// Copyright 2017 Google Inc. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package tls

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/rand"
	"sort"
	"strconv"
)

// UTLSIdToSpec converts a ClientHelloID to a corresponding ClientHelloSpec.
//
// It is the exported wrapper around the internal utlsIdToSpec, added per
// request: id is passed through unchanged, and the spec and error are
// returned exactly as utlsIdToSpec produced them.
func UTLSIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
	return utlsIdToSpec(id)
}

// utlsIdToSpec maps id to its ClientHelloSpec via a switch over
// ClientHelloID values.
//
// NOTE(review): the first case sets TLSVersMin to VersionTLS10 and lists a
// 3DES suite and PKCS1WithSHA1; presumably these mirror the handshake of the
// client named by the ID rather than a recommended configuration. Confirm
// before reusing any of these lists as a policy baseline.
func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
	switch id {
	case HelloChrome_58, HelloChrome_62:
		return ClientHelloSpec{
			TLSVersMax: VersionTLS12,
			TLSVersMin: VersionTLS10,
			CipherSuites: []uint16{
				GREASE_PLACEHOLDER,
				TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
				TLS_RSA_WITH_AES_128_GCM_SHA256,
				TLS_RSA_WITH_AES_256_GCM_SHA384,
				TLS_RSA_WITH_AES_128_CBC_SHA,
				TLS_RSA_WITH_AES_256_CBC_SHA,
				TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			},
			CompressionMethods: []byte{compressionNone},
			Extensions: []TLSExtension{
				&UtlsGREASEExtension{},
				&RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
				&SNIExtension{},
				&UtlsExtendedMasterSecretExtension{},
				&SessionTicketExtension{},
				&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
					ECDSAWithP256AndSHA256,
					PSSWithSHA256,
					PKCS1WithSHA256,
					ECDSAWithP384AndSHA384,
					PSSWithSHA384,
					PKCS1WithSHA384,
					PSSWithSHA512,
					PKCS1WithSHA512,
					PKCS1WithSHA1},
				},
				&StatusRequestExtension{},
				&SCTExtension{},
				&ALPNExtension{AlpnProtocols:
[]string{"h2", "http/1.1"}}, 68 &FakeChannelIDExtension{}, 69 &SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}, 70 &SupportedCurvesExtension{[]CurveID{CurveID(GREASE_PLACEHOLDER), 71 X25519, CurveP256, CurveP384}}, 72 &UtlsGREASEExtension{}, 73 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 74 }, 75 GetSessionID: sha256.Sum256, 76 }, nil 77 case HelloChrome_70: 78 return ClientHelloSpec{ 79 TLSVersMin: VersionTLS10, 80 TLSVersMax: VersionTLS13, 81 CipherSuites: []uint16{ 82 GREASE_PLACEHOLDER, 83 TLS_AES_128_GCM_SHA256, 84 TLS_AES_256_GCM_SHA384, 85 TLS_CHACHA20_POLY1305_SHA256, 86 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 87 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 88 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 89 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 90 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 91 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 92 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 93 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 94 TLS_RSA_WITH_AES_128_GCM_SHA256, 95 TLS_RSA_WITH_AES_256_GCM_SHA384, 96 TLS_RSA_WITH_AES_128_CBC_SHA, 97 TLS_RSA_WITH_AES_256_CBC_SHA, 98 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 99 }, 100 CompressionMethods: []byte{ 101 compressionNone, 102 }, 103 Extensions: []TLSExtension{ 104 &UtlsGREASEExtension{}, 105 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 106 &SNIExtension{}, 107 &UtlsExtendedMasterSecretExtension{}, 108 &SessionTicketExtension{}, 109 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 110 ECDSAWithP256AndSHA256, 111 PSSWithSHA256, 112 PKCS1WithSHA256, 113 ECDSAWithP384AndSHA384, 114 PSSWithSHA384, 115 PKCS1WithSHA384, 116 PSSWithSHA512, 117 PKCS1WithSHA512, 118 PKCS1WithSHA1, 119 }}, 120 &StatusRequestExtension{}, 121 &SCTExtension{}, 122 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 123 &FakeChannelIDExtension{}, 124 &SupportedPointsExtension{SupportedPoints: []byte{ 125 pointFormatUncompressed, 126 }}, 127 &KeyShareExtension{[]KeyShare{ 128 {Group: 
CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 129 {Group: X25519}, 130 }}, 131 &PSKKeyExchangeModesExtension{[]uint8{pskModeDHE}}, 132 &SupportedVersionsExtension{[]uint16{ 133 GREASE_PLACEHOLDER, 134 VersionTLS13, 135 VersionTLS12, 136 VersionTLS11, 137 VersionTLS10}}, 138 &SupportedCurvesExtension{[]CurveID{ 139 CurveID(GREASE_PLACEHOLDER), 140 X25519, 141 CurveP256, 142 CurveP384, 143 }}, 144 &UtlsCompressCertExtension{[]CertCompressionAlgo{CertCompressionBrotli}}, 145 &UtlsGREASEExtension{}, 146 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 147 }, 148 }, nil 149 case HelloChrome_72: 150 return ClientHelloSpec{ 151 CipherSuites: []uint16{ 152 GREASE_PLACEHOLDER, 153 TLS_AES_128_GCM_SHA256, 154 TLS_AES_256_GCM_SHA384, 155 TLS_CHACHA20_POLY1305_SHA256, 156 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 157 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 158 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 159 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 160 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 161 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 162 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 163 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 164 TLS_RSA_WITH_AES_128_GCM_SHA256, 165 TLS_RSA_WITH_AES_256_GCM_SHA384, 166 TLS_RSA_WITH_AES_128_CBC_SHA, 167 TLS_RSA_WITH_AES_256_CBC_SHA, 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 169 }, 170 CompressionMethods: []byte{ 171 0x00, // compressionNone 172 }, 173 Extensions: []TLSExtension{ 174 &UtlsGREASEExtension{}, 175 &SNIExtension{}, 176 &UtlsExtendedMasterSecretExtension{}, 177 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 178 &SupportedCurvesExtension{[]CurveID{ 179 CurveID(GREASE_PLACEHOLDER), 180 X25519, 181 CurveP256, 182 CurveP384, 183 }}, 184 &SupportedPointsExtension{SupportedPoints: []byte{ 185 0x00, // pointFormatUncompressed 186 }}, 187 &SessionTicketExtension{}, 188 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 189 &StatusRequestExtension{}, 190 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 
191 ECDSAWithP256AndSHA256, 192 PSSWithSHA256, 193 PKCS1WithSHA256, 194 ECDSAWithP384AndSHA384, 195 PSSWithSHA384, 196 PKCS1WithSHA384, 197 PSSWithSHA512, 198 PKCS1WithSHA512, 199 PKCS1WithSHA1, 200 }}, 201 &SCTExtension{}, 202 &KeyShareExtension{[]KeyShare{ 203 {Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 204 {Group: X25519}, 205 }}, 206 &PSKKeyExchangeModesExtension{[]uint8{ 207 PskModeDHE, 208 }}, 209 &SupportedVersionsExtension{[]uint16{ 210 GREASE_PLACEHOLDER, 211 VersionTLS13, 212 VersionTLS12, 213 VersionTLS11, 214 VersionTLS10, 215 }}, 216 &UtlsCompressCertExtension{[]CertCompressionAlgo{ 217 CertCompressionBrotli, 218 }}, 219 &UtlsGREASEExtension{}, 220 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 221 }, 222 }, nil 223 case HelloChrome_83: 224 return ClientHelloSpec{ 225 CipherSuites: []uint16{ 226 GREASE_PLACEHOLDER, 227 TLS_AES_128_GCM_SHA256, 228 TLS_AES_256_GCM_SHA384, 229 TLS_CHACHA20_POLY1305_SHA256, 230 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 231 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 232 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 233 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 234 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 235 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 236 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 237 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 238 TLS_RSA_WITH_AES_128_GCM_SHA256, 239 TLS_RSA_WITH_AES_256_GCM_SHA384, 240 TLS_RSA_WITH_AES_128_CBC_SHA, 241 TLS_RSA_WITH_AES_256_CBC_SHA, 242 }, 243 CompressionMethods: []byte{ 244 0x00, // compressionNone 245 }, 246 Extensions: []TLSExtension{ 247 &UtlsGREASEExtension{}, 248 &SNIExtension{}, 249 &UtlsExtendedMasterSecretExtension{}, 250 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 251 &SupportedCurvesExtension{[]CurveID{ 252 CurveID(GREASE_PLACEHOLDER), 253 X25519, 254 CurveP256, 255 CurveP384, 256 }}, 257 &SupportedPointsExtension{SupportedPoints: []byte{ 258 0x00, // pointFormatUncompressed 259 }}, 260 &SessionTicketExtension{}, 261 &ALPNExtension{AlpnProtocols: 
[]string{"h2", "http/1.1"}}, 262 &StatusRequestExtension{}, 263 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 264 ECDSAWithP256AndSHA256, 265 PSSWithSHA256, 266 PKCS1WithSHA256, 267 ECDSAWithP384AndSHA384, 268 PSSWithSHA384, 269 PKCS1WithSHA384, 270 PSSWithSHA512, 271 PKCS1WithSHA512, 272 }}, 273 &SCTExtension{}, 274 &KeyShareExtension{[]KeyShare{ 275 {Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 276 {Group: X25519}, 277 }}, 278 &PSKKeyExchangeModesExtension{[]uint8{ 279 PskModeDHE, 280 }}, 281 &SupportedVersionsExtension{[]uint16{ 282 GREASE_PLACEHOLDER, 283 VersionTLS13, 284 VersionTLS12, 285 VersionTLS11, 286 VersionTLS10, 287 }}, 288 &UtlsCompressCertExtension{[]CertCompressionAlgo{ 289 CertCompressionBrotli, 290 }}, 291 &UtlsGREASEExtension{}, 292 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 293 }, 294 }, nil 295 case HelloChrome_87: 296 return ClientHelloSpec{ 297 CipherSuites: []uint16{ 298 GREASE_PLACEHOLDER, 299 TLS_AES_128_GCM_SHA256, 300 TLS_AES_256_GCM_SHA384, 301 TLS_CHACHA20_POLY1305_SHA256, 302 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 303 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 304 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 305 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 306 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 307 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 308 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 309 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 310 TLS_RSA_WITH_AES_128_GCM_SHA256, 311 TLS_RSA_WITH_AES_256_GCM_SHA384, 312 TLS_RSA_WITH_AES_128_CBC_SHA, 313 TLS_RSA_WITH_AES_256_CBC_SHA, 314 }, 315 CompressionMethods: []byte{ 316 0x00, // compressionNone 317 }, 318 Extensions: []TLSExtension{ 319 &UtlsGREASEExtension{}, 320 &SNIExtension{}, 321 &UtlsExtendedMasterSecretExtension{}, 322 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 323 &SupportedCurvesExtension{[]CurveID{ 324 CurveID(GREASE_PLACEHOLDER), 325 X25519, 326 CurveP256, 327 CurveP384, 328 }}, 329 
&SupportedPointsExtension{SupportedPoints: []byte{ 330 0x00, // pointFormatUncompressed 331 }}, 332 &SessionTicketExtension{}, 333 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 334 &StatusRequestExtension{}, 335 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 336 ECDSAWithP256AndSHA256, 337 PSSWithSHA256, 338 PKCS1WithSHA256, 339 ECDSAWithP384AndSHA384, 340 PSSWithSHA384, 341 PKCS1WithSHA384, 342 PSSWithSHA512, 343 PKCS1WithSHA512, 344 }}, 345 &SCTExtension{}, 346 &KeyShareExtension{[]KeyShare{ 347 {Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 348 {Group: X25519}, 349 }}, 350 &PSKKeyExchangeModesExtension{[]uint8{ 351 PskModeDHE, 352 }}, 353 &SupportedVersionsExtension{[]uint16{ 354 GREASE_PLACEHOLDER, 355 VersionTLS13, 356 VersionTLS12, 357 VersionTLS11, 358 VersionTLS10, 359 }}, 360 &UtlsCompressCertExtension{[]CertCompressionAlgo{ 361 CertCompressionBrotli, 362 }}, 363 &UtlsGREASEExtension{}, 364 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 365 }, 366 }, nil 367 case HelloChrome_96: 368 return ClientHelloSpec{ 369 CipherSuites: []uint16{ 370 GREASE_PLACEHOLDER, 371 TLS_AES_128_GCM_SHA256, 372 TLS_AES_256_GCM_SHA384, 373 TLS_CHACHA20_POLY1305_SHA256, 374 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 375 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 376 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 377 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 378 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 379 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 380 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 381 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 382 TLS_RSA_WITH_AES_128_GCM_SHA256, 383 TLS_RSA_WITH_AES_256_GCM_SHA384, 384 TLS_RSA_WITH_AES_128_CBC_SHA, 385 TLS_RSA_WITH_AES_256_CBC_SHA, 386 }, 387 CompressionMethods: []byte{ 388 0x00, // compressionNone 389 }, 390 Extensions: []TLSExtension{ 391 &UtlsGREASEExtension{}, 392 &SNIExtension{}, 393 &UtlsExtendedMasterSecretExtension{}, 394 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 395 
&SupportedCurvesExtension{[]CurveID{ 396 CurveID(GREASE_PLACEHOLDER), 397 X25519, 398 CurveP256, 399 CurveP384, 400 }}, 401 &SupportedPointsExtension{SupportedPoints: []byte{ 402 0x00, // pointFormatUncompressed 403 }}, 404 &SessionTicketExtension{}, 405 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 406 &StatusRequestExtension{}, 407 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 408 ECDSAWithP256AndSHA256, 409 PSSWithSHA256, 410 PKCS1WithSHA256, 411 ECDSAWithP384AndSHA384, 412 PSSWithSHA384, 413 PKCS1WithSHA384, 414 PSSWithSHA512, 415 PKCS1WithSHA512, 416 }}, 417 &SCTExtension{}, 418 &KeyShareExtension{[]KeyShare{ 419 {Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 420 {Group: X25519}, 421 }}, 422 &PSKKeyExchangeModesExtension{[]uint8{ 423 PskModeDHE, 424 }}, 425 &SupportedVersionsExtension{[]uint16{ 426 GREASE_PLACEHOLDER, 427 VersionTLS13, 428 VersionTLS12, 429 VersionTLS11, 430 VersionTLS10, 431 }}, 432 &UtlsCompressCertExtension{[]CertCompressionAlgo{ 433 CertCompressionBrotli, 434 }}, 435 &ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}}, 436 &UtlsGREASEExtension{}, 437 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 438 }, 439 }, nil 440 case HelloChrome_100, HelloChrome_102: 441 return ClientHelloSpec{ 442 CipherSuites: []uint16{ 443 GREASE_PLACEHOLDER, 444 TLS_AES_128_GCM_SHA256, 445 TLS_AES_256_GCM_SHA384, 446 TLS_CHACHA20_POLY1305_SHA256, 447 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 448 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 449 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 450 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 451 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 452 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 453 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 454 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 455 TLS_RSA_WITH_AES_128_GCM_SHA256, 456 TLS_RSA_WITH_AES_256_GCM_SHA384, 457 TLS_RSA_WITH_AES_128_CBC_SHA, 458 TLS_RSA_WITH_AES_256_CBC_SHA, 459 }, 460 CompressionMethods: []byte{ 461 0x00, // 
compressionNone 462 }, 463 Extensions: []TLSExtension{ 464 &UtlsGREASEExtension{}, 465 &SNIExtension{}, 466 &UtlsExtendedMasterSecretExtension{}, 467 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 468 &SupportedCurvesExtension{[]CurveID{ 469 GREASE_PLACEHOLDER, 470 X25519, 471 CurveP256, 472 CurveP384, 473 }}, 474 &SupportedPointsExtension{SupportedPoints: []byte{ 475 0x00, // pointFormatUncompressed 476 }}, 477 &SessionTicketExtension{}, 478 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 479 &StatusRequestExtension{}, 480 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 481 ECDSAWithP256AndSHA256, 482 PSSWithSHA256, 483 PKCS1WithSHA256, 484 ECDSAWithP384AndSHA384, 485 PSSWithSHA384, 486 PKCS1WithSHA384, 487 PSSWithSHA512, 488 PKCS1WithSHA512, 489 }}, 490 &SCTExtension{}, 491 &KeyShareExtension{[]KeyShare{ 492 {Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 493 {Group: X25519}, 494 }}, 495 &PSKKeyExchangeModesExtension{[]uint8{ 496 PskModeDHE, 497 }}, 498 &SupportedVersionsExtension{[]uint16{ 499 GREASE_PLACEHOLDER, 500 VersionTLS13, 501 VersionTLS12, 502 }}, 503 &UtlsCompressCertExtension{[]CertCompressionAlgo{ 504 CertCompressionBrotli, 505 }}, 506 &ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}}, 507 &UtlsGREASEExtension{}, 508 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 509 }, 510 }, nil 511 case HelloChrome_100_PSK: 512 return ClientHelloSpec{ 513 CipherSuites: []uint16{ 514 GREASE_PLACEHOLDER, 515 TLS_AES_128_GCM_SHA256, 516 TLS_AES_256_GCM_SHA384, 517 TLS_CHACHA20_POLY1305_SHA256, 518 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 519 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 520 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 521 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 522 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 523 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 524 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 525 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 526 TLS_RSA_WITH_AES_128_GCM_SHA256, 527 
TLS_RSA_WITH_AES_256_GCM_SHA384, 528 TLS_RSA_WITH_AES_128_CBC_SHA, 529 TLS_RSA_WITH_AES_256_CBC_SHA, 530 }, 531 CompressionMethods: []byte{ 532 0x00, // compressionNone 533 }, 534 Extensions: []TLSExtension{ 535 &UtlsGREASEExtension{}, 536 &SNIExtension{}, 537 &UtlsExtendedMasterSecretExtension{}, 538 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 539 &SupportedCurvesExtension{[]CurveID{ 540 GREASE_PLACEHOLDER, 541 X25519, 542 CurveP256, 543 CurveP384, 544 }}, 545 &SupportedPointsExtension{SupportedPoints: []byte{ 546 0x00, // pointFormatUncompressed 547 }}, 548 &SessionTicketExtension{}, 549 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 550 &StatusRequestExtension{}, 551 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 552 ECDSAWithP256AndSHA256, 553 PSSWithSHA256, 554 PKCS1WithSHA256, 555 ECDSAWithP384AndSHA384, 556 PSSWithSHA384, 557 PKCS1WithSHA384, 558 PSSWithSHA512, 559 PKCS1WithSHA512, 560 }}, 561 &SCTExtension{}, 562 &KeyShareExtension{[]KeyShare{ 563 {Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 564 {Group: X25519}, 565 }}, 566 &PSKKeyExchangeModesExtension{[]uint8{ 567 PskModeDHE, 568 }}, 569 &SupportedVersionsExtension{[]uint16{ 570 GREASE_PLACEHOLDER, 571 VersionTLS13, 572 VersionTLS12, 573 }}, 574 &UtlsCompressCertExtension{[]CertCompressionAlgo{ 575 CertCompressionBrotli, 576 }}, 577 &ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}}, 578 &UtlsGREASEExtension{}, 579 &FakePreSharedKeyExtension{}, 580 }, 581 }, nil 582 case HelloChrome_106_Shuffle: 583 chs, err := utlsIdToSpec(HelloChrome_102) 584 if err != nil { 585 return chs, err 586 } 587 588 // Chrome 107 started shuffling the order of extensions 589 shuffleExtensions(&chs) 590 return chs, err 591 case HelloChrome_112_PSK_Shuf: 592 chs, err := utlsIdToSpec(HelloChrome_100_PSK) 593 if err != nil { 594 return chs, err 595 } 596 597 // Chrome 112 started shuffling the order of extensions 598 
shuffleExtensions(&chs) 599 return chs, err 600 case HelloFirefox_55, HelloFirefox_56: 601 return ClientHelloSpec{ 602 TLSVersMax: VersionTLS12, 603 TLSVersMin: VersionTLS10, 604 CipherSuites: []uint16{ 605 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 606 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 607 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 608 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 609 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 610 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 611 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 612 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 613 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 614 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 615 FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 616 FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 617 TLS_RSA_WITH_AES_128_CBC_SHA, 618 TLS_RSA_WITH_AES_256_CBC_SHA, 619 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 620 }, 621 CompressionMethods: []byte{compressionNone}, 622 Extensions: []TLSExtension{ 623 &SNIExtension{}, 624 &UtlsExtendedMasterSecretExtension{}, 625 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 626 &SupportedCurvesExtension{[]CurveID{X25519, CurveP256, CurveP384, CurveP521}}, 627 &SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}, 628 &SessionTicketExtension{}, 629 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 630 &StatusRequestExtension{}, 631 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 632 ECDSAWithP256AndSHA256, 633 ECDSAWithP384AndSHA384, 634 ECDSAWithP521AndSHA512, 635 PSSWithSHA256, 636 PSSWithSHA384, 637 PSSWithSHA512, 638 PKCS1WithSHA256, 639 PKCS1WithSHA384, 640 PKCS1WithSHA512, 641 ECDSAWithSHA1, 642 PKCS1WithSHA1}, 643 }, 644 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 645 }, 646 GetSessionID: nil, 647 }, nil 648 case HelloFirefox_63, HelloFirefox_65: 649 return ClientHelloSpec{ 650 TLSVersMin: VersionTLS10, 651 TLSVersMax: VersionTLS13, 652 CipherSuites: []uint16{ 653 TLS_AES_128_GCM_SHA256, 654 TLS_CHACHA20_POLY1305_SHA256, 655 
TLS_AES_256_GCM_SHA384, 656 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 657 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 658 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 659 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 660 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 661 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 662 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 663 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 664 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 665 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 666 FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 667 FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 668 TLS_RSA_WITH_AES_128_CBC_SHA, 669 TLS_RSA_WITH_AES_256_CBC_SHA, 670 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 671 }, 672 CompressionMethods: []byte{ 673 compressionNone, 674 }, 675 Extensions: []TLSExtension{ 676 &SNIExtension{}, 677 &UtlsExtendedMasterSecretExtension{}, 678 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 679 &SupportedCurvesExtension{[]CurveID{ 680 X25519, 681 CurveP256, 682 CurveP384, 683 CurveP521, 684 CurveID(FakeFFDHE2048), 685 CurveID(FakeFFDHE3072), 686 }}, 687 &SupportedPointsExtension{SupportedPoints: []byte{ 688 pointFormatUncompressed, 689 }}, 690 &SessionTicketExtension{}, 691 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 692 &StatusRequestExtension{}, 693 &KeyShareExtension{[]KeyShare{ 694 {Group: X25519}, 695 {Group: CurveP256}, 696 }}, 697 &SupportedVersionsExtension{[]uint16{ 698 VersionTLS13, 699 VersionTLS12, 700 VersionTLS11, 701 VersionTLS10}}, 702 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 703 ECDSAWithP256AndSHA256, 704 ECDSAWithP384AndSHA384, 705 ECDSAWithP521AndSHA512, 706 PSSWithSHA256, 707 PSSWithSHA384, 708 PSSWithSHA512, 709 PKCS1WithSHA256, 710 PKCS1WithSHA384, 711 PKCS1WithSHA512, 712 ECDSAWithSHA1, 713 PKCS1WithSHA1, 714 }}, 715 &PSKKeyExchangeModesExtension{[]uint8{pskModeDHE}}, 716 &FakeRecordSizeLimitExtension{0x4001}, 717 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 718 }}, nil 719 case HelloFirefox_99: 720 return 
ClientHelloSpec{ 721 TLSVersMin: VersionTLS10, 722 TLSVersMax: VersionTLS13, 723 CipherSuites: []uint16{ 724 TLS_AES_128_GCM_SHA256, 725 TLS_CHACHA20_POLY1305_SHA256, 726 TLS_AES_256_GCM_SHA384, 727 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 728 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 729 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 730 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 731 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 732 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 733 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 734 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 735 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 736 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 737 TLS_RSA_WITH_AES_128_GCM_SHA256, 738 TLS_RSA_WITH_AES_256_GCM_SHA384, 739 TLS_RSA_WITH_AES_128_CBC_SHA, 740 TLS_RSA_WITH_AES_256_CBC_SHA, 741 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 742 }, 743 CompressionMethods: []byte{ 744 compressionNone, 745 }, 746 Extensions: []TLSExtension{ 747 &SNIExtension{}, //server_name 748 &UtlsExtendedMasterSecretExtension{}, //extended_master_secret 749 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, //extensionRenegotiationInfo 750 &SupportedCurvesExtension{[]CurveID{ //supported_groups 751 X25519, 752 CurveP256, 753 CurveP384, 754 CurveP521, 755 CurveID(FakeFFDHE2048), 756 CurveID(FakeFFDHE3072), 757 }}, 758 &SupportedPointsExtension{SupportedPoints: []byte{ //ec_point_formats 759 pointFormatUncompressed, 760 }}, 761 &SessionTicketExtension{}, 762 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, //application_layer_protocol_negotiation 763 &StatusRequestExtension{}, 764 &FakeDelegatedCredentialsExtension{ 765 SupportedSignatureAlgorithms: []SignatureScheme{ //signature_algorithms 766 ECDSAWithP256AndSHA256, 767 ECDSAWithP384AndSHA384, 768 ECDSAWithP521AndSHA512, 769 ECDSAWithSHA1, 770 }, 771 }, 772 &KeyShareExtension{[]KeyShare{ 773 {Group: X25519}, 774 {Group: CurveP256}, //key_share 775 }}, 776 &SupportedVersionsExtension{[]uint16{ 777 VersionTLS13, //supported_versions 778 VersionTLS12, 779 
VersionTLS11, 780 VersionTLS10, 781 }}, 782 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ //signature_algorithms 783 ECDSAWithP256AndSHA256, 784 ECDSAWithP384AndSHA384, 785 ECDSAWithP521AndSHA512, 786 PSSWithSHA256, 787 PSSWithSHA384, 788 PSSWithSHA512, 789 PKCS1WithSHA256, 790 PKCS1WithSHA384, 791 PKCS1WithSHA512, 792 ECDSAWithSHA1, 793 PKCS1WithSHA1, 794 }}, 795 &PSKKeyExchangeModesExtension{[]uint8{ //psk_key_exchange_modes 796 PskModeDHE, 797 }}, 798 &FakeRecordSizeLimitExtension{Limit: 0x4001}, //record_size_limit 799 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, //padding 800 }}, nil 801 case HelloFirefox_102: 802 return ClientHelloSpec{ 803 TLSVersMin: VersionTLS10, 804 TLSVersMax: VersionTLS13, 805 CipherSuites: []uint16{ 806 TLS_AES_128_GCM_SHA256, 807 TLS_CHACHA20_POLY1305_SHA256, 808 TLS_AES_256_GCM_SHA384, 809 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 810 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 811 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 812 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 813 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 814 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 815 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 816 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 817 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 818 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 819 TLS_RSA_WITH_AES_128_GCM_SHA256, 820 TLS_RSA_WITH_AES_256_GCM_SHA384, 821 TLS_RSA_WITH_AES_128_CBC_SHA, 822 TLS_RSA_WITH_AES_256_CBC_SHA, 823 }, 824 CompressionMethods: []byte{ 825 compressionNone, 826 }, 827 Extensions: []TLSExtension{ 828 &SNIExtension{}, //server_name 829 &UtlsExtendedMasterSecretExtension{}, //extended_master_secret 830 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, //extensionRenegotiationInfo 831 &SupportedCurvesExtension{[]CurveID{ //supported_groups 832 X25519, 833 CurveP256, 834 CurveP384, 835 CurveP521, 836 CurveID(FakeFFDHE2048), 837 CurveID(FakeFFDHE3072), 838 }}, 839 &SupportedPointsExtension{SupportedPoints: []byte{ 
//ec_point_formats 840 pointFormatUncompressed, 841 }}, 842 &SessionTicketExtension{}, 843 &ALPNExtension{AlpnProtocols: []string{"h2"}}, //application_layer_protocol_negotiation 844 &StatusRequestExtension{}, 845 &FakeDelegatedCredentialsExtension{ 846 SupportedSignatureAlgorithms: []SignatureScheme{ //signature_algorithms 847 ECDSAWithP256AndSHA256, 848 ECDSAWithP384AndSHA384, 849 ECDSAWithP521AndSHA512, 850 ECDSAWithSHA1, 851 }, 852 }, 853 &KeyShareExtension{[]KeyShare{ 854 {Group: X25519}, 855 {Group: CurveP256}, //key_share 856 }}, 857 &SupportedVersionsExtension{[]uint16{ 858 VersionTLS13, //supported_versions 859 VersionTLS12, 860 }}, 861 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ //signature_algorithms 862 ECDSAWithP256AndSHA256, 863 ECDSAWithP384AndSHA384, 864 ECDSAWithP521AndSHA512, 865 PSSWithSHA256, 866 PSSWithSHA384, 867 PSSWithSHA512, 868 PKCS1WithSHA256, 869 PKCS1WithSHA384, 870 PKCS1WithSHA512, 871 ECDSAWithSHA1, 872 PKCS1WithSHA1, 873 }}, 874 &PSKKeyExchangeModesExtension{[]uint8{ //psk_key_exchange_modes 875 PskModeDHE, 876 }}, 877 &FakeRecordSizeLimitExtension{Limit: 0x4001}, //record_size_limit 878 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, //padding 879 }}, nil 880 case HelloFirefox_105: 881 return ClientHelloSpec{ 882 TLSVersMin: VersionTLS12, 883 TLSVersMax: VersionTLS13, 884 CipherSuites: []uint16{ 885 TLS_AES_128_GCM_SHA256, 886 TLS_CHACHA20_POLY1305_SHA256, 887 TLS_AES_256_GCM_SHA384, 888 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 889 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 890 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 891 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 892 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 893 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 894 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 895 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 896 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 897 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 898 TLS_RSA_WITH_AES_128_GCM_SHA256, 899 TLS_RSA_WITH_AES_256_GCM_SHA384, 900 
TLS_RSA_WITH_AES_128_CBC_SHA, 901 TLS_RSA_WITH_AES_256_CBC_SHA, 902 }, 903 CompressionMethods: []uint8{ 904 0x0, // no compression 905 }, 906 Extensions: []TLSExtension{ 907 &SNIExtension{}, 908 &UtlsExtendedMasterSecretExtension{}, 909 &RenegotiationInfoExtension{ 910 Renegotiation: RenegotiateOnceAsClient, 911 }, 912 &SupportedCurvesExtension{ 913 Curves: []CurveID{ 914 X25519, 915 CurveP256, 916 CurveP384, 917 CurveP521, 918 256, 919 257, 920 }, 921 }, 922 &SupportedPointsExtension{ 923 SupportedPoints: []uint8{ 924 0x0, // uncompressed 925 }, 926 }, 927 &SessionTicketExtension{}, 928 &ALPNExtension{ 929 AlpnProtocols: []string{ 930 "h2", 931 "http/1.1", 932 }, 933 }, 934 &StatusRequestExtension{}, 935 &FakeDelegatedCredentialsExtension{ 936 SupportedSignatureAlgorithms: []SignatureScheme{ 937 ECDSAWithP256AndSHA256, 938 ECDSAWithP384AndSHA384, 939 ECDSAWithP521AndSHA512, 940 ECDSAWithSHA1, 941 }, 942 }, 943 &KeyShareExtension{ 944 KeyShares: []KeyShare{ 945 { 946 Group: X25519, 947 }, 948 { 949 Group: CurveP256, 950 }, 951 }, 952 }, 953 &SupportedVersionsExtension{ 954 Versions: []uint16{ 955 VersionTLS13, 956 VersionTLS12, 957 }, 958 }, 959 &SignatureAlgorithmsExtension{ 960 SupportedSignatureAlgorithms: []SignatureScheme{ 961 ECDSAWithP256AndSHA256, 962 ECDSAWithP384AndSHA384, 963 ECDSAWithP521AndSHA512, 964 PSSWithSHA256, 965 PSSWithSHA384, 966 PSSWithSHA512, 967 PKCS1WithSHA256, 968 PKCS1WithSHA384, 969 PKCS1WithSHA512, 970 ECDSAWithSHA1, 971 PKCS1WithSHA1, 972 }, 973 }, 974 &PSKKeyExchangeModesExtension{ 975 Modes: []uint8{ 976 PskModeDHE, 977 }, 978 }, 979 &FakeRecordSizeLimitExtension{ 980 Limit: 0x4001, 981 }, 982 &UtlsPaddingExtension{ 983 GetPaddingLen: BoringPaddingStyle, 984 }, 985 }, 986 }, nil 987 case HelloIOS_11_1: 988 return ClientHelloSpec{ 989 TLSVersMax: VersionTLS12, 990 TLSVersMin: VersionTLS10, 991 CipherSuites: []uint16{ 992 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 993 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 994 
DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 995 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 996 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 997 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 998 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 999 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1000 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1001 DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 1002 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1003 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1004 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1005 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1006 TLS_RSA_WITH_AES_256_GCM_SHA384, 1007 TLS_RSA_WITH_AES_128_GCM_SHA256, 1008 DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256, 1009 TLS_RSA_WITH_AES_128_CBC_SHA256, 1010 TLS_RSA_WITH_AES_256_CBC_SHA, 1011 TLS_RSA_WITH_AES_128_CBC_SHA, 1012 }, 1013 CompressionMethods: []byte{ 1014 compressionNone, 1015 }, 1016 Extensions: []TLSExtension{ 1017 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 1018 &SNIExtension{}, 1019 &UtlsExtendedMasterSecretExtension{}, 1020 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 1021 ECDSAWithP256AndSHA256, 1022 PSSWithSHA256, 1023 PKCS1WithSHA256, 1024 ECDSAWithP384AndSHA384, 1025 PSSWithSHA384, 1026 PKCS1WithSHA384, 1027 PSSWithSHA512, 1028 PKCS1WithSHA512, 1029 PKCS1WithSHA1, 1030 }}, 1031 &StatusRequestExtension{}, 1032 &NPNExtension{}, 1033 &SCTExtension{}, 1034 &ALPNExtension{AlpnProtocols: []string{"h2", "h2-16", "h2-15", "h2-14", "spdy/3.1", "spdy/3", "http/1.1"}}, 1035 &SupportedPointsExtension{SupportedPoints: []byte{ 1036 pointFormatUncompressed, 1037 }}, 1038 &SupportedCurvesExtension{Curves: []CurveID{ 1039 X25519, 1040 CurveP256, 1041 CurveP384, 1042 CurveP521, 1043 }}, 1044 }, 1045 }, nil 1046 case HelloIOS_12_1: 1047 return ClientHelloSpec{ 1048 CipherSuites: []uint16{ 1049 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1050 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1051 DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 1052 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1053 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1054 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1055 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1056 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1057 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1058 DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 1059 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1060 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1061 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1062 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1063 TLS_RSA_WITH_AES_256_GCM_SHA384, 1064 TLS_RSA_WITH_AES_128_GCM_SHA256, 1065 DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256, 1066 TLS_RSA_WITH_AES_128_CBC_SHA256, 1067 TLS_RSA_WITH_AES_256_CBC_SHA, 1068 TLS_RSA_WITH_AES_128_CBC_SHA, 1069 0xc008, 1070 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1071 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 1072 }, 1073 CompressionMethods: []byte{ 1074 compressionNone, 1075 }, 1076 Extensions: []TLSExtension{ 1077 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 1078 &SNIExtension{}, 1079 &UtlsExtendedMasterSecretExtension{}, 1080 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 1081 ECDSAWithP256AndSHA256, 1082 PSSWithSHA256, 1083 PKCS1WithSHA256, 1084 ECDSAWithP384AndSHA384, 1085 ECDSAWithSHA1, 1086 PSSWithSHA384, 1087 PSSWithSHA384, 1088 PKCS1WithSHA384, 1089 PSSWithSHA512, 1090 PKCS1WithSHA512, 1091 PKCS1WithSHA1, 1092 }}, 1093 &StatusRequestExtension{}, 1094 &NPNExtension{}, 1095 &SCTExtension{}, 1096 &ALPNExtension{AlpnProtocols: []string{"h2", "h2-16", "h2-15", "h2-14", "spdy/3.1", "spdy/3", "http/1.1"}}, 1097 &SupportedPointsExtension{SupportedPoints: []byte{ 1098 pointFormatUncompressed, 1099 }}, 1100 &SupportedCurvesExtension{[]CurveID{ 1101 X25519, 1102 CurveP256, 1103 CurveP384, 1104 CurveP521, 1105 }}, 1106 }, 1107 }, nil 1108 case HelloIOS_13: 1109 return ClientHelloSpec{ 1110 CipherSuites: []uint16{ 1111 TLS_AES_128_GCM_SHA256, 1112 TLS_AES_256_GCM_SHA384, 1113 TLS_CHACHA20_POLY1305_SHA256, 1114 
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1115 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1116 DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 1117 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1118 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1119 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1120 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1121 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1122 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1123 DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 1124 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1125 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1126 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1127 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1128 TLS_RSA_WITH_AES_256_GCM_SHA384, 1129 TLS_RSA_WITH_AES_128_GCM_SHA256, 1130 DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256, 1131 TLS_RSA_WITH_AES_128_CBC_SHA256, 1132 TLS_RSA_WITH_AES_256_CBC_SHA, 1133 TLS_RSA_WITH_AES_128_CBC_SHA, 1134 0xc008, 1135 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1136 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 1137 }, 1138 CompressionMethods: []byte{ 1139 0x00, // compressionNone 1140 }, 1141 Extensions: []TLSExtension{ 1142 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 1143 &SNIExtension{}, 1144 &UtlsExtendedMasterSecretExtension{}, 1145 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 1146 ECDSAWithP256AndSHA256, 1147 PSSWithSHA256, 1148 PKCS1WithSHA256, 1149 ECDSAWithP384AndSHA384, 1150 ECDSAWithSHA1, 1151 PSSWithSHA384, 1152 PSSWithSHA384, 1153 PKCS1WithSHA384, 1154 PSSWithSHA512, 1155 PKCS1WithSHA512, 1156 PKCS1WithSHA1, 1157 }}, 1158 &StatusRequestExtension{}, 1159 &SCTExtension{}, 1160 &ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 1161 &SupportedPointsExtension{SupportedPoints: []byte{ 1162 0x00, // pointFormatUncompressed 1163 }}, 1164 &KeyShareExtension{[]KeyShare{ 1165 {Group: X25519}, 1166 }}, 1167 &PSKKeyExchangeModesExtension{[]uint8{ 1168 PskModeDHE, 1169 }}, 1170 &SupportedVersionsExtension{[]uint16{ 1171 VersionTLS13, 1172 VersionTLS12, 1173 VersionTLS11, 
1174 VersionTLS10, 1175 }}, 1176 &SupportedCurvesExtension{[]CurveID{ 1177 X25519, 1178 CurveP256, 1179 CurveP384, 1180 CurveP521, 1181 }}, 1182 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 1183 }, 1184 }, nil 1185 case HelloIOS_14: 1186 return ClientHelloSpec{ 1187 // TLSVersMax: VersionTLS12, 1188 // TLSVersMin: VersionTLS10, 1189 CipherSuites: []uint16{ 1190 GREASE_PLACEHOLDER, 1191 TLS_AES_128_GCM_SHA256, 1192 TLS_AES_256_GCM_SHA384, 1193 TLS_CHACHA20_POLY1305_SHA256, 1194 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1195 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1196 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1197 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1198 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1199 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1200 DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 1201 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1202 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1203 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1204 DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 1205 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1206 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1207 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1208 TLS_RSA_WITH_AES_256_GCM_SHA384, 1209 TLS_RSA_WITH_AES_128_GCM_SHA256, 1210 DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256, 1211 TLS_RSA_WITH_AES_128_CBC_SHA256, 1212 TLS_RSA_WITH_AES_256_CBC_SHA, 1213 TLS_RSA_WITH_AES_128_CBC_SHA, 1214 0xc008, 1215 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1216 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 1217 }, 1218 CompressionMethods: []byte{ 1219 0x00, // compressionNone 1220 }, 1221 Extensions: []TLSExtension{ 1222 &UtlsGREASEExtension{}, 1223 &SNIExtension{}, 1224 &UtlsExtendedMasterSecretExtension{}, 1225 &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}, 1226 &SupportedCurvesExtension{[]CurveID{ 1227 CurveID(GREASE_PLACEHOLDER), 1228 X25519, 1229 CurveP256, 1230 CurveP384, 1231 CurveP521, 1232 }}, 1233 &SupportedPointsExtension{SupportedPoints: []byte{ 1234 0x00, // pointFormatUncompressed 1235 }}, 1236 
&ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}, 1237 &StatusRequestExtension{}, 1238 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 1239 ECDSAWithP256AndSHA256, 1240 PSSWithSHA256, 1241 PKCS1WithSHA256, 1242 ECDSAWithP384AndSHA384, 1243 ECDSAWithSHA1, 1244 PSSWithSHA384, 1245 PSSWithSHA384, 1246 PKCS1WithSHA384, 1247 PSSWithSHA512, 1248 PKCS1WithSHA512, 1249 PKCS1WithSHA1, 1250 }}, 1251 &SCTExtension{}, 1252 &KeyShareExtension{[]KeyShare{ 1253 {Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}}, 1254 {Group: X25519}, 1255 }}, 1256 &PSKKeyExchangeModesExtension{[]uint8{ 1257 PskModeDHE, 1258 }}, 1259 &SupportedVersionsExtension{[]uint16{ 1260 GREASE_PLACEHOLDER, 1261 VersionTLS13, 1262 VersionTLS12, 1263 VersionTLS11, 1264 VersionTLS10, 1265 }}, 1266 &UtlsGREASEExtension{}, 1267 &UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}, 1268 }, 1269 }, nil 1270 case HelloAndroid_11_OkHttp: 1271 return ClientHelloSpec{ 1272 CipherSuites: []uint16{ 1273 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1274 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1275 0xcca9, // Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) 1276 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1277 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1278 0xcca8, // Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) 1279 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1280 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1281 TLS_RSA_WITH_AES_128_GCM_SHA256, 1282 TLS_RSA_WITH_AES_256_GCM_SHA384, 1283 TLS_RSA_WITH_AES_128_CBC_SHA, 1284 TLS_RSA_WITH_AES_256_CBC_SHA, 1285 }, 1286 CompressionMethods: []byte{ 1287 0x00, // compressionNone 1288 }, 1289 Extensions: []TLSExtension{ 1290 &SNIExtension{}, 1291 &UtlsExtendedMasterSecretExtension{}, 1292 &RenegotiationInfoExtension{}, 1293 // supported_groups 1294 &SupportedCurvesExtension{[]CurveID{ 1295 X25519, 1296 CurveP256, 1297 CurveP384, 1298 }}, 1299 &SupportedPointsExtension{SupportedPoints: []byte{ 1300 0x00, // 
pointFormatUncompressed 1301 }}, 1302 &StatusRequestExtension{}, 1303 &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ 1304 ECDSAWithP256AndSHA256, 1305 PSSWithSHA256, 1306 PKCS1WithSHA256, 1307 ECDSAWithP384AndSHA384, 1308 PSSWithSHA384, 1309 PKCS1WithSHA384, 1310 PSSWithSHA512, 1311 PKCS1WithSHA512, 1312 PKCS1WithSHA1, 1313 }}, 1314 }, 1315 }, nil 1316 case HelloEdge_85: 1317 return ClientHelloSpec{ 1318 CipherSuites: []uint16{ 1319 GREASE_PLACEHOLDER, 1320 TLS_AES_128_GCM_SHA256, 1321 TLS_AES_256_GCM_SHA384, 1322 TLS_CHACHA20_POLY1305_SHA256, 1323 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1324 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1325 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1326 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1327 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1328 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1329 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1330 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1331 TLS_RSA_WITH_AES_128_GCM_SHA256, 1332 TLS_RSA_WITH_AES_256_GCM_SHA384, 1333 TLS_RSA_WITH_AES_128_CBC_SHA, 1334 TLS_RSA_WITH_AES_256_CBC_SHA, 1335 }, 1336 CompressionMethods: []uint8{ 1337 0x0, // no compression 1338 }, 1339 Extensions: []TLSExtension{ 1340 &UtlsGREASEExtension{}, 1341 &SNIExtension{}, 1342 &UtlsExtendedMasterSecretExtension{}, 1343 &RenegotiationInfoExtension{ 1344 Renegotiation: RenegotiateOnceAsClient, 1345 }, 1346 &SupportedCurvesExtension{ 1347 Curves: []CurveID{ 1348 GREASE_PLACEHOLDER, 1349 X25519, 1350 CurveP256, 1351 CurveP384, 1352 }, 1353 }, 1354 &SupportedPointsExtension{ 1355 SupportedPoints: []uint8{ 1356 0x0, // pointFormatUncompressed 1357 }, 1358 }, 1359 &SessionTicketExtension{}, 1360 &ALPNExtension{ 1361 AlpnProtocols: []string{ 1362 "h2", 1363 "http/1.1", 1364 }, 1365 }, 1366 &StatusRequestExtension{}, 1367 &SignatureAlgorithmsExtension{ 1368 SupportedSignatureAlgorithms: []SignatureScheme{ 1369 ECDSAWithP256AndSHA256, 1370 PSSWithSHA256, 1371 PKCS1WithSHA256, 1372 ECDSAWithP384AndSHA384, 1373 PSSWithSHA384, 
1374 PKCS1WithSHA384, 1375 PSSWithSHA512, 1376 PKCS1WithSHA512, 1377 }, 1378 }, 1379 &SCTExtension{}, 1380 &KeyShareExtension{ 1381 KeyShares: []KeyShare{ 1382 { 1383 Group: GREASE_PLACEHOLDER, 1384 Data: []byte{ 1385 0, 1386 }, 1387 }, 1388 { 1389 Group: X25519, 1390 }, 1391 }, 1392 }, 1393 &PSKKeyExchangeModesExtension{ 1394 Modes: []uint8{ 1395 PskModeDHE, 1396 }, 1397 }, 1398 &SupportedVersionsExtension{ 1399 Versions: []uint16{ 1400 GREASE_PLACEHOLDER, 1401 VersionTLS13, 1402 VersionTLS12, 1403 VersionTLS11, 1404 VersionTLS10, 1405 }, 1406 }, 1407 &UtlsCompressCertExtension{ 1408 Algorithms: []CertCompressionAlgo{ 1409 CertCompressionBrotli, 1410 }, 1411 }, 1412 &UtlsGREASEExtension{}, 1413 &UtlsPaddingExtension{ 1414 GetPaddingLen: BoringPaddingStyle, 1415 }, 1416 }, 1417 }, nil 1418 case HelloEdge_106: 1419 return ClientHelloSpec{ 1420 TLSVersMin: VersionTLS12, 1421 TLSVersMax: VersionTLS13, 1422 CipherSuites: []uint16{ 1423 GREASE_PLACEHOLDER, 1424 TLS_AES_128_GCM_SHA256, 1425 TLS_AES_256_GCM_SHA384, 1426 TLS_AES_256_GCM_SHA384, 1427 TLS_CHACHA20_POLY1305_SHA256, 1428 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1429 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1430 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1431 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1432 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1433 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1434 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1435 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1436 TLS_RSA_WITH_AES_128_GCM_SHA256, 1437 TLS_RSA_WITH_AES_256_GCM_SHA384, 1438 TLS_RSA_WITH_AES_128_CBC_SHA, 1439 TLS_RSA_WITH_AES_256_CBC_SHA, 1440 }, 1441 CompressionMethods: []uint8{ 1442 0x0, // no compression 1443 }, 1444 Extensions: []TLSExtension{ 1445 &UtlsGREASEExtension{}, 1446 &SNIExtension{}, 1447 &UtlsExtendedMasterSecretExtension{}, 1448 &RenegotiationInfoExtension{ 1449 Renegotiation: RenegotiateOnceAsClient, 1450 }, 1451 &SupportedCurvesExtension{ 1452 Curves: []CurveID{ 1453 GREASE_PLACEHOLDER, 1454 X25519, 1455 CurveP256, 1456 
CurveP384, 1457 }, 1458 }, 1459 &SupportedPointsExtension{ 1460 SupportedPoints: []uint8{ 1461 0x0, // uncompressed 1462 }, 1463 }, 1464 &SessionTicketExtension{}, 1465 &ALPNExtension{ 1466 AlpnProtocols: []string{ 1467 "h2", 1468 "http/1.1", 1469 }, 1470 }, 1471 &StatusRequestExtension{}, 1472 &SignatureAlgorithmsExtension{ 1473 SupportedSignatureAlgorithms: []SignatureScheme{ 1474 ECDSAWithP256AndSHA256, 1475 PSSWithSHA256, 1476 PKCS1WithSHA256, 1477 ECDSAWithP384AndSHA384, 1478 PSSWithSHA384, 1479 PKCS1WithSHA384, 1480 PSSWithSHA512, 1481 PKCS1WithSHA512, 1482 }, 1483 }, 1484 &SCTExtension{}, 1485 &KeyShareExtension{ 1486 KeyShares: []KeyShare{ 1487 { 1488 Group: GREASE_PLACEHOLDER, 1489 Data: []byte{ 1490 0, 1491 }, 1492 }, 1493 { 1494 Group: X25519, 1495 }, 1496 }, 1497 }, 1498 &PSKKeyExchangeModesExtension{ 1499 Modes: []uint8{ 1500 PskModeDHE, 1501 }, 1502 }, 1503 &SupportedVersionsExtension{ 1504 Versions: []uint16{ 1505 GREASE_PLACEHOLDER, 1506 VersionTLS13, 1507 VersionTLS12, 1508 }, 1509 }, 1510 &UtlsCompressCertExtension{ 1511 Algorithms: []CertCompressionAlgo{ 1512 CertCompressionBrotli, 1513 }, 1514 }, 1515 &ApplicationSettingsExtension{ 1516 SupportedProtocols: []string{ 1517 "h2", 1518 }, 1519 }, 1520 &UtlsGREASEExtension{}, 1521 &UtlsPaddingExtension{ 1522 GetPaddingLen: BoringPaddingStyle, 1523 }, 1524 }, 1525 }, nil 1526 case HelloSafari_16_0: 1527 return ClientHelloSpec{ 1528 TLSVersMin: VersionTLS10, 1529 TLSVersMax: VersionTLS13, 1530 CipherSuites: []uint16{ 1531 GREASE_PLACEHOLDER, 1532 TLS_AES_128_GCM_SHA256, 1533 TLS_AES_256_GCM_SHA384, 1534 TLS_CHACHA20_POLY1305_SHA256, 1535 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1536 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1537 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1538 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1539 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1540 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1541 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1542 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1543 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1544 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1545 TLS_RSA_WITH_AES_256_GCM_SHA384, 1546 TLS_RSA_WITH_AES_128_GCM_SHA256, 1547 TLS_RSA_WITH_AES_256_CBC_SHA, 1548 TLS_RSA_WITH_AES_128_CBC_SHA, 1549 FAKE_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 1550 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1551 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 1552 }, 1553 CompressionMethods: []uint8{ 1554 0x0, // no compression 1555 }, 1556 Extensions: []TLSExtension{ 1557 &UtlsGREASEExtension{}, 1558 &SNIExtension{}, 1559 &UtlsExtendedMasterSecretExtension{}, 1560 &RenegotiationInfoExtension{ 1561 Renegotiation: RenegotiateOnceAsClient, 1562 }, 1563 &SupportedCurvesExtension{ 1564 Curves: []CurveID{ 1565 GREASE_PLACEHOLDER, 1566 X25519, 1567 CurveP256, 1568 CurveP384, 1569 CurveP521, 1570 }, 1571 }, 1572 &SupportedPointsExtension{ 1573 SupportedPoints: []uint8{ 1574 0x0, // uncompressed 1575 }, 1576 }, 1577 &ALPNExtension{ 1578 AlpnProtocols: []string{ 1579 "h2", 1580 "http/1.1", 1581 }, 1582 }, 1583 &StatusRequestExtension{}, 1584 &SignatureAlgorithmsExtension{ 1585 SupportedSignatureAlgorithms: []SignatureScheme{ 1586 ECDSAWithP256AndSHA256, 1587 PSSWithSHA256, 1588 PKCS1WithSHA256, 1589 ECDSAWithP384AndSHA384, 1590 ECDSAWithSHA1, 1591 PSSWithSHA384, 1592 PSSWithSHA384, 1593 PKCS1WithSHA384, 1594 PSSWithSHA512, 1595 PKCS1WithSHA512, 1596 PKCS1WithSHA1, 1597 }, 1598 }, 1599 &SCTExtension{}, 1600 &KeyShareExtension{ 1601 KeyShares: []KeyShare{ 1602 { 1603 Group: GREASE_PLACEHOLDER, 1604 Data: []byte{ 1605 0, 1606 }, 1607 }, 1608 { 1609 Group: X25519, 1610 }, 1611 }, 1612 }, 1613 &PSKKeyExchangeModesExtension{ 1614 Modes: []uint8{ 1615 PskModeDHE, 1616 }, 1617 }, 1618 &SupportedVersionsExtension{ 1619 Versions: []uint16{ 1620 GREASE_PLACEHOLDER, 1621 VersionTLS13, 1622 VersionTLS12, 1623 VersionTLS11, 1624 VersionTLS10, 1625 }, 1626 }, 1627 &UtlsCompressCertExtension{ 1628 Algorithms: []CertCompressionAlgo{ 1629 CertCompressionZlib, 1630 }, 1631 }, 1632 &UtlsGREASEExtension{}, 
1633 &UtlsPaddingExtension{ 1634 GetPaddingLen: BoringPaddingStyle, 1635 }, 1636 }, 1637 }, nil 1638 case Hello360_7_5: 1639 return ClientHelloSpec{ 1640 CipherSuites: []uint16{ 1641 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1642 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1643 FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1644 FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 1645 TLS_RSA_WITH_AES_256_CBC_SHA, 1646 DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256, 1647 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 1648 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1649 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1650 TLS_ECDHE_RSA_WITH_RC4_128_SHA, 1651 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1652 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 1653 FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 1654 FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 1655 FAKE_TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 1656 TLS_RSA_WITH_RC4_128_SHA, 1657 FAKE_TLS_RSA_WITH_RC4_128_MD5, 1658 TLS_RSA_WITH_AES_128_CBC_SHA, 1659 TLS_RSA_WITH_AES_128_CBC_SHA256, 1660 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 1661 }, 1662 CompressionMethods: []uint8{ 1663 0x0, // no compression 1664 }, 1665 Extensions: []TLSExtension{ 1666 &SNIExtension{}, 1667 &RenegotiationInfoExtension{ 1668 Renegotiation: RenegotiateOnceAsClient, 1669 }, 1670 &SupportedCurvesExtension{ 1671 Curves: []CurveID{ 1672 CurveP256, 1673 CurveP384, 1674 CurveP521, 1675 }, 1676 }, 1677 &SupportedPointsExtension{ 1678 SupportedPoints: []uint8{ 1679 0x0, // pointFormatUncompressed 1680 }, 1681 }, 1682 &SessionTicketExtension{}, 1683 &NPNExtension{}, 1684 &ALPNExtension{ 1685 AlpnProtocols: []string{ 1686 "spdy/2", 1687 "spdy/3", 1688 "spdy/3.1", 1689 "http/1.1", 1690 }, 1691 }, 1692 &FakeChannelIDExtension{ 1693 OldExtensionID: true, 1694 }, 1695 &StatusRequestExtension{}, 1696 &SignatureAlgorithmsExtension{ 1697 SupportedSignatureAlgorithms: []SignatureScheme{ 1698 PKCS1WithSHA256, 1699 PKCS1WithSHA384, 1700 PKCS1WithSHA1, 1701 ECDSAWithP256AndSHA256, 1702 ECDSAWithP384AndSHA384, 1703 ECDSAWithSHA1, 1704 FakeSHA256WithDSA, 1705 
FakeSHA1WithDSA, 1706 }, 1707 }, 1708 }, 1709 }, nil 1710 case Hello360_11_0: 1711 return ClientHelloSpec{ 1712 TLSVersMin: VersionTLS10, 1713 TLSVersMax: VersionTLS13, 1714 CipherSuites: []uint16{ 1715 GREASE_PLACEHOLDER, 1716 TLS_AES_128_GCM_SHA256, 1717 TLS_AES_256_GCM_SHA384, 1718 TLS_CHACHA20_POLY1305_SHA256, 1719 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1720 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1721 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1722 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1723 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1724 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1725 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1726 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1727 TLS_RSA_WITH_AES_128_GCM_SHA256, 1728 TLS_RSA_WITH_AES_256_GCM_SHA384, 1729 TLS_RSA_WITH_AES_128_CBC_SHA, 1730 TLS_RSA_WITH_AES_256_CBC_SHA, 1731 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 1732 }, 1733 CompressionMethods: []uint8{ 1734 0x0, // no compression 1735 }, 1736 Extensions: []TLSExtension{ 1737 &UtlsGREASEExtension{}, 1738 &SNIExtension{}, 1739 &UtlsExtendedMasterSecretExtension{}, 1740 &RenegotiationInfoExtension{ 1741 Renegotiation: RenegotiateOnceAsClient, 1742 }, 1743 &SupportedCurvesExtension{ 1744 Curves: []CurveID{ 1745 GREASE_PLACEHOLDER, 1746 X25519, 1747 CurveP256, 1748 CurveP384, 1749 }, 1750 }, 1751 &SupportedPointsExtension{ 1752 SupportedPoints: []uint8{ 1753 0x0, // uncompressed 1754 }, 1755 }, 1756 &SessionTicketExtension{}, 1757 &ALPNExtension{ 1758 AlpnProtocols: []string{ 1759 "h2", 1760 "http/1.1", 1761 }, 1762 }, 1763 &StatusRequestExtension{}, 1764 &SignatureAlgorithmsExtension{ 1765 SupportedSignatureAlgorithms: []SignatureScheme{ 1766 ECDSAWithP256AndSHA256, 1767 PSSWithSHA256, 1768 PKCS1WithSHA256, 1769 ECDSAWithP384AndSHA384, 1770 PSSWithSHA384, 1771 PKCS1WithSHA384, 1772 PSSWithSHA512, 1773 PKCS1WithSHA512, 1774 PKCS1WithSHA1, 1775 }, 1776 }, 1777 &SCTExtension{}, 1778 &FakeChannelIDExtension{ 1779 OldExtensionID: false, 1780 }, 1781 &KeyShareExtension{ 1782 KeyShares: []KeyShare{ 
1783 { 1784 Group: GREASE_PLACEHOLDER, 1785 Data: []byte{ 1786 0, 1787 }, 1788 }, 1789 { 1790 Group: X25519, 1791 }, 1792 }, 1793 }, 1794 &PSKKeyExchangeModesExtension{ 1795 Modes: []uint8{ 1796 PskModeDHE, 1797 }, 1798 }, 1799 &SupportedVersionsExtension{ 1800 Versions: []uint16{ 1801 GREASE_PLACEHOLDER, 1802 VersionTLS13, 1803 VersionTLS12, 1804 VersionTLS11, 1805 VersionTLS10, 1806 }, 1807 }, 1808 &UtlsCompressCertExtension{ 1809 Algorithms: []CertCompressionAlgo{ 1810 CertCompressionBrotli, 1811 }, 1812 }, 1813 &UtlsGREASEExtension{}, 1814 &UtlsPaddingExtension{ 1815 GetPaddingLen: BoringPaddingStyle, 1816 }, 1817 }, 1818 }, nil 1819 case HelloQQ_11_1: 1820 return ClientHelloSpec{ 1821 TLSVersMin: VersionTLS10, 1822 TLSVersMax: VersionTLS13, 1823 CipherSuites: []uint16{ 1824 GREASE_PLACEHOLDER, 1825 TLS_AES_128_GCM_SHA256, 1826 TLS_AES_256_GCM_SHA384, 1827 TLS_CHACHA20_POLY1305_SHA256, 1828 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1829 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1830 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 1831 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 1832 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1833 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1834 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1835 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1836 TLS_RSA_WITH_AES_128_GCM_SHA256, 1837 TLS_RSA_WITH_AES_256_GCM_SHA384, 1838 TLS_RSA_WITH_AES_128_CBC_SHA, 1839 TLS_RSA_WITH_AES_256_CBC_SHA, 1840 }, 1841 CompressionMethods: []uint8{ 1842 0x0, // no compression 1843 }, 1844 Extensions: []TLSExtension{ 1845 &UtlsGREASEExtension{}, 1846 &SNIExtension{}, 1847 &UtlsExtendedMasterSecretExtension{}, 1848 &RenegotiationInfoExtension{ 1849 Renegotiation: RenegotiateOnceAsClient, 1850 }, 1851 &SupportedCurvesExtension{ 1852 Curves: []CurveID{ 1853 GREASE_PLACEHOLDER, 1854 X25519, 1855 CurveP256, 1856 CurveP384, 1857 }, 1858 }, 1859 &SupportedPointsExtension{ 1860 SupportedPoints: []uint8{ 1861 0x0, // uncompressed 1862 }, 1863 }, 1864 &SessionTicketExtension{}, 1865 &ALPNExtension{ 1866 
AlpnProtocols: []string{ 1867 "h2", 1868 "http/1.1", 1869 }, 1870 }, 1871 &StatusRequestExtension{}, 1872 &SignatureAlgorithmsExtension{ 1873 SupportedSignatureAlgorithms: []SignatureScheme{ 1874 ECDSAWithP256AndSHA256, 1875 PSSWithSHA256, 1876 PKCS1WithSHA256, 1877 ECDSAWithP384AndSHA384, 1878 PSSWithSHA384, 1879 PKCS1WithSHA384, 1880 PSSWithSHA512, 1881 PKCS1WithSHA512, 1882 }, 1883 }, 1884 &SCTExtension{}, 1885 &KeyShareExtension{ 1886 KeyShares: []KeyShare{ 1887 { 1888 Group: GREASE_PLACEHOLDER, 1889 Data: []byte{ 1890 0, 1891 }, 1892 }, 1893 { 1894 Group: X25519, 1895 }, 1896 }, 1897 }, 1898 &PSKKeyExchangeModesExtension{ 1899 Modes: []uint8{ 1900 PskModeDHE, 1901 }, 1902 }, 1903 &SupportedVersionsExtension{ 1904 Versions: []uint16{ 1905 GREASE_PLACEHOLDER, 1906 VersionTLS13, 1907 VersionTLS12, 1908 VersionTLS11, 1909 VersionTLS10, 1910 }, 1911 }, 1912 &UtlsCompressCertExtension{ 1913 Algorithms: []CertCompressionAlgo{ 1914 CertCompressionBrotli, 1915 }, 1916 }, 1917 &ApplicationSettingsExtension{ 1918 SupportedProtocols: []string{ 1919 "h2", 1920 }, 1921 }, 1922 &UtlsGREASEExtension{}, 1923 &UtlsPaddingExtension{ 1924 GetPaddingLen: BoringPaddingStyle, 1925 }, 1926 }, 1927 }, nil 1928 default: 1929 if id.Client == helloRandomized || id.Client == helloRandomizedALPN || id.Client == helloRandomizedNoALPN { 1930 // Use empty values as they can be filled later by UConn.ApplyPreset or manually. 
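return generateRandomizedSpec(&id, "", nil, nil)
		}
		return ClientHelloSpec{}, errors.New("ClientHello ID " + id.Str() + " is unknown")
	}
}

// shuffleExtensions randomly reorders chs.Extensions in place, following the
// extension-order randomization introduced in Chrome 106.
//
// Pinned extensions never move:
//   - a UtlsGREASEExtension keeps its position;
//   - a UtlsPaddingExtension or FakePreSharedKeyExtension keeps its position
//     and must be the last extension, otherwise an error is returned.
//
// The position check covers the whole list before anything is moved, so a
// rejected spec is left unmodified and a misplaced extension is reported on
// every call, not only when the shuffle happens to visit its index.
//
// NOTE(review): the permutation is drawn from the package-level math/rand
// source. On Go releases before 1.20 that source is deterministic unless the
// program seeds it, which would give the same order on every run. Confirm
// the toolchain version or the seeding done elsewhere.
func shuffleExtensions(chs *ClientHelloSpec) error {
	exts := chs.Extensions
	last := len(exts) - 1

	// movable collects the indices of extensions that are allowed to change
	// position; pinned extensions are simply left out of it.
	movable := make([]int, 0, len(exts))
	for i, ext := range exts {
		switch ext.(type) {
		case *UtlsGREASEExtension:
			// pinned: stays where the spec put it
		case *UtlsPaddingExtension, *FakePreSharedKeyExtension:
			if i != last {
				return errors.New("UtlsPaddingExtension or FakePreSharedKeyExtension must be the last extension")
			}
		default:
			movable = append(movable, i)
		}
	}

	// Permute only the movable extensions among the movable slots. exts
	// shares its backing array with chs.Extensions, so the swaps are visible
	// to the caller.
	rand.Shuffle(len(movable), func(a, b int) {
		i, j := movable[a], movable[b]
		exts[i], exts[j] = exts[j], exts[i]
	})

	return nil
}

func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
	var spec ClientHelloSpec
	uconn.ClientHelloID = id
	// choose/generate the spec
	switch id.Client {
	case helloRandomized, helloRandomizedNoALPN, helloRandomizedALPN:
		spec, err = uconn.generateRandomizedSpec()
		if err != nil {
			return err
		}
	case helloCustom:
		return nil

	default:
		spec, err =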
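utlsIdToSpec(id)
		if err != nil {
			return err
		}
	}

	return uconn.ApplyPreset(&spec)
}

// ApplyPreset should only be used in conjunction with HelloCustom to apply custom specs.
// Fields of TLSExtensions that are slices/pointers are shared across different connections with
// same ClientHelloSpec. It is advised to use different specs and avoid any shared state.
//
// Concretely, the extension values in p.Extensions are copied by pointer and then
// modified in place: an empty SNIExtension.ServerName is filled from the connection's
// config, entries recognised by isGREASEUint16 are rewritten with this connection's
// GREASE values, and key shares whose Data holds at most one byte receive a freshly
// generated public key. A spec that has already been applied therefore still carries
// the first connection's server name and key-share data; applying it to a second
// connection does not refresh them.
//
// It returns an error if SetTLSVers rejects the version range, the random source
// cannot be read, hello.Random has a length other than 0 or 32, more than two GREASE
// extensions are present, SetSessionState fails, or a key share cannot be generated
// for a curve.
func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
	var err error

	err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax, p.Extensions)
	if err != nil {
		return err
	}

	privateHello, ecdheParams, err := uconn.makeClientHello()
	if err != nil {
		return err
	}
	uconn.HandshakeState.Hello = privateHello.getPublicPtr()
	uconn.HandshakeState.State13.EcdheParams = ecdheParams
	uconn.HandshakeState.State13.KeySharesEcdheParams = make(KeySharesEcdheParameters, 2)
	hello := uconn.HandshakeState.Hello
	session := uconn.HandshakeState.Session

	// The ClientHello random must be exactly 32 bytes: generate it when
	// absent, accept it when already set, reject anything else.
	switch len(hello.Random) {
	case 0:
		hello.Random = make([]byte, 32)
		_, err := io.ReadFull(uconn.config.rand(), hello.Random)
		if err != nil {
			return errors.New("tls: short read from Rand: " + err.Error())
		}
	case 32:
		// carry on
	default:
		return errors.New("ClientHello expected length: 32 bytes. Got: " +
			strconv.Itoa(len(hello.Random)) + " bytes")
	}
	// NOTE(review): this default is replaced unconditionally further down by a
	// copy of p.CipherSuites, so an empty p.CipherSuites yields an empty list,
	// not defaultCipherSuites.
	if len(hello.CipherSuites) == 0 {
		hello.CipherSuites = defaultCipherSuites
	}
	if len(hello.CompressionMethods) == 0 {
		hello.CompressionMethods = []uint8{compressionNone}
	}

	// Currently, GREASE is assumed to come from BoringSSL
	grease_bytes := make([]byte, 2*ssl_grease_last_index)
	grease_extensions_seen := 0
	_, err = io.ReadFull(uconn.config.rand(), grease_bytes)
	if err != nil {
		return errors.New("tls: short read from Rand: " + err.Error())
	}
	for i := range uconn.greaseSeed {
		uconn.greaseSeed[i] = binary.LittleEndian.Uint16(grease_bytes[2*i : 2*i+2])
	}
	// The two GREASE extensions must not end up with the same value.
	if GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_extension1) == GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_extension2) {
		uconn.greaseSeed[ssl_grease_extension2] ^= 0x1010
	}

	hello.CipherSuites = make([]uint16, len(p.CipherSuites))
	copy(hello.CipherSuites, p.CipherSuites)
	for i := range hello.CipherSuites {
		if isGREASEUint16(hello.CipherSuites[i]) { // just in case the user set a GREASE value instead of unGREASEd
			hello.CipherSuites[i] = GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_cipher)
		}
	}
	uconn.GetSessionID = p.GetSessionID
	// Only the slice is copied; the elements are the same extension pointers
	// that p.Extensions holds, so the edits below are visible through p.
	uconn.Extensions = make([]TLSExtension, len(p.Extensions))
	copy(uconn.Extensions, p.Extensions)

	// Check whether NPN extension actually exists
	var haveNPN bool

	// reGrease, and point things to each other
	for _, e := range uconn.Extensions {
		switch ext := e.(type) {
		case *SNIExtension:
			if ext.ServerName == "" {
				ext.ServerName = uconn.config.ServerName
			}
		case *UtlsGREASEExtension:
			switch grease_extensions_seen {
			case 0:
				ext.Value = GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_extension1)
			case 1:
				ext.Value = GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_extension2)
				ext.Body = []byte{0}
			default:
				return errors.New("at most 2 grease extensions are supported")
			}
			grease_extensions_seen += 1
		case *SessionTicketExtension:
			if session == nil && uconn.config.ClientSessionCache != nil {
				cacheKey := clientSessionCacheKey(uconn.RemoteAddr(), uconn.config)
				session, _ = uconn.config.ClientSessionCache.Get(cacheKey)
				// TODO: use uconn.loadSession(hello.getPrivateObj()) to support TLS 1.3 PSK-style resumption
			}
			err := uconn.SetSessionState(session)
			if err != nil {
				return err
			}
		case *SupportedCurvesExtension:
			for i := range ext.Curves {
				if isGREASEUint16(uint16(ext.Curves[i])) {
					ext.Curves[i] = CurveID(GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_group))
				}
			}
		case *KeyShareExtension:
			preferredCurveIsSet := false
			for i := range ext.KeyShares {
				curveID := ext.KeyShares[i].Group
				if isGREASEUint16(uint16(curveID)) { // just in case the user set a GREASE value instead of unGREASEd
					ext.KeyShares[i].Group = CurveID(GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_group))
					continue
				}
				// Data longer than one byte is treated as caller-supplied key
				// material and left untouched; no ECDHE parameters are
				// registered for that share.
				if len(ext.KeyShares[i].Data) > 1 {
					continue
				}

				ecdheParams, err := generateECDHEParameters(uconn.config.rand(), curveID)
				if err != nil {
					// Keep the underlying cause so callers can tell an
					// unsupported curve from a failing random source.
					return fmt.Errorf("unsupported Curve in KeyShareExtension: %v. "+
						"To mimic it, fill the Data(key) field manually: %w", curveID, err)
				}
				uconn.HandshakeState.State13.KeySharesEcdheParams.AddEcdheParams(curveID, ecdheParams)
				ext.KeyShares[i].Data = ecdheParams.PublicKey()
				if !preferredCurveIsSet {
					// only do this once for the first non-grease curve
					uconn.HandshakeState.State13.EcdheParams = ecdheParams
					preferredCurveIsSet = true
				}
			}
		case *SupportedVersionsExtension:
			for i := range ext.Versions {
				if isGREASEUint16(ext.Versions[i]) { // just in case the user set a GREASE value instead of unGREASEd
					ext.Versions[i] = GetBoringGREASEValue(uconn.greaseSeed, ssl_grease_version)
				}
			}
		case *NPNExtension:
			haveNPN = true
		}
	}

	// The default golang behavior in makeClientHello always sets NextProtoNeg if NextProtos is set,
	// but NextProtos is also used by ALPN and our spec may not actually have a NPN extension
	hello.NextProtoNeg = haveNPN

	return nil
}

// generateRandomizedSpec builds a randomized ClientHelloSpec from this
// connection's ClientHelloID, server name, session and configured NextProtos.
func (uconn *UConn) generateRandomizedSpec() (ClientHelloSpec, error) {
	return generateRandomizedSpec(&uconn.ClientHelloID, uconn.serverName, uconn.HandshakeState.Session, uconn.config.NextProtos)
}

func generateRandomizedSpec(
	id *ClientHelloID,
	serverName string,
	session *ClientSessionState,
	nextProtos []string,
) (ClientHelloSpec, error) {
	p := ClientHelloSpec{}

	if id.Seed == nil {
		seed, err := NewPRNGSeed()
		if err != nil {
			return p, err
		}
		id.Seed = seed
	}

	r, err := newPRNGWithSeed(id.Seed)
	if err != nil {
		return p, err
	}

	if id.Weights == nil {
		id.Weights = &DefaultWeights
	}

	var WithALPN bool
	switch id.Client {
	case helloRandomizedALPN:
		WithALPN = true
	case helloRandomizedNoALPN:
		WithALPN = false
	case helloRandomized:
		if r.FlipWeightedCoin(id.Weights.Extensions_Append_ALPN) {
			WithALPN = true
		} else {
			WithALPN = false
		}
	default:
		return p, fmt.Errorf("using non-randomized ClientHelloID %v to generate randomized spec", id.Client)
	}

	p.CipherSuites = make([]uint16, len(defaultCipherSuites))
	copy(p.CipherSuites, defaultCipherSuites)
	shuffledSuites, err := shuffledCiphers(r)
	if err != nil {
		return p, err
	}

	if r.FlipWeightedCoin(id.Weights.TLSVersMax_Set_VersionTLS13) {
		p.TLSVersMin = VersionTLS10
		p.TLSVersMax = VersionTLS13
		tls13ciphers := make([]uint16,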
len(defaultCipherSuitesTLS13)) 2207 copy(tls13ciphers, defaultCipherSuitesTLS13) 2208 r.rand.Shuffle(len(tls13ciphers), func(i, j int) { 2209 tls13ciphers[i], tls13ciphers[j] = tls13ciphers[j], tls13ciphers[i] 2210 }) 2211 // appending TLS 1.3 ciphers before TLS 1.2, since that's what popular implementations do 2212 shuffledSuites = append(tls13ciphers, shuffledSuites...) 2213 2214 // TLS 1.3 forbids RC4 in any configurations 2215 shuffledSuites = removeRC4Ciphers(shuffledSuites) 2216 } else { 2217 p.TLSVersMin = VersionTLS10 2218 p.TLSVersMax = VersionTLS12 2219 } 2220 2221 p.CipherSuites = removeRandomCiphers(r, shuffledSuites, id.Weights.CipherSuites_Remove_RandomCiphers) 2222 2223 sni := SNIExtension{serverName} 2224 sessionTicket := SessionTicketExtension{Session: session} 2225 2226 sigAndHashAlgos := []SignatureScheme{ 2227 ECDSAWithP256AndSHA256, 2228 PKCS1WithSHA256, 2229 ECDSAWithP384AndSHA384, 2230 PKCS1WithSHA384, 2231 PKCS1WithSHA1, 2232 PKCS1WithSHA512, 2233 } 2234 2235 if r.FlipWeightedCoin(id.Weights.SigAndHashAlgos_Append_ECDSAWithSHA1) { 2236 sigAndHashAlgos = append(sigAndHashAlgos, ECDSAWithSHA1) 2237 } 2238 if r.FlipWeightedCoin(id.Weights.SigAndHashAlgos_Append_ECDSAWithP521AndSHA512) { 2239 sigAndHashAlgos = append(sigAndHashAlgos, ECDSAWithP521AndSHA512) 2240 } 2241 if r.FlipWeightedCoin(id.Weights.SigAndHashAlgos_Append_PSSWithSHA256) || p.TLSVersMax == VersionTLS13 { 2242 // https://tools.ietf.org/html/rfc8446 says "...RSASSA-PSS (which is mandatory in TLS 1.3)..." 
2243 sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA256) 2244 if r.FlipWeightedCoin(id.Weights.SigAndHashAlgos_Append_PSSWithSHA384_PSSWithSHA512) { 2245 // these usually go together 2246 sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA384) 2247 sigAndHashAlgos = append(sigAndHashAlgos, PSSWithSHA512) 2248 } 2249 } 2250 2251 r.rand.Shuffle(len(sigAndHashAlgos), func(i, j int) { 2252 sigAndHashAlgos[i], sigAndHashAlgos[j] = sigAndHashAlgos[j], sigAndHashAlgos[i] 2253 }) 2254 sigAndHash := SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: sigAndHashAlgos} 2255 2256 status := StatusRequestExtension{} 2257 sct := SCTExtension{} 2258 ems := UtlsExtendedMasterSecretExtension{} 2259 points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}} 2260 2261 curveIDs := []CurveID{} 2262 if r.FlipWeightedCoin(id.Weights.CurveIDs_Append_X25519) || p.TLSVersMax == VersionTLS13 { 2263 curveIDs = append(curveIDs, X25519) 2264 } 2265 curveIDs = append(curveIDs, CurveP256, CurveP384) 2266 if r.FlipWeightedCoin(id.Weights.CurveIDs_Append_CurveP521) { 2267 curveIDs = append(curveIDs, CurveP521) 2268 } 2269 2270 curves := SupportedCurvesExtension{curveIDs} 2271 2272 padding := UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle} 2273 reneg := RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient} 2274 2275 p.Extensions = []TLSExtension{ 2276 &sni, 2277 &sessionTicket, 2278 &sigAndHash, 2279 &points, 2280 &curves, 2281 } 2282 2283 if WithALPN { 2284 if len(nextProtos) == 0 { 2285 // if user didn't specify alpn yet, choose something popular 2286 nextProtos = []string{"h2", "http/1.1"} 2287 } 2288 alpn := ALPNExtension{AlpnProtocols: nextProtos} 2289 p.Extensions = append(p.Extensions, &alpn) 2290 } 2291 2292 if r.FlipWeightedCoin(id.Weights.Extensions_Append_Padding) || p.TLSVersMax == VersionTLS13 { 2293 // always include for TLS 1.3, since TLS 1.3 ClientHellos are often over 256 bytes 2294 // and that's when padding is required to 
work around buggy middleboxes 2295 p.Extensions = append(p.Extensions, &padding) 2296 } 2297 if r.FlipWeightedCoin(id.Weights.Extensions_Append_Status) { 2298 p.Extensions = append(p.Extensions, &status) 2299 } 2300 if r.FlipWeightedCoin(id.Weights.Extensions_Append_SCT) { 2301 p.Extensions = append(p.Extensions, &sct) 2302 } 2303 if r.FlipWeightedCoin(id.Weights.Extensions_Append_Reneg) { 2304 p.Extensions = append(p.Extensions, &reneg) 2305 } 2306 if r.FlipWeightedCoin(id.Weights.Extensions_Append_EMS) { 2307 p.Extensions = append(p.Extensions, &ems) 2308 } 2309 if p.TLSVersMax == VersionTLS13 { 2310 ks := KeyShareExtension{[]KeyShare{ 2311 {Group: X25519}, // the key for the group will be generated later 2312 }} 2313 if r.FlipWeightedCoin(id.Weights.FirstKeyShare_Set_CurveP256) { 2314 // do not ADD second keyShare because crypto/tls does not support multiple ecdheParams 2315 // TODO: add it back when they implement multiple keyShares, or implement it oursevles 2316 // ks.KeyShares = append(ks.KeyShares, KeyShare{Group: CurveP256}) 2317 ks.KeyShares[0].Group = CurveP256 2318 } 2319 pskExchangeModes := PSKKeyExchangeModesExtension{[]uint8{pskModeDHE}} 2320 supportedVersionsExt := SupportedVersionsExtension{ 2321 Versions: makeSupportedVersions(p.TLSVersMin, p.TLSVersMax), 2322 } 2323 p.Extensions = append(p.Extensions, &ks, &pskExchangeModes, &supportedVersionsExt) 2324 2325 // Randomly add an ALPS extension. ALPS is TLS 1.3-only and may only 2326 // appear when an ALPN extension is present 2327 // (https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-3). 2328 // ALPS is a draft specification at this time, but appears in 2329 // Chrome/BoringSSL. 2330 if WithALPN { 2331 2332 // ALPS is a new addition to generateRandomizedSpec. Use a salted 2333 // seed to create a new, independent PRNG, so that a seed used 2334 // with the previous version of generateRandomizedSpec will 2335 // produce the exact same spec as long as ALPS isn't selected. 
2336 r, err := newPRNGWithSaltedSeed(id.Seed, "ALPS") 2337 if err != nil { 2338 return p, err 2339 } 2340 if r.FlipWeightedCoin(id.Weights.Extensions_Append_ALPS) { 2341 // As with the ALPN case above, default to something popular 2342 // (unlike ALPN, ALPS can't yet be specified in uconn.config). 2343 alps := &ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}} 2344 p.Extensions = append(p.Extensions, alps) 2345 } 2346 } 2347 2348 // TODO: randomly add DelegatedCredentialsExtension, once it is 2349 // sufficiently popular. 2350 } 2351 r.rand.Shuffle(len(p.Extensions), func(i, j int) { 2352 p.Extensions[i], p.Extensions[j] = p.Extensions[j], p.Extensions[i] 2353 }) 2354 2355 return p, nil 2356 } 2357 2358 func removeRandomCiphers(r *prng, s []uint16, maxRemovalProbability float64) []uint16 { 2359 // removes elements in place 2360 // probability to remove increases for further elements 2361 // never remove first cipher 2362 if len(s) <= 1 { 2363 return s 2364 } 2365 2366 // remove random elements 2367 floatLen := float64(len(s)) 2368 sliceLen := len(s) 2369 for i := 1; i < sliceLen; i++ { 2370 if r.FlipWeightedCoin(maxRemovalProbability * float64(i) / floatLen) { 2371 s = append(s[:i], s[i+1:]...) 
2372 sliceLen-- 2373 i-- 2374 } 2375 } 2376 return s[:sliceLen] 2377 } 2378 2379 func shuffledCiphers(r *prng) ([]uint16, error) { 2380 ciphers := make(sortableCiphers, len(cipherSuites)) 2381 perm := r.Perm(len(cipherSuites)) 2382 for i, suite := range cipherSuites { 2383 ciphers[i] = sortableCipher{suite: suite.id, 2384 isObsolete: ((suite.flags & suiteTLS12) == 0), 2385 randomTag: perm[i]} 2386 } 2387 sort.Sort(ciphers) 2388 return ciphers.GetCiphers(), nil 2389 } 2390 2391 type sortableCipher struct { 2392 isObsolete bool 2393 randomTag int 2394 suite uint16 2395 } 2396 2397 type sortableCiphers []sortableCipher 2398 2399 func (ciphers sortableCiphers) Len() int { 2400 return len(ciphers) 2401 } 2402 2403 func (ciphers sortableCiphers) Less(i, j int) bool { 2404 if ciphers[i].isObsolete && !ciphers[j].isObsolete { 2405 return false 2406 } 2407 if ciphers[j].isObsolete && !ciphers[i].isObsolete { 2408 return true 2409 } 2410 return ciphers[i].randomTag < ciphers[j].randomTag 2411 } 2412 2413 func (ciphers sortableCiphers) Swap(i, j int) { 2414 ciphers[i], ciphers[j] = ciphers[j], ciphers[i] 2415 } 2416 2417 func (ciphers sortableCiphers) GetCiphers() []uint16 { 2418 cipherIDs := make([]uint16, len(ciphers)) 2419 for i := range ciphers { 2420 cipherIDs[i] = ciphers[i].suite 2421 } 2422 return cipherIDs 2423 } 2424 2425 func removeRC4Ciphers(s []uint16) []uint16 { 2426 // removes elements in place 2427 sliceLen := len(s) 2428 for i := 0; i < sliceLen; i++ { 2429 cipher := s[i] 2430 if cipher == TLS_ECDHE_ECDSA_WITH_RC4_128_SHA || 2431 cipher == TLS_ECDHE_RSA_WITH_RC4_128_SHA || 2432 cipher == TLS_RSA_WITH_RC4_128_SHA { 2433 s = append(s[:i], s[i+1:]...) 2434 sliceLen-- 2435 i-- 2436 } 2437 } 2438 return s[:sliceLen] 2439 }