Add --tls-random (#37)

* Added --tls-random, closes #35
* Added tls-random to changelog

Author: ameshkov

CHANGELOG.md

@@ -11,6 +11,13 @@ adheres to [Semantic Versioning][semver].
 
 ## [Unreleased]
 
+### Added
+
+* Added support for `--tls-random` command-line argument. This option is used to
+  enable TLS Random for TLS ClientHello. ([#35][#35])
+
+[#35]: https://github.com/ameshkov/gocurl/issues/35
+
 [unreleased]: https://github.com/ameshkov/gocurl/compare/v1.4.7...HEAD
 
 ## [1.4.7] - 2025-04-02

README.md

@@ -89,6 +89,8 @@ Also, you can use some new stuff that is not supported by curl.
 * `gocurl --tls-split-hello 5:50 https://httpbin.agrd.workers.dev/get` split
   TLS ClientHello in two parts and make a 50ms delay after sending the first
   part.
+* `gocurl --tls-random "gyufwmGYeIiq0B4nUjEYu3NcqVdlHbIXhx74fq4terc=" https://httpbin.agrd.workers.dev/get`
+  use a custom TLS ClientHello random value.
 * `gocurl -v --ech https://crypto.cloudflare.com/cdn-cgi/trace` enables support
   for ECH (Encrypted Client Hello) for the request. More on this [below](#ech).
 * `gocurl --dns-servers "tls://dns.google" https://httpbin.agrd.workers.dev/get`
@@ -262,58 +264,41 @@ Usage:
   gocurl [OPTIONS]
 
 Application Options:
-      --url=<URL>                                           URL the request will be made to. Can be specified
-                                                            without any flags.
+      --url=<URL>                                           URL the request will be made to. Can be specified without any flags.
   -X, --request=<method>                                    HTTP method. GET by default.
-  -d, --data=<data>                                         Sends the specified data to the HTTP server using
-                                                            content type application/x-www-form-urlencoded.
-  -H, --header=                                             Extra header to include in the request. Can be
-                                                            specified multiple times.
-  -x, --proxy=[protocol://username:password@]host[:port]    Use the specified proxy. The proxy string can be
-                                                            specified with a protocol:// prefix.
-      --connect-to=<HOST1:PORT1:HOST2:PORT2>                For a request to the given HOST1:PORT1 pair, connect
-                                                            to HOST2:PORT2 instead. Can be specified multiple
-                                                            times.
+  -d, --data=<data>                                         Sends the specified data to the HTTP server using content type application/x-www-form-urlencoded.
+  -H, --header=                                             Extra header to include in the request. Can be specified multiple times.
+  -x, --proxy=[protocol://username:password@]host[:port]    Use the specified proxy. The proxy string can be specified with a protocol:// prefix.
+      --connect-to=<HOST1:PORT1:HOST2:PORT2>                For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead. Can be specified
+                                                            multiple times.
   -I, --head                                                Fetch the headers only.
   -k, --insecure                                            Disables TLS verification of the connection.
       --tlsv1.3                                             Forces gocurl to use TLS v1.3 or newer.
       --tlsv1.2                                             Forces gocurl to use TLS v1.2 or newer.
-      --tls-max=<VERSION>                                   (TLS) VERSION defines maximum supported TLS version.
-                                                            Can be 1.2 or 1.3. The minimum acceptable version is
-                                                            set by tlsv1.2 or tlsv1.3.
+      --tls-max=<VERSION>                                   (TLS) VERSION defines maximum supported TLS version. Can be 1.2 or 1.3. The minimum acceptable
+                                                            version is set by tlsv1.2 or tlsv1.3.
       --ciphers=<space-separated list of ciphers>           Specifies which ciphers to use in the connection, see
-                                                            https://go.dev/src/crypto/tls/cipher_suites.go for the
-                                                            full list of available ciphers.
-      --tls-servername=<HOSTNAME>                           Specifies the server name that will be sent in TLS
-                                                            ClientHello
+                                                            https://go.dev/src/crypto/tls/cipher_suites.go for the full list of available ciphers.
+      --tls-servername=<HOSTNAME>                           Specifies the server name that will be sent in TLS ClientHello
       --http1.1                                             Forces gocurl to use HTTP v1.1.
       --http2                                               Forces gocurl to use HTTP v2.
       --http3                                               Forces gocurl to use HTTP v3.
       --ech                                                 Enables ECH support for the request.
-      --echgrease                                           Forces sending ECH grease in the ClientHello, but does
-                                                            not try to resolve the ECH configuration.
-      --echconfig=<base64-encoded data>                     ECH configuration to use for this request. Implicitly
-                                                            enables --ech when specified.
-  -4, --ipv4                                                This option tells gocurl to use IPv4 addresses only
-                                                            when resolving host names.
-  -6, --ipv6                                                This option tells gocurl to use IPv6 addresses only
-                                                            when resolving host names.
-      --dns-servers=<DNSADDR1,DNSADDR2>                     DNS servers to use when making the request. Supports
-                                                            encrypted DNS: tls://, https://, quic://, sdns://
-      --resolve=<[+]host:port:addr[,addr]...>               Provide a custom address for a specific host. port is
-                                                            ignored by gocurl. '*' can be used instead of the host
-                                                            name. Can be specified multiple times.
-      --tls-split-hello=<CHUNKSIZE:DELAY>                   An option that allows splitting TLS ClientHello in two
-                                                            parts in order to avoid common DPI systems detecting
-                                                            TLS. CHUNKSIZE is the size of the first bytes before
-                                                            ClientHello is split, DELAY is delay in milliseconds
-                                                            before sending the second part.
-      --json-output                                         Makes gocurl write machine-readable output in JSON
-                                                            format.
-  -o, --output=<file>                                       Defines where to write the received data. If not set,
-                                                            gocurl will write everything to stdout.
-      --experiment=<name[:value]>                           Allows enabling experimental options. See the
-                                                            documentation for available options. Can be specified
+      --echgrease                                           Forces sending ECH grease in the ClientHello, but does not try to resolve the ECH configuration.
+      --echconfig=<base64-encoded data>                     ECH configuration to use for this request. Implicitly enables --ech when specified.
+  -4, --ipv4                                                This option tells gocurl to use IPv4 addresses only when resolving host names.
+  -6, --ipv6                                                This option tells gocurl to use IPv6 addresses only when resolving host names.
+      --dns-servers=<DNSADDR1,DNSADDR2>                     DNS servers to use when making the request. Supports encrypted DNS: tls://, https://, quic://,
+                                                            sdns://
+      --resolve=<[+]host:port:addr[,addr]...>               Provide a custom address for a specific host. port is ignored by gocurl. '*' can be used instead of
+                                                            the host name. Can be specified multiple times.
+      --tls-split-hello=<CHUNKSIZE:DELAY>                   An option that allows splitting TLS ClientHello in two parts in order to avoid common DPI systems
+                                                            detecting TLS. CHUNKSIZE is the size of the first bytes before ClientHello is split, DELAY is delay
+                                                            in milliseconds before sending the second part.
+      --tls-random=<base64>                                 Base64-encoded 32-byte TLS ClientHello random value.
+      --json-output                                         Makes gocurl write machine-readable output in JSON format.
+  -o, --output=<file>                                       Defines where to write the received data. If not set, gocurl will write everything to stdout.
+      --experiment=<name[:value]>                           Allows enabling experimental options. See the documentation for available options. Can be specified
                                                             multiple times.
   -v, --verbose                                             Verbose output (optional).
 

internal/client/clientdialer.go

@@ -2,8 +2,10 @@ package client
 
 import (
 	"context"
+	"crypto/rand"
 	"crypto/tls"
 	"fmt"
+	"io"
 	"net"
 
 	"github.com/ameshkov/gocurl/internal/client/cfcrypto"
@@ -162,6 +164,37 @@ func createDialFunc(
 	return dial, nil
 }
 
+// tlsRandomReader is an io.Reader that returns the provided TLS random bytes,
+// and then fallbacks to crypto/rand.Reader.
+type tlsRandomReader struct {
+	data []byte
+	pos  int
+}
+
+// type check
+var _ io.Reader = (*tlsRandomReader)(nil)
+
+// Read implements io.Reader for *tlsRandomReader. It returns the provided TLS
+// random bytes, and then fallbacks to crypto/rand.Reader.
+func (r *tlsRandomReader) Read(p []byte) (n int, err error) {
+	if r.pos < len(r.data) {
+		toCopy := len(r.data) - r.pos
+		if toCopy > len(p) {
+			toCopy = len(p)
+		}
+		copy(p, r.data[r.pos:r.pos+toCopy])
+		r.pos += toCopy
+		if toCopy < len(p) {
+			// Fill the rest from crypto/rand.Reader
+			nn, err := io.ReadFull(rand.Reader, p[toCopy:])
+			return toCopy + nn, err
+		}
+		return toCopy, nil
+	}
+	// All data consumed, fallback to crypto/rand.Reader
+	return rand.Read(p)
+}
+
 // createTLSConfig creates TLS config based on the configuration.
 func createTLSConfig(cfg *config.Config, out *output.Output) (tlsConfig *tls.Config) {
 	tlsConfig = &tls.Config{
@@ -184,6 +217,11 @@ func createTLSConfig(cfg *config.Config, out *output.Output) (tlsConfig *tls.Con
 		tlsConfig.InsecureSkipVerify = true
 	}
 
+	if cfg.TLSRandom != nil && len(cfg.TLSRandom) == 32 {
+		out.Debug("Overriding TLS ClientHello random value")
+		tlsConfig.Rand = &tlsRandomReader{data: cfg.TLSRandom}
+	}
+
 	if websocket.IsWebSocket(cfg.RequestURL) {
 		out.Debug("Forcing ALPN http/1.1 as this is a WebSocket request")
 

internal/config/config.go

@@ -64,7 +64,7 @@ type Config struct {
 	// ForceHTTP2 forces using HTTP/2.
 	ForceHTTP2 bool
 
-	// ForceHTTP2 forces using HTTP/3.
+	// ForceHTTP3 forces using HTTP/3.
 	ForceHTTP3 bool
 
 	// ECH forces usage of Encrypted Client Hello for the request.  If other
@@ -106,6 +106,10 @@ type Config struct {
 	// chunk of ClientHello.
 	TLSSplitDelay int
 
+	// TLSRandom is a 32-byte value to override the TLS ClientHello random.
+	// If nil, use default.
+	TLSRandom []byte
+
 	// OutputJSON enables writing output in JSON format.
 	OutputJSON bool
 
@@ -261,6 +265,18 @@ func ParseConfig() (cfg *Config, err error) {
 		}
 	}
 
+	if opts.TLSRandom != "" {
+		var b []byte
+		b, err = base64.StdEncoding.DecodeString(opts.TLSRandom)
+		if err != nil {
+			return nil, fmt.Errorf("--tls-random must be a valid base64 string: %w", err)
+		}
+		if len(b) != 32 {
+			return nil, fmt.Errorf("--tls-random must decode to exactly 32 bytes (got %d)", len(b))
+		}
+		cfg.TLSRandom = b
+	}
+
 	if opts.ECHConfig != "" {
 		cfg.ECHConfigs, err = unmarshalECHConfigs(opts.ECHConfig)
 		if err != nil {

internal/config/options.go

@@ -103,6 +103,10 @@ type Options struct {
 	// in milliseconds before sending the second part.
 	TLSSplitHello string `long:"tls-split-hello" description:"An option that allows splitting TLS ClientHello in two parts in order to avoid common DPI systems detecting TLS. CHUNKSIZE is the size of the first bytes before ClientHello is split, DELAY is delay in milliseconds before sending the second part." value-name:"<CHUNKSIZE:DELAY>"`
 
+	// TLSRandom allows overriding the TLS ClientHello random value. Must be
+	// a base64-encoded 32-byte string.
+	TLSRandom string `long:"tls-random" description:"Base64-encoded 32-byte TLS ClientHello random value." value-name:"<base64>"`
+
 	// OutputJSON enables writing output in JSON format.
 	OutputJSON bool `long:"json-output" description:"Makes gocurl write machine-readable output in JSON format." optional:"yes" optional-value:"true"`