github.com/metacubex/mihomo@v1.18.5/component/sniffer/quic_sniffer.go (about) 1 package sniffer 2 3 import ( 4 "crypto" 5 "crypto/aes" 6 "crypto/cipher" 7 "encoding/binary" 8 "errors" 9 "io" 10 11 "github.com/metacubex/mihomo/common/buf" 12 "github.com/metacubex/mihomo/common/utils" 13 C "github.com/metacubex/mihomo/constant" 14 15 "github.com/metacubex/quic-go/quicvarint" 16 "golang.org/x/crypto/hkdf" 17 ) 18 19 // Modified from https://github.com/v2fly/v2ray-core/blob/master/common/protocol/quic/sniff.go 20 21 const ( 22 versionDraft29 uint32 = 0xff00001d 23 version1 uint32 = 0x1 24 ) 25 26 var ( 27 quicSaltOld = []byte{0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99} 28 quicSalt = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a} 29 errNotQuic = errors.New("not QUIC") 30 errNotQuicInitial = errors.New("not QUIC initial packet") 31 ) 32 33 type QuicSniffer struct { 34 *BaseSniffer 35 } 36 37 func NewQuicSniffer(snifferConfig SnifferConfig) (*QuicSniffer, error) { 38 ports := snifferConfig.Ports 39 if len(ports) == 0 { 40 ports = utils.IntRanges[uint16]{utils.NewRange[uint16](443, 443)} 41 } 42 return &QuicSniffer{ 43 BaseSniffer: NewBaseSniffer(ports, C.UDP), 44 }, nil 45 } 46 47 func (quic QuicSniffer) Protocol() string { 48 return "quic" 49 } 50 51 func (quic QuicSniffer) SupportNetwork() C.NetWork { 52 return C.UDP 53 } 54 55 func (quic QuicSniffer) SniffData(b []byte) (string, error) { 56 buffer := buf.As(b) 57 typeByte, err := buffer.ReadByte() 58 if err != nil { 59 return "", errNotQuic 60 } 61 isLongHeader := typeByte&0x80 > 0 62 if !isLongHeader || typeByte&0x40 == 0 { 63 return "", errNotQuicInitial 64 } 65 66 vb, err := buffer.ReadBytes(4) 67 if err != nil { 68 return "", errNotQuic 69 } 70 71 versionNumber := binary.BigEndian.Uint32(vb) 72 73 if versionNumber != 0 && typeByte&0x40 == 0 { 74 return "", errNotQuic 75 } else if versionNumber != versionDraft29 && versionNumber != version1 { 76 return "", errNotQuic 77 } 78 79 if (typeByte&0x30)>>4 != 0x0 { 80 return "", errNotQuicInitial 81 } 82 83 var destConnID []byte 84 if l, err := buffer.ReadByte(); err != nil { 85 return "", errNotQuic 86 } else if destConnID, err = buffer.ReadBytes(int(l)); err != nil { 87 return "", errNotQuic 88 } 89 90 if l, err := buffer.ReadByte(); err != nil { 91 return "", errNotQuic 92 } else if _, err := buffer.ReadBytes(int(l)); err != nil { 93 return "", errNotQuic 94 } 95 96 tokenLen, err := quicvarint.Read(buffer) 97 if err != nil || tokenLen > uint64(len(b)) { 98 return "", errNotQuic 99 } 100 101 if _, err = buffer.ReadBytes(int(tokenLen)); err != nil { 102 return "", errNotQuic 103 } 104 105 packetLen, err := quicvarint.Read(buffer) 106 if err != nil { 107 return "", errNotQuic 108 } 109 110 hdrLen := len(b) - buffer.Len() 111 112 var salt []byte 113 if versionNumber == version1 { 114 salt = quicSalt 115 } else { 116 salt = quicSaltOld 117 } 118 initialSecret := hkdf.Extract(crypto.SHA256.New, destConnID, salt) 119 secret := hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size()) 120 hpKey := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic hp", 16) 121 block, err := aes.NewCipher(hpKey) 122 if err != nil { 123 return "", err 124 } 125 126 cache := buf.NewPacket() 127 defer cache.Release() 128 129 mask := cache.Extend(block.BlockSize()) 130 block.Encrypt(mask, b[hdrLen+4:hdrLen+4+16]) 131 firstByte := b[0] 132 // Encrypt/decrypt first byte. 133 if isLongHeader { 134 // Long header: 4 bits masked 135 // High 4 bits are not protected. 136 firstByte ^= mask[0] & 0x0f 137 } else { 138 // Short header: 5 bits masked 139 // High 3 bits are not protected. 140 firstByte ^= mask[0] & 0x1f 141 } 142 packetNumberLength := int(firstByte&0x3 + 1) // max = 4 (64-bit sequence number) 143 extHdrLen := hdrLen + packetNumberLength 144 145 // copy to avoid modify origin data 146 extHdr := cache.Extend(extHdrLen) 147 copy(extHdr, b) 148 extHdr[0] = firstByte 149 150 packetNumber := extHdr[hdrLen:extHdrLen] 151 // Encrypt/decrypt packet number. 152 for i := range packetNumber { 153 packetNumber[i] ^= mask[1+i] 154 } 155 156 if packetNumber[0] != 0 && packetNumber[0] != 1 { 157 return "", errNotQuicInitial 158 } 159 160 data := b[extHdrLen : int(packetLen)+hdrLen] 161 162 key := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16) 163 iv := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12) 164 aesCipher, err := aes.NewCipher(key) 165 if err != nil { 166 return "", err 167 } 168 aead, err := cipher.NewGCM(aesCipher) 169 if err != nil { 170 return "", err 171 } 172 // We only decrypt once, so we do not need to XOR it back. 173 // https://github.com/quic-go/qtls-go1-20/blob/e132a0e6cb45e20ac0b705454849a11d09ba5a54/cipher_suites.go#L496 174 for i, b := range packetNumber { 175 iv[len(iv)-len(packetNumber)+i] ^= b 176 } 177 dst := cache.Extend(len(data)) 178 decrypted, err := aead.Open(dst[:0], iv, data, extHdr) 179 if err != nil { 180 return "", err 181 } 182 buffer = buf.As(decrypted) 183 184 cryptoLen := uint(0) 185 cryptoData := cache.Extend(buffer.Len()) 186 for i := 0; !buffer.IsEmpty(); i++ { 187 frameType := byte(0x0) // Default to PADDING frame 188 for frameType == 0x0 && !buffer.IsEmpty() { 189 frameType, _ = buffer.ReadByte() 190 } 191 switch frameType { 192 case 0x00: // PADDING frame 193 case 0x01: // PING frame 194 case 0x02, 0x03: // ACK frame 195 if _, err = quicvarint.Read(buffer); err != nil { // Field: Largest Acknowledged 196 return "", io.ErrUnexpectedEOF 197 } 198 if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Delay 199 return "", io.ErrUnexpectedEOF 200 } 201 ackRangeCount, err := quicvarint.Read(buffer) // Field: ACK Range Count 202 if err != nil { 203 return "", io.ErrUnexpectedEOF 204 } 205 if _, err = quicvarint.Read(buffer); err != nil { // Field: First ACK Range 206 return "", io.ErrUnexpectedEOF 207 } 208 for i := 0; i < int(ackRangeCount); i++ { // Field: ACK Range 209 if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> Gap 210 return "", io.ErrUnexpectedEOF 211 } 212 if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> ACK Range Length 213 return "", io.ErrUnexpectedEOF 214 } 215 } 216 if frameType == 0x03 { 217 if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT0 Count 218 return "", io.ErrUnexpectedEOF 219 } 220 if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT1 Count 221 return "", io.ErrUnexpectedEOF 222 } 223 if _, err = quicvarint.Read(buffer); err != nil { //nolint:misspell // Field: ECN Counts -> ECT-CE Count 224 return "", io.ErrUnexpectedEOF 225 } 226 } 227 case 0x06: // CRYPTO frame, we will use this frame 228 offset, err := quicvarint.Read(buffer) // Field: Offset 229 if err != nil { 230 return "", io.ErrUnexpectedEOF 231 } 232 length, err := quicvarint.Read(buffer) // Field: Length 233 if err != nil || length > uint64(buffer.Len()) { 234 return "", io.ErrUnexpectedEOF 235 } 236 if cryptoLen < uint(offset+length) { 237 cryptoLen = uint(offset + length) 238 } 239 if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data 240 return "", io.ErrUnexpectedEOF 241 } 242 case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet 243 if _, err = quicvarint.Read(buffer); err != nil { // Field: Error Code 244 return "", io.ErrUnexpectedEOF 245 } 246 if _, err = quicvarint.Read(buffer); err != nil { // Field: Frame Type 247 return "", io.ErrUnexpectedEOF 248 } 249 length, err := quicvarint.Read(buffer) // Field: Reason Phrase Length 250 if err != nil { 251 return "", io.ErrUnexpectedEOF 252 } 253 if _, err := buffer.ReadBytes(int(length)); err != nil { // Field: Reason Phrase 254 return "", io.ErrUnexpectedEOF 255 } 256 default: 257 // Only above frame types are permitted in initial packet. 258 // See https://www.rfc-editor.org/rfc/rfc9000.html#section-17.2.2-8 259 return "", errNotQuicInitial 260 } 261 } 262 263 domain, err := ReadClientHello(cryptoData[:cryptoLen]) 264 if err != nil { 265 return "", err 266 } 267 268 return *domain, nil 269 } 270 271 func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte { 272 b := make([]byte, 3, 3+6+len(label)+1+len(context)) 273 binary.BigEndian.PutUint16(b, uint16(length)) 274 b[2] = uint8(6 + len(label)) 275 b = append(b, []byte("tls13 ")...) 276 b = append(b, []byte(label)...) 277 b = b[:3+6+len(label)+1] 278 b[3+6+len(label)] = uint8(len(context)) 279 b = append(b, context...) 280 281 out := make([]byte, length) 282 n, err := hkdf.Expand(hash.New, secret, b).Read(out) 283 if err != nil || n != length { 284 panic("quic: HKDF-Expand-Label invocation failed unexpectedly") 285 } 286 return out 287 }