Add shadowtls (SagerNet#49)

* Add shadowtls outbound

* Add shadowtls inbound

* Add shadowtls example

* Add shadowtls documentation

Author: nekohasekai

constant/proxy.go

@@ -18,6 +18,7 @@ const (
 	TypeHysteria    = "hysteria"
 	TypeTor         = "tor"
 	TypeSSH         = "ssh"
+	TypeShadowTLS   = "shadowtls"
 )
 
 const (

docs/configuration/inbound/shadowtls.md

@@ -0,0 +1,31 @@
+### Structure
+
+```json
+{
+  "type": "shadowtls",
+  "tag": "st-in",
+
+  ... // Listen Fields
+
+  "handshake": {
+    "server": "google.com",
+    "server_port": 443,
+    
+    ... // Dial Fields
+  }
+}
+```
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen) for details.
+
+
+### Fields
+
+#### handshake
+
+==Required==
+
+Handshake server address and [dial options](/configuration/shared/dial).
+

docs/configuration/inbound/shadowtls.zh.md

@@ -0,0 +1,29 @@
+### 结构
+
+```json
+{
+  "type": "shadowtls",
+  "tag": "st-in",
+
+  ... // 监听字段
+
+  "handshake": {
+    "server": "google.com",
+    "server_port": 443,
+
+    ... // 拨号字段
+  }
+}
+```
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### handshake
+
+==必填==
+
+握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。

docs/configuration/outbound/shadowtls.md

@@ -0,0 +1,38 @@
+### Structure
+
+```json
+{
+  "type": "shadowtls",
+  "tag": "st-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "tls": {},
+
+  ... // Dial Fields
+}
+```
+
+### Fields
+
+#### server
+
+==Required==
+
+The server address.
+
+#### server_port
+
+==Required==
+
+The server port.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
+### Dial Fields
+
+See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/shadowtls.zh.md

@@ -0,0 +1,38 @@
+### 结构
+
+```json
+{
+  "type": "shadowtls",
+  "tag": "st-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "tls": {},
+
+  ... // 拨号字段
+}
+```
+
+### 字段
+
+#### server
+
+==必填==
+
+服务器地址。
+
+#### server_port
+
+==必填==
+
+服务器端口。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/examples/shadowtls.md

@@ -0,0 +1,55 @@
+#### Server
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowtls",
+      "listen": "::",
+      "listen_port": 4443,
+      "handshake": {
+        "server": "google.com",
+        "server_port": 443
+      },
+      "detour": "shadowsocks-in"
+    },
+    {
+      "type": "shadowsocks",
+      "tag": "shadowsocks-in",
+      "listen": "127.0.0.1",
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    }
+  ]
+}
+```
+
+#### Client
+
+```json
+{
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg==",
+      "detour": "shadowtls-out",
+      "multiplex": {
+        "enabled": 1,
+        "max_connections": 4,
+        "min_streams": 4
+      }
+    },
+    {
+      "type": "shadowtls",
+      "tag": "shadowtls-out",
+      "server": "127.0.0.1",
+      "server_port": 4443,
+      "tls": {
+        "enabled": true,
+        "server_name": "google.com"
+      }
+    }
+  ]
+}
+```

inbound/builder.go

@@ -39,6 +39,8 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
 		return NewNaive(ctx, router, logger, options.Tag, options.NaiveOptions)
 	case C.TypeHysteria:
 		return NewHysteria(ctx, router, logger, options.Tag, options.HysteriaOptions)
+	case C.TypeShadowTLS:
+		return NewShadowTLS(ctx, router, logger, options.Tag, options.ShadowTLSOptions)
 	default:
 		return nil, E.New("unknown inbound type: ", options.Type)
 	}

inbound/shadowsocks.go

@@ -87,15 +87,3 @@ func (h *Shadowsocks) NewPacket(ctx context.Context, conn N.PacketConn, buffer *
 func (h *Shadowsocks) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return os.ErrInvalid
 }
-
-func (h *Shadowsocks) newConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	h.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
-	return h.router.RouteConnection(ctx, conn, metadata)
-}
-
-func (h *Shadowsocks) newPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	ctx = log.ContextWithNewID(ctx)
-	h.logger.InfoContext(ctx, "inbound packet connection from ", metadata.Source)
-	h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-	return h.router.RoutePacketConnection(ctx, conn, metadata)
-}

inbound/shadowtls.go

@@ -0,0 +1,93 @@
+package inbound
+
+import (
+	"bytes"
+	"context"
+	"encoding/binary"
+	"io"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/task"
+)
+
+type ShadowTLS struct {
+	myInboundAdapter
+	handshakeDialer N.Dialer
+	handshakeAddr   M.Socksaddr
+}
+
+func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowTLSInboundOptions) (*ShadowTLS, error) {
+	inbound := &ShadowTLS{
+		myInboundAdapter: myInboundAdapter{
+			protocol:      C.TypeShadowTLS,
+			network:       []string{N.NetworkTCP},
+			ctx:           ctx,
+			router:        router,
+			logger:        logger,
+			tag:           tag,
+			listenOptions: options.ListenOptions,
+		},
+		handshakeDialer: dialer.New(router, options.Handshake.DialerOptions),
+		handshakeAddr:   options.Handshake.ServerOptions.Build(),
+	}
+	inbound.connHandler = inbound
+	return inbound, nil
+}
+
+func (s *ShadowTLS) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	handshakeConn, err := s.handshakeDialer.DialContext(ctx, N.NetworkTCP, s.handshakeAddr)
+	if err != nil {
+		return err
+	}
+	var handshake task.Group
+	handshake.Append("client handshake", func(ctx context.Context) error {
+		return s.copyUntilHandshakeFinished(handshakeConn, conn)
+	})
+	handshake.Append("server handshake", func(ctx context.Context) error {
+		return s.copyUntilHandshakeFinished(conn, handshakeConn)
+	})
+	handshake.FastFail()
+	err = handshake.Run(ctx)
+	if err != nil {
+		return err
+	}
+	return s.newConnection(ctx, conn, metadata)
+}
+
+func (s *ShadowTLS) copyUntilHandshakeFinished(dst io.Writer, src io.Reader) error {
+	const handshake = 0x16
+	const changeCipherSpec = 0x14
+	var hasSeenChangeCipherSpec bool
+	var tlsHdr [5]byte
+	for {
+		_, err := io.ReadFull(src, tlsHdr[:])
+		if err != nil {
+			return err
+		}
+		length := binary.BigEndian.Uint16(tlsHdr[3:])
+		_, err = io.Copy(dst, io.MultiReader(bytes.NewReader(tlsHdr[:]), io.LimitReader(src, int64(length))))
+		if err != nil {
+			return err
+		}
+		if tlsHdr[0] != handshake {
+			if tlsHdr[0] != changeCipherSpec {
+				return E.New("unexpected tls frame type: ", tlsHdr[0])
+			}
+			if !hasSeenChangeCipherSpec {
+				hasSeenChangeCipherSpec = true
+				continue
+			}
+		}
+		if hasSeenChangeCipherSpec {
+			return nil
+		}
+	}
+}

mkdocs.yml

@@ -68,6 +68,7 @@ nav:
           - Trojan: configuration/inbound/trojan.md
           - Naive: configuration/inbound/naive.md
           - Hysteria: configuration/inbound/hysteria.md
+          - ShadowTLS: configuration/inbound/shadowtls.md
           - Tun: configuration/inbound/tun.md
           - Redirect: configuration/inbound/redirect.md
           - TProxy: configuration/inbound/tproxy.md
@@ -82,6 +83,7 @@ nav:
           - Trojan: configuration/outbound/trojan.md
           - WireGuard: configuration/outbound/wireguard.md
           - Hysteria: configuration/outbound/hysteria.md
+          - ShadowTLS: configuration/outbound/shadowtls.md
           - Tor: configuration/outbound/tor.md
           - SSH: configuration/outbound/ssh.md
           - DNS: configuration/outbound/dns.md
@@ -95,6 +97,7 @@ nav:
       - Shadowsocks Server: examples/ss-server.md
       - Shadowsocks Client: examples/ss-client.md
       - Shadowsocks Tun: examples/ss-tun.md
+      - ShadowTLS: examples/shadowtls.md
       - DNS Hijack: examples/dns-hijack.md
   - Contributing:
       - contributing/index.md

option/inbound.go

@@ -21,6 +21,7 @@ type _Inbound struct {
 	TrojanOptions      TrojanInboundOptions      `json:"-"`
 	NaiveOptions       NaiveInboundOptions       `json:"-"`
 	HysteriaOptions    HysteriaInboundOptions    `json:"-"`
+	ShadowTLSOptions   ShadowTLSInboundOptions   `json:"-"`
 }
 
 type Inbound _Inbound
@@ -52,6 +53,8 @@ func (h Inbound) MarshalJSON() ([]byte, error) {
 		v = h.NaiveOptions
 	case C.TypeHysteria:
 		v = h.HysteriaOptions
+	case C.TypeShadowTLS:
+		v = h.ShadowTLSOptions
 	default:
 		return nil, E.New("unknown inbound type: ", h.Type)
 	}
@@ -89,6 +92,8 @@ func (h *Inbound) UnmarshalJSON(bytes []byte) error {
 		v = &h.NaiveOptions
 	case C.TypeHysteria:
 		v = &h.HysteriaOptions
+	case C.TypeShadowTLS:
+		v = &h.ShadowTLSOptions
 	default:
 		return E.New("unknown inbound type: ", h.Type)
 	}

option/outbound.go

@@ -20,6 +20,7 @@ type _Outbound struct {
 	HysteriaOptions    HysteriaOutboundOptions    `json:"-"`
 	TorOptions         TorOutboundOptions         `json:"-"`
 	SSHOptions         SSHOutboundOptions         `json:"-"`
+	ShadowTLSOptions   ShadowTLSOutboundOptions   `json:"-"`
 	SelectorOptions    SelectorOutboundOptions    `json:"-"`
 }
 
@@ -50,6 +51,8 @@ func (h Outbound) MarshalJSON() ([]byte, error) {
 		v = h.TorOptions
 	case C.TypeSSH:
 		v = h.SSHOptions
+	case C.TypeShadowTLS:
+		v = h.ShadowTLSOptions
 	case C.TypeSelector:
 		v = h.SelectorOptions
 	default:
@@ -87,6 +90,8 @@ func (h *Outbound) UnmarshalJSON(bytes []byte) error {
 		v = &h.TorOptions
 	case C.TypeSSH:
 		v = &h.SSHOptions
+	case C.TypeShadowTLS:
+		v = &h.ShadowTLSOptions
 	case C.TypeSelector:
 		v = &h.SelectorOptions
 	default: