Update TLS Mirror with TLS1.2 AEAD support, defer_instance_derived_write_time, transport_layer_padding, h2_do_not_wait_for_download_finish

.github/linters/.golangci.yml

@@ -50,7 +50,7 @@ linters:
       - builtin$
       - examples$
 issues:
-  new: true
+  new: false
 formatters:
   enable:
     - gofmt

transport/internet/tls/config.go

@@ -294,6 +294,13 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 		}
 	}
 
+	if len(c.Ciphersuites) > 0 {
+		config.CipherSuites = make([]uint16, 0, len(c.Ciphersuites))
+		for _, cs := range c.Ciphersuites {
+			config.CipherSuites = append(config.CipherSuites, uint16(cs))
+		}
+	}
+
 	return config
 }
 

transport/internet/tls/config.pb.go

@@ -235,8 +235,11 @@ type Config struct {
 	Ech_DOHserver string `protobuf:"bytes,17,opt,name=ech_DOHserver,json=echDOHserver,proto3" json:"ech_DOHserver,omitempty"`
 	// domain to query for https record
 	EchQueryDomain string `protobuf:"bytes,18,opt,name=ech_query_domain,json=echQueryDomain,proto3" json:"ech_query_domain,omitempty"`
-	unknownFields  protoimpl.UnknownFields
-	sizeCache      protoimpl.SizeCache
+	// cipher suites to to be offered or accepted.
+	// This is an developer option.
+	Ciphersuites  []uint32 `protobuf:"varint,19,rep,packed,name=ciphersuites,proto3" json:"ciphersuites,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *Config) Reset() {
@@ -367,6 +370,13 @@ func (x *Config) GetEchQueryDomain() string {
 	return ""
 }
 
+func (x *Config) GetCiphersuites() []uint32 {
+	if x != nil {
+		return x.Ciphersuites
+	}
+	return nil
+}
+
 var File_transport_internet_tls_config_proto protoreflect.FileDescriptor
 
 const file_transport_internet_tls_config_proto_rawDesc = "" +
@@ -382,7 +392,7 @@ const file_transport_internet_tls_config_proto_rawDesc = "" +
 	"\fENCIPHERMENT\x10\x00\x12\x14\n" +
 	"\x10AUTHORITY_VERIFY\x10\x01\x12\x13\n" +
 	"\x0fAUTHORITY_ISSUE\x10\x02\x12\x1b\n" +
-	"\x17AUTHORITY_VERIFY_CLIENT\x10\x03\"\xa0\a\n" +
+	"\x17AUTHORITY_VERIFY_CLIENT\x10\x03\"\xc4\a\n" +
 	"\x06Config\x12-\n" +
 	"\x0eallow_insecure\x18\x01 \x01(\bB\x06\x82\xb5\x18\x02(\x01R\rallowInsecure\x12P\n" +
 	"\vcertificate\x18\x02 \x03(\v2..v2ray.core.transport.internet.tls.CertificateR\vcertificate\x12\x1f\n" +
@@ -402,7 +412,8 @@ const file_transport_internet_tls_config_proto_rawDesc = "" +
 	"\n" +
 	"ech_config\x18\x10 \x01(\fR\techConfig\x12#\n" +
 	"\rech_DOHserver\x18\x11 \x01(\tR\fechDOHserver\x12(\n" +
-	"\x10ech_query_domain\x18\x12 \x01(\tR\x0eechQueryDomain\"I\n" +
+	"\x10ech_query_domain\x18\x12 \x01(\tR\x0eechQueryDomain\x12\"\n" +
+	"\fciphersuites\x18\x13 \x03(\rR\fciphersuites\"I\n" +
 	"\n" +
 	"TLSVersion\x12\v\n" +
 	"\aDefault\x10\x00\x12\n" +

transport/internet/tls/config.proto

@@ -87,4 +87,8 @@ message Config {
 
   // domain to query for https record
   string ech_query_domain = 18;
+
+  // cipher suites to to be offered or accepted.
+  // This is an developer option.
+  repeated uint32 ciphersuites = 19;
 }

transport/internet/tlsmirror/httponconnection/errors.generated.go

@@ -0,0 +1,9 @@
+package httponconnection
+
+import "github.com/v2fly/v2ray-core/v5/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}

transport/internet/tlsmirror/httponconnection/singleconnhttp.go

@@ -0,0 +1,82 @@
+package httponconnection
+
+import (
+	"bufio"
+	"net"
+	"net/http"
+
+	"golang.org/x/net/http2"
+)
+
+//go:generate go run github.com/v2fly/v2ray-core/v5/common/errors/errorgen
+
+type HttpRequestTransport interface {
+	http.RoundTripper
+}
+
+func newHTTPRequestTransportH1(conn net.Conn) HttpRequestTransport {
+	return &httpRequestTransportH1{
+		conn:      conn,
+		bufReader: bufio.NewReader(conn),
+	}
+}
+
+type httpRequestTransportH1 struct {
+	conn      net.Conn
+	bufReader *bufio.Reader
+}
+
+func (h *httpRequestTransportH1) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Proto = "HTTP/1.1"
+	req.ProtoMajor = 1
+	req.ProtoMinor = 1
+
+	err := req.Write(h.conn)
+	if err != nil {
+		return nil, err
+	}
+	return http.ReadResponse(h.bufReader, req)
+}
+
+func newHTTPRequestTransportH2(conn net.Conn) HttpRequestTransport {
+	transport := &http2.Transport{}
+	clientConn, err := transport.NewClientConn(conn)
+	if err != nil {
+		return nil
+	}
+	return &httpRequestTransportH2{
+		transport:        transport,
+		clientConnection: clientConn,
+	}
+}
+
+type httpRequestTransportH2 struct {
+	transport        *http2.Transport
+	clientConnection *http2.ClientConn
+}
+
+func (h *httpRequestTransportH2) RoundTrip(request *http.Request) (*http.Response, error) {
+	request.ProtoMajor = 2
+	request.ProtoMinor = 0
+
+	response, err := h.clientConnection.RoundTrip(request)
+	if err != nil {
+		return nil, err
+	}
+	return response, nil
+}
+
+func newSingleConnectionHTTPTransport(conn net.Conn, alpn string) (HttpRequestTransport, error) {
+	switch alpn {
+	case "h2":
+		return newHTTPRequestTransportH2(conn), nil
+	case "http/1.1", "":
+		return newHTTPRequestTransportH1(conn), nil
+	default:
+		return nil, newError("unknown alpn: " + alpn).AtWarning()
+	}
+}
+
+func NewSingleConnectionHTTPTransport(conn net.Conn, alpn string) (HttpRequestTransport, error) {
+	return newSingleConnectionHTTPTransport(conn, alpn)
+}

transport/internet/tlsmirror/interface.go

@@ -31,16 +31,20 @@ type PartialTLSRecordRejectProfile interface {
 
 type MessageHook func(message *TLSRecord) (drop bool, ok error)
 
+type ExplicitNonceDetection func(cipherSuite uint16) bool
+
 type InsertableTLSConn interface {
 	common.Closable
 	GetHandshakeRandom() ([]byte, []byte, error)
 	InsertC2SMessage(message *TLSRecord) error
 	InsertS2CMessage(message *TLSRecord) error
+	GetApplicationDataExplicitNonceReservedOverheadHeaderLength() (int, error)
 }
 
 const TrafficGeneratorManagedConnectionContextKey = "TrafficGeneratorManagedConnection-ku63HMMD-kduCPhr8-DN4y6WEa"
 
 type TrafficGeneratorManagedConnection interface {
 	RecallTrafficGenerator() error
 	WaitConnectionReady() context.Context
+	IsConnectionInvalidated() bool
 }