chunyu/sing-box
1
0
Fork 0
mirror of https://github.com/SagerNet/sing-box.git synced 2025-06-13 21:54:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

optimize code

Browse Source
This commit is contained in:
arm64v8a 2023-07-23 18:47:37 +09:00
parent 043e473000
commit e63a68ab04
1 changed files with 27 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
common/tls/std_server.go
View File

@ -143,9 +143,12 @@ func (c *STDServerConfig) reloadKeyPair() error {
if err != nil { if err != nil {
return E.Cause(err, "reload key pair") return E.Cause(err, "reload key pair")
} }
setGetCertificateFunc(c.config, func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { c.config.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
return &keyPair, nil return &keyPair, nil
}, c.rejectUnknownSNI) }
if c.rejectUnknownSNI {
setRejectUnknownSNI(c.config)
}
c.logger.Info("reloaded TLS certificate") c.logger.Info("reloaded TLS certificate")
return nil return nil
} }
@ -234,9 +237,12 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
key = content key = content
} }
if certificate == nil && key == nil && options.Insecure { if certificate == nil && key == nil && options.Insecure {
setGetCertificateFunc(tlsConfig, func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
return GenerateKeyPair(router.TimeFunc(), info.ServerName) return GenerateKeyPair(router.TimeFunc(), info.ServerName)
}, options.RejectUnknownSNI) }
if options.RejectUnknownSNI {
return nil, E.New("insecure conflict with reject_unknown_sni")
}
} else { } else {
if certificate == nil { if certificate == nil {
return nil, E.New("missing certificate") return nil, E.New("missing certificate")
@ -248,9 +254,12 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
if err != nil { if err != nil {
return nil, E.Cause(err, "parse x509 key pair") return nil, E.Cause(err, "parse x509 key pair")
} }
setGetCertificateFunc(tlsConfig, func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
return &keyPair, nil return &keyPair, nil
}, options.RejectUnknownSNI) }
if options.RejectUnknownSNI {
setRejectUnknownSNI(tlsConfig)
}
} }
} }
return &STDServerConfig{ return &STDServerConfig{
@ -265,13 +274,13 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
}, nil }, nil
} }
func setGetCertificateFunc(tlsConfig *tls.Config, getCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error), rejectUnknownSNI bool) { func setRejectUnknownSNI(tlsConfig *tls.Config) {
getCertificate := tlsConfig.GetCertificate
tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
cert, err := getCertificate(info) cert, err := getCertificate(info)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if rejectUnknownSNI {
if info.ServerName != "" && info.ServerName == tlsConfig.ServerName { if info.ServerName != "" && info.ServerName == tlsConfig.ServerName {
return cert, nil return cert, nil
} }
@ -284,7 +293,6 @@ func setGetCertificateFunc(tlsConfig *tls.Config, getCertificate func(*tls.Clien
if err = cert.Leaf.VerifyHostname(info.ServerName); err != nil { if err = cert.Leaf.VerifyHostname(info.ServerName); err != nil {
return nil, E.Cause(err, "cert is not valid for SNI") return nil, E.Cause(err, "cert is not valid for SNI")
} }
}
return cert, nil return cert, nil
} }
} }