You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
v2ray-core/transport/internet/tls/config.go

166 lines
4.2 KiB

package tls
import (
"context"
"crypto/tls"
"time"
"v2ray.com/core/common/net"
"v2ray.com/core/common/protocol/tls/cert"
"v2ray.com/core/transport/internet"
)
var (
globalSessionCache = tls.NewLRUClientSessionCache(128)
)
// ParseCertificate converts a cert.Certificate to Certificate.
func ParseCertificate(c *cert.Certificate) *Certificate {
certPEM, keyPEM := c.ToPEM()
return &Certificate{
Certificate: certPEM,
Key: keyPEM,
}
}
7 years ago
func (c *Config) BuildCertificates() []tls.Certificate {
certs := make([]tls.Certificate, 0, len(c.Certificate))
for _, entry := range c.Certificate {
if entry.Usage != Certificate_ENCIPHERMENT {
continue
}
keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)
if err != nil {
newError("ignoring invalid X509 key pair").Base(err).AtWarning().WriteToLog()
continue
}
certs = append(certs, keyPair)
}
return certs
}
func isCertificateExpired(c *tls.Certificate) bool {
// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.
return c.Leaf != nil && c.Leaf.NotAfter.After(time.Now().Add(-time.Minute))
}
func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) {
parent, err := cert.ParseCertificate(rawCA.Certificate, rawCA.Key)
if err != nil {
return nil, newError("failed to parse raw certificate").Base(err)
}
newCert, err := cert.Generate(parent, cert.CommonName(domain), cert.DNSNames(domain))
if err != nil {
return nil, newError("failed to generate new certificate for ", domain).Base(err)
}
newCertPEM, newKeyPEM := newCert.ToPEM()
cert, err := tls.X509KeyPair(newCertPEM, newKeyPEM)
return &cert, err
}
func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
config := &tls.Config{
ClientSessionCache: globalSessionCache,
RootCAs: c.GetCertPool(),
}
7 years ago
if c == nil {
return config
}
for _, opt := range opts {
opt(config)
}
7 years ago
config.InsecureSkipVerify = c.AllowInsecure
config.Certificates = c.BuildCertificates()
config.BuildNameToCertificate()
config.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
domain := hello.ServerName
certExpired := false
if certificate, found := config.NameToCertificate[domain]; found {
if !isCertificateExpired(certificate) {
return certificate, nil
}
certExpired = true
}
if certExpired {
newCerts := make([]tls.Certificate, 0, len(config.Certificates))
for _, certificate := range config.Certificates {
if !isCertificateExpired(&certificate) {
newCerts = append(newCerts, certificate)
}
}
config.Certificates = newCerts
}
var issuedCertificate *tls.Certificate
// Create a new certificate from existing CA if possible
for _, rawCert := range c.Certificate {
if rawCert.Usage == Certificate_AUTHORITY_ISSUE {
newCert, err := issueCertificate(rawCert, domain)
if err != nil {
newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
continue
}
config.Certificates = append(config.Certificates, *newCert)
issuedCertificate = &config.Certificates[len(config.Certificates)-1]
break
}
}
if issuedCertificate == nil {
return nil, newError("failed to create a new certificate for ", domain)
}
config.BuildNameToCertificate()
return issuedCertificate, nil
}
7 years ago
if len(c.ServerName) > 0 {
config.ServerName = c.ServerName
}
if len(c.NextProtocol) > 0 {
config.NextProtos = c.NextProtocol
}
7 years ago
if len(config.NextProtos) == 0 {
config.NextProtos = []string{"http/1.1"}
}
return config
}
7 years ago
type Option func(*tls.Config)
func WithDestination(dest net.Destination) Option {
return func(config *tls.Config) {
if dest.Address.Family().IsDomain() && len(config.ServerName) == 0 {
config.ServerName = dest.Address.Domain()
}
}
}
func WithNextProto(protocol ...string) Option {
return func(config *tls.Config) {
if len(config.NextProtos) == 0 {
config.NextProtos = protocol
}
}
}
func ConfigFromContext(ctx context.Context) *Config {
securitySettings := internet.SecuritySettingsFromContext(ctx)
if securitySettings == nil {
return nil
}
config, ok := securitySettings.(*Config)
if !ok {
return nil
7 years ago
}
return config
7 years ago
}