take cert length from the masked host

2026-03-13 23:03:09 +00:00 · 2019-08-16 20:25:23 +05:00
parent 7502d1dc31
commit 59306e6e67
1 changed files with 85 additions and 0 deletions
--- a/mtprotoproxy.py
+++ b/mtprotoproxy.py
@@ -166,6 +166,9 @@ def init_config():
    # delay in seconds between time getting, zero means disabled
    conf_dict.setdefault("GET_TIME_PERIOD", 10*60)

+    # delay in seconds between getting the length of certificate on the mask host
+    conf_dict.setdefault("GET_CERT_LEN_PERIOD", random.randrange(4*60*60, 6*60*60))
+
    # max socket buffer size to the client direction, the more the faster, but more RAM hungry
    # can be the tuple (low, users_margin, high) for the adaptive case. If no much users, use high
    conf_dict.setdefault("TO_CLT_BUFSIZE", (16384, 100, 131072))
@@ -1456,6 +1459,85 @@ async def make_https_req(url, host="core.telegram.org"):
    return headers, body


+def gen_tls_client_hello_msg(server_name):
+    msg = bytearray(b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03")
+    msg += bytes([random.randrange(0, 256) for i in range(32)])
+    msg += b"\x20"
+    msg += bytes([random.randrange(0, 256) for i in range(32)])
+    msg += b"\x00\x22\x4a\x4a\x13\x01\x13\x02\x13\x03\xc0\x2b\xc0\x2f\xc0\x2c\xc0\x30\xcc\xa9"
+    msg += b"\xcc\xa8\xc0\x13\xc0\x14\x00\x9c\x00\x9d\x00\x2f\x00\x35\x00\x0a\x01\x00\x01\x91"
+    msg += b"\xda\xda\x00\x00\x00\x00"
+    msg += int.to_bytes(len(server_name) + 5, 2, "big")
+    msg += int.to_bytes(len(server_name) + 3, 2, "big") + b"\x00"
+    msg += int.to_bytes(len(server_name), 2, "big") + server_name.encode("ascii")
+    msg += b"\x00\x17\x00\x00\xff\x01\x00\x01\x00\x00\x0a\x00\x0a\x00\x08\xaa\xaa\x00\x1d\x00"
+    msg += b"\x17\x00\x18\x00\x0b\x00\x02\x01\x00\x00\x23\x00\x00\x00\x10\x00\x0e\x00\x0c\x02"
+    msg += b"\x68\x32\x08\x68\x74\x74\x70\x2f\x31\x2e\x31\x00\x05\x00\x05\x01\x00\x00\x00\x00"
+    msg += b"\x00\x0d\x00\x14\x00\x12\x04\x03\x08\x04\x04\x01\x05\x03\x08\x05\x05\x01\x08\x06"
+    msg += b"\x06\x01\x01\x01\x00\x12\x00\x00\x00\x33\x00\x2b\x00\x29\xaa\xaa\x00\x01\x00\x00"
+    msg += b"\x1d\x00\x20"
+    msg += bytes([random.randrange(0, 256) for i in range(32)])
+    msg += b"\x00\x2d\x00\x02\x01\x01\x00\x2b\x00\x0b\x0a\xba\xba\x03\x04\x03\x03\x03\x02\x03"
+    msg += b"\x01\x00\x1b\x00\x03\x02\x00\x02\x3a\x3a\x00\x01\x00\x00\x15"
+    msg += int.to_bytes(517 - len(msg) - 2, 2, "big")
+    msg += b"\x00" * (517 - len(msg))
+    return bytes(msg)
+
+
+async def get_encrypted_cert(host, port, server_name):
+    async def get_tls_record(reader):
+        record_type = (await reader.readexactly(1))[0]
+        tls_version = await reader.readexactly(2)
+        if tls_version != b"\x03\x03":
+            return 0, b""
+        record_len = int.from_bytes(await reader.readexactly(2), "big")
+        record = await reader.readexactly(record_len)
+
+        return record_type, record
+
+    reader, writer = await asyncio.open_connection(host, port)
+    writer.write(gen_tls_client_hello_msg(server_name))
+    await writer.drain()
+
+    record1_type, record1 = await get_tls_record(reader)
+    if record1_type != 22:
+        return b""
+
+    record2_type, record2 = await get_tls_record(reader)
+    if record2_type != 20:
+        return b""
+
+    record3_type, record3 = await get_tls_record(reader)
+    if record3_type != 23:
+        return b""
+
+    return record3
+
+
+async def get_mask_host_cert_len():
+    global fake_cert_len
+
+    GET_CERT_TIMEOUT = 10
+    MASK_ENABLING_CHECK_PERIOD = 60
+
+    while True:
+        try:
+            if not config.MASK:
+                # do nothing
+                await asyncio.sleep(MASK_ENABLING_CHECK_PERIOD)
+                continue
+
+            task = get_encrypted_cert(config.MASK_HOST, config.MASK_PORT, config.TLS_DOMAIN)
+            cert = await asyncio.wait_for(task, timeout=GET_CERT_TIMEOUT)
+            if cert and len(cert) != fake_cert_len:
+                print("TLS cert len updated from %d to %d" % (fake_cert_len, len(cert)), flush=True)
+                fake_cert_len = len(cert)
+        except Exception as E:
+            pass
+
+        await asyncio.sleep(config.GET_CERT_LEN_PERIOD)
+
+
 async def get_srv_time():
    TIME_SYNC_ADDR = "https://core.telegram.org/getProxySecret"
    MAX_TIME_SKEW = 30
@@ -1702,6 +1784,9 @@ def main():
            time_get_task = asyncio.Task(get_srv_time())
            asyncio.ensure_future(time_get_task)

+    get_cert_len_task = asyncio.Task(get_mask_host_cert_len())
+    asyncio.ensure_future(get_cert_len_task)
+
    reuse_port = hasattr(socket, "SO_REUSEPORT")

    if config.LISTEN_ADDR_IPV4: