chore: update utls to 1.7.0

component/ca/config.go

@@ -111,11 +111,7 @@ func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	return (*[32]byte)(fpByte), nil
 }
 
-// GetTLSConfig specified fingerprint, customCA and customCAString
-func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (*tls.Config, error) {
-	if tlsConfig == nil {
-		tlsConfig = &tls.Config{}
-	}
+func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
 	var certificate []byte
 	var err error
 	if len(customCA) > 0 {
@@ -131,17 +127,35 @@ func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, cu
 		if !certPool.AppendCertsFromPEM(certificate) {
 			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
 		}
-		tlsConfig.RootCAs = certPool
+		return certPool, nil
 	} else {
-		tlsConfig.RootCAs = getCertPool()
+		return getCertPool(), nil
 	}
+}
+
+func NewFingerprintVerifier(fingerprint string) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
+	fingerprintBytes, err := convertFingerprint(fingerprint)
+	if err != nil {
+		return nil, err
+	}
+	return verifyFingerprint(fingerprintBytes), nil
+}
+
+// GetTLSConfig specified fingerprint, customCA and customCAString
+func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{}
+	}
+	tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)
+	if err != nil {
+		return nil, err
+	}
+
 	if len(fingerprint) > 0 {
-		var fingerprintBytes *[32]byte
-		fingerprintBytes, err = convertFingerprint(fingerprint)
+		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)
 		if err != nil {
 			return nil, err
 		}
-		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
 		tlsConfig.InsecureSkipVerify = true
 	}
 	return tlsConfig, nil

component/tls/utls.go

@@ -4,15 +4,16 @@ import (
 	"crypto/tls"
 	"net"
 
+	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/log"
 
 	utls "github.com/metacubex/utls"
 	"github.com/mroth/weightedrand/v2"
 )
 
-type UConn struct {
-	*utls.UConn
-}
+type UConn = utls.UConn
+
+const VersionTLS13 = utls.VersionTLS13
 
 type UClientHelloID struct {
 	*utls.ClientHelloID
@@ -21,13 +22,8 @@ type UClientHelloID struct {
 var initRandomFingerprint UClientHelloID
 var initUtlsClient string
 
-func UClient(c net.Conn, config *tls.Config, fingerprint UClientHelloID) *UConn {
-	utlsConn := utls.UClient(c, copyConfig(config), utls.ClientHelloID{
-		Client:  fingerprint.Client,
-		Version: fingerprint.Version,
-		Seed:    fingerprint.Seed,
-	})
-	return &UConn{UConn: utlsConn}
+func UClient(c net.Conn, config *utls.Config, fingerprint UClientHelloID) *UConn {
+	return utls.UClient(c, config, *fingerprint.ClientHelloID)
 }
 
 func GetFingerprint(ClientFingerprint string) (UClientHelloID, bool) {
@@ -95,18 +91,43 @@ func init() {
 	Fingerprints["randomized"] = UClientHelloID{&randomized}
 }
 
-func copyConfig(c *tls.Config) *utls.Config {
+func UCertificates(it tls.Certificate) utls.Certificate {
+	return utls.Certificate{
+		Certificate: it.Certificate,
+		PrivateKey:  it.PrivateKey,
+		SupportedSignatureAlgorithms: utils.Map(it.SupportedSignatureAlgorithms, func(it tls.SignatureScheme) utls.SignatureScheme {
+			return utls.SignatureScheme(it)
+		}),
+		OCSPStaple:                  it.OCSPStaple,
+		SignedCertificateTimestamps: it.SignedCertificateTimestamps,
+		Leaf:                        it.Leaf,
+	}
+}
+
+func UConfig(config *tls.Config) *utls.Config {
 	return &utls.Config{
-		RootCAs:               c.RootCAs,
-		ServerName:            c.ServerName,
-		InsecureSkipVerify:    c.InsecureSkipVerify,
-		VerifyPeerCertificate: c.VerifyPeerCertificate,
+		Rand:                  config.Rand,
+		Time:                  config.Time,
+		Certificates:          utils.Map(config.Certificates, UCertificates),
+		VerifyPeerCertificate: config.VerifyPeerCertificate,
+		RootCAs:               config.RootCAs,
+		NextProtos:            config.NextProtos,
+		ServerName:            config.ServerName,
+		InsecureSkipVerify:    config.InsecureSkipVerify,
+		CipherSuites:          config.CipherSuites,
+		MinVersion:            config.MinVersion,
+		MaxVersion:            config.MaxVersion,
+		CurvePreferences: utils.Map(config.CurvePreferences, func(it tls.CurveID) utls.CurveID {
+			return utls.CurveID(it)
+		}),
+		SessionTicketsDisabled: config.SessionTicketsDisabled,
+		Renegotiation:          utls.RenegotiationSupport(config.Renegotiation),
 	}
 }
 
 // BuildWebsocketHandshakeState it will only send http/1.1 in its ALPN.
 // Copy from https://github.com/XTLS/Xray-core/blob/main/transport/internet/tls/tls.go
-func (c *UConn) BuildWebsocketHandshakeState() error {
+func BuildWebsocketHandshakeState(c *UConn) error {
 	// Build the handshake state. This will apply every variable of the TLS of the
 	// fingerprint in the UConn
 	if err := c.BuildHandshakeState(); err != nil {