clash/component/tls/config.go

package tls

import (
	"bytes"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

var trustCerts []*x509.Certificate
var certPool *x509.CertPool
var mutex sync.RWMutex
var errNotMatch = errors.New("certificate fingerprints do not match")

func AddCertificate(certificate string) error {
	mutex.Lock()
	defer mutex.Unlock()
	if certificate == "" {
		return fmt.Errorf("certificate is empty")
	}
	if cert, err := x509.ParseCertificate([]byte(certificate)); err == nil {
		trustCerts = append(trustCerts, cert)
		return nil
	} else {
		return fmt.Errorf("add certificate failed")
	}
}

func initializeCertPool() {
	var err error
	certPool, err = x509.SystemCertPool()
	if err != nil {
		certPool = x509.NewCertPool()
	}
	for _, cert := range trustCerts {
		certPool.AddCert(cert)
	}
}

func ResetCertificate() {
	mutex.Lock()
	defer mutex.Unlock()
	trustCerts = nil
	initializeCertPool()
}

func getCertPool() *x509.CertPool {
	if len(trustCerts) == 0 {
		return nil
	}
	if certPool == nil {
		mutex.Lock()
		defer mutex.Unlock()
		if certPool != nil {
			return certPool
		}
		initializeCertPool()
	}
	return certPool
}

func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		// ssl pining
		for i := range rawCerts {
			rawCert := rawCerts[i]
			cert, err := x509.ParseCertificate(rawCert)
			if err == nil {
				hash := sha256.Sum256(cert.Raw)
				if bytes.Equal(fingerprint[:], hash[:]) {
					return nil
				}
			}
		}
		return errNotMatch
	}
}

func convertFingerprint(fingerprint string) (*[32]byte, error) {
	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
	fpByte, err := hex.DecodeString(fingerprint)
	if err != nil {
		return nil, err
	}

	if len(fpByte) != 32 {
		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
	}
	return (*[32]byte)(fpByte), nil
}

func GetDefaultTLSConfig() *tls.Config {
	return GetGlobalTLSConfig(nil)
}

// GetSpecifiedFingerprintTLSConfig specified fingerprint
func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		tlsConfig = GetGlobalTLSConfig(tlsConfig)
		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
		tlsConfig.InsecureSkipVerify = true
		return tlsConfig, nil
	}
}

func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
	certPool := getCertPool()
	if tlsConfig == nil {
		return &tls.Config{
			RootCAs: certPool,
		}
	}
	tlsConfig.RootCAs = certPool
	return tlsConfig
}
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`package tls`

			`import (`
			`"bytes"`
			`"crypto/sha256"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/hex"`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`"errors"`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`"fmt"`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`"strings"`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`"sync"`
			`)`

chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`var trustCerts []*x509.Certificate`
feat: `nameserver-policy` support use rule-providers and reduce domain-set memory 2023-04-01 03:53:39 +00:00			`var certPool *x509.CertPool`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`var mutex sync.RWMutex`
[Feature] Proxy stores delay data of different URLs. And supports specifying different test URLs and expected statue by group (#588) Co-authored-by: Larvan2 <78135608+Larvan2@users.noreply.github.com> Co-authored-by: wwqgtxx <wwqgtxx@gmail.com> 2023-06-04 03:51:30 +00:00			`var errNotMatch = errors.New("certificate fingerprints do not match")`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00
chore: add custom ca trust 2023-02-25 14:01:20 +00:00			`func AddCertificate(certificate string) error {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`mutex.Lock()`
			`defer mutex.Unlock()`
chore: add custom ca trust 2023-02-25 14:01:20 +00:00			`if certificate == "" {`
			`return fmt.Errorf("certificate is empty")`
			`}`
chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`if cert, err := x509.ParseCertificate([]byte(certificate)); err == nil {`
			`trustCerts = append(trustCerts, cert)`
			`return nil`
			`} else {`
chore: add custom ca trust 2023-02-25 14:01:20 +00:00			`return fmt.Errorf("add certificate failed")`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`}`
			`}`

fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-13 16:21:59 +00:00			`func initializeCertPool() {`
			`var err error`
			`certPool, err = x509.SystemCertPool()`
			`if err != nil {`
			`certPool = x509.NewCertPool()`
			`}`
			`for _, cert := range trustCerts {`
			`certPool.AddCert(cert)`
			`}`
			`}`

chore: format code 2023-02-26 12:38:32 +00:00			`func ResetCertificate() {`
chore: add custom ca trust 2023-02-25 14:01:20 +00:00			`mutex.Lock()`
			`defer mutex.Unlock()`
chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`trustCerts = nil`
fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-13 16:21:59 +00:00			`initializeCertPool()`
chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`}`

			`func getCertPool() *x509.CertPool {`
feat: `nameserver-policy` support use rule-providers and reduce domain-set memory 2023-04-01 03:53:39 +00:00			`if len(trustCerts) == 0 {`
			`return nil`
			`}`
			`if certPool == nil {`
			`mutex.Lock()`
			`defer mutex.Unlock()`
			`if certPool != nil {`
			`return certPool`
			`}`
fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-13 16:21:59 +00:00			`initializeCertPool()`
chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`}`
			`return certPool`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`}`

			`func verifyFingerprint(fingerprint [32]byte) func(rawCerts [][]byte, verifiedChains [][]x509.Certificate) error {`
			`return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {`
			`// ssl pining`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`for i := range rawCerts {`
			`rawCert := rawCerts[i]`
			`cert, err := x509.ParseCertificate(rawCert)`
			`if err == nil {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`hash := sha256.Sum256(cert.Raw)`
			`if bytes.Equal(fingerprint[:], hash[:]) {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return nil`
			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
			`}`
[Feature] Proxy stores delay data of different URLs. And supports specifying different test URLs and expected statue by group (#588) Co-authored-by: Larvan2 <78135608+Larvan2@users.noreply.github.com> Co-authored-by: wwqgtxx <wwqgtxx@gmail.com> 2023-06-04 03:51:30 +00:00			`return errNotMatch`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`func convertFingerprint(fingerprint string) (*[32]byte, error) {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))`
chore: fingerprint style 2022-07-11 05:44:27 +00:00			`fpByte, err := hex.DecodeString(fingerprint)`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`if err != nil {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return nil, err`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`if len(fpByte) != 32 {`
fix: get tlsconfig err not handle, return nil pointer 2023-01-31 07:26:18 +00:00			`return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return (*[32]byte)(fpByte), nil`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`func GetDefaultTLSConfig() *tls.Config {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`return GetGlobalTLSConfig(nil)`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}`

feat: add fingerprint param 2022-07-11 05:42:28 +00:00			`// GetSpecifiedFingerprintTLSConfig specified fingerprint`
			`func GetSpecifiedFingerprintTLSConfig(tlsConfig tls.Config, fingerprint string) (tls.Config, error) {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {`
			`return nil, err`
			`} else {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`tlsConfig = GetGlobalTLSConfig(tlsConfig)`
			`tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)`
			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig, nil`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 13:08:06 +00:00			`func GetGlobalTLSConfig(tlsConfig tls.Config) tls.Config {`
chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`certPool := getCertPool()`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`if tlsConfig == nil {`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`return &tls.Config{`
chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`RootCAs: certPool,`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
chore: adjust trust cert 2023-03-27 14:27:59 +00:00			`tlsConfig.RootCAs = certPool`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`return tlsConfig`
			`}`