Merge pull request #1885 from zxlhhyccc/tuic

luci-app-ssr-plus: remove allowInsecure in xray 26.1.31 or later.

luci-app-ssr-plus/luasrc/model/cbi/shadowsocksr/client-config.lua

@@ -12,6 +12,7 @@ local m, s, o
 
 local sid = arg[1]
 local uuid = luci.sys.exec("cat /proc/sys/kernel/random/uuid")
+local xray_version = nil
 
 -- 确保正确判断程序是否存在
 local function is_finded(e)
@@ -22,6 +23,14 @@ local function is_installed(e)
 	return luci.model.ipkg.installed(e)
 end
 
+-- 获取 Xray 版本号
+if is_finded("xray") then
+    local version = luci.sys.exec("xray version 2>&1")
+    if version and version ~= "" then
+        xray_version = version:match("Xray%s+([%d%.]+)")
+    end
+end
+
 -- 默认的保存并应用行为
 local function apply_redirect(m)
     local tmp_uci_file = "/etc/config/" .. "shadowsocksr" .. "_redirect"
@@ -1266,17 +1275,43 @@ o:depends("tuic_dual_stack", true)
 -- [[ allowInsecure ]]--
 o = s:option(Flag, "insecure", translate("allowInsecure"))
 o.rmempty = false
-o:depends("tls", true)
 o:depends("type", "hysteria2")
+o:depends("type", "trojan")
 o:depends("type", "tuic")
-o:depends({type = "v2ray", v2ray_protocol = "vless", reality = true})
 o.description = translate("If true, allowss insecure connection at TLS client, e.g., TLS server uses unverifiable certificates.")
+-- Xray 的26.1.31 以下版本使用
+if xray_version and xray_version ~= "" then
+	-- 提取所有数字部分，允许版本号有1到3个部分，不足部分补0
+	local major, minor, patch =
+		xray_version:match("(%d+)%.?(%d*)%.?(%d*)")
+	-- 将字符串转换为数字，空字符串转为0
+	major = tonumber(major) or 0
+	minor = tonumber(minor) or 0
+	patch = tonumber(patch) or 0
+	-- 如果版本低于 26.1.31
+	if (major * 10000 + minor * 100 + patch) < 260131 then
+		o:depends("tls", true)
+		o:depends({ type = "v2ray", v2ray_protocol = "vless", reality = true })
+	end
+end
 
 -- [[ Hysteria2 TLS pinSHA256 ]] --
 o = s:option(Value, "pinsha256", translate("Certificate fingerprint"))
 o:depends("type", "hysteria2")
 o.rmempty = true
 
+-- [[ Xray TLS pinSHA256 ]] --
+o = s:option(Value, "chain_fingerprint", translate("TLS Chain Fingerprint (SHA256)"), translate("Once set, connects only when the server’s chain fingerprint matches."))
+o.rmempty = true
+o:depends({type = "v2ray", tls = true})
+o:depends({type = "v2ray", reality = true})
+
+-- [[ Xray TLS verify leaf certificate name ]] --
+o = s:option(Value, "verify_name", translate("TLS Certificate Name (CertName)"), translate("TLS is used to verify the leaf certificate name."))
+o.rmempty = true
+o:depends({type = "v2ray", tls = true})
+o:depends({type = "v2ray", reality = true})
+
 -- [[ Mux.Cool ]] --
 o = s:option(Flag, "mux", translate("Mux"), translate("Enable Mux.Cool"))
 o.rmempty = false

luci-app-ssr-plus/luasrc/view/shadowsocksr/ssrurl.htm

@@ -122,7 +122,6 @@ function import_ssr_url(btn, urlname, sid) {
 
 				document.getElementsByName('cbid.shadowsocksr.' + sid + '.transport_protocol')[0].value = params.get("protocol") || "udp";
 				}
-
 				if (params.get("pinSHA256")) {
 					document.getElementsByName('cbid.shadowsocksr.' + sid + '.pinsha256')[0].value = params.get("pinSHA256") || "";
 				}
@@ -131,6 +130,13 @@ function import_ssr_url(btn, urlname, sid) {
 				document.getElementsByName('cbid.shadowsocksr.' + sid + '.type')[0].dispatchEvent(event);
 				document.getElementsByName('cbid.shadowsocksr.' + sid + '.v2ray_protocol')[0].value = (ssu[0] === "hy2") ? "hysteria2" : ssu[0];
 				document.getElementsByName('cbid.shadowsocksr.' + sid + '.v2ray_protocol')[0].dispatchEvent(event);
+
+				if (params.get("pcs")) {
+					document.getElementsByName('cbid.shadowsocksr.' + sid + '.chain_fingerprint')[0].value = params.get("pcs") || "";
+				}
+				if (params.get("vcn")) {
+					document.getElementsByName('cbid.shadowsocksr.' + sid + '.verify_name')[0].value = params.get("vcn") || "";
+				}
 			}
 			document.getElementsByName('cbid.shadowsocksr.' + sid + '.server')[0].value = url.hostname;
 			document.getElementsByName('cbid.shadowsocksr.' + sid + '.server_port')[0].value = url.port || "443";
@@ -167,10 +173,10 @@ function import_ssr_url(btn, urlname, sid) {
 					document.getElementsByName('cbid.shadowsocksr.' + sid + '.tls_alpn')[0].value = params.get("alpn") || "";
 				}
 			}
-			if (params.get("insecure") === "1") { 
-				document.getElementsByName('cbid.shadowsocksr.' + sid + '.insecure')[0].checked = true;
-				document.getElementsByName('cbid.shadowsocksr.' + sid + '.insecure')[0].dispatchEvent(event);
-			}
+			document.getElementsByName('cbid.shadowsocksr.' + sid + '.insecure')[0].checked =
+				!!(params.get("insecure") ?? params.get("allowInsecure")); // 设置 insecure 为 true
+			document.getElementsByName('cbid.shadowsocksr.' + sid + '.insecure')[0].dispatchEvent(event); // 触发事件
+
 			document.getElementsByName('cbid.shadowsocksr.' + sid + '.alias')[0].value = url.hash ? decodeURIComponent(url.hash.slice(1)) : "";
 
 			s.innerHTML = "<font style=\'color:green\'><%:Import configuration information successfully.%></font>";
@@ -398,6 +404,12 @@ function import_ssr_url(btn, urlname, sid) {
 							setElementValue('cbid.shadowsocksr.' + sid + '.reality_mldsa65verify', params.pqv || "");
 						}
 					}
+					if (params.pcs && params.pcs.trim() !== "") {
+						setElementValue('cbid.shadowsocksr.' + sid + '.chain_fingerprint', params.pcs);
+					}
+					if (params.vcn && params.vcn.trim() !== "") {
+						setElementValue('cbid.shadowsocksr.' + sid + '.verify_name', params.vcn);
+					}
 					setElementValue('cbid.shadowsocksr.' + sid + '.tls_flow', params.flow || "none");
 					dispatchEventIfExists('cbid.shadowsocksr.' + sid + '.tls_flow', event);
 
@@ -557,6 +569,12 @@ function import_ssr_url(btn, urlname, sid) {
 				if (params.get("security") === "tls") {
 					document.getElementsByName('cbid.shadowsocksr.' + sid + '.tls_alpn')[0].value = params.get("alpn") || "";
 					document.getElementsByName('cbid.shadowsocksr.' + sid + '.fingerprint')[0].value = params.get("fp") || "";
+					if (params.get("pcs") && params.get("pcs").trim() !== "") {
+						document.getElementsByName('cbid.shadowsocksr.' + sid + '.chain_fingerprint')[0].value = params.get("pcs");
+					}
+					if (params.get("vcn") && params.get("vcn").trim() !== "") {
+						document.getElementsByName('cbid.shadowsocksr.' + sid + '.verify_name')[0].value = params.get("vcn");
+					}
 				}
 				switch (params.get("type")) {
 				case "ws":
@@ -692,6 +710,12 @@ function import_ssr_url(btn, urlname, sid) {
 					document.getElementsByName('cbid.shadowsocksr.' + sid + '.enable_ech')[0].dispatchEvent(event); // 触发事件
 					document.getElementsByName('cbid.shadowsocksr.' + sid + '.ech_config')[0].value = ssm.ech;
 				}
+				if (params.pcs && params.pcs.trim() !== "") {
+					document.getElementsByName('cbid.shadowsocksr.' + sid + '.chain_fingerprint')[0].value = ssm.pcs;
+				}
+				if (params.vcn && params.vcn.trim() !== "") {
+					document.getElementsByName('cbid.shadowsocksr.' + sid + '.verify_name')[0].value = ssm.vcn;
+				}
 				document.getElementsByName('cbid.shadowsocksr.' + sid + '.insecure')[0].checked =
 					!!(ssm.allowInsecure ?? ssm.allowlnsecure ?? ssm['skip-cert-verify']); // 设置 insecure 为 true
 				document.getElementsByName('cbid.shadowsocksr.' + sid + '.insecure')[0].dispatchEvent(event); // 触发事件
@@ -776,6 +800,12 @@ function import_ssr_url(btn, urlname, sid) {
 						setElementValue('cbid.shadowsocksr.' + sid + '.reality_mldsa65verify', params.get("pqv") || "");
 					}
 				}
+				if (params.get("pcs") && params.get("pcs").trim() !== "") {
+					setElementValue('cbid.shadowsocksr.' + sid + '.chain_fingerprint', params.get("pcs"));
+				}
+				if (params.get("vcn") && params.get("vcn").trim() !== "") {
+					setElementValue('cbid.shadowsocksr.' + sid + '.verify_name', params.get("vcn"));
+				}
 
 				setElementValue('cbid.shadowsocksr.' + sid + '.tls_alpn', params.get("alpn") || "");
 				setElementValue('cbid.shadowsocksr.' + sid + '.fingerprint', params.get("fp") || "");

luci-app-ssr-plus/root/usr/share/shadowsocksr/gen_config.lua

@@ -1,5 +1,6 @@
 #!/usr/bin/lua
 
+require "luci.sys"
 local ucursor = require "luci.model.uci".cursor()
 local json = require "luci.jsonc"
 
@@ -16,10 +17,24 @@ local socks_server = ucursor:get_all("shadowsocksr", "@socks5_proxy[0]") or {}
 local xray_fragment = ucursor:get_all("shadowsocksr", "@global_xray_fragment[0]") or {}
 local xray_noise = ucursor:get_all("shadowsocksr", "@xray_noise_packets[0]") or {}
 local outbound_settings = nil
+local xray_version = nil
 
 local node_id = server_section
 local remarks = server.alias or ""
 
+-- 确保正确判断程序是否存在
+local function is_finded(e)
+	return luci.sys.exec(string.format('type -t -p "%s" 2>/dev/null', e)) ~= ""
+end
+
+-- 获取 Xray 版本号
+if is_finded("xray") then
+	local version = luci.sys.exec("xray version 2>&1")
+	if version and version ~= "" then
+		xray_version = version:match("Xray%s+([%d%.]+)")
+	end
+end
+
 function vmess_vless()
 	outbound_settings = {
 		vnext = {
@@ -238,12 +253,29 @@ end
 						end
 					end)() or nil,
 					fingerprint = server.fingerprint,
-					allowInsecure = (server.insecure == "1" or server.insecure == true or server.insecure == "true"),
+					allowInsecure = (function()
+						if xray_version and xray_version ~= "" then
+							-- 提取所有数字部分，允许版本号有1到3个部分，不足部分补0
+							local major, minor, patch =
+								xray_version:match("(%d+)%.?(%d*)%.?(%d*)")
+							-- 将字符串转换为数字，空字符串转为0
+							major = tonumber(major) or 0
+							minor = tonumber(minor) or 0
+							patch = tonumber(patch) or 0
+							-- 如果版本低于 26.1.31
+							if (major * 10000 + minor * 100 + patch) < 260131 then
+								return (server.insecure == "1" or server.insecure == true or server.insecure == "true")
+							end
+						end
+						return nil
+					end)(),
 					serverName = server.tls_host,
 					certificates = server.certificate and {
 						usage = "verify",
 						certificateFile = server.certpath
 					} or nil,
+					pinnedPeerCertSha256 = server.chain_fingerprint or nil,
+					verifyPeerCertByName = server.verify_name or nil,
 					echConfigList = (server.enable_ech == "1") and server.ech_config or nil,
 					echForceQuery = (server.enable_ech == "1") and (server.ech_ForceQuery or "none") or nil
 				} or nil,

luci-app-ssr-plus/root/usr/share/shadowsocksr/subscribe.lua

@@ -230,6 +230,12 @@ local function processData(szType, content)
 			end
 		else
 			result.v2ray_protocol = has_xray_hy2_type
+			if params.pcs then
+				result.chain_fingerprint = params.pcs
+			end
+			if params.vcn then
+				result.verify_name = params.vcn
+			end
 		end
 
 		result.alias = url.fragment and UrlDecode(url.fragment) or nil
@@ -428,6 +434,12 @@ local function processData(szType, content)
 					result.insecure = "1"
 				end
 			end
+			if info.pcs and info.pcs ~= "" then
+				result.chain_fingerprint = info.pcs
+			end
+			if info.vcn and info.vcn ~= "" then
+				result.verify_name = info.vcn
+			end
 		else
 			result.tls = "0"
 		end
@@ -633,6 +645,12 @@ local function processData(szType, content)
 				end
 				result.tls_alpn = params.alpn
 			end
+			if params.pcs and params.pcs ~= "" then
+				result.chain_fingerprint = params.pcs
+			end
+			if params.vcn and params.vcn ~= "" then
+				result.verify_name = params.vcn
+			end
 			result.tls_host = params.sni
 			result.tls_flow = (params.security == "tls" or params.security == "reality") and params.flow or nil
 			result.fingerprint = params.fp
@@ -834,6 +852,12 @@ local function processData(szType, content)
 				if result.transport == "splithttp" then
 					result.transport = "xhttp"
 				end
+				if params.pcs and params.pcs ~= "" then
+					result.chain_fingerprint = params.pcs
+				end
+				if params.vcn and params.vcn ~= "" then
+					result.verify_name = params.vcn
+				end
 				if result.transport == "ws" then
 					result.ws_host = (result.tls ~= "1") and (params.host and UrlDecode(params.host)) or nil
 					result.ws_path = params.path and UrlDecode(params.path) or "/"
@@ -936,6 +960,16 @@ local function processData(szType, content)
 			result.insecure = "1"
 		end
 
+		-- 处理 pinsha256 参数
+		if params.pcs and params.pcs ~= "" then
+			result.chain_fingerprint = params.pcs
+		end
+
+		-- 处理 Leaf Certificate Name 参数
+		if params.vcn and params.vcn ~= "" then
+			result.verify_name = params.vcn
+		end
+
 		-- Reality 参数
 		if security == "reality" then
 			result.reality_publickey = params.pbk and UrlDecode(params.pbk) or nil