2026-02-20 12:55:26 +03:00
|
|
|
use crate::crypto::{sha256_hmac, SecureRandom};
|
|
|
|
|
use crate::protocol::constants::{
|
|
|
|
|
TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE, TLS_VERSION,
|
|
|
|
|
};
|
|
|
|
|
use crate::protocol::tls::{TLS_DIGEST_LEN, TLS_DIGEST_POS, gen_fake_x25519_key};
|
|
|
|
|
use crate::tls_front::types::CachedTlsData;
|
|
|
|
|
|
2026-02-20 16:32:14 +03:00
|
|
|
const MIN_APP_DATA: usize = 64;
|
|
|
|
|
const MAX_APP_DATA: usize = 16640; // RFC 8446 §5.2 allows up to 2^14 + 256
|
|
|
|
|
|
|
|
|
|
fn jitter_and_clamp_sizes(sizes: &[usize], rng: &SecureRandom) -> Vec<usize> {
|
|
|
|
|
sizes
|
|
|
|
|
.iter()
|
|
|
|
|
.map(|&size| {
|
|
|
|
|
let base = size.max(MIN_APP_DATA).min(MAX_APP_DATA);
|
|
|
|
|
let jitter_range = ((base as f64) * 0.03).round() as i64;
|
|
|
|
|
if jitter_range == 0 {
|
|
|
|
|
return base;
|
|
|
|
|
}
|
|
|
|
|
let mut rand_bytes = [0u8; 2];
|
|
|
|
|
rand_bytes.copy_from_slice(&rng.bytes(2));
|
|
|
|
|
let span = 2 * jitter_range + 1;
|
|
|
|
|
let delta = (u16::from_le_bytes(rand_bytes) as i64 % span) - jitter_range;
|
|
|
|
|
let adjusted = (base as i64 + delta).clamp(MIN_APP_DATA as i64, MAX_APP_DATA as i64);
|
|
|
|
|
adjusted as usize
|
|
|
|
|
})
|
|
|
|
|
.collect()
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-20 12:55:26 +03:00
|
|
|
/// Build a ServerHello + CCS + ApplicationData sequence using cached TLS metadata.
|
|
|
|
|
pub fn build_emulated_server_hello(
|
|
|
|
|
secret: &[u8],
|
|
|
|
|
client_digest: &[u8; TLS_DIGEST_LEN],
|
|
|
|
|
session_id: &[u8],
|
|
|
|
|
cached: &CachedTlsData,
|
|
|
|
|
rng: &SecureRandom,
|
|
|
|
|
) -> Vec<u8> {
|
|
|
|
|
// --- ServerHello ---
|
|
|
|
|
let mut extensions = Vec::new();
|
|
|
|
|
// KeyShare (x25519)
|
|
|
|
|
let key = gen_fake_x25519_key(rng);
|
|
|
|
|
extensions.extend_from_slice(&0x0033u16.to_be_bytes()); // key_share
|
|
|
|
|
extensions.extend_from_slice(&(2 + 2 + 32u16).to_be_bytes()); // len
|
|
|
|
|
extensions.extend_from_slice(&0x001du16.to_be_bytes()); // X25519
|
|
|
|
|
extensions.extend_from_slice(&(32u16).to_be_bytes());
|
|
|
|
|
extensions.extend_from_slice(&key);
|
|
|
|
|
// supported_versions (TLS1.3)
|
|
|
|
|
extensions.extend_from_slice(&0x002bu16.to_be_bytes());
|
|
|
|
|
extensions.extend_from_slice(&(2u16).to_be_bytes());
|
|
|
|
|
extensions.extend_from_slice(&0x0304u16.to_be_bytes());
|
|
|
|
|
|
|
|
|
|
let extensions_len = extensions.len() as u16;
|
|
|
|
|
|
|
|
|
|
let body_len = 2 + // version
|
|
|
|
|
32 + // random
|
|
|
|
|
1 + session_id.len() + // session id
|
|
|
|
|
2 + // cipher
|
|
|
|
|
1 + // compression
|
|
|
|
|
2 + extensions.len(); // extensions
|
|
|
|
|
|
|
|
|
|
let mut message = Vec::with_capacity(4 + body_len);
|
|
|
|
|
message.push(0x02); // ServerHello
|
|
|
|
|
let len_bytes = (body_len as u32).to_be_bytes();
|
|
|
|
|
message.extend_from_slice(&len_bytes[1..4]);
|
|
|
|
|
message.extend_from_slice(&cached.server_hello_template.version); // 0x0303
|
|
|
|
|
message.extend_from_slice(&[0u8; 32]); // random placeholder
|
|
|
|
|
message.push(session_id.len() as u8);
|
|
|
|
|
message.extend_from_slice(session_id);
|
2026-02-20 14:32:09 +03:00
|
|
|
let cipher = if cached.server_hello_template.cipher_suite == [0, 0] {
|
|
|
|
|
[0x13, 0x01]
|
|
|
|
|
} else {
|
|
|
|
|
cached.server_hello_template.cipher_suite
|
|
|
|
|
};
|
|
|
|
|
message.extend_from_slice(&cipher);
|
2026-02-20 12:55:26 +03:00
|
|
|
message.push(cached.server_hello_template.compression);
|
|
|
|
|
message.extend_from_slice(&extensions_len.to_be_bytes());
|
|
|
|
|
message.extend_from_slice(&extensions);
|
|
|
|
|
|
|
|
|
|
let mut server_hello = Vec::with_capacity(5 + message.len());
|
|
|
|
|
server_hello.push(TLS_RECORD_HANDSHAKE);
|
|
|
|
|
server_hello.extend_from_slice(&TLS_VERSION);
|
|
|
|
|
server_hello.extend_from_slice(&(message.len() as u16).to_be_bytes());
|
|
|
|
|
server_hello.extend_from_slice(&message);
|
|
|
|
|
|
|
|
|
|
// --- ChangeCipherSpec ---
|
|
|
|
|
let change_cipher_spec = [
|
|
|
|
|
TLS_RECORD_CHANGE_CIPHER,
|
|
|
|
|
TLS_VERSION[0],
|
|
|
|
|
TLS_VERSION[1],
|
|
|
|
|
0x00,
|
|
|
|
|
0x01,
|
|
|
|
|
0x01,
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// --- ApplicationData (fake encrypted records) ---
|
2026-02-20 14:32:09 +03:00
|
|
|
// Use the same number and sizes of ApplicationData records as the cached server.
|
|
|
|
|
let mut sizes = cached.app_data_records_sizes.clone();
|
|
|
|
|
if sizes.is_empty() {
|
|
|
|
|
sizes.push(cached.total_app_data_len.max(1024));
|
|
|
|
|
}
|
2026-02-20 16:32:14 +03:00
|
|
|
let sizes = jitter_and_clamp_sizes(&sizes, rng);
|
2026-02-20 12:55:26 +03:00
|
|
|
|
|
|
|
|
let mut app_data = Vec::new();
|
|
|
|
|
for size in sizes {
|
|
|
|
|
let mut rec = Vec::with_capacity(5 + size);
|
|
|
|
|
rec.push(TLS_RECORD_APPLICATION);
|
|
|
|
|
rec.extend_from_slice(&TLS_VERSION);
|
|
|
|
|
rec.extend_from_slice(&(size as u16).to_be_bytes());
|
2026-02-20 16:32:14 +03:00
|
|
|
if size > 17 {
|
|
|
|
|
let body_len = size - 17;
|
|
|
|
|
rec.extend_from_slice(&rng.bytes(body_len));
|
|
|
|
|
rec.push(0x16); // inner content type marker (handshake)
|
|
|
|
|
rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
|
|
|
|
|
} else {
|
|
|
|
|
rec.extend_from_slice(&rng.bytes(size));
|
|
|
|
|
}
|
2026-02-20 12:55:26 +03:00
|
|
|
app_data.extend_from_slice(&rec);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// --- Combine ---
|
|
|
|
|
let mut response = Vec::with_capacity(server_hello.len() + change_cipher_spec.len() + app_data.len());
|
|
|
|
|
response.extend_from_slice(&server_hello);
|
|
|
|
|
response.extend_from_slice(&change_cipher_spec);
|
|
|
|
|
response.extend_from_slice(&app_data);
|
|
|
|
|
|
|
|
|
|
// --- HMAC ---
|
|
|
|
|
let mut hmac_input = Vec::with_capacity(TLS_DIGEST_LEN + response.len());
|
|
|
|
|
hmac_input.extend_from_slice(client_digest);
|
|
|
|
|
hmac_input.extend_from_slice(&response);
|
|
|
|
|
let digest = sha256_hmac(secret, &hmac_input);
|
|
|
|
|
response[TLS_DIGEST_POS..TLS_DIGEST_POS + TLS_DIGEST_LEN].copy_from_slice(&digest);
|
|
|
|
|
|
|
|
|
|
response
|
|
|
|
|
}
|
