From e61c67cbc23dd3322d96c7f073701ac0d2c4d2e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?=
Date: Fri, 1 Sep 2023 13:42:54 +0800
Subject: [PATCH] Fix ECH server config

---
 common/tls/ech_client.go | 14 +++++++++++++-
 common/tls/ech_server.go | 17 +++++++++++++++--
 option/tls.go | 4 ++--
 3 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/common/tls/ech_client.go b/common/tls/ech_client.go
index aa5b915e..930dfaaf 100644
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -171,8 +171,20 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 tlsConfig.ECHEnabled = true
 tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
+
+ var echConfig []byte
 if len(options.ECH.Config) > 0 {
- block, rest := pem.Decode([]byte(strings.Join(options.ECH.Config, "\n")))
+ echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
+ } else if options.ECH.ConfigPath != "" {
+ content, err := os.ReadFile(options.ECH.ConfigPath)
+ if err != nil {
+ return nil, E.Cause(err, "read key")
+ }
+ echConfig = content
+ }
+
+ if len(echConfig) > 0 {
+ block, rest := pem.Decode(echConfig)
 if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 return nil, E.New("invalid ECH configs pem")
 }
diff --git a/common/tls/ech_server.go b/common/tls/ech_server.go
index 412599ed..b6b6f7d0 100644
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@@ -277,7 +277,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 certificate = content
 }
 if len(options.Key) > 0 {
- key = []byte(strings.Join(options.Key, ""))
+ key = []byte(strings.Join(options.Key, "\n"))
 } else if options.KeyPath != "" {
 content, err := os.ReadFile(options.KeyPath)
 if err != nil {
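Review bot: The error wrapped at `return nil, E.Cause(err, "read key")` in the ech_client.go hunk names the wrong file: this branch reads the ECH config list from `options.ECH.ConfigPath`, not a key, so a failing read would send the operator to the wrong place; `return nil, E.Cause(err, "read ECH config")` matches what is actually being read. A path that exists but is empty also leaves `len(echConfig) == 0` and silently takes the no-config path, while the inline form is at least validated by pem.Decode; if a configured path is meant to be mandatory, an explicit check after the read, such as `if len(content) == 0 { return nil, E.New("empty ECH config file") }`, would surface that misconfiguration instead of hiding it. NewECHClient begins and ends outside the hunk, and the existence of the ConfigPath field is assumed from this use rather than visible here.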
@@ -298,7 +298,20 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 }
 tlsConfig.Certificates = []cftls.Certificate{keyPair}
 
- block, rest := pem.Decode([]byte(strings.Join(options.ECH.Key, "\n")))
+ var echKey []byte
+ if len(options.ECH.Key) > 0 {
+ echKey = []byte(strings.Join(options.ECH.Key, "\n"))
+ } else if options.KeyPath != "" {
+ content, err := os.ReadFile(options.ECH.KeyPath)
+ if err != nil {
+ return nil, E.Cause(err, "read key")
+ }
+ echKey = content
+ } else {
+ return nil, E.New("missing ECH key")
+ }
+
+ block, rest := pem.Decode(echKey)
 if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 return nil, E.New("invalid ECH keys pem")
 }
diff --git a/option/tls.go b/option/tls.go
index 1f9f5746..63944980 100644
--- a/option/tls.go
+++ b/option/tls.go
@@ -50,8 +50,8 @@ type InboundECHOptions struct {
 Enabled bool `json:"enabled,omitempty"`
 PQSignatureSchemesEnabled bool `json:"pq_signature_schemes_enabled,omitempty"`
 DynamicRecordSizingDisabled bool `json:"dynamic_record_sizing_disabled,omitempty"`
- Key Listable[string] `json:"ech_keys,omitempty"`
- KeyPath string `json:"ech_keys_path,omitempty"`
+ Key Listable[string] `json:"key,omitempty"`
+ KeyPath string `json:"key_path,omitempty"`
 }
 
 type OutboundECHOptions struct {
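Review bot: The file-path branch in the ech_server.go hunk tests the wrong field: `} else if options.KeyPath != "" {` guards a read of `options.ECH.KeyPath`, so an ECH key path is only honoured when the unrelated TLS key path happens to be set, and when only the TLS key path is set the code calls `os.ReadFile("")` and fails with a misleading error instead of reaching the `missing ECH key` branch. The condition should be `} else if options.ECH.KeyPath != "" {`. The wrapped message `E.Cause(err, "read key")` is also the same wording one would expect from the TLS key read in the preceding hunk (which reads `options.KeyPath`), so `E.Cause(err, "read ECH key")` would tell the operator which of the two key files could not be opened. NewECHServer begins and ends outside the hunk.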