mirror of
https://github.com/XTLS/Xray-core.git
synced 2024-11-22 15:03:02 +00:00
Many fixes
This commit is contained in:
parent
72892dac2f
commit
df370f0223
@ -445,8 +445,15 @@ func (c *TLSConfig) Build() (proto.Message, error) {
|
||||
}
|
||||
}
|
||||
|
||||
if c.ECHConfig != "" {
|
||||
ECHConfig, err := base64.StdEncoding.DecodeString(c.ECHConfig)
|
||||
if err != nil {
|
||||
return nil, errors.New("invalid ECH Config", c.ECHConfig)
|
||||
}
|
||||
config.EchConfig = ECHConfig
|
||||
}
|
||||
|
||||
config.MasterKeyLog = c.MasterKeyLog
|
||||
config.EchConfig = c.ECHConfig
|
||||
config.Ech_DOHserver = c.ECHDOHServer
|
||||
|
||||
return config, nil
|
||||
|
@ -220,7 +220,7 @@ type Config struct {
|
||||
// @Critical
|
||||
PinnedPeerCertificatePublicKeySha256 [][]byte `protobuf:"bytes,14,rep,name=pinned_peer_certificate_public_key_sha256,json=pinnedPeerCertificatePublicKeySha256,proto3" json:"pinned_peer_certificate_public_key_sha256,omitempty"`
|
||||
MasterKeyLog string `protobuf:"bytes,15,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
|
||||
EchConfig string `protobuf:"bytes,16,opt,name=ech_config,json=echConfig,proto3" json:"ech_config,omitempty"`
|
||||
EchConfig []byte `protobuf:"bytes,16,opt,name=ech_config,json=echConfig,proto3" json:"ech_config,omitempty"`
|
||||
Ech_DOHserver string `protobuf:"bytes,17,opt,name=ech_DOHserver,json=echDOHserver,proto3" json:"ech_DOHserver,omitempty"`
|
||||
}
|
||||
|
||||
@ -362,11 +362,11 @@ func (x *Config) GetMasterKeyLog() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *Config) GetEchConfig() string {
|
||||
func (x *Config) GetEchConfig() []byte {
|
||||
if x != nil {
|
||||
return x.EchConfig
|
||||
}
|
||||
return ""
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *Config) GetEch_DOHserver() string {
|
||||
@ -456,7 +456,7 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{
|
||||
0x61, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6c, 0x6f, 0x67, 0x18, 0x0f, 0x20,
|
||||
0x01, 0x28, 0x09, 0x52, 0x0c, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x4c, 0x6f,
|
||||
0x67, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x63, 0x68, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18,
|
||||
0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x65, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
|
||||
0x10, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x65, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
|
||||
0x12, 0x23, 0x0a, 0x0d, 0x65, 0x63, 0x68, 0x5f, 0x44, 0x4f, 0x48, 0x73, 0x65, 0x72, 0x76, 0x65,
|
||||
0x72, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x63, 0x68, 0x44, 0x4f, 0x48, 0x73,
|
||||
0x65, 0x72, 0x76, 0x65, 0x72, 0x42, 0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61,
|
||||
|
@ -88,6 +88,6 @@ message Config {
|
||||
repeated bytes pinned_peer_certificate_public_key_sha256 = 14;
|
||||
|
||||
string master_key_log = 15;
|
||||
string ech_config = 16;
|
||||
bytes ech_config = 16;
|
||||
string ech_DOHserver = 17;
|
||||
}
|
||||
|
@ -7,10 +7,8 @@ import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"io"
|
||||
"net/http"
|
||||
"regexp"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
@ -25,19 +23,15 @@ func ApplyECH(c *Config, config *tls.Config) error {
|
||||
var err error
|
||||
|
||||
if len(c.EchConfig) > 0 {
|
||||
ECHConfig, err = base64.StdEncoding.DecodeString(c.EchConfig)
|
||||
if err != nil {
|
||||
return errors.New("invalid ECH config")
|
||||
}
|
||||
ECHConfig = c.EchConfig
|
||||
} else { // ECH config > DOH lookup
|
||||
if c.ServerName == "" {
|
||||
if config.ServerName == "" {
|
||||
return errors.New("Using DOH for ECH needs serverName")
|
||||
}
|
||||
ECHRecord, err := QueryRecord(c.ServerName, c.Ech_DOHserver)
|
||||
ECHConfig, err = QueryRecord(c.ServerName, c.Ech_DOHserver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ECHConfig, _ = base64.StdEncoding.DecodeString(ECHRecord)
|
||||
}
|
||||
|
||||
config.EncryptedClientHelloConfigList = ECHConfig
|
||||
@ -45,7 +39,7 @@ func ApplyECH(c *Config, config *tls.Config) error {
|
||||
}
|
||||
|
||||
type record struct {
|
||||
record string
|
||||
record []byte
|
||||
expire time.Time
|
||||
}
|
||||
|
||||
@ -54,34 +48,40 @@ var (
|
||||
mutex sync.RWMutex
|
||||
)
|
||||
|
||||
func QueryRecord(domain string, server string) (string, error) {
|
||||
func QueryRecord(domain string, server string) ([]byte, error) {
|
||||
mutex.Lock()
|
||||
rec, found := dnsCache[domain]
|
||||
if found && rec.expire.After(time.Now()) {
|
||||
mutex.Unlock()
|
||||
return rec.record, nil
|
||||
}
|
||||
mutex.Lock()
|
||||
defer mutex.Unlock()
|
||||
errors.LogDebug(context.Background(), "Tring to query ECH config for domain: ", domain, " with ECH server: ", server)
|
||||
mutex.Unlock()
|
||||
|
||||
errors.LogDebug(context.Background(), "Trying to query ECH config for domain: ", domain, " with ECH server: ", server)
|
||||
record, ttl, err := dohQuery(server, domain)
|
||||
if err != nil {
|
||||
return "", err
|
||||
return []byte{}, err
|
||||
}
|
||||
// Use TTL for good, but many HTTPS records have TTL 60, too short
|
||||
|
||||
if ttl < 600 {
|
||||
ttl = 600
|
||||
}
|
||||
|
||||
mutex.Lock()
|
||||
defer mutex.Unlock()
|
||||
rec.record = record
|
||||
rec.expire = time.Now().Add(time.Second * time.Duration(ttl))
|
||||
dnsCache[domain] = rec
|
||||
return record, nil
|
||||
}
|
||||
|
||||
func dohQuery(server string, domain string) (string, uint32, error) {
|
||||
func dohQuery(server string, domain string) ([]byte, uint32, error) {
|
||||
m := new(dns.Msg)
|
||||
m.SetQuestion(dns.Fqdn(domain), dns.TypeHTTPS)
|
||||
m.Id = 0
|
||||
msg, err := m.Pack()
|
||||
if err != nil {
|
||||
return "", 0, err
|
||||
return []byte{}, 0, err
|
||||
}
|
||||
tr := &http.Transport{
|
||||
IdleConnTimeout: 90 * time.Second,
|
||||
@ -104,33 +104,37 @@ func dohQuery(server string, domain string) (string, uint32, error) {
|
||||
}
|
||||
req, err := http.NewRequest("POST", server, bytes.NewReader(msg))
|
||||
if err != nil {
|
||||
return "", 0, err
|
||||
return []byte{}, 0, err
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/dns-message")
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return "", 0, err
|
||||
return []byte{}, 0, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
respBody, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return "", 0, err
|
||||
return []byte{}, 0, err
|
||||
}
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return "", 0, errors.New("query failed with response code:", resp.StatusCode)
|
||||
return []byte{}, 0, errors.New("query failed with response code:", resp.StatusCode)
|
||||
}
|
||||
respMsg := new(dns.Msg)
|
||||
err = respMsg.Unpack(respBody)
|
||||
if err != nil {
|
||||
return "", 0, err
|
||||
return []byte{}, 0, err
|
||||
}
|
||||
if len(respMsg.Answer) > 0 {
|
||||
re := regexp.MustCompile(`ech="([^"]+)"`)
|
||||
match := re.FindStringSubmatch(respMsg.Answer[0].String())
|
||||
if match[1] != "" {
|
||||
errors.LogDebug(context.Background(), "Get ECH config:", match[1], " TTL:", respMsg.Answer[0].Header().Ttl)
|
||||
return match[1], respMsg.Answer[0].Header().Ttl, nil
|
||||
for _, answer := range respMsg.Answer {
|
||||
if https, ok := answer.(*dns.HTTPS); ok && https.Hdr.Name == dns.Fqdn(domain) {
|
||||
for _, v := range https.Value {
|
||||
if echConfig, ok := v.(*dns.SVCBECHConfig); ok {
|
||||
errors.LogDebug(context.Background(), "Get ECH config:", echConfig.String(), " TTL:", respMsg.Answer[0].Header().Ttl)
|
||||
return echConfig.ECH, answer.Header().Ttl, nil
|
||||
}
|
||||
}
|
||||
return "", 0, errors.New("no ech record found")
|
||||
}
|
||||
}
|
||||
}
|
||||
return []byte{}, 0, errors.New("no ech record found")
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user