Clash.Meta/component/tls/config.go

package tls

import (
	"bytes"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	xtls "github.com/xtls/go"
	"sync"
	"time"
)

var globalFingerprints = make([][32]byte, 0, 0)
var mutex sync.Mutex

func verifyPeerCertificateAndFingerprints(fingerprints *[][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if insecureSkipVerify {
			return nil
		}

		var preErr error
		for i := range rawCerts {
			rawCert := rawCerts[i]
			cert, err := x509.ParseCertificate(rawCert)
			if err == nil {
				opts := x509.VerifyOptions{
					CurrentTime: time.Now(),
				}

				if _, err := cert.Verify(opts); err == nil {
					return nil
				} else {
					fingerprint := sha256.Sum256(cert.Raw)
					for _, fp := range *fingerprints {
						if bytes.Equal(fingerprint[:], fp[:]) {
							return nil
						}
					}

					preErr = err
				}
			}
		}

		return preErr
	}
}

func AddCertFingerprint(fingerprint string) error {
	fpByte, err2 := convertFingerprint(fingerprint)
	if err2 != nil {
		return err2
	}

	mutex.Lock()
	globalFingerprints = append(globalFingerprints, *fpByte)
	mutex.Unlock()
	return nil
}

func convertFingerprint(fingerprint string) (*[32]byte, error) {
	fpByte, err := hex.DecodeString(fingerprint)
	if err != nil {
		return nil, err
	}

	if len(fpByte) != 32 {
		return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
	}
	return (*[32]byte)(fpByte), nil
}

func GetDefaultTLSConfig() *tls.Config {
	return GetGlobalFingerprintTLCConfig(nil)
}

// GetSpecifiedFingerprintTLSConfig specified fingerprint
func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		if tlsConfig == nil {
			return &tls.Config{
				InsecureSkipVerify:    true,
				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
			}, nil
		} else {
			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
			tlsConfig.InsecureSkipVerify = true
			return tlsConfig, nil
		}
	}
}

func GetGlobalFingerprintTLCConfig(tlsConfig *tls.Config) *tls.Config {
	if tlsConfig == nil {
		return &tls.Config{
			InsecureSkipVerify:    true,
			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
		}
	}

	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
	tlsConfig.InsecureSkipVerify = true
	return tlsConfig
}

// GetSpecifiedFingerprintXTLSConfig specified fingerprint
func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint string) (*xtls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		if tlsConfig == nil {
			return &xtls.Config{
				InsecureSkipVerify:    true,
				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
			}, nil
		} else {
			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
			tlsConfig.InsecureSkipVerify = true
			return tlsConfig, nil
		}
	}
}

func GetGlobalFingerprintXTLCConfig(tlsConfig *xtls.Config) *xtls.Config {
	if tlsConfig == nil {
		return &xtls.Config{
			InsecureSkipVerify:    true,
			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
		}
	}

	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
	tlsConfig.InsecureSkipVerify = true
	return tlsConfig
}
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`package tls`

			`import (`
			`"bytes"`
			`"crypto/sha256"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/hex"`
			`"fmt"`
feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`xtls "github.com/xtls/go"`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`"sync"`
			`"time"`
			`)`

fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`var globalFingerprints = make([][32]byte, 0, 0)`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`var mutex sync.Mutex`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`func verifyPeerCertificateAndFingerprints(fingerprints [][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]x509.Certificate) error {`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {`
fix: skip-cert-verify not work 2022-07-11 12:37:27 +08:00			`if insecureSkipVerify {`
			`return nil`
			`}`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`var preErr error`
			`for i := range rawCerts {`
			`rawCert := rawCerts[i]`
			`cert, err := x509.ParseCertificate(rawCert)`
			`if err == nil {`
			`opts := x509.VerifyOptions{`
			`CurrentTime: time.Now(),`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`

feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`if _, err := cert.Verify(opts); err == nil {`
			`return nil`
			`} else {`
			`fingerprint := sha256.Sum256(cert.Raw)`
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`for _, fp := range *fingerprints {`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`if bytes.Equal(fingerprint[:], fp[:]) {`
			`return nil`
			`}`
			`}`

			`preErr = err`
			`}`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`
			`}`

feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`return preErr`
			`}`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`

			`func AddCertFingerprint(fingerprint string) error {`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`fpByte, err2 := convertFingerprint(fingerprint)`
			`if err2 != nil {`
			`return err2`
			`}`

			`mutex.Lock()`
			`globalFingerprints = append(globalFingerprints, *fpByte)`
			`mutex.Unlock()`
			`return nil`
			`}`

			`func convertFingerprint(fingerprint string) (*[32]byte, error) {`
chore: fingerprint style 2022-07-11 13:44:27 +08:00			`fpByte, err := hex.DecodeString(fingerprint)`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`if err != nil {`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`return nil, err`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`

			`if len(fpByte) != 32 {`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`return (*[32]byte)(fpByte), nil`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`

			`func GetDefaultTLSConfig() *tls.Config {`
feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`return GetGlobalFingerprintTLCConfig(nil)`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`}`

feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`// GetSpecifiedFingerprintTLSConfig specified fingerprint`
			`func GetSpecifiedFingerprintTLSConfig(tlsConfig tls.Config, fingerprint string) (tls.Config, error) {`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {`
			`return nil, err`
			`} else {`
			`if tlsConfig == nil {`
			`return &tls.Config{`
			`InsecureSkipVerify: true,`
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`}, nil`
			`} else {`
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig, nil`
			`}`
			`}`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`

feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`func GetGlobalFingerprintTLCConfig(tlsConfig tls.Config) tls.Config {`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`if tlsConfig == nil {`
fix: skip-cert-verify not work 2022-07-11 12:37:27 +08:00			`return &tls.Config{`
			`InsecureSkipVerify: true,`
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),`
fix: skip-cert-verify not work 2022-07-11 12:37:27 +08:00			`}`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`

fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig`
			`}`
feat: add fingerprint param 2022-07-11 13:42:28 +08:00
			`// GetSpecifiedFingerprintXTLSConfig specified fingerprint`
			`func GetSpecifiedFingerprintXTLSConfig(tlsConfig xtls.Config, fingerprint string) (xtls.Config, error) {`
			`if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {`
			`return nil, err`
			`} else {`
			`if tlsConfig == nil {`
			`return &xtls.Config{`
			`InsecureSkipVerify: true,`
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),`
feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`}, nil`
			`} else {`
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)`
feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig, nil`
			`}`
			`}`
			`}`

			`func GetGlobalFingerprintXTLCConfig(tlsConfig xtls.Config) xtls.Config {`
			`if tlsConfig == nil {`
			`return &xtls.Config{`
			`InsecureSkipVerify: true,`
fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),`
feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`}`
			`}`

fix: global fingerprints load failed 2022-10-03 22:41:24 +08:00			`tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)`
feat: add fingerprint param 2022-07-11 13:42:28 +08:00			`tlsConfig.InsecureSkipVerify = true`
			`return tlsConfig`
			`}`