Fix TLS Client verification and SSL Pinning introduced in uTLS

2022-10-27 09:15:31 +08:00 · 2022-10-27 09:15:31 +08:00 · a37f4d0019
commit a37f4d0019
parent b1cd2b2c37
4 changed files with 33 additions and 4 deletions
--- a/gost.go
+++ b/gost.go
@ -20,7 +20,7 @@ import (
 )

 // Version is the gost version.
-const Version = "2.11.2-EvanMod-v1.2.2"
+const Version = "2.11.2-EvanMod-v1.2.3"
 const ProxyAgent = "nginx"

 // Debug is a flag that enables the debug log.
--- a/strong_mod.sh
+++ b/strong_mod.sh
@ -1,2 +1,6 @@
 sed -b -i s/\*gost./*evan./g $1
 sed -b -i s/]gost./]evan./g $1
+sed -b -i s#ginuerzh/gost#evanevan/evan#g $1
+sed -b -i s#go-gost#ev-evan#g $1
+sed -b -i s#gost.#evan.#g $1
+sed -b -i s#cmd/gost#cmd/evan#g $1
--- a/tls.go
+++ b/tls.go
@ -280,10 +280,23 @@ func wrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration,

 	//tlsConn := tls.Client(conn, tlsConfig)
 	var tlsConn *utls.UConn
+
+	utlsConf := &utls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName, ClientAuth: utls.ClientAuthType(tlsConfig.ClientAuth), ClientCAs: tlsConfig.ClientCAs, RootCAs: tlsConfig.RootCAs}
+	if len(tlsConfig.Certificates) > 0 {
+		for _, certificate := range tlsConfig.Certificates {
+			utlsConf.Certificates = append(utlsConf.Certificates, utls.Certificate{
+				Certificate:                 certificate.Certificate,
+				PrivateKey:                  certificate.PrivateKey,
+				OCSPStaple:                  certificate.OCSPStaple,
+				SignedCertificateTimestamps: certificate.SignedCertificateTimestamps,
+				Leaf:                        certificate.Leaf,
+			})
+		}
+	}
 	if h2Alpn {
-		tlsConn = utls.UClient(conn, &utls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName}, utls.HelloChrome_Auto)
+		tlsConn = utls.UClient(conn, utlsConf, utls.HelloChrome_Auto)
 	} else {
-		tlsConn = utls.UClient(conn, &utls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName}, utls.HelloCustom)
+		tlsConn = utls.UClient(conn, utlsConf, utls.HelloCustom)
 		tlsConn.ApplyPreset(newWsSpec())
 	}

--- a/ws.go
+++ b/ws.go
@ -837,7 +837,19 @@ func websocketClientConn(url string, conn net.Conn, tlsConfig *tls.Config, optio
 			return conn, nil
 		},
 		NetDialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			client := utls.UClient(conn, &utls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName}, utls.HelloCustom)
+			utlsConf := &utls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName, ClientAuth: utls.ClientAuthType(tlsConfig.ClientAuth), ClientCAs: tlsConfig.ClientCAs, RootCAs: tlsConfig.RootCAs}
+			if len(tlsConfig.Certificates) > 0 {
+				for _, certificate := range tlsConfig.Certificates {
+					utlsConf.Certificates = append(utlsConf.Certificates, utls.Certificate{
+						Certificate:                 certificate.Certificate,
+						PrivateKey:                  certificate.PrivateKey,
+						OCSPStaple:                  certificate.OCSPStaple,
+						SignedCertificateTimestamps: certificate.SignedCertificateTimestamps,
+						Leaf:                        certificate.Leaf,
+					})
+				}
+			}
+			client := utls.UClient(conn, utlsConf, utls.HelloCustom)
 			client.ApplyPreset(newWsSpec())
 			err := client.Handshake()
 			if err != nil {