Home Explore Help
Register Sign In
Apq
/
sing-box
mirror of https://github.com/SagerNet/sing-box.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: c7fabe40ed
Branches Tags
sing-box
/
common
/
dialer
/
tls.go

tls.go 2.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. package dialer
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"crypto/tls"
    6. 

  6. 	"crypto/x509"
    7. 

  7. 	"net"
    8. 

  8. 	"net/netip"
    9. 

  9. 	"os"
    10. 

  10. 

  11. 	C "github.com/sagernet/sing-box/constant"
    12. 

  12. 	"github.com/sagernet/sing-box/option"
    13. 

  13. 	E "github.com/sagernet/sing/common/exceptions"
    14. 

  14. 	M "github.com/sagernet/sing/common/metadata"
    15. 

  15. 	N "github.com/sagernet/sing/common/network"
    16. 

  16. )
    17. 

  17. 

  18. type TLSDialer struct {
    19. 

  19. 	dialer N.Dialer
    20. 

  20. 	config *tls.Config
    21. 

  21. }
    22. 

  22. 

  23. func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
    24. 

  24. 	if !options.Enabled {
    25. 

  25. 		return dialer, nil
    26. 

  26. 	}
    27. 

  27. 

  28. 	var serverName string
    29. 

  29. 	if options.ServerName != "" {
    30. 

  30. 		serverName = options.ServerName
    31. 

  31. 	} else if serverAddress != "" {
    32. 

  32. 		if _, err := netip.ParseAddr(serverName); err != nil {
    33. 

  33. 			serverName = serverAddress
    34. 

  34. 		}
    35. 

  35. 	}
    36. 

  36. 	if serverName == "" && options.Insecure {
    37. 

  37. 		return nil, E.New("missing server_name or insecure=true")
    38. 

  38. 	}
    39. 

  39. 

  40. 	var tlsConfig tls.Config
    41. 

  41. 	if options.DisableSNI {
    42. 

  42. 		tlsConfig.ServerName = "127.0.0.1"
    43. 

  43. 	} else {
    44. 

  44. 		tlsConfig.ServerName = serverName
    45. 

  45. 	}
    46. 

  46. 	if options.Insecure {
    47. 

  47. 		tlsConfig.InsecureSkipVerify = options.Insecure
    48. 

  48. 	} else if options.DisableSNI {
    49. 

  49. 		tlsConfig.InsecureSkipVerify = true
    50. 

  50. 		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
    51. 

  51. 			verifyOptions := x509.VerifyOptions{
    52. 

  52. 				DNSName:       serverName,
    53. 

  53. 				Intermediates: x509.NewCertPool(),
    54. 

  54. 			}
    55. 

  55. 			for _, cert := range state.PeerCertificates[1:] {
    56. 

  56. 				verifyOptions.Intermediates.AddCert(cert)
    57. 

  57. 			}
    58. 

  58. 			_, err := state.PeerCertificates[0].Verify(verifyOptions)
    59. 

  59. 			return err
    60. 

  60. 		}
    61. 

  61. 	}
    62. 

  62. 

  63. 	return &TLSDialer{
    64. 

  64. 		dialer: dialer,
    65. 

  65. 		config: &tlsConfig,
    66. 

  66. 	}, nil
    67. 

  67. }
    68. 

  68. 

  69. func (d *TLSDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
    70. 

  70. 	if network != C.NetworkTCP {
    71. 

  71. 		return nil, os.ErrInvalid
    72. 

  72. 	}
    73. 

  73. 	conn, err := d.dialer.DialContext(ctx, network, destination)
    74. 

  74. 	if err != nil {
    75. 

  75. 		return nil, err
    76. 

  76. 	}
    77. 

  77. 	tlsConn := tls.Client(conn, d.config)
    78. 

  78. 	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTCPTimeout)
    79. 

  79. 	defer cancel()
    80. 

  80. 	err = tlsConn.HandshakeContext(ctx)
    81. 

  81. 	return tlsConn, err
    82. 

  82. }
    83. 

  83. 

  84. func (d *TLSDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
    85. 

  85. 	return nil, os.ErrInvalid
    86. 

  86. }
    87.