clash/component/tls/config.go

147 lines
4.2 KiB
Go
Raw Normal View History

2022-07-10 12:44:24 +00:00
package tls
import (
"bytes"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"encoding/hex"
"fmt"
"sync"
"time"
xtls "github.com/xtls/go"
2022-07-10 12:44:24 +00:00
)
var globalFingerprints = make([][32]byte, 0)
var mutex sync.Mutex
2022-07-10 12:44:24 +00:00
2022-10-03 14:41:24 +00:00
func verifyPeerCertificateAndFingerprints(fingerprints *[][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
2022-07-11 04:37:27 +00:00
if insecureSkipVerify {
return nil
}
2022-07-10 12:44:24 +00:00
var preErr error
for i := range rawCerts {
rawCert := rawCerts[i]
cert, err := x509.ParseCertificate(rawCert)
if err == nil {
opts := x509.VerifyOptions{
CurrentTime: time.Now(),
2022-07-10 12:44:24 +00:00
}
if _, err := cert.Verify(opts); err == nil {
return nil
} else {
fingerprint := sha256.Sum256(cert.Raw)
2022-10-03 14:41:24 +00:00
for _, fp := range *fingerprints {
if bytes.Equal(fingerprint[:], fp[:]) {
return nil
}
}
preErr = err
}
2022-07-10 12:44:24 +00:00
}
}
return preErr
}
2022-07-10 12:44:24 +00:00
}
func AddCertFingerprint(fingerprint string) error {
fpByte, err2 := convertFingerprint(fingerprint)
if err2 != nil {
return err2
}
mutex.Lock()
globalFingerprints = append(globalFingerprints, *fpByte)
mutex.Unlock()
return nil
}
func convertFingerprint(fingerprint string) (*[32]byte, error) {
2022-07-11 05:44:27 +00:00
fpByte, err := hex.DecodeString(fingerprint)
2022-07-10 12:44:24 +00:00
if err != nil {
return nil, err
2022-07-10 12:44:24 +00:00
}
if len(fpByte) != 32 {
return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
2022-07-10 12:44:24 +00:00
}
return (*[32]byte)(fpByte), nil
2022-07-10 12:44:24 +00:00
}
func GetDefaultTLSConfig() *tls.Config {
return GetGlobalFingerprintTLSConfig(nil)
}
2022-07-11 05:42:28 +00:00
// GetSpecifiedFingerprintTLSConfig specified fingerprint
func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
return nil, err
} else {
if tlsConfig == nil {
return &tls.Config{
InsecureSkipVerify: true,
2022-10-03 14:41:24 +00:00
VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
}, nil
} else {
2022-10-03 14:41:24 +00:00
tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
tlsConfig.InsecureSkipVerify = true
return tlsConfig, nil
}
}
2022-07-10 12:44:24 +00:00
}
func GetGlobalFingerprintTLSConfig(tlsConfig *tls.Config) *tls.Config {
// If there's at least one fingerprint then we could skip the general check
// If there's no fingerprints but the config insists then we should skip.
// Otherwise we should do a general verification.
shouldSkipVerify := len(globalFingerprints) != 0 || tlsConfig != nil && tlsConfig.InsecureSkipVerify
2022-07-10 12:44:24 +00:00
if tlsConfig == nil {
2022-07-11 04:37:27 +00:00
return &tls.Config{
InsecureSkipVerify: shouldSkipVerify,
2022-10-03 14:41:24 +00:00
VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
2022-07-11 04:37:27 +00:00
}
2022-07-10 12:44:24 +00:00
}
2022-10-03 14:41:24 +00:00
tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
tlsConfig.InsecureSkipVerify = shouldSkipVerify
2022-07-10 12:44:24 +00:00
return tlsConfig
}
2022-07-11 05:42:28 +00:00
// GetSpecifiedFingerprintXTLSConfig specified fingerprint
func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint string) (*xtls.Config, error) {
if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
return nil, err
} else {
if tlsConfig == nil {
return &xtls.Config{
InsecureSkipVerify: true,
2022-10-03 14:41:24 +00:00
VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
2022-07-11 05:42:28 +00:00
}, nil
} else {
2022-10-03 14:41:24 +00:00
tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
2022-07-11 05:42:28 +00:00
tlsConfig.InsecureSkipVerify = true
return tlsConfig, nil
}
}
}
func GetGlobalFingerprintXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
shouldSkipVerify := len(globalFingerprints) != 0 || tlsConfig != nil && tlsConfig.InsecureSkipVerify
2022-07-11 05:42:28 +00:00
if tlsConfig == nil {
return &xtls.Config{
InsecureSkipVerify: shouldSkipVerify,
2022-10-03 14:41:24 +00:00
VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
2022-07-11 05:42:28 +00:00
}
}
2022-10-03 14:41:24 +00:00
tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
tlsConfig.InsecureSkipVerify = shouldSkipVerify
2022-07-11 05:42:28 +00:00
return tlsConfig
}