tls,wss,trojan: support certificate pinning (#275)

2025-02-23 01:15:41 +08:00 · 2021-08-20 18:47:15 +08:00 · 2021-08-20 18:47:15 +08:00 · c86cadb4be
commit c86cadb4be
parent 5578b19f61
9 changed files with 63 additions and 18 deletions
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -1,4 +1,4 @@
-name: 'Close stale issues and PRs'
+name: 'Close stale issues'
 on:
  schedule:
    - cron: '30 1 * * *'
@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v3
+      - uses: actions/stale@v4
        with:
          stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
          days-before-stale: 90
--- a/README.md
+++ b/README.md
@ -215,7 +215,7 @@ VLESS scheme:
  vless://uuid@host:port[?fallback=127.0.0.1:80]

 Trojan client scheme:
-  trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true]
+  trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH]
  trojanc://pass@host:port     (cleartext, without TLS)

 Trojan server scheme:
@ -226,7 +226,7 @@ Available securities for vmess:
  none, aes-128-gcm, chacha20-poly1305

 TLS client scheme:
-  tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&alpn=proto1][&alpn=proto2]
+  tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&alpn=proto1][&alpn=proto2]

 Proxy over tls client:
  tls://host:port[?skipVerify=true][&serverName=SERVERNAME],scheme://
@ -245,7 +245,7 @@ Proxy over tls server:

 Websocket client scheme:
  ws://host:port[/path][?host=HOST][&origin=ORIGIN]
-  wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&host=HOST][&origin=ORIGIN]
+  wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&host=HOST][&origin=ORIGIN]

 Websocket server scheme:
  ws://:port[/path][?host=HOST]
--- a/config.go
+++ b/config.go
@ -190,7 +190,7 @@ func usage() {
 	fmt.Fprintf(w, "\n")

 	fmt.Fprintf(w, "Trojan client scheme:\n")
-	fmt.Fprintf(w, "  trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true]\n")
+	fmt.Fprintf(w, "  trojan://pass@host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH]\n")
 	fmt.Fprintf(w, "  trojanc://pass@host:port     (cleartext, without TLS)\n")
 	fmt.Fprintf(w, "\n")

@ -204,7 +204,7 @@ func usage() {
 	fmt.Fprintf(w, "\n")

 	fmt.Fprintf(w, "TLS client scheme:\n")
-	fmt.Fprintf(w, "  tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&alpn=proto1][&alpn=proto2]\n")
+	fmt.Fprintf(w, "  tls://host:port[?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&alpn=proto1][&alpn=proto2]\n")
 	fmt.Fprintf(w, "\n")

 	fmt.Fprintf(w, "Proxy over tls client:\n")
@ -227,7 +227,7 @@ func usage() {

 	fmt.Fprintf(w, "Websocket client scheme:\n")
 	fmt.Fprintf(w, "  ws://host:port[/path][?host=HOST][&origin=ORIGIN]\n")
-	fmt.Fprintf(w, "  wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&host=HOST][&origin=ORIGIN]\n")
+	fmt.Fprintf(w, "  wss://host:port[/path][?serverName=SERVERNAME][&skipVerify=true][&cert=PATH][&host=HOST][&origin=ORIGIN]\n")
 	fmt.Fprintf(w, "\n")

 	fmt.Fprintf(w, "Websocket server scheme:\n")
--- a/go.mod
+++ b/go.mod
@ -7,12 +7,12 @@ require (
 	github.com/dgryski/go-camellia v0.0.0-20191119043421-69a8a13fb23d
 	github.com/dgryski/go-idea v0.0.0-20170306091226-d2fb45a411fb
 	github.com/dgryski/go-rc2 v0.0.0-20150621095337-8a9021637152
-	github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e
+	github.com/insomniacslk/dhcp v0.0.0-20210817203519-d82598001386
 	github.com/nadoo/conflag v0.2.3
 	github.com/nadoo/ipset v0.3.0
 	github.com/xtaci/kcp-go/v5 v5.6.1
-	golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e
-	golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	golang.org/x/sys v0.0.0-20210818153620-00dd8d7831e7
 )

 require (
--- a/go.sum
+++ b/go.sum
@ -39,8 +39,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714 h1:/jC7qQFrv8CrSJVmaolDVOxTfS9kc36uB6H40kdbQq8=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
-github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e h1:ttrVy1tKtnMySMy7pbVtMQSweHyLLQuLCcRj4lbGCBQ=
-github.com/insomniacslk/dhcp v0.0.0-20210813103503-c143d771146e/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
+github.com/insomniacslk/dhcp v0.0.0-20210817203519-d82598001386 h1:tVT6eeQjYk8cStFUlU7vfFpwUrzRHhC48VUhb2gbF9M=
+github.com/insomniacslk/dhcp v0.0.0-20210817203519-d82598001386/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
 github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
@ -104,8 +104,8 @@ golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e h1:VvfwVmMH40bpMeizC9/K7ipM5Qjucuu16RWfneFPyhQ=
-golang.org/x/crypto v0.0.0-20210813211128-0a44fdfbc16e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@ -156,8 +156,8 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912 h1:uCLL3g5wH2xjxVREVuAbP9JM5PPKjRbXKRa6IBjkzmU=
-golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210818153620-00dd8d7831e7 h1:/bmDWM82ZX7TawqxuI8kVjKI0TXHdSY6pHJArewwHtU=
+golang.org/x/sys v0.0.0-20210818153620-00dd8d7831e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
--- a/proxy/tls/tls.go
+++ b/proxy/tls/tls.go
@ -2,9 +2,12 @@ package tls

 import (
 	stdtls "crypto/tls"
+	"crypto/x509"
 	"errors"
+	"fmt"
 	"net"
 	"net/url"
+	"os"
 	"strings"

 	"github.com/nadoo/glider/log"
@ -80,6 +83,19 @@ func NewTLSDialer(s string, d proxy.Dialer) (proxy.Dialer, error) {
 		MinVersion:         stdtls.VersionTLS12,
 	}

+	if t.certFile != "" {
+		certData, err := os.ReadFile(t.certFile)
+		if err != nil {
+			return nil, fmt.Errorf("[tls] read cert file error: %s", err)
+		}
+
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certData) {
+			return nil, fmt.Errorf("[tls] can not append cert file: %s", t.certFile)
+		}
+		t.config.RootCAs = certPool
+	}
+
 	return t, err
 }

--- a/proxy/trojan/client.go
+++ b/proxy/trojan/client.go
@ -2,8 +2,10 @@ package trojan

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
+	"os"

 	"github.com/nadoo/glider/log"
 	"github.com/nadoo/glider/pool"
@ -34,6 +36,19 @@ func NewTrojanDialer(s string, d proxy.Dialer) (proxy.Dialer, error) {
 		MinVersion:         tls.VersionTLS12,
 	}

+	if t.certFile != "" {
+		certData, err := os.ReadFile(t.certFile)
+		if err != nil {
+			return nil, fmt.Errorf("[trojan] read cert file error: %s", err)
+		}
+
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certData) {
+			return nil, fmt.Errorf("[trojan] can not append cert file: %s", t.certFile)
+		}
+		t.tlsConfig.RootCAs = certPool
+	}
+
 	return t, err
 }

--- a/proxy/vmess/user.go
+++ b/proxy/vmess/user.go
@ -73,7 +73,6 @@ func StrToUUID(s string) (uuid [16]byte, err error) {
 	return
 }

-
 // GetKey returns the key of AES-128-CFB encrypter.
 // Key：MD5(UUID + []byte('c48619fe-8f02-49e0-b9e9-edf763e17e21'))
 func GetKey(uuid [16]byte) []byte {
--- a/proxy/ws/client.go
+++ b/proxy/ws/client.go
@ -2,11 +2,13 @@ package ws

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/textproto"
+	"os"

 	"github.com/nadoo/glider/pool"
 	"github.com/nadoo/glider/proxy"
@ -34,6 +36,19 @@ func NewWSSDialer(s string, d proxy.Dialer) (proxy.Dialer, error) {
 		MinVersion:         tls.VersionTLS12,
 	}

+	if w.certFile != "" {
+		certData, err := os.ReadFile(w.certFile)
+		if err != nil {
+			return nil, fmt.Errorf("[wss] read cert file error: %s", err)
+		}
+
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certData) {
+			return nil, fmt.Errorf("[wss] can not append cert file: %s", w.certFile)
+		}
+		w.tlsConfig.RootCAs = certPool
+	}
+
 	return w, err
 }