v2fly/transport/internet/tls/config_other.go

//go:build !windows && !confonly
// +build !windows,!confonly

package tls

import (
	"crypto/x509"
	"sync"
)

type rootCertsCache struct {
	sync.Mutex
	pool *x509.CertPool
}

func (c *rootCertsCache) load() (*x509.CertPool, error) {
	c.Lock()
	defer c.Unlock()

	if c.pool != nil {
		return c.pool, nil
	}

	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, err
	}
	c.pool = pool
	return pool, nil
}

var rootCerts rootCertsCache

func (c *Config) getCertPool() (*x509.CertPool, error) {
	if c.DisableSystemRoot {
		return c.loadSelfCertPool()
	}

	if len(c.Certificate) == 0 {
		return rootCerts.load()
	}

	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, newError("system root").AtWarning().Base(err)
	}
	for _, cert := range c.Certificate {
		/* Do not treat client certificate authority as a peer certificate authority.
		   This is designed to prevent a client certificate with a permissive key usage from being used to attacker server.
		   In next release, the certificate usage will be enforced strictly.
		   Only a certificate with AUTHORITY_VERIFY usage will be accepted.
		*/
		if cert.Usage == Certificate_AUTHORITY_VERIFY_CLIENT {
			continue
		}

		if !pool.AppendCertsFromPEM(cert.Certificate) {
			return nil, newError("append cert to root").AtWarning().Base(err)
		}
	}
	return pool, err
}
🏡 Housekeeping: Update to Go 1.17 (#1215) * ⬆ Update to Go 1.17 * 🏗 Update workflows and add windows-arm64 * 💾 Update generated files * 📛 Update not-so-friendly filenames 2021-08-21 01:20:40 -04:00			`//go:build !windows && !confonly`
			`// +build !windows,!confonly`
disable system roots for windows 2018-04-13 04:01:10 -04:00
			`package tls`

reduce memory usage in tls 2018-08-09 07:30:29 -04:00			`import (`
			`"crypto/x509"`
			`"sync"`
			`)`

add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`type rootCertsCache struct {`
reduce memory usage in tls 2018-08-09 07:30:29 -04:00			`sync.Mutex`
add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`pool *x509.CertPool`
reduce memory usage in tls 2018-08-09 07:30:29 -04:00			`}`

add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`func (c rootCertsCache) load() (x509.CertPool, error) {`
			`c.Lock()`
			`defer c.Unlock()`

			`if c.pool != nil {`
			`return c.pool, nil`
reduce memory usage in tls 2018-08-09 07:30:29 -04:00			`}`
add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00
			`pool, err := x509.SystemCertPool()`
			`if err != nil {`
			`return nil, err`
			`}`
			`c.pool = pool`
			`return pool, nil`
reduce memory usage in tls 2018-08-09 07:30:29 -04:00			`}`

add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`var rootCerts rootCertsCache`
reduce memory usage in tls 2018-08-09 07:30:29 -04:00
add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`func (c Config) getCertPool() (x509.CertPool, error) {`
			`if c.DisableSystemRoot {`
			`return c.loadSelfCertPool()`
disable system roots for windows 2018-04-13 04:01:10 -04:00			`}`
reduce memory usage in tls 2018-08-09 07:30:29 -04:00
add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`if len(c.Certificate) == 0 {`
			`return rootCerts.load()`
reduce memory usage in tls 2018-08-09 07:30:29 -04:00			`}`

add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`pool, err := x509.SystemCertPool()`
			`if err != nil {`
			`return nil, newError("system root").AtWarning().Base(err)`
			`}`
			`for _, cert := range c.Certificate {`
separate client ca and server ca This is designed to prevent a server from being attacked with a client with a certificate issued by a trusted system CA. Some commercial CA actually can issue certificate to individual to proof their identity. The server should not accept these certs as a valid client certificates. 2021-09-01 17:34:13 -04:00			`/* Do not treat client certificate authority as a peer certificate authority.`
			`This is designed to prevent a client certificate with a permissive key usage from being used to attacker server.`
			`In next release, the certificate usage will be enforced strictly.`
			`Only a certificate with AUTHORITY_VERIFY usage will be accepted.`
			`*/`
			`if cert.Usage == Certificate_AUTHORITY_VERIFY_CLIENT {`
			`continue`
			`}`

add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`if !pool.AppendCertsFromPEM(cert.Certificate) {`
			`return nil, newError("append cert to root").AtWarning().Base(err)`
disable system roots for windows 2018-04-13 04:01:10 -04:00			`}`
			`}`
add support for not loading system roots. fixes #1513 2019-02-26 15:58:54 -05:00			`return pool, err`
disable system roots for windows 2018-04-13 04:01:10 -04:00			`}`