Add Surge MITM and scripts

2026-06-12 14:28:15 +03:00 · 2025-03-20 09:12:48 +08:00
parent 276584be09
commit 82bc416985
85 changed files with 7309 additions and 355 deletions
--- a/common/certificate/store.go
+++ b/common/certificate/store.go
@@ -3,6 +3,7 @@ package certificate
 import (
 	"context"
 	"crypto/x509"
+	"encoding/base64"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -16,6 +17,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/service"
+
+	"software.sslmate.com/src/go-pkcs12"
 )

 var _ adapter.CertificateStore = (*Store)(nil)
@@ -27,6 +30,9 @@ type Store struct {
 	certificatePaths          []string
 	certificateDirectoryPaths []string
 	watcher                   *fswatch.Watcher
+	tlsDecryptionEnabled      bool
+	tlsDecryptionPrivateKey   any
+	tlsDecryptionCertificate  *x509.Certificate
 }

 func NewStore(ctx context.Context, logger logger.Logger, options option.CertificateOptions) (*Store, error) {
@@ -90,6 +96,19 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 	if err != nil {
 		return nil, E.Cause(err, "initializing certificate store")
 	}
+	if options.TLSDecryption != nil && options.TLSDecryption.Enabled {
+		pfxBytes, err := base64.StdEncoding.DecodeString(options.TLSDecryption.KeyPair)
+		if err != nil {
+			return nil, E.Cause(err, "decode key pair base64 bytes")
+		}
+		privateKey, certificate, err := pkcs12.Decode(pfxBytes, options.TLSDecryption.KeyPairPassword)
+		if err != nil {
+			return nil, E.Cause(err, "decode key pair")
+		}
+		store.tlsDecryptionEnabled = true
+		store.tlsDecryptionPrivateKey = privateKey
+		store.tlsDecryptionCertificate = certificate
+	}
 	return store, nil
 }

@@ -183,3 +202,15 @@ func isSameDirSymlink(f fs.DirEntry, dir string) bool {
 	target, err := os.Readlink(filepath.Join(dir, f.Name()))
 	return err == nil && !strings.Contains(target, "/")
 }
+
+func (s *Store) TLSDecryptionEnabled() bool {
+	return s.tlsDecryptionEnabled
+}
+
+func (s *Store) TLSDecryptionCertificate() *x509.Certificate {
+	return s.tlsDecryptionCertificate
+}
+
+func (s *Store) TLSDecryptionPrivateKey() any {
+	return s.tlsDecryptionPrivateKey
+}
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -18,5 +18,6 @@ func HTTPHost(_ context.Context, metadata *adapter.InboundContext, reader io.Rea
 	}
 	metadata.Protocol = C.ProtocolHTTP
 	metadata.Domain = M.ParseSocksaddr(request.Host).AddrString()
+	metadata.HTTPRequest = request
 	return nil
 }
--- a/common/sniff/tls.go
+++ b/common/sniff/tls.go
@@ -21,6 +21,7 @@ func TLSClientHello(ctx context.Context, metadata *adapter.InboundContext, reade
 	if clientHello != nil {
 		metadata.Protocol = C.ProtocolTLS
 		metadata.Domain = clientHello.ServerName
+		metadata.ClientHello = clientHello
 		return nil
 	}
 	return err
--- a/common/tls/mkcert.go
+++ b/common/tls/mkcert.go
@@ -8,7 +8,10 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"math/big"
+	"net"
 	"time"
+
+	M "github.com/sagernet/sing/common/metadata"
 )

 func GenerateKeyPair(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
@@ -35,17 +38,30 @@ func GenerateCertificate(parent *x509.Certificate, parentKey any, timeFunc func(
 	if err != nil {
 		return
 	}
-	template := &x509.Certificate{
-		SerialNumber:          serialNumber,
-		NotBefore:             timeFunc().Add(time.Hour * -1),
-		NotAfter:              expire,
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		Subject: pkix.Name{
-			CommonName: serverName,
-		},
-		DNSNames: []string{serverName},
+	var template *x509.Certificate
+	if serverAddress := M.ParseAddr(serverName); serverAddress.IsValid() {
+		template = &x509.Certificate{
+			SerialNumber:          serialNumber,
+			IPAddresses:           []net.IP{serverAddress.AsSlice()},
+			NotBefore:             timeFunc().Add(time.Hour * -1),
+			NotAfter:              expire,
+			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+			BasicConstraintsValid: true,
+		}
+	} else {
+		template = &x509.Certificate{
+			SerialNumber:          serialNumber,
+			NotBefore:             timeFunc().Add(time.Hour * -1),
+			NotAfter:              expire,
+			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+			BasicConstraintsValid: true,
+			Subject: pkix.Name{
+				CommonName: serverName,
+			},
+			DNSNames: []string{serverName},
+		}
 	}
 	if parent == nil {
 		parent = template