Fix ECH server config

2025-06-13 21:54:13 +08:00 · 2023-09-01 13:42:54 +08:00 · 2023-09-01 13:42:54 +08:00 · e61c67cbc2
commit e61c67cbc2
parent 406e089d13
3 changed files with 30 additions and 5 deletions
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@ -171,8 +171,20 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
+
+	var echConfig []byte
 	if len(options.ECH.Config) > 0 {
-		block, rest := pem.Decode([]byte(strings.Join(options.ECH.Config, "\n")))
+		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
+	} else if options.ECH.ConfigPath != "" {
+		content, err := os.ReadFile(options.ECH.ConfigPath)
+		if err != nil {
+			return nil, E.Cause(err, "read key")
+		}
+		echConfig = content
+	}
+
+	if len(echConfig) > 0 {
+		block, rest := pem.Decode(echConfig)
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@ -277,7 +277,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 		certificate = content
 	}
 	if len(options.Key) > 0 {
-		key = []byte(strings.Join(options.Key, ""))
+		key = []byte(strings.Join(options.Key, "\n"))
 	} else if options.KeyPath != "" {
 		content, err := os.ReadFile(options.KeyPath)
 		if err != nil {
@ -298,7 +298,20 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	}
 	tlsConfig.Certificates = []cftls.Certificate{keyPair}

-	block, rest := pem.Decode([]byte(strings.Join(options.ECH.Key, "\n")))
+	var echKey []byte
+	if len(options.ECH.Key) > 0 {
+		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
+	} else if options.KeyPath != "" {
+		content, err := os.ReadFile(options.ECH.KeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read key")
+		}
+		echKey = content
+	} else {
+		return nil, E.New("missing ECH key")
+	}
+
+	block, rest := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 		return nil, E.New("invalid ECH keys pem")
 	}
--- a/option/tls.go
+++ b/option/tls.go
@ -50,8 +50,8 @@ type InboundECHOptions struct {
 	Enabled                     bool             `json:"enabled,omitempty"`
 	PQSignatureSchemesEnabled   bool             `json:"pq_signature_schemes_enabled,omitempty"`
 	DynamicRecordSizingDisabled bool             `json:"dynamic_record_sizing_disabled,omitempty"`
-	Key                         Listable[string] `json:"ech_keys,omitempty"`
-	KeyPath                     string           `json:"ech_keys_path,omitempty"`
+	Key                         Listable[string] `json:"key,omitempty"`
+	KeyPath                     string           `json:"key_path,omitempty"`
 }

 type OutboundECHOptions struct {