Merge branch 'covertdtls' into 'main'

Add covert-dtls to proxy and client See merge request tpo/anti-censorship/pluggable-transports/snowflake!448
2025-10-14 14:11:23 -04:00 · 2024-12-05 14:34:43 +00:00 · 2024-12-05 14:34:43 +00:00 · aa5c034ba2
commit aa5c034ba2
parent 75e73ce397 e5d13b9b95
9 changed files with 92 additions and 16 deletions
--- a/proxy/README.md
+++ b/proxy/README.md
@ -48,6 +48,10 @@ Usage of ./proxy:
        maximum concurrent clients (default is to accept an unlimited number of clients)
  -disable-stats-logger
        disable the exposing mechanism for stats using logs
+  -dtls-mimic
+    	mimic DTLS client hello of Chrome and Firefox
+  -dtls-randomize
+    	randomize DTLS client hello
  -ephemeral-ports-range range
        Set the range of ports used for client connections (format:"<min>:<max>").
        If omitted, the ports will be chosen automatically.
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@ -42,8 +42,11 @@ import (
 	"github.com/pion/ice/v4"

 	"github.com/gorilla/websocket"
+	"github.com/pion/dtls/v3"
 	"github.com/pion/transport/v3/stdnet"
 	"github.com/pion/webrtc/v4"
+	"github.com/theodorsm/covert-dtls/pkg/mimicry"
+	"github.com/theodorsm/covert-dtls/pkg/randomize"

 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/event"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/messages"
@ -166,6 +169,9 @@ type SnowflakeProxy struct {

 	periodicProxyStats *periodicProxyStats
 	bytesLogger        bytesLogger
+
+	DTLSRandomize bool
+	DTLSMimic     bool
 }

 // Checks whether an IP address is a remote address for the client
@ -424,6 +430,23 @@ func (sf *SnowflakeProxy) makeWebRTCAPI() *webrtc.API {

 	settingsEngine.SetDTLSInsecureSkipHelloVerify(true)

+	if sf.DTLSRandomize {
+		rand := randomize.RandomizedMessageClientHello{RandomALPN: true}
+		settingsEngine.SetDTLSClientHelloMessageHook(rand.Hook)
+	} else if sf.DTLSMimic {
+		mimic := &mimicry.MimickedClientHello{}
+		profiles := []dtls.SRTPProtectionProfile{
+			dtls.SRTP_AES128_CM_HMAC_SHA1_80,
+			dtls.SRTP_AES128_CM_HMAC_SHA1_32,
+			dtls.SRTP_AEAD_AES_128_GCM,
+			dtls.SRTP_AEAD_AES_256_GCM,
+			dtls.SRTP_AES256_CM_SHA1_32,
+			dtls.SRTP_AES256_CM_SHA1_80,
+		}
+		settingsEngine.SetSRTPProtectionProfiles(profiles...)
+		settingsEngine.SetDTLSClientHelloMessageHook(mimic.Hook)
+	}
+
 	return webrtc.NewAPI(webrtc.WithSettingEngine(settingsEngine))
 }

--- a/proxy/main.go
+++ b/proxy/main.go
@ -46,6 +46,8 @@ func main() {
 	verboseLogging := flag.Bool("verbose", false, "increase log verbosity")
 	ephemeralPortsRangeFlag := flag.String("ephemeral-ports-range", "", "Set the `range` of ports used for client connections (format:\"<min>:<max>\").\nIf omitted, the ports will be chosen automatically.")
 	versionFlag := flag.Bool("version", false, "display version info to stderr and quit")
+	dtlsRandomize := flag.Bool("dtls-randomize", false, "randomize DTLS client hello")
+	dtlsMimic := flag.Bool("dtls-mimic", false, "mimic DTLS client hello of Chrome and Firefox")

 	var ephemeralPortsRange []uint16 = []uint16{0, 0}

@ -64,6 +66,10 @@ func main() {
 		log.Fatal("Cannot keep local address candidates when outbound address is specified")
 	}

+	if *dtlsMimic && *dtlsRandomize {
+		log.Fatal("Cannot both Randomize and Mimic DTLS client hello")
+	}
+
 	eventLogger := event.NewSnowflakeEventDispatcher()

 	if *ephemeralPortsRangeFlag != "" {
@ -112,6 +118,8 @@ func main() {
 		AllowNonTLSRelay:                *allowNonTLSRelay,

 		SummaryInterval: *summaryInterval,
+		DTLSRandomize:   *dtlsRandomize,
+		DTLSMimic:       *dtlsMimic,
 	}

 	var logOutput = io.Discard