@@ -3,79 +3,16 @@ package tls
33import (
44 "context"
55 "crypto/x509"
6- "net"
76 "os"
87 "strings"
98 "time"
109
1110 "github.com/sagernet/sing-box/adapter"
12- C "github.com/sagernet/sing-box/constant"
1311 "github.com/sagernet/sing-box/option"
1412 E "github.com/sagernet/sing/common/exceptions"
15- "github.com/sagernet/sing/common/ntp"
1613 "github.com/sagernet/sing/service"
1714)
1815
19- type systemTLSConfig struct {
20- serverName string
21- nextProtos []string
22- handshakeTimeout time.Duration
23- minVersion uint16
24- maxVersion uint16
25- insecure bool
26- anchorOnly bool
27- certificatePublicKeySHA256 [][]byte
28- timeFunc func () time.Time
29- store adapter.CertificateStore
30- }
31-
32- func (c * systemTLSConfig ) ServerName () string {
33- return c .serverName
34- }
35-
36- func (c * systemTLSConfig ) SetServerName (serverName string ) {
37- c .serverName = serverName
38- }
39-
40- func (c * systemTLSConfig ) NextProtos () []string {
41- return c .nextProtos
42- }
43-
44- func (c * systemTLSConfig ) SetNextProtos (nextProto []string ) {
45- c .nextProtos = append ([]string (nil ), nextProto ... )
46- }
47-
48- func (c * systemTLSConfig ) HandshakeTimeout () time.Duration {
49- return c .handshakeTimeout
50- }
51-
52- func (c * systemTLSConfig ) SetHandshakeTimeout (timeout time.Duration ) {
53- c .handshakeTimeout = timeout
54- }
55-
56- func (c * systemTLSConfig ) STDConfig () (* STDConfig , error ) {
57- return nil , E .New ("STDConfig is unsupported for the system TLS engine" )
58- }
59-
60- func (c * systemTLSConfig ) Client (conn net.Conn ) (Conn , error ) {
61- return nil , os .ErrInvalid
62- }
63-
64- func (c * systemTLSConfig ) clone () systemTLSConfig {
65- return systemTLSConfig {
66- serverName : c .serverName ,
67- nextProtos : append ([]string (nil ), c .nextProtos ... ),
68- handshakeTimeout : c .handshakeTimeout ,
69- minVersion : c .minVersion ,
70- maxVersion : c .maxVersion ,
71- insecure : c .insecure ,
72- anchorOnly : c .anchorOnly ,
73- certificatePublicKeySHA256 : append ([][]byte (nil ), c .certificatePublicKeySHA256 ... ),
74- timeFunc : c .timeFunc ,
75- store : c .store ,
76- }
77- }
78-
7916type SystemTLSValidated struct {
8017 MinVersion uint16
8118 MaxVersion uint16
@@ -165,38 +102,6 @@ func resolveSystemAnchors(ctx context.Context, options option.OutboundTLSOptions
165102 return nil , store .ExclusiveAnchors (), store , nil
166103}
167104
168- func newSystemTLSConfig (ctx context.Context , serverAddress string , options option.OutboundTLSOptions , allowEmptyServerName bool , engineName string ) (systemTLSConfig , SystemTLSValidated , error ) {
169- validated , err := ValidateSystemTLSOptions (ctx , options , engineName )
170- if err != nil {
171- return systemTLSConfig {}, SystemTLSValidated {}, err
172- }
173- var serverName string
174- if options .ServerName != "" {
175- serverName = options .ServerName
176- } else if serverAddress != "" {
177- serverName = serverAddress
178- }
179- if serverName == "" && ! options .Insecure && ! allowEmptyServerName {
180- return systemTLSConfig {}, SystemTLSValidated {}, errMissingServerName
181- }
182- handshakeTimeout := C .TCPTimeout
183- if options .HandshakeTimeout > 0 {
184- handshakeTimeout = options .HandshakeTimeout .Build ()
185- }
186- return systemTLSConfig {
187- serverName : serverName ,
188- nextProtos : append ([]string (nil ), options .ALPN ... ),
189- handshakeTimeout : handshakeTimeout ,
190- minVersion : validated .MinVersion ,
191- maxVersion : validated .MaxVersion ,
192- insecure : options .Insecure || len (options .CertificatePublicKeySHA256 ) > 0 ,
193- anchorOnly : validated .Exclusive ,
194- certificatePublicKeySHA256 : append ([][]byte (nil ), options .CertificatePublicKeySHA256 ... ),
195- timeFunc : ntp .TimeFuncFromContext (ctx ),
196- store : validated .Store ,
197- }, validated , nil
198- }
199-
200105func verifySystemTLSPeer (roots * x509.CertPool , serverName string , timeFunc func () time.Time , peerCertificates []* x509.Certificate ) error {
201106 if len (peerCertificates ) == 0 {
202107 return E .New ("no peer certificates" )
0 commit comments