mihomo/component/tls/reality.go

package tls

import (
	"bytes"
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/metacubex/mihomo/log"
	"github.com/metacubex/mihomo/ntp"

	"github.com/metacubex/randv2"
	utls "github.com/metacubex/utls"
	"golang.org/x/crypto/chacha20poly1305"
	"golang.org/x/crypto/hkdf"
	"golang.org/x/net/http2"
)

const RealityMaxShortIDLen = 8

type RealityConfig struct {
	PublicKey *ecdh.PublicKey
	ShortID   [RealityMaxShortIDLen]byte

	SupportX25519MLKEM768 bool
}

func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHelloID, tlsConfig *Config, realityConfig *RealityConfig) (net.Conn, error) {
	for retry := 0; ; retry++ {
		verifier := &realityVerifier{
			serverName: tlsConfig.ServerName,
		}
		uConfig := &utls.Config{
			ServerName:             tlsConfig.ServerName,
			InsecureSkipVerify:     true,
			SessionTicketsDisabled: true,
			VerifyPeerCertificate:  verifier.VerifyPeerCertificate,
		}

		if !realityConfig.SupportX25519MLKEM768 && fingerprint == HelloChrome_Auto {
			fingerprint = HelloChrome_120 // old reality server doesn't work with X25519MLKEM768
		}

		uConn := utls.UClient(conn, uConfig, fingerprint)
		verifier.UConn = uConn
		err := uConn.BuildHandshakeState()
		if err != nil {
			return nil, err
		}

		hello := uConn.HandshakeState.Hello
		rawSessionID := hello.Raw[39 : 39+32] // the location of session ID
		for i := range rawSessionID {         // https://github.com/golang/go/issues/5373
			rawSessionID[i] = 0
		}

		binary.BigEndian.PutUint64(hello.SessionId, uint64(ntp.Now().Unix()))

		copy(hello.SessionId[8:], realityConfig.ShortID[:])
		hello.SessionId[0] = 1
		hello.SessionId[1] = 8
		hello.SessionId[2] = 2

		//log.Debugln("REALITY hello.sessionId[:16]: %v", hello.SessionId[:16])

		keyShareKeys := uConn.HandshakeState.State13.KeyShareKeys
		if keyShareKeys == nil {
			// WTF???
			if retry > 2 {
				return nil, errors.New("nil keyShareKeys")
			}
			continue // retry
		}
		ecdheKey := keyShareKeys.Ecdhe
		if ecdheKey == nil {
			ecdheKey = keyShareKeys.MlkemEcdhe
		}
		if ecdheKey == nil {
			// WTF???
			if retry > 2 {
				return nil, errors.New("nil ecdheKey")
			}
			continue // retry
		}
		authKey, err := ecdheKey.ECDH(realityConfig.PublicKey)
		if err != nil {
			return nil, err
		}
		if authKey == nil {
			return nil, errors.New("nil auth_key")
		}
		verifier.authKey = authKey
		_, err = hkdf.New(sha256.New, authKey, hello.Random[:20], []byte("REALITY")).Read(authKey)
		if err != nil {
			return nil, err
		}
		var aeadCipher cipher.AEAD
		if utls.AesgcmPreferred(hello.CipherSuites) {
			aesBlock, _ := aes.NewCipher(authKey)
			aeadCipher, _ = cipher.NewGCM(aesBlock)
		} else {
			aeadCipher, _ = chacha20poly1305.New(authKey)
		}
		aeadCipher.Seal(hello.SessionId[:0], hello.Random[20:], hello.SessionId[:16], hello.Raw)
		copy(hello.Raw[39:], hello.SessionId)
		//log.Debugln("REALITY hello.sessionId: %v", hello.SessionId)
		//log.Debugln("REALITY uConn.AuthKey: %v", authKey)

		err = uConn.HandshakeContext(ctx)
		if err != nil {
			return nil, err
		}

		log.Debugln("REALITY Authentication: %v, AEAD: %T", verifier.verified, aeadCipher)

		if !verifier.verified {
			go realityClientFallback(uConn, uConfig.ServerName, fingerprint)
			return nil, errors.New("REALITY authentication failed")
		}

		return uConn, nil
	}
}

func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
	defer uConn.Close()
	client := http.Client{
		Transport: &http2.Transport{
			DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {
				return uConn, nil
			},
		},
	}
	request, err := http.NewRequest("GET", "https://"+serverName, nil)
	if err != nil {
		return
	}
	request.Header.Set("User-Agent", fingerprint.Client)
	request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", randv2.IntN(32)+30)})
	response, err := client.Do(request)
	if err != nil {
		return
	}
	//_, _ = io.Copy(io.Discard, response.Body)
	time.Sleep(time.Duration(5+randv2.IntN(10)) * time.Second)
	response.Body.Close()
	client.CloseIdleConnections()
}

type realityVerifier struct {
	*utls.UConn
	serverName string
	authKey    []byte
	verified   bool
}

//var pOffset = utils.MustOK(reflect.TypeOf((*utls.Conn)(nil)).Elem().FieldByName("peerCertificates")).Offset

func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	//log.Debugln("REALITY localAddr: %v\t is using X25519MLKEM768 for TLS' communication: %v", c.RemoteAddr(), c.HandshakeState.ServerHello.SelectedGroup == utls.X25519MLKEM768)
	//p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
	//certs := *(*[]*x509.Certificate)(unsafe.Add(unsafe.Pointer(c.Conn), pOffset))
	certs := c.Conn.PeerCertificates()
	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
		h := hmac.New(sha512.New, c.authKey)
		h.Write(pub)
		if bytes.Equal(h.Sum(nil), certs[0].Signature) {
			c.verified = true
			return nil
		}
	}
	opts := x509.VerifyOptions{
		DNSName:       c.serverName,
		Intermediates: x509.NewCertPool(),
	}
	for _, cert := range certs[1:] {
		opts.Intermediates.AddCert(cert)
	}
	if _, err := certs[0].Verify(opts); err != nil {
		return err
	}
	return nil
}
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`package tls`

			`import (`
			`"bytes"`
			`"context"`
			`"crypto/aes"`
			`"crypto/cipher"`
chore: update uTLS to 1.5.4 2023-12-09 12:28:19 +08:00			`"crypto/ecdh"`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`"crypto/ed25519"`
			`"crypto/hmac"`
			`"crypto/sha256"`
			`"crypto/sha512"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/binary"`
			`"errors"`
			`"net"`
			`"net/http"`
			`"strings"`
			`"time"`

chore: hello mihomo 2023-11-03 21:01:45 +08:00			`"github.com/metacubex/mihomo/log"`
			`"github.com/metacubex/mihomo/ntp"`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00
chore: replace zhangyunhao116/fastrand to our metacubex/randv2 2024-05-31 11:31:17 +08:00			`"github.com/metacubex/randv2"`
chore: stop using go:linkname for crypto/tls.aesgcmPreferred and update utls to 1.6.6 2024-05-19 11:31:37 +08:00			`utls "github.com/metacubex/utls"`
Add REALITY ChaCha20-Poly1305 auth mode support 2023-06-14 17:17:46 +08:00			`"golang.org/x/crypto/chacha20poly1305"`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`"golang.org/x/crypto/hkdf"`
			`"golang.org/x/net/http2"`
			`)`

chore: Cleanup REALITY code 2023-03-11 12:23:27 +08:00			`const RealityMaxShortIDLen = 8`

feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`type RealityConfig struct {`
chore: Remove the use of curve25519 package 2023-12-09 15:43:40 +08:00			`PublicKey *ecdh.PublicKey`
chore: Cleanup REALITY code 2023-03-11 12:23:27 +08:00			`ShortID [RealityMaxShortIDLen]byte`
feat: reality add `support-x25519mlkem768`, it only works with new version server 2025-05-15 10:14:18 +08:00
			`SupportX25519MLKEM768 bool`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`}`

feat: add `ech-opts` for anytls/shadowsocks/trojan/vmess/vless outbound 2025-05-17 13:53:21 +08:00			`func GetRealityConn(ctx context.Context, conn net.Conn, fingerprint UClientHelloID, tlsConfig Config, realityConfig RealityConfig) (net.Conn, error) {`
chore: cleanup tls clientFingerprint code 2025-04-29 21:15:48 +08:00			`for retry := 0; ; retry++ {`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`verifier := &realityVerifier{`
feat: REALITY use proxy servername 2023-03-08 20:28:12 +08:00			`serverName: tlsConfig.ServerName,`
			`}`
			`uConfig := &utls.Config{`
			`ServerName: tlsConfig.ServerName,`
			`InsecureSkipVerify: true,`
			`SessionTicketsDisabled: true,`
			`VerifyPeerCertificate: verifier.VerifyPeerCertificate,`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`}`
feat: reality add `support-x25519mlkem768`, it only works with new version server 2025-05-15 10:14:18 +08:00
chore: simplifying the old fingerprint processing method 2025-05-18 00:49:15 +08:00			`if !realityConfig.SupportX25519MLKEM768 && fingerprint == HelloChrome_Auto {`
			`fingerprint = HelloChrome_120 // old reality server doesn't work with X25519MLKEM768`
			`}`

feat: reality add `support-x25519mlkem768`, it only works with new version server 2025-05-15 10:14:18 +08:00			`uConn := utls.UClient(conn, uConfig, fingerprint)`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`verifier.UConn = uConn`
			`err := uConn.BuildHandshakeState()`
			`if err != nil {`
			`return nil, err`
			`}`

			`hello := uConn.HandshakeState.Hello`
Add REALITY ChaCha20-Poly1305 auth mode support 2023-06-14 17:17:46 +08:00			`rawSessionID := hello.Raw[39 : 39+32] // the location of session ID`
			`for i := range rawSessionID { // https://github.com/golang/go/issues/5373`
			`rawSessionID[i] = 0`
chore: Improve REALITY handshake 2023-03-15 15:55:18 +08:00			`}`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00
feat: ntp service 2023-09-01 03:11:35 +08:00			`binary.BigEndian.PutUint64(hello.SessionId, uint64(ntp.Now().Unix()))`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00
Add REALITY ChaCha20-Poly1305 auth mode support 2023-06-14 17:17:46 +08:00			`copy(hello.SessionId[8:], realityConfig.ShortID[:])`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`hello.SessionId[0] = 1`
chore: update xray-core version 2023-03-22 23:45:26 +08:00			`hello.SessionId[1] = 8`
Add REALITY ChaCha20-Poly1305 auth mode support 2023-06-14 17:17:46 +08:00			`hello.SessionId[2] = 2`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00
			`//log.Debugln("REALITY hello.sessionId[:16]: %v", hello.SessionId[:16])`

chore: update utls 2025-03-18 09:09:54 +08:00			`keyShareKeys := uConn.HandshakeState.State13.KeyShareKeys`
			`if keyShareKeys == nil {`
			`// WTF???`
			`if retry > 2 {`
			`return nil, errors.New("nil keyShareKeys")`
			`}`
			`continue // retry`
			`}`
			`ecdheKey := keyShareKeys.Ecdhe`
chore: update utls to 1.8.0 2025-07-22 15:00:25 +08:00			`if ecdheKey == nil {`
			`ecdheKey = keyShareKeys.MlkemEcdhe`
			`}`
chore: update uTLS to 1.5.4 2023-12-09 12:28:19 +08:00			`if ecdheKey == nil {`
fix: reality panic 2023-10-23 23:33:44 +08:00			`// WTF???`
			`if retry > 2 {`
chore: update uTLS to 1.5.4 2023-12-09 12:28:19 +08:00			`return nil, errors.New("nil ecdheKey")`
fix: reality panic 2023-10-23 23:33:44 +08:00			`}`
			`continue // retry`
			`}`
chore: Remove the use of curve25519 package 2023-12-09 15:43:40 +08:00			`authKey, err := ecdheKey.ECDH(realityConfig.PublicKey)`
chore: update uTLS to 1.5.4 2023-12-09 12:28:19 +08:00			`if err != nil {`
			`return nil, err`
			`}`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`if authKey == nil {`
			`return nil, errors.New("nil auth_key")`
			`}`
			`verifier.authKey = authKey`
			`_, err = hkdf.New(sha256.New, authKey, hello.Random[:20], []byte("REALITY")).Read(authKey)`
			`if err != nil {`
			`return nil, err`
			`}`
Add REALITY ChaCha20-Poly1305 auth mode support 2023-06-14 17:17:46 +08:00			`var aeadCipher cipher.AEAD`
chore: stop using go:linkname for crypto/tls.aesgcmPreferred and update utls to 1.6.6 2024-05-19 11:31:37 +08:00			`if utls.AesgcmPreferred(hello.CipherSuites) {`
Add REALITY ChaCha20-Poly1305 auth mode support 2023-06-14 17:17:46 +08:00			`aesBlock, _ := aes.NewCipher(authKey)`
			`aeadCipher, _ = cipher.NewGCM(aesBlock)`
			`} else {`
			`aeadCipher, _ = chacha20poly1305.New(authKey)`
			`}`
			`aeadCipher.Seal(hello.SessionId[:0], hello.Random[20:], hello.SessionId[:16], hello.Raw)`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`copy(hello.Raw[39:], hello.SessionId)`
			`//log.Debugln("REALITY hello.sessionId: %v", hello.SessionId)`
			`//log.Debugln("REALITY uConn.AuthKey: %v", authKey)`

			`err = uConn.HandshakeContext(ctx)`
			`if err != nil {`
			`return nil, err`
			`}`

Add REALITY ChaCha20-Poly1305 auth mode support 2023-06-14 17:17:46 +08:00			`log.Debugln("REALITY Authentication: %v, AEAD: %T", verifier.verified, aeadCipher)`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00
			`if !verifier.verified {`
feat: reality add `support-x25519mlkem768`, it only works with new version server 2025-05-15 10:14:18 +08:00			`go realityClientFallback(uConn, uConfig.ServerName, fingerprint)`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`return nil, errors.New("REALITY authentication failed")`
			`}`

			`return uConn, nil`
			`}`
			`}`

			`func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {`
			`defer uConn.Close()`
chore: Cleanup REALITY code 2023-03-11 12:23:27 +08:00			`client := http.Client{`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`Transport: &http2.Transport{`
			`DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {`
			`return uConn, nil`
			`},`
			`},`
			`}`
fix: don't ignore http.NewRequest's error 2024-05-15 13:53:18 +08:00			`request, err := http.NewRequest("GET", "https://"+serverName, nil)`
			`if err != nil {`
			`return`
			`}`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`request.Header.Set("User-Agent", fingerprint.Client)`
chore: replace zhangyunhao116/fastrand to our metacubex/randv2 2024-05-31 11:31:17 +08:00			`request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", randv2.IntN(32)+30)})`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`response, err := client.Do(request)`
			`if err != nil {`
			`return`
			`}`
			`//_, _ = io.Copy(io.Discard, response.Body)`
chore: replace zhangyunhao116/fastrand to our metacubex/randv2 2024-05-31 11:31:17 +08:00			`time.Sleep(time.Duration(5+randv2.IntN(10)) * time.Second)`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`response.Body.Close()`
			`client.CloseIdleConnections()`
			`}`

			`type realityVerifier struct {`
			`*utls.UConn`
			`serverName string`
			`authKey []byte`
			`verified bool`
			`}`

chore: stop using go:linkname for crypto/tls.aesgcmPreferred and update utls to 1.6.6 2024-05-19 11:31:37 +08:00			`//var pOffset = utils.MustOK(reflect.TypeOf((*utls.Conn)(nil)).Elem().FieldByName("peerCertificates")).Offset`
chore: Cleanup REALITY code 2023-03-11 12:23:27 +08:00
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`func (c realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]x509.Certificate) error {`
chore: update utls to 1.8.0 2025-07-22 15:00:25 +08:00			`//log.Debugln("REALITY localAddr: %v\t is using X25519MLKEM768 for TLS' communication: %v", c.RemoteAddr(), c.HandshakeState.ServerHello.SelectedGroup == utls.X25519MLKEM768)`
chore: Cleanup REALITY code 2023-03-11 12:23:27 +08:00			`//p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")`
chore: stop using go:linkname for crypto/tls.aesgcmPreferred and update utls to 1.6.6 2024-05-19 11:31:37 +08:00			`//certs := ([]*x509.Certificate)(unsafe.Add(unsafe.Pointer(c.Conn), pOffset))`
			`certs := c.Conn.PeerCertificates()`
feat: Support REALITY protocol 2023-03-08 17:18:46 +08:00			`if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {`
			`h := hmac.New(sha512.New, c.authKey)`
			`h.Write(pub)`
			`if bytes.Equal(h.Sum(nil), certs[0].Signature) {`
			`c.verified = true`
			`return nil`
			`}`
			`}`
			`opts := x509.VerifyOptions{`
			`DNSName: c.serverName,`
			`Intermediates: x509.NewCertPool(),`
			`}`
			`for _, cert := range certs[1:] {`
			`opts.Intermediates.AddCert(cert)`
			`}`
			`if _, err := certs[0].Verify(opts); err != nil {`
			`return err`
			`}`
			`return nil`
			`}`