Add uTLS client

2026-06-19 09:24:59 +03:00 · 2022-09-10 10:27:00 +08:00
parent 3ad4370fa5
commit 2f437a0382
15 changed files with 331 additions and 44 deletions
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -23,6 +23,8 @@ func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress
 func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if options.ECH != nil && options.ECH.Enabled {
 		return newECHClient(router, serverAddress, options)
+	} else if options.UTLS != nil && options.UTLS.Enabled {
+		return newUTLSClient(router, serverAddress, options)
 	} else {
 		return newStdClient(serverAddress, options)
 	}
--- a/common/tls/ech_stub.go
+++ b/common/tls/ech_stub.go
@@ -0,0 +1,13 @@
+//go:build !with_ech
+
+package tls
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func newECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+}
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -0,0 +1,12 @@
+package tls
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+)
+
+func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return newSTDServer(ctx, logger, options)
+}
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -26,7 +26,7 @@ type STDServerConfig struct {
 	watcher         *fsnotify.Watcher
 }

-func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func newSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -0,0 +1,125 @@
+//go:build with_utls
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"net"
+	"net/netip"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	utls "github.com/refraction-networking/utls"
+)
+
+type utlsClientConfig struct {
+	config *utls.Config
+	id     utls.ClientHelloID
+}
+
+func (e *utlsClientConfig) Config() (*STDConfig, error) {
+	return nil, E.New("unsupported usage for uTLS")
+}
+
+func (e *utlsClientConfig) Client(conn net.Conn) Conn {
+	return &utlsConnWrapper{utls.UClient(conn, e.config, e.id)}
+}
+
+type utlsConnWrapper struct {
+	*utls.UConn
+}
+
+func (c *utlsConnWrapper) HandshakeContext(ctx context.Context) error {
+	return c.Conn.Handshake()
+}
+
+func newUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	var serverName string
+	if options.ServerName != "" {
+		serverName = options.ServerName
+	} else if serverAddress != "" {
+		if _, err := netip.ParseAddr(serverName); err != nil {
+			serverName = serverAddress
+		}
+	}
+	if serverName == "" && !options.Insecure {
+		return nil, E.New("missing server_name or insecure=true")
+	}
+
+	var tlsConfig utls.Config
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
+		tlsConfig.ServerName = serverName
+	}
+	if options.Insecure {
+		tlsConfig.InsecureSkipVerify = options.Insecure
+	} else if options.DisableSNI {
+		return nil, E.New("disable_sni is unsupported in uTLS")
+	}
+	if len(options.ALPN) > 0 {
+		tlsConfig.NextProtos = options.ALPN
+	}
+	if options.MinVersion != "" {
+		minVersion, err := ParseTLSVersion(options.MinVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse min_version")
+		}
+		tlsConfig.MinVersion = minVersion
+	}
+	if options.MaxVersion != "" {
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse max_version")
+		}
+		tlsConfig.MaxVersion = maxVersion
+	}
+	if options.CipherSuites != nil {
+	find:
+		for _, cipherSuite := range options.CipherSuites {
+			for _, tlsCipherSuite := range tls.CipherSuites() {
+				if cipherSuite == tlsCipherSuite.Name {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
+					continue find
+				}
+			}
+			return nil, E.New("unknown cipher_suite: ", cipherSuite)
+		}
+	}
+	var certificate []byte
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
+	} else if options.CertificatePath != "" {
+		content, err := os.ReadFile(options.CertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read certificate")
+		}
+		certificate = content
+	}
+	if len(certificate) > 0 {
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certificate) {
+			return nil, E.New("failed to parse certificate:\n\n", certificate)
+		}
+		tlsConfig.RootCAs = certPool
+	}
+	var id utls.ClientHelloID
+	switch options.UTLS.Fingerprint {
+	case "chrome", "":
+		id = utls.HelloChrome_Auto
+	case "firefox":
+		id = utls.HelloFirefox_Auto
+	case "ios":
+		id = utls.HelloIOS_Auto
+	case "android":
+		id = utls.HelloAndroid_11_OkHttp
+	case "random":
+		id = utls.HelloRandomized
+	}
+	return &utlsClientConfig{&tlsConfig, id}, nil
+}
--- a/common/tls/utls_stub.go
+++ b/common/tls/utls_stub.go
@@ -0,0 +1,13 @@
+//go:build !with_utls
+
+package tls
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func newUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
+}