Acasă Explorează Ajutor
Autentificare
txlyre
/
3x-ui
oglindă de https://github.com/MHSanaei/3x-ui
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Arbore: 1c0fdb4527
Ramuri Etichete
3x-ui
/
internal
/
web
/
runtime
/
tls_client.go

tls_client.go 2.6 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384 
  1. package runtime
    2. 

  2. 

  3. import (
    4. 

  4. 	"crypto/sha256"
    5. 

  5. 	"crypto/subtle"
    6. 

  6. 	"crypto/tls"
    7. 

  7. 	"encoding/base64"
    8. 

  8. 	"encoding/hex"
    9. 

  9. 	"net/http"
    10. 

  10. 	"strings"
    11. 

  11. 	"time"
    12. 

  12. 

  13. 	"github.com/mhsanaei/3x-ui/v3/internal/database/model"
    14. 

  14. 	"github.com/mhsanaei/3x-ui/v3/internal/util/common"
    15. 

  15. 	"github.com/mhsanaei/3x-ui/v3/internal/util/netsafe"
    16. 

  16. )
    17. 

  17. 

  18. // defaultNodeHTTPClient reaches nodes trusting the system CA store ("verify"
    19. 

  19. // mode or plain http); shared so connections pool across nodes.
    20. 

  20. var defaultNodeHTTPClient = &http.Client{
    21. 

  21. 	Transport: &http.Transport{
    22. 

  22. 		MaxIdleConns:        64,
    23. 

  23. 		MaxIdleConnsPerHost: 4,
    24. 

  24. 		IdleConnTimeout:     60 * time.Second,
    25. 

  25. 		DialContext:         netsafe.SSRFGuardedDialContext,
    26. 

  26. 	},
    27. 

  27. }
    28. 

  28. 

  29. // HTTPClientForNode returns the node's HTTP client honoring its TLS verify mode
    30. 

  30. // (verify→system CA, skip→no check, pin→leaf SHA-256). Used by both the probe
    31. 

  31. // and every Remote op so they can't disagree on a self-signed node (#5264).
    32. 

  32. func HTTPClientForNode(n *model.Node) (*http.Client, error) {
    33. 

  33. 	mode := n.TlsVerifyMode
    34. 

  34. 	if mode == "" {
    35. 

  35. 		mode = "verify"
    36. 

  36. 	}
    37. 

  37. 	if mode == "verify" || n.Scheme == "http" {
    38. 

  38. 		return defaultNodeHTTPClient, nil
    39. 

  39. 	}
    40. 

  40. 	tlsCfg := &tls.Config{InsecureSkipVerify: true} // lgtm[go/disabled-certificate-check]
    41. 

  41. 	if mode == "pin" {
    42. 

  42. 		want, err := DecodeCertPin(n.PinnedCertSha256)
    43. 

  43. 		if err != nil {
    44. 

  44. 			return nil, err
    45. 

  45. 		}
    46. 

  46. 		tlsCfg.VerifyConnection = func(cs tls.ConnectionState) error {
    47. 

  47. 			if len(cs.PeerCertificates) == 0 {
    48. 

  48. 				return common.NewError("node presented no certificate")
    49. 

  49. 			}
    50. 

  50. 			sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
    51. 

  51. 			if subtle.ConstantTimeCompare(sum[:], want) != 1 {
    52. 

  52. 				return common.NewError("node certificate does not match pinned SHA-256")
    53. 

  53. 			}
    54. 

  54. 			return nil
    55. 

  55. 		}
    56. 

  56. 	}
    57. 

  57. 	return &http.Client{
    58. 

  58. 		Transport: &http.Transport{
    59. 

  59. 			MaxIdleConns:        64,
    60. 

  60. 			MaxIdleConnsPerHost: 4,
    61. 

  61. 			IdleConnTimeout:     60 * time.Second,
    62. 

  62. 			DialContext:         netsafe.SSRFGuardedDialContext,
    63. 

  63. 			TLSClientConfig:     tlsCfg,
    64. 

  64. 		},
    65. 

  65. 	}, nil
    66. 

  66. }
    67. 

  67. 

  68. // DecodeCertPin decodes a SHA-256 cert pin given as base64 (Xray's
    69. 

  69. // pinnedPeerCertSha256 form) or hex with optional colons into 32 raw bytes.
    70. 

  70. func DecodeCertPin(s string) ([]byte, error) {
    71. 

  71. 	s = strings.TrimSpace(s)
    72. 

  72. 	if s == "" {
    73. 

  73. 		return nil, common.NewError("certificate pin is empty")
    74. 

  74. 	}
    75. 

  75. 	if b, err := hex.DecodeString(strings.ReplaceAll(s, ":", "")); err == nil && len(b) == sha256.Size {
    76. 

  76. 		return b, nil
    77. 

  77. 	}
    78. 

  78. 	for _, enc := range []*base64.Encoding{base64.StdEncoding, base64.RawStdEncoding, base64.URLEncoding, base64.RawURLEncoding} {
    79. 

  79. 		if b, err := enc.DecodeString(s); err == nil && len(b) == sha256.Size {
    80. 

  80. 			return b, nil
    81. 

  81. 		}
    82. 

  82. 	}
    83. 

  83. 	return nil, common.NewError("certificate pin must be a SHA-256 hash (base64 or hex)")
    84. 

  84. }
    85.