From ef230d49a00bfd4d638dd0e96efd5289079023fd Mon Sep 17 00:00:00 2001 From: wenyifan Date: Sat, 15 Oct 2022 00:30:34 +0800 Subject: [PATCH] use chrome TLS fingerprint as default --- README.md | 1 + go.mod | 2 ++ go.sum | 6 ++++ tls.go | 4 ++- ws.go | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 94 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 28e7e49..48695e2 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ Evan 增强版特性 - 例子: gost -L http://:8888 -F http://evan.run:80 -NS 114.114.114.114:53/udp * 修复原版DNS解析的BUG * 修复原版websocket协议中path参数不解码后发送问题 +* TLS握手指纹增强:使用chrome的TLS指纹特征来对抗TLS指纹识别检测 初步防检测防杀毒处理脚本 ------ diff --git a/go.mod b/go.mod index 26d9d65..6e53324 100644 --- a/go.mod +++ b/go.mod @@ -18,6 +18,7 @@ require ( github.com/lucas-clemente/quic-go v0.26.0 github.com/miekg/dns v1.1.43 github.com/milosgajdos/tenus v0.0.3 + github.com/refraction-networking/utls v1.1.3 github.com/ryanuber/go-glob v1.0.0 github.com/shadowsocks/go-shadowsocks2 v0.1.5 github.com/shadowsocks/shadowsocks-go v0.0.0-20200409064450-3e585ff90601 @@ -32,6 +33,7 @@ require ( require ( github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect + github.com/andybalholm/brotli v1.0.4 // indirect github.com/cheekybits/genny v1.0.0 // indirect github.com/coreos/go-iptables v0.6.0 // indirect github.com/dchest/siphash v1.2.2 // indirect diff --git a/go.sum b/go.sum index 5bbe47e..f73812d 100644 --- a/go.sum +++ b/go.sum @@ -15,6 +15,8 @@ github.com/LiamHaworth/go-tproxy v0.0.0-20190726054950-ef7efd7f24ed h1:eqa6queie github.com/LiamHaworth/go-tproxy v0.0.0-20190726054950-ef7efd7f24ed/go.mod h1:rA52xkgZwql9LRZXWb2arHEFP6qSR48KY2xOfWzEciQ= github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY= github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA= +github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= +github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ= github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= @@ -171,6 +173,8 @@ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1: github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/refraction-networking/utls v1.1.3 h1:K9opY+iKxcGvHOBG2019wFEVtsNFh0f5WqHyc2i3iU0= +github.com/refraction-networking/utls v1.1.3/go.mod h1:+D89TUtA8+NKVFj1IXWr0p3tSdX1+SqUB7rL0QnGqyg= github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg= github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= @@ -249,6 +253,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064 h1:S25/rfnfsMVgORT4/J61MJ7rdyseOZOyvLIrZEZ7s6s= golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -282,6 +287,7 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211111160137-58aab5ef257a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220325170049-de3da57026de h1:pZB1TWnKi+o4bENlbzAgLrEbY4RMYmUIRobMcSmfeYc= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= diff --git a/tls.go b/tls.go index bb9c068..e71b431 100644 --- a/tls.go +++ b/tls.go @@ -3,6 +3,7 @@ package gost import ( "crypto/tls" "errors" + utls "github.com/refraction-networking/utls" "net" "sync" "time" @@ -277,7 +278,8 @@ func wrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration) conn.SetDeadline(time.Now().Add(timeout)) defer conn.SetDeadline(time.Time{}) - tlsConn := tls.Client(conn, tlsConfig) + //tlsConn := tls.Client(conn, tlsConfig) + tlsConn := utls.UClient(conn, &utls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName}, utls.HelloChrome_Auto) // Otherwise perform handshake, but don't verify the domain // diff --git a/ws.go b/ws.go index 0c27399..7fe89ae 100644 --- a/ws.go +++ b/ws.go @@ -1,11 +1,13 @@ package gost import ( + "context" "crypto/rand" "crypto/sha1" "crypto/tls" "encoding/base64" "github.com/gorilla/websocket" + utls "github.com/refraction-networking/utls" "io" "net" "net/http" @@ -742,6 +744,77 @@ type websocketConn struct { rb []byte } +var wsTlsSpec = &utls.ClientHelloSpec{ + CipherSuites: []uint16{ + utls.GREASE_PLACEHOLDER, + utls.TLS_AES_128_GCM_SHA256, + utls.TLS_AES_256_GCM_SHA384, + utls.TLS_CHACHA20_POLY1305_SHA256, + utls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + utls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + utls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + utls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + utls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + utls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + utls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + utls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + utls.TLS_RSA_WITH_AES_128_GCM_SHA256, + utls.TLS_RSA_WITH_AES_256_GCM_SHA384, + utls.TLS_RSA_WITH_AES_128_CBC_SHA, + utls.TLS_RSA_WITH_AES_256_CBC_SHA, + }, + CompressionMethods: []byte{ + 0x00, // compressionNone + }, + Extensions: []utls.TLSExtension{ + &utls.UtlsGREASEExtension{}, + &utls.SNIExtension{}, + &utls.UtlsExtendedMasterSecretExtension{}, + &utls.RenegotiationInfoExtension{Renegotiation: utls.RenegotiateOnceAsClient}, + &utls.SupportedCurvesExtension{[]utls.CurveID{ + utls.GREASE_PLACEHOLDER, + utls.X25519, + utls.CurveP256, + utls.CurveP384, + }}, + &utls.SupportedPointsExtension{SupportedPoints: []byte{ + 0x00, // pointFormatUncompressed + }}, + &utls.SessionTicketExtension{}, + &utls.ALPNExtension{AlpnProtocols: []string{"http/1.1"}}, + &utls.StatusRequestExtension{}, + &utls.SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []utls.SignatureScheme{ + utls.ECDSAWithP256AndSHA256, + utls.PSSWithSHA256, + utls.PKCS1WithSHA256, + utls.ECDSAWithP384AndSHA384, + utls.PSSWithSHA384, + utls.PKCS1WithSHA384, + utls.PSSWithSHA512, + utls.PKCS1WithSHA512, + }}, + &utls.SCTExtension{}, + &utls.KeyShareExtension{[]utls.KeyShare{ + {Group: utls.CurveID(utls.GREASE_PLACEHOLDER), Data: []byte{0}}, + {Group: utls.X25519}, + }}, + &utls.PSKKeyExchangeModesExtension{[]uint8{ + utls.PskModeDHE, + }}, + &utls.SupportedVersionsExtension{[]uint16{ + utls.GREASE_PLACEHOLDER, + utls.VersionTLS13, + utls.VersionTLS12, + }}, + &utls.UtlsCompressCertExtension{[]utls.CertCompressionAlgo{ + utls.CertCompressionBrotli, + }}, + &utls.ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}}, + &utls.UtlsGREASEExtension{}, + &utls.UtlsPaddingExtension{GetPaddingLen: utls.BoringPaddingStyle}, + }, +} + func websocketClientConn(url string, conn net.Conn, tlsConfig *tls.Config, options *WSOptions) (net.Conn, error) { if options == nil { options = &WSOptions{} @@ -761,6 +834,15 @@ func websocketClientConn(url string, conn net.Conn, tlsConfig *tls.Config, optio NetDial: func(net, addr string) (net.Conn, error) { return conn, nil }, + NetDialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) { + client := utls.UClient(conn, &utls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName}, utls.HelloCustom) + client.ApplyPreset(wsTlsSpec) + err := client.Handshake() + if err != nil { + return nil, err + } + return client, nil + }, } header := http.Header{} header.Set("User-Agent", DefaultUserAgent)