:30 +00:00			`if len(tlsConfig.NextProtos) == 1 && (tlsConfig.NextProtos[0] == "http/1.1" \|\| (IsFromMitm(tlsConfig.NextProtos[0]) && mitmAlpn11)) {`
RAW: Allow setting ALPN `http/1.1` for non-REALITY uTLS https://github.com/XTLS/Xray-core/issues/4313#issuecomment-2611889517 2025-01-25 11:15:42 +00:00			`if err := conn.(*tls.UConn).WebsocketHandshakeContext(ctx); err != nil {`
			`return nil, err`
			`}`
			`} else {`
			`if err := conn.(*tls.UConn).HandshakeContext(ctx); err != nil {`
			`return nil, err`
			`}`
Fix uTLS fingerprints support Thank @HirbodBehnam https://github.com/XTLS/Xray-core/issues/461 2021-04-01 09:15:18 +00:00			`}`
Add uTLS fingerprints support (#451) 2021-03-29 10:08:29 +00:00			`} else {`
MITM: Allow using local received SNI in the outgoing `serverName` & `verifyPeerCertInNames` https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate. 2025-02-06 07:37:30 +00:00			`if len(tlsConfig.NextProtos) == 1 && IsFromMitm(tlsConfig.NextProtos[0]) {`
			`if mitmAlpn11 {`
			`tlsConfig.NextProtos[0] = "http/1.1"`
MITM: Allow forwarding local negotiated ALPN http/1.1 to the real website https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2633656408 https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2633865039 Local negotiated ALPN http/1.1 was sent by browser/app or is written in dokodemo-door RAW's `tlsSettings`. Set `"alpn": ["fromMitm"]` in freedom RAW's `tlsSettings` to forward it to the real website. 2025-02-04 15:10:08 +00:00			`} else {`
			`tlsConfig.NextProtos = nil`
			`}`
			`}`
Add uTLS fingerprints support (#451) 2021-03-29 10:08:29 +00:00			`conn = tls.Client(conn, tlsConfig)`
MITM: Allow using local received SNI in the outgoing `serverName` & `verifyPeerCertInNames` https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate. 2025-02-06 07:37:30 +00:00			`if err := conn.(*tls.Conn).HandshakeContext(ctx); err != nil {`
			`return nil, err`
			`}`
Add uTLS fingerprints support (#451) 2021-03-29 10:08:29 +00:00			`}`
THE NEXT FUTURE becomes THE REALITY NOW Thank @yuhan6665 for testing 2023-02-15 16:07:12 +00:00			`} else if config := reality.ConfigFromStreamSettings(streamSettings); config != nil {`
			`if conn, err = reality.UClient(conn, config, ctx, dest); err != nil {`
			`return nil, err`
			`}`
v1.0.0 2020-11-25 11:01:53 +00:00			`}`

			`tcpSettings := streamSettings.ProtocolSettings.(*Config)`
			`if tcpSettings.HeaderSettings != nil {`
			`headerConfig, err := tcpSettings.HeaderSettings.GetInstance()`
			`if err != nil {`
Refactor log (#3446) * Refactor log * Add new log methods * Fix logger test * Change all logging code * Clean up pathObj * Rebase to latest main * Remove invoking method name after the dot 2024-06-29 18:32:57 +00:00			`return nil, errors.New("failed to get header settings").Base(err).AtError()`
v1.0.0 2020-11-25 11:01:53 +00:00			`}`
			`auth, err := internet.CreateConnectionAuthenticator(headerConfig)`
			`if err != nil {`
Refactor log (#3446) * Refactor log * Add new log methods * Fix logger test * Change all logging code * Clean up pathObj * Rebase to latest main * Remove invoking method name after the dot 2024-06-29 18:32:57 +00:00			`return nil, errors.New("failed to create header authenticator").Base(err).AtError()`
v1.0.0 2020-11-25 11:01:53 +00:00			`}`
			`conn = auth.Client(conn)`
			`}`
Fix: CounterConnection with ReadV/WriteV (#720) Co-authored-by: JimhHan <50871214+JimhHan@users.noreply.github.com> 2021-09-20 12:11:21 +00:00			`return stat.Connection(conn), nil`
v1.0.0 2020-11-25 11:01:53 +00:00			`}`

			`func init() {`
			`common.Must(internet.RegisterTransportDialer(protocolName, Dial))`
			`}`