diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 000000000..cc9ee0ad8 --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,55 @@ +name: Test + +on: + push: + branches: + - stable + - testing + - unstable + paths-ignore: + - '**.md' + - '.github/**' + - '!.github/workflows/test.yml' + pull_request: + branches: + - stable + - testing + - unstable + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}-${{ inputs.build }} + cancel-in-progress: true + +jobs: + test: + name: Test + strategy: + fail-fast: false + matrix: + os: + - ubuntu-latest + - windows-latest + - macos-latest + go: + - ~1.24 + - ~1.25 + runs-on: ${{ matrix.os }} + steps: + - name: Checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version: ${{ matrix.go }} + - name: Set build tags and ldflags + shell: bash + run: | + echo "BUILD_TAGS=$(cat release/DEFAULT_BUILD_TAGS_OTHERS)" >> "$GITHUB_ENV" + echo "LDFLAGS_SHARED=$(cat release/LDFLAGS)" >> "$GITHUB_ENV" + - name: Test (unix) + if: matrix.os != 'windows-latest' + run: go test -v -exec sudo -tags "$BUILD_TAGS" -ldflags "$LDFLAGS_SHARED" ./... + - name: Test (windows) + if: matrix.os == 'windows-latest' + shell: bash + run: go test -v -tags "$BUILD_TAGS" -ldflags "$LDFLAGS_SHARED" ./... diff --git a/.golangci.yml b/.golangci.yml index d6905dc10..53553d714 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -19,7 +19,6 @@ linters: enable: - govet - ineffassign - - paralleltest - staticcheck settings: staticcheck: diff --git a/Makefile b/Makefile index 1a1138cc7..6ec7bc9b0 100644 --- a/Makefile +++ b/Makefile @@ -52,7 +52,7 @@ lint: GOOS=android golangci-lint run ./... GOOS=windows golangci-lint run ./... GOOS=darwin golangci-lint run ./... - GOOS=freebsd golangci-lint run ./... + # GOOS=freebsd golangci-lint run ./... lint_install: go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest diff --git a/common/tls/apple_client.go b/common/tls/apple_client.go index 4b84a31b2..01043fd3d 100644 --- a/common/tls/apple_client.go +++ b/common/tls/apple_client.go @@ -155,6 +155,9 @@ func ValidateAppleTLSOptions(ctx context.Context, options option.OutboundTLSOpti if options.KernelTx || options.KernelRx { return AppleTLSValidated{}, E.New("ktls is unsupported in ", engineName) } + if options.Spoof != "" || options.SpoofMethod != "" { + return AppleTLSValidated{}, E.New("spoof is unsupported in ", engineName) + } if len(options.CertificatePublicKeySHA256) > 0 && (len(options.Certificate) > 0 || options.CertificatePath != "") { return AppleTLSValidated{}, E.New("certificate_public_key_sha256 is conflict with certificate or certificate_path") } diff --git a/common/tls/client.go b/common/tls/client.go index 40560b9a5..00020ee2c 100644 --- a/common/tls/client.go +++ b/common/tls/client.go @@ -8,6 +8,7 @@ import ( "os" "github.com/sagernet/sing-box/common/badtls" + "github.com/sagernet/sing-box/common/tlsspoof" C "github.com/sagernet/sing-box/constant" "github.com/sagernet/sing-box/option" E "github.com/sagernet/sing/common/exceptions" @@ -19,6 +20,37 @@ import ( var errMissingServerName = E.New("missing server_name or insecure=true") +func parseTLSSpoofOptions(serverName string, options option.OutboundTLSOptions) (string, tlsspoof.Method, error) { + if options.Spoof == "" { + if options.SpoofMethod != "" { + return "", 0, E.New("`spoof_method` requires `spoof`") + } + return "", 0, nil + } + if !tlsspoof.PlatformSupported { + return "", 0, E.New("`spoof` is not supported on this platform") + } + if options.DisableSNI || serverName == "" { + return "", 0, E.New("`spoof` requires TLS ClientHello with SNI") + } + method, err := tlsspoof.ParseMethod(options.SpoofMethod) + if err != nil { + return "", 0, err + } + return options.Spoof, method, nil +} + +func applyTLSSpoof(conn net.Conn, spoof string, method tlsspoof.Method) (net.Conn, error) { + if spoof == "" { + return conn, nil + } + spoofer, err := tlsspoof.NewSpoofer(conn, method) + if err != nil { + return nil, err + } + return tlsspoof.NewConn(conn, spoofer, spoof), nil +} + func NewDialerFromOptions(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) { if !options.Enabled { return dialer, nil diff --git a/common/tls/reality_client.go b/common/tls/reality_client.go index 38f0965e2..bb57e76d3 100644 --- a/common/tls/reality_client.go +++ b/common/tls/reality_client.go @@ -59,6 +59,9 @@ func newRealityClient(ctx context.Context, logger logger.ContextLogger, serverAd if options.UTLS == nil || !options.UTLS.Enabled { return nil, E.New("uTLS is required by reality client") } + if options.Spoof != "" || options.SpoofMethod != "" { + return nil, E.New("spoof is unsupported in reality") + } uClient, err := newUTLSClient(ctx, logger, serverAddress, options, allowEmptyServerName) if err != nil { diff --git a/common/tls/std_client.go b/common/tls/std_client.go index 7da36defe..f38981c68 100644 --- a/common/tls/std_client.go +++ b/common/tls/std_client.go @@ -14,6 +14,7 @@ import ( "github.com/sagernet/sing-box/adapter" "github.com/sagernet/sing-box/common/tlsfragment" + "github.com/sagernet/sing-box/common/tlsspoof" C "github.com/sagernet/sing-box/constant" "github.com/sagernet/sing-box/option" E "github.com/sagernet/sing/common/exceptions" @@ -31,6 +32,8 @@ type STDClientConfig struct { fragment bool fragmentFallbackDelay time.Duration recordFragment bool + spoof string + spoofMethod tlsspoof.Method } func (c *STDClientConfig) ServerName() string { @@ -75,6 +78,10 @@ func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) { if c.recordFragment { conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay) } + conn, err := applyTLSSpoof(conn, c.spoof, c.spoofMethod) + if err != nil { + return nil, err + } return tls.Client(conn, c.config), nil } @@ -89,6 +96,8 @@ func (c *STDClientConfig) Clone() Config { fragment: c.fragment, fragmentFallbackDelay: c.fragmentFallbackDelay, recordFragment: c.recordFragment, + spoof: c.spoof, + spoofMethod: c.spoofMethod, } cloned.SetServerName(cloned.serverName) return cloned @@ -218,6 +227,10 @@ func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres } else { handshakeTimeout = C.TCPTimeout } + spoof, spoofMethod, err := parseTLSSpoofOptions(serverName, options) + if err != nil { + return nil, err + } var config Config = &STDClientConfig{ ctx: ctx, config: &tlsConfig, @@ -228,6 +241,8 @@ func newSTDClient(ctx context.Context, logger logger.ContextLogger, serverAddres fragment: options.Fragment, fragmentFallbackDelay: time.Duration(options.FragmentFallbackDelay), recordFragment: options.RecordFragment, + spoof: spoof, + spoofMethod: spoofMethod, } config.SetServerName(serverName) if options.ECH != nil && options.ECH.Enabled { diff --git a/common/tls/utls_client.go b/common/tls/utls_client.go index 20261bfd4..a8b91973c 100644 --- a/common/tls/utls_client.go +++ b/common/tls/utls_client.go @@ -14,6 +14,7 @@ import ( "github.com/sagernet/sing-box/adapter" "github.com/sagernet/sing-box/common/tlsfragment" + "github.com/sagernet/sing-box/common/tlsspoof" C "github.com/sagernet/sing-box/constant" "github.com/sagernet/sing-box/option" "github.com/sagernet/sing/common" @@ -36,6 +37,8 @@ type UTLSClientConfig struct { fragment bool fragmentFallbackDelay time.Duration recordFragment bool + spoof string + spoofMethod tlsspoof.Method } func (c *UTLSClientConfig) ServerName() string { @@ -83,6 +86,10 @@ func (c *UTLSClientConfig) Client(conn net.Conn) (Conn, error) { if c.recordFragment { conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay) } + conn, err := applyTLSSpoof(conn, c.spoof, c.spoofMethod) + if err != nil { + return nil, err + } return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, c.config.Clone(), c.id)}, c.config.NextProtos}, nil } @@ -102,6 +109,8 @@ func (c *UTLSClientConfig) Clone() Config { fragment: c.fragment, fragmentFallbackDelay: c.fragmentFallbackDelay, recordFragment: c.recordFragment, + spoof: c.spoof, + spoofMethod: c.spoofMethod, } cloned.SetServerName(cloned.serverName) return cloned @@ -290,6 +299,10 @@ func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre } else { handshakeTimeout = C.TCPTimeout } + spoof, spoofMethod, err := parseTLSSpoofOptions(serverName, options) + if err != nil { + return nil, err + } id, err := uTLSClientHelloID(options.UTLS.Fingerprint) if err != nil { return nil, err @@ -305,6 +318,8 @@ func newUTLSClient(ctx context.Context, logger logger.ContextLogger, serverAddre fragment: options.Fragment, fragmentFallbackDelay: time.Duration(options.FragmentFallbackDelay), recordFragment: options.RecordFragment, + spoof: spoof, + spoofMethod: spoofMethod, } config.SetServerName(serverName) if options.ECH != nil && options.ECH.Enabled { diff --git a/common/tlsfragment/index.go b/common/tlsfragment/index.go index 0d58c445c..83e4bcbc1 100644 --- a/common/tlsfragment/index.go +++ b/common/tlsfragment/index.go @@ -23,9 +23,10 @@ const ( ) type MyServerName struct { - Index int - Length int - ServerName string + Index int + Length int + ServerName string + ExtensionsListLengthIndex int } func IndexTLSServerName(payload []byte) *MyServerName { @@ -41,6 +42,7 @@ func IndexTLSServerName(payload []byte) *MyServerName { return nil } serverName.Index += recordLayerHeaderLen + serverName.ExtensionsListLengthIndex += recordLayerHeaderLen return serverName } @@ -82,6 +84,7 @@ func indexTLSServerNameFromHandshake(handshake []byte) *MyServerName { return nil } serverName.Index += currentIndex + serverName.ExtensionsListLengthIndex = currentIndex return serverName } diff --git a/common/tlsspoof/client_hello.go b/common/tlsspoof/client_hello.go new file mode 100644 index 000000000..0ca7c5a9f --- /dev/null +++ b/common/tlsspoof/client_hello.go @@ -0,0 +1,86 @@ +package tlsspoof + +import ( + "encoding/binary" + + tf "github.com/sagernet/sing-box/common/tlsfragment" + E "github.com/sagernet/sing/common/exceptions" +) + +const ( + recordLengthOffset = 3 + handshakeLengthOffset = 6 +) + +// server_name extension layout (RFC 6066 §3). Offsets are relative to the +// SNI host name (index returned by the parser): +// +// ... uint16 extension_type = 0x0000 (host_name - 9) +// ... uint16 extension_data_length (host_name - 7) +// ... uint16 server_name_list_length (host_name - 5) +// ... uint8 name_type = host_name (host_name - 3) +// ... uint16 host_name_length (host_name - 2) +// sni host_name (host_name) +const ( + extensionDataLengthOffsetFromSNI = -7 + listLengthOffsetFromSNI = -5 + hostNameLengthOffsetFromSNI = -2 +) + +func rewriteSNI(record []byte, fakeSNI string) ([]byte, error) { + if len(fakeSNI) > 0xFFFF { + return nil, E.New("fake SNI too long: ", len(fakeSNI), " bytes") + } + serverName := tf.IndexTLSServerName(record) + if serverName == nil { + return nil, E.New("not a ClientHello with SNI") + } + + delta := len(fakeSNI) - serverName.Length + out := make([]byte, len(record)+delta) + copy(out, record[:serverName.Index]) + copy(out[serverName.Index:], fakeSNI) + copy(out[serverName.Index+len(fakeSNI):], record[serverName.Index+serverName.Length:]) + + err := patchUint16(out, recordLengthOffset, delta) + if err != nil { + return nil, E.Cause(err, "patch record length") + } + err = patchUint24(out, handshakeLengthOffset, delta) + if err != nil { + return nil, E.Cause(err, "patch handshake length") + } + for _, off := range []int{ + serverName.ExtensionsListLengthIndex, + serverName.Index + extensionDataLengthOffsetFromSNI, + serverName.Index + listLengthOffsetFromSNI, + serverName.Index + hostNameLengthOffsetFromSNI, + } { + err = patchUint16(out, off, delta) + if err != nil { + return nil, E.Cause(err, "patch length at offset ", off) + } + } + return out, nil +} + +func patchUint16(data []byte, offset, delta int) error { + patched := int(binary.BigEndian.Uint16(data[offset:])) + delta + if patched < 0 || patched > 0xFFFF { + return E.New("uint16 out of range: ", patched) + } + binary.BigEndian.PutUint16(data[offset:], uint16(patched)) + return nil +} + +func patchUint24(data []byte, offset, delta int) error { + original := int(data[offset])<<16 | int(data[offset+1])<<8 | int(data[offset+2]) + patched := original + delta + if patched < 0 || patched > 0xFFFFFF { + return E.New("uint24 out of range: ", patched) + } + data[offset] = byte(patched >> 16) + data[offset+1] = byte(patched >> 8) + data[offset+2] = byte(patched) + return nil +} diff --git a/common/tlsspoof/client_hello_test.go b/common/tlsspoof/client_hello_test.go new file mode 100644 index 000000000..746d0482a --- /dev/null +++ b/common/tlsspoof/client_hello_test.go @@ -0,0 +1,79 @@ +package tlsspoof + +import ( + "encoding/binary" + "encoding/hex" + "testing" + + tf "github.com/sagernet/sing-box/common/tlsfragment" + + "github.com/stretchr/testify/require" +) + +// realClientHello is a captured Chrome ClientHello for github.com, +// reused from common/tlsfragment/index_test.go. +const realClientHello = "16030105f8010005f403036e35de7389a679c54029cf452611f2211c70d9ac3897271de589ab6155f8e4ab20637d225f1ef969ad87ed78bfb9d171300bcb1703b6f314ccefb964f79b7d0961002a0a0a130213031301c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a01000581baba00000000000f000d00000a6769746875622e636f6d00170000ff01000100000a000e000c3a3a11ec001d001700180019000b000201000010000e000c02683208687474702f312e31000500050100000000000d00160014040308040401050308050805050108060601020100120000003304ef04ed3a3a00010011ec04c0aeb2250c092a3463161cccb29d9183331a424964248579507ed23a180b0ceab2a5f5d9ce41547e497a89055471ea572867ba3a1fc3c9e45025274a20f60c6b60e62476b6afed0403af59ab83660ef4112ae20386a602010d0a5d454c0ed34c84ed4423e750213e6a2baab1bf9c4367a6007ab40a33d95220c2dcaa44f257024a5626b545db0510f4311b1a60714154909c6a61fdfca011fb2626d657aeb6070bf078508babe3b584555013e34acc56198ed4663742b3155a664a9901794c4586820a7dc162c01827291f3792e1237f801a8d1ef096013c181c4a58d2f6859ba75022d18cc4418bd4f351d5c18f83a58857d05af860c4b9ac018a5b63f17184e591532c6bc2cf2215d4a282c8a8a4f6f7aee110422c8bc9ebd3b1d609c568523aaae555db320e6c269473d87af38c256cbb9febc20aea6380c32a8916f7a373c8b1e37554e3260bf6621f6b804ee80b3c516b1d01985bf4c603b6daa9a5991de6a7a29f3a7122b8afb843a7660110fce62b43c615f5bcc2db688ba012649c0952b0a2c031e732d2b454c6b2968683cb8d244be2c9a7fa163222979eaf92722b92b862d81a3d94450c2b60c318421ebb4307c42d1f0473592a5c30e42039cc68cda9721e61aa63f49def17c15221680ed444896340133bbee67556f56b9f9d78a4df715f926a12add0cc9c862e46ea8b7316ae468282c18601b2771c9c9322f982228cf93effaacd3f80cbd12bce5fc36f56e2a3caf91e578a5fae00c9b23a8ed1a66764f4433c3628a70b8f0a6196adc60a4cb4226f07ba4c6b363fe9065563bfc1347452946386bab488686e837ab979c64f9047417fca635fe1bb4f074f256cc8af837c7b455e280426547755af90a61640169ef180aea3a77e662bb6dac1b6c3696027129b1a5edf495314e9c7f4b6110e16378ec893fa24642330a40aba1a85326101acb97c620fd8d71389e69eaed7bdb01bbe1fd428d66191150c7b2cd1ad4257391676a82ba8ce07fb2667c3b289f159003a7c7bc31d361b7b7f49a802961739d950dfcc0fa1c7abce5abdd2245101da391151490862028110465950b9e9c03d08a90998ab83267838d2e74a0593bc81f74cdf734519a05b351c0e5488c68dd810e6e9142ccc1e2f4a7f464297eb340e27acc6b9d64e12e38cce8492b3d939140b5a9e149a75597f10a23874c84323a07cdd657274378f887c85c4259b9c04cd33ba58ed630ef2a744f8e19dd34843dff331d2a6be7e2332c599289cd248a611c73d7481cd4a9bd43449a3836f14b2af18a1739e17999e4c67e85cc5bcecabb14185e5bcaff3c96098f03dc5aba819f29587758f49f940585354a2a780830528d68ccd166920dadcaa25cab5fc1907272a826aba3f08bc6b88757776812ecb6c7cec69a223ec0a13a7b62a2349a0f63ed7a27a3b15ba21d71fe6864ec6e089ae17cadd433fa3138f7ee24353c11365818f8fc34f43a05542d18efaac24bfccc1f748a0cc1a67ad379468b76fd34973dba785f5c91d618333cd810fe0700d1bbc8422029782628070a624c52c5309a4a64d625b11f8033ab28df34a1add297517fcc06b92b6817b3c5144438cf260867c57bde68c8c4b82e6a135ef676a52fbae5708002a404e6189a60e2836de565ad1b29e3819e5ed49f6810bcb28e1bd6de57306f94b79d9dae1cc4624d2a068499beef81cd5fe4b76dcbfff2a2008001d002001976128c6d5a934533f28b9914d2480aab2a8c1ab03d212529ce8b27640a716002d00020101002b000706caca03040303001b00030200015a5a000100" + +func decodeClientHello(t *testing.T) []byte { + t.Helper() + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + return payload +} + +func assertConsistent(t *testing.T, payload []byte, expectedSNI string) { + t.Helper() + serverName := tf.IndexTLSServerName(payload) + require.NotNil(t, serverName, "parser should find SNI in rewritten payload") + require.Equal(t, expectedSNI, serverName.ServerName) + require.Equal(t, expectedSNI, string(payload[serverName.Index:serverName.Index+serverName.Length])) + // Record length must equal len(payload) - 5. + recordLen := binary.BigEndian.Uint16(payload[3:5]) + require.Equal(t, len(payload)-5, int(recordLen), "record length must equal payload - 5") + // Handshake length must equal len(payload) - 5 - 4. + handshakeLen := int(payload[6])<<16 | int(payload[7])<<8 | int(payload[8]) + require.Equal(t, len(payload)-5-4, handshakeLen, "handshake length must equal payload - 9") +} + +func TestRewriteSNI_ShorterReplacement(t *testing.T) { + t.Parallel() + payload := decodeClientHello(t) + out, err := rewriteSNI(payload, "a.io") + require.NoError(t, err) + require.Len(t, out, len(payload)-6) // original "github.com" is 10 bytes, "a.io" is 4 bytes. + assertConsistent(t, out, "a.io") +} + +func TestRewriteSNI_SameLengthReplacement(t *testing.T) { + t.Parallel() + payload := decodeClientHello(t) + out, err := rewriteSNI(payload, "example.co") + require.NoError(t, err) + require.Len(t, out, len(payload)) + assertConsistent(t, out, "example.co") +} + +func TestRewriteSNI_LongerReplacement(t *testing.T) { + t.Parallel() + payload := decodeClientHello(t) + out, err := rewriteSNI(payload, "letsencrypt.org") + require.NoError(t, err) + require.Len(t, out, len(payload)+5) // "letsencrypt.org" is 15, original 10, delta 5. + assertConsistent(t, out, "letsencrypt.org") +} + +func TestRewriteSNI_NoSNIReturnsError(t *testing.T) { + t.Parallel() + // Truncated payload — not a valid ClientHello. + _, err := rewriteSNI([]byte{0x16, 0x03, 0x01, 0x00, 0x01, 0x01}, "x.com") + require.Error(t, err) +} + +func TestRewriteSNI_DoesNotMutateInput(t *testing.T) { + t.Parallel() + payload := decodeClientHello(t) + original := append([]byte(nil), payload...) + _, err := rewriteSNI(payload, "letsencrypt.org") + require.NoError(t, err) + require.Equal(t, original, payload, "input payload must not be mutated") +} diff --git a/common/tlsspoof/conn_test.go b/common/tlsspoof/conn_test.go new file mode 100644 index 000000000..981f1a49c --- /dev/null +++ b/common/tlsspoof/conn_test.go @@ -0,0 +1,126 @@ +package tlsspoof + +import ( + "encoding/hex" + "io" + "net" + "testing" + + tf "github.com/sagernet/sing-box/common/tlsfragment" + + "github.com/stretchr/testify/require" +) + +type fakeSpoofer struct { + injected [][]byte + err error +} + +func (f *fakeSpoofer) Inject(payload []byte) error { + if f.err != nil { + return f.err + } + f.injected = append(f.injected, append([]byte(nil), payload...)) + return nil +} + +func (f *fakeSpoofer) Close() error { + return nil +} + +func readAll(t *testing.T, conn net.Conn) []byte { + t.Helper() + data, err := io.ReadAll(conn) + require.NoError(t, err) + return data +} + +func TestConn_Write_InjectsThenForwards(t *testing.T) { + t.Parallel() + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + + client, server := net.Pipe() + spoofer := &fakeSpoofer{} + wrapped := NewConn(client, spoofer, "letsencrypt.org") + + serverRead := make(chan []byte, 1) + go func() { + serverRead <- readAll(t, server) + }() + + n, err := wrapped.Write(payload) + require.NoError(t, err) + require.Equal(t, len(payload), n) + require.NoError(t, wrapped.Close()) + + forwarded := <-serverRead + require.Equal(t, payload, forwarded, "underlying conn must receive the real ClientHello unchanged") + require.Len(t, spoofer.injected, 1) + + injected := spoofer.injected[0] + serverName := tf.IndexTLSServerName(injected) + require.NotNil(t, serverName, "injected payload must parse as ClientHello") + require.Equal(t, "letsencrypt.org", serverName.ServerName) +} + +func TestConn_Write_SecondWriteDoesNotInject(t *testing.T) { + t.Parallel() + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + + client, server := net.Pipe() + spoofer := &fakeSpoofer{} + wrapped := NewConn(client, spoofer, "letsencrypt.org") + + serverRead := make(chan []byte, 1) + go func() { + serverRead <- readAll(t, server) + }() + + _, err = wrapped.Write(payload) + require.NoError(t, err) + _, err = wrapped.Write([]byte("second")) + require.NoError(t, err) + require.NoError(t, wrapped.Close()) + + forwarded := <-serverRead + require.Equal(t, append(append([]byte(nil), payload...), []byte("second")...), forwarded) + require.Len(t, spoofer.injected, 1) +} + +func TestConn_Write_NonClientHelloReturnsError(t *testing.T) { + t.Parallel() + client, server := net.Pipe() + defer client.Close() + defer server.Close() + + spoofer := &fakeSpoofer{} + wrapped := NewConn(client, spoofer, "letsencrypt.org") + + _, err := wrapped.Write([]byte("not a ClientHello")) + require.Error(t, err) + require.Empty(t, spoofer.injected) +} + +func TestParseMethod(t *testing.T) { + t.Parallel() + cases := map[string]struct { + want Method + ok bool + }{ + "": {MethodWrongSequence, true}, + "wrong-sequence": {MethodWrongSequence, true}, + "wrong-checksum": {MethodWrongChecksum, true}, + "nonsense": {0, false}, + } + for input, expected := range cases { + m, err := ParseMethod(input) + if !expected.ok { + require.Error(t, err, "input=%q", input) + continue + } + require.NoError(t, err, "input=%q", input) + require.Equal(t, expected.want, m, "input=%q", input) + } +} diff --git a/common/tlsspoof/endpoints.go b/common/tlsspoof/endpoints.go new file mode 100644 index 000000000..6be458c85 --- /dev/null +++ b/common/tlsspoof/endpoints.go @@ -0,0 +1,29 @@ +package tlsspoof + +import ( + "net" + "net/netip" + + "github.com/sagernet/sing/common" + E "github.com/sagernet/sing/common/exceptions" + M "github.com/sagernet/sing/common/metadata" +) + +// The returned addresses are v4-unmapped and share the same family. +func tcpEndpoints(conn net.Conn) (*net.TCPConn, netip.AddrPort, netip.AddrPort, error) { + tcpConn, isTCP := common.Cast[*net.TCPConn](conn) + if !isTCP { + return nil, netip.AddrPort{}, netip.AddrPort{}, E.New("tls_spoof: underlying conn is not *net.TCPConn") + } + local := M.AddrPortFromNet(tcpConn.LocalAddr()) + remote := M.AddrPortFromNet(tcpConn.RemoteAddr()) + if !local.IsValid() || !remote.IsValid() { + return nil, netip.AddrPort{}, netip.AddrPort{}, E.New("tls_spoof: invalid conn address") + } + local = netip.AddrPortFrom(local.Addr().Unmap(), local.Port()) + remote = netip.AddrPortFrom(remote.Addr().Unmap(), remote.Port()) + if local.Addr().Is4() != remote.Addr().Is4() { + return nil, netip.AddrPort{}, netip.AddrPort{}, E.New("tls_spoof: local/remote address family mismatch") + } + return tcpConn, local, remote, nil +} diff --git a/common/tlsspoof/integration_darwin_test.go b/common/tlsspoof/integration_darwin_test.go new file mode 100644 index 000000000..60a933e5f --- /dev/null +++ b/common/tlsspoof/integration_darwin_test.go @@ -0,0 +1,5 @@ +//go:build darwin + +package tlsspoof + +const loopbackInterface = "lo0" diff --git a/common/tlsspoof/integration_linux_test.go b/common/tlsspoof/integration_linux_test.go new file mode 100644 index 000000000..3294c272e --- /dev/null +++ b/common/tlsspoof/integration_linux_test.go @@ -0,0 +1,5 @@ +//go:build linux + +package tlsspoof + +const loopbackInterface = "lo" diff --git a/common/tlsspoof/integration_test.go b/common/tlsspoof/integration_test.go new file mode 100644 index 000000000..e36592908 --- /dev/null +++ b/common/tlsspoof/integration_test.go @@ -0,0 +1,112 @@ +//go:build linux || darwin + +package tlsspoof + +import ( + "bufio" + "context" + "fmt" + "io" + "net" + "os" + "os/exec" + "strings" + "sync/atomic" + "testing" + "time" + + "github.com/stretchr/testify/require" +) + +func requireRoot(t *testing.T) { + t.Helper() + if os.Geteuid() != 0 { + t.Fatal("integration test requires root") + } +} + +func tcpdumpObserver(t *testing.T, iface string, port uint16, needle string, do func(), wait time.Duration) bool { + t.Helper() + ctx, cancel := context.WithTimeout(context.Background(), wait) + defer cancel() + cmd := exec.CommandContext(ctx, "tcpdump", "-i", iface, "-n", "-A", "-l", + "-s", "4096", fmt.Sprintf("tcp and port %d", port)) + cmd.Cancel = func() error { + return cmd.Process.Signal(os.Interrupt) + } + stdout, err := cmd.StdoutPipe() + require.NoError(t, err) + stderr, err := cmd.StderrPipe() + require.NoError(t, err) + require.NoError(t, cmd.Start()) + t.Cleanup(func() { + _ = cmd.Process.Signal(os.Interrupt) + _ = cmd.Wait() + }) + + ready := make(chan struct{}) + go func() { + scanner := bufio.NewScanner(stderr) + for scanner.Scan() { + if strings.Contains(scanner.Text(), "listening on") { + close(ready) + io.Copy(io.Discard, stderr) + return + } + } + }() + + select { + case <-ready: + case <-time.After(2 * time.Second): + t.Fatal("tcpdump did not attach within 2s") + } + + var found atomic.Bool + readerDone := make(chan struct{}) + go func() { + defer close(readerDone) + scanner := bufio.NewScanner(stdout) + scanner.Buffer(make([]byte, 0, 64*1024), 1024*1024) + for scanner.Scan() { + if strings.Contains(scanner.Text(), needle) { + found.Store(true) + } + } + }() + + do() + + time.Sleep(200 * time.Millisecond) + _ = cmd.Process.Signal(os.Interrupt) + <-readerDone + return found.Load() +} + +func dialLocalEchoServer(t *testing.T) (client net.Conn, serverPort uint16) { + t.Helper() + listener, err := net.Listen("tcp4", "127.0.0.1:0") + require.NoError(t, err) + + accepted := make(chan net.Conn, 1) + go func() { + c, err := listener.Accept() + if err == nil { + accepted <- c + } + close(accepted) + }() + addr := listener.Addr().(*net.TCPAddr) + client, err = net.Dial("tcp4", addr.String()) + require.NoError(t, err) + server := <-accepted + require.NotNil(t, server) + + go io.Copy(io.Discard, server) + t.Cleanup(func() { + client.Close() + server.Close() + listener.Close() + }) + return client, uint16(addr.Port) +} diff --git a/common/tlsspoof/integration_unix_test.go b/common/tlsspoof/integration_unix_test.go new file mode 100644 index 000000000..c734ed891 --- /dev/null +++ b/common/tlsspoof/integration_unix_test.go @@ -0,0 +1,100 @@ +//go:build linux || darwin + +package tlsspoof + +import ( + "encoding/hex" + "io" + "net" + "testing" + "time" + + "github.com/stretchr/testify/require" +) + +func TestIntegrationSpoofer_WrongChecksum(t *testing.T) { + requireRoot(t) + client, serverPort := dialLocalEchoServer(t) + spoofer, err := NewSpoofer(client, MethodWrongChecksum) + require.NoError(t, err) + defer spoofer.Close() + + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + fake, err := rewriteSNI(payload, "letsencrypt.org") + require.NoError(t, err) + + captured := tcpdumpObserver(t, loopbackInterface, serverPort, "letsencrypt.org", func() { + require.NoError(t, spoofer.Inject(fake)) + }, 3*time.Second) + require.True(t, captured, "injected fake ClientHello must be observable on loopback") +} + +func TestIntegrationSpoofer_WrongSequence(t *testing.T) { + requireRoot(t) + client, serverPort := dialLocalEchoServer(t) + spoofer, err := NewSpoofer(client, MethodWrongSequence) + require.NoError(t, err) + defer spoofer.Close() + + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + fake, err := rewriteSNI(payload, "letsencrypt.org") + require.NoError(t, err) + + captured := tcpdumpObserver(t, loopbackInterface, serverPort, "letsencrypt.org", func() { + require.NoError(t, spoofer.Inject(fake)) + }, 3*time.Second) + require.True(t, captured, "injected fake ClientHello must be observable on loopback") +} + +// Loopback bypasses TCP checksum validation, so wrong-sequence is used instead. +func TestIntegrationConn_InjectsThenForwardsRealCH(t *testing.T) { + requireRoot(t) + + listener, err := net.Listen("tcp4", "127.0.0.1:0") + require.NoError(t, err) + + serverReceived := make(chan []byte, 1) + go func() { + conn, err := listener.Accept() + if err != nil { + return + } + defer conn.Close() + _ = conn.SetReadDeadline(time.Now().Add(2 * time.Second)) + got, _ := io.ReadAll(conn) + serverReceived <- got + }() + + addr := listener.Addr().(*net.TCPAddr) + serverPort := uint16(addr.Port) + client, err := net.Dial("tcp4", addr.String()) + require.NoError(t, err) + t.Cleanup(func() { + client.Close() + listener.Close() + }) + + spoofer, err := NewSpoofer(client, MethodWrongSequence) + require.NoError(t, err) + wrapped := NewConn(client, spoofer, "letsencrypt.org") + + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + + captured := tcpdumpObserver(t, loopbackInterface, serverPort, "letsencrypt.org", func() { + n, err := wrapped.Write(payload) + require.NoError(t, err) + require.Equal(t, len(payload), n) + }, 3*time.Second) + require.True(t, captured, "fake ClientHello with letsencrypt.org SNI must be on the wire") + + _ = wrapped.Close() + select { + case got := <-serverReceived: + require.Equal(t, payload, got, "server must receive real ClientHello unchanged (wrong-sequence fake must be dropped)") + case <-time.After(2 * time.Second): + t.Fatal("echo server did not receive real ClientHello") + } +} diff --git a/common/tlsspoof/integration_windows_test.go b/common/tlsspoof/integration_windows_test.go new file mode 100644 index 000000000..d3f823841 --- /dev/null +++ b/common/tlsspoof/integration_windows_test.go @@ -0,0 +1,139 @@ +//go:build windows && (amd64 || 386) + +package tlsspoof + +import ( + "encoding/hex" + "io" + "net" + "testing" + "time" + + "github.com/stretchr/testify/require" +) + +func newSpoofer(t *testing.T, conn net.Conn, method Method) Spoofer { + t.Helper() + spoofer, err := NewSpoofer(conn, method) + require.NoError(t, err) + return spoofer +} + +// Basic lifecycle: opening a spoofer against a live TCP conn installs +// the driver, spawns run(), then shuts down cleanly without ever +// injecting. Exercises the close path that cancels an in-flight Recv. +func TestIntegrationSpooferOpenClose(t *testing.T) { + listener, err := net.Listen("tcp4", "127.0.0.1:0") + require.NoError(t, err) + t.Cleanup(func() { listener.Close() }) + + accepted := make(chan net.Conn, 1) + go func() { + c, _ := listener.Accept() + accepted <- c + }() + client, err := net.Dial("tcp4", listener.Addr().String()) + require.NoError(t, err) + t.Cleanup(func() { client.Close() }) + server := <-accepted + t.Cleanup(func() { + if server != nil { + server.Close() + } + }) + + spoofer := newSpoofer(t, client, MethodWrongSequence) + require.NoError(t, spoofer.Close()) +} + +// End-to-end: Conn.Write injects a fake ClientHello with a rewritten +// SNI, then forwards the real ClientHello. With wrong-sequence, the +// fake lands before the connection's send-next sequence — the peer TCP +// stack treats it as already-received and only surfaces the real bytes +// to the echo server. +func TestIntegrationConnInjectsThenForwardsRealCH(t *testing.T) { + listener, err := net.Listen("tcp4", "127.0.0.1:0") + require.NoError(t, err) + t.Cleanup(func() { listener.Close() }) + + serverReceived := make(chan []byte, 1) + go func() { + conn, acceptErr := listener.Accept() + if acceptErr != nil { + return + } + defer conn.Close() + _ = conn.SetReadDeadline(time.Now().Add(5 * time.Second)) + got, _ := io.ReadAll(conn) + serverReceived <- got + }() + + client, err := net.Dial("tcp4", listener.Addr().String()) + require.NoError(t, err) + t.Cleanup(func() { client.Close() }) + + spoofer := newSpoofer(t, client, MethodWrongSequence) + wrapped := NewConn(client, spoofer, "letsencrypt.org") + + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + + n, err := wrapped.Write(payload) + require.NoError(t, err) + require.Equal(t, len(payload), n) + _ = wrapped.Close() + + select { + case got := <-serverReceived: + require.Equal(t, payload, got, + "server must receive real ClientHello unchanged (wrong-sequence fake must be dropped)") + case <-time.After(5 * time.Second): + t.Fatal("echo server did not receive real ClientHello within 5s") + } +} + +// Inject before any kernel payload: stages the fake, then Write flushes +// the real CH. Same terminal expectation as the Conn variant but via the +// Spoofer primitive directly. +func TestIntegrationSpooferInjectThenWrite(t *testing.T) { + listener, err := net.Listen("tcp4", "127.0.0.1:0") + require.NoError(t, err) + t.Cleanup(func() { listener.Close() }) + + serverReceived := make(chan []byte, 1) + go func() { + conn, acceptErr := listener.Accept() + if acceptErr != nil { + return + } + defer conn.Close() + _ = conn.SetReadDeadline(time.Now().Add(5 * time.Second)) + got, _ := io.ReadAll(conn) + serverReceived <- got + }() + + client, err := net.Dial("tcp4", listener.Addr().String()) + require.NoError(t, err) + t.Cleanup(func() { client.Close() }) + + spoofer := newSpoofer(t, client, MethodWrongSequence) + t.Cleanup(func() { spoofer.Close() }) + + payload, err := hex.DecodeString(realClientHello) + require.NoError(t, err) + fake, err := rewriteSNI(payload, "letsencrypt.org") + require.NoError(t, err) + require.NoError(t, spoofer.Inject(fake)) + + n, err := client.Write(payload) + require.NoError(t, err) + require.Equal(t, len(payload), n) + _ = client.Close() + + select { + case got := <-serverReceived: + require.Equal(t, payload, got) + case <-time.After(5 * time.Second): + t.Fatal("echo server did not receive real ClientHello within 5s") + } +} diff --git a/common/tlsspoof/packet.go b/common/tlsspoof/packet.go new file mode 100644 index 000000000..d84fc4b12 --- /dev/null +++ b/common/tlsspoof/packet.go @@ -0,0 +1,100 @@ +package tlsspoof + +import ( + "net/netip" + + "github.com/sagernet/sing-tun/gtcpip/checksum" + "github.com/sagernet/sing-tun/gtcpip/header" + E "github.com/sagernet/sing/common/exceptions" +) + +const ( + defaultTTL uint8 = 64 + defaultWindowSize uint16 = 0xFFFF + tcpHeaderLen = header.TCPMinimumSize +) + +func buildTCPSegment( + src netip.AddrPort, + dst netip.AddrPort, + seqNum uint32, + ackNum uint32, + payload []byte, + corruptChecksum bool, +) []byte { + if src.Addr().Is4() != dst.Addr().Is4() { + panic("tlsspoof: mixed IPv4/IPv6 address family") + } + var ( + frame []byte + ipHeaderLen int + ) + if src.Addr().Is4() { + ipHeaderLen = header.IPv4MinimumSize + frame = make([]byte, ipHeaderLen+tcpHeaderLen+len(payload)) + ip := header.IPv4(frame[:ipHeaderLen]) + ip.Encode(&header.IPv4Fields{ + TotalLength: uint16(len(frame)), + ID: 0, + TTL: defaultTTL, + Protocol: uint8(header.TCPProtocolNumber), + SrcAddr: src.Addr(), + DstAddr: dst.Addr(), + }) + ip.SetChecksum(^ip.CalculateChecksum()) + } else { + ipHeaderLen = header.IPv6MinimumSize + frame = make([]byte, ipHeaderLen+tcpHeaderLen+len(payload)) + ip := header.IPv6(frame[:ipHeaderLen]) + ip.Encode(&header.IPv6Fields{ + PayloadLength: uint16(tcpHeaderLen + len(payload)), + TransportProtocol: header.TCPProtocolNumber, + HopLimit: defaultTTL, + SrcAddr: src.Addr(), + DstAddr: dst.Addr(), + }) + } + encodeTCP(frame, ipHeaderLen, src, dst, seqNum, ackNum, payload, corruptChecksum) + return frame +} + +func encodeTCP(frame []byte, ipHeaderLen int, src, dst netip.AddrPort, seqNum, ackNum uint32, payload []byte, corruptChecksum bool) { + tcp := header.TCP(frame[ipHeaderLen:]) + copy(frame[ipHeaderLen+tcpHeaderLen:], payload) + tcp.Encode(&header.TCPFields{ + SrcPort: src.Port(), + DstPort: dst.Port(), + SeqNum: seqNum, + AckNum: ackNum, + DataOffset: tcpHeaderLen, + Flags: header.TCPFlagAck | header.TCPFlagPsh, + WindowSize: defaultWindowSize, + }) + applyTCPChecksum(tcp, src.Addr(), dst.Addr(), payload, corruptChecksum) +} + +func buildSpoofFrame(method Method, src, dst netip.AddrPort, sendNext, receiveNext uint32, payload []byte) ([]byte, error) { + var sequence uint32 + corrupt := false + switch method { + case MethodWrongSequence: + sequence = sendNext - uint32(len(payload)) + case MethodWrongChecksum: + sequence = sendNext + corrupt = true + default: + return nil, E.New("tls_spoof: unknown method ", method) + } + return buildTCPSegment(src, dst, sequence, receiveNext, payload, corrupt), nil +} + +func applyTCPChecksum(tcp header.TCP, srcAddr, dstAddr netip.Addr, payload []byte, corrupt bool) { + tcpLen := tcpHeaderLen + len(payload) + pseudo := header.PseudoHeaderChecksum(header.TCPProtocolNumber, srcAddr.AsSlice(), dstAddr.AsSlice(), uint16(tcpLen)) + payloadChecksum := checksum.Checksum(payload, 0) + tcpChecksum := ^tcp.CalculateChecksum(checksum.Combine(pseudo, payloadChecksum)) + if corrupt { + tcpChecksum ^= 0xFFFF + } + tcp.SetChecksum(tcpChecksum) +} diff --git a/common/tlsspoof/packet_test.go b/common/tlsspoof/packet_test.go new file mode 100644 index 000000000..992a96840 --- /dev/null +++ b/common/tlsspoof/packet_test.go @@ -0,0 +1,77 @@ +package tlsspoof + +import ( + "net/netip" + "testing" + + "github.com/sagernet/sing-tun/gtcpip" + "github.com/sagernet/sing-tun/gtcpip/checksum" + "github.com/sagernet/sing-tun/gtcpip/header" + + "github.com/stretchr/testify/require" +) + +func TestBuildTCPSegment_IPv4_ValidChecksum(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("10.0.0.1:54321") + dst := netip.MustParseAddrPort("1.2.3.4:443") + payload := []byte("fake-client-hello") + frame := buildTCPSegment(src, dst, 100_000, 200_000, payload, false) + + ip := header.IPv4(frame[:header.IPv4MinimumSize]) + require.True(t, ip.IsChecksumValid()) + + tcp := header.TCP(frame[header.IPv4MinimumSize:]) + payloadChecksum := checksum.Checksum(payload, 0) + require.True(t, tcp.IsChecksumValid( + tcpip.AddrFrom4(src.Addr().As4()), + tcpip.AddrFrom4(dst.Addr().As4()), + payloadChecksum, + uint16(len(payload)), + )) +} + +func TestBuildTCPSegment_IPv4_CorruptChecksum(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("10.0.0.1:54321") + dst := netip.MustParseAddrPort("1.2.3.4:443") + payload := []byte("fake-client-hello") + frame := buildTCPSegment(src, dst, 100_000, 200_000, payload, true) + + tcp := header.TCP(frame[header.IPv4MinimumSize:]) + payloadChecksum := checksum.Checksum(payload, 0) + require.False(t, tcp.IsChecksumValid( + tcpip.AddrFrom4(src.Addr().As4()), + tcpip.AddrFrom4(dst.Addr().As4()), + payloadChecksum, + uint16(len(payload)), + )) + // IP checksum must still be valid so the router forwards the packet. + require.True(t, header.IPv4(frame[:header.IPv4MinimumSize]).IsChecksumValid()) +} + +func TestBuildTCPSegment_IPv6_ValidChecksum(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("[fe80::1]:54321") + dst := netip.MustParseAddrPort("[2606:4700::1]:443") + payload := []byte("fake-client-hello") + frame := buildTCPSegment(src, dst, 0xDEADBEEF, 0x12345678, payload, false) + + tcp := header.TCP(frame[header.IPv6MinimumSize:]) + payloadChecksum := checksum.Checksum(payload, 0) + require.True(t, tcp.IsChecksumValid( + tcpip.AddrFrom16(src.Addr().As16()), + tcpip.AddrFrom16(dst.Addr().As16()), + payloadChecksum, + uint16(len(payload)), + )) +} + +func TestBuildTCPSegment_MixedFamilyPanics(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("10.0.0.1:54321") + dst := netip.MustParseAddrPort("[2606:4700::1]:443") + require.Panics(t, func() { + buildTCPSegment(src, dst, 0, 0, nil, false) + }) +} diff --git a/common/tlsspoof/raw_darwin.go b/common/tlsspoof/raw_darwin.go new file mode 100644 index 000000000..170561a87 --- /dev/null +++ b/common/tlsspoof/raw_darwin.go @@ -0,0 +1,161 @@ +package tlsspoof + +import ( + "encoding/binary" + "net" + "net/netip" + "strconv" + "strings" + "sync" + "syscall" + + E "github.com/sagernet/sing/common/exceptions" + + "golang.org/x/sys/unix" +) + +const PlatformSupported = true + +// Offsets into xinpcb_n within each net.inet.tcp.pcblist_n record, identical +// to the values used by common/process/searcher_darwin_shared.go. +const ( + darwinXinpgenSize = 24 + darwinXsocketOffset = 104 + darwinXinpcbForeignPort = 16 + darwinXinpcbLocalPort = 18 + darwinXinpcbVFlag = 44 + darwinXinpcbForeignAddr = 48 + darwinXinpcbLocalAddr = 64 + darwinXinpcbIPv4Offset = 12 + + darwinTCPExtraSize = 208 + + darwinXtcpcbSndNxtOffset = 56 + darwinXtcpcbRcvNxtOffset = 80 +) + +var darwinStructSize = sync.OnceValue(func() int { + value, _ := syscall.Sysctl("kern.osrelease") + major, _, _ := strings.Cut(value, ".") + n, _ := strconv.ParseInt(major, 10, 64) + if n >= 22 { + return 408 + } + return 384 +}) + +type darwinSpoofer struct { + method Method + src netip.AddrPort + dst netip.AddrPort + rawFD int + rawSockAddr unix.Sockaddr + sendNext uint32 + receiveNext uint32 +} + +func newRawSpoofer(conn net.Conn, method Method) (Spoofer, error) { + _, src, dst, err := tcpEndpoints(conn) + if err != nil { + return nil, err + } + fd, sockaddr, err := openDarwinRawSocket(dst) + if err != nil { + return nil, err + } + sendNext, receiveNext, err := readDarwinTCPSequence(src, dst) + if err != nil { + unix.Close(fd) + return nil, err + } + return &darwinSpoofer{ + method: method, + src: src, + dst: dst, + rawFD: fd, + rawSockAddr: sockaddr, + sendNext: sendNext, + receiveNext: receiveNext, + }, nil +} + +// readDarwinTCPSequence scans net.inet.tcp.pcblist_n for the PCB that matches +// src -> dst and returns (snd_nxt, rcv_nxt). These live in xtcpcb_n at the end +// of each record; see darwin-xnu bsd/netinet/in_pcblist.c:get_pcblist_n. +func readDarwinTCPSequence(src, dst netip.AddrPort) (uint32, uint32, error) { + buffer, err := unix.SysctlRaw("net.inet.tcp.pcblist_n") + if err != nil { + return 0, 0, E.Cause(err, "sysctl net.inet.tcp.pcblist_n") + } + structSize := darwinStructSize() + itemSize := structSize + darwinTCPExtraSize + for i := darwinXinpgenSize; i+itemSize <= len(buffer); i += itemSize { + inpcb := buffer[i : i+darwinXsocketOffset] + xtcpcb := buffer[i+structSize : i+itemSize] + localPort := binary.BigEndian.Uint16(inpcb[darwinXinpcbLocalPort : darwinXinpcbLocalPort+2]) + remotePort := binary.BigEndian.Uint16(inpcb[darwinXinpcbForeignPort : darwinXinpcbForeignPort+2]) + if localPort != src.Port() || remotePort != dst.Port() { + continue + } + versionFlag := inpcb[darwinXinpcbVFlag] + var localAddr, remoteAddr netip.Addr + switch { + case versionFlag&0x1 != 0: + localAddr = netip.AddrFrom4([4]byte(inpcb[darwinXinpcbLocalAddr+darwinXinpcbIPv4Offset : darwinXinpcbLocalAddr+darwinXinpcbIPv4Offset+4])) + remoteAddr = netip.AddrFrom4([4]byte(inpcb[darwinXinpcbForeignAddr+darwinXinpcbIPv4Offset : darwinXinpcbForeignAddr+darwinXinpcbIPv4Offset+4])) + case versionFlag&0x2 != 0: + localAddr = netip.AddrFrom16([16]byte(inpcb[darwinXinpcbLocalAddr : darwinXinpcbLocalAddr+16])) + remoteAddr = netip.AddrFrom16([16]byte(inpcb[darwinXinpcbForeignAddr : darwinXinpcbForeignAddr+16])) + default: + continue + } + if localAddr.Unmap() != src.Addr() || remoteAddr.Unmap() != dst.Addr() { + continue + } + sendNext := binary.NativeEndian.Uint32(xtcpcb[darwinXtcpcbSndNxtOffset : darwinXtcpcbSndNxtOffset+4]) + receiveNext := binary.NativeEndian.Uint32(xtcpcb[darwinXtcpcbRcvNxtOffset : darwinXtcpcbRcvNxtOffset+4]) + return sendNext, receiveNext, nil + } + return 0, 0, E.New("tls_spoof: connection ", src, "->", dst, " not found in pcblist_n") +} + +func openDarwinRawSocket(dst netip.AddrPort) (int, unix.Sockaddr, error) { + if !dst.Addr().Is4() { + // macOS does not expose IPV6_HDRINCL; raw AF_INET6 injection would + // require either BPF link-layer writes or kernel-side IPv6 header + // synthesis, neither of which is implemented here. + return -1, nil, E.New("tls_spoof: IPv6 not supported on darwin") + } + return openIPv4RawSocket(dst) +} + +func (s *darwinSpoofer) Inject(payload []byte) error { + frame, err := buildSpoofFrame(s.method, s.src, s.dst, s.sendNext, s.receiveNext, payload) + if err != nil { + return err + } + // Darwin inherits the historical BSD quirk: with IP_HDRINCL the kernel + // expects ip_len and ip_off in host byte order, not network byte order. + // Apple's rip_output swaps them back before transmission. This does not + // apply to IPv6. + if s.src.Addr().Is4() { + totalLen := binary.BigEndian.Uint16(frame[2:4]) + binary.NativeEndian.PutUint16(frame[2:4], totalLen) + fragOff := binary.BigEndian.Uint16(frame[6:8]) + binary.NativeEndian.PutUint16(frame[6:8], fragOff) + } + err = unix.Sendto(s.rawFD, frame, 0, s.rawSockAddr) + if err != nil { + return E.Cause(err, "sendto raw socket") + } + return nil +} + +func (s *darwinSpoofer) Close() error { + if s.rawFD < 0 { + return nil + } + err := unix.Close(s.rawFD) + s.rawFD = -1 + return err +} diff --git a/common/tlsspoof/raw_linux.go b/common/tlsspoof/raw_linux.go new file mode 100644 index 000000000..cb694aba9 --- /dev/null +++ b/common/tlsspoof/raw_linux.go @@ -0,0 +1,127 @@ +package tlsspoof + +import ( + "net" + "net/netip" + + "github.com/sagernet/sing/common/control" + E "github.com/sagernet/sing/common/exceptions" + + "golang.org/x/sys/unix" +) + +const PlatformSupported = true + +const ( + // Values of enum { TCP_NO_QUEUE, TCP_RECV_QUEUE, TCP_SEND_QUEUE } from + // include/net/tcp.h; not exported by golang.org/x/sys/unix. + tcpRecvQueue = 1 + tcpSendQueue = 2 +) + +type linuxSpoofer struct { + method Method + src netip.AddrPort + dst netip.AddrPort + rawFD int + rawSockAddr unix.Sockaddr + sendNext uint32 + receiveNext uint32 +} + +func newRawSpoofer(conn net.Conn, method Method) (Spoofer, error) { + tcpConn, src, dst, err := tcpEndpoints(conn) + if err != nil { + return nil, err + } + fd, sockaddr, err := openLinuxRawSocket(dst) + if err != nil { + return nil, err + } + spoofer := &linuxSpoofer{ + method: method, + src: src, + dst: dst, + rawFD: fd, + rawSockAddr: sockaddr, + } + err = spoofer.loadSequenceNumbers(tcpConn) + if err != nil { + unix.Close(fd) + return nil, err + } + return spoofer, nil +} + +func openLinuxRawSocket(dst netip.AddrPort) (int, unix.Sockaddr, error) { + if dst.Addr().Is4() { + return openIPv4RawSocket(dst) + } + fd, err := unix.Socket(unix.AF_INET6, unix.SOCK_RAW, unix.IPPROTO_TCP) + if err != nil { + return -1, nil, E.Cause(err, "open AF_INET6 SOCK_RAW") + } + err = unix.SetsockoptInt(fd, unix.IPPROTO_IPV6, unix.IPV6_HDRINCL, 1) + if err != nil { + unix.Close(fd) + return -1, nil, E.Cause(err, "set IPV6_HDRINCL") + } + sockaddr := &unix.SockaddrInet6{Port: int(dst.Port())} + sockaddr.Addr = dst.Addr().As16() + return fd, sockaddr, nil +} + +// loadSequenceNumbers puts the socket briefly into TCP_REPAIR mode to read +// snd_nxt and rcv_nxt from the kernel. TCP_REPAIR requires CAP_NET_ADMIN; +// callers must run as root or grant both CAP_NET_RAW and CAP_NET_ADMIN. +func (s *linuxSpoofer) loadSequenceNumbers(tcpConn *net.TCPConn) error { + return control.Conn(tcpConn, func(raw uintptr) error { + fd := int(raw) + err := unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR, unix.TCP_REPAIR_ON) + if err != nil { + return E.Cause(err, "enter TCP_REPAIR (need CAP_NET_ADMIN)") + } + defer unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR, unix.TCP_REPAIR_OFF) + + err = unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR_QUEUE, tcpSendQueue) + if err != nil { + return E.Cause(err, "select TCP_SEND_QUEUE") + } + sendSequence, err := unix.GetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_QUEUE_SEQ) + if err != nil { + return E.Cause(err, "read send queue sequence") + } + err = unix.SetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_REPAIR_QUEUE, tcpRecvQueue) + if err != nil { + return E.Cause(err, "select TCP_RECV_QUEUE") + } + receiveSequence, err := unix.GetsockoptInt(fd, unix.IPPROTO_TCP, unix.TCP_QUEUE_SEQ) + if err != nil { + return E.Cause(err, "read recv queue sequence") + } + s.sendNext = uint32(sendSequence) + s.receiveNext = uint32(receiveSequence) + return nil + }) +} + +func (s *linuxSpoofer) Inject(payload []byte) error { + frame, err := buildSpoofFrame(s.method, s.src, s.dst, s.sendNext, s.receiveNext, payload) + if err != nil { + return err + } + err = unix.Sendto(s.rawFD, frame, 0, s.rawSockAddr) + if err != nil { + return E.Cause(err, "sendto raw socket") + } + return nil +} + +func (s *linuxSpoofer) Close() error { + if s.rawFD < 0 { + return nil + } + err := unix.Close(s.rawFD) + s.rawFD = -1 + return err +} diff --git a/common/tlsspoof/raw_stub.go b/common/tlsspoof/raw_stub.go new file mode 100644 index 000000000..a2da87d6b --- /dev/null +++ b/common/tlsspoof/raw_stub.go @@ -0,0 +1,15 @@ +//go:build !linux && !darwin && !(windows && (amd64 || 386)) + +package tlsspoof + +import ( + "net" + + E "github.com/sagernet/sing/common/exceptions" +) + +const PlatformSupported = false + +func newRawSpoofer(conn net.Conn, method Method) (Spoofer, error) { + return nil, E.New("tls_spoof: unsupported platform") +} diff --git a/common/tlsspoof/raw_unix.go b/common/tlsspoof/raw_unix.go new file mode 100644 index 000000000..7ab1d44a2 --- /dev/null +++ b/common/tlsspoof/raw_unix.go @@ -0,0 +1,26 @@ +//go:build linux || darwin + +package tlsspoof + +import ( + "net/netip" + + E "github.com/sagernet/sing/common/exceptions" + + "golang.org/x/sys/unix" +) + +func openIPv4RawSocket(dst netip.AddrPort) (int, unix.Sockaddr, error) { + fd, err := unix.Socket(unix.AF_INET, unix.SOCK_RAW, unix.IPPROTO_TCP) + if err != nil { + return -1, nil, E.Cause(err, "open AF_INET SOCK_RAW") + } + err = unix.SetsockoptInt(fd, unix.IPPROTO_IP, unix.IP_HDRINCL, 1) + if err != nil { + unix.Close(fd) + return -1, nil, E.Cause(err, "set IP_HDRINCL") + } + sockaddr := &unix.SockaddrInet4{Port: int(dst.Port())} + sockaddr.Addr = dst.Addr().As4() + return fd, sockaddr, nil +} diff --git a/common/tlsspoof/raw_windows.go b/common/tlsspoof/raw_windows.go new file mode 100644 index 000000000..b6961169f --- /dev/null +++ b/common/tlsspoof/raw_windows.go @@ -0,0 +1,218 @@ +//go:build windows && (amd64 || 386) + +package tlsspoof + +import ( + "errors" + "net" + "net/netip" + "sync" + "sync/atomic" + "time" + + "github.com/sagernet/sing-box/common/windivert" + "github.com/sagernet/sing-tun/gtcpip/header" + E "github.com/sagernet/sing/common/exceptions" + + "golang.org/x/sys/windows" +) + +const PlatformSupported = true + +// closeGracePeriod caps how long Close() waits for the divert goroutine to +// observe the kernel-emitted real ClientHello and perform the reorder +// (fake → real). In practice this completes in microseconds; the cap +// bounds the pathological case where the kernel buffers the packet. +const closeGracePeriod = 2 * time.Second + +type windowsSpoofer struct { + method Method + src, dst netip.AddrPort + divertH *windivert.Handle + injectH *windivert.Handle + + fakeReady chan []byte // buffered(1): staged by Inject + done chan struct{} // closed by run() on exit + closeOnce sync.Once + runErr atomic.Pointer[error] +} + +func newRawSpoofer(conn net.Conn, method Method) (Spoofer, error) { + _, src, dst, err := tcpEndpoints(conn) + if err != nil { + return nil, err + } + + filter, err := windivert.OutboundTCP(src, dst) + if err != nil { + return nil, err + } + divertH, err := windivert.Open(filter, windivert.LayerNetwork, 0, 0) + if err != nil { + return nil, E.Cause(err, "tls_spoof: open WinDivert") + } + injectH, err := windivert.Open(nil, windivert.LayerNetwork, 0, windivert.FlagSendOnly) + if err != nil { + divertH.Close() + return nil, E.Cause(err, "tls_spoof: open WinDivert") + } + s := &windowsSpoofer{ + method: method, + src: src, + dst: dst, + divertH: divertH, + injectH: injectH, + fakeReady: make(chan []byte, 1), + done: make(chan struct{}), + } + go s.run() + return s, nil +} + +func (s *windowsSpoofer) Inject(payload []byte) error { + select { + case s.fakeReady <- payload: + return nil + case <-s.done: + if p := s.runErr.Load(); p != nil { + return *p + } + return E.New("tls_spoof: spoofer closed before Inject") + } +} + +func (s *windowsSpoofer) Close() error { + s.closeOnce.Do(func() { + // Give run() a grace window to finish handling the real packet. + select { + case <-s.done: + case <-time.After(closeGracePeriod): + // Force Recv() to return by closing the divert handle. + s.divertH.Close() + <-s.done + } + s.injectH.Close() + }) + if p := s.runErr.Load(); p != nil { + return *p + } + return nil +} + +func (s *windowsSpoofer) recordErr(err error) { s.runErr.Store(&err) } + +func (s *windowsSpoofer) run() { + defer close(s.done) + defer s.divertH.Close() + + buf := make([]byte, windivert.MTUMax) + for { + n, addr, err := s.divertH.Recv(buf) + if err != nil { + if errors.Is(err, windows.ERROR_OPERATION_ABORTED) || + errors.Is(err, windows.ERROR_NO_DATA) { + return + } + s.recordErr(E.Cause(err, "windivert recv")) + return + } + pkt := buf[:n] + seq, ack, payloadLen, ok := parseTCPFields(pkt, addr.IPv6()) + if !ok { + // Malformed / not TCP — shouldn't match our filter, but be safe. + _, _ = s.divertH.Send(pkt, &addr) + continue + } + if payloadLen == 0 { + // Handshake ACK, keepalive, FIN — pass through unchanged. + _, err := s.divertH.Send(pkt, &addr) + if err != nil { + s.recordErr(E.Cause(err, "windivert re-inject empty")) + return + } + continue + } + + // Non-empty outbound TCP payload = the real ClientHello. + var fake []byte + select { + case fake = <-s.fakeReady: + default: + // Inject() not yet called — pass through and keep observing. + _, err := s.divertH.Send(pkt, &addr) + if err != nil { + s.recordErr(E.Cause(err, "windivert re-inject early data")) + return + } + continue + } + + frame, err := buildSpoofFrame(s.method, s.src, s.dst, seq, ack, fake) + if err != nil { + s.recordErr(err) + return + } + fakeAddr := addr // inherit Outbound, IfIdx + // buildSpoofFrame emits ready-to-wire bytes. The driver recomputes + // checksums on Send when TCPChecksum/IPChecksum are 0 — which would + // overwrite the intentionally corrupt checksum in WrongChecksum mode. + // Force both to 1 to keep our bytes intact. + fakeAddr.SetIPChecksum(true) + fakeAddr.SetTCPChecksum(true) + _, err = s.injectH.Send(frame, &fakeAddr) + if err != nil { + s.recordErr(E.Cause(err, "windivert inject fake")) + return + } + _, err = s.divertH.Send(pkt, &addr) + if err != nil { + s.recordErr(E.Cause(err, "windivert re-inject real")) + return + } + return // single-shot reorder complete + } +} + +func parseTCPFields(pkt []byte, isV6 bool) (seq, ack uint32, payloadLen int, ok bool) { + if isV6 { + if len(pkt) < header.IPv6MinimumSize+header.TCPMinimumSize { + return 0, 0, 0, false + } + ip := header.IPv6(pkt) + if ip.TransportProtocol() != header.TCPProtocolNumber { + return 0, 0, 0, false + } + tcp := header.TCP(pkt[header.IPv6MinimumSize:]) + tcpHdr := int(tcp.DataOffset()) + if tcpHdr < header.TCPMinimumSize || header.IPv6MinimumSize+tcpHdr > len(pkt) { + return 0, 0, 0, false + } + return tcp.SequenceNumber(), tcp.AckNumber(), + len(pkt) - header.IPv6MinimumSize - tcpHdr, true + } + if len(pkt) < header.IPv4MinimumSize+header.TCPMinimumSize { + return 0, 0, 0, false + } + ip := header.IPv4(pkt) + if ip.Protocol() != uint8(header.TCPProtocolNumber) { + return 0, 0, 0, false + } + ihl := int(ip.HeaderLength()) + // ihl+TCPMinimumSize guards the TCP-header field reads below; without + // this, an IPv4 packet with options (ihl>20) against a 40-byte buffer + // reads past the TCP slice when calling DataOffset. + if ihl < header.IPv4MinimumSize || ihl+header.TCPMinimumSize > len(pkt) { + return 0, 0, 0, false + } + tcp := header.TCP(pkt[ihl:]) + tcpHdr := int(tcp.DataOffset()) + if tcpHdr < header.TCPMinimumSize || ihl+tcpHdr > len(pkt) { + return 0, 0, 0, false + } + total := int(ip.TotalLength()) + if total == 0 || total > len(pkt) { + total = len(pkt) + } + return tcp.SequenceNumber(), tcp.AckNumber(), + total - ihl - tcpHdr, true +} diff --git a/common/tlsspoof/raw_windows_test.go b/common/tlsspoof/raw_windows_test.go new file mode 100644 index 000000000..58566b875 --- /dev/null +++ b/common/tlsspoof/raw_windows_test.go @@ -0,0 +1,112 @@ +//go:build windows && (amd64 || 386) + +package tlsspoof + +import ( + "net/netip" + "testing" + + "github.com/sagernet/sing-tun/gtcpip/header" + + "github.com/stretchr/testify/require" +) + +func TestParseTCPFieldsIPv4Valid(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("10.0.0.1:54321") + dst := netip.MustParseAddrPort("1.2.3.4:443") + payload := []byte("hello") + frame := buildTCPSegment(src, dst, 1000, 2000, payload, false) + + seq, ack, payloadLen, ok := parseTCPFields(frame, false) + require.True(t, ok) + require.Equal(t, uint32(1000), seq) + require.Equal(t, uint32(2000), ack) + require.Equal(t, len(payload), payloadLen) +} + +func TestParseTCPFieldsIPv4NoPayload(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("10.0.0.1:54321") + dst := netip.MustParseAddrPort("1.2.3.4:443") + frame := buildTCPSegment(src, dst, 42, 100, nil, false) + + seq, ack, payloadLen, ok := parseTCPFields(frame, false) + require.True(t, ok) + require.Equal(t, uint32(42), seq) + require.Equal(t, uint32(100), ack) + require.Equal(t, 0, payloadLen) +} + +func TestParseTCPFieldsIPv6Valid(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("[fe80::1]:54321") + dst := netip.MustParseAddrPort("[2606:4700::1]:443") + payload := []byte("hello-v6") + frame := buildTCPSegment(src, dst, 0xDEADBEEF, 0x12345678, payload, false) + + seq, ack, payloadLen, ok := parseTCPFields(frame, true) + require.True(t, ok) + require.Equal(t, uint32(0xDEADBEEF), seq) + require.Equal(t, uint32(0x12345678), ack) + require.Equal(t, len(payload), payloadLen) +} + +func TestParseTCPFieldsIPv4TooShort(t *testing.T) { + t.Parallel() + _, _, _, ok := parseTCPFields(make([]byte, header.IPv4MinimumSize+header.TCPMinimumSize-1), false) + require.False(t, ok) +} + +func TestParseTCPFieldsIPv6TooShort(t *testing.T) { + t.Parallel() + _, _, _, ok := parseTCPFields(make([]byte, header.IPv6MinimumSize+header.TCPMinimumSize-1), true) + require.False(t, ok) +} + +// buildTCPSegment only produces TCP; a UDP packet hitting parseTCPFields +// (for example from a mis-specified filter) must be rejected. +func TestParseTCPFieldsIPv4WrongProtocol(t *testing.T) { + t.Parallel() + frame := make([]byte, header.IPv4MinimumSize+header.TCPMinimumSize) + ip := header.IPv4(frame[:header.IPv4MinimumSize]) + ip.Encode(&header.IPv4Fields{ + TotalLength: uint16(len(frame)), + TTL: 64, + Protocol: 17, // UDP + SrcAddr: netip.MustParseAddr("10.0.0.1"), + DstAddr: netip.MustParseAddr("10.0.0.2"), + }) + _, _, _, ok := parseTCPFields(frame, false) + require.False(t, ok) +} + +func TestParseTCPFieldsIPv6WrongProtocol(t *testing.T) { + t.Parallel() + frame := make([]byte, header.IPv6MinimumSize+header.TCPMinimumSize) + ip := header.IPv6(frame[:header.IPv6MinimumSize]) + ip.Encode(&header.IPv6Fields{ + PayloadLength: header.TCPMinimumSize, + TransportProtocol: 17, // UDP + HopLimit: 64, + SrcAddr: netip.MustParseAddr("fe80::1"), + DstAddr: netip.MustParseAddr("fe80::2"), + }) + _, _, _, ok := parseTCPFields(frame, true) + require.False(t, ok) +} + +// ihl > 20 must not read past the TCP slice. Build an IPv4 packet with +// options header but truncate so ihl*4 + TCPMinimumSize exceeds len. +func TestParseTCPFieldsIPv4OptionsOverflow(t *testing.T) { + t.Parallel() + // Start with a valid IPv4+TCP frame, then lie about the header length. + src := netip.MustParseAddrPort("10.0.0.1:1") + dst := netip.MustParseAddrPort("10.0.0.2:2") + frame := buildTCPSegment(src, dst, 0, 0, []byte("x"), false) + ip := header.IPv4(frame[:header.IPv4MinimumSize]) + // ihl=15 → 60 bytes of IP header claimed, but buffer only has 20. + ip.SetHeaderLength(60) + _, _, _, ok := parseTCPFields(frame, false) + require.False(t, ok) +} diff --git a/common/tlsspoof/spoof.go b/common/tlsspoof/spoof.go new file mode 100644 index 000000000..2a27ec328 --- /dev/null +++ b/common/tlsspoof/spoof.go @@ -0,0 +1,100 @@ +package tlsspoof + +import ( + "net" + + E "github.com/sagernet/sing/common/exceptions" +) + +type Method int + +const ( + MethodWrongSequence Method = iota + MethodWrongChecksum +) + +const ( + MethodNameWrongSequence = "wrong-sequence" + MethodNameWrongChecksum = "wrong-checksum" +) + +func ParseMethod(s string) (Method, error) { + switch s { + case "", MethodNameWrongSequence: + return MethodWrongSequence, nil + case MethodNameWrongChecksum: + return MethodWrongChecksum, nil + default: + return 0, E.New("tls_spoof: unknown method: ", s) + } +} + +func (m Method) String() string { + switch m { + case MethodWrongSequence: + return MethodNameWrongSequence + case MethodWrongChecksum: + return MethodNameWrongChecksum + default: + return "unknown" + } +} + +type Spoofer interface { + Inject(payload []byte) error + Close() error +} + +func NewSpoofer(conn net.Conn, method Method) (Spoofer, error) { + return newRawSpoofer(conn, method) +} + +type Conn struct { + net.Conn + spoofer Spoofer + fakeSNI string + injected bool +} + +func NewConn(conn net.Conn, spoofer Spoofer, fakeSNI string) *Conn { + return &Conn{ + Conn: conn, + spoofer: spoofer, + fakeSNI: fakeSNI, + } +} + +func (c *Conn) Write(b []byte) (int, error) { + if c.injected { + return c.Conn.Write(b) + } + defer c.spoofer.Close() + fake, err := rewriteSNI(b, c.fakeSNI) + if err != nil { + return 0, E.Cause(err, "tls_spoof: rewrite SNI") + } + err = c.spoofer.Inject(fake) + if err != nil { + return 0, E.Cause(err, "tls_spoof: inject") + } + c.injected = true + return c.Conn.Write(b) +} + +func (c *Conn) Close() error { + return E.Append(c.Conn.Close(), c.spoofer.Close(), func(e error) error { + return E.Cause(e, "close spoofer") + }) +} + +func (c *Conn) ReaderReplaceable() bool { + return true +} + +func (c *Conn) WriterReplaceable() bool { + return c.injected +} + +func (c *Conn) Upstream() any { + return c.Conn +} diff --git a/common/windivert/address_test.go b/common/windivert/address_test.go new file mode 100644 index 000000000..bfc995589 --- /dev/null +++ b/common/windivert/address_test.go @@ -0,0 +1,53 @@ +package windivert + +import ( + "testing" + "unsafe" + + "github.com/stretchr/testify/require" +) + +func TestAddressSize(t *testing.T) { + t.Parallel() + require.Equal(t, uintptr(80), unsafe.Sizeof(Address{})) +} + +func TestAddressIPv6(t *testing.T) { + t.Parallel() + var addr Address + require.False(t, addr.IPv6()) + addr.bits = 1 << addrBitIPv6 + require.True(t, addr.IPv6()) +} + +func TestAddressSetIPChecksum(t *testing.T) { + t.Parallel() + var addr Address + addr.SetIPChecksum(true) + require.Equal(t, uint32(1< + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. + + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. + + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. + + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. + +============================================================================== + + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. + +============================================================================== + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. + diff --git a/common/windivert/assets/WinDivert32.sys b/common/windivert/assets/WinDivert32.sys new file mode 100644 index 000000000..d06738cbb Binary files /dev/null and b/common/windivert/assets/WinDivert32.sys differ diff --git a/common/windivert/assets/WinDivert64.sys b/common/windivert/assets/WinDivert64.sys new file mode 100644 index 000000000..218ccaf42 Binary files /dev/null and b/common/windivert/assets/WinDivert64.sys differ diff --git a/common/windivert/assets_386.go b/common/windivert/assets_386.go new file mode 100644 index 000000000..0cbf35ed5 --- /dev/null +++ b/common/windivert/assets_386.go @@ -0,0 +1,14 @@ +//go:build windows && 386 + +package windivert + +import _ "embed" + +//go:embed assets/WinDivert32.sys +var sysBytes []byte + +func assetFiles() []assetFile { + return []assetFile{{"WinDivert32.sys", sysBytes}} +} + +func driverSysName() string { return "WinDivert32.sys" } diff --git a/common/windivert/assets_amd64.go b/common/windivert/assets_amd64.go new file mode 100644 index 000000000..2c9fb6c6a --- /dev/null +++ b/common/windivert/assets_amd64.go @@ -0,0 +1,14 @@ +//go:build windows && amd64 + +package windivert + +import _ "embed" + +//go:embed assets/WinDivert64.sys +var sysBytes []byte + +func assetFiles() []assetFile { + return []assetFile{{"WinDivert64.sys", sysBytes}} +} + +func driverSysName() string { return "WinDivert64.sys" } diff --git a/common/windivert/assets_unsupported.go b/common/windivert/assets_unsupported.go new file mode 100644 index 000000000..04698953f --- /dev/null +++ b/common/windivert/assets_unsupported.go @@ -0,0 +1,7 @@ +//go:build windows && !amd64 && !386 + +package windivert + +func assetFiles() []assetFile { return nil } + +func driverSysName() string { return "" } diff --git a/common/windivert/driver_windows.go b/common/windivert/driver_windows.go new file mode 100644 index 000000000..d6bc59f89 --- /dev/null +++ b/common/windivert/driver_windows.go @@ -0,0 +1,212 @@ +//go:build windows + +package windivert + +import ( + "errors" + "os" + "path/filepath" + "runtime" + "strconv" + "sync" + + E "github.com/sagernet/sing/common/exceptions" + + "golang.org/x/sys/windows" +) + +const ( + driverServiceName = "WinDivert" + driverDeviceName = `\\.\WinDivert` +) + +var ( + driverOnce sync.Once + driverErr error + // driverDevName is ASCII-safe and must be available before ensureDriver + // so Open can try CreateFile first and only install on FILE_NOT_FOUND. + driverDevName, _ = windows.UTF16PtrFromString(driverDeviceName) +) + +// Requires SeLoadDriverPrivilege (Administrator). Running the 386 build +// under WOW64 on a 64-bit kernel is rejected — use the amd64 build. +func ensureDriver() error { + driverOnce.Do(func() { + driverErr = installDriver() + }) + return driverErr +} + +func installDriver() error { + if runtime.GOARCH == "386" { + var isWow64 bool + err := windows.IsWow64Process(windows.CurrentProcess(), &isWow64) + if err == nil && isWow64 { + return E.New("windivert: 386 build detected running under WOW64 on a 64-bit kernel; use the amd64 build") + } + } + + dir, err := ensureExtracted() + if err != nil { + return err + } + sysPath := filepath.Join(dir, driverSysName()) + sysPathW, err := windows.UTF16PtrFromString(sysPath) + if err != nil { + return E.Cause(err, "windivert: utf16 driver path") + } + + // Serialize driver install across concurrent processes. + mutexName, _ := windows.UTF16PtrFromString("WinDivertDriverInstallMutex") + mutex, err := windows.CreateMutex(nil, false, mutexName) + if err != nil { + return E.Cause(err, "windivert: create install mutex") + } + defer windows.CloseHandle(mutex) + _, err = windows.WaitForSingleObject(mutex, windows.INFINITE) + if err != nil { + return E.Cause(err, "windivert: wait install mutex") + } + defer windows.ReleaseMutex(mutex) + + manager, err := windows.OpenSCManager(nil, nil, windows.SC_MANAGER_ALL_ACCESS) + if err != nil { + return E.Cause(err, "windivert: open SCM") + } + defer windows.CloseServiceHandle(manager) + + serviceNameW, _ := windows.UTF16PtrFromString(driverServiceName) + service, err := windows.OpenService(manager, serviceNameW, windows.SERVICE_ALL_ACCESS) + if err != nil { + service, err = windows.CreateService( + manager, + serviceNameW, + serviceNameW, + windows.SERVICE_ALL_ACCESS, + windows.SERVICE_KERNEL_DRIVER, + windows.SERVICE_DEMAND_START, + windows.SERVICE_ERROR_NORMAL, + sysPathW, + nil, nil, nil, nil, nil, + ) + if err != nil { + if errors.Is(err, windows.ERROR_SERVICE_EXISTS) { + service, err = windows.OpenService(manager, serviceNameW, windows.SERVICE_ALL_ACCESS) + } + if err != nil { + return wrapDriverInstallError(err) + } + } + } + defer windows.CloseServiceHandle(service) + + err = windows.StartService(service, 0, nil) + if err != nil && errors.Is(err, windows.ERROR_SERVICE_DISABLED) { + // A prior process called DeleteService on a still-running kernel + // driver: SCM marks the record for deletion and flips START_TYPE + // to DISABLED until the last handle closes. Re-enable so we can + // start it instead of waiting for a reboot. + err = windows.ChangeServiceConfig( + service, + windows.SERVICE_NO_CHANGE, + windows.SERVICE_DEMAND_START, + windows.SERVICE_NO_CHANGE, + nil, nil, nil, nil, nil, nil, nil, + ) + if err != nil { + return E.Cause(err, "windivert: re-enable disabled service") + } + err = windows.StartService(service, 0, nil) + } + if err == nil { + // Mark for deletion so the driver unregisters when the last handle + // closes or on next reboot. Matches the upstream DLL's behavior: + // only the process that actually started the service takes on the + // cleanup responsibility. If another process already started it, + // we leave DeleteService to them. + _ = windows.DeleteService(service) + } else if !errors.Is(err, windows.ERROR_SERVICE_ALREADY_RUNNING) { + return E.Cause(err, "windivert: start service") + } + return nil +} + +func wrapDriverInstallError(err error) error { + if errors.Is(err, windows.ERROR_ACCESS_DENIED) { + return E.Cause(err, "windivert: installing the kernel driver requires Administrator privileges") + } + return E.Cause(err, "windivert: create service") +} + +type assetFile struct { + name string + data []byte +} + +var ( + extractOnce sync.Once + extractErr error + extractDir string +) + +// The on-disk copy is protected by Windows Authenticode signature +// enforcement, which rejects any tampered .sys at StartService time. +func ensureExtracted() (string, error) { + extractOnce.Do(func() { + extractDir, extractErr = extractImpl() + }) + return extractDir, extractErr +} + +func extractImpl() (string, error) { + files := assetFiles() + if len(files) == 0 { + return "", E.New("windivert: unsupported architecture ", runtime.GOARCH) + } + + base, err := os.UserCacheDir() + if err != nil { + return "", E.Cause(err, "windivert: locate user cache dir") + } + dir := filepath.Join(base, "sing-box", "windivert", "v"+AssetVersion) + err = os.MkdirAll(dir, 0o755) + if err != nil { + return "", E.Cause(err, "windivert: mkdir ", dir) + } + + for _, asset := range files { + err = ensureAsset(dir, asset) + if err != nil { + return "", err + } + } + return dir, nil +} + +// Concurrent sing-box processes race on os.Rename (atomic on NTFS); +// whichever wins creates the final file. Writers that lose the race +// silently discard their temp copy. +func ensureAsset(dir string, asset assetFile) error { + target := filepath.Join(dir, asset.name) + _, err := os.Stat(target) + if err == nil { + return nil + } + if !os.IsNotExist(err) { + return E.Cause(err, "windivert: stat ", asset.name) + } + tmp := target + ".tmp-" + strconv.Itoa(os.Getpid()) + err = os.WriteFile(tmp, asset.data, 0o644) + if err != nil { + return E.Cause(err, "windivert: write ", asset.name) + } + err = os.Rename(tmp, target) + if err != nil { + os.Remove(tmp) + if _, statErr := os.Stat(target); statErr == nil { + return nil + } + return E.Cause(err, "windivert: rename ", asset.name) + } + return nil +} diff --git a/common/windivert/filter.go b/common/windivert/filter.go new file mode 100644 index 000000000..5c8fb5adc --- /dev/null +++ b/common/windivert/filter.go @@ -0,0 +1,182 @@ +package windivert + +import ( + "encoding/binary" + "net/netip" + + E "github.com/sagernet/sing/common/exceptions" +) + +// WINDIVERT_FILTER VM instruction layout (24 bytes, #pragma pack(1)): +// +// word 0 (LE): field:11 | test:5 | success:16 +// word 1 (LE): failure:16 | neg:1 | reserved:15 +// words 2..5: arg[4] (native-endian uint32 each) +// +// The driver walks this as a decision tree: evaluate the test at inst i; +// on success jump to success; on failure jump to failure. Continuations +// 0x7FFE and 0x7FFF are ACCEPT and REJECT terminals. +const ( + filterInstBytes = 24 + filterMaxInsts = 256 + + fieldZero = 0 + fieldOutbound = 2 + fieldIP = 5 + fieldIPv6 = 6 + fieldTCP = 8 + fieldIPSrcAddr = 21 + fieldIPDstAddr = 22 + fieldIPv6SrcAddr = 28 + fieldIPv6DstAddr = 29 + fieldTCPSrcPort = 38 + fieldTCPDstPort = 39 + + testEQ = 0 + + resultAccept uint16 = 0x7FFE + resultReject uint16 = 0x7FFF +) + +// Filter flags passed to IOCTL_WINDIVERT_STARTUP alongside the compiled +// filter. These tell the driver what *kinds* of packets the filter might +// match, used as a kernel-side fast-reject. +const ( + filterFlagOutbound uint64 = 0x0020 + filterFlagIP uint64 = 0x0040 + filterFlagIPv6 uint64 = 0x0080 +) + +type filterInst struct { + field uint16 // 11 bits used + test uint8 // 5 bits used + success uint16 + failure uint16 + neg bool + arg [4]uint32 +} + +// Filter is a typed specification of packets to capture. It replaces +// WinDivert's filter string language. +// +// Zero value = "reject all" (match nothing), suitable for send-only handles. +type Filter struct { + insts []filterInst + flags uint64 // filter flags for STARTUP ioctl +} + +// reject returns a filter that matches no packet. The empty insts slice +// is encoded as a single rejecting instruction by encode(). +func reject() *Filter { + return &Filter{} +} + +// OutboundTCP returns a filter matching outbound TCP packets on the given +// 5-tuple. Both addresses must share an address family (IPv4 or IPv6). +func OutboundTCP(src, dst netip.AddrPort) (*Filter, error) { + if !src.IsValid() || !dst.IsValid() { + return nil, E.New("windivert: filter: invalid address port") + } + if src.Addr().Is4() != dst.Addr().Is4() { + return nil, E.New("windivert: filter: mixed IPv4/IPv6") + } + f := &Filter{ + flags: filterFlagOutbound, + } + // Insts chain as AND: each test's failure = REJECT, success = next inst. + // The final inst's success = ACCEPT. + f.add(fieldOutbound, testEQ, argUint32(1)) + if src.Addr().Is4() { + f.flags |= filterFlagIP + f.add(fieldIP, testEQ, argUint32(1)) + f.add(fieldTCP, testEQ, argUint32(1)) + f.add(fieldIPSrcAddr, testEQ, argIPv4(src.Addr())) + f.add(fieldIPDstAddr, testEQ, argIPv4(dst.Addr())) + } else { + f.flags |= filterFlagIPv6 + f.add(fieldIPv6, testEQ, argUint32(1)) + f.add(fieldTCP, testEQ, argUint32(1)) + f.add(fieldIPv6SrcAddr, testEQ, argIPv6(src.Addr())) + f.add(fieldIPv6DstAddr, testEQ, argIPv6(dst.Addr())) + } + f.add(fieldTCPSrcPort, testEQ, argUint32(uint32(src.Port()))) + f.add(fieldTCPDstPort, testEQ, argUint32(uint32(dst.Port()))) + return f, nil +} + +func (f *Filter) add(field uint16, test uint8, arg [4]uint32) { + f.insts = append(f.insts, filterInst{field: field, test: test, arg: arg}) +} + +func argUint32(v uint32) [4]uint32 { return [4]uint32{v, 0, 0, 0} } + +// argIPv4 encodes an IPv4 address for IP_SRCADDR/IP_DSTADDR. The driver +// compares against an IPv4-mapped-IPv6 form: {host_order_u32, 0x0000FFFF, +// 0, 0} (see sys/windivert.c windivert_get_ipv4_addr and the IPv4_SRCADDR +// val-word construction). Omitting the 0x0000FFFF marker causes the EQ +// test to fail for every packet. +func argIPv4(addr netip.Addr) [4]uint32 { + b := addr.As4() + return [4]uint32{binary.BigEndian.Uint32(b[:]), 0x0000FFFF, 0, 0} +} + +// argIPv6 encodes an IPv6 address for IPV6_SRCADDR/IPV6_DSTADDR. The +// driver stores the address as four host-order uint32s in REVERSED word +// order: val[0]=low (bytes 12..15), val[3]=high (bytes 0..3). See +// sys/windivert.c windivert_outbound_network_v6_classify val-word +// construction. +func argIPv6(addr netip.Addr) [4]uint32 { + b := addr.As16() + return [4]uint32{ + binary.BigEndian.Uint32(b[12:16]), + binary.BigEndian.Uint32(b[8:12]), + binary.BigEndian.Uint32(b[4:8]), + binary.BigEndian.Uint32(b[0:4]), + } +} + +// encode serializes the Filter to the on-wire WINDIVERT_FILTER[] format +// plus the filter_flags for STARTUP ioctl. +func (f *Filter) encode() ([]byte, uint64, error) { + if len(f.insts) == 0 { + // "Reject all" — one instruction, ZERO == 0 is always true, but we + // invert by setting both success and failure to REJECT. + return encodeInst(filterInst{ + field: fieldZero, + test: testEQ, + success: resultReject, + failure: resultReject, + }), 0, nil + } + if len(f.insts) > filterMaxInsts-1 { + return nil, 0, E.New("windivert: filter too long") + } + buf := make([]byte, 0, filterInstBytes*len(f.insts)) + for i, inst := range f.insts { + if i == len(f.insts)-1 { + inst.success = resultAccept + } else { + inst.success = uint16(i + 1) + } + inst.failure = resultReject + buf = append(buf, encodeInst(inst)...) + } + return buf, f.flags, nil +} + +func encodeInst(inst filterInst) []byte { + out := make([]byte, filterInstBytes) + word0 := uint32(inst.field&0x7FF) | uint32(inst.test&0x1F)<<11 | + uint32(inst.success)<<16 + word1 := uint32(inst.failure) + if inst.neg { + word1 |= 1 << 16 + } + binary.LittleEndian.PutUint32(out[0:4], word0) + binary.LittleEndian.PutUint32(out[4:8], word1) + binary.LittleEndian.PutUint32(out[8:12], inst.arg[0]) + binary.LittleEndian.PutUint32(out[12:16], inst.arg[1]) + binary.LittleEndian.PutUint32(out[16:20], inst.arg[2]) + binary.LittleEndian.PutUint32(out[20:24], inst.arg[3]) + return out +} diff --git a/common/windivert/filter_test.go b/common/windivert/filter_test.go new file mode 100644 index 000000000..babac3e86 --- /dev/null +++ b/common/windivert/filter_test.go @@ -0,0 +1,140 @@ +package windivert + +import ( + "encoding/binary" + "net/netip" + "testing" +) + +func TestRejectFilter(t *testing.T) { + t.Parallel() + bin, flags, err := reject().encode() + if err != nil { + t.Fatal(err) + } + if len(bin) != filterInstBytes { + t.Fatalf("reject filter len: got %d, want %d", len(bin), filterInstBytes) + } + if flags != 0 { + t.Fatalf("reject filter flags: got %x, want 0", flags) + } + // word0: field=ZERO=0, test=EQ=0, success=REJECT=0x7FFF + word0 := binary.LittleEndian.Uint32(bin[0:4]) + if word0 != uint32(resultReject)<<16 { + t.Fatalf("reject word0 = %08x", word0) + } + // word1: failure=REJECT + word1 := binary.LittleEndian.Uint32(bin[4:8]) + if word1 != uint32(resultReject) { + t.Fatalf("reject word1 = %08x", word1) + } +} + +func TestOutboundTCPFilterIPv4(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("10.1.2.3:54321") + dst := netip.MustParseAddrPort("1.2.3.4:443") + f, err := OutboundTCP(src, dst) + if err != nil { + t.Fatal(err) + } + bin, flags, err := f.encode() + if err != nil { + t.Fatal(err) + } + if want := filterFlagOutbound | filterFlagIP; flags != want { + t.Fatalf("flags: got %x, want %x", flags, want) + } + // 7 instructions: OUTBOUND, IP, TCP, IP_SRCADDR, IP_DSTADDR, TCP_SRCPORT, TCP_DSTPORT + const wantInsts = 7 + if len(bin) != wantInsts*filterInstBytes { + t.Fatalf("instruction count: got %d, want %d", len(bin)/filterInstBytes, wantInsts) + } + + // Inst 0: OUTBOUND == 1, success=1, failure=REJECT + checkInst(t, bin[0*filterInstBytes:], 0, fieldOutbound, testEQ, 1, resultReject, 1) + // Inst 1: IP == 1, success=2 + checkInst(t, bin[1*filterInstBytes:], 1, fieldIP, testEQ, 2, resultReject, 1) + // Inst 2: TCP == 1, success=3 + checkInst(t, bin[2*filterInstBytes:], 2, fieldTCP, testEQ, 3, resultReject, 1) + // Inst 3: IP_SRCADDR == 10.1.2.3 (host-order uint32 = 0x0A010203, arg[1]=0x0000FFFF marker) + checkInst(t, bin[3*filterInstBytes:], 3, fieldIPSrcAddr, testEQ, 4, resultReject, 0x0A010203) + checkArg1(t, bin[3*filterInstBytes:], 3, 0x0000FFFF) + // Inst 4: IP_DSTADDR == 1.2.3.4 + checkInst(t, bin[4*filterInstBytes:], 4, fieldIPDstAddr, testEQ, 5, resultReject, 0x01020304) + checkArg1(t, bin[4*filterInstBytes:], 4, 0x0000FFFF) + // Inst 5: TCP_SRCPORT == 54321 + checkInst(t, bin[5*filterInstBytes:], 5, fieldTCPSrcPort, testEQ, 6, resultReject, 54321) + // Last inst 6: TCP_DSTPORT == 443, success=ACCEPT + checkInst(t, bin[6*filterInstBytes:], 6, fieldTCPDstPort, testEQ, resultAccept, resultReject, 443) +} + +func TestOutboundTCPFilterIPv6(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("[2001:db8::1]:54321") + dst := netip.MustParseAddrPort("[2001:db8::2]:443") + f, err := OutboundTCP(src, dst) + if err != nil { + t.Fatal(err) + } + bin, flags, err := f.encode() + if err != nil { + t.Fatal(err) + } + if want := filterFlagOutbound | filterFlagIPv6; flags != want { + t.Fatalf("flags: got %x, want %x", flags, want) + } + // Inst 3: IPv6_SRCADDR. The driver stores the address in reversed + // word order: arg[0]=low (bytes 12..15)=1, arg[3]=high (bytes 0..3)=0x20010db8. + off := 3 * filterInstBytes + a0 := binary.LittleEndian.Uint32(bin[off+8:]) + a1 := binary.LittleEndian.Uint32(bin[off+12:]) + a2 := binary.LittleEndian.Uint32(bin[off+16:]) + a3 := binary.LittleEndian.Uint32(bin[off+20:]) + if a0 != 1 || a1 != 0 || a2 != 0 || a3 != 0x20010db8 { + t.Fatalf("ipv6 src arg=[%08x %08x %08x %08x], want [1 0 0 0x20010db8]", a0, a1, a2, a3) + } +} + +func TestOutboundTCPFilterMixedFamily(t *testing.T) { + t.Parallel() + src := netip.MustParseAddrPort("10.0.0.1:1234") + dst := netip.MustParseAddrPort("[2001:db8::1]:443") + if _, err := OutboundTCP(src, dst); err == nil { + t.Fatal("expected error for mixed families") + } +} + +func checkArg1(t *testing.T, raw []byte, idx int, arg1 uint32) { + t.Helper() + got := binary.LittleEndian.Uint32(raw[12:16]) + if got != arg1 { + t.Errorf("inst %d arg[1]: got %08x, want %08x", idx, got, arg1) + } +} + +func checkInst(t *testing.T, raw []byte, idx int, field uint16, test uint8, success, failure uint16, arg0 uint32) { + t.Helper() + word0 := binary.LittleEndian.Uint32(raw[0:4]) + word1 := binary.LittleEndian.Uint32(raw[4:8]) + a0 := binary.LittleEndian.Uint32(raw[8:12]) + gotField := uint16(word0 & 0x7FF) + gotTest := uint8((word0 >> 11) & 0x1F) + gotSuccess := uint16(word0 >> 16) + gotFailure := uint16(word1 & 0xFFFF) + if gotField != field { + t.Errorf("inst %d field: got %d, want %d", idx, gotField, field) + } + if gotTest != test { + t.Errorf("inst %d test: got %d, want %d", idx, gotTest, test) + } + if gotSuccess != success { + t.Errorf("inst %d success: got %d, want %d", idx, gotSuccess, success) + } + if gotFailure != failure { + t.Errorf("inst %d failure: got %d, want %d", idx, gotFailure, failure) + } + if a0 != arg0 { + t.Errorf("inst %d arg[0]: got %08x, want %08x", idx, a0, arg0) + } +} diff --git a/common/windivert/handle_windows.go b/common/windivert/handle_windows.go new file mode 100644 index 000000000..e7f5ae673 --- /dev/null +++ b/common/windivert/handle_windows.go @@ -0,0 +1,320 @@ +//go:build windows + +package windivert + +import ( + "encoding/binary" + "errors" + "runtime" + "sync" + "unsafe" + + E "github.com/sagernet/sing/common/exceptions" + + "golang.org/x/sys/windows" +) + +// Handle owns a WinDivert kernel device handle plus a private event for +// overlapped I/O. Methods on *Handle are not safe for concurrent use +// across goroutines (there is a single shared event per Handle). +// +// addr is a per-Handle Address buffer the IOCTL struct embeds a pointer +// to. It lives on the heap (as a field of a heap-allocated Handle) so +// the pointer value stored as bytes in the ioctl buffer remains valid +// across stack growth between buildIoctl* and the DeviceIoControl +// syscall — stack-local Address values are not safe for this pattern +// because Go's escape analysis does not see the pointer through the +// unsafe.Pointer → uintptr → bytes conversion. +type Handle struct { + device windows.Handle + event windows.Handle + closing sync.Once + closeErr error + addr Address +} + +// Filter may be nil for "reject all", suitable for send-only handles. +// Requires Administrator on first call per process (installs the kernel +// driver via SCM); subsequent calls reuse the running driver. +func Open(filter *Filter, layer Layer, priority int16, flags Flag) (*Handle, error) { + err := validateOpenArgs(layer, priority, flags) + if err != nil { + return nil, err + } + if filter == nil { + filter = reject() + } + filterBin, filterFlags, err := filter.encode() + if err != nil { + return nil, err + } + device, err := openDevice() + if err != nil { + if !errors.Is(err, windows.ERROR_FILE_NOT_FOUND) && + !errors.Is(err, windows.ERROR_PATH_NOT_FOUND) { + if errors.Is(err, windows.ERROR_ACCESS_DENIED) { + return nil, E.Cause(err, "windivert: open device (administrator required)") + } + return nil, E.Cause(err, "windivert: open device") + } + // Device node missing: kernel driver not loaded. Install + retry. + // Matches WinDivertOpen's lazy-install path; avoids racing StartService + // against a still-loaded driver whose SCM record is marked for deletion. + err = ensureDriver() + if err != nil { + return nil, err + } + device, err = openDevice() + if err != nil { + if errors.Is(err, windows.ERROR_ACCESS_DENIED) { + return nil, E.Cause(err, "windivert: open device (administrator required)") + } + return nil, E.Cause(err, "windivert: open device") + } + } + event, err := windows.CreateEvent(nil, 1, 0, nil) // manual reset, unsignaled + if err != nil { + windows.CloseHandle(device) + return nil, E.Cause(err, "windivert: create event") + } + h := &Handle{device: device, event: event} + + err = h.initialize(layer, priority, flags) + if err != nil { + h.Close() + return nil, err + } + err = h.startup(filterBin, filterFlags) + if err != nil { + h.Close() + return nil, err + } + return h, nil +} + +func openDevice() (windows.Handle, error) { + return windows.CreateFile( + driverDevName, + windows.GENERIC_READ|windows.GENERIC_WRITE, + 0, nil, + windows.OPEN_EXISTING, + windows.FILE_ATTRIBUTE_NORMAL|windows.FILE_FLAG_OVERLAPPED, + 0, + ) +} + +func validateOpenArgs(layer Layer, priority int16, flags Flag) error { + if layer != LayerNetwork { + return E.New("windivert: invalid layer ", uint32(layer)) + } + if priority < PriorityLowest || priority > PriorityHighest { + return E.New("windivert: priority out of range") + } + if flags&^FlagSendOnly != 0 { + return E.New("windivert: unknown flag bits") + } + return nil +} + +func (h *Handle) initialize(layer Layer, priority int16, flags Flag) error { + in := buildIoctlInitialize(layer, priority, flags) + // WINDIVERT_VERSION is a 64-byte packed struct; only the first 20 + // bytes (magic, major, minor, bits) carry data, the rest is reserved. + var outBuf [versionStructSize]byte + binary.LittleEndian.PutUint64(outBuf[0:8], magicDLL) + binary.LittleEndian.PutUint32(outBuf[8:12], versionMajor) + binary.LittleEndian.PutUint32(outBuf[12:16], versionMinor) + binary.LittleEndian.PutUint32(outBuf[16:20], uint32(unsafe.Sizeof(uintptr(0))*8)) + _, err := doIoctl(h.device, ioctlInitialize, in[:], outBuf[:], h.event) + if err != nil { + return E.Cause(err, "windivert: initialize ioctl") + } + gotMagic := binary.LittleEndian.Uint64(outBuf[0:8]) + if gotMagic != magicSYS { + return E.New("windivert: driver magic mismatch (got ", gotMagic, ")") + } + gotMajor := binary.LittleEndian.Uint32(outBuf[8:12]) + if gotMajor < versionMajor { + gotMinor := binary.LittleEndian.Uint32(outBuf[12:16]) + return E.New("windivert: driver version too old: ", gotMajor, ".", gotMinor) + } + return nil +} + +func (h *Handle) startup(filterBin []byte, filterFlags uint64) error { + in := buildIoctlStartup(filterFlags) + _, err := doIoctl(h.device, ioctlStartup, in[:], filterBin, h.event) + if err != nil { + return E.Cause(err, "windivert: startup ioctl") + } + return nil +} + +// If the handle is closed mid-Recv the error wraps ERROR_OPERATION_ABORTED. +func (h *Handle) Recv(buf []byte) (int, Address, error) { + if len(buf) == 0 { + return 0, Address{}, E.New("windivert: recv: zero-length buffer") + } + h.addr = Address{} + in := buildIoctlRecv(&h.addr) + n, err := doIoctl(h.device, ioctlRecv, in[:], buf, h.event) + runtime.KeepAlive(h) + if err != nil { + return 0, Address{}, err + } + return int(n), h.addr, nil +} + +// The address's Outbound flag controls whether the packet is sent toward +// the wire (outbound=true) or delivered up the stack (outbound=false). +// IfIdx and SubIfIdx can stay zero — the driver uses the routing table +// when IfIdx=0. +func (h *Handle) Send(packet []byte, addr *Address) (int, error) { + if len(packet) == 0 { + return 0, E.New("windivert: send: empty packet") + } + if addr == nil { + return 0, E.New("windivert: send: nil address") + } + h.addr = *addr + in := buildIoctlSend(&h.addr) + n, err := doIoctl(h.device, ioctlSend, in[:], packet, h.event) + runtime.KeepAlive(h) + if err != nil { + return 0, err + } + return int(n), nil +} + +// Idempotent. Aborts any in-flight I/O on the handle. +func (h *Handle) Close() error { + h.closing.Do(func() { + var errs []error + if h.device != 0 { + err := windows.CloseHandle(h.device) + if err != nil { + errs = append(errs, err) + } + h.device = 0 + } + if h.event != 0 { + err := windows.CloseHandle(h.event) + if err != nil { + errs = append(errs, err) + } + h.event = 0 + } + h.closeErr = E.Errors(errs...) + }) + return h.closeErr +} + +// IOCTL codes from windivert_device.h. CTL_CODE macro layout: +// +// (DeviceType << 16) | (Access << 14) | (Function << 2) | Method +const ( + fileDeviceNetwork uint32 = 0x12 + accessReadWrite uint32 = 3 // FILE_READ_DATA | FILE_WRITE_DATA + accessRead uint32 = 1 + + methodInDirect uint32 = 1 + methodOutDirect uint32 = 2 +) + +func ctlCode(deviceType, access, function, method uint32) uint32 { + return (deviceType << 16) | (access << 14) | (function << 2) | method +} + +var ( + ioctlInitialize = ctlCode(fileDeviceNetwork, accessReadWrite, 0x921, methodOutDirect) + ioctlStartup = ctlCode(fileDeviceNetwork, accessReadWrite, 0x922, methodInDirect) + ioctlRecv = ctlCode(fileDeviceNetwork, accessRead, 0x923, methodOutDirect) + ioctlSend = ctlCode(fileDeviceNetwork, accessReadWrite, 0x924, methodInDirect) +) + +// Magic numbers exchanged during INITIALIZE. DLL sends magicDLL in the +// version struct; driver returns magicSYS on success. +const ( + magicDLL uint64 = 0x4C4C447669645724 // "$WdivDLL" in LE bytes + magicSYS uint64 = 0x5359537669645723 // "#WdivSYS" in LE bytes +) + +const ( + versionMajor uint32 = 2 + versionMinor uint32 = 2 +) + +// Size of the WINDIVERT_IOCTL union on wire (packed). +const ioctlSize = 16 + +// Size of WINDIVERT_VERSION on wire (packed). Only the first 20 bytes +// carry data; the rest is reserved zero padding. +const versionStructSize = 64 + +// doIoctl performs a single synchronous (blocking) overlapped +// DeviceIoControl. The handle is opened with FILE_FLAG_OVERLAPPED so +// DeviceIoControl returns ERROR_IO_PENDING; we then wait for completion +// via GetOverlappedResult. Event is passed in so callers can reuse it +// across calls on the same handle (avoids per-call CreateEvent). +func doIoctl(handle windows.Handle, code uint32, in []byte, out []byte, event windows.Handle) (uint32, error) { + var overlapped windows.Overlapped + overlapped.HEvent = event + _ = windows.ResetEvent(event) + + var inPtr *byte + var inLen uint32 + if len(in) > 0 { + inPtr = &in[0] + inLen = uint32(len(in)) + } + var outPtr *byte + var outLen uint32 + if len(out) > 0 { + outPtr = &out[0] + outLen = uint32(len(out)) + } + var returned uint32 + err := windows.DeviceIoControl(handle, code, inPtr, inLen, outPtr, outLen, &returned, &overlapped) + if err != nil && !errors.Is(err, windows.ERROR_IO_PENDING) { + return 0, err + } + err = windows.GetOverlappedResult(handle, &overlapped, &returned, true) + if err != nil { + return 0, err + } + return returned, nil +} + +func buildIoctlInitialize(layer Layer, priority int16, flags Flag) [ioctlSize]byte { + var buf [ioctlSize]byte + binary.LittleEndian.PutUint32(buf[0:4], uint32(layer)) + // The driver expects priority + WINDIVERT_PRIORITY_HIGHEST (30000) so + // the low range maps to non-negative integers. + binary.LittleEndian.PutUint32(buf[4:8], uint32(int32(priority)+int32(PriorityHighest))) + binary.LittleEndian.PutUint64(buf[8:16], uint64(flags)) + return buf +} + +func buildIoctlStartup(filterFlags uint64) [ioctlSize]byte { + var buf [ioctlSize]byte + binary.LittleEndian.PutUint64(buf[0:8], filterFlags) + return buf +} + +// buildIoctlRecv packs a user-space pointer to a WINDIVERT_ADDRESS into +// the ioctl struct. The driver dereferences it to write the address for +// the received packet. Caller must keep the Address alive via +// runtime.KeepAlive. +func buildIoctlRecv(addr *Address) [ioctlSize]byte { + var buf [ioctlSize]byte + binary.LittleEndian.PutUint64(buf[0:8], uint64(uintptr(unsafe.Pointer(addr)))) + binary.LittleEndian.PutUint64(buf[8:16], 0) + return buf +} + +func buildIoctlSend(addr *Address) [ioctlSize]byte { + var buf [ioctlSize]byte + binary.LittleEndian.PutUint64(buf[0:8], uint64(uintptr(unsafe.Pointer(addr)))) + binary.LittleEndian.PutUint64(buf[8:16], uint64(unsafe.Sizeof(Address{}))) + return buf +} diff --git a/common/windivert/handle_windows_test.go b/common/windivert/handle_windows_test.go new file mode 100644 index 000000000..dd05ce7b0 --- /dev/null +++ b/common/windivert/handle_windows_test.go @@ -0,0 +1,106 @@ +//go:build windows + +package windivert + +import ( + "encoding/binary" + "testing" + "unsafe" + + "github.com/stretchr/testify/require" +) + +// CTL_CODE macro from Windows DDK: +// +// (DeviceType<<16) | (Access<<14) | (Function<<2) | Method +func TestCtlCodeMatchesDDK(t *testing.T) { + t.Parallel() + // FILE_DEVICE_NETWORK=0x12, FILE_READ_DATA|FILE_WRITE_DATA=3, METHOD_OUT_DIRECT=2 + require.Equal(t, uint32(0x12E486), ctlCode(0x12, 3, 0x921, 2)) + // FILE_READ_DATA=1, METHOD_OUT_DIRECT=2 + require.Equal(t, uint32(0x12648E), ctlCode(0x12, 1, 0x923, 2)) +} + +// Baked-in against windivert_device.h @ v2.2.2. A mismatch here means the +// kernel will reject every ioctl with ERROR_INVALID_FUNCTION. +func TestIoctlCodesMatchUpstream(t *testing.T) { + t.Parallel() + require.Equal(t, uint32(0x12E486), ioctlInitialize) + require.Equal(t, uint32(0x12E489), ioctlStartup) + require.Equal(t, uint32(0x12648E), ioctlRecv) + require.Equal(t, uint32(0x12E491), ioctlSend) +} + +func TestBuildIoctlInitialize(t *testing.T) { + t.Parallel() + buf := buildIoctlInitialize(LayerNetwork, 100, FlagSendOnly) + require.Equal(t, uint32(LayerNetwork), binary.LittleEndian.Uint32(buf[0:4])) + // Driver expects priority+PriorityHighest(30000) so the range is non-negative. + require.Equal(t, uint32(30100), binary.LittleEndian.Uint32(buf[4:8])) + require.Equal(t, uint64(FlagSendOnly), binary.LittleEndian.Uint64(buf[8:16])) +} + +func TestBuildIoctlInitializePriorityRange(t *testing.T) { + t.Parallel() + lowest := buildIoctlInitialize(LayerNetwork, PriorityLowest, 0) + require.Equal(t, uint32(0), binary.LittleEndian.Uint32(lowest[4:8])) + highest := buildIoctlInitialize(LayerNetwork, PriorityHighest, 0) + require.Equal(t, uint32(60000), binary.LittleEndian.Uint32(highest[4:8])) + zero := buildIoctlInitialize(LayerNetwork, 0, 0) + require.Equal(t, uint32(30000), binary.LittleEndian.Uint32(zero[4:8])) +} + +func TestBuildIoctlStartup(t *testing.T) { + t.Parallel() + flags := filterFlagOutbound | filterFlagIP + buf := buildIoctlStartup(flags) + require.Equal(t, flags, binary.LittleEndian.Uint64(buf[0:8])) + // The second quad-word is unused for STARTUP. + require.Equal(t, uint64(0), binary.LittleEndian.Uint64(buf[8:16])) +} + +func TestBuildIoctlRecvEmbedsAddressPointer(t *testing.T) { + t.Parallel() + addr := &Address{Timestamp: 0xCAFEBABE} + buf := buildIoctlRecv(addr) + require.Equal(t, uint64(uintptr(unsafe.Pointer(addr))), + binary.LittleEndian.Uint64(buf[0:8])) + // RECV does not carry an address length; driver writes full Address back. + require.Equal(t, uint64(0), binary.LittleEndian.Uint64(buf[8:16])) +} + +func TestBuildIoctlSendEmbedsAddressPointerAndSize(t *testing.T) { + t.Parallel() + addr := &Address{} + buf := buildIoctlSend(addr) + require.Equal(t, uint64(uintptr(unsafe.Pointer(addr))), + binary.LittleEndian.Uint64(buf[0:8])) + require.Equal(t, uint64(unsafe.Sizeof(Address{})), + binary.LittleEndian.Uint64(buf[8:16])) + require.Equal(t, uint64(80), binary.LittleEndian.Uint64(buf[8:16])) +} + +func TestValidateOpenArgsLayer(t *testing.T) { + t.Parallel() + require.NoError(t, validateOpenArgs(LayerNetwork, 0, 0)) + require.Error(t, validateOpenArgs(Layer(1), 0, 0)) + require.Error(t, validateOpenArgs(Layer(42), 0, 0)) +} + +func TestValidateOpenArgsPriorityBounds(t *testing.T) { + t.Parallel() + require.NoError(t, validateOpenArgs(LayerNetwork, PriorityHighest, 0)) + require.NoError(t, validateOpenArgs(LayerNetwork, PriorityLowest, 0)) + require.NoError(t, validateOpenArgs(LayerNetwork, 0, 0)) + require.Error(t, validateOpenArgs(LayerNetwork, PriorityHighest+1, 0)) + require.Error(t, validateOpenArgs(LayerNetwork, PriorityLowest-1, 0)) +} + +func TestValidateOpenArgsFlags(t *testing.T) { + t.Parallel() + require.NoError(t, validateOpenArgs(LayerNetwork, 0, 0)) + require.NoError(t, validateOpenArgs(LayerNetwork, 0, FlagSendOnly)) + // Unknown flag bits must be rejected to surface caller mistakes early. + require.Error(t, validateOpenArgs(LayerNetwork, 0, Flag(0x10))) + require.Error(t, validateOpenArgs(LayerNetwork, 0, FlagSendOnly|Flag(0x10))) +} diff --git a/common/windivert/integration_windows_test.go b/common/windivert/integration_windows_test.go new file mode 100644 index 000000000..00ab89709 --- /dev/null +++ b/common/windivert/integration_windows_test.go @@ -0,0 +1,88 @@ +//go:build windows + +package windivert + +import ( + "errors" + "net/netip" + "testing" + "time" + + "github.com/stretchr/testify/require" + "golang.org/x/sys/windows" +) + +func openHandle(t *testing.T, filter *Filter, flags Flag) *Handle { + t.Helper() + h, err := Open(filter, LayerNetwork, 0, flags) + require.NoError(t, err) + return h +} + +// A send-only handle installs+opens the driver but does not attach a +// receive filter, so it exercises the full driver-install path without +// diverting any live traffic on the host. +func TestIntegrationOpenSendOnly(t *testing.T) { + h := openHandle(t, nil, FlagSendOnly) + require.NoError(t, h.Close()) +} + +// Close is idempotent per the doc contract. +func TestIntegrationCloseTwice(t *testing.T) { + h := openHandle(t, nil, FlagSendOnly) + require.NoError(t, h.Close()) + require.NoError(t, h.Close()) +} + +// Recv must unblock when the handle is closed concurrently. Without this, +// the spoofer's run goroutine could deadlock on shutdown. +func TestIntegrationRecvAbortsOnClose(t *testing.T) { + // A filter no live traffic will match, so Recv blocks indefinitely + // until Close aborts the overlapped I/O. + filter, err := OutboundTCP( + netip.MustParseAddrPort("10.255.255.254:1"), + netip.MustParseAddrPort("10.255.255.253:2"), + ) + require.NoError(t, err) + h := openHandle(t, filter, 0) + + errCh := make(chan error, 1) + go func() { + buf := make([]byte, MTUMax) + _, _, recvErr := h.Recv(buf) + errCh <- recvErr + }() + + // Let Recv reach the blocking DeviceIoControl before Close races in. + time.Sleep(200 * time.Millisecond) + require.NoError(t, h.Close()) + + select { + case err := <-errCh: + require.Error(t, err) + require.True(t, errors.Is(err, windows.ERROR_OPERATION_ABORTED), + "Recv should return ERROR_OPERATION_ABORTED, got %v", err) + case <-time.After(3 * time.Second): + t.Fatal("Recv did not unblock within 3s after Close") + } +} + +// Two concurrent Open calls must both succeed: the first wins the driver +// install race, the second reuses the already-running service. +func TestIntegrationConcurrentOpen(t *testing.T) { + errCh := make(chan error, 2) + handles := make(chan *Handle, 2) + for i := 0; i < 2; i++ { + go func() { + h, err := Open(nil, LayerNetwork, 0, FlagSendOnly) + handles <- h + errCh <- err + }() + } + for i := 0; i < 2; i++ { + err := <-errCh + h := <-handles + require.NoError(t, err) + require.NoError(t, h.Close()) + } +} diff --git a/common/windivert/windivert.go b/common/windivert/windivert.go new file mode 100644 index 000000000..e9a8fc954 --- /dev/null +++ b/common/windivert/windivert.go @@ -0,0 +1,71 @@ +// Package windivert provides a pure-Go binding to the WinDivert kernel +// driver on Windows (amd64 and 386). User-mode WinDivert calls are +// reimplemented in Go; only the signed kernel driver is embedded as an +// asset, since SCM-installed drivers must live on disk and their +// Authenticode signature forbids modification. +// +// Administrator is required for the first Open in a process so SCM can +// load the driver. Upstream: https://github.com/basil00/WinDivert v2.2.2, +// redistributed under its LGPL v3 option; see assets/LICENSE.txt. +package windivert + +import "unsafe" + +const AssetVersion = "2.2.2" + +// MTUMax is WINDIVERT_MTU_MAX from windivert.h (40 + 0xFFFF). Suitable as +// a single-packet receive buffer size. +const MTUMax = 40 + 0xFFFF + +type Layer uint32 + +const LayerNetwork Layer = 0 + +type Flag uint64 + +const FlagSendOnly Flag = 0x0008 + +const ( + PriorityHighest int16 = 30000 + PriorityLowest int16 = -30000 +) + +// Address mirrors WINDIVERT_ADDRESS from windivert.h (80 bytes, +// little-endian on both amd64 and 386): +// +// 0: INT64 Timestamp +// 8: UINT32 bitfield: Layer:8 | Event:8 | flags | Reserved1:8 +// 12: UINT32 Reserved2 +// 16: 64 bytes union (WINDIVERT_DATA_NETWORK / FLOW / SOCKET / REFLECT) +type Address struct { + Timestamp int64 + bits uint32 + Reserved2 uint32 + union [64]byte +} + +var _ [80]byte = [unsafe.Sizeof(Address{})]byte{} + +// Bit positions inside the Address's packed flags word. +const ( + addrBitIPv6 = 20 + addrBitIPChecksum = 21 + addrBitTCPChecksum = 22 +) + +func getFlagBit(bits uint32, pos uint) bool { return bits&(1<