clash/component/tls/config.go

package tls

import (
	"bytes"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
	"time"
)

var globalFingerprints [][32]byte
var mutex sync.Mutex

func verifyPeerCertificateAndFingerprints(fingerprints [][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if insecureSkipVerify {
			return nil
		}

		var preErr error
		for i := range rawCerts {
			rawCert := rawCerts[i]
			cert, err := x509.ParseCertificate(rawCert)
			if err == nil {
				opts := x509.VerifyOptions{
					CurrentTime: time.Now(),
				}

				if _, err := cert.Verify(opts); err == nil {
					return nil
				} else {
					fingerprint := sha256.Sum256(cert.Raw)
					for _, fp := range fingerprints {
						if bytes.Equal(fingerprint[:], fp[:]) {
							return nil
						}
					}

					preErr = err
				}
			}
		}

		return preErr
	}
}

func AddCertFingerprint(fingerprint string) error {
	fpByte, err2 := convertFingerprint(fingerprint)
	if err2 != nil {
		return err2
	}

	mutex.Lock()
	globalFingerprints = append(globalFingerprints, *fpByte)
	mutex.Unlock()
	return nil
}

func convertFingerprint(fingerprint string) (*[32]byte, error) {
	fp := strings.Replace(fingerprint, ":", "", -1)
	fpByte, err := hex.DecodeString(fp)
	if err != nil {
		return nil, err
	}

	if len(fpByte) != 32 {
		return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
	}
	return (*[32]byte)(fpByte), nil
}

func GetDefaultTLSConfig() *tls.Config {
	return MixinTLSConfig(nil)
}

// GetTLSConfigWithSpecifiedFingerprint specified fingerprint
func GetTLSConfigWithSpecifiedFingerprint(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		if tlsConfig == nil {
			return &tls.Config{
				InsecureSkipVerify:    true,
				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, false),
			}, nil
		} else {
			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
			tlsConfig.InsecureSkipVerify = true
			return tlsConfig, nil
		}
	}
}

func MixinTLSConfig(tlsConfig *tls.Config) *tls.Config {
	if tlsConfig == nil {
		return &tls.Config{
			InsecureSkipVerify:    true,
			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(globalFingerprints, false),
		}
	}

	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(globalFingerprints, tlsConfig.InsecureSkipVerify)
	tlsConfig.InsecureSkipVerify = true
	return tlsConfig
}
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`package tls`

			`import (`
			`"bytes"`
			`"crypto/sha256"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/hex"`
			`"fmt"`
			`"strings"`
			`"sync"`
			`"time"`
			`)`

feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`var globalFingerprints [][32]byte`
			`var mutex sync.Mutex`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`func verifyPeerCertificateAndFingerprints(fingerprints [][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`if insecureSkipVerify {`
			`return nil`
			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`var preErr error`
			`for i := range rawCerts {`
			`rawCert := rawCerts[i]`
			`cert, err := x509.ParseCertificate(rawCert)`
			`if err == nil {`
			`opts := x509.VerifyOptions{`
			`CurrentTime: time.Now(),`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`if _, err := cert.Verify(opts); err == nil {`
			`return nil`
			`} else {`
			`fingerprint := sha256.Sum256(cert.Raw)`
			`for _, fp := range fingerprints {`
			`if bytes.Equal(fingerprint[:], fp[:]) {`
			`return nil`
			`}`
			`}`

			`preErr = err`
			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
			`}`

feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return preErr`
			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`func AddCertFingerprint(fingerprint string) error {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`fpByte, err2 := convertFingerprint(fingerprint)`
			`if err2 != nil {`
			`return err2`
			`}`

			`mutex.Lock()`
			`globalFingerprints = append(globalFingerprints, *fpByte)`
			`mutex.Unlock()`
			`return nil`
			`}`

			`func convertFingerprint(fingerprint string) (*[32]byte, error) {`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`fp := strings.Replace(fingerprint, ":", "", -1)`
			`fpByte, err := hex.DecodeString(fp)`
			`if err != nil {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return nil, err`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`if len(fpByte) != 32 {`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`return (*[32]byte)(fpByte), nil`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`func GetDefaultTLSConfig() *tls.Config {`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`return MixinTLSConfig(nil)`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}`

			`// GetTLSConfigWithSpecifiedFingerprint specified fingerprint`
			`func GetTLSConfigWithSpecifiedFingerprint(tlsConfig tls.Config, fingerprint string) (tls.Config, error) {`
			`if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {`
			`return nil, err`
			`} else {`
			`if tlsConfig == nil {`
			`return &tls.Config{`
			`InsecureSkipVerify: true,`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`VerifyPeerCertificate: verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, false),`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`}, nil`
			`} else {`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)`
feat: Prepare to specify the fingerprint function 2022-07-10 13:56:33 +00:00			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig, nil`
			`}`
			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

			`func MixinTLSConfig(tlsConfig tls.Config) tls.Config {`
			`if tlsConfig == nil {`
fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`return &tls.Config{`
			`InsecureSkipVerify: true,`
			`VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(globalFingerprints, false),`
			`}`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`}`

fix: skip-cert-verify not work 2022-07-11 04:37:27 +00:00			`tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(globalFingerprints, tlsConfig.InsecureSkipVerify)`
feat: add fingerprint for tls verify 2022-07-10 12:44:24 +00:00			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig`
			`}`