package/v2ray_simple
1
0
Fork 0
mirror of https://github.com/e1732a364fed/v2ray_simple.git synced 2025-12-24 13:27:56 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
v1.2.5-alpha.2
v2ray_simple/tlsLayer/cert.go
e1732a364fed 30ddc4aa8c 为rejectUnknownSni添加防纯ip访问时的情况;修复tls嗅探中的一个bug: 
纯ip访问tls时,golang的tls包的默认行为是直接通过,而我们要完全拒绝。
在这里做的是包外嗅探过滤。

正好又发现了针对包外过滤的一个bug。在嗅探代码中,原来的代码是,遇到
能解析出tls版本的extension后就马上退出,而这种退出忘记考虑嗅探sni了,
所以不再退出即可。而且又发现一个bug,cursor的移动计算错误,不应该是
++,而是 +=2.
2022-12-14 22:31:40 +08:00

209 lines
5.2 KiB
Go
Raw Permalink Blame History

package tlsLayer
import (
"errors"
mathrand "math/rand"
"strings"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"os"
"time"
"github.com/biter777/countries"
"github.com/e1732a364fed/v2ray_simple/utils"
"go.uber.org/zap"
)
var ErrCAFileWrong = errors.New("ca file is somehow wrong")
type CertConf struct {
CA string
CertFile, KeyFile string
}
func LoadCA(caFile string) (cp *x509.CertPool, err error) {
if caFile == "" {
err = utils.ErrNilParameter
return
}
cp = x509.NewCertPool()
data, err := os.ReadFile(caFile)
if err != nil {
return nil, err
}
if !cp.AppendCertsFromPEM(data) {
return nil, ErrCAFileWrong
}
return
}
// 使用 ecc p256 方式生成证书
func GenerateRandomeCert_Key() (certPEM []byte, keyPEM []byte) {
//可参考 https://blog.ideawand.com/2017/11/22/build-certificate-that-support-Subject-Alternative-Name-SAN/
clist := countries.All()
country := clist[mathrand.Intn(len(clist))]
companyName := utils.GetRandomWord()
subject := pkix.Name{
Country: []string{country.Alpha2()},
Province: []string{country.Capital().String()},
Organization: []string{companyName},
OrganizationalUnit: []string{""},
CommonName: "www." + companyName + ".com",
}
max := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, _ := rand.Int(rand.Reader, max)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now(),
NotAfter: time.Now().Add(365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
//IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
}
rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
panic(err)
}
b, err := x509.MarshalECPrivateKey(rootKey)
if err != nil {
panic(err)
}
keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &rootKey.PublicKey, rootKey)
if err != nil {
panic(err)
}
certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
if ce := utils.CanLogInfo("Generate random cert with"); ce != nil {
ce.Write(zap.String("country", country.Info().Name), zap.String("company", companyName), zap.String("sni", template.Subject.CommonName))
}
return
/*
//rsa
pk, _ := rsa.GenerateKey(rand.Reader, 2048)
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(pk)})
*/
}
// 会调用 GenerateRandomeCert_Key 来生成证书,并生成包含该证书的 []tls.Certificate
func GenerateRandomTLSCert() []tls.Certificate {
tlsCert, err := tls.X509KeyPair(GenerateRandomeCert_Key())
if err != nil {
panic(err)
}
return []tls.Certificate{tlsCert}
}
// 会调用 GenerateRandomeCert_Key 来生成证书,并输出到文件
func GenerateRandomCertKeyFiles(cfn, kfn string) error {
cb, kb := GenerateRandomeCert_Key()
certOut, err := os.Create(cfn)
if err != nil {
return err
}
certOut.Write(cb)
kOut, err := os.Create(kfn)
if err != nil {
return err
}
kOut.Write(kb)
certOut.Close()
kOut.Close()
return nil
}
// 若 certFile, keyFile 有一项没给出,则会自动生成随机证书
func GetCertArrayFromFile(certFile, keyFile string) (certArray []tls.Certificate, err error) {
if certFile != "" && keyFile != "" {
cert, err := tls.LoadX509KeyPair(utils.GetFilePath(certFile), utils.GetFilePath(keyFile))
if err != nil {
if ce := utils.CanLogErr("Failed in GetCertArrayFromFile reading cert and key files, will use generated random cert in memory"); ce != nil {
ce.Write(zap.Error(err))
}
certArray = GenerateRandomTLSCert()
err = nil
} else {
certArray = []tls.Certificate{cert}
}
} else {
if ce := utils.CanLogDebug("GetCertArrayFromFile generating random cert in memory"); ce != nil {
ce.Write()
}
certArray = GenerateRandomTLSCert()
}
return
}
func rejectUnknownGetCertificateFunc(certs []*tls.Certificate) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
if len(certs) == 0 {
return nil, utils.ErrInErr{ErrDesc: "len(certs) == 0", ErrDetail: utils.ErrInvalidData}
}
if hello == nil {
return nil, utils.ErrInErr{ErrDesc: "hello==nil", ErrDetail: utils.ErrInvalidData}
}
sni := strings.ToLower(hello.ServerName)
gsni := "*"
if index := strings.IndexByte(sni, '.'); index != -1 {
gsni += sni[index:]
}
for _, cert := range certs {
if cert.Leaf == nil {
var e error
cert.Leaf, e = x509.ParseCertificate(cert.Certificate[0])
if e != nil {
return nil, utils.ErrInErr{ErrDesc: "rejectUnknown: x509.ParseCertificate failed ", ErrDetail: e}
}
}
if cert.Leaf.Subject.CommonName == sni || cert.Leaf.Subject.CommonName == gsni {
return cert, nil
}
for _, name := range cert.Leaf.DNSNames {
if name == sni || name == gsni {
return cert, nil
}
}
}
return nil, utils.ErrInErr{ErrDesc: "rejectUnknownSNI", ErrDetail: utils.ErrInvalidData, Data: sni}
}
}
Reference in New Issue View Git Blame Copy Permalink