clash/component/tls/config.go

package tls

import (
	"bytes"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"

	CN "github.com/Dreamacro/clash/common/net"

	xtls "github.com/xtls/go"
)

var tlsCertificates = make([]tls.Certificate, 0)

var mutex sync.RWMutex
var errNotMacth error = errors.New("certificate fingerprints do not match")

func AddCertificate(privateKey, certificate string) error {
	mutex.Lock()
	defer mutex.Unlock()
	if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
		return err
	} else {
		tlsCertificates = append(tlsCertificates, cert)
	}
	return nil
}

func GetCertificates() []tls.Certificate {
	mutex.RLock()
	defer mutex.RUnlock()
	return tlsCertificates
}

func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		// ssl pining
		for i := range rawCerts {
			rawCert := rawCerts[i]
			cert, err := x509.ParseCertificate(rawCert)
			if err == nil {
				hash := sha256.Sum256(cert.Raw)
				if bytes.Equal(fingerprint[:], hash[:]) {
					return nil
				}
			}
		}
		return errNotMacth
	}
}

func convertFingerprint(fingerprint string) (*[32]byte, error) {
	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
	fpByte, err := hex.DecodeString(fingerprint)
	if err != nil {
		return nil, err
	}

	if len(fpByte) != 32 {
		return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
	}
	return (*[32]byte)(fpByte), nil
}

func GetDefaultTLSConfig() *tls.Config {
	return GetGlobalTLSConfig(nil)
}

// GetSpecifiedFingerprintTLSConfig specified fingerprint
func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		tlsConfig = GetGlobalTLSConfig(tlsConfig)
		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
		tlsConfig.InsecureSkipVerify = true
		return tlsConfig, nil
	}
}

func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
	if tlsConfig == nil {
		return &tls.Config{
			Certificates: tlsCertificates,
		}
	}
	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
	return tlsConfig
}

// GetSpecifiedFingerprintXTLSConfig specified fingerprint
func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint string) (*xtls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		tlsConfig=GetGlobalXTLSConfig(tlsConfig)
			tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
			tlsConfig.InsecureSkipVerify = true
			return tlsConfig, nil
	}
}

func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
	xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
	for _, cert := range tlsCertificates {
		tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
		for _, ssa := range cert.SupportedSignatureAlgorithms {
			tlsSsa := xtls.SignatureScheme(ssa)
			tlsSsaList = append(tlsSsaList, tlsSsa)
		}
		xtlsCert := xtls.Certificate{
			Certificate:                  cert.Certificate,
			PrivateKey:                   cert.PrivateKey,
			OCSPStaple:                   cert.OCSPStaple,
			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
			Leaf:                         cert.Leaf,
			SupportedSignatureAlgorithms: tlsSsaList,
		}
		xtlsCerts = append(xtlsCerts, xtlsCert)
	}
	if tlsConfig == nil {
		return &xtls.Config{
			Certificates: xtlsCerts,
		}
	}

	tlsConfig.Certificates = xtlsCerts
	return tlsConfig
}
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`package tls`

			`import (`
			`"bytes"`
			`"crypto/sha256"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/hex"`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`"errors"`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`"fmt"`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`"strings"`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`"sync"`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00
			`CN "github.com/Dreamacro/clash/common/net"`
fix: skip-cert-verify is true by default (#333) * fix: skip-cert-verify is true by default * fix: format * fix: typo Co-authored-by: 3andero <3andero@github.com> Co-authored-by: Hellojack <106379370+H1JK@users.noreply.github.com> 2023-01-13 01:55:01 +00:00
			`xtls "github.com/xtls/go"`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`)`

refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`var tlsCertificates = make([]tls.Certificate, 0)`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`var mutex sync.RWMutex`
			`var errNotMacth error = errors.New("certificate fingerprints do not match")`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`func AddCertificate(privateKey, certificate string) error {`
			`mutex.Lock()`
			`defer mutex.Unlock()`
			`if cert, err := CN.ParseCert(certificate, privateKey); err != nil {`
			`return err`
			`} else {`
			`tlsCertificates = append(tlsCertificates, cert)`
			`}`
			`return nil`
			`}`

			`func GetCertificates() []tls.Certificate {`
			`mutex.RLock()`
			`defer mutex.RUnlock()`
			`return tlsCertificates`
			`}`

			`func verifyFingerprint(fingerprint [32]byte) func(rawCerts [][]byte, verifiedChains [][]x509.Certificate) error {`
			`return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {`
			`// ssl pining`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`for i := range rawCerts {`
			`rawCert := rawCerts[i]`
			`cert, err := x509.ParseCertificate(rawCert)`
			`if err == nil {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`hash := sha256.Sum256(cert.Raw)`
			`if bytes.Equal(fingerprint[:], hash[:]) {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return nil`
			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
			`}`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`return errNotMacth`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`func convertFingerprint(fingerprint string) (*[32]byte, error) {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))`
chore: fingerprint style 2022-07-11 05:44:27 +00:00			`fpByte, err := hex.DecodeString(fingerprint)`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`if err != nil {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return nil, err`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`if len(fpByte) != 32 {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return (*[32]byte)(fpByte), nil`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`func GetDefaultTLSConfig() *tls.Config {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`return GetGlobalTLSConfig(nil)`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}`

feat: add fingerprint param 2022-07-11 05:42:28 +00:00			`// GetSpecifiedFingerprintTLSConfig specified fingerprint`
			`func GetSpecifiedFingerprintTLSConfig(tlsConfig tls.Config, fingerprint string) (tls.Config, error) {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {`
			`return nil, err`
			`} else {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`tlsConfig = GetGlobalTLSConfig(tlsConfig)`
			`tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)`
			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig, nil`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`func GetGlobalTLSConfig(tlsConfig tls.Config) tls.Config {`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`if tlsConfig == nil {`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`return &tls.Config{`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`Certificates: tlsCertificates,`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`return tlsConfig`
			`}`
feat: add fingerprint param 2022-07-11 05:42:28 +00:00
			`// GetSpecifiedFingerprintXTLSConfig specified fingerprint`
			`func GetSpecifiedFingerprintXTLSConfig(tlsConfig xtls.Config, fingerprint string) (xtls.Config, error) {`
			`if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {`
			`return nil, err`
			`} else {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`tlsConfig=GetGlobalXTLSConfig(tlsConfig)`
			`tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)`
feat: add fingerprint param 2022-07-11 05:42:28 +00:00			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig, nil`
			`}`
			`}`

refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`func GetGlobalXTLSConfig(tlsConfig xtls.Config) xtls.Config {`
			`xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))`
			`for _, cert := range tlsCertificates {`
			`tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))`
			`for _, ssa := range cert.SupportedSignatureAlgorithms {`
			`tlsSsa := xtls.SignatureScheme(ssa)`
			`tlsSsaList = append(tlsSsaList, tlsSsa)`
			`}`
			`xtlsCert := xtls.Certificate{`
			`Certificate: cert.Certificate,`
			`PrivateKey: cert.PrivateKey,`
			`OCSPStaple: cert.OCSPStaple,`
			`SignedCertificateTimestamps: cert.SignedCertificateTimestamps,`
			`Leaf: cert.Leaf,`
			`SupportedSignatureAlgorithms: tlsSsaList,`
			`}`
			`xtlsCerts = append(xtlsCerts, xtlsCert)`
			`}`
feat: add fingerprint param 2022-07-11 05:42:28 +00:00			`if tlsConfig == nil {`
			`return &xtls.Config{`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`Certificates: xtlsCerts,`
feat: add fingerprint param 2022-07-11 05:42:28 +00:00			`}`
			`}`

refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`tlsConfig.Certificates = xtlsCerts`
feat: add fingerprint param 2022-07-11 05:42:28 +00:00			`return tlsConfig`
			`}`