feat: Add utls for modifying client's fingerprint.

Currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan-grpc.
2023-02-01 22:16:06 +08:00
parent 61b3b4f775
commit 2ee0f634e6
11 changed files with 285 additions and 104 deletions
--- a/transport/gun/gun.go
+++ b/transport/gun/gun.go
@ -19,6 +19,8 @@ import (

 	"github.com/Dreamacro/clash/common/buf"
 	"github.com/Dreamacro/clash/common/pool"
+	U "github.com/Dreamacro/clash/transport/vmess"
+	utls "github.com/refraction-networking/utls"

 	"go.uber.org/atomic"
 	"golang.org/x/net/http2"
@ -51,8 +53,9 @@ type Conn struct {
 }

 type Config struct {
-	ServiceName string
-	Host        string
+	ServiceName       string
+	Host              string
+	ClientFingerprint string
 }

 func (g *Conn) initRequest() {
@ -188,8 +191,9 @@ func (g *Conn) SetDeadline(t time.Time) error {
 	return nil
 }

-func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config) *TransportWrap {
+func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config, Fingerprint string) *TransportWrap {
 	wrap := TransportWrap{}
+
 	dialFunc := func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error) {
 		pconn, err := dialFn(network, addr)
 		if err != nil {
@ -197,17 +201,38 @@ func NewHTTP2Client(dialFn DialFn, tlsConfig *tls.Config) *TransportWrap {
 		}

 		wrap.remoteAddr = pconn.RemoteAddr()
-		cn := tls.Client(pconn, cfg)
-		if err := cn.HandshakeContext(ctx); err != nil {
+
+		if len(Fingerprint) != 0 {
+			if fingerprint, exists := U.GetFingerprint(Fingerprint); exists {
+				utlsConn := U.UClient(pconn, cfg, &utls.ClientHelloID{
+					Client:  fingerprint.Client,
+					Version: fingerprint.Version,
+					Seed:    nil,
+				})
+				if err := utlsConn.(*U.UConn).HandshakeContext(ctx); err != nil {
+					pconn.Close()
+					return nil, err
+				}
+				state := utlsConn.(*U.UConn).ConnectionState()
+				if p := state.NegotiatedProtocol; p != http2.NextProtoTLS {
+					utlsConn.Close()
+					return nil, fmt.Errorf("http2: unexpected ALPN protocol %s, want %s", p, http2.NextProtoTLS)
+				}
+				return utlsConn, nil
+			}
+		}
+
+		conn := tls.Client(pconn, cfg)
+		if err := conn.HandshakeContext(ctx); err != nil {
 			pconn.Close()
 			return nil, err
 		}
-		state := cn.ConnectionState()
+		state := conn.ConnectionState()
 		if p := state.NegotiatedProtocol; p != http2.NextProtoTLS {
-			cn.Close()
+			conn.Close()
 			return nil, fmt.Errorf("http2: unexpected ALPN protocol %s, want %s", p, http2.NextProtoTLS)
 		}
-		return cn, nil
+		return conn, nil
 	}

 	wrap.Transport = &http2.Transport{
@ -260,6 +285,6 @@ func StreamGunWithConn(conn net.Conn, tlsConfig *tls.Config, cfg *Config) (net.C
 		return conn, nil
 	}

-	transport := NewHTTP2Client(dialFn, tlsConfig)
+	transport := NewHTTP2Client(dialFn, tlsConfig, cfg.ClientFingerprint)
 	return StreamGunWithTransport(transport, cfg)
 }
--- a/transport/trojan/trojan.go
+++ b/transport/trojan/trojan.go
@ -46,13 +46,14 @@ const (
 )

 type Option struct {
-	Password       string
-	ALPN           []string
-	ServerName     string
-	SkipCertVerify bool
-	Fingerprint    string
-	Flow           string
-	FlowShow       bool
+	Password          string
+	ALPN              []string
+	ServerName        string
+	SkipCertVerify    bool
+	Fingerprint       string
+	Flow              string
+	FlowShow          bool
+	ClientFingerprint string
 }

 type WebsocketOption struct {
--- a/transport/vmess/tls.go
+++ b/transport/vmess/tls.go
@ -7,13 +7,16 @@ import (

 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
+
+	utls "github.com/refraction-networking/utls"
 )

 type TLSConfig struct {
-	Host           string
-	SkipCertVerify bool
-	FingerPrint    string
-	NextProtos     []string
+	Host              string
+	SkipCertVerify    bool
+	FingerPrint       string
+	ClientFingerprint string
+	NextProtos        []string
 }

 func StreamTLSConn(conn net.Conn, cfg *TLSConfig) (net.Conn, error) {
@ -32,11 +35,27 @@ func StreamTLSConn(conn net.Conn, cfg *TLSConfig) (net.Conn, error) {
 		}
 	}

+	if len(cfg.ClientFingerprint) != 0 {
+		if fingerprint, exists := GetFingerprint(cfg.ClientFingerprint); exists {
+			utlsConn := UClient(conn, tlsConfig, &utls.ClientHelloID{
+				Client:  fingerprint.Client,
+				Version: fingerprint.Version,
+				Seed:    nil,
+			})
+
+			ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+			defer cancel()
+
+			err := utlsConn.(*UConn).HandshakeContext(ctx)
+			return utlsConn, err
+		}
+	}
+
 	tlsConn := tls.Client(conn, tlsConfig)

-	// fix tls handshake not timeout
 	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
 	defer cancel()
+
 	err := tlsConn.HandshakeContext(ctx)
 	return tlsConn, err
 }
--- a/transport/vmess/utls.go
+++ b/transport/vmess/utls.go
@ -0,0 +1,90 @@
+package vmess
+
+import (
+	"crypto/tls"
+	"net"
+
+	"github.com/Dreamacro/clash/log"
+
+	"github.com/mroth/weightedrand/v2"
+	utls "github.com/refraction-networking/utls"
+)
+
+type UConn struct {
+	*utls.UConn
+}
+
+var initRandomFingerprint *utls.ClientHelloID
+
+func UClient(c net.Conn, config *tls.Config, fingerprint *utls.ClientHelloID) net.Conn {
+	utlsConn := utls.UClient(c, CopyConfig(config), *fingerprint)
+	return &UConn{UConn: utlsConn}
+}
+
+func GetFingerprint(ClientFingerprint string) (*utls.ClientHelloID, bool) {
+	if initRandomFingerprint == nil {
+		initRandomFingerprint, _ = RollFingerprint()
+	}
+	if ClientFingerprint == "random" {
+		log.Debugln("use initial random HelloID:%s", initRandomFingerprint.Client)
+		return initRandomFingerprint, true
+	}
+	fingerprint, ok := Fingerprints[ClientFingerprint]
+	log.Debugln("use specified fingerprint:%s", fingerprint.Client)
+	return fingerprint, ok
+}
+
+func RollFingerprint() (*utls.ClientHelloID, bool) {
+	chooser, _ := weightedrand.NewChooser(
+		weightedrand.NewChoice("chrome", 6),
+		weightedrand.NewChoice("safari", 3),
+		weightedrand.NewChoice("firefox", 1),
+	)
+	initClient := chooser.Pick()
+	log.Debugln("initial random HelloID:%s", initClient)
+	fingerprint, ok := Fingerprints[initClient]
+	return fingerprint, ok
+}
+
+var Fingerprints = map[string]*utls.ClientHelloID{
+	"chrome":     &utls.HelloChrome_Auto,
+	"firefox":    &utls.HelloFirefox_Auto,
+	"safari":     &utls.HelloSafari_Auto,
+	"randomized": &utls.HelloRandomized,
+}
+
+func CopyConfig(c *tls.Config) *utls.Config {
+	return &utls.Config{
+		RootCAs:               c.RootCAs,
+		ServerName:            c.ServerName,
+		InsecureSkipVerify:    c.InsecureSkipVerify,
+		VerifyPeerCertificate: c.VerifyPeerCertificate,
+	}
+}
+
+// WebsocketHandshake basically calls UConn.Handshake inside it but it will only send
+// http/1.1 in its ALPN.
+func (c *UConn) WebsocketHandshake() error {
+	// Build the handshake state. This will apply every variable of the TLS of the
+	// fingerprint in the UConn
+	if err := c.BuildHandshakeState(); err != nil {
+		return err
+	}
+	// Iterate over extensions and check for utls.ALPNExtension
+	hasALPNExtension := false
+	for _, extension := range c.Extensions {
+		if alpn, ok := extension.(*utls.ALPNExtension); ok {
+			hasALPNExtension = true
+			alpn.AlpnProtocols = []string{"http/1.1"}
+			break
+		}
+	}
+	if !hasALPNExtension { // Append extension if doesn't exists
+		c.Extensions = append(c.Extensions, &utls.ALPNExtension{AlpnProtocols: []string{"http/1.1"}})
+	}
+	// Rebuild the client hello and do the handshake
+	if err := c.BuildHandshakeState(); err != nil {
+		return err
+	}
+	return c.Handshake()
+}
--- a/transport/vmess/websocket.go
+++ b/transport/vmess/websocket.go
@ -8,6 +8,7 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
+
 	"io"
 	"math/rand"
 	"net"
@ -20,8 +21,9 @@ import (

 	"github.com/Dreamacro/clash/common/buf"
 	N "github.com/Dreamacro/clash/common/net"
-
 	"github.com/gorilla/websocket"
+
+	utls "github.com/refraction-networking/utls"
 )

 type websocketConn struct {
@ -56,6 +58,7 @@ type WebsocketConfig struct {
 	TLSConfig           *tls.Config
 	MaxEarlyData        int
 	EarlyDataHeaderName string
+	ClientFingerprint   string
 }

 // Read implements net.Conn.Read()
@ -136,15 +139,15 @@ func (wsc *websocketConn) Upstream() any {
 }

 func (wsc *websocketConn) Close() error {
-	var errors []string
+	var e []string
 	if err := wsc.conn.WriteControl(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""), time.Now().Add(time.Second*5)); err != nil {
-		errors = append(errors, err.Error())
+		e = append(e, err.Error())
 	}
 	if err := wsc.conn.Close(); err != nil {
-		errors = append(errors, err.Error())
+		e = append(e, err.Error())
 	}
-	if len(errors) > 0 {
-		return fmt.Errorf("failed to close connection: %s", strings.Join(errors, ","))
+	if len(e) > 0 {
+		return fmt.Errorf("failed to close connection: %s", strings.Join(e, ","))
 	}
 	return nil
 }
@ -316,6 +319,7 @@ func streamWebsocketWithEarlyDataConn(conn net.Conn, c *WebsocketConfig) (net.Co
 }

 func streamWebsocketConn(conn net.Conn, c *WebsocketConfig, earlyData *bytes.Buffer) (net.Conn, error) {
+
 	dialer := &websocket.Dialer{
 		NetDial: func(network, addr string) (net.Conn, error) {
 			return conn, nil
@ -329,6 +333,22 @@ func streamWebsocketConn(conn net.Conn, c *WebsocketConfig, earlyData *bytes.Buf
 	if c.TLS {
 		scheme = "wss"
 		dialer.TLSClientConfig = c.TLSConfig
+		if len(c.ClientFingerprint) != 0 {
+			if fingerprint, exists := GetFingerprint(c.ClientFingerprint); exists {
+				dialer.NetDialTLSContext = func(_ context.Context, _, addr string) (net.Conn, error) {
+					utlsConn := UClient(conn, c.TLSConfig, &utls.ClientHelloID{
+						Client:  fingerprint.Client,
+						Version: fingerprint.Version,
+						Seed:    fingerprint.Seed,
+					})
+
+					if err := utlsConn.(*UConn).WebsocketHandshake(); err != nil {
+						return nil, fmt.Errorf("parse url %s error: %w", c.Path, err)
+					}
+					return utlsConn, nil
+				}
+			}
+		}
 	}

 	u, err := url.Parse(c.Path)