Add support for internal DNS system

README.md

@@ -85,7 +85,6 @@
   - [X-flutter](https://github.com/XTLS/X-flutter)
   - [SaeedDev94/Xray](https://github.com/SaeedDev94/Xray)
 - iOS & macOS arm64
-  - [Happ](https://apps.apple.com/app/happ-proxy-utility/id6504287215)
   - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
   - [Streisand](https://apps.apple.com/app/streisand/id6450534064)
 - macOS arm64 & x64

app/dns/dns.go

@@ -210,6 +210,34 @@ func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, error) {
 	return nil, errors.New("returning nil for domain ", domain).Base(errors.Combine(errs...))
 }
 
+func (s *DNS) LookupHTTPS(domain string) (map[string]string, error) {
+	errs := []error{}
+	ctx := session.ContextWithInbound(s.ctx, &session.Inbound{Tag: s.tag})
+	for _, client := range s.sortClients(domain) {
+		if strings.EqualFold(client.Name(), "FakeDNS") {
+			errors.LogDebug(s.ctx, "skip DNS resolution for domain ", domain, " at server ", client.Name())
+			continue
+		}
+		EnhancedServer, ok := client.server.(EnhancedServer)
+		if !ok {
+			continue
+		}
+		HTTPSRecord, err := EnhancedServer.QueryHTTPS(ctx, domain, s.disableCache)
+		if len(HTTPSRecord) > 0 {
+			return HTTPSRecord, nil
+		}
+		if err != nil {
+			errors.LogInfoInner(s.ctx, err, "failed to lookup HTTPS for domain ", domain, " at server ", client.Name())
+			errs = append(errs, err)
+		}
+		// 5 for RcodeRefused in miekg/dns, hardcode to reduce binary size
+		if err != context.Canceled && err != context.DeadlineExceeded && err != errExpectedIPNonMatch && err != dns.ErrEmptyResponse && dns.RCodeFromError(err) != 5 {
+			return nil, err
+		}
+	}
+	return nil, errors.New("returning nil for domain ", domain).Base(errors.Combine(errs...))
+}
+
 // LookupHosts implements dns.HostsLookup.
 func (s *DNS) LookupHosts(domain string) *net.Address {
 	domain = strings.TrimSuffix(domain, ".")

app/dns/dnscommon.go

@@ -29,6 +29,12 @@ type record struct {
 	AAAA *IPRecord
 }
 
+type HTTPSRecord struct {
+	keypair map[string]string
+	Expire time.Time
+	RCode  dnsmessage.RCode
+}
+
 // IPRecord is a cacheable item for a resolved domain
 type IPRecord struct {
 	ReqID  uint16

app/dns/nameserver.go

@@ -23,6 +23,13 @@ type Server interface {
 	QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns.IPOption, disableCache bool) ([]net.IP, error)
 }
 
+// Server is the interface for Enhanced Name Server.
+type EnhancedServer interface {
+	Server
+	// QueryHTTPS sends HTTPS queries to its configured server.
+	QueryHTTPS(ctx context.Context, domain string, disableCache bool) (map[string]string, error)
+}
+
 // Client is the interface for DNS client.
 type Client struct {
 	server       Server

app/dns/nameserver_doh.go

@@ -12,6 +12,7 @@ import (
 	"sync"
 	"time"
 
+	mdns "github.com/miekg/dns"
 	utls "github.com/refraction-networking/utls"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/crypto"
@@ -42,6 +43,8 @@ type DoHNameServer struct {
 	dohURL        string
 	name          string
 	queryStrategy QueryStrategy
+
+	HTTPSCache map[string]*HTTPSRecord
 }
 
 // NewDoHNameServer creates DOH/DOHL client object for remote/local resolving.
@@ -58,6 +61,7 @@ func NewDoHNameServer(url *url.URL, queryStrategy QueryStrategy, dispatcher rout
 		name:          mode + "//" + url.Host,
 		dohURL:        url.String(),
 		queryStrategy: queryStrategy,
+		HTTPSCache:    make(map[string]*HTTPSRecord),
 	}
 	s.cleanup = &task.Periodic{
 		Interval: time.Minute,
@@ -207,6 +211,21 @@ func (s *DoHNameServer) updateIP(req *dnsRequest, ipRec *IPRecord) {
 	common.Must(s.cleanup.Start())
 }
 
+func (s *DoHNameServer) updateHTTPS(domain string, HTTPSRec *HTTPSRecord) {
+	s.Lock()
+	rec, found := s.HTTPSCache[domain]
+	if !found {
+		s.HTTPSCache[domain] = HTTPSRec
+	}
+	if found && rec.Expire.Before(time.Now()) {
+		s.HTTPSCache[domain] = HTTPSRec
+	}
+	errors.LogInfo(context.Background(), s.name, " got answer: ", domain, " ", "HTTPS", " -> ", HTTPSRec.keypair)
+
+	s.pub.Publish(domain+"HTTPS", nil)
+	s.Unlock()
+}
+
 func (s *DoHNameServer) newReqID() uint16 {
 	return 0
 }
@@ -271,6 +290,59 @@ func (s *DoHNameServer) sendQuery(ctx context.Context, domain string, clientIP n
 	}
 }
 
+func (s *DoHNameServer) sendHTTPSQuery(ctx context.Context, domain string) {
+	errors.LogInfo(ctx, s.name, " querying HTTPS record for: ", domain)
+	var deadline time.Time
+	if d, ok := ctx.Deadline(); ok {
+		deadline = d
+	} else {
+		deadline = time.Now().Add(time.Second * 5)
+	}
+	dnsCtx := ctx
+	// reserve internal dns server requested Inbound
+	if inbound := session.InboundFromContext(ctx); inbound != nil {
+		dnsCtx = session.ContextWithInbound(dnsCtx, inbound)
+	}
+	dnsCtx = session.ContextWithContent(dnsCtx, &session.Content{
+		Protocol:       "https",
+		SkipDNSResolve: true,
+	})
+	var cancel context.CancelFunc
+	dnsCtx, cancel = context.WithDeadline(dnsCtx, deadline)
+	defer cancel()
+
+	m := new(mdns.Msg)
+	m.SetQuestion(mdns.Fqdn(domain), mdns.TypeHTTPS)
+	m.Id = 0
+	msg, _ := m.Pack()
+	response, err := s.dohHTTPSContext(dnsCtx, msg)
+	if err != nil {
+		errors.LogError(ctx, err, "failed to retrieve HTTPS query response for ", domain)
+		return
+	}
+	respMsg := new(mdns.Msg)
+	err = respMsg.Unpack(response)
+	if err != nil {
+		errors.LogError(ctx, err, "failed to parse HTTPS query response for ", domain)
+		return
+	}
+	var Record = HTTPSRecord{
+		keypair: map[string]string{},
+	}
+	if len(respMsg.Answer) > 0 {
+		for _, answer := range respMsg.Answer {
+			if https, ok := answer.(*mdns.HTTPS); ok && https.Hdr.Name == mdns.Fqdn(domain) {
+				for _, value := range https.Value {
+					Record.keypair[value.Key().String()] = value.String()
+				}
+			}
+		}
+	}
+	Record.Expire = time.Now().Add(time.Duration(respMsg.Answer[0].Header().Ttl) * time.Second)
+
+	s.updateHTTPS(domain, &Record)
+}
+
 func (s *DoHNameServer) dohHTTPSContext(ctx context.Context, b []byte) ([]byte, error) {
 	body := bytes.NewBuffer(b)
 	req, err := http.NewRequest("POST", s.dohURL, body)
@@ -341,6 +413,27 @@ func (s *DoHNameServer) findIPsForDomain(domain string, option dns_feature.IPOpt
 	return nil, errRecordNotFound
 }
 
+func (s *DoHNameServer) findRecordsForDomain(domain string, Querytype string) (any, error) {
+	switch Querytype {
+	case "HTTPS":
+		s.RLock()
+		record, found := s.HTTPSCache[domain]
+		s.RUnlock()
+		if !found {
+			return nil, errRecordNotFound
+		}
+		if len(record.keypair) == 0 {
+			return nil, dns_feature.ErrEmptyResponse
+		}
+		if record.Expire.Before(time.Now()) {
+			return nil, errRecordNotFound
+		}
+		return record, nil
+	default:
+		return nil, errors.New("unsupported query type: " + Querytype)
+	}
+}
+
 // QueryIP implements Server.
 func (s *DoHNameServer) QueryIP(ctx context.Context, domain string, clientIP net.IP, option dns_feature.IPOption, disableCache bool) ([]net.IP, error) { // nolint: dupl
 	fqdn := Fqdn(domain)
@@ -403,3 +496,44 @@ func (s *DoHNameServer) QueryIP(ctx context.Context, domain string, clientIP net
 		}
 	}
 }
+
+// QueryHTTPS implements EnhancedServer.
+func (s *DoHNameServer) QueryHTTPS(ctx context.Context, domain string, disableCache bool) (map[string]string, error) { // nolint: dupl
+	fqdn := Fqdn(domain)
+
+	if disableCache {
+		errors.LogDebug(ctx, "DNS cache is disabled. Querying HTTPS for ", domain, " at ", s.name)
+	} else {
+		Record, err := s.findRecordsForDomain(fqdn, "HTTPS")
+		if err == nil || err == dns_feature.ErrEmptyResponse {
+			errors.LogDebugInner(ctx, err, s.name, " cache HIT ", domain, " -> ", Record.(HTTPSRecord).keypair)
+			return Record.(HTTPSRecord).keypair, err
+		}
+	}
+	sub := s.pub.Subscribe(fqdn + "HTTPS")
+	defer sub.Close()
+	done := make(chan interface{})
+	go func() {
+		if sub != nil {
+			select {
+			case <-sub.Wait():
+			case <-ctx.Done():
+			}
+		}
+		close(done)
+	}()
+	s.sendHTTPSQuery(ctx, fqdn)
+
+	for {
+		Record, err := s.findRecordsForDomain(fqdn, "HTTPS")
+		if err != errRecordNotFound {
+			return Record.(*HTTPSRecord).keypair, err
+		}
+
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-done:
+		}
+	}
+}

common/crypto/chunk.go

@@ -1,13 +1,11 @@
 package crypto
 
 import (
-	"context"
 	"encoding/binary"
 	"io"
 
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
-	"github.com/xtls/xray-core/common/errors"
 )
 
 // ChunkSizeDecoder is a utility class to decode size value from bytes.
@@ -119,7 +117,6 @@ func (r *ChunkStreamReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 	}
 	r.leftOverSize = size
 
-	errors.LogInfo(context.Background(), "StreamReader read ", size)
 	mb, err := r.reader.ReadAtMost(size)
 	if !mb.IsEmpty() {
 		r.leftOverSize -= mb.Len()

common/mux/reader.go

@@ -1,7 +1,6 @@
 package mux
 
 import (
-	"context"
 	"io"
 
 	"github.com/xtls/xray-core/common/buf"
@@ -34,7 +33,6 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 	}
 
 	size, err := serial.ReadUint16(r.reader)
-	errors.LogInfo(context.Background(), "PacketReader read ", size, r.dest)
 	if err != nil {
 		return nil, err
 	}

common/mux/server_test.go

@@ -90,8 +90,7 @@ func TestRegressionOutboundLeak(t *testing.T) {
 	}
 
 	{
-		b := buf.New()
-		b.Write([]byte("hello"))
+		b := buf.FromBytes([]byte("hello"))
 		common.Must(muxClientDownlink.Writer.WriteMultiBuffer(buf.MultiBuffer{b}))
 	}
 
@@ -103,8 +102,7 @@ func TestRegressionOutboundLeak(t *testing.T) {
 	}
 
 	{
-		b := buf.New()
-		b.Write([]byte("world"))
+		b := buf.FromBytes([]byte("world"))
 		common.Must(websiteUplink.Writer.WriteMultiBuffer(buf.MultiBuffer{b}))
 	}
 

common/mux/writer.go

@@ -1,11 +1,8 @@
 package mux
 
 import (
-	"context"
-
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
-	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/serial"
@@ -78,10 +75,10 @@ func writeMetaWithFrame(writer buf.Writer, meta FrameMetadata, data buf.MultiBuf
 	if _, err := serial.WriteUint16(frame, uint16(data.Len())); err != nil {
 		return err
 	}
+
 	mb2 := make(buf.MultiBuffer, 0, len(data)+1)
 	mb2 = append(mb2, frame)
 	mb2 = append(mb2, data...)
-	mb2 = buf.Compact(mb2)
 	return writer.WriteMultiBuffer(mb2)
 }
 
@@ -109,7 +106,6 @@ func (w *Writer) WriteMultiBuffer(mb buf.MultiBuffer) error {
 			mb = mb2
 			chunk = buf.MultiBuffer{b}
 		}
-		errors.LogInfo(context.Background(), "MuxWriter write ", chunk.Len(), w.dest)
 		if err := w.writeData(chunk); err != nil {
 			return err
 		}

core/core.go

@@ -19,7 +19,7 @@ import (
 var (
 	Version_x byte = 25
 	Version_y byte = 3
-	Version_z byte = 6
+	Version_z byte = 3
 )
 
 var (

features/dns/client.go

@@ -24,6 +24,13 @@ type Client interface {
 	LookupIP(domain string, option IPOption) ([]net.IP, error)
 }
 
+type EnhancedClient interface {
+	Client
+
+	// LookupHTTPS returns HTTPS records for the given domain.
+	LookupHTTPS(domain string) (map[string]string, error)
+}
+
 type HostsLookup interface {
 	LookupHosts(domain string) *net.Address
 }

go.mod

@@ -3,7 +3,7 @@ module github.com/xtls/xray-core
 go 1.24
 
 require (
-	github.com/OmarTariq612/goech v0.0.0-20240405204721-8e2e1dafd3a0
+	github.com/OmarTariq612/goech v0.0.1
 	github.com/cloudflare/circl v1.6.0
 	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/golang/mock v1.7.0-rc.1
@@ -22,12 +22,12 @@ require (
 	github.com/vishvananda/netlink v1.3.0
 	github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.36.0
-	golang.org/x/net v0.37.0
-	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.31.0
+	golang.org/x/crypto v0.35.0
+	golang.org/x/net v0.35.0
+	golang.org/x/sync v0.11.0
+	golang.org/x/sys v0.30.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
-	google.golang.org/grpc v1.71.0
+	google.golang.org/grpc v1.70.0
 	google.golang.org/protobuf v1.36.5
 	gvisor.dev/gvisor v0.0.0-20240320123526-dc6abceb7ff0
 	h12.io/socks v1.0.3
@@ -51,11 +51,11 @@ require (
 	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc // indirect
 	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,5 +1,5 @@
-github.com/OmarTariq612/goech v0.0.0-20240405204721-8e2e1dafd3a0 h1:Wo41lDOevRJSGpevP+8Pk5bANX7fJacO2w04aqLiC5I=
-github.com/OmarTariq612/goech v0.0.0-20240405204721-8e2e1dafd3a0/go.mod h1:FVGavL/QEBQDcBpr3fAojoK17xX5k9bicBphrOpP7uM=
+github.com/OmarTariq612/goech v0.0.1 h1:/0c918Bk1ik65GXDj2k7SOK78DyZr30Jmq9euy1/HXg=
+github.com/OmarTariq612/goech v0.0.1/go.mod h1:FVGavL/QEBQDcBpr3fAojoK17xX5k9bicBphrOpP7uM=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
 github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
@@ -79,26 +79,24 @@ github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZla
 github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d h1:+B97uD9uHLgAAulhigmys4BVwZZypzK7gPN3WtpgRJg=
 github.com/xtls/reality v0.0.0-20240712055506-48f0b2d5ed6d/go.mod h1:dm4y/1QwzjGaK17ofi0Vs6NpKAHegZky8qk6J2JJZAE=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
-go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
-go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
-go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
-go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
+go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
+go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
+go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
+go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4=
+go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU=
+go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
+go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
+go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
+go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
 go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc h1:O9NuF4s+E/PvMIy+9IUZB9znFwUIXEWSstNjek6VpVg=
 golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
@@ -107,12 +105,12 @@ golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -121,14 +119,14 @@ golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -143,10 +141,10 @@ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeu
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f h1:OxYkA3wjPsZyBylwymxSHa7ViiW1Sml4ToBrncvFehI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50=
-google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
-google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a h1:hgh8P4EuoxpsuKMXX/To36nOFD7vixReXgn8lPGnt+o=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
+google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
+google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

infra/conf/transport_internet.go

@@ -18,7 +18,6 @@ import (
 	"github.com/xtls/xray-core/transport/internet"
 	"github.com/xtls/xray-core/transport/internet/httpupgrade"
 	"github.com/xtls/xray-core/transport/internet/kcp"
-	"github.com/xtls/xray-core/transport/internet/quic"
 	"github.com/xtls/xray-core/transport/internet/reality"
 	"github.com/xtls/xray-core/transport/internet/splithttp"
 	"github.com/xtls/xray-core/transport/internet/tcp"
@@ -333,22 +332,6 @@ func (c *SplitHTTPConfig) Build() (proto.Message, error) {
 	return config, nil
 }
 
-type QUICConfig struct {
-	// Header   json.RawMessage `json:"header"`
-	// Security string          `json:"security"`
-	// Key      string          `json:"key"`
-
-	Fec bool `json:"fec"`
-}
-
-// Build implements Buildable.
-func (c *QUICConfig) Build() (proto.Message, error) {
-	config := &quic.Config{
-		Fec: c.Fec,
-	}
-	return config, nil
-}
-
 func readFileOrString(f string, s []string) ([]byte, error) {
 	if len(f) > 0 {
 		return filesystem.ReadFile(f)
@@ -429,6 +412,8 @@ type TLSConfig struct {
 	MasterKeyLog                         string           `json:"masterKeyLog"`
 	ServerNameToVerify                   string           `json:"serverNameToVerify"`
 	VerifyPeerCertInNames                []string         `json:"verifyPeerCertInNames"`
+	ECHConfigList                        string           `json:"echConfigList"`
+	EchKeySets                           string           `json:"echKeySets"`
 }
 
 // Build implements Buildable.
@@ -500,6 +485,16 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	}
 	config.VerifyPeerCertInNames = c.VerifyPeerCertInNames
 
+	config.EchConfigList = c.ECHConfigList
+
+	if c.EchKeySets != "" {
+		EchPrivateKey, err := base64.StdEncoding.DecodeString(c.EchKeySets)
+		if err != nil {
+			return nil, errors.New("invalid ECH Config", c.EchKeySets)
+		}
+		config.EchKeySets = EchPrivateKey
+	}
+
 	return config, nil
 }
 
@@ -700,8 +695,8 @@ func (p TransportProtocol) Build() (string, error) {
 		return "httpupgrade", nil
 	case "h2", "h3", "http":
 		return "", errors.PrintRemovedFeatureError("HTTP transport (without header padding, etc.)", "XHTTP stream-one H2 & H3")
-	case "quic", "datagram":
-		return "quic", nil
+	case "quic":
+		return "", errors.PrintRemovedFeatureError("QUIC transport (without web service, etc.)", "XHTTP stream-one H3")
 	default:
 		return "", errors.New("Config: unknown transport protocol: ", p)
 	}
@@ -856,7 +851,6 @@ type StreamConfig struct {
 	XHTTPSettings       *SplitHTTPConfig   `json:"xhttpSettings"`
 	SplitHTTPSettings   *SplitHTTPConfig   `json:"splithttpSettings"`
 	KCPSettings         *KCPConfig         `json:"kcpSettings"`
-	QUICSettings        *QUICConfig        `json:"quicSettings"`
 	GRPCSettings        *GRPCConfig        `json:"grpcSettings"`
 	WSSettings          *WebSocketConfig   `json:"wsSettings"`
 	HTTPUPGRADESettings *HttpUpgradeConfig `json:"httpupgradeSettings"`
@@ -948,16 +942,6 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 			Settings:     serial.ToTypedMessage(ts),
 		})
 	}
-	if c.QUICSettings != nil {
-		qs, err := c.QUICSettings.Build()
-		if err != nil {
-			return nil, errors.New("Failed to build QUIC config").Base(err)
-		}
-		config.TransportSettings = append(config.TransportSettings, &internet.TransportConfig{
-			ProtocolName: "quic",
-			Settings:     serial.ToTypedMessage(qs),
-		})
-	}
 	if c.GRPCSettings != nil {
 		gs, err := c.GRPCSettings.Build()
 		if err != nil {

main/commands/all/tls/ech.go

@@ -1,10 +1,8 @@
 package tls
 
 import (
-	"encoding/json"
 	"encoding/pem"
 	"os"
-	"strings"
 
 	"github.com/OmarTariq612/goech"
 	"github.com/cloudflare/circl/hpke"
@@ -13,13 +11,13 @@ import (
 )
 
 var cmdECH = &base.Command{
-	UsageLine: `{{.Exec}} tls ech [--serverName (string)] [--json]`,
+	UsageLine: `{{.Exec}} tls ech [--serverName (string)] [--pem]`,
 	Short:     `Generate TLS-ECH certificates`,
 	Long: `
 Generate TLS-ECH certificates.
 
 Set serverName to your custom string: {{.Exec}} tls ech --serverName (string)
-Generate into json format: {{.Exec}} tls ech --json
+Generate into pem format: {{.Exec}} tls ech --pem
 `, // Enable PQ signature schemes: {{.Exec}} tls ech --pq-signature-schemes-enabled
 }
 
@@ -29,7 +27,7 @@ func init() {
 
 var input_pqSignatureSchemesEnabled = cmdECH.Flag.Bool("pqSignatureSchemesEnabled", false, "")
 var input_serverName = cmdECH.Flag.String("serverName", "cloudflare-ech.com", "")
-var input_json = cmdECH.Flag.Bool("json", false, "True == turn on json output")
+var input_pem = cmdECH.Flag.Bool("pem", false, "True == turn on pem output")
 
 func executeECH(cmd *base.Command, args []string) {
 	var kem hpke.KEM
@@ -40,30 +38,26 @@ func executeECH(cmd *base.Command, args []string) {
 		kem = hpke.KEM_X25519_HKDF_SHA256
 	}
 
-	echKeySet, err := goech.GenerateECHKeySet(0, *input_serverName, kem)
+	echKeySet, err := goech.GenerateECHKeySet(0, *input_serverName, kem, nil)
 	common.Must(err)
 
-	configBuffer, _ := echKeySet.ECHConfig.MarshalBinary()
-	keyBuffer, _ := echKeySet.MarshalBinary()
+	// Make single key set to a list with only one element
+	ECHConfigList := make(goech.ECHConfigList, 1)
+	ECHConfigList[0] = echKeySet.ECHConfig
+	ECHKeySetList := make(goech.ECHKeySetList, 1)
+	ECHKeySetList[0] = echKeySet
+	configBuffer, _ := ECHConfigList.MarshalBinary()
+	keyBuffer, _ := ECHKeySetList.MarshalBinary()
+	configStr, _ := ECHConfigList.ToBase64()
+	keySetStr, _ := ECHKeySetList.ToBase64()
 
 	configPEM := string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBuffer}))
 	keyPEM := string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBuffer}))
-	if *input_json {
-		jECHConfigs := map[string]interface{}{
-			"configs": strings.Split(strings.TrimSpace(string(configPEM)), "\n"),
-		}
-		jECHKey := map[string]interface{}{
-			"key": strings.Split(strings.TrimSpace(string(keyPEM)), "\n"),
-		}
-
-		for _, i := range []map[string]interface{}{jECHConfigs, jECHKey} {
-			content, err := json.MarshalIndent(i, "", "  ")
-			common.Must(err)
-			os.Stdout.Write(content)
-			os.Stdout.WriteString("\n")
-		}
-	} else {
+	if *input_pem {
 		os.Stdout.WriteString(configPEM)
 		os.Stdout.WriteString(keyPEM)
+	} else {
+		os.Stdout.WriteString("ECH config list: \n" + configStr + "\n")
+		os.Stdout.WriteString("ECH Key sets: \n" + keySetStr + "\n")
 	}
 }

main/distro/all/all.go

@@ -53,7 +53,6 @@ import (
 	_ "github.com/xtls/xray-core/transport/internet/grpc"
 	_ "github.com/xtls/xray-core/transport/internet/httpupgrade"
 	_ "github.com/xtls/xray-core/transport/internet/kcp"
-	_ "github.com/xtls/xray-core/transport/internet/quic"
 	_ "github.com/xtls/xray-core/transport/internet/reality"
 	_ "github.com/xtls/xray-core/transport/internet/splithttp"
 	_ "github.com/xtls/xray-core/transport/internet/tcp"

transport/internet/dialer.go

@@ -106,6 +106,14 @@ func lookupIP(domain string, strategy DomainStrategy, localAddr net.Address) ([]
 	return ips, err
 }
 
+func LookupHTTPS(domain string) (map[string]string, error) {
+	if dnsClient == nil {
+		return nil, nil
+	}
+	HTTPSRecord, err := dnsClient.(dns.EnhancedClient).LookupHTTPS(domain)
+	return HTTPSRecord, err
+}
+
 func canLookupIP(ctx context.Context, dst net.Destination, sockopt *SocketConfig) bool {
 	if dst.Address.Family().IsIP() || dnsClient == nil {
 		return false

transport/internet/quic/config.pb.go

@@ -1,137 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// versions:
-// 	protoc-gen-go v1.35.1
-// 	protoc        v5.28.2
-// source: transport/internet/quic/config.proto
-
-package quic
-
-import (
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	reflect "reflect"
-	sync "sync"
-)
-
-const (
-	// Verify that this generated code is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
-	// Verify that runtime/protoimpl is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
-)
-
-type Config struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// string key = 1;
-	// xray.common.protocol.SecurityConfig security = 2;
-	// xray.common.serial.TypedMessage header = 3;
-	Fec bool `protobuf:"varint,4,opt,name=fec,proto3" json:"fec,omitempty"`
-}
-
-func (x *Config) Reset() {
-	*x = Config{}
-	mi := &file_transport_internet_quic_config_proto_msgTypes[0]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *Config) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*Config) ProtoMessage() {}
-
-func (x *Config) ProtoReflect() protoreflect.Message {
-	mi := &file_transport_internet_quic_config_proto_msgTypes[0]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use Config.ProtoReflect.Descriptor instead.
-func (*Config) Descriptor() ([]byte, []int) {
-	return file_transport_internet_quic_config_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *Config) GetFec() bool {
-	if x != nil {
-		return x.Fec
-	}
-	return false
-}
-
-var File_transport_internet_quic_config_proto protoreflect.FileDescriptor
-
-var file_transport_internet_quic_config_proto_rawDesc = []byte{
-	0x0a, 0x24, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65,
-	0x72, 0x6e, 0x65, 0x74, 0x2f, 0x71, 0x75, 0x69, 0x63, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1c, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61,
-	0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e,
-	0x71, 0x75, 0x69, 0x63, 0x22, 0x1a, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x10,
-	0x0a, 0x03, 0x66, 0x65, 0x63, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x66, 0x65, 0x63,
-	0x42, 0x76, 0x0a, 0x20, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61,
-	0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e,
-	0x71, 0x75, 0x69, 0x63, 0x50, 0x01, 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72,
-	0x65, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65,
-	0x72, 0x6e, 0x65, 0x74, 0x2f, 0x71, 0x75, 0x69, 0x63, 0xaa, 0x02, 0x1c, 0x58, 0x72, 0x61, 0x79,
-	0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72,
-	0x6e, 0x65, 0x74, 0x2e, 0x51, 0x75, 0x69, 0x63, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
-
-var (
-	file_transport_internet_quic_config_proto_rawDescOnce sync.Once
-	file_transport_internet_quic_config_proto_rawDescData = file_transport_internet_quic_config_proto_rawDesc
-)
-
-func file_transport_internet_quic_config_proto_rawDescGZIP() []byte {
-	file_transport_internet_quic_config_proto_rawDescOnce.Do(func() {
-		file_transport_internet_quic_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_transport_internet_quic_config_proto_rawDescData)
-	})
-	return file_transport_internet_quic_config_proto_rawDescData
-}
-
-var file_transport_internet_quic_config_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
-var file_transport_internet_quic_config_proto_goTypes = []any{
-	(*Config)(nil), // 0: xray.transport.internet.quic.Config
-}
-var file_transport_internet_quic_config_proto_depIdxs = []int32{
-	0, // [0:0] is the sub-list for method output_type
-	0, // [0:0] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
-}
-
-func init() { file_transport_internet_quic_config_proto_init() }
-func file_transport_internet_quic_config_proto_init() {
-	if File_transport_internet_quic_config_proto != nil {
-		return
-	}
-	type x struct{}
-	out := protoimpl.TypeBuilder{
-		File: protoimpl.DescBuilder{
-			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_transport_internet_quic_config_proto_rawDesc,
-			NumEnums:      0,
-			NumMessages:   1,
-			NumExtensions: 0,
-			NumServices:   0,
-		},
-		GoTypes:           file_transport_internet_quic_config_proto_goTypes,
-		DependencyIndexes: file_transport_internet_quic_config_proto_depIdxs,
-		MessageInfos:      file_transport_internet_quic_config_proto_msgTypes,
-	}.Build()
-	File_transport_internet_quic_config_proto = out.File
-	file_transport_internet_quic_config_proto_rawDesc = nil
-	file_transport_internet_quic_config_proto_goTypes = nil
-	file_transport_internet_quic_config_proto_depIdxs = nil
-}

transport/internet/quic/config.proto

@@ -1,14 +0,0 @@
-syntax = "proto3";
-
-package xray.transport.internet.quic;
-option csharp_namespace = "Xray.Transport.Internet.Quic";
-option go_package = "github.com/xtls/xray-core/transport/internet/quic";
-option java_package = "com.xray.transport.internet.quic";
-option java_multiple_files = true;
-
-message Config {
-//   string key = 1;
-//   xray.common.protocol.SecurityConfig security = 2;
-//   xray.common.serial.TypedMessage header = 3;
-     bool fec = 4;
-}

transport/internet/quic/conn.go

@@ -1,247 +0,0 @@
-package quic
-
-import (
-	"context"
-	"time"
-
-	"github.com/quic-go/quic-go"
-	"github.com/xtls/xray-core/common/buf"
-	"github.com/xtls/xray-core/common/errors"
-	"github.com/xtls/xray-core/common/mux"
-	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/serial"
-	"github.com/xtls/xray-core/common/signal/done"
-)
-
-var MaxIncomingStreams = 16
-var currentStream = 0
-
-type interConn struct {
-	ctx         context.Context
-	quicConn    quic.Connection // small udp packet can be sent with Datagram directly 
-	streams     []quic.Stream	// other packets can be sent via steam, it offer mux, reliability, fragmentation and ordering 
-	readChannel chan readResult
-	reader      buf.MultiBufferContainer
-	done        *done.Instance
-	local       net.Addr
-	remote      net.Addr
-}
-
-type readResult struct {
-	buffer []byte
-	err    error 
-}
-
-func NewConnInitReader(ctx context.Context, quicConn quic.Connection, done *done.Instance, remote net.Addr) *interConn {
-	c := &interConn{
-		ctx:         ctx,
-		quicConn:    quicConn,
-		readChannel: make(chan readResult),
-		reader:      buf.MultiBufferContainer{},
-		done:        done,
-		local:       quicConn.LocalAddr(),
-		remote:      remote,
-	}
-	go func() {
-		for {
-			received, e := c.quicConn.ReceiveDatagram(c.ctx)
-			errors.LogInfo(c.ctx, "Read ReceiveDatagram ", len(received))
-			c.readChannel <- readResult{buffer: received, err: e}
-		}
-	}()
-	go c.acceptStreams()
-	return c
-}
-
-func (c *interConn) acceptStreams() {
-	for {
-		stream, err := c.quicConn.AcceptStream(context.Background())
-		errors.LogInfo(c.ctx, "Read AcceptStream ", err)
-		if err != nil {
-			errors.LogInfoInner(context.Background(), err, "failed to accept stream")
-			select {
-			case <-c.quicConn.Context().Done():
-				return
-			case <-c.done.Wait():
-				if err := c.quicConn.CloseWithError(0, ""); err != nil {
-					errors.LogInfoInner(context.Background(), err, "failed to close connection")
-				}
-				return
-			default:
-				time.Sleep(time.Second)
-				continue
-			}
-		}
-		go c.readMuxCoolPacket(stream)
-		c.streams = append(c.streams, stream)
-	}
-}
-
-func (c *interConn) readMuxCoolPacket(stream quic.Stream) {
-	for {
-		received := make([]byte, buf.Size)
-		i, e := stream.Read(received)
-		if e != nil {
-			errors.LogErrorInner(c.ctx, e, "Error read stream, drop this buffer ", i)
-			c.readChannel <- readResult{buffer: nil, err: e}
-			continue;
-		}
-		errors.LogInfo(c.ctx, "Read stream ", i)
-
-		buffer := buf.New()
-		buffer.Write(received[:i])
-		muxCoolReader := &buf.MultiBufferContainer{}
-		muxCoolReader.MultiBuffer = append(muxCoolReader.MultiBuffer, buffer)
-		var meta mux.FrameMetadata
-		err := meta.Unmarshal(muxCoolReader)
-		if err != nil {
-			errors.LogInfo(c.ctx, "Not a Mux Cool packet beginning, copy directly ", i)
-			buf.ReleaseMulti(muxCoolReader.MultiBuffer)
-			c.readChannel <- readResult{buffer: received[:i], err: e}
-			continue;
-		}
-		if !meta.Option.Has(mux.OptionData) {
-			errors.LogInfo(c.ctx, "No option data, copy directly ", i)
-			buf.ReleaseMulti(muxCoolReader.MultiBuffer)
-			c.readChannel <- readResult{buffer: received[:i], err: e}
-			continue;
-		}
-		size, err := serial.ReadUint16(muxCoolReader)
-		remaining := uint16(muxCoolReader.MultiBuffer.Len())
-		errors.LogInfo(c.ctx, "Read stream ", i, " option size ", size, " remaining size ", remaining)
-		if err != nil || size <= remaining || size > remaining + 1500 {
-			errors.LogInfo(c.ctx, "do not wait for second part of UDP packet ", i)
-			buf.ReleaseMulti(muxCoolReader.MultiBuffer)
-			c.readChannel <- readResult{buffer: received[:i], err: e}
-			continue;
-		}
-
-		i2, e := stream.Read(received[i:])
-		if e != nil {
-			errors.LogErrorInner(c.ctx, e, "Error read stream, drop this buffer ", i2)
-			buf.ReleaseMulti(muxCoolReader.MultiBuffer)
-			c.readChannel <- readResult{buffer: nil, err: e}
-			continue;
-		}
-		errors.LogInfo(c.ctx, "Read stream i2 size ", i2)
-		buf.ReleaseMulti(muxCoolReader.MultiBuffer)
-		c.readChannel <- readResult{buffer: received[:(i + i2)], err: e}
-	}
-}
-
-func (c *interConn) Read(b []byte) (int, error) {	
-	if c.reader.MultiBuffer.Len() > 0 {
-		return c.reader.Read(b)
-	}
-	received := <- c.readChannel
-	if received.err != nil {
-		return 0, received.err
-	}
-	buffer := buf.New()
-	buffer.Write(received.buffer)
-	c.reader.MultiBuffer = append(c.reader.MultiBuffer, buffer)
-	errors.LogInfo(c.ctx, "Read copy ", len(received.buffer))
-	return c.reader.Read(b)
-}
-
-func (c *interConn) WriteMultiBuffer(mb buf.MultiBuffer) error {
-	mb = buf.Compact(mb)
-	mb, err := buf.WriteMultiBuffer(c, mb)
-	buf.ReleaseMulti(mb)
-	return err
-}
-
-func (c *interConn) Write(b []byte) (int, error) {
-	if len(b) > 1240 { // TODO: why quic-go increase internal MTU causing packet loss?
-		if len(c.streams) < MaxIncomingStreams {
-			stream, err := c.quicConn.OpenStream()
-			errors.LogInfo(c.ctx, "Write OpenStream ", err)
-			if err == nil {
-				c.streams = append(c.streams, stream)
-			} else {
-				errors.LogInfoInner(c.ctx, err, "failed to openStream: ")
-			}
-		}
-		currentStream++;
-		if currentStream > len(c.streams) - 1 {
-			currentStream = 0;
-		}
-		errors.LogInfo(c.ctx, "Write stream ", len(b), currentStream, len(c.streams))
-		return c.streams[currentStream].Write(b)
-	}
-	var err = c.quicConn.SendDatagram(b)
-	errors.LogInfo(c.ctx, "Write SendDatagram ", len(b), err)
-	if _, ok := err.(*quic.DatagramTooLargeError); ok {
-		if len(c.streams) < MaxIncomingStreams {
-			stream, err := c.quicConn.OpenStream()
-			errors.LogInfo(c.ctx, "Write OpenStream ", err)
-			if err == nil {
-				c.streams = append(c.streams, stream)
-			} else {
-				errors.LogInfoInner(c.ctx, err, "failed to openStream: ")
-			}
-		}
-		currentStream++;
-		if currentStream > len(c.streams) - 1 {
-			currentStream = 0;
-		}
-		errors.LogInfo(c.ctx, "Write stream ", len(b), currentStream, len(c.streams))
-		return c.streams[currentStream].Write(b)
-	}
-	if err != nil {
-		return 0, err
-	}
-	return len(b), nil
-}
-
-func (c *interConn) Close() error {
-	var err error
-	for _, s := range c.streams {
-		e := s.Close()
-		if e != nil {
-			err = e
-		}
-	}
-	return err
-}
-
-func (c *interConn) LocalAddr() net.Addr {
-	return c.local
-}
-
-func (c *interConn) RemoteAddr() net.Addr {
-	return c.remote
-}
-
-func (c *interConn) SetDeadline(t time.Time) error {
-	var err error
-	for _, s := range c.streams {
-		e := s.SetDeadline(t)
-		if e != nil {
-			err = e
-		}
-	}
-	return err
-}
-
-func (c *interConn) SetReadDeadline(t time.Time) error {
-	var err error
-	for _, s := range c.streams {
-		e := s.SetReadDeadline(t)
-		if e != nil {
-			err = e
-		}
-	}
-	return err
-}
-
-func (c *interConn) SetWriteDeadline(t time.Time) error {
-	var err error
-	for _, s := range c.streams {
-		e := s.SetWriteDeadline(t)
-		if e != nil {
-			err = e
-		}
-	}
-	return err
-}

transport/internet/quic/dialer.go

@@ -1,95 +0,0 @@
-package quic
-
-import (
-	"context"
-	"time"
-
-	"github.com/quic-go/quic-go"
-	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/errors"
-	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/signal/done"
-	"github.com/xtls/xray-core/transport/internet"
-	"github.com/xtls/xray-core/transport/internet/stat"
-	"github.com/xtls/xray-core/transport/internet/tls"
-)
-
-func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.MemoryStreamConfig) (stat.Connection, error) {
-	tlsConfig := tls.ConfigFromStreamSettings(streamSettings)
-	if tlsConfig == nil {
-		tlsConfig = &tls.Config{
-			ServerName:    internalDomain,
-			AllowInsecure: true,
-		}
-	}
-
-	var destAddr *net.UDPAddr
-	if dest.Address.Family().IsIP() {
-		destAddr = &net.UDPAddr{
-			IP:   dest.Address.IP(),
-			Port: int(dest.Port),
-		}
-	} else {
-		dialerIp := internet.DestIpAddress()
-		if dialerIp != nil {
-			destAddr = &net.UDPAddr{
-				IP:   dialerIp,
-				Port: int(dest.Port),
-			}
-			errors.LogInfo(ctx, "quic Dial use dialer dest addr: ", destAddr)
-		} else {
-			addr, err := net.ResolveUDPAddr("udp", dest.NetAddr())
-			if err != nil {
-				return nil, err
-			}
-			destAddr = addr
-		}
-	}
-
-	config := streamSettings.ProtocolSettings.(*Config)
-
-	return openConnection(ctx, destAddr, config, tlsConfig, streamSettings.SocketSettings)
-}
-
-func openConnection(ctx context.Context, destAddr net.Addr, config *Config, tlsConfig *tls.Config, sockopt *internet.SocketConfig) (stat.Connection, error) {
-	dest := net.DestinationFromAddr(destAddr)
-	errors.LogInfo(ctx, "dialing quic to ", dest)
-	rawConn, err := internet.DialSystem(ctx, dest, sockopt)
-	if err != nil {
-		return nil, errors.New("failed to dial to dest: ", err).AtWarning().Base(err)
-	}
-
-	quicConfig := &quic.Config{
-		KeepAlivePeriod:      0,
-		HandshakeIdleTimeout: time.Second * 8,
-		MaxIdleTimeout:       time.Second * 300,
-		EnableDatagrams:      true,
-	}
-
-	var udpConn *net.UDPConn
-	switch conn := rawConn.(type) {
-	case *net.UDPConn:
-		udpConn = conn
-	case *internet.PacketConnWrapper:
-		udpConn = conn.Conn.(*net.UDPConn)
-	default:
-		rawConn.Close()
-		return nil, errors.New("QUIC with sockopt is unsupported").AtWarning()
-	}
-
-	tr := quic.Transport{
-		ConnectionIDLength: 12,
-		Conn:               udpConn,
-	}
-	conn, err := tr.Dial(context.Background(), destAddr, tlsConfig.GetTLSConfig(tls.WithDestination(dest)), quicConfig)
-	if err != nil {
-		udpConn.Close()
-		return nil, err
-	}
-
-	return NewConnInitReader(ctx, conn, done.New(), destAddr), nil
-}
-
-func init() {
-	common.Must(internet.RegisterTransportDialer(protocolName, Dial))
-}

transport/internet/quic/hub.go

@@ -1,108 +0,0 @@
-package quic
-
-import (
-	"context"
-	"time"
-
-	"github.com/quic-go/quic-go"
-	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/errors"
-	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/protocol/tls/cert"
-	"github.com/xtls/xray-core/common/signal/done"
-	"github.com/xtls/xray-core/transport/internet"
-	"github.com/xtls/xray-core/transport/internet/tls"
-)
-
-// Listener is an internet.Listener that listens for TCP connections.
-type Listener struct {
-	rawConn  *net.UDPConn
-	listener *quic.Listener
-	done     *done.Instance
-	addConn  internet.ConnHandler
-}
-
-func (l *Listener) keepAccepting(ctx context.Context) {
-	for {
-		conn, err := l.listener.Accept(context.Background())
-		if err != nil {
-			errors.LogInfoInner(context.Background(), err, "failed to accept QUIC connection")
-			if l.done.Done() {
-				break
-			}
-			time.Sleep(time.Second)
-			continue
-		}
-		l.addConn(NewConnInitReader(ctx, conn, l.done, conn.RemoteAddr()))
-	}
-}
-
-// Addr implements internet.Listener.Addr.
-func (l *Listener) Addr() net.Addr {
-	return l.listener.Addr()
-}
-
-// Close implements internet.Listener.Close.
-func (l *Listener) Close() error {
-	l.done.Close()
-	l.listener.Close()
-	l.rawConn.Close()
-	return nil
-}
-
-// Listen creates a new Listener based on configurations.
-func Listen(ctx context.Context, address net.Address, port net.Port, streamSettings *internet.MemoryStreamConfig, handler internet.ConnHandler) (internet.Listener, error) {
-	if address.Family().IsDomain() {
-		return nil, errors.New("domain address is not allows for listening quic")
-	}
-
-	tlsConfig := tls.ConfigFromStreamSettings(streamSettings)
-	if tlsConfig == nil {
-		tlsConfig = &tls.Config{
-			Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil, cert.DNSNames(internalDomain), cert.CommonName(internalDomain)))},
-		}
-	}
-
-	//config := streamSettings.ProtocolSettings.(*Config)
-	rawConn, err := internet.ListenSystemPacket(context.Background(), &net.UDPAddr{
-		IP:   address.IP(),
-		Port: int(port),
-	}, streamSettings.SocketSettings)
-	if err != nil {
-		return nil, err
-	}
-
-	quicConfig := &quic.Config{
-		KeepAlivePeriod:       0,
-		HandshakeIdleTimeout:  time.Second * 8,
-		MaxIdleTimeout:        time.Second * 300,
-		MaxIncomingStreams:    16,
-		MaxIncomingUniStreams: -1,
-		EnableDatagrams:       true,
-	}
-
-	tr := quic.Transport{
-		ConnectionIDLength: 12,
-		Conn:               rawConn.(*net.UDPConn),
-	}
-	qListener, err := tr.Listen(tlsConfig.GetTLSConfig(), quicConfig)
-	if err != nil {
-		rawConn.Close()
-		return nil, err
-	}
-
-	listener := &Listener{
-		done:     done.New(),
-		rawConn:  rawConn.(*net.UDPConn),
-		listener: qListener,
-		addConn:  handler,
-	}
-
-	go listener.keepAccepting(ctx)
-
-	return listener, nil
-}
-
-func init() {
-	common.Must(internet.RegisterTransportListener(protocolName, Listen))
-}

transport/internet/quic/quic.go

@@ -1,17 +0,0 @@
-package quic
-
-import (
-	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/transport/internet"
-)
-
-const (
-	protocolName   = "quic"
-	internalDomain = "quic.internal.example.com"
-)
-
-func init() {
-	common.Must(internet.RegisterProtocolConfigCreator(protocolName, func() interface{} {
-		return new(Config)
-	}))
-}

transport/internet/quic/quic_test.go

@@ -1,105 +0,0 @@
-package quic_test
-
-import (
-	"context"
-	"crypto/rand"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/buf"
-	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/protocol/tls/cert"
-	"github.com/xtls/xray-core/testing/servers/udp"
-	"github.com/xtls/xray-core/transport/internet"
-	"github.com/xtls/xray-core/transport/internet/quic"
-	"github.com/xtls/xray-core/transport/internet/stat"
-	"github.com/xtls/xray-core/transport/internet/tls"
-)
-
-func TestShortQuicConnection(t *testing.T) {
-	testQuicConnection(t, 1024)
-}
-
-func TestAroundMTUQuicConnection(t *testing.T) {
-	testQuicConnection(t, 1247)
-}
-
-func TestLongQuicConnection(t *testing.T) {
-	testQuicConnection(t, 1500)
-}
-
-func testQuicConnection(t *testing.T, dataLen int32) {
-	port := udp.PickPort()
-
-	listener, err := quic.Listen(context.Background(), net.LocalHostIP, port, &internet.MemoryStreamConfig{
-		ProtocolName:     "quic",
-		ProtocolSettings: &quic.Config{},
-		SecurityType:     "tls",
-		SecuritySettings: &tls.Config{
-			Certificate: []*tls.Certificate{
-				tls.ParseCertificate(
-					cert.MustGenerate(nil,
-						cert.DNSNames("www.example.com"),
-					),
-				),
-			},
-		},
-	}, func(conn stat.Connection) {
-		go func() {
-			defer conn.Close()
-
-			b := buf.New()
-			defer b.Release()
-
-			for {
-				b.Clear()
-				if _, err := b.ReadFrom(conn); err != nil {
-					return
-				}
-				common.Must2(conn.Write(b.Bytes()))
-			}
-		}()
-	})
-	common.Must(err)
-
-	defer listener.Close()
-
-	time.Sleep(time.Second)
-
-	dctx := context.Background()
-	conn, err := quic.Dial(dctx, net.TCPDestination(net.LocalHostIP, port), &internet.MemoryStreamConfig{
-		ProtocolName:     "quic",
-		ProtocolSettings: &quic.Config{},
-		SecurityType:     "tls",
-		SecuritySettings: &tls.Config{
-			ServerName:    "www.example.com",
-			AllowInsecure: true,
-		},
-	})
-	common.Must(err)
-	defer conn.Close()
-
-	b1 := make([]byte, dataLen)
-	common.Must2(rand.Read(b1))
-	b2 := buf.New()
-
-	common.Must2(conn.Write(b1))
-
-	b2.Clear()
-	common.Must2(b2.ReadFullFrom(conn, dataLen))
-	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
-		t.Error(r)
-	}
-
-	time.Sleep(1000 * time.Millisecond)
-
-	common.Must2(conn.Write(b1))
-
-	b2.Clear()
-	common.Must2(b2.ReadFullFrom(conn, dataLen))
-	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
-		t.Error(r)
-	}
-}

transport/internet/tls/config.go

@@ -444,6 +444,12 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 			config.KeyLogWriter = writer
 		}
 	}
+	if len(c.EchConfigList) > 0 || len(c.EchKeySets) > 0 {
+		err := ApplyECH(c, config)
+		if err != nil {
+			errors.LogError(context.Background(), err)
+		}
+	}
 
 	return config
 }

transport/internet/tls/config.pb.go

@@ -217,6 +217,8 @@ type Config struct {
 	// @Document After allow_insecure (automatically), if the server's cert can't be verified by any of these names, pinned_peer_certificate_chain_sha256 will be tried.
 	// @Critical
 	VerifyPeerCertInNames []string `protobuf:"bytes,17,rep,name=verify_peer_cert_in_names,json=verifyPeerCertInNames,proto3" json:"verify_peer_cert_in_names,omitempty"`
+	EchConfigList         string   `protobuf:"bytes,18,opt,name=ech_config_list,json=echConfigList,proto3" json:"ech_config_list,omitempty"`
+	EchKeySets            []byte   `protobuf:"bytes,19,opt,name=ech_key_sets,json=echKeySets,proto3" json:"ech_key_sets,omitempty"`
 }
 
 func (x *Config) Reset() {
@@ -361,6 +363,20 @@ func (x *Config) GetVerifyPeerCertInNames() []string {
 	return nil
 }
 
+func (x *Config) GetEchConfigList() string {
+	if x != nil {
+		return x.EchConfigList
+	}
+	return ""
+}
+
+func (x *Config) GetEchKeySets() []byte {
+	if x != nil {
+		return x.EchKeySets
+	}
+	return nil
+}
+
 var File_transport_internet_tls_config_proto protoreflect.FileDescriptor
 
 var file_transport_internet_tls_config_proto_rawDesc = []byte{
@@ -392,7 +408,7 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{
 	0x4e, 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x4d, 0x45, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x14, 0x0a,
 	0x10, 0x41, 0x55, 0x54, 0x48, 0x4f, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46,
 	0x59, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x41, 0x55, 0x54, 0x48, 0x4f, 0x52, 0x49, 0x54, 0x59,
-	0x5f, 0x49, 0x53, 0x53, 0x55, 0x45, 0x10, 0x02, 0x22, 0x9a, 0x06, 0x0a, 0x06, 0x43, 0x6f, 0x6e,
+	0x5f, 0x49, 0x53, 0x53, 0x55, 0x45, 0x10, 0x02, 0x22, 0xe4, 0x06, 0x0a, 0x06, 0x43, 0x6f, 0x6e,
 	0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x69, 0x6e, 0x73,
 	0x65, 0x63, 0x75, 0x72, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x61, 0x6c, 0x6c,
 	0x6f, 0x77, 0x49, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x12, 0x4a, 0x0a, 0x0b, 0x63, 0x65,
@@ -442,15 +458,19 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{
 	0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f,
 	0x69, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15,
 	0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x49, 0x6e,
-	0x4e, 0x61, 0x6d, 0x65, 0x73, 0x42, 0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61,
-	0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65,
-	0x72, 0x6e, 0x65, 0x74, 0x2e, 0x74, 0x6c, 0x73, 0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79,
-	0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f,
-	0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2f, 0x74, 0x6c, 0x73, 0xaa, 0x02, 0x1b, 0x58,
-	0x72, 0x61, 0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e,
-	0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x54, 0x6c, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
+	0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x26, 0x0a, 0x0f, 0x65, 0x63, 0x68, 0x5f, 0x63, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x5f, 0x6c, 0x69, 0x73, 0x74, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d,
+	0x65, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x20, 0x0a,
+	0x0c, 0x65, 0x63, 0x68, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x73, 0x65, 0x74, 0x73, 0x18, 0x13, 0x20,
+	0x01, 0x28, 0x0c, 0x52, 0x0a, 0x65, 0x63, 0x68, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x73, 0x42,
+	0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e,
+	0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x74,
+	0x6c, 0x73, 0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+	0x65, 0x74, 0x2f, 0x74, 0x6c, 0x73, 0xaa, 0x02, 0x1b, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x54, 0x72,
+	0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
+	0x2e, 0x54, 0x6c, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

transport/internet/tls/config.proto

@@ -91,4 +91,8 @@ message Config {
      @Critical
   */
   repeated string verify_peer_cert_in_names = 17;
+
+  string ech_config_list = 18;
+
+  bytes ech_key_sets = 19;
 }

transport/internet/tls/ech.go

@@ -0,0 +1,255 @@
+package tls
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/OmarTariq612/goech"
+	"github.com/miekg/dns"
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/transport/internet"
+)
+
+func ApplyECH(c *Config, config *tls.Config) error {
+	var ECHConfig []byte
+	var err error
+
+	nameToQuery := c.ServerName
+	var DNSServer string
+
+	// for client
+	if len(c.EchConfigList) != 0 {
+		// direct base64 config
+		if strings.HasPrefix(c.EchConfigList, "base64") {
+			Base64ECHConfigList := c.EchConfigList[len("base64://"):]
+			ECHConfigList, err := goech.ECHConfigListFromBase64(Base64ECHConfigList)
+			if err != nil {
+				return errors.New("Failed to unmarshal ECHConfigList: ", err)
+			}
+			ECHConfig, _ = ECHConfigList.MarshalBinary()
+		} else { // query config from dns
+			parts := strings.Split(c.EchConfigList, "+")
+			if len(parts) == 2 {
+				// parse ECH DNS server in format of "example.com+https://1.1.1.1/dns-query"
+				nameToQuery = parts[0]
+				DNSServer = parts[1]
+			} else if len(parts) == 1 {
+				// normal format
+				DNSServer = parts[0]
+			} else {
+				return errors.New("Invalid ECH DNS server format: ", c.EchConfigList)
+			}
+			if nameToQuery == "" {
+				return errors.New("Using DNS for ECH Config needs serverName or use Server format example.com+https://1.1.1.1/dns-query")
+			}
+			ECHConfig, err = QueryRecord(nameToQuery, DNSServer)
+			if err != nil {
+				return err
+			}
+		}
+
+		config.EncryptedClientHelloConfigList = ECHConfig
+	}
+
+	// for server
+	if len(c.EchKeySets) != 0 {
+		var keys []tls.EncryptedClientHelloKey
+		KeySets, err := goech.UnmarshalECHKeySetList(c.EchKeySets)
+		if err != nil {
+			return errors.New("Failed to unmarshal ECHKeySetList: ", err)
+		}
+		for idx, keySet := range KeySets {
+			ECHConfig, err := keySet.ECHConfig.MarshalBinary()
+			ECHPrivateKey, err := keySet.PrivateKey.MarshalBinary()
+			if err != nil {
+				return errors.New("Failed to marshal ECHKey in index: ", idx, "with err: ", err)
+			}
+			keys = append(keys, tls.EncryptedClientHelloKey{
+				Config:     ECHConfig,
+				PrivateKey: ECHPrivateKey})
+		}
+		config.EncryptedClientHelloKeys = keys
+	}
+	
+	return nil
+}
+
+type record struct {
+	echConfig []byte
+	expire    time.Time
+}
+
+var (
+	dnsCache sync.Map
+	// global Lock? I'm not sure if this needs finer grained locks.
+	// If we do this, we will need to nest another layer of struct
+	updating sync.Mutex
+)
+
+// QueryRecord returns the ECH config for given domain.
+// If the record is not in cache or expired, it will query the DNS server and update the cache.
+func QueryRecord(domain string, server string) ([]byte, error) {
+	val, found := dnsCache.Load(domain)
+	rec, _ := val.(record)
+	if found && rec.expire.After(time.Now()) {
+		errors.LogDebug(context.Background(), "Cache hit for domain: ", domain)
+		return rec.echConfig, nil
+	}
+
+	updating.Lock()
+	defer updating.Unlock()
+	// Try to get cache again after lock, in case another goroutine has updated it
+	// This might happen when the core tring is just stared and multiple goroutines are trying to query the same domain
+	val, found = dnsCache.Load(domain)
+	rec, _ = val.(record)
+	if found && rec.expire.After(time.Now()) {
+		errors.LogDebug(context.Background(), "ECH Config cache hit for domain: ", domain, " after trying to get update lock")
+		return rec.echConfig, nil
+	}
+
+	// Query ECH config from DNS server
+	errors.LogDebug(context.Background(), "Trying to query ECH config for domain: ", domain, " with ECH server: ", server)
+	echConfig, ttl, err := dnsQuery(server, domain)
+	if err != nil {
+		return []byte{}, err
+	}
+
+	// Set minimum TTL to 600 seconds
+	if ttl < 600 {
+		ttl = 600
+	}
+
+	// Update cache
+	newRecored := record{
+		echConfig: echConfig,
+		expire:    time.Now().Add(time.Second * time.Duration(ttl)),
+	}
+	dnsCache.Store(domain, newRecored)
+	return echConfig, nil
+}
+
+// dnsQuery is the real func for sending type65 query for given domain to given DNS server.
+// return ECH config, TTL and error
+func dnsQuery(server string, domain string) ([]byte, uint32, error) {
+	if server == "xray" {
+		HTTPSRecord, err := internet.LookupHTTPS(domain)
+		if err !=nil {
+			return []byte{}, 0, errors.New("failed to lookup HTTPS record with xray internal DNS: ", err)
+		}
+		ECH := HTTPSRecord["ech"]
+		if ECH == "" {
+			return []byte{}, 0, errors.New("no ech record found")
+		}
+		Base64echConfigList, err := goech.ECHConfigListFromBase64(ECH)
+		if err != nil {
+			return []byte{}, 0, errors.New("failed to unmarshal ECHConfigList: ", err)
+		}
+		echConfigList, _ := Base64echConfigList.MarshalBinary()
+		return echConfigList, 600, nil
+	}
+	m := new(dns.Msg)
+	var dnsResolve []byte
+	m.SetQuestion(dns.Fqdn(domain), dns.TypeHTTPS)
+	// for DOH server
+	if strings.HasPrefix(server, "https://") {
+		// always 0 in DOH
+		m.Id = 0
+		msg, err := m.Pack()
+		if err != nil {
+			return []byte{}, 0, err
+		}
+		// All traffic sent by core should via xray's internet.DialSystem
+		// This involves the behavior of some Android VPN GUI clients
+		tr := &http.Transport{
+			IdleConnTimeout:   90 * time.Second,
+			ForceAttemptHTTP2: true,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				dest, err := net.ParseDestination(network + ":" + addr)
+				if err != nil {
+					return nil, err
+				}
+				conn, err := internet.DialSystem(ctx, dest, nil)
+				if err != nil {
+					return nil, err
+				}
+				return conn, nil
+			},
+		}
+		client := &http.Client{
+			Timeout:   5 * time.Second,
+			Transport: tr,
+		}
+		req, err := http.NewRequest("POST", server, bytes.NewReader(msg))
+		if err != nil {
+			return []byte{}, 0, err
+		}
+		req.Header.Set("Content-Type", "application/dns-message")
+		resp, err := client.Do(req)
+		if err != nil {
+			return []byte{}, 0, err
+		}
+		defer resp.Body.Close()
+		respBody, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return []byte{}, 0, err
+		}
+		if resp.StatusCode != http.StatusOK {
+			return []byte{}, 0, errors.New("query failed with response code:", resp.StatusCode)
+		}
+		dnsResolve = respBody
+	} else if strings.HasPrefix(server, "udp://") { // for classic udp dns server
+		udpServerAddr := server[len("udp://"):]
+		// default port 53 if not specified
+		if !strings.Contains(udpServerAddr, ":") {
+			udpServerAddr = udpServerAddr + ":53"
+		}
+		dest, err := net.ParseDestination("udp" + ":" + udpServerAddr)
+		if err != nil {
+			return nil, 0, errors.New("failed to parse udp dns server ", udpServerAddr, " for ECH: ", err)
+		}
+		dnsTimeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		// use xray's internet.DialSystem as mentioned above
+		conn, err := internet.DialSystem(dnsTimeoutCtx, dest, nil)
+		defer conn.Close()
+		if err != nil {
+			return []byte{}, 0, err
+		}
+		msg, err := m.Pack()
+		if err != nil {
+			return []byte{}, 0, err
+		}
+		conn.Write(msg)
+		udpResponse := make([]byte, 512)
+		_, err = conn.Read(udpResponse)
+		if err != nil {
+			return []byte{}, 0, err
+		}
+		dnsResolve = udpResponse
+	}
+	respMsg := new(dns.Msg)
+	err := respMsg.Unpack(dnsResolve)
+	if err != nil {
+		return []byte{}, 0, errors.New("failed to unpack dns response for ECH: ", err)
+	}
+	if len(respMsg.Answer) > 0 {
+		for _, answer := range respMsg.Answer {
+			if https, ok := answer.(*dns.HTTPS); ok && https.Hdr.Name == dns.Fqdn(domain) {
+				for _, v := range https.Value {
+					if echConfig, ok := v.(*dns.SVCBECHConfig); ok {
+						errors.LogDebug(context.Background(), "Get ECH config:", echConfig.String(), " TTL:", respMsg.Answer[0].Header().Ttl)
+						return echConfig.ECH, answer.Header().Ttl, nil
+					}
+				}
+			}
+		}
+	}
+	return []byte{}, 0, errors.New("no ech record found")
+}