From ebadc7615da37b1998ec9f013741a1e5fe46472d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Wed, 31 May 2023 10:58:05 +0800
Subject: [PATCH] Fix TLS12 support for v3 client

---
 client.go    | 11 ++++++++---
 v3_client.go |  9 +++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/client.go b/client.go
index 58febcd..856dbf9 100644
--- a/client.go
+++ b/client.go
@@ -20,6 +20,7 @@ type ClientConfig struct {
 	Password     string
 	Server       M.Socksaddr
 	Dialer       N.Dialer
+	StrictMode   bool
 	TLSHandshake TLSHandshakeFunc
 	Logger       logger.ContextLogger
 }
@@ -27,6 +28,7 @@ type ClientConfig struct {
 type Client struct {
 	version      int
 	password     string
+	strictMode   bool
 	server       M.Socksaddr
 	dialer       N.Dialer
 	tlsHandshake TLSHandshakeFunc
@@ -37,6 +39,7 @@ func NewClient(config ClientConfig) (*Client, error) {
 	client := &Client{
 		version:      config.Version,
 		password:     config.Password,
+		strictMode:   config.StrictMode,
 		server:       config.Server,
 		dialer:       config.Dialer,
 		tlsHandshake: config.TLSHandshake,
@@ -103,9 +106,11 @@ func (c *Client) DialContextConn(ctx context.Context, conn net.Conn) (net.Conn,
 			return nil, err
 		}
 		c.logger.TraceContext(ctx, "handshake success")
-		authorized, serverRandom, readHMAC := stream.Authorized()
-		if !authorized {
-			return nil, E.New("traffic hijacked or TLS1.3 is not supported")
+		isTLS13, authorized, serverRandom, readHMAC := stream.Authorized()
+		if c.strictMode && !isTLS13 {
+			return nil, E.New("TLS1.3 is not supported")
+		} else if !authorized {
+			return nil, E.New("traffic hijacked")
 		}
 		if debug.Enabled {
 			c.logger.TraceContext(ctx, "authorized, server random extracted: ", hex.EncodeToString(serverRandom))
diff --git a/v3_client.go b/v3_client.go
index 0976f24..2a914ed 100644
--- a/v3_client.go
+++ b/v3_client.go
@@ -41,6 +41,7 @@ type streamWrapper struct {
 	serverRandom []byte
 	readHMAC     hash.Hash
 	readHMACKey  []byte
+	isTLS13      bool
 	authorized   bool
 }
 
@@ -51,8 +52,8 @@ func newStreamWrapper(conn net.Conn, password string) *streamWrapper {
 	}
 }
 
-func (w *streamWrapper) Authorized() (bool, []byte, hash.Hash) {
-	return w.authorized, w.serverRandom, w.readHMAC
+func (w *streamWrapper) Authorized() (bool, bool, []byte, hash.Hash) {
+	return w.isTLS13, w.authorized, w.serverRandom, w.readHMAC
 }
 
 func (w *streamWrapper) Read(p []byte) (n int, err error) {
@@ -84,6 +85,10 @@ func (w *streamWrapper) Read(p []byte) (n int, err error) {
 			w.readHMAC = hmac.New(sha1.New, []byte(w.password))
 			w.readHMAC.Write(w.serverRandom)
 			w.readHMACKey = kdf(w.password, w.serverRandom)
+			w.isTLS13 = isServerHelloSupportTLS13(buffer[5:])
+			if !w.isTLS13 {
+				w.authorized = true
+			}
 		}
 	case applicationData:
 		w.authorized = false