Add raw DTLS fingerprints

2025-10-14 05:11:19 -04:00 · 2024-12-19 00:33:48 +01:00 · 2024-12-19 00:33:48 +01:00 · 0976198523
commit 0976198523
parent fd9f08d986
6 changed files with 60 additions and 17 deletions
--- a/proxy/README.md
+++ b/proxy/README.md
@ -48,6 +48,8 @@ Usage of ./proxy:
        maximum concurrent clients (default is to accept an unlimited number of clients)
  -covertdtls-config string
    	Configuration of dtls mimicking and randomization: mimic, randomize, randomizemimic
+  -covertdtls-fingerprint string
+    	Mimicking of a raw DTLS fingerprint
  -disable-stats-logger
        disable the exposing mechanism for stats using logs
  -dtls-randomize
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@ -430,7 +430,17 @@ func (sf *SnowflakeProxy) makeWebRTCAPI() *webrtc.API {

 	settingsEngine.SetDTLSInsecureSkipHelloVerify(true)

-	if sf.CovertDTLSConfig.Mimic {
+	if sf.CovertDTLSConfig.Fingerprint != "" {
+		mimic := &mimicry.MimickedClientHello{}
+		err := mimic.LoadFingerprint(sf.CovertDTLSConfig.Fingerprint)
+		if err != nil {
+			log.Printf("NewPeerConnection ERROR: %s", err)
+			return nil
+		}
+		profiles := utils.DefaultSRTPProtectionProfiles()
+		settingsEngine.SetSRTPProtectionProfiles(profiles...)
+		settingsEngine.SetDTLSClientHelloMessageHook(mimic.Hook)
+	} else if sf.CovertDTLSConfig.Mimic {
 		mimic := &mimicry.MimickedClientHello{}
 		if sf.CovertDTLSConfig.Randomize {
 			err := mimic.LoadRandomFingerprint()
--- a/proxy/main.go
+++ b/proxy/main.go
@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"github.com/theodorsm/covert-dtls/pkg/fingerprints"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/ptutil/safelog"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/covertdtls"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/event"
@ -47,7 +48,8 @@ func main() {
 	verboseLogging := flag.Bool("verbose", false, "increase log verbosity")
 	ephemeralPortsRangeFlag := flag.String("ephemeral-ports-range", "", "Set the `range` of ports used for client connections (format:\"<min>:<max>\").\nIf omitted, the ports will be chosen automatically.")
 	versionFlag := flag.Bool("version", false, "display version info to stderr and quit")
-	covertDTLSConfig := flag.String("covertdtls-config", "", "Configuration of dtls mimicking and randomization: mimic, randomize, randomizemimic")
+	covertDTLSConfig := flag.String("covertdtls-config", "", "Configuration of DTLS mimicking and randomization: mimic, randomize, randomizemimic")
+	covertDTLSfingerprint := flag.String("covertdtls-fingerprint", "", "Mimicking of a raw DTLS fingerprint")

 	var ephemeralPortsRange []uint16 = []uint16{0, 0}

@ -94,6 +96,15 @@ func main() {
 		}
 	}

+	var cDTLSconfig covertdtls.CovertDTLSConfig
+
+	if *covertDTLSConfig != "" {
+		cDTLSconfig = covertdtls.ParseConfigString(*covertDTLSConfig)
+	}
+	if *covertDTLSfingerprint != "" {
+		cDTLSconfig.Fingerprint = fingerprints.ClientHelloFingerprint(*covertDTLSfingerprint)
+	}
+
 	proxy := sf.SnowflakeProxy{
 		PollInterval:       *pollInterval,
 		Capacity:           uint(*capacity),
@ -114,7 +125,7 @@ func main() {
 		AllowNonTLSRelay:                *allowNonTLSRelay,

 		SummaryInterval:  *summaryInterval,
-		CovertDTLSConfig: covertdtls.ParseConfigString(*covertDTLSConfig),
+		CovertDTLSConfig: cDTLSconfig,
 	}

 	var logOutput = io.Discard