chore: shadowtls don't depend on trojan's code
This commit is contained in:
parent
0c9a23a53c
commit
0069513780
2 changed files with 58 additions and 31 deletions
|
@ -2,6 +2,7 @@ package outbound
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
|
@ -9,11 +10,11 @@ import (
|
|||
|
||||
"github.com/Dreamacro/clash/common/structure"
|
||||
"github.com/Dreamacro/clash/component/dialer"
|
||||
tlsC "github.com/Dreamacro/clash/component/tls"
|
||||
C "github.com/Dreamacro/clash/constant"
|
||||
"github.com/Dreamacro/clash/transport/shadowtls"
|
||||
obfs "github.com/Dreamacro/clash/transport/simple-obfs"
|
||||
"github.com/Dreamacro/clash/transport/socks5"
|
||||
"github.com/Dreamacro/clash/transport/trojan"
|
||||
v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
|
||||
|
||||
shadowsocks "github.com/metacubex/sing-shadowsocks"
|
||||
|
@ -33,7 +34,7 @@ type ShadowSocks struct {
|
|||
obfsOption *simpleObfsOption
|
||||
v2rayOption *v2rayObfs.Option
|
||||
shadowTLSOption *shadowTLSOption
|
||||
tlsConnector *trojan.Trojan
|
||||
tlsConfig *tls.Config
|
||||
}
|
||||
|
||||
type ShadowSocksOption struct {
|
||||
|
@ -66,8 +67,10 @@ type v2rayObfsOption struct {
|
|||
}
|
||||
|
||||
type shadowTLSOption struct {
|
||||
Password string `obfs:"password"`
|
||||
Host string `obfs:"host"`
|
||||
Password string `obfs:"password"`
|
||||
Host string `obfs:"host"`
|
||||
Fingerprint string `obfs:"fingerprint,omitempty"`
|
||||
SkipCertVerify bool `obfs:"skip-cert-verify,omitempty"`
|
||||
}
|
||||
|
||||
// StreamConn implements C.ProxyAdapter
|
||||
|
@ -85,10 +88,7 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
|
|||
return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
|
||||
}
|
||||
case shadowtls.Mode:
|
||||
if ss.tlsConnector == nil {
|
||||
ss.tlsConnector = trojan.New(&trojan.Option{ServerName: ss.shadowTLSOption.Host, SkipCertVerify: false})
|
||||
}
|
||||
c = shadowtls.NewShadowTls(c, ss.shadowTLSOption.Password, ss.tlsConnector)
|
||||
c = shadowtls.NewShadowTLS(c, ss.shadowTLSOption.Password, ss.tlsConfig)
|
||||
}
|
||||
if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
|
||||
return ss.method.DialConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443"))
|
||||
|
@ -172,6 +172,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
|
|||
var v2rayOption *v2rayObfs.Option
|
||||
var obfsOption *simpleObfsOption
|
||||
var shadowTLSOpt *shadowTLSOption
|
||||
var tlsConfig *tls.Config
|
||||
obfsMode := ""
|
||||
|
||||
decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
|
||||
|
@ -213,6 +214,21 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
|
|||
if err := decoder.Decode(option.PluginOpts, shadowTLSOpt); err != nil {
|
||||
return nil, fmt.Errorf("ss %s initialize shadow-tls-plugin error: %w", addr, err)
|
||||
}
|
||||
|
||||
tlsConfig = &tls.Config{
|
||||
NextProtos: shadowtls.DefaultALPN,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
InsecureSkipVerify: shadowTLSOpt.SkipCertVerify,
|
||||
ServerName: shadowTLSOpt.Host,
|
||||
}
|
||||
|
||||
if len(shadowTLSOpt.Fingerprint) == 0 {
|
||||
tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
|
||||
} else {
|
||||
if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, shadowTLSOpt.Fingerprint); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return &ShadowSocks{
|
||||
|
@ -232,6 +248,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
|
|||
v2rayOption: v2rayOption,
|
||||
obfsOption: obfsOption,
|
||||
shadowTLSOption: shadowTLSOpt,
|
||||
tlsConfig: tlsConfig,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
package shadowtls
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/hmac"
|
||||
"crypto/sha1"
|
||||
"crypto/tls"
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"hash"
|
||||
|
@ -10,7 +12,7 @@ import (
|
|||
"net"
|
||||
|
||||
"github.com/Dreamacro/clash/common/pool"
|
||||
"github.com/Dreamacro/clash/transport/trojan"
|
||||
C "github.com/Dreamacro/clash/constant"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -20,13 +22,17 @@ const (
|
|||
tlsHeaderLen int = 5
|
||||
)
|
||||
|
||||
// TLSObfs is shadowsocks tls simple-obfs implementation
|
||||
type ShadowTls struct {
|
||||
var (
|
||||
DefaultALPN = []string{"h2", "http/1.1"}
|
||||
)
|
||||
|
||||
// ShadowTLS is shadow-tls implementation
|
||||
type ShadowTLS struct {
|
||||
net.Conn
|
||||
password []byte
|
||||
remain int
|
||||
firstRequest bool
|
||||
tlsConnector *trojan.Trojan
|
||||
tlsConfig *tls.Config
|
||||
}
|
||||
|
||||
type HashedConn struct {
|
||||
|
@ -47,9 +53,9 @@ func (h HashedConn) Read(b []byte) (n int, err error) {
|
|||
return
|
||||
}
|
||||
|
||||
func (to *ShadowTls) read(b []byte) (int, error) {
|
||||
func (s *ShadowTLS) read(b []byte) (int, error) {
|
||||
buf := pool.Get(tlsHeaderLen)
|
||||
_, err := io.ReadFull(to.Conn, buf)
|
||||
_, err := io.ReadFull(s.Conn, buf)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("shadowtls read failed %w", err)
|
||||
}
|
||||
|
@ -60,36 +66,36 @@ func (to *ShadowTls) read(b []byte) (int, error) {
|
|||
pool.Put(buf)
|
||||
|
||||
if length > len(b) {
|
||||
n, err := to.Conn.Read(b)
|
||||
n, err := s.Conn.Read(b)
|
||||
if err != nil {
|
||||
return n, err
|
||||
}
|
||||
to.remain = length - n
|
||||
s.remain = length - n
|
||||
return n, nil
|
||||
}
|
||||
|
||||
return io.ReadFull(to.Conn, b[:length])
|
||||
return io.ReadFull(s.Conn, b[:length])
|
||||
}
|
||||
|
||||
func (to *ShadowTls) Read(b []byte) (int, error) {
|
||||
if to.remain > 0 {
|
||||
length := to.remain
|
||||
func (s *ShadowTLS) Read(b []byte) (int, error) {
|
||||
if s.remain > 0 {
|
||||
length := s.remain
|
||||
if length > len(b) {
|
||||
length = len(b)
|
||||
}
|
||||
|
||||
n, err := io.ReadFull(to.Conn, b[:length])
|
||||
n, err := io.ReadFull(s.Conn, b[:length])
|
||||
if err != nil {
|
||||
return n, fmt.Errorf("shadowtls Read failed with %w", err)
|
||||
}
|
||||
to.remain -= n
|
||||
s.remain -= n
|
||||
return n, nil
|
||||
}
|
||||
|
||||
return to.read(b)
|
||||
return s.read(b)
|
||||
}
|
||||
|
||||
func (to *ShadowTls) Write(b []byte) (int, error) {
|
||||
func (s *ShadowTLS) Write(b []byte) (int, error) {
|
||||
length := len(b)
|
||||
for i := 0; i < length; i += chunkSize {
|
||||
end := i + chunkSize
|
||||
|
@ -97,7 +103,7 @@ func (to *ShadowTls) Write(b []byte) (int, error) {
|
|||
end = length
|
||||
}
|
||||
|
||||
n, err := to.write(b[i:end])
|
||||
n, err := s.write(b[i:end])
|
||||
if err != nil {
|
||||
return n, fmt.Errorf("shadowtls Write failed with %w, i=%d, end=%d, n=%d", err, i, end, n)
|
||||
}
|
||||
|
@ -105,11 +111,15 @@ func (to *ShadowTls) Write(b []byte) (int, error) {
|
|||
return length, nil
|
||||
}
|
||||
|
||||
func (s *ShadowTls) write(b []byte) (int, error) {
|
||||
func (s *ShadowTLS) write(b []byte) (int, error) {
|
||||
var hashVal []byte
|
||||
if s.firstRequest {
|
||||
hashedConn := newHashedStream(s.Conn, s.password)
|
||||
if _, err := s.tlsConnector.StreamConn(hashedConn); err != nil {
|
||||
tlsConn := tls.Client(hashedConn, s.tlsConfig)
|
||||
// fix tls handshake not timeout
|
||||
ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
|
||||
defer cancel()
|
||||
if err := tlsConn.HandshakeContext(ctx); err != nil {
|
||||
return 0, fmt.Errorf("tls connect failed with %w", err)
|
||||
}
|
||||
hashVal = hashedConn.hasher.Sum(nil)[:hashLen]
|
||||
|
@ -131,12 +141,12 @@ func (s *ShadowTls) write(b []byte) (int, error) {
|
|||
return len(b), nil
|
||||
}
|
||||
|
||||
// NewShadowTls return a ShadowTls
|
||||
func NewShadowTls(conn net.Conn, password string, tlsConnector *trojan.Trojan) net.Conn {
|
||||
return &ShadowTls{
|
||||
// NewShadowTLS return a ShadowTLS
|
||||
func NewShadowTLS(conn net.Conn, password string, tlsConfig *tls.Config) net.Conn {
|
||||
return &ShadowTLS{
|
||||
Conn: conn,
|
||||
password: []byte(password),
|
||||
firstRequest: true,
|
||||
tlsConnector: tlsConnector,
|
||||
tlsConfig: tlsConfig,
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue