diff --git a/component/ca/config.go b/component/ca/config.go index c097ca25..f50780af 100644 --- a/component/ca/config.go +++ b/component/ca/config.go @@ -10,7 +10,6 @@ import ( "sync" "github.com/metacubex/mihomo/common/once" - C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/ntp" "github.com/metacubex/tls" @@ -107,7 +106,7 @@ func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) { } if len(opt.Certificate) > 0 || len(opt.PrivateKey) > 0 { - certLoader, err := NewTLSKeyPairLoader(opt.Certificate, opt.PrivateKey, C.Path) + certLoader, err := NewTLSKeyPairLoader(opt.Certificate, opt.PrivateKey) if err != nil { return nil, err } diff --git a/component/ca/keypair.go b/component/ca/keypair.go index 7f869afb..bf0176ed 100644 --- a/component/ca/keypair.go +++ b/component/ca/keypair.go @@ -14,19 +14,14 @@ import ( "os" "time" + C "github.com/metacubex/mihomo/constant" + "github.com/metacubex/tls" ) -type Path interface { - Resolve(path string) string - IsSafePath(path string) bool - ErrNotSafePath(path string) error -} - // NewTLSKeyPairLoader creates a loader function for TLS key pairs from the provided certificate and private key data or file paths. // If both certificate and privateKey are empty, generates a random TLS RSA key pair. -// Accepts a Path interface for resolving file paths when necessary. -func NewTLSKeyPairLoader(certificate, privateKey string, path Path) (func() (*tls.Certificate, error), error) { +func NewTLSKeyPairLoader(certificate, privateKey string) (func() (*tls.Certificate, error), error) { if certificate == "" && privateKey == "" { var err error certificate, privateKey, _, err = NewRandomTLSKeyPair(KeyPairTypeRSA) 
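Review bot: The doc comment on NewTLSKeyPairLoader no longer explains what happens when the arguments are not inline PEM — the removed "Accepts a Path interface" line was the only mention that they are treated as file paths, and with the `path` parameter gone the resolver is no longer visible in the signature either. I would replace the removed line with `// Values that are not inline PEM are treated as file paths, resolved with C.Path.Resolve and rejected unless C.Path.IsSafePath accepts them.` so the filesystem access and the safety gate are stated at the one place callers read. Deleting the exported Path interface is also an API removal for anyone outside this module who implemented it; a one-line note in the commit description would save downstream users a surprise. The body of NewTLSKeyPairLoader continues past the end of this hunk.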
@@ -40,17 +35,14 @@ func NewTLSKeyPairLoader(certificate, privateKey string, path Path) (func() (*tl return &cert, nil }, nil } - if path == nil { - return nil, painTextErr - } - certificate = path.Resolve(certificate) - privateKey = path.Resolve(privateKey) + certificate = C.Path.Resolve(certificate) + privateKey = C.Path.Resolve(privateKey) var loadErr error - if !path.IsSafePath(certificate) { - loadErr = path.ErrNotSafePath(certificate) - } else if !path.IsSafePath(privateKey) { - loadErr = path.ErrNotSafePath(privateKey) + if !C.Path.IsSafePath(certificate) { + loadErr = C.Path.ErrNotSafePath(certificate) + } else if !C.Path.IsSafePath(privateKey) { + loadErr = C.Path.ErrNotSafePath(privateKey) } else { cert, loadErr = tls.LoadX509KeyPair(certificate, privateKey) } @@ -62,20 +54,17 @@ func NewTLSKeyPairLoader(certificate, privateKey string, path Path) (func() (*tl }, nil } -func LoadCertificates(certificate string, path Path) (*x509.CertPool, error) { +func LoadCertificates(certificate string) (*x509.CertPool, error) { pool := x509.NewCertPool() if pool.AppendCertsFromPEM([]byte(certificate)) { return pool, nil } painTextErr := fmt.Errorf("invalid certificate: %s", certificate) - if path == nil { - return nil, painTextErr - } - certificate = path.Resolve(certificate) + certificate = C.Path.Resolve(certificate) var loadErr error - if !path.IsSafePath(certificate) { - loadErr = path.ErrNotSafePath(certificate) + if !C.Path.IsSafePath(certificate) { + loadErr = C.Path.ErrNotSafePath(certificate) } else { certPEMBlock, err := os.ReadFile(certificate) if pool.AppendCertsFromPEM(certPEMBlock) { diff --git a/component/ech/key.go b/component/ech/key.go index b0d572d6..ceca6547 100644 --- a/component/ech/key.go +++ b/component/ech/key.go @@ -9,7 +9,7 @@ import ( "fmt" "os" - "github.com/metacubex/mihomo/component/ca" + C "github.com/metacubex/mihomo/constant" "github.com/metacubex/tls" "golang.org/x/crypto/cryptobyte" 
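Review bot: Dropping the `if path == nil { return nil, painTextErr }` guard removes the only way a caller could confine NewTLSKeyPairLoader to inline PEM and refuse to touch the filesystem; every value that fails to parse is now resolved against the process-wide `C.Path` and opened from disk, gated solely by `IsSafePath`. All call sites visible in this diff already passed `C.Path`, so nothing visible regresses, but the function now depends on mutable package-level state and can no longer be handed a stricter resolver by a test or an embedding that wants no file access. If that is the intended contract, state it in the function's doc comment (previous hunk): `// Non-PEM values are always resolved and checked against the global C.Path; there is no inline-only mode.` The `IsSafePath` check is still applied to both resolved paths before `tls.LoadX509KeyPair` runs, which is the property that matters here; the tail of the function, where loadErr and painTextErr are combined, is outside the hunk.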
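Review bot: `painTextErr := fmt.Errorf("invalid certificate: %s", certificate)` keeps its declaration in LoadCertificates but loses its only use within this hunk once the `path == nil` branch goes; unless the remainder of the function (outside the hunk) still folds it into the returned error, this is a declared-and-not-used compile failure, and if it does, the `%s` verb places the entire argument — a multi-kilobyte PEM blob or, after `C.Path.Resolve`, an absolute on-disk path — into an error that every listener in this diff logs or returns. Worth confirming the tail of the function, and the same question applies to the error constructed near the top of NewTLSKeyPairLoader, which is not visible here. For the trust-anchor case the content is not secret, so this is a log-hygiene point rather than a leak.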
@@ -104,7 +104,7 @@ func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) { return keys, nil } -func LoadECHKey(key string, tlsConfig *tls.Config, path ca.Path) error { +func LoadECHKey(key string, tlsConfig *tls.Config) error { if key == "" { return nil } @@ -112,10 +112,10 @@ func LoadECHKey(key string, tlsConfig *tls.Config, path ca.Path) error { if painTextErr == nil { return nil } - key = path.Resolve(key) + key = C.Path.Resolve(key) var loadErr error - if !path.IsSafePath(key) { - loadErr = path.ErrNotSafePath(key) + if !C.Path.IsSafePath(key) { + loadErr = C.Path.ErrNotSafePath(key) } else { var echKey []byte echKey, loadErr = os.ReadFile(key) diff --git a/hub/route/server.go b/hub/route/server.go index a27ee6a9..4e0d0c93 100644 --- a/hub/route/server.go +++ b/hub/route/server.go @@ -191,7 +191,7 @@ func startTLS(cfg *Config) { // handle tlsAddr if len(cfg.TLSAddr) > 0 { - certLoader, err := ca.NewTLSKeyPairLoader(cfg.Certificate, cfg.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(cfg.Certificate, cfg.PrivateKey) if err != nil { log.Errorln("External controller tls listen error: %s", err) return @@ -216,7 +216,7 @@ func startTLS(cfg *Config) { } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(cfg.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(cfg.ClientAuthCert) if err != nil { log.Errorln("External controller tls listen error: %s", err) return @@ -225,7 +225,7 @@ func startTLS(cfg *Config) { } if cfg.EchKey != "" { - err = ech.LoadECHKey(cfg.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(cfg.EchKey, tlsConfig) if err != nil { log.Errorln("External controller tls serve error: %s", err) return diff --git a/listener/anytls/server.go b/listener/anytls/server.go index 197aabd9..0d35d4d6 100644 --- a/listener/anytls/server.go +++ b/listener/anytls/server.go 
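Review bot: LoadECHKey is exported and now reads a private ECH key from disk via the global `C.Path` without a doc comment saying so; the signature change is the natural moment to add one, for example `// LoadECHKey accepts key as inline data first and otherwise treats it as a file path resolved through C.Path and rejected unless C.Path.IsSafePath allows it; an empty key is a no-op.` (the empty-key early return and the inline-first ordering are both visible in the hunk; what happens to the bytes after `os.ReadFile` is outside it). Because this value is private key material, the `painTextErr` constructed above the hunk should not echo the key string the way LoadCertificates echoes its certificate — presumably it does not, but confirm before merging.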
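Review bot: After these three call-site changes nothing in the visible hunks of hub/route/server.go references `C` any more; config.go in this same commit dropped its `constant` import for exactly that reason, but server.go's import block is outside the diff, so confirm `C` is still used elsewhere in the file or remove the import to avoid an unused-import compile failure. Separately, the `log.Errorln("External controller tls listen error: %s", err)` lines here print whatever NewTLSKeyPairLoader and LoadCertificates put into their errors; LoadCertificates is shown embedding its full certificate argument with `%s`, so if the loader's inline-PEM error does the same with the private key, that key would land in the external-controller log — check the error constructors, which are not visible in this diff. startTLS begins before and continues after these hunks.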
@@ -45,7 +45,7 @@ func New(config LC.AnyTLSServer, tunnel C.Tunnel, additions ...inbound.Addition) tlsConfig := &tls.Config{Time: ntp.Now} if config.Certificate != "" && config.PrivateKey != "" { - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -54,7 +54,7 @@ func New(config LC.AnyTLSServer, tunnel C.Tunnel, additions ...inbound.Addition) } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } @@ -67,7 +67,7 @@ func New(config LC.AnyTLSServer, tunnel C.Tunnel, additions ...inbound.Addition) } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } diff --git a/listener/http/server.go b/listener/http/server.go index 66bf86c3..2c537ded 100644 --- a/listener/http/server.go +++ b/listener/http/server.go @@ -71,7 +71,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A var realityBuilder *reality.Builder if config.Certificate != "" && config.PrivateKey != "" { - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -80,7 +80,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } 
@@ -93,7 +93,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } diff --git a/listener/mixed/mixed.go b/listener/mixed/mixed.go index 1efbb40f..bc67a476 100644 --- a/listener/mixed/mixed.go +++ b/listener/mixed/mixed.go @@ -67,7 +67,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A var realityBuilder *reality.Builder if config.Certificate != "" && config.PrivateKey != "" { - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -76,7 +76,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } @@ -89,7 +89,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } diff --git a/listener/sing_hysteria2/server.go b/listener/sing_hysteria2/server.go index 94dd0db6..493607d5 100644 --- a/listener/sing_hysteria2/server.go +++ b/listener/sing_hysteria2/server.go 
@@ -60,7 +60,7 @@ func New(config LC.Hysteria2Server, tunnel C.Tunnel, additions ...inbound.Additi Time: ntp.Now, MinVersion: tls.VersionTLS13, } - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -74,7 +74,7 @@ func New(config LC.Hysteria2Server, tunnel C.Tunnel, additions ...inbound.Additi } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } @@ -82,7 +82,7 @@ func New(config LC.Hysteria2Server, tunnel C.Tunnel, additions ...inbound.Additi } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } diff --git a/listener/sing_vless/server.go b/listener/sing_vless/server.go index 10cb6e2c..83ba5779 100644 --- a/listener/sing_vless/server.go +++ b/listener/sing_vless/server.go @@ -81,7 +81,7 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition) var httpServer http.Server if config.Certificate != "" && config.PrivateKey != "" { - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -90,7 +90,7 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition) } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } 
@@ -103,7 +103,7 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition) } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } diff --git a/listener/sing_vmess/server.go b/listener/sing_vmess/server.go index 5ca6a159..7dd0a163 100644 --- a/listener/sing_vmess/server.go +++ b/listener/sing_vmess/server.go @@ -81,7 +81,7 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition) var httpServer http.Server if config.Certificate != "" && config.PrivateKey != "" { - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -90,7 +90,7 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition) } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } @@ -103,7 +103,7 @@ func New(config LC.VmessServer, tunnel C.Tunnel, additions ...inbound.Addition) } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } diff --git a/listener/socks/tcp.go b/listener/socks/tcp.go index 60a34e1c..45de2135 100644 --- a/listener/socks/tcp.go +++ b/listener/socks/tcp.go 
@@ -66,7 +66,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A var realityBuilder *reality.Builder if config.Certificate != "" && config.PrivateKey != "" { - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -75,7 +75,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } @@ -88,7 +88,7 @@ func NewWithConfig(config LC.AuthServer, tunnel C.Tunnel, additions ...inbound.A } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } diff --git a/listener/trojan/server.go b/listener/trojan/server.go index a5e123d0..e3c1002c 100644 --- a/listener/trojan/server.go +++ b/listener/trojan/server.go @@ -76,7 +76,7 @@ func New(config LC.TrojanServer, tunnel C.Tunnel, additions ...inbound.Addition) var httpServer http.Server if config.Certificate != "" && config.PrivateKey != "" { - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -85,7 +85,7 @@ func New(config LC.TrojanServer, tunnel C.Tunnel, additions ...inbound.Addition) } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err } 
@@ -98,7 +98,7 @@ func New(config LC.TrojanServer, tunnel C.Tunnel, additions ...inbound.Addition) } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } diff --git a/listener/tuic/server.go b/listener/tuic/server.go index da492129..7e659e59 100644 --- a/listener/tuic/server.go +++ b/listener/tuic/server.go @@ -53,7 +53,7 @@ func New(config LC.TuicServer, tunnel C.Tunnel, additions ...inbound.Addition) ( Time: ntp.Now, MinVersion: tls.VersionTLS13, } - certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey, C.Path) + certLoader, err := ca.NewTLSKeyPairLoader(config.Certificate, config.PrivateKey) if err != nil { return nil, err } @@ -67,7 +67,7 @@ func New(config LC.TuicServer, tunnel C.Tunnel, additions ...inbound.Addition) ( } } if tlsConfig.ClientAuth == tls.VerifyClientCertIfGiven || tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert { - pool, err := ca.LoadCertificates(config.ClientAuthCert, C.Path) + pool, err := ca.LoadCertificates(config.ClientAuthCert) if err != nil { return nil, err } @@ -75,7 +75,7 @@ func New(config LC.TuicServer, tunnel C.Tunnel, additions ...inbound.Addition) ( } if config.EchKey != "" { - err = ech.LoadECHKey(config.EchKey, tlsConfig, C.Path) + err = ech.LoadECHKey(config.EchKey, tlsConfig) if err != nil { return nil, err }