Middle-End Fixes

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-04-16 10:04:10 +03:00 · 2026-02-21 03:36:13 +03:00
parent c9a043d8d5
commit 83fc9d6db3
7 changed files with 300 additions and 73 deletions
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -7,6 +7,7 @@ use tracing::{debug, warn, trace, info};
 use zeroize::Zeroize;

 use crate::crypto::{sha256, AesCtr, SecureRandom};
+use rand::Rng;
 use crate::protocol::constants::*;
 use crate::protocol::tls;
 use crate::stream::{FakeTlsReader, FakeTlsWriter, CryptoReader, CryptoWriter};
@@ -119,6 +120,23 @@ where
        None
    };

+    let alpn_list = if config.censorship.alpn_enforce {
+        tls::extract_alpn_from_client_hello(handshake)
+    } else {
+        Vec::new()
+    };
+    let selected_alpn = if config.censorship.alpn_enforce {
+        if alpn_list.iter().any(|p| p == b"h2") {
+            Some(b"h2".to_vec())
+        } else if alpn_list.iter().any(|p| p == b"http/1.1") {
+            Some(b"http/1.1".to_vec())
+        } else {
+            None
+        }
+    } else {
+        None
+    };
+
    let response = if let Some(cached_entry) = cached {
        emulator::build_emulated_server_hello(
            secret,
@@ -126,6 +144,8 @@ where
            &validation.session_id,
            &cached_entry,
            rng,
+            selected_alpn.clone(),
+            config.censorship.tls_new_session_tickets,
        )
    } else {
        tls::build_server_hello(
@@ -134,9 +154,25 @@ where
            &validation.session_id,
            config.censorship.fake_cert_len,
            rng,
+            selected_alpn.clone(),
+            config.censorship.tls_new_session_tickets,
        )
    };

+    // Optional anti-fingerprint delay before sending ServerHello.
+    if config.censorship.server_hello_delay_max_ms > 0 {
+        let min = config.censorship.server_hello_delay_min_ms;
+        let max = config.censorship.server_hello_delay_max_ms.max(min);
+        let delay_ms = if max == min {
+            max
+        } else {
+            rand::rng().random_range(min..=max)
+        };
+        if delay_ms > 0 {
+            tokio::time::sleep(std::time::Duration::from_millis(delay_ms)).await;
+        }
+    }
+
    debug!(peer = %peer, response_len = response.len(), "Sending TLS ServerHello");

    if let Err(e) = writer.write_all(&response).await {