netxlite: utls for TLS parroting

This is the ground work for https://github.com/ooni/probe/issues/1424.
2021-07-02 12:28:12 +02:00 · 2021-07-02 12:28:12 +02:00 · 285290a98d
commit 285290a98d
parent 17bfb052c5
3 changed files with 56 additions and 0 deletions
--- a/go.mod
+++ b/go.mod
@ -39,6 +39,7 @@ require (
 	github.com/sirupsen/logrus v1.7.0 // indirect
 	github.com/ziutek/mymysql v1.5.4 // indirect
 	gitlab.com/yawning/obfs4.git v0.0.0-20210511220700-e330d1b7024b
+	gitlab.com/yawning/utls.git v0.0.12-1
 	golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf // indirect
 	golang.org/x/net v0.0.0-20210510120150-4163338589ed
 	golang.org/x/sys v0.0.0-20210511113859-b0526f3d8744
--- a/internal/netxlite/tlshandshaker.go
+++ b/internal/netxlite/tlshandshaker.go
@ -5,6 +5,8 @@ import (
 	"crypto/tls"
 	"net"
 	"time"
+
+	utls "gitlab.com/yawning/utls.git"
 )

 // TLSHandshaker is the generic TLS handshaker.
@ -105,4 +107,41 @@ func (h *TLSHandshakerLogger) Handshake(
 	return tlsconn, state, nil
 }

+// UTLSConn implements TLSConn and uses a utls UConn as its underlying connection
+type UTLSConn struct {
+	*utls.UConn
+}
+
+// NewConnUTLS creates a NewConn function creating a utls connection with a specified ClientHelloID
+func NewConnUTLS(clientHello *utls.ClientHelloID) func(conn net.Conn, config *tls.Config) TLSConn {
+	return func(conn net.Conn, config *tls.Config) TLSConn {
+		uConfig := &utls.Config{
+			RootCAs:                     config.RootCAs,
+			NextProtos:                  config.NextProtos,
+			ServerName:                  config.ServerName,
+			InsecureSkipVerify:          config.InsecureSkipVerify,
+			DynamicRecordSizingDisabled: config.DynamicRecordSizingDisabled,
+		}
+		tlsConn := utls.UClient(conn, uConfig, *clientHello)
+		return &UTLSConn{tlsConn}
+	}
+}
+
+func (c *UTLSConn) ConnectionState() tls.ConnectionState {
+	uState := c.Conn.ConnectionState()
+	return tls.ConnectionState{
+		Version:                     uState.Version,
+		HandshakeComplete:           uState.HandshakeComplete,
+		DidResume:                   uState.DidResume,
+		CipherSuite:                 uState.CipherSuite,
+		NegotiatedProtocol:          uState.NegotiatedProtocol,
+		ServerName:                  uState.ServerName,
+		PeerCertificates:            uState.PeerCertificates,
+		VerifiedChains:              uState.VerifiedChains,
+		SignedCertificateTimestamps: uState.SignedCertificateTimestamps,
+		OCSPResponse:                uState.OCSPResponse,
+		TLSUnique:                   uState.TLSUnique,
+	}
+}
+
 var _ TLSHandshaker = &TLSHandshakerLogger{}
--- a/internal/netxlite/tlshandshaker_test.go
+++ b/internal/netxlite/tlshandshaker_test.go
@ -15,6 +15,7 @@ import (

 	"github.com/apex/log"
 	"github.com/ooni/probe-cli/v3/internal/netxmocks"
+	utls "gitlab.com/yawning/utls.git"
 )

 func TestTLSHandshakerConfigurableWithError(t *testing.T) {
@ -177,3 +178,18 @@ func TestTLSHandshakerLoggerFailure(t *testing.T) {
 		t.Fatal("expected zero ConnectionState here")
 	}
 }
+
+func TestUTLSHandshakerChrome(t *testing.T) {
+	h := &TLSHandshakerConfigurable{
+		NewConn: NewConnUTLS(&utls.HelloChrome_Auto),
+	}
+	cfg := &tls.Config{ServerName: "google.com"}
+	conn, err := net.Dial("tcp", "google.com:443")
+	conn, _, err = h.Handshake(context.Background(), conn, cfg)
+	if err != nil {
+		t.Fatal("unexpected error", err)
+	}
+	if conn == nil {
+		t.Fatal("nil connection")
+	}
+}