iartamonov/mautrix-telegram
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

faketls: emit GREASE bytes and a real padding extension
Go / Lint (old) (push) Failing after 4m39s
Details
Go / Lint (latest) (push) Failing after 4m39s
Details
Go / Lint (old) (pull_request) Failing after 4m39s
Details
Go / Lint (latest) (pull_request) Failing after 4m42s
Details

Browse Source 
The ClientHello builder used a closure G(n) that was supposed to insert
two random GREASE bytes (RFC 8701, 0x?A?A pattern) at known positions
but expanded the buffer by zero. Every grease slot was therefore
omitted, and the trailing padding extension was written as a bare ext
id 0x0015 followed by raw zeros — its length field was never set.

Concretely, the old output looked structurally invalid to mtg's faketls
validator: the cipher list was off by two, supported_groups declared a
list_length larger than its body, and what should have been the padding
extension parsed as a stream of empty server_name extensions. mtg
responded with a fatal TLS Alert (description 50, decode_error) and
shut the connection.

Fix:
- generate seven distinct GREASE bytes per ClientHello, with the
  tdlib constraint grease[3] != grease[4]
- thread an io.Reader through writeClientHello so generation is
  deterministic in tests and keyed off the FakeTLS rand source in prod
- replace the trailing zero-pad with a proper padding extension whose
  length field is computed so the ClientHello is exactly 517 bytes

Add a regression test (structure_test.go) that feeds the result to
crypto/tls.Server: it must not return decode_error / malformed /
syntax errors. The previous output failed this; the new output passes.

The TestTLS golden vector is regenerated for the new layout.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Igor Artamonov
2026-05-01 11:15:03 +03:00
parent aab48f0dbe
commit 64bf6bfe90
4 changed files with 185 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/gotd/mtproxy/faketls/client_hello.go
+41 -6
View File
@@ -14,7 +14,26 @@ import (
const clientHelloLength = 517
func createClientHello(b *bin.Buffer, sessionID [32]byte, domain string, key [32]byte) (randomOffset int) {
// generateGrease produces seven GREASE bytes following the TLS spec
// (RFC 8701) and tdlib's TlsInit.cpp constraints used by MTProxy faketls
// validators: each byte has the form 0x?A (low nibble 0x0A), and grease[3]
// must differ from grease[4].
func generateGrease(rng io.Reader) ([7]byte, error) {
var raw [7]byte
if _, err := io.ReadFull(rng, raw[:]); err != nil {
return raw, errors.Wrap(err, "read grease entropy")
}
var g [7]byte
for i, r := range raw {
g[i] = (r & 0xF0) | 0x0A
}
if g[3] == g[4] {
g[3] ^= 0x10
}
return g, nil
}
func createClientHello(b *bin.Buffer, sessionID [32]byte, domain string, key [32]byte, grease [7]byte) (randomOffset int) {
S := func(s string) {
b.Buf = append(b.Buf, s...)
}
@@ -22,8 +41,9 @@ func createClientHello(b *bin.Buffer, sessionID [32]byte, domain string, key [32
randomOffset = len(b.Buf)
b.Expand(n)
}
G := func(_ int) {
b.Expand(0)
G := func(n int) {
v := grease[n]
b.Buf = append(b.Buf, v, v)
}
R := func() {
b.Buf = append(b.Buf, sessionID[:]...)
@@ -83,9 +103,18 @@ func createClientHello(b *bin.Buffer, sessionID [32]byte, domain string, key [32
G(3)
S("\x00\x01\x00\x00\x15")
if pad := clientHelloLength - b.Len(); pad > 0 {
b.Expand(pad)
// Padding extension (id 0x0015 already written above): write its
// length so the resulting ClientHello is exactly clientHelloLength
// bytes, then fill the body with zeros.
padLen := clientHelloLength - b.Len() - 2
if padLen < 0 {
padLen = 0
}
lenPos := b.Len()
b.Expand(2)
binary.BigEndian.PutUint16(b.Buf[lenPos:lenPos+2], uint16(padLen))
b.Expand(padLen)
return randomOffset
}
@@ -94,15 +123,21 @@ func createClientHello(b *bin.Buffer, sessionID [32]byte, domain string, key [32
// See https://tools.ietf.org/html/rfc5246#section-7.4.1.1.
func writeClientHello(
w io.Writer,
rng io.Reader,
now clock.Clock,
sessionID [32]byte,
domain string,
secret []byte,
) (r [32]byte, err error) {
grease, err := generateGrease(rng)
if err != nil {
return [32]byte{}, err
}
b := &bin.Buffer{
Buf: make([]byte, 0, 576),
}
randomOffset := createClientHello(b, sessionID, domain, [32]byte{})
randomOffset := createClientHello(b, sessionID, domain, [32]byte{}, grease)
// https://github.com/tdlib/td/blob/27d3fdd09d90f6b77ecbcce50b1e86dc4b3dd366/td/mtproto/TlsInit.cpp#L380-L384
mac := hmac.New(sha256.New, secret)