From 4cb2a128db083475f137e6c6e2e136c0ca7d9125 Mon Sep 17 00:00:00 2001
From: yuhan6665 <1588741+yuhan6665@users.noreply.github.com>
Date: Wed, 24 Jul 2024 19:47:26 -0400
Subject: [PATCH] Don't do raw/splice copy in case of MITM

---
 proxy/freedom/freedom.go | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/proxy/freedom/freedom.go b/proxy/freedom/freedom.go
index dcb72b04..55ad353d 100644
--- a/proxy/freedom/freedom.go
+++ b/proxy/freedom/freedom.go
@@ -28,6 +28,7 @@ import (
 	"github.com/xtls/xray-core/transport"
 	"github.com/xtls/xray-core/transport/internet"
 	"github.com/xtls/xray-core/transport/internet/stat"
+	"github.com/xtls/xray-core/transport/internet/tls"
 )
 
 var useSplice bool
@@ -225,9 +226,16 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
 			writeConn = inbound.Conn
 			inTimer = inbound.Timer
 		}
-		return proxy.CopyRawConnIfExist(ctx, conn, writeConn, link.Writer, timer, inTimer)
+		if !isTLSConn(conn) { // it would be tls conn in special use case of MITM, we need to let link handle traffic
+			return proxy.CopyRawConnIfExist(ctx, conn, writeConn, link.Writer, timer, inTimer)
+		}
+	}
+	var reader buf.Reader
+	if destination.Network == net.Network_TCP {
+		reader = buf.NewReader(conn)
+	} else {
+		reader = NewPacketReader(conn, UDPOverride)
 	}
-	reader := NewPacketReader(conn, UDPOverride)
 	if err := buf.Copy(reader, output, buf.UpdateActivity(timer)); err != nil {
 		return errors.New("failed to process response").Base(err)
 	}
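Review bot: The guard on the `if !isTLSConn(conn)` line inspects only the outbound `conn`, while `writeConn` (which the context lines above show may be `inbound.Conn`) is still passed to `proxy.CopyRawConnIfExist` unchecked; whether an inbound TLS-terminated connection needs the same exclusion depends on checks inside CopyRawConnIfExist that are not visible in this hunk, so it is worth confirming. The trailing comment is long enough to deserve its own line above the `if`, stating the rule rather than the symptom, e.g. `// In the MITM use case conn is a *tls.Conn; raw/splice copy must not be used there, the link handles the traffic instead.`. The enclosing `if` block and the Process method both start outside this hunk, so the condition that leads into the raw-copy path cannot be checked here.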
@@ -245,6 +253,19 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
 	return nil
 }
 
+func isTLSConn(conn stat.Connection) bool {
+	if conn != nil {
+		statConn, ok := conn.(*stat.CounterConnection)
+		if ok {
+			conn = statConn.Connection
+		}
+		if _, ok := conn.(*tls.Conn); ok {
+			return true
+		}
+	}
+	return false
+}
+
 func NewPacketReader(conn net.Conn, UDPOverride net.Destination) buf.Reader {
 	iConn := conn
 	statConn, ok := iConn.(*stat.CounterConnection)
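Review bot: `isTLSConn` peels exactly one `*stat.CounterConnection` wrapper and matches only the package's own `*tls.Conn`, so any other wrapper type or any other TLS connection type falls through to the raw/splice path; if transport/internet/tls exposes further connection types (a uTLS-backed one, say), confirm they are meant to be copied raw, because this check is an allow-by-default gate. The function also has no doc comment; suggest `// isTLSConn reports whether conn (or the connection wrapped by a *stat.CounterConnection) is a *tls.Conn; such connections are excluded from raw/splice copying in Process.`. The `conn != nil` guard and the final `if … { return true }; return false` can collapse, since a type assertion on a nil interface simply yields ok=false: `_, ok = conn.(*tls.Conn)` followed by `return ok`. The unwrap duplicates the one in `NewPacketReader` directly below; a small shared helper would keep the two in step if the wrapper types ever change.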