refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning

component/tls/config.go

@@ -6,63 +6,57 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
+	"errors"
 	"fmt"
+	"strings"
 	"sync"
-	"time"
+
+	CN "github.com/Dreamacro/clash/common/net"
 
 	xtls "github.com/xtls/go"
 )
 
-var globalFingerprints = make([][32]byte, 0)
-var mutex sync.Mutex
+var tlsCertificates = make([]tls.Certificate, 0)
 
-func verifyPeerCertificateAndFingerprints(fingerprints *[][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+var mutex sync.RWMutex
+var errNotMacth error = errors.New("certificate fingerprints do not match")
+
+func AddCertificate(privateKey, certificate string) error {
+	mutex.Lock()
+	defer mutex.Unlock()
+	if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
+		return err
+	} else {
+		tlsCertificates = append(tlsCertificates, cert)
+	}
+	return nil
+}
+
+func GetCertificates() []tls.Certificate {
+	mutex.RLock()
+	defer mutex.RUnlock()
+	return tlsCertificates
+}
+
+func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		if insecureSkipVerify {
-			return nil
-		}
-
-		var preErr error
+		// ssl pining
 		for i := range rawCerts {
 			rawCert := rawCerts[i]
 			cert, err := x509.ParseCertificate(rawCert)
 			if err == nil {
-				opts := x509.VerifyOptions{
-					CurrentTime: time.Now(),
-				}
-
-				if _, err := cert.Verify(opts); err == nil {
+				hash := sha256.Sum256(cert.Raw)
+				if bytes.Equal(fingerprint[:], hash[:]) {
 					return nil
-				} else {
-					fingerprint := sha256.Sum256(cert.Raw)
-					for _, fp := range *fingerprints {
-						if bytes.Equal(fingerprint[:], fp[:]) {
-							return nil
-						}
-					}
-
-					preErr = err
 				}
 			}
 		}
-
-		return preErr
+		return errNotMacth
 	}
 }
 
-func AddCertFingerprint(fingerprint string) error {
-	fpByte, err2 := convertFingerprint(fingerprint)
-	if err2 != nil {
-		return err2
-	}
-
-	mutex.Lock()
-	globalFingerprints = append(globalFingerprints, *fpByte)
-	mutex.Unlock()
-	return nil
-}
-
 func convertFingerprint(fingerprint string) (*[32]byte, error) {
+	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
 	fpByte, err := hex.DecodeString(fingerprint)
 	if err != nil {
 		return nil, err
@@ -75,7 +69,7 @@ func convertFingerprint(fingerprint string) (*[32]byte, error) {
 }
 
 func GetDefaultTLSConfig() *tls.Config {
-	return GetGlobalFingerprintTLSConfig(nil)
+	return GetGlobalTLSConfig(nil)
 }
 
 // GetSpecifiedFingerprintTLSConfig specified fingerprint
@@ -83,33 +77,20 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
-		if tlsConfig == nil {
-			return &tls.Config{
-				InsecureSkipVerify:    true,
-				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
-			}, nil
-		} else {
-			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
-			tlsConfig.InsecureSkipVerify = true
-			return tlsConfig, nil
-		}
+		tlsConfig = GetGlobalTLSConfig(tlsConfig)
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
+		tlsConfig.InsecureSkipVerify = true
+		return tlsConfig, nil
 	}
 }
 
-func GetGlobalFingerprintTLSConfig(tlsConfig *tls.Config) *tls.Config {
-	// If there's at least one fingerprint then we could skip the general check
-	// If there's no fingerprints but the config insists then we should skip.
-	// Otherwise we should do a general verification.
-	shouldSkipVerify := len(globalFingerprints) != 0 || tlsConfig != nil && tlsConfig.InsecureSkipVerify
+func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
 	if tlsConfig == nil {
 		return &tls.Config{
-			InsecureSkipVerify:    shouldSkipVerify,
-			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
+			Certificates: tlsCertificates,
 		}
 	}
-
-	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
-	tlsConfig.InsecureSkipVerify = shouldSkipVerify
+	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
 	return tlsConfig
 }
 
@@ -118,29 +99,37 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
-		if tlsConfig == nil {
-			return &xtls.Config{
-				InsecureSkipVerify:    true,
-				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
-			}, nil
-		} else {
-			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
+		tlsConfig=GetGlobalXTLSConfig(tlsConfig)
+			tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
 			tlsConfig.InsecureSkipVerify = true
 			return tlsConfig, nil
-		}
 	}
 }
 
-func GetGlobalFingerprintXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
-	shouldSkipVerify := len(globalFingerprints) != 0 || tlsConfig != nil && tlsConfig.InsecureSkipVerify
+func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
+	xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
+	for _, cert := range tlsCertificates {
+		tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
+		for _, ssa := range cert.SupportedSignatureAlgorithms {
+			tlsSsa := xtls.SignatureScheme(ssa)
+			tlsSsaList = append(tlsSsaList, tlsSsa)
+		}
+		xtlsCert := xtls.Certificate{
+			Certificate:                  cert.Certificate,
+			PrivateKey:                   cert.PrivateKey,
+			OCSPStaple:                   cert.OCSPStaple,
+			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
+			Leaf:                         cert.Leaf,
+			SupportedSignatureAlgorithms: tlsSsaList,
+		}
+		xtlsCerts = append(xtlsCerts, xtlsCert)
+	}
 	if tlsConfig == nil {
 		return &xtls.Config{
-			InsecureSkipVerify:    shouldSkipVerify,
-			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
+			Certificates: xtlsCerts,
 		}
 	}
 
-	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
-	tlsConfig.InsecureSkipVerify = shouldSkipVerify
+	tlsConfig.Certificates = xtlsCerts
 	return tlsConfig
 }