SagerNet/sing-shadowtls
1
0
Fork 0
mirror of https://github.com/SagerNet/sing-shadowtls.git synced 2025-04-02 19:57:35 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix TLS12 support for v3 client

Browse source
This commit is contained in:
世界 2023-05-31 10:58:05 +08:00
parent 74b210a0e6
commit ebadc7615d
No known key found for this signature in database
GPG key ID: CD109927C34A63C4
2 changed files with 15 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
client.go
View file

@ -20,6 +20,7 @@ type ClientConfig struct {
Password string Password string
Server M.Socksaddr Server M.Socksaddr
Dialer N.Dialer Dialer N.Dialer
StrictMode bool
TLSHandshake TLSHandshakeFunc TLSHandshake TLSHandshakeFunc
Logger logger.ContextLogger Logger logger.ContextLogger
} }
@ -27,6 +28,7 @@ type ClientConfig struct {
type Client struct { type Client struct {
version int version int
password string password string
strictMode bool
server M.Socksaddr server M.Socksaddr
dialer N.Dialer dialer N.Dialer
tlsHandshake TLSHandshakeFunc tlsHandshake TLSHandshakeFunc
@ -37,6 +39,7 @@ func NewClient(config ClientConfig) (*Client, error) {
client := &Client{ client := &Client{
version: config.Version, version: config.Version,
password: config.Password, password: config.Password,
strictMode: config.StrictMode,
server: config.Server, server: config.Server,
dialer: config.Dialer, dialer: config.Dialer,
tlsHandshake: config.TLSHandshake, tlsHandshake: config.TLSHandshake,
@ -103,9 +106,11 @@ func (c *Client) DialContextConn(ctx context.Context, conn net.Conn) (net.Conn,
return nil, err return nil, err
} }
c.logger.TraceContext(ctx, "handshake success") c.logger.TraceContext(ctx, "handshake success")
authorized, serverRandom, readHMAC := stream.Authorized() isTLS13, authorized, serverRandom, readHMAC := stream.Authorized()
if !authorized { if c.strictMode && !isTLS13 {
return nil, E.New("traffic hijacked or TLS1.3 is not supported") return nil, E.New("TLS1.3 is not supported")
} else if !authorized {
return nil, E.New("traffic hijacked")
} }
if debug.Enabled { if debug.Enabled {
c.logger.TraceContext(ctx, "authorized, server random extracted: ", hex.EncodeToString(serverRandom)) c.logger.TraceContext(ctx, "authorized, server random extracted: ", hex.EncodeToString(serverRandom))

9
v3_client.go
View file

@ -41,6 +41,7 @@ type streamWrapper struct {
serverRandom []byte serverRandom []byte
readHMAC hash.Hash readHMAC hash.Hash
readHMACKey []byte readHMACKey []byte
isTLS13 bool
authorized bool authorized bool
} }
@ -51,8 +52,8 @@ func newStreamWrapper(conn net.Conn, password string) *streamWrapper {
} }
} }
func (w *streamWrapper) Authorized() (bool, []byte, hash.Hash) { func (w *streamWrapper) Authorized() (bool, bool, []byte, hash.Hash) {
return w.authorized, w.serverRandom, w.readHMAC return w.isTLS13, w.authorized, w.serverRandom, w.readHMAC
} }
func (w *streamWrapper) Read(p []byte) (n int, err error) { func (w *streamWrapper) Read(p []byte) (n int, err error) {
@ -84,6 +85,10 @@ func (w *streamWrapper) Read(p []byte) (n int, err error) {
w.readHMAC = hmac.New(sha1.New, []byte(w.password)) w.readHMAC = hmac.New(sha1.New, []byte(w.password))
w.readHMAC.Write(w.serverRandom) w.readHMAC.Write(w.serverRandom)
w.readHMACKey = kdf(w.password, w.serverRandom) w.readHMACKey = kdf(w.password, w.serverRandom)
w.isTLS13 = isServerHelloSupportTLS13(buffer[5:])
if !w.isTLS13 {
w.authorized = true
}
} }
case applicationData: case applicationData:
w.authorized = false w.authorized = false