1
0
mirror of https://github.com/v2fly/v2ray-core.git synced 2024-11-18 02:16:10 -05:00
v2fly/transport/internet/tls/config.go

289 lines
7.7 KiB
Go
Raw Normal View History

2016-10-02 17:43:58 -04:00
package tls
import (
"crypto/hmac"
2016-10-02 17:43:58 -04:00
"crypto/tls"
2018-04-18 05:45:49 -04:00
"crypto/x509"
"encoding/base64"
2019-02-19 07:05:36 -05:00
"strings"
2018-07-13 18:21:58 -04:00
"sync"
"time"
2016-10-02 17:43:58 -04:00
"github.com/v2fly/v2ray-core/v5/common/net"
"github.com/v2fly/v2ray-core/v5/common/protocol/tls/cert"
"github.com/v2fly/v2ray-core/v5/transport/internet"
2016-10-02 17:43:58 -04:00
)
2021-05-19 17:28:52 -04:00
var globalSessionCache = tls.NewLRUClientSessionCache(128)
2016-10-02 17:43:58 -04:00
2019-02-19 07:05:36 -05:00
const exp8357 = "experiment:8357"
2018-04-10 17:02:47 -04:00
// ParseCertificate converts a cert.Certificate to Certificate.
func ParseCertificate(c *cert.Certificate) *Certificate {
if c != nil {
certPEM, keyPEM := c.ToPEM()
return &Certificate{
Certificate: certPEM,
Key: keyPEM,
}
}
return nil
}
func (c *Config) loadSelfCertPool(usage Certificate_Usage) (*x509.CertPool, error) {
root := x509.NewCertPool()
for _, cert := range c.Certificate {
if cert.Usage == usage {
if !root.AppendCertsFromPEM(cert.Certificate) {
return nil, newError("failed to append cert").AtWarning()
}
}
}
return root, nil
}
2018-04-17 17:33:39 -04:00
// BuildCertificates builds a list of TLS certificates from proto definition.
2017-10-26 05:43:02 -04:00
func (c *Config) BuildCertificates() []tls.Certificate {
certs := make([]tls.Certificate, 0, len(c.Certificate))
for _, entry := range c.Certificate {
if entry.Usage != Certificate_ENCIPHERMENT {
continue
}
2016-10-02 17:43:58 -04:00
keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)
if err != nil {
2017-12-19 15:28:12 -05:00
newError("ignoring invalid X509 key pair").Base(err).AtWarning().WriteToLog()
2016-10-02 17:43:58 -04:00
continue
}
certs = append(certs, keyPair)
}
return certs
}
func isCertificateExpired(c *tls.Certificate) bool {
2018-04-18 05:45:49 -04:00
if c.Leaf == nil && len(c.Certificate) > 0 {
if pc, err := x509.ParseCertificate(c.Certificate[0]); err == nil {
c.Leaf = pc
}
}
// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.
return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(time.Minute*2))
}
func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) {
parent, err := cert.ParseCertificate(rawCA.Certificate, rawCA.Key)
if err != nil {
return nil, newError("failed to parse raw certificate").Base(err)
}
newCert, err := cert.Generate(parent, cert.CommonName(domain), cert.DNSNames(domain))
if err != nil {
return nil, newError("failed to generate new certificate for ", domain).Base(err)
}
newCertPEM, newKeyPEM := newCert.ToPEM()
cert, err := tls.X509KeyPair(newCertPEM, newKeyPEM)
return &cert, err
}
2018-04-14 07:28:57 -04:00
func (c *Config) getCustomCA() []*Certificate {
certs := make([]*Certificate, 0, len(c.Certificate))
for _, certificate := range c.Certificate {
if certificate.Usage == Certificate_AUTHORITY_ISSUE {
2018-04-14 07:28:57 -04:00
certs = append(certs, certificate)
}
}
2018-04-14 07:28:57 -04:00
return certs
}
func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
2018-07-13 18:21:58 -04:00
var access sync.RWMutex
2018-04-14 07:28:57 -04:00
return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
domain := hello.ServerName
certExpired := false
2018-07-13 18:21:58 -04:00
access.RLock()
certificate, found := c.NameToCertificate[domain]
access.RUnlock()
if found {
2018-04-14 07:28:57 -04:00
if !isCertificateExpired(certificate) {
return certificate, nil
}
certExpired = true
}
if certExpired {
newCerts := make([]tls.Certificate, 0, len(c.Certificates))
2018-07-13 18:21:58 -04:00
access.Lock()
2018-04-14 07:28:57 -04:00
for _, certificate := range c.Certificates {
cert := certificate
if !isCertificateExpired(&cert) {
newCerts = append(newCerts, cert)
} else if cert.Leaf != nil {
expTime := cert.Leaf.NotAfter.Format(time.RFC3339)
2021-06-04 15:07:27 -04:00
newError("old certificate for ", domain, " (expire on ", expTime, ") discard").AtInfo().WriteToLog()
2018-04-14 07:28:57 -04:00
}
}
c.Certificates = newCerts
2018-07-13 18:21:58 -04:00
access.Unlock()
2018-04-14 07:28:57 -04:00
}
var issuedCertificate *tls.Certificate
// Create a new certificate from existing CA if possible
for _, rawCert := range ca {
if rawCert.Usage == Certificate_AUTHORITY_ISSUE {
newCert, err := issueCertificate(rawCert, domain)
if err != nil {
newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
continue
}
parsed, err := x509.ParseCertificate(newCert.Certificate[0])
if err == nil {
newCert.Leaf = parsed
expTime := parsed.NotAfter.Format(time.RFC3339)
newError("new certificate for ", domain, " (expire on ", expTime, ") issued").AtInfo().WriteToLog()
} else {
newError("failed to parse new certificate for ", domain).Base(err).WriteToLog()
2018-04-14 07:28:57 -04:00
}
2018-07-13 18:21:58 -04:00
access.Lock()
2018-04-14 07:28:57 -04:00
c.Certificates = append(c.Certificates, *newCert)
issuedCertificate = &c.Certificates[len(c.Certificates)-1]
2018-07-13 18:21:58 -04:00
access.Unlock()
2018-04-14 07:28:57 -04:00
break
}
}
if issuedCertificate == nil {
return nil, newError("failed to create a new certificate for ", domain)
}
2018-07-13 18:21:58 -04:00
access.Lock()
2018-04-14 07:28:57 -04:00
c.BuildNameToCertificate()
2018-07-13 18:21:58 -04:00
access.Unlock()
2018-04-14 07:28:57 -04:00
return issuedCertificate, nil
}
}
2019-02-16 18:58:02 -05:00
func (c *Config) IsExperiment8357() bool {
2019-02-19 07:05:36 -05:00
return strings.HasPrefix(c.ServerName, exp8357)
}
func (c *Config) parseServerName() string {
if c.IsExperiment8357() {
return c.ServerName[len(exp8357):]
}
return c.ServerName
2019-02-16 18:58:02 -05:00
}
func (c *Config) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
if c.PinnedPeerCertificateChainSha256 != nil {
hashValue := GenerateCertChainHash(rawCerts)
for _, v := range c.PinnedPeerCertificateChainSha256 {
if hmac.Equal(hashValue, v) {
return nil
}
}
return newError("peer cert is unrecognized: ", base64.StdEncoding.EncodeToString(hashValue))
}
return nil
}
2018-04-17 17:33:39 -04:00
// GetTLSConfig converts this Config into tls.Config.
2018-02-28 09:15:22 -05:00
func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
root, err := c.getCertPool()
if err != nil {
newError("failed to load system root certificate").AtError().Base(err).WriteToLog()
}
if c == nil {
return &tls.Config{
ClientSessionCache: globalSessionCache,
RootCAs: root,
InsecureSkipVerify: false,
NextProtos: nil,
2021-01-01 06:25:04 -05:00
SessionTicketsDisabled: true,
}
}
clientRoot, err := c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY_CLIENT)
if err != nil {
newError("failed to load client root certificate").AtError().Base(err).WriteToLog()
}
2016-10-02 17:43:58 -04:00
config := &tls.Config{
ClientSessionCache: globalSessionCache,
RootCAs: root,
InsecureSkipVerify: c.AllowInsecure,
NextProtos: c.NextProtocol,
SessionTicketsDisabled: !c.EnableSessionResumption,
VerifyPeerCertificate: c.verifyPeerCert,
ClientCAs: clientRoot,
2016-10-02 17:43:58 -04:00
}
2018-02-28 09:15:22 -05:00
for _, opt := range opts {
opt(config)
}
2017-10-26 05:43:02 -04:00
config.Certificates = c.BuildCertificates()
2016-10-02 17:43:58 -04:00
config.BuildNameToCertificate()
2018-04-14 07:28:57 -04:00
caCerts := c.getCustomCA()
if len(caCerts) > 0 {
config.GetCertificate = getGetCertificateFunc(config, caCerts)
}
2019-02-19 07:05:36 -05:00
if sn := c.parseServerName(); len(sn) > 0 {
config.ServerName = sn
2016-12-11 17:58:37 -05:00
}
2019-02-19 07:05:36 -05:00
2018-03-01 07:16:52 -05:00
if len(config.NextProtos) == 0 {
config.NextProtos = []string{"h2", "http/1.1"}
2018-03-01 07:16:52 -05:00
}
2016-10-02 17:43:58 -04:00
if c.VerifyClientCertificate {
config.ClientAuth = tls.RequireAndVerifyClientCert
}
2016-10-02 17:43:58 -04:00
return config
}
2017-10-26 05:43:02 -04:00
2018-04-17 17:33:39 -04:00
// Option for building TLS config.
2018-02-28 09:15:22 -05:00
type Option func(*tls.Config)
2017-12-16 18:53:17 -05:00
2018-04-17 17:33:39 -04:00
// WithDestination sets the server name in TLS config.
2017-12-16 18:53:17 -05:00
func WithDestination(dest net.Destination) Option {
2018-02-28 09:15:22 -05:00
return func(config *tls.Config) {
if dest.Address.Family().IsDomain() && config.ServerName == "" {
2017-12-16 18:53:17 -05:00
config.ServerName = dest.Address.Domain()
}
}
}
2018-04-17 17:33:39 -04:00
// WithNextProto sets the ALPN values in TLS config.
2018-01-02 12:16:36 -05:00
func WithNextProto(protocol ...string) Option {
2018-02-28 09:15:22 -05:00
return func(config *tls.Config) {
if len(config.NextProtos) == 0 {
config.NextProtos = protocol
2018-01-02 12:16:36 -05:00
}
}
}
// ConfigFromStreamSettings fetches Config from stream settings. Nil if not found.
func ConfigFromStreamSettings(settings *internet.MemoryStreamConfig) *Config {
if settings == nil {
2017-12-16 18:53:17 -05:00
return nil
}
if settings.SecuritySettings == nil {
2018-02-28 09:15:22 -05:00
return nil
2017-10-26 05:43:02 -04:00
}
// Fail close for unknown TLS settings type.
// For TLS Clients, Security Engine should be used, instead of this.
config := settings.SecuritySettings.(*Config)
2018-02-28 09:15:22 -05:00
return config
2017-10-26 05:43:02 -04:00
}