底层支持国密TLS

Dot-Liu · Dot-Liu · commit a4b0defac95c · 2025-07-07T17:47:54.000+08:00
diff --git a/config/cert.go b/config/cert.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"os"
@@ -16,16 +17,16 @@ var (
 	errorCertificateNotExit = errors.New("not exist cert")
 )
 
-type Cert struct {
-	certs map[string]*gmtls.Certificate
+type Cert[T any] struct {
+	certs map[string]*T
 }
 
-func NewCert(certs map[string]*gmtls.Certificate) *Cert {
-	return &Cert{certs: certs}
+func NewCert[T any](certs map[string]*T) *Cert[T] {
+	return &Cert[T]{certs: certs}
 }
 
-func LoadCert(certs []CertConfig, dir string) (*Cert, error) {
-	cs := make(map[string]*gmtls.Certificate)
+func LoadCert(certs []CertConfig, dir string) (*Cert[tls.Certificate], error) {
+	cs := make(map[string]*tls.Certificate)
 	for _, c := range certs {
 		if c.Key != "" && c.Cert != "" {
 			cert, err := loadCert(c.Cert, c.Key, dir)
@@ -79,31 +80,39 @@ func LoadCert(certs []CertConfig, dir string) (*Cert, error) {
 			}
 		}
 	}
-	return NewCert(cs), nil
+	return NewCert[tls.Certificate](cs), nil
 }
 
-func loadCert(pem string, key string, dir string) (*gmtls.Certificate, error) {
+func loadCert(pem string, key string, dir string) (*tls.Certificate, error) {
 	if !filepath.IsAbs(pem) {
 		pem = fmt.Sprintf("%s/%s", strings.TrimSuffix(dir, "/"), strings.TrimPrefix(pem, "/"))
 	}
 	if !filepath.IsAbs(key) {
 		key = fmt.Sprintf("%s/%s", strings.TrimSuffix(dir, "/"), strings.TrimPrefix(key, "/"))
 	}
-	cert, err := gmtls.LoadX509KeyPair(pem, key)
+	cert, err := tls.LoadX509KeyPair(pem, key)
 	return &cert, err
 }
 
-func (c *Cert) GetCertificate(clientHello *gmtls.ClientHelloInfo) (*gmtls.Certificate, error) {
+func (c *Cert[T]) GetCertificate(clientHello interface{}) (*T, error) {
 	if c.certs == nil {
 		return nil, errorCertificateNotExit
 	}
+	name := ""
+	switch t := clientHello.(type) {
+	case *tls.ClientHelloInfo:
+		name = strings.ToLower(t.ServerName)
+	case *gmtls.ClientHelloInfo:
+		name = strings.ToLower(t.ServerName)
+	default:
+		return nil, fmt.Errorf("unsupported type %T for GetCertificate", clientHello)
+	}
 	if len(c.certs) == 1 {
 		// There's only one choice, so no point doing any work.
 		for _, cert := range c.certs {
 			return cert, nil
 		}
 	}
-	name := strings.ToLower(clientHello.ServerName)
 	if cert, ok := c.certs[name]; ok {
 		return cert, nil
 	}
@@ -118,3 +127,9 @@ func (c *Cert) GetCertificate(clientHello *gmtls.ClientHelloInfo) (*gmtls.Certif
 
 	return nil, errorCertificateNotExit
 }
+
+func GetCertificateFunc(cert *Cert[tls.Certificate]) func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		return cert.GetCertificate(info)
+	}
+}
diff --git a/process-master/master.go b/process-master/master.go
@@ -20,8 +20,6 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/tjfoc/gmsm/gmtls"
-
 	"github.com/eolinker/eosc/process-master/proxy"
 
 	"github.com/eolinker/eosc/etcd"
@@ -264,7 +262,7 @@ func (m *Master) Start(handler *MasterHandler) error {
 
 func (m *Master) listen(conf config.UrlConfig) (net.Listener, error) {
 	tf := traffic.NewTraffic(m.adminTraffic)
-	tcp, ssl := tf.Listen(conf.ListenUrls...)
+	tcp, ssl, _ := tf.Listen(conf.ListenUrls...)
 
 	listener := make([]net.Listener, 0, len(tcp)+len(ssl))
 	listener = append(listener, tcp...)
@@ -273,12 +271,12 @@ func (m *Master) listen(conf config.UrlConfig) (net.Listener, error) {
 		if err != nil {
 			return nil, err
 		}
-		tlsConf := &gmtls.Config{
-			GetCertificate: cert.GetCertificate,
+		tlsConf := &tls.Config{
+			GetCertificate: config.GetCertificateFunc(cert),
 			MaxVersion:     tls.VersionTLS13,
 		}
 		for _, l := range ssl {
-			listener = append(listener, gmtls.NewListener(l, tlsConf))
+			listener = append(listener, tls.NewListener(l, tlsConf))
 		}
 	}
 	if len(listener) == 0 {
diff --git a/traffic/traffic.go b/traffic/traffic.go
@@ -26,7 +26,7 @@ var (
 )
 
 type ITraffic interface {
-	Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener)
+	Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener, gmSsl []net.Listener)
 	IsStop() bool
 	Close()
 }
@@ -42,7 +42,7 @@ const (
 	bitBoth = bitTCP | bitSSL
 )
 
-func (t *Traffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener) {
+func (t *Traffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener, gmSsl []net.Listener) {
 
 	schemes := make(map[string]int)
 	for _, addr := range addrs {
@@ -63,19 +63,20 @@ func (t *Traffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listene
 		case bitBoth:
 			{
 				cMux := cmux.New(listener)
-				ssl = append(ssl, cMux.Match(cmux.TLS(gmtls.VersionGMSSL, gmtls.VersionSSL30, gmtls.VersionTLS10, gmtls.VersionTLS11, gmtls.VersionTLS12, tls.VersionTLS13)))
+				ssl = append(ssl, cMux.Match(cmux.TLS(tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13)))
+				gmSsl = append(gmSsl, cMux.Match(cmux.TLS(gmtls.VersionGMSSL)))
 				tcp = append(tcp, cMux.Match(cmux.Any()))
 				go runMux(cMux)
-
 			}
 		case bitTCP:
 			tcp = append(tcp, listener)
 		case bitSSL:
 			ssl = append(ssl, listener)
+			gmSsl = append(gmSsl, listener)
 		}
 
 	}
-	return tcp, ssl
+	return tcp, ssl, gmSsl
 }
 func runMux(c cmux.CMux) {
 	err := c.Serve()
@@ -125,8 +126,8 @@ func FromArg(traffics []*PbTraffic) ITraffic {
 type EmptyTraffic struct {
 }
 
-func (e *EmptyTraffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener) {
-	return nil, nil
+func (e *EmptyTraffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener, gmSsl []net.Listener) {
+	return nil, nil, gmSsl
 }
 
 func (e *EmptyTraffic) IsStop() bool {
diff --git a/traffic/traffic_test.go b/traffic/traffic_test.go
@@ -2,6 +2,7 @@ package traffic
 
 import (
 	"fmt"
+
 	"github.com/eolinker/eosc/config"
 
 	"testing"
@@ -17,7 +18,7 @@ func ExampleListen() {
 	tfData = NewTrafficData(tfData.data)
 	tf := NewTraffic(tfData)
 
-	tcps, ssls := tf.Listen(addrs...)
+	tcps, ssls, _ := tf.Listen(addrs...)
 	fmt.Println("tcp")
 	for _, l := range tcps {
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package config`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "crypto/tls"`
`4`	`5`	`"errors"`
`5`	`6`	`"fmt"`
`6`	`7`	`"os"`
`@@ -16,16 +17,16 @@ var (`
`16`	`17`	`errorCertificateNotExit = errors.New("not exist cert")`
`17`	`18`	`)`
`18`	`19`
`19`		`-type Cert struct {`
`20`		`- certs map[string]*gmtls.Certificate`
	`20`	`+type Cert[T any] struct {`
	`21`	`+ certs map[string]*T`
`21`	`22`	`}`
`22`	`23`
`23`		`-func NewCert(certs map[string]gmtls.Certificate) Cert {`
`24`		`- return &Cert{certs: certs}`
	`24`	`+func NewCert[T any](certs map[string]T) Cert[T] {`
	`25`	`+ return &Cert[T]{certs: certs}`
`25`	`26`	`}`
`26`	`27`
`27`		`-func LoadCert(certs []CertConfig, dir string) (*Cert, error) {`
`28`		`- cs := make(map[string]*gmtls.Certificate)`
	`28`	`+func LoadCert(certs []CertConfig, dir string) (*Cert[tls.Certificate], error) {`
	`29`	`+ cs := make(map[string]*tls.Certificate)`
`29`	`30`	`for _, c := range certs {`
`30`	`31`	`if c.Key != "" && c.Cert != "" {`
`31`	`32`	`cert, err := loadCert(c.Cert, c.Key, dir)`
`@@ -79,31 +80,39 @@ func LoadCert(certs []CertConfig, dir string) (*Cert, error) {`
`79`	`80`	`}`
`80`	`81`	`}`
`81`	`82`	`}`
`82`		`- return NewCert(cs), nil`
	`83`	`+ return NewCert[tls.Certificate](cs), nil`
`83`	`84`	`}`
`84`	`85`
`85`		`-func loadCert(pem string, key string, dir string) (*gmtls.Certificate, error) {`
	`86`	`+func loadCert(pem string, key string, dir string) (*tls.Certificate, error) {`
`86`	`87`	`if !filepath.IsAbs(pem) {`
`87`	`88`	`pem = fmt.Sprintf("%s/%s", strings.TrimSuffix(dir, "/"), strings.TrimPrefix(pem, "/"))`
`88`	`89`	`}`
`89`	`90`	`if !filepath.IsAbs(key) {`
`90`	`91`	`key = fmt.Sprintf("%s/%s", strings.TrimSuffix(dir, "/"), strings.TrimPrefix(key, "/"))`
`91`	`92`	`}`
`92`		`- cert, err := gmtls.LoadX509KeyPair(pem, key)`
	`93`	`+ cert, err := tls.LoadX509KeyPair(pem, key)`
`93`	`94`	`return &cert, err`
`94`	`95`	`}`
`95`	`96`
`96`		`-func (c Cert) GetCertificate(clientHello gmtls.ClientHelloInfo) (*gmtls.Certificate, error) {`
	`97`	`+func (c Cert[T]) GetCertificate(clientHello interface{}) (T, error) {`
`97`	`98`	`if c.certs == nil {`
`98`	`99`	`return nil, errorCertificateNotExit`
`99`	`100`	`}`
	`101`	`+ name := ""`
	`102`	`+ switch t := clientHello.(type) {`
	`103`	`+ case *tls.ClientHelloInfo:`
	`104`	`+ name = strings.ToLower(t.ServerName)`
	`105`	`+ case *gmtls.ClientHelloInfo:`
	`106`	`+ name = strings.ToLower(t.ServerName)`
	`107`	`+ default:`
	`108`	`+ return nil, fmt.Errorf("unsupported type %T for GetCertificate", clientHello)`
	`109`	`+ }`
`100`	`110`	`if len(c.certs) == 1 {`
`101`	`111`	`// There's only one choice, so no point doing any work.`
`102`	`112`	`for _, cert := range c.certs {`
`103`	`113`	`return cert, nil`
`104`	`114`	`}`
`105`	`115`	`}`
`106`		`- name := strings.ToLower(clientHello.ServerName)`
`107`	`116`	`if cert, ok := c.certs[name]; ok {`
`108`	`117`	`return cert, nil`
`109`	`118`	`}`
`@@ -118,3 +127,9 @@ func (c Cert) GetCertificate(clientHello gmtls.ClientHelloInfo) (*gmtls.Certif`
`118`	`127`
`119`	`128`	`return nil, errorCertificateNotExit`
`120`	`129`	`}`
	`130`	`+`
	`131`	`+func GetCertificateFunc(cert Cert[tls.Certificate]) func(info tls.ClientHelloInfo) (*tls.Certificate, error) {`
	`132`	`+ return func(info tls.ClientHelloInfo) (tls.Certificate, error) {`
	`133`	`+ return cert.GetCertificate(info)`
	`134`	`+ }`
	`135`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ var (`
`26`	`26`	`)`
`27`	`27`
`28`	`28`	`type ITraffic interface {`
`29`		`- Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener)`
	`29`	`+ Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener, gmSsl []net.Listener)`
`30`	`30`	`IsStop() bool`
`31`	`31`	`Close()`
`32`	`32`	`}`
`@@ -42,7 +42,7 @@ const (`
`42`	`42`	`bitBoth = bitTCP \| bitSSL`
`43`	`43`	`)`
`44`	`44`
`45`		`-func (t *Traffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener) {`
	`45`	`+func (t *Traffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener, gmSsl []net.Listener) {`
`46`	`46`
`47`	`47`	`schemes := make(map[string]int)`
`48`	`48`	`for _, addr := range addrs {`
`@@ -63,19 +63,20 @@ func (t *Traffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listene`
`63`	`63`	`case bitBoth:`
`64`	`64`	`{`
`65`	`65`	`cMux := cmux.New(listener)`
`66`		`- ssl = append(ssl, cMux.Match(cmux.TLS(gmtls.VersionGMSSL, gmtls.VersionSSL30, gmtls.VersionTLS10, gmtls.VersionTLS11, gmtls.VersionTLS12, tls.VersionTLS13)))`
	`66`	`+ ssl = append(ssl, cMux.Match(cmux.TLS(tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13)))`
	`67`	`+ gmSsl = append(gmSsl, cMux.Match(cmux.TLS(gmtls.VersionGMSSL)))`
`67`	`68`	`tcp = append(tcp, cMux.Match(cmux.Any()))`
`68`	`69`	`go runMux(cMux)`
`69`		`-`
`70`	`70`	`}`
`71`	`71`	`case bitTCP:`
`72`	`72`	`tcp = append(tcp, listener)`
`73`	`73`	`case bitSSL:`
`74`	`74`	`ssl = append(ssl, listener)`
	`75`	`+ gmSsl = append(gmSsl, listener)`
`75`	`76`	`}`
`76`	`77`
`77`	`78`	`}`
`78`		`- return tcp, ssl`
	`79`	`+ return tcp, ssl, gmSsl`
`79`	`80`	`}`
`80`	`81`	`func runMux(c cmux.CMux) {`
`81`	`82`	`err := c.Serve()`
`@@ -125,8 +126,8 @@ func FromArg(traffics []*PbTraffic) ITraffic {`
`125`	`126`	`type EmptyTraffic struct {`
`126`	`127`	`}`
`127`	`128`
`128`		`-func (e *EmptyTraffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener) {`
`129`		`- return nil, nil`
	`129`	`+func (e *EmptyTraffic) Listen(addrs ...string) (tcp []net.Listener, ssl []net.Listener, gmSsl []net.Listener) {`
	`130`	`+ return nil, nil, gmSsl`
`130`	`131`	`}`
`131`	`132`
`132`	`133`	`func (e *EmptyTraffic) IsStop() bool {`