v2fly/transport/internet/tls/config.go

package tls

import (
	"context"
	"crypto/tls"
	"time"

	"v2ray.com/core/common/net"
	"v2ray.com/core/common/protocol/tls/cert"
	"v2ray.com/core/transport/internet"
)

var (
	globalSessionCache = tls.NewLRUClientSessionCache(128)
)

// ParseCertificate converts a cert.Certificate to Certificate.
func ParseCertificate(c *cert.Certificate) *Certificate {
	certPEM, keyPEM := c.ToPEM()
	return &Certificate{
		Certificate: certPEM,
		Key:         keyPEM,
	}
}

func (c *Config) BuildCertificates() []tls.Certificate {
	certs := make([]tls.Certificate, 0, len(c.Certificate))
	for _, entry := range c.Certificate {
		if entry.Usage != Certificate_ENCIPHERMENT {
			continue
		}
		keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)
		if err != nil {
			newError("ignoring invalid X509 key pair").Base(err).AtWarning().WriteToLog()
			continue
		}
		certs = append(certs, keyPair)
	}
	return certs
}

func isCertificateExpired(c *tls.Certificate) bool {
	// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.
	return c.Leaf != nil && c.Leaf.NotAfter.After(time.Now().Add(-time.Minute))
}

func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) {
	parent, err := cert.ParseCertificate(rawCA.Certificate, rawCA.Key)
	if err != nil {
		return nil, newError("failed to parse raw certificate").Base(err)
	}
	newCert, err := cert.Generate(parent, cert.CommonName(domain), cert.DNSNames(domain))
	if err != nil {
		return nil, newError("failed to generate new certificate for ", domain).Base(err)
	}
	newCertPEM, newKeyPEM := newCert.ToPEM()
	cert, err := tls.X509KeyPair(newCertPEM, newKeyPEM)
	return &cert, err
}

func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
	config := &tls.Config{
		ClientSessionCache: globalSessionCache,
		RootCAs:            c.GetCertPool(),
	}
	if c == nil {
		return config
	}

	for _, opt := range opts {
		opt(config)
	}

	config.InsecureSkipVerify = c.AllowInsecure
	config.Certificates = c.BuildCertificates()
	config.BuildNameToCertificate()
	config.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		domain := hello.ServerName
		certExpired := false
		if certificate, found := config.NameToCertificate[domain]; found {
			if !isCertificateExpired(certificate) {
				return certificate, nil
			}
			certExpired = true
		}

		if certExpired {
			newCerts := make([]tls.Certificate, 0, len(config.Certificates))

			for _, certificate := range config.Certificates {
				if !isCertificateExpired(&certificate) {
					newCerts = append(newCerts, certificate)
				}
			}

			config.Certificates = newCerts
		}

		var issuedCertificate *tls.Certificate

		// Create a new certificate from existing CA if possible
		for _, rawCert := range c.Certificate {
			if rawCert.Usage == Certificate_AUTHORITY_ISSUE {
				newCert, err := issueCertificate(rawCert, domain)
				if err != nil {
					newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
					continue
				}

				config.Certificates = append(config.Certificates, *newCert)
				issuedCertificate = &config.Certificates[len(config.Certificates)-1]
				break
			}
		}

		if issuedCertificate == nil {
			return nil, newError("failed to create a new certificate for ", domain)
		}

		config.BuildNameToCertificate()

		return issuedCertificate, nil
	}
	if len(c.ServerName) > 0 {
		config.ServerName = c.ServerName
	}
	if len(c.NextProtocol) > 0 {
		config.NextProtos = c.NextProtocol
	}
	if len(config.NextProtos) == 0 {
		config.NextProtos = []string{"http/1.1"}
	}

	return config
}

type Option func(*tls.Config)

func WithDestination(dest net.Destination) Option {
	return func(config *tls.Config) {
		if dest.Address.Family().IsDomain() && len(config.ServerName) == 0 {
			config.ServerName = dest.Address.Domain()
		}
	}
}

func WithNextProto(protocol ...string) Option {
	return func(config *tls.Config) {
		if len(config.NextProtos) == 0 {
			config.NextProtos = protocol
		}
	}
}

func ConfigFromContext(ctx context.Context) *Config {
	securitySettings := internet.SecuritySettingsFromContext(ctx)
	if securitySettings == nil {
		return nil
	}
	config, ok := securitySettings.(*Config)
	if !ok {
		return nil
	}
	return config
}
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`package tls`

			`import (`
simplify tls config 2017-12-16 23:53:17 +00:00			`"context"`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`"crypto/tls"`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`"time"`
protobuf for stream settings 2016-10-02 21:43:58 +00:00
simplify tls config 2017-12-16 23:53:17 +00:00			`"v2ray.com/core/common/net"`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`"v2ray.com/core/common/protocol/tls/cert"`
simplify tls config 2017-12-16 23:53:17 +00:00			`"v2ray.com/core/transport/internet"`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`)`

			`var (`
			`globalSessionCache = tls.NewLRUClientSessionCache(128)`
			`)`

test case for tls certs 2018-04-10 21:02:47 +00:00			`// ParseCertificate converts a cert.Certificate to Certificate.`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`func ParseCertificate(c cert.Certificate) Certificate {`
			`certPEM, keyPEM := c.ToPEM()`
			`return &Certificate{`
			`Certificate: certPEM,`
			`Key: keyPEM,`
			`}`
			`}`

fix #643 2017-10-26 09:43:02 +00:00			`func (c *Config) BuildCertificates() []tls.Certificate {`
			`certs := make([]tls.Certificate, 0, len(c.Certificate))`
			`for _, entry := range c.Certificate {`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`if entry.Usage != Certificate_ENCIPHERMENT {`
			`continue`
			`}`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)`
			`if err != nil {`
merge log into common log 2017-12-19 20:28:12 +00:00			`newError("ignoring invalid X509 key pair").Base(err).AtWarning().WriteToLog()`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`continue`
			`}`
			`certs = append(certs, keyPair)`
			`}`
			`return certs`
			`}`

automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`func isCertificateExpired(c *tls.Certificate) bool {`
			`// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.`
			`return c.Leaf != nil && c.Leaf.NotAfter.After(time.Now().Add(-time.Minute))`
			`}`

			`func issueCertificate(rawCA Certificate, domain string) (tls.Certificate, error) {`
			`parent, err := cert.ParseCertificate(rawCA.Certificate, rawCA.Key)`
			`if err != nil {`
			`return nil, newError("failed to parse raw certificate").Base(err)`
			`}`
			`newCert, err := cert.Generate(parent, cert.CommonName(domain), cert.DNSNames(domain))`
			`if err != nil {`
			`return nil, newError("failed to generate new certificate for ", domain).Base(err)`
			`}`
			`newCertPEM, newKeyPEM := newCert.ToPEM()`
			`cert, err := tls.X509KeyPair(newCertPEM, newKeyPEM)`
			`return &cert, err`
			`}`

update tls config generation 2018-02-28 14:15:22 +00:00			`func (c Config) GetTLSConfig(opts ...Option) tls.Config {`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`config := &tls.Config{`
			`ClientSessionCache: globalSessionCache,`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`RootCAs: c.GetCertPool(),`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`}`
fix #643 2017-10-26 09:43:02 +00:00			`if c == nil {`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`return config`
			`}`

update tls config generation 2018-02-28 14:15:22 +00:00			`for _, opt := range opts {`
			`opt(config)`
			`}`

fix #643 2017-10-26 09:43:02 +00:00			`config.InsecureSkipVerify = c.AllowInsecure`
			`config.Certificates = c.BuildCertificates()`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`config.BuildNameToCertificate()`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`config.GetCertificate = func(hello tls.ClientHelloInfo) (tls.Certificate, error) {`
			`domain := hello.ServerName`
			`certExpired := false`
			`if certificate, found := config.NameToCertificate[domain]; found {`
			`if !isCertificateExpired(certificate) {`
			`return certificate, nil`
			`}`
			`certExpired = true`
			`}`

			`if certExpired {`
			`newCerts := make([]tls.Certificate, 0, len(config.Certificates))`

			`for _, certificate := range config.Certificates {`
			`if !isCertificateExpired(&certificate) {`
			`newCerts = append(newCerts, certificate)`
			`}`
			`}`

			`config.Certificates = newCerts`
			`}`

			`var issuedCertificate *tls.Certificate`

			`// Create a new certificate from existing CA if possible`
			`for _, rawCert := range c.Certificate {`
			`if rawCert.Usage == Certificate_AUTHORITY_ISSUE {`
			`newCert, err := issueCertificate(rawCert, domain)`
			`if err != nil {`
			`newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()`
			`continue`
			`}`

			`config.Certificates = append(config.Certificates, *newCert)`
			`issuedCertificate = &config.Certificates[len(config.Certificates)-1]`
			`break`
			`}`
			`}`

			`if issuedCertificate == nil {`
			`return nil, newError("failed to create a new certificate for ", domain)`
			`}`

			`config.BuildNameToCertificate()`

			`return issuedCertificate, nil`
			`}`
fix #643 2017-10-26 09:43:02 +00:00			`if len(c.ServerName) > 0 {`
			`config.ServerName = c.ServerName`
support server name override 2016-12-11 22:58:37 +00:00			`}`
Use 'h2' for ALPN in TCP 2018-01-02 17:16:36 +00:00			`if len(c.NextProtocol) > 0 {`
			`config.NextProtos = c.NextProtocol`
			`}`
h2 transport 2018-03-01 12:16:52 +00:00			`if len(config.NextProtos) == 0 {`
			`config.NextProtos = []string{"http/1.1"}`
			`}`
protobuf for stream settings 2016-10-02 21:43:58 +00:00
			`return config`
			`}`
fix #643 2017-10-26 09:43:02 +00:00
update tls config generation 2018-02-28 14:15:22 +00:00			`type Option func(*tls.Config)`
simplify tls config 2017-12-16 23:53:17 +00:00
			`func WithDestination(dest net.Destination) Option {`
update tls config generation 2018-02-28 14:15:22 +00:00			`return func(config *tls.Config) {`
simplify tls config 2017-12-16 23:53:17 +00:00			`if dest.Address.Family().IsDomain() && len(config.ServerName) == 0 {`
			`config.ServerName = dest.Address.Domain()`
			`}`
			`}`
			`}`

Use 'h2' for ALPN in TCP 2018-01-02 17:16:36 +00:00			`func WithNextProto(protocol ...string) Option {`
update tls config generation 2018-02-28 14:15:22 +00:00			`return func(config *tls.Config) {`
			`if len(config.NextProtos) == 0 {`
			`config.NextProtos = protocol`
Use 'h2' for ALPN in TCP 2018-01-02 17:16:36 +00:00			`}`
			`}`
			`}`

update tls config generation 2018-02-28 14:15:22 +00:00			`func ConfigFromContext(ctx context.Context) *Config {`
simplify tls config 2017-12-16 23:53:17 +00:00			`securitySettings := internet.SecuritySettingsFromContext(ctx)`
			`if securitySettings == nil {`
			`return nil`
			`}`
update tls config generation 2018-02-28 14:15:22 +00:00			`config, ok := securitySettings.(*Config)`
			`if !ok {`
			`return nil`
fix #643 2017-10-26 09:43:02 +00:00			`}`
update tls config generation 2018-02-28 14:15:22 +00:00			`return config`
fix #643 2017-10-26 09:43:02 +00:00			`}`