github.com/v2fly/v2ray-core/v5@v5.16.2-0.20240507031116-8191faa6e095/common/protocol/quic/sniff.go (about)

     1  package quic
     2  
     3  import (
     4  	"crypto"
     5  	"crypto/aes"
     6  	"crypto/tls"
     7  	"encoding/binary"
     8  	"io"
     9  
    10  	"github.com/quic-go/quic-go/quicvarint"
    11  	"golang.org/x/crypto/hkdf"
    12  
    13  	"github.com/v2fly/v2ray-core/v5/common"
    14  	"github.com/v2fly/v2ray-core/v5/common/buf"
    15  	"github.com/v2fly/v2ray-core/v5/common/bytespool"
    16  	"github.com/v2fly/v2ray-core/v5/common/errors"
    17  	ptls "github.com/v2fly/v2ray-core/v5/common/protocol/tls"
    18  )
    19  
    20  type SniffHeader struct {
    21  	domain string
    22  }
    23  
    24  func (s SniffHeader) Protocol() string {
    25  	return "quic"
    26  }
    27  
    28  func (s SniffHeader) Domain() string {
    29  	return s.domain
    30  }
    31  
    32  const (
    33  	versionDraft29 uint32 = 0xff00001d
    34  	version1       uint32 = 0x1
    35  )
    36  
    37  var (
    38  	quicSaltOld  = []byte{0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99}
    39  	quicSalt     = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
    40  	initialSuite = &cipherSuiteTLS13{
    41  		ID:     tls.TLS_AES_128_GCM_SHA256,
    42  		KeyLen: 16,
    43  		AEAD:   aeadAESGCMTLS13,
    44  		Hash:   crypto.SHA256,
    45  	}
    46  	errNotQuic        = errors.New("not quic")
    47  	errNotQuicInitial = errors.New("not initial packet")
    48  )
    49  
    50  func SniffQUIC(b []byte) (*SniffHeader, error) {
    51  	buffer := buf.FromBytes(b)
    52  	typeByte, err := buffer.ReadByte()
    53  	if err != nil {
    54  		return nil, errNotQuic
    55  	}
    56  	isLongHeader := typeByte&0x80 > 0
    57  	if !isLongHeader || typeByte&0x40 == 0 {
    58  		return nil, errNotQuicInitial
    59  	}
    60  
    61  	vb, err := buffer.ReadBytes(4)
    62  	if err != nil {
    63  		return nil, errNotQuic
    64  	}
    65  
    66  	versionNumber := binary.BigEndian.Uint32(vb)
    67  
    68  	if versionNumber != 0 && typeByte&0x40 == 0 {
    69  		return nil, errNotQuic
    70  	} else if versionNumber != versionDraft29 && versionNumber != version1 {
    71  		return nil, errNotQuic
    72  	}
    73  
    74  	if (typeByte&0x30)>>4 != 0x0 {
    75  		return nil, errNotQuicInitial
    76  	}
    77  
    78  	var destConnID []byte
    79  	if l, err := buffer.ReadByte(); err != nil {
    80  		return nil, errNotQuic
    81  	} else if destConnID, err = buffer.ReadBytes(int32(l)); err != nil {
    82  		return nil, errNotQuic
    83  	}
    84  
    85  	if l, err := buffer.ReadByte(); err != nil {
    86  		return nil, errNotQuic
    87  	} else if common.Error2(buffer.ReadBytes(int32(l))) != nil {
    88  		return nil, errNotQuic
    89  	}
    90  
    91  	tokenLen, err := quicvarint.Read(buffer)
    92  	if err != nil || tokenLen > uint64(len(b)) {
    93  		return nil, errNotQuic
    94  	}
    95  
    96  	if _, err = buffer.ReadBytes(int32(tokenLen)); err != nil {
    97  		return nil, errNotQuic
    98  	}
    99  
   100  	packetLen, err := quicvarint.Read(buffer)
   101  	if err != nil {
   102  		return nil, errNotQuic
   103  	}
   104  
   105  	hdrLen := len(b) - int(buffer.Len())
   106  
   107  	origPNBytes := make([]byte, 4)
   108  	copy(origPNBytes, b[hdrLen:hdrLen+4])
   109  
   110  	var salt []byte
   111  	if versionNumber == version1 {
   112  		salt = quicSalt
   113  	} else {
   114  		salt = quicSaltOld
   115  	}
   116  	initialSecret := hkdf.Extract(crypto.SHA256.New, destConnID, salt)
   117  	secret := hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size())
   118  	hpKey := hkdfExpandLabel(initialSuite.Hash, secret, []byte{}, "quic hp", initialSuite.KeyLen)
   119  	block, err := aes.NewCipher(hpKey)
   120  	if err != nil {
   121  		return nil, err
   122  	}
   123  
   124  	cache := buf.New()
   125  	defer cache.Release()
   126  
   127  	mask := cache.Extend(int32(block.BlockSize()))
   128  	block.Encrypt(mask, b[hdrLen+4:hdrLen+4+16])
   129  	b[0] ^= mask[0] & 0xf
   130  	for i := range b[hdrLen : hdrLen+4] {
   131  		b[hdrLen+i] ^= mask[i+1]
   132  	}
   133  	packetNumberLength := b[0]&0x3 + 1
   134  	if packetNumberLength != 1 {
   135  		return nil, errNotQuicInitial
   136  	}
   137  	var packetNumber uint32
   138  	{
   139  		n, err := buffer.ReadByte()
   140  		if err != nil {
   141  			return nil, err
   142  		}
   143  		packetNumber = uint32(n)
   144  	}
   145  
   146  	if packetNumber != 0 && packetNumber != 1 {
   147  		return nil, errNotQuicInitial
   148  	}
   149  
   150  	extHdrLen := hdrLen + int(packetNumberLength)
   151  	copy(b[extHdrLen:hdrLen+4], origPNBytes[packetNumberLength:])
   152  	data := b[extHdrLen : int(packetLen)+hdrLen]
   153  
   154  	key := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
   155  	iv := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
   156  	cipher := aeadAESGCMTLS13(key, iv)
   157  	nonce := cache.Extend(int32(cipher.NonceSize()))
   158  	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], uint64(packetNumber))
   159  	decrypted, err := cipher.Open(b[extHdrLen:extHdrLen], nonce, data, b[:extHdrLen])
   160  	if err != nil {
   161  		return nil, err
   162  	}
   163  	buffer = buf.FromBytes(decrypted)
   164  
   165  	cryptoLen := uint(0)
   166  	cryptoData := bytespool.Alloc(buffer.Len())
   167  	defer bytespool.Free(cryptoData)
   168  	for i := 0; !buffer.IsEmpty(); i++ {
   169  		frameType := byte(0x0) // Default to PADDING frame
   170  		for frameType == 0x0 && !buffer.IsEmpty() {
   171  			frameType, _ = buffer.ReadByte()
   172  		}
   173  		switch frameType {
   174  		case 0x00: // PADDING frame
   175  		case 0x01: // PING frame
   176  		case 0x02, 0x03: // ACK frame
   177  			if _, err = quicvarint.Read(buffer); err != nil { // Field: Largest Acknowledged
   178  				return nil, io.ErrUnexpectedEOF
   179  			}
   180  			if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Delay
   181  				return nil, io.ErrUnexpectedEOF
   182  			}
   183  			ackRangeCount, err := quicvarint.Read(buffer) // Field: ACK Range Count
   184  			if err != nil {
   185  				return nil, io.ErrUnexpectedEOF
   186  			}
   187  			if _, err = quicvarint.Read(buffer); err != nil { // Field: First ACK Range
   188  				return nil, io.ErrUnexpectedEOF
   189  			}
   190  			for i := 0; i < int(ackRangeCount); i++ { // Field: ACK Range
   191  				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> Gap
   192  					return nil, io.ErrUnexpectedEOF
   193  				}
   194  				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> ACK Range Length
   195  					return nil, io.ErrUnexpectedEOF
   196  				}
   197  			}
   198  			if frameType == 0x03 {
   199  				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT0 Count
   200  					return nil, io.ErrUnexpectedEOF
   201  				}
   202  				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT1 Count
   203  					return nil, io.ErrUnexpectedEOF
   204  				}
   205  				if _, err = quicvarint.Read(buffer); err != nil { //nolint:misspell // Field: ECN Counts -> ECT-CE Count
   206  					return nil, io.ErrUnexpectedEOF
   207  				}
   208  			}
   209  		case 0x06: // CRYPTO frame, we will use this frame
   210  			offset, err := quicvarint.Read(buffer) // Field: Offset
   211  			if err != nil {
   212  				return nil, io.ErrUnexpectedEOF
   213  			}
   214  			length, err := quicvarint.Read(buffer) // Field: Length
   215  			if err != nil || length > uint64(buffer.Len()) {
   216  				return nil, io.ErrUnexpectedEOF
   217  			}
   218  			if cryptoLen < uint(offset+length) {
   219  				cryptoLen = uint(offset + length)
   220  			}
   221  			if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
   222  				return nil, io.ErrUnexpectedEOF
   223  			}
   224  		case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet
   225  			if _, err = quicvarint.Read(buffer); err != nil { // Field: Error Code
   226  				return nil, io.ErrUnexpectedEOF
   227  			}
   228  			if _, err = quicvarint.Read(buffer); err != nil { // Field: Frame Type
   229  				return nil, io.ErrUnexpectedEOF
   230  			}
   231  			length, err := quicvarint.Read(buffer) // Field: Reason Phrase Length
   232  			if err != nil {
   233  				return nil, io.ErrUnexpectedEOF
   234  			}
   235  			if _, err := buffer.ReadBytes(int32(length)); err != nil { // Field: Reason Phrase
   236  				return nil, io.ErrUnexpectedEOF
   237  			}
   238  		default:
   239  			// Only above frame types are permitted in initial packet.
   240  			// See https://www.rfc-editor.org/rfc/rfc9000.html#section-17.2.2-8
   241  			return nil, errNotQuicInitial
   242  		}
   243  	}
   244  
   245  	tlsHdr := &ptls.SniffHeader{}
   246  	err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
   247  	if err != nil {
   248  		return nil, err
   249  	}
   250  	return &SniffHeader{domain: tlsHdr.Domain()}, nil
   251  }
   252  
   253  func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {
   254  	b := make([]byte, 3, 3+6+len(label)+1+len(context))
   255  	binary.BigEndian.PutUint16(b, uint16(length))
   256  	b[2] = uint8(6 + len(label))
   257  	b = append(b, []byte("tls13 ")...)
   258  	b = append(b, []byte(label)...)
   259  	b = b[:3+6+len(label)+1]
   260  	b[3+6+len(label)] = uint8(len(context))
   261  	b = append(b, context...)
   262  
   263  	out := make([]byte, length)
   264  	n, err := hkdf.Expand(hash.New, secret, b).Read(out)
   265  	if err != nil || n != length {
   266  		panic("quic: HKDF-Expand-Label invocation failed unexpectedly")
   267  	}
   268  	return out
   269  }