v2fly/transport/internet/tls/config.go

// +build !confonly

package tls

import (
	"crypto/hmac"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"strings"
	"sync"
	"time"

	"github.com/v2fly/v2ray-core/v4/common/net"
	"github.com/v2fly/v2ray-core/v4/common/protocol/tls/cert"
	"github.com/v2fly/v2ray-core/v4/transport/internet"
)

var globalSessionCache = tls.NewLRUClientSessionCache(128)

const exp8357 = "experiment:8357"

// ParseCertificate converts a cert.Certificate to Certificate.
func ParseCertificate(c *cert.Certificate) *Certificate {
	if c != nil {
		certPEM, keyPEM := c.ToPEM()
		return &Certificate{
			Certificate: certPEM,
			Key:         keyPEM,
		}
	}
	return nil
}

func (c *Config) loadSelfCertPool() (*x509.CertPool, error) {
	root := x509.NewCertPool()
	for _, cert := range c.Certificate {
		if !root.AppendCertsFromPEM(cert.Certificate) {
			return nil, newError("failed to append cert").AtWarning()
		}
	}
	return root, nil
}

// BuildCertificates builds a list of TLS certificates from proto definition.
func (c *Config) BuildCertificates() []tls.Certificate {
	certs := make([]tls.Certificate, 0, len(c.Certificate))
	for _, entry := range c.Certificate {
		if entry.Usage != Certificate_ENCIPHERMENT {
			continue
		}
		keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)
		if err != nil {
			newError("ignoring invalid X509 key pair").Base(err).AtWarning().WriteToLog()
			continue
		}
		certs = append(certs, keyPair)
	}
	return certs
}

func isCertificateExpired(c *tls.Certificate) bool {
	if c.Leaf == nil && len(c.Certificate) > 0 {
		if pc, err := x509.ParseCertificate(c.Certificate[0]); err == nil {
			c.Leaf = pc
		}
	}

	// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.
	return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute))
}

func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) {
	parent, err := cert.ParseCertificate(rawCA.Certificate, rawCA.Key)
	if err != nil {
		return nil, newError("failed to parse raw certificate").Base(err)
	}
	newCert, err := cert.Generate(parent, cert.CommonName(domain), cert.DNSNames(domain))
	if err != nil {
		return nil, newError("failed to generate new certificate for ", domain).Base(err)
	}
	newCertPEM, newKeyPEM := newCert.ToPEM()
	cert, err := tls.X509KeyPair(newCertPEM, newKeyPEM)
	return &cert, err
}

func (c *Config) getCustomCA() []*Certificate {
	certs := make([]*Certificate, 0, len(c.Certificate))
	for _, certificate := range c.Certificate {
		if certificate.Usage == Certificate_AUTHORITY_ISSUE {
			certs = append(certs, certificate)
		}
	}
	return certs
}

func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	var access sync.RWMutex

	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		domain := hello.ServerName
		certExpired := false

		access.RLock()
		certificate, found := c.NameToCertificate[domain]
		access.RUnlock()

		if found {
			if !isCertificateExpired(certificate) {
				return certificate, nil
			}
			certExpired = true
		}

		if certExpired {
			newCerts := make([]tls.Certificate, 0, len(c.Certificates))

			access.Lock()
			for _, certificate := range c.Certificates {
				cert := certificate
				if !isCertificateExpired(&cert) {
					newCerts = append(newCerts, cert)
				}
			}

			c.Certificates = newCerts
			access.Unlock()
		}

		var issuedCertificate *tls.Certificate

		// Create a new certificate from existing CA if possible
		for _, rawCert := range ca {
			if rawCert.Usage == Certificate_AUTHORITY_ISSUE {
				newCert, err := issueCertificate(rawCert, domain)
				if err != nil {
					newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
					continue
				}

				access.Lock()
				c.Certificates = append(c.Certificates, *newCert)
				issuedCertificate = &c.Certificates[len(c.Certificates)-1]
				access.Unlock()
				break
			}
		}

		if issuedCertificate == nil {
			return nil, newError("failed to create a new certificate for ", domain)
		}

		access.Lock()
		c.BuildNameToCertificate()
		access.Unlock()

		return issuedCertificate, nil
	}
}

func (c *Config) IsExperiment8357() bool {
	return strings.HasPrefix(c.ServerName, exp8357)
}

func (c *Config) parseServerName() string {
	if c.IsExperiment8357() {
		return c.ServerName[len(exp8357):]
	}

	return c.ServerName
}

func (c *Config) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	if c.PinnedPeerCertificateChainSha256 != nil {
		hashValue := GenerateCertChainHash(rawCerts)
		for _, v := range c.PinnedPeerCertificateChainSha256 {
			if hmac.Equal(hashValue, v) {
				return nil
			}
		}
		return newError("peer cert is unrecognized: ", base64.StdEncoding.EncodeToString(hashValue))
	}
	return nil
}

// GetTLSConfig converts this Config into tls.Config.
func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
	root, err := c.getCertPool()
	if err != nil {
		newError("failed to load system root certificate").AtError().Base(err).WriteToLog()
	}

	if c == nil {
		return &tls.Config{
			ClientSessionCache:     globalSessionCache,
			RootCAs:                root,
			InsecureSkipVerify:     false,
			NextProtos:             nil,
			SessionTicketsDisabled: true,
		}
	}

	config := &tls.Config{
		ClientSessionCache:     globalSessionCache,
		RootCAs:                root,
		InsecureSkipVerify:     c.AllowInsecure,
		NextProtos:             c.NextProtocol,
		SessionTicketsDisabled: !c.EnableSessionResumption,
		VerifyPeerCertificate:  c.verifyPeerCert,
	}

	for _, opt := range opts {
		opt(config)
	}

	config.Certificates = c.BuildCertificates()
	config.BuildNameToCertificate()

	caCerts := c.getCustomCA()
	if len(caCerts) > 0 {
		config.GetCertificate = getGetCertificateFunc(config, caCerts)
	}

	if sn := c.parseServerName(); len(sn) > 0 {
		config.ServerName = sn
	}

	if len(config.NextProtos) == 0 {
		config.NextProtos = []string{"h2", "http/1.1"}
	}

	return config
}

// Option for building TLS config.
type Option func(*tls.Config)

// WithDestination sets the server name in TLS config.
func WithDestination(dest net.Destination) Option {
	return func(config *tls.Config) {
		if dest.Address.Family().IsDomain() && config.ServerName == "" {
			config.ServerName = dest.Address.Domain()
		}
	}
}

// WithNextProto sets the ALPN values in TLS config.
func WithNextProto(protocol ...string) Option {
	return func(config *tls.Config) {
		if len(config.NextProtos) == 0 {
			config.NextProtos = protocol
		}
	}
}

// ConfigFromStreamSettings fetches Config from stream settings. Nil if not found.
func ConfigFromStreamSettings(settings *internet.MemoryStreamConfig) *Config {
	if settings == nil {
		return nil
	}
	config, ok := settings.SecuritySettings.(*Config)
	if !ok {
		return nil
	}
	return config
}
optimize v2ctl size 2019-02-01 19:08:21 +00:00			`// +build !confonly`

protobuf for stream settings 2016-10-02 21:43:58 +00:00			`package tls`

			`import (`
verify peer cert function for better man in the middle prevention 2021-04-15 17:16:19 +00:00			`"crypto/hmac"`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`"crypto/tls"`
fix expired cert check 2018-04-18 09:45:49 +00:00			`"crypto/x509"`
added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb 2021-04-15 18:01:55 +00:00			`"encoding/base64"`
fix server name parsing 2019-02-19 12:05:36 +00:00			`"strings"`
fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`"sync"`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`"time"`
protobuf for stream settings 2016-10-02 21:43:58 +00:00
Chore: change module name (#677) 2021-02-16 20:31:50 +00:00			`"github.com/v2fly/v2ray-core/v4/common/net"`
			`"github.com/v2fly/v2ray-core/v4/common/protocol/tls/cert"`
			`"github.com/v2fly/v2ray-core/v4/transport/internet"`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`)`

Style: format code by gofumpt (#1022) 2021-05-19 21:28:52 +00:00			`var globalSessionCache = tls.NewLRUClientSessionCache(128)`
protobuf for stream settings 2016-10-02 21:43:58 +00:00
fix server name parsing 2019-02-19 12:05:36 +00:00			`const exp8357 = "experiment:8357"`

test case for tls certs 2018-04-10 21:02:47 +00:00			`// ParseCertificate converts a cert.Certificate to Certificate.`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`func ParseCertificate(c cert.Certificate) Certificate {`
Refine code according to golangci-lint results 2020-10-11 11:22:46 +00:00			`if c != nil {`
			`certPEM, keyPEM := c.ToPEM()`
			`return &Certificate{`
			`Certificate: certPEM,`
			`Key: keyPEM,`
			`}`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`}`
Refine code according to golangci-lint results 2020-10-11 11:22:46 +00:00			`return nil`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`}`

add support for not loading system roots. fixes #1513 2019-02-26 20:58:54 +00:00			`func (c Config) loadSelfCertPool() (x509.CertPool, error) {`
			`root := x509.NewCertPool()`
			`for _, cert := range c.Certificate {`
			`if !root.AppendCertsFromPEM(cert.Certificate) {`
			`return nil, newError("failed to append cert").AtWarning()`
			`}`
			`}`
			`return root, nil`
			`}`

comments 2018-04-17 21:33:39 +00:00			`// BuildCertificates builds a list of TLS certificates from proto definition.`
fix #643 2017-10-26 09:43:02 +00:00			`func (c *Config) BuildCertificates() []tls.Certificate {`
			`certs := make([]tls.Certificate, 0, len(c.Certificate))`
			`for _, entry := range c.Certificate {`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`if entry.Usage != Certificate_ENCIPHERMENT {`
			`continue`
			`}`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)`
			`if err != nil {`
merge log into common log 2017-12-19 20:28:12 +00:00			`newError("ignoring invalid X509 key pair").Base(err).AtWarning().WriteToLog()`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`continue`
			`}`
			`certs = append(certs, keyPair)`
			`}`
			`return certs`
			`}`

automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`func isCertificateExpired(c *tls.Certificate) bool {`
fix expired cert check 2018-04-18 09:45:49 +00:00			`if c.Leaf == nil && len(c.Certificate) > 0 {`
			`if pc, err := x509.ParseCertificate(c.Certificate[0]); err == nil {`
			`c.Leaf = pc`
			`}`
			`}`

automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.`
fix expired cert check 2018-04-18 09:45:49 +00:00			`return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute))`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`}`

			`func issueCertificate(rawCA Certificate, domain string) (tls.Certificate, error) {`
			`parent, err := cert.ParseCertificate(rawCA.Certificate, rawCA.Key)`
			`if err != nil {`
			`return nil, newError("failed to parse raw certificate").Base(err)`
			`}`
			`newCert, err := cert.Generate(parent, cert.CommonName(domain), cert.DNSNames(domain))`
			`if err != nil {`
			`return nil, newError("failed to generate new certificate for ", domain).Base(err)`
			`}`
			`newCertPEM, newKeyPEM := newCert.ToPEM()`
			`cert, err := tls.X509KeyPair(newCertPEM, newKeyPEM)`
			`return &cert, err`
			`}`

refine cert generation 2018-04-14 11:28:57 +00:00			`func (c Config) getCustomCA() []Certificate {`
			`certs := make([]*Certificate, 0, len(c.Certificate))`
only try issuing new certificate when user provide custom CA 2018-04-14 11:12:50 +00:00			`for _, certificate := range c.Certificate {`
			`if certificate.Usage == Certificate_AUTHORITY_ISSUE {`
refine cert generation 2018-04-14 11:28:57 +00:00			`certs = append(certs, certificate)`
only try issuing new certificate when user provide custom CA 2018-04-14 11:12:50 +00:00			`}`
			`}`
refine cert generation 2018-04-14 11:28:57 +00:00			`return certs`
			`}`

			`func getGetCertificateFunc(c tls.Config, ca []Certificate) func(hello tls.ClientHelloInfo) (tls.Certificate, error) {`
fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`var access sync.RWMutex`

refine cert generation 2018-04-14 11:28:57 +00:00			`return func(hello tls.ClientHelloInfo) (tls.Certificate, error) {`
			`domain := hello.ServerName`
			`certExpired := false`
fix concurrent access to tls config 2018-07-13 22:21:58 +00:00
			`access.RLock()`
			`certificate, found := c.NameToCertificate[domain]`
			`access.RUnlock()`

			`if found {`
refine cert generation 2018-04-14 11:28:57 +00:00			`if !isCertificateExpired(certificate) {`
			`return certificate, nil`
			`}`
			`certExpired = true`
			`}`

			`if certExpired {`
			`newCerts := make([]tls.Certificate, 0, len(c.Certificates))`

fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`access.Lock()`
refine cert generation 2018-04-14 11:28:57 +00:00			`for _, certificate := range c.Certificates {`
Fix lint according to golangci-lint (#439) 2020-11-21 21:05:01 +00:00			`cert := certificate`
			`if !isCertificateExpired(&cert) {`
			`newCerts = append(newCerts, cert)`
refine cert generation 2018-04-14 11:28:57 +00:00			`}`
			`}`

			`c.Certificates = newCerts`
fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`access.Unlock()`
refine cert generation 2018-04-14 11:28:57 +00:00			`}`

			`var issuedCertificate *tls.Certificate`

			`// Create a new certificate from existing CA if possible`
			`for _, rawCert := range ca {`
			`if rawCert.Usage == Certificate_AUTHORITY_ISSUE {`
			`newCert, err := issueCertificate(rawCert, domain)`
			`if err != nil {`
			`newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()`
			`continue`
			`}`

fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`access.Lock()`
refine cert generation 2018-04-14 11:28:57 +00:00			`c.Certificates = append(c.Certificates, *newCert)`
			`issuedCertificate = &c.Certificates[len(c.Certificates)-1]`
fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`access.Unlock()`
refine cert generation 2018-04-14 11:28:57 +00:00			`break`
			`}`
			`}`

			`if issuedCertificate == nil {`
			`return nil, newError("failed to create a new certificate for ", domain)`
			`}`

fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`access.Lock()`
refine cert generation 2018-04-14 11:28:57 +00:00			`c.BuildNameToCertificate()`
fix concurrent access to tls config 2018-07-13 22:21:58 +00:00			`access.Unlock()`
refine cert generation 2018-04-14 11:28:57 +00:00
			`return issuedCertificate, nil`
			`}`
only try issuing new certificate when user provide custom CA 2018-04-14 11:12:50 +00:00			`}`

refine tls connection 2019-02-16 23:58:02 +00:00			`func (c *Config) IsExperiment8357() bool {`
fix server name parsing 2019-02-19 12:05:36 +00:00			`return strings.HasPrefix(c.ServerName, exp8357)`
			`}`

			`func (c *Config) parseServerName() string {`
			`if c.IsExperiment8357() {`
			`return c.ServerName[len(exp8357):]`
			`}`

			`return c.ServerName`
refine tls connection 2019-02-16 23:58:02 +00:00			`}`

verify peer cert function for better man in the middle prevention 2021-04-15 17:16:19 +00:00			`func (c Config) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]x509.Certificate) error {`
			`if c.PinnedPeerCertificateChainSha256 != nil {`
publish cert chain hash generation algorithm 2021-04-15 17:17:52 +00:00			`hashValue := GenerateCertChainHash(rawCerts)`
verify peer cert function for better man in the middle prevention 2021-04-15 17:16:19 +00:00			`for _, v := range c.PinnedPeerCertificateChainSha256 {`
			`if hmac.Equal(hashValue, v) {`
			`return nil`
			`}`
			`}`
added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb 2021-04-15 18:01:55 +00:00			`return newError("peer cert is unrecognized: ", base64.StdEncoding.EncodeToString(hashValue))`
verify peer cert function for better man in the middle prevention 2021-04-15 17:16:19 +00:00			`}`
			`return nil`
			`}`

comments 2018-04-17 21:33:39 +00:00			`// GetTLSConfig converts this Config into tls.Config.`
update tls config generation 2018-02-28 14:15:22 +00:00			`func (c Config) GetTLSConfig(opts ...Option) tls.Config {`
add support for not loading system roots. fixes #1513 2019-02-26 20:58:54 +00:00			`root, err := c.getCertPool()`
			`if err != nil {`
			`newError("failed to load system root certificate").AtError().Base(err).WriteToLog()`
			`}`

Refine code according to golangci-lint results 2020-10-11 11:22:46 +00:00			`if c == nil {`
			`return &tls.Config{`
			`ClientSessionCache: globalSessionCache,`
			`RootCAs: root,`
			`InsecureSkipVerify: false,`
			`NextProtos: nil,`
SessionTicketsDisabled: false -> true 2021-01-01 11:25:04 +00:00			`SessionTicketsDisabled: true,`
Refine code according to golangci-lint results 2020-10-11 11:22:46 +00:00			`}`
			`}`

protobuf for stream settings 2016-10-02 21:43:58 +00:00			`config := &tls.Config{`
offer an option to disable session resumption 2018-07-24 13:12:09 +00:00			`ClientSessionCache: globalSessionCache,`
add support for not loading system roots. fixes #1513 2019-02-26 20:58:54 +00:00			`RootCAs: root,`
Further strip unique signatures of tls handshake 1. allow users to disable session ticket 2. set default alpn to ["h2", "http/1.1"] 2020-05-31 09:35:21 +00:00			`InsecureSkipVerify: c.AllowInsecure,`
			`NextProtos: c.NextProtocol,`
Disable session resumption by default (#569) 2021-01-01 09:01:14 +00:00			`SessionTicketsDisabled: !c.EnableSessionResumption,`
verify peer cert function for better man in the middle prevention 2021-04-15 17:16:19 +00:00			`VerifyPeerCertificate: c.verifyPeerCert,`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`}`

update tls config generation 2018-02-28 14:15:22 +00:00			`for _, opt := range opts {`
			`opt(config)`
			`}`

fix #643 2017-10-26 09:43:02 +00:00			`config.Certificates = c.BuildCertificates()`
protobuf for stream settings 2016-10-02 21:43:58 +00:00			`config.BuildNameToCertificate()`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00
refine cert generation 2018-04-14 11:28:57 +00:00			`caCerts := c.getCustomCA()`
			`if len(caCerts) > 0 {`
			`config.GetCertificate = getGetCertificateFunc(config, caCerts)`
automatic issuing certificates from provided CA 2018-04-10 10:42:02 +00:00			`}`
only try issuing new certificate when user provide custom CA 2018-04-14 11:12:50 +00:00
fix server name parsing 2019-02-19 12:05:36 +00:00			`if sn := c.parseServerName(); len(sn) > 0 {`
			`config.ServerName = sn`
support server name override 2016-12-11 22:58:37 +00:00			`}`
fix server name parsing 2019-02-19 12:05:36 +00:00
h2 transport 2018-03-01 12:16:52 +00:00			`if len(config.NextProtos) == 0 {`
Further strip unique signatures of tls handshake 1. allow users to disable session ticket 2. set default alpn to ["h2", "http/1.1"] 2020-05-31 09:35:21 +00:00			`config.NextProtos = []string{"h2", "http/1.1"}`
h2 transport 2018-03-01 12:16:52 +00:00			`}`
protobuf for stream settings 2016-10-02 21:43:58 +00:00
			`return config`
			`}`
fix #643 2017-10-26 09:43:02 +00:00
comments 2018-04-17 21:33:39 +00:00			`// Option for building TLS config.`
update tls config generation 2018-02-28 14:15:22 +00:00			`type Option func(*tls.Config)`
simplify tls config 2017-12-16 23:53:17 +00:00
comments 2018-04-17 21:33:39 +00:00			`// WithDestination sets the server name in TLS config.`
simplify tls config 2017-12-16 23:53:17 +00:00			`func WithDestination(dest net.Destination) Option {`
update tls config generation 2018-02-28 14:15:22 +00:00			`return func(config *tls.Config) {`
Some code improvements * Rewrite empty string checks more idiomatically. * Change strings.ToLower comparisons to strings.EqualFold. * Rewrite switch statement with only one case as if. 2019-06-14 13:47:28 +00:00			`if dest.Address.Family().IsDomain() && config.ServerName == "" {`
simplify tls config 2017-12-16 23:53:17 +00:00			`config.ServerName = dest.Address.Domain()`
			`}`
			`}`
			`}`

comments 2018-04-17 21:33:39 +00:00			`// WithNextProto sets the ALPN values in TLS config.`
Use 'h2' for ALPN in TCP 2018-01-02 17:16:36 +00:00			`func WithNextProto(protocol ...string) Option {`
update tls config generation 2018-02-28 14:15:22 +00:00			`return func(config *tls.Config) {`
			`if len(config.NextProtos) == 0 {`
			`config.NextProtos = protocol`
Use 'h2' for ALPN in TCP 2018-01-02 17:16:36 +00:00			`}`
			`}`
			`}`

remove use of context.WithValue in transport 2018-11-21 13:54:40 +00:00			`// ConfigFromStreamSettings fetches Config from stream settings. Nil if not found.`
			`func ConfigFromStreamSettings(settings internet.MemoryStreamConfig) Config {`
			`if settings == nil {`
simplify tls config 2017-12-16 23:53:17 +00:00			`return nil`
			`}`
remove use of context.WithValue in transport 2018-11-21 13:54:40 +00:00			`config, ok := settings.SecuritySettings.(*Config)`
update tls config generation 2018-02-28 14:15:22 +00:00			`if !ok {`
			`return nil`
fix #643 2017-10-26 09:43:02 +00:00			`}`
update tls config generation 2018-02-28 14:15:22 +00:00			`return config`
fix #643 2017-10-26 09:43:02 +00:00			`}`