Merge pull request #135 from SenseUnit/tit_countermeasures

TiT countermeasures

Author: Snawoot

README.md

@@ -380,7 +380,9 @@ Supported proxy schemes are:
   * `curves` - colon-separated list of enabled TLS key exchange curves.
   * `min-tls-version` - minimum TLS version.
   * `max-tls-version` - maximum TLS version.
+  * `fetchrandom` - request server to send random data in the first request via every new HTTP/2 connection. Useful to trick TLS-in-TLS detection. Value format: length as a number or range `x-y`. Example: `fetchrandom=100000-500000`.
 * `h2c` - HTTP/2 proxy over plaintext connection with the CONNECT method support. Examples: `h2c://example.org:8080`.
+  * `fetchrandom` - request server to send random data in the first request via every new HTTP/2 connection. Useful to trick TLS-in-TLS detection. Value format: length as a number or range `x-y`. Example: `fetchrandom=100000-500000`.
 * `socks5`, `socks5h` - SOCKS5 proxy with hostname resolving via remote proxy. Example: `socks5://127.0.0.1:9050`.
 * `set-src-hints` - not an actual proxy, but a signal to use different source IP address hints for this connection. It's useful to route traffic across multiple network interfaces, including VPN connections. URL has to have one query parameter `hints` with a comma-separated list of IP addresses. See `-ip-hints` command line option for more details. Example: `set-src-hints://?hints=10.2.0.2`
 * `cached` - pseudo-dialer which caches construction of another dialer specified by URL passed in `url` parameter of query string. Useful for dialers which are constructed dynamically from JS router script and which load certificate files. Example: `cache://?url=https%3A%2F%2Fexample.org%3Fcert%3Dcert.pem%26key%3Dkey.pem&ttl=5m`. Query string parameters are:

dialer/dialer.go

@@ -2,9 +2,13 @@ package dialer
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"math/rand/v2"
 	"net"
 	"net/url"
+	"strconv"
+	"strings"
 
 	xproxy "golang.org/x/net/proxy"
 )
@@ -76,3 +80,51 @@ func MaybeWrapWithContextDialer(d LegacyDialer) Dialer {
 	}
 	return wrappedDialer{d}
 }
+
+func garbageLenFuncFromURL(u *url.URL, paramname string) (func() int, error) {
+	params, err := url.ParseQuery(u.RawQuery)
+	if err != nil {
+		return nil, fmt.Errorf("garbage len param parse failed: %w", err)
+	}
+	if !params.Has(paramname) {
+		return nil, nil
+	}
+	left, right, found := strings.Cut(params.Get(paramname), "-")
+	if found {
+		lo, err := strconv.Atoi(left)
+		if err != nil {
+			return nil, fmt.Errorf("can't convert lower boundary for garbage length %q to int: %w", left, err)
+		}
+		if lo < 0 {
+			return nil, errors.New("negative lower boundary for garbage length is not allowed")
+		}
+		hi, err := strconv.Atoi(right)
+		if err != nil {
+			return nil, fmt.Errorf("can't convert upper boundary for garbage length %q to int: %w", right, err)
+		}
+		if hi < 0 {
+			return nil, errors.New("negative upper boundary for garbage length is not allowed")
+		}
+		if hi < lo {
+			hi, lo = lo, hi
+		}
+		if hi == lo {
+			return func() int {
+				return lo
+			}, nil
+		}
+		return func() int {
+			return lo + rand.IntN(hi-lo)
+		}, nil
+	}
+	l, err := strconv.Atoi(left)
+	if err != nil {
+		return nil, fmt.Errorf("can't convert garbage length %q to int: %w", left, err)
+	}
+	if l < 0 {
+		return nil, errors.New("negative garbage length is not allowed")
+	}
+	return func() int {
+		return l
+	}, nil
+}

dialer/h2.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/url"
 	"slices"
+	"strconv"
 	"strings"
 	"time"
 
@@ -34,13 +35,15 @@ func H2ProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error)
 		tlsConfig *tls.Config
 		err       error
 		h2c       bool
+		scheme    string
 	)
 	switch strings.ToLower(u.Scheme) {
 	case "h2c":
 		if port == "" {
 			port = "80"
 		}
 		h2c = true
+		scheme = "http"
 	case "h2":
 		if port == "" {
 			port = "443"
@@ -52,15 +55,60 @@ func H2ProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error)
 		if err != nil {
 			return nil, fmt.Errorf("TLS configuration failed: %w", err)
 		}
+		scheme = "https"
 	default:
 		return nil, errors.New("unsupported proxy type")
 	}
 
 	address := net.JoinHostPort(host, port)
+	garbageLenFunc, err := garbageLenFuncFromURL(u, "fetchrandom")
+	if err != nil {
+		return nil, err
+	}
 	t := &http2.Transport{
 		AllowHTTP:       h2c,
 		TLSClientConfig: tlsConfig,
 	}
+	t.ConnPool = &clientConnPool{
+		t: t,
+		prepare: func(ctx context.Context, c *http2.ClientConn) (*http2.ClientConn, error) {
+			if garbageLenFunc == nil {
+				return c, nil
+			}
+			garbageLen := garbageLenFunc()
+			req := (&http.Request{
+				Method: "GETRANDOM",
+				URL: &url.URL{
+					Scheme: scheme,
+					Host:   u.Host,
+					Path:   "/" + strconv.Itoa(garbageLen),
+				},
+				Header: http.Header{
+					"User-Agent": []string{"dumbproxy"},
+				},
+				Host: u.Host,
+			}).WithContext(ctx)
+			if u.User != nil {
+				req.Header.Set("Proxy-Authorization", basicAuthHeader(u.User))
+			}
+			if !c.ReserveNewRequest() {
+				return nil, fmt.Errorf("unable to reserve garbage fetch request")
+			}
+			resp, err := c.RoundTrip(req)
+			if err != nil {
+				return nil, fmt.Errorf("garbage fetch request failed: %w", err)
+			}
+			defer resp.Body.Close()
+			n, err := io.Copy(io.Discard, io.LimitReader(resp.Body, int64(garbageLen)))
+			if err != nil {
+				return nil, fmt.Errorf("garbage body fetch failed: %w", err)
+			}
+			if n < int64(garbageLen) {
+				return nil, errors.New("incomplete garbage read")
+			}
+			return c, nil
+		},
+	}
 	nextDialer := MaybeWrapWithContextDialer(next)
 	if h2c {
 		t.DialTLSContext = func(ctx context.Context, network, _ string, _ *tls.Config) (net.Conn, error) {