Restore ECHConfig from keysets

Co-authored-by: yuhan6665 <1588741+yuhan6665@users.noreply.github.com>

.github/workflows/docker.yml

@@ -38,9 +38,6 @@ jobs:
           if [[ -z "$SOURCE_TAG" ]]; then
             SOURCE_TAG="${{ github.ref_name }}"
           fi
-          if [[ -z "$SOURCE_TAG" ]]; then
-            SOURCE_TAG="${{ github.event.release.tag_name }}"
-          fi
 
           if [[ -z "$SOURCE_TAG" ]]; then
             echo "Error: Could not determine a valid tag source. Input tag and context tag (github.ref_name) are both empty."

core/core.go

@@ -19,7 +19,7 @@ import (
 var (
 	Version_x byte = 25
 	Version_y byte = 7
-	Version_z byte = 26
+	Version_z byte = 24
 )
 
 var (

infra/conf/transport_internet.go

@@ -413,7 +413,7 @@ type TLSConfig struct {
 	ServerNameToVerify                   string           `json:"serverNameToVerify"`
 	VerifyPeerCertInNames                []string         `json:"verifyPeerCertInNames"`
 	ECHConfigList                        string           `json:"echConfigList"`
-	ECHServerKeys                        string           `json:"echServerKeys"`
+	ECHSeverKeys                         string           `json:"echSeverKeys"`
 }
 
 // Build implements Buildable.
@@ -487,12 +487,12 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 
 	config.EchConfigList = c.ECHConfigList
 
-	if c.ECHServerKeys != "" {
+	if c.ECHSeverKeys != "" {
-		EchPrivateKey, err := base64.StdEncoding.DecodeString(c.ECHServerKeys)
+		EchPrivateKey, err := base64.StdEncoding.DecodeString(c.ECHSeverKeys)
 		if err != nil {
-			return nil, errors.New("invalid ECH Config", c.ECHServerKeys)
+			return nil, errors.New("invalid ECH Config", c.ECHSeverKeys)
 		}
-		config.EchServerKeys = EchPrivateKey
+		config.EchSeverKeys = EchPrivateKey
 	}
 
 	return config, nil
@@ -625,9 +625,6 @@ func (c *REALITYConfig) Build() (proto.Message, error) {
 		config.MaxTimeDiff = c.MaxTimeDiff
 
 		if c.Mldsa65Seed != "" {
-			if c.Mldsa65Seed == c.PrivateKey {
-				return nil, errors.New(`"mldsa65Seed" and "privateKey" can not be the same value: `, c.Mldsa65Seed)
-			}
 			if config.Mldsa65Seed, err = base64.RawURLEncoding.DecodeString(c.Mldsa65Seed); err != nil || len(config.Mldsa65Seed) != 32 {
 				return nil, errors.New(`invalid "mldsa65Seed": `, c.Mldsa65Seed)
 			}

main/commands/all/api/api.go

@@ -23,8 +23,6 @@ var CmdAPI = &base.Command{
 		cmdRemoveOutbounds,
 		cmdListInbounds,
 		cmdListOutbounds,
-		cmdAddInboundUsers,
-		cmdRemoveInboundUsers,
 		cmdInboundUser,
 		cmdInboundUserCount,
 		cmdAddRules,

main/commands/all/api/inbound_user_add.go

@@ -1,144 +0,0 @@
-package api
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/xtls/xray-core/common/protocol"
-
-	handlerService "github.com/xtls/xray-core/app/proxyman/command"
-	cserial "github.com/xtls/xray-core/common/serial"
-
-	"github.com/xtls/xray-core/core"
-	"github.com/xtls/xray-core/infra/conf"
-	"github.com/xtls/xray-core/infra/conf/serial"
-	"github.com/xtls/xray-core/proxy/shadowsocks"
-	"github.com/xtls/xray-core/proxy/shadowsocks_2022"
-	"github.com/xtls/xray-core/proxy/trojan"
-	vlessin "github.com/xtls/xray-core/proxy/vless/inbound"
-	vmessin "github.com/xtls/xray-core/proxy/vmess/inbound"
-
-	"github.com/xtls/xray-core/main/commands/base"
-)
-
-var cmdAddInboundUsers = &base.Command{
-	CustomFlags: true,
-	UsageLine:   "{{.Exec}} api adu [--server=127.0.0.1:8080] <c1.json> [c2.json]...",
-	Short:       "Add users to inbounds",
-	Long: `
-Add users to inbounds.
-Arguments:
-	-s, -server
-		The API server address. Default 127.0.0.1:8080
-	-t, -timeout
-		Timeout seconds to call API. Default 3
-Example:
-    {{.Exec}} {{.LongName}} --server=127.0.0.1:8080  c1.json c2.json
-`,
-	Run: executeAddInboundUsers,
-}
-
-func executeAddInboundUsers(cmd *base.Command, args []string) {
-	setSharedFlags(cmd)
-	cmd.Flag.Parse(args)
-	unnamedArgs := cmd.Flag.Args()
-	inbs := extractInboundsConfig(unnamedArgs)
-
-	conn, ctx, close := dialAPIServer()
-	defer close()
-	client := handlerService.NewHandlerServiceClient(conn)
-
-	success := 0
-	for _, inb := range inbs {
-		success += executeInboundUserAction(ctx, client, inb, addInboundUserAction)
-	}
-	fmt.Println("Added", success, "user(s) in total.")
-}
-
-func addInboundUserAction(ctx context.Context, client handlerService.HandlerServiceClient, tag string, user *protocol.User) error {
-	fmt.Println("add user:", user.Email)
-	_, err := client.AlterInbound(ctx, &handlerService.AlterInboundRequest{
-		Tag: tag,
-		Operation: cserial.ToTypedMessage(
-			&handlerService.AddUserOperation{
-				User: user,
-			}),
-	})
-	return err
-}
-
-func extractInboundUsers(inb *core.InboundHandlerConfig) []*protocol.User {
-	if inb == nil {
-		return nil
-	}
-	inst, err := inb.ProxySettings.GetInstance()
-	if err != nil || inst == nil {
-		fmt.Println("failed to get inbound instance:", err)
-		return nil
-	}
-	switch ty := inst.(type) {
-	case *vmessin.Config:
-		return ty.User
-	case *vlessin.Config:
-		return ty.Clients
-	case *trojan.ServerConfig:
-		return ty.Users
-	case *shadowsocks.ServerConfig:
-		return ty.Users
-	case *shadowsocks_2022.MultiUserServerConfig:
-		return ty.Users
-	default:
-		fmt.Println("unsupported inbound type")
-	}
-	return nil
-}
-
-func extractInboundsConfig(unnamedArgs []string) []conf.InboundDetourConfig {
-	ins := make([]conf.InboundDetourConfig, 0)
-	for _, arg := range unnamedArgs {
-		r, err := loadArg(arg)
-		if err != nil {
-			base.Fatalf("failed to load %s: %s", arg, err)
-		}
-		conf, err := serial.DecodeJSONConfig(r)
-		if err != nil {
-			base.Fatalf("failed to decode %s: %s", arg, err)
-		}
-		ins = append(ins, conf.InboundConfigs...)
-	}
-	return ins
-}
-
-func executeInboundUserAction(ctx context.Context, client handlerService.HandlerServiceClient, inb conf.InboundDetourConfig, action func(ctx context.Context, client handlerService.HandlerServiceClient, tag string, user *protocol.User) error) int {
-	success := 0
-
-	tag := inb.Tag
-	if len(tag) < 1 {
-		return success
-	}
-
-	fmt.Println("processing inbound:", tag)
-	built, err := inb.Build()
-	if err != nil {
-		fmt.Println("failed to build config:", err)
-		return success
-	}
-
-	users := extractInboundUsers(built)
-	if users == nil {
-		return success
-	}
-
-	for _, user := range users {
-		if len(user.Email) < 1 {
-			continue
-		}
-		if err := action(ctx, client, inb.Tag, user); err == nil {
-			fmt.Println("result: ok")
-			success += 1
-		} else {
-			fmt.Println(err)
-		}
-	}
-	return success
-}

main/commands/all/api/inbound_user_remove.go

@@ -1,62 +0,0 @@
-package api
-
-import (
-	"fmt"
-
-	handlerService "github.com/xtls/xray-core/app/proxyman/command"
-	cserial "github.com/xtls/xray-core/common/serial"
-
-	"github.com/xtls/xray-core/main/commands/base"
-)
-
-var cmdRemoveInboundUsers = &base.Command{
-	CustomFlags: true,
-	UsageLine:   "{{.Exec}} api rmu [--server=127.0.0.1:8080] -tag=tag <email1> [email2]...",
-	Short:       "Remove users from inbounds",
-	Long: `
-Remove users from inbounds.
-Arguments:
-	-s, -server
-		The API server address. Default 127.0.0.1:8080
-	-t, -timeout
-		Timeout seconds to call API. Default 3
-	-tag
-		Inbound tag
-Example:
-    {{.Exec}} {{.LongName}} --server=127.0.0.1:8080 -tag="vless-in" "xray@love.com" ...
-`,
-	Run: executeRemoveUsers,
-}
-
-func executeRemoveUsers(cmd *base.Command, args []string) {
-	setSharedFlags(cmd)
-	var tag string
-	cmd.Flag.StringVar(&tag, "tag", "", "")
-	cmd.Flag.Parse(args)
-	emails := cmd.Flag.Args()
-	if len(tag) < 1 {
-		base.Fatalf("inbound tag not specified")
-	}
-
-	conn, ctx, close := dialAPIServer()
-	defer close()
-	client := handlerService.NewHandlerServiceClient(conn)
-
-	success := 0
-	for _, email := range emails {
-		fmt.Println("remove user:", email)
-		_, err := client.AlterInbound(ctx, &handlerService.AlterInboundRequest{
-			Tag: tag,
-			Operation: cserial.ToTypedMessage(
-				&handlerService.RemoveUserOperation{
-					Email: email,
-				}),
-		})
-		if err == nil {
-			success += 1
-		} else {
-			fmt.Println(err)
-		}
-	}
-	fmt.Println("Removed", success, "user(s) in total.")
-}

main/commands/all/tls/ech.go

@@ -13,14 +13,14 @@ import (
 )
 
 var cmdECH = &base.Command{
-	UsageLine: `{{.Exec}} tls ech [--serverName (string)] [--pem] [-i "ECHServerKeys (base64.StdEncoding)"]`,
+	UsageLine: `{{.Exec}} tls ech [--serverName (string)] [--pem] [-i "ECHSeverKeys (base64.StdEncoding)"]`,
 	Short:     `Generate TLS-ECH certificates`,
 	Long: `
 Generate TLS-ECH certificates.
 
 Set serverName to your custom string: {{.Exec}} tls ech --serverName (string)
 Generate into pem format: {{.Exec}} tls ech --pem
-Restore ECHConfigs from ECHServerKeys: {{.Exec}} tls ech -i "ECHServerKeys (base64.StdEncoding)"
+Restore ECHConfigs from ECHSeverKeys: {{.Exec}} tls ech -i "ECHSeverKeys (base64.StdEncoding)"
 `, // Enable PQ signature schemes: {{.Exec}} tls ech --pq-signature-schemes-enabled
 }
 
@@ -28,7 +28,7 @@ func init() {
 	cmdECH.Run = executeECH
 }
 
-var input_echServerKeys = cmdECH.Flag.String("i", "", "ECHServerKeys (base64.StdEncoding)")
+var input_echSeverKeys = cmdECH.Flag.String("i", "", "ECHSeverKeys (base64.StdEncoding)")
 
 // var input_pqSignatureSchemesEnabled = cmdECH.Flag.Bool("pqSignatureSchemesEnabled", false, "")
 var input_serverName = cmdECH.Flag.String("serverName", "cloudflare-ech.com", "")
@@ -47,7 +47,7 @@ func executeECH(cmd *base.Command, args []string) {
 	common.Must(err)
 
 	var configBuffer, keyBuffer []byte
-	if *input_echServerKeys == "" {
+	if *input_echSeverKeys == "" {
 		configBytes, _ := tls.MarshalBinary(echConfig)
 		var b cryptobyte.Builder
 		b.AddUint16LengthPrefixed(func(child *cryptobyte.Builder) {
@@ -61,15 +61,15 @@ func executeECH(cmd *base.Command, args []string) {
 		b2.AddBytes(configBytes)
 		keyBuffer, _ = b2.Bytes()
 	} else {
-		keySetsByte, err := base64.StdEncoding.DecodeString(*input_echServerKeys)
+		keySetsByte, err := base64.StdEncoding.DecodeString(*input_echSeverKeys)
 		if err != nil {
-			os.Stdout.WriteString("Failed to decode ECHServerKeys: " + err.Error() + "\n")
+			os.Stdout.WriteString("Failed to decode ECHSeverKeys: " + err.Error() + "\n")
 			return
 		}
 		keyBuffer = keySetsByte
 		KeySets, err := tls.ConvertToGoECHKeys(keySetsByte)
 		if err != nil {
-			os.Stdout.WriteString("Failed to decode ECHServerKeys: " + err.Error() + "\n")
+			os.Stdout.WriteString("Failed to decode ECHSeverKeys: " + err.Error() + "\n")
 			return
 		}
 		var b cryptobyte.Builder
@@ -88,6 +88,6 @@ func executeECH(cmd *base.Command, args []string) {
 		os.Stdout.WriteString(keyPEM)
 	} else {
 		os.Stdout.WriteString("ECH config list: \n" + base64.StdEncoding.EncodeToString(configBuffer) + "\n")
-		os.Stdout.WriteString("ECH server keys: \n" + base64.StdEncoding.EncodeToString(keyBuffer) + "\n")
+		os.Stdout.WriteString("ECH Key sets: \n" + base64.StdEncoding.EncodeToString(keyBuffer) + "\n")
 	}
 }

proxy/freedom/freedom.go

@@ -285,18 +285,14 @@ func NewPacketReader(conn net.Conn, UDPOverride net.Destination, DialDest net.De
 		counter = statConn.ReadCounter
 	}
 	if c, ok := iConn.(*internet.PacketConnWrapper); ok {
-		isOverridden := false
+		isAddrChanged := false
-		if UDPOverride.Address != nil || UDPOverride.Port != 0 {
+		if UDPOverride.Address != nil || UDPOverride.Port != 0 || DialDest.Address.Family().IsDomain() {
-			isOverridden = true
+			isAddrChanged = true
 		}
-		changedAddress, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
-
 		return &PacketReader{
 			PacketConnWrapper: c,
 			Counter:           counter,
-			IsOverridden:      isOverridden,
+			IsAddrChanged:     isAddrChanged,
-			InitUnchangedAddr: DialDest.Address,
-			InitChangedAddr:   net.ParseAddress(changedAddress),
 		}
 	}
 	return &buf.PacketReader{Reader: conn}
@@ -305,9 +301,7 @@ func NewPacketReader(conn net.Conn, UDPOverride net.Destination, DialDest net.De
 type PacketReader struct {
 	*internet.PacketConnWrapper
 	stats.Counter
-	IsOverridden      bool
+	IsAddrChanged bool
-	InitUnchangedAddr net.Address
-	InitChangedAddr   net.Address
 }
 
 func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
@@ -321,13 +315,9 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 	b.Resize(0, int32(n))
 	// if udp dest addr is changed, we are unable to get the correct src addr
 	// so we don't attach src info to udp packet, break cone behavior, assuming the dial dest is the expected scr addr
-	if !r.IsOverridden {
+	if !r.IsAddrChanged {
-		address := net.IPAddress(d.(*net.UDPAddr).IP)
-		if r.InitChangedAddr == address {
-			address = r.InitUnchangedAddr
-		}
 		b.UDP = &net.Destination{
-			Address: address,
+			Address: net.IPAddress(d.(*net.UDPAddr).IP),
 			Port:    net.Port(d.(*net.UDPAddr).Port),
 			Network: net.Network_UDP,
 		}

transport/internet/tls/config.go

@@ -444,7 +444,7 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 			config.KeyLogWriter = writer
 		}
 	}
-	if len(c.EchConfigList) > 0 || len(c.EchServerKeys) > 0 {
+	if len(c.EchConfigList) > 0 || len(c.EchSeverKeys) > 0 {
 		err := ApplyECH(c, config)
 		if err != nil {
 			errors.LogError(context.Background(), err)

transport/internet/tls/config.pb.go

@@ -218,7 +218,7 @@ type Config struct {
 	// @Critical
 	VerifyPeerCertInNames []string `protobuf:"bytes,17,rep,name=verify_peer_cert_in_names,json=verifyPeerCertInNames,proto3" json:"verify_peer_cert_in_names,omitempty"`
 	EchConfigList         string   `protobuf:"bytes,18,opt,name=ech_config_list,json=echConfigList,proto3" json:"ech_config_list,omitempty"`
-	EchServerKeys         []byte   `protobuf:"bytes,19,opt,name=ech_server_keys,json=echServerKeys,proto3" json:"ech_server_keys,omitempty"`
+	EchSeverKeys          []byte   `protobuf:"bytes,19,opt,name=ech_sever_keys,json=echSeverKeys,proto3" json:"ech_sever_keys,omitempty"`
 }
 
 func (x *Config) Reset() {
@@ -370,9 +370,9 @@ func (x *Config) GetEchConfigList() string {
 	return ""
 }
 
-func (x *Config) GetEchServerKeys() []byte {
+func (x *Config) GetEchSeverKeys() []byte {
 	if x != nil {
-		return x.EchServerKeys
+		return x.EchSeverKeys
 	}
 	return nil
 }
@@ -408,7 +408,7 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{
 	0x4e, 0x43, 0x49, 0x50, 0x48, 0x45, 0x52, 0x4d, 0x45, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x14, 0x0a,
 	0x10, 0x41, 0x55, 0x54, 0x48, 0x4f, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x56, 0x45, 0x52, 0x49, 0x46,
 	0x59, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x41, 0x55, 0x54, 0x48, 0x4f, 0x52, 0x49, 0x54, 0x59,
-	0x5f, 0x49, 0x53, 0x53, 0x55, 0x45, 0x10, 0x02, 0x22, 0xea, 0x06, 0x0a, 0x06, 0x43, 0x6f, 0x6e,
+	0x5f, 0x49, 0x53, 0x53, 0x55, 0x45, 0x10, 0x02, 0x22, 0xe8, 0x06, 0x0a, 0x06, 0x43, 0x6f, 0x6e,
 	0x66, 0x69, 0x67, 0x12, 0x25, 0x0a, 0x0e, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x69, 0x6e, 0x73,
 	0x65, 0x63, 0x75, 0x72, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x61, 0x6c, 0x6c,
 	0x6f, 0x77, 0x49, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x12, 0x4a, 0x0a, 0x0b, 0x63, 0x65,
@@ -460,18 +460,17 @@ var file_transport_internet_tls_config_proto_rawDesc = []byte{
 	0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x50, 0x65, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x49, 0x6e,
 	0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x26, 0x0a, 0x0f, 0x65, 0x63, 0x68, 0x5f, 0x63, 0x6f, 0x6e,
 	0x66, 0x69, 0x67, 0x5f, 0x6c, 0x69, 0x73, 0x74, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d,
-	0x65, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x26, 0x0a,
+	0x65, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x24, 0x0a,
-	0x0f, 0x65, 0x63, 0x68, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x73,
+	0x0e, 0x65, 0x63, 0x68, 0x5f, 0x73, 0x65, 0x76, 0x65, 0x72, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18,
-	0x18, 0x13, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x65, 0x63, 0x68, 0x53, 0x65, 0x72, 0x76, 0x65,
+	0x13, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x65, 0x63, 0x68, 0x53, 0x65, 0x76, 0x65, 0x72, 0x4b,
-	0x72, 0x4b, 0x65, 0x79, 0x73, 0x42, 0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61,
+	0x65, 0x79, 0x73, 0x42, 0x73, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
-	0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
-	0x72, 0x6e, 0x65, 0x74, 0x2e, 0x74, 0x6c, 0x73, 0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68,
+	0x65, 0x74, 0x2e, 0x74, 0x6c, 0x73, 0x50, 0x01, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63,
-	0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f,
+	0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e,
-	0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2f, 0x74, 0x6c, 0x73, 0xaa, 0x02, 0x1b, 0x58,
+	0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2f, 0x74, 0x6c, 0x73, 0xaa, 0x02, 0x1b, 0x58, 0x72, 0x61,
-	0x72, 0x61, 0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e,
+	0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65,
-	0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x54, 0x6c, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x72, 0x6e, 0x65, 0x74, 0x2e, 0x54, 0x6c, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-	0x6f, 0x33,
 }
 
 var (

transport/internet/tls/config.proto

@@ -94,5 +94,5 @@ message Config {
 
   string ech_config_list = 18;
 
-  bytes ech_server_keys = 19;
+  bytes ech_sever_keys = 19;
 }

transport/internet/tls/ech.go

@@ -20,7 +20,6 @@ import (
 	"github.com/xtls/reality/hpke"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/utils"
 	"github.com/xtls/xray-core/transport/internet"
 	"golang.org/x/crypto/cryptobyte"
 )
@@ -66,8 +65,8 @@ func ApplyECH(c *Config, config *tls.Config) error {
 	}
 
 	// for server
-	if len(c.EchServerKeys) != 0 {
+	if len(c.EchSeverKeys) != 0 {
-		KeySets, err := ConvertToGoECHKeys(c.EchServerKeys)
+		KeySets, err := ConvertToGoECHKeys(c.EchSeverKeys)
 		if err != nil {
 			return errors.New("Failed to unmarshal ECHKeySetList: ", err)
 		}
@@ -78,34 +77,19 @@ func ApplyECH(c *Config, config *tls.Config) error {
 }
 
 type ECHConfigCache struct {
-	configRecord atomic.Pointer[echConfigRecord]
+	echConfig atomic.Pointer[[]byte]
+	expire    atomic.Pointer[time.Time]
 	// updateLock is not for preventing concurrent read/write, but for preventing concurrent update
-	UpdateLock sync.Mutex
+	updateLock sync.Mutex
 }
 
-type echConfigRecord struct {
+func (c *ECHConfigCache) update(domain string, server string) ([]byte, error) {
-	config []byte
+	c.updateLock.Lock()
-	expire time.Time
+	defer c.updateLock.Unlock()
-}
-
-var (
-	GlobalECHConfigCache = utils.NewTypedSyncMap[string, *ECHConfigCache]()
-	clientForECHDOH      = utils.NewTypedSyncMap[string, *http.Client]()
-)
-
-// Update updates the ECH config for given domain and server.
-// this method is concurrent safe, only one update request will be sent, others get the cache.
-// if isLockedUpdate is true, it will not try to acquire the lock.
-func (c *ECHConfigCache) Update(domain string, server string, isLockedUpdate bool) ([]byte, error) {
-	if !isLockedUpdate {
-		c.UpdateLock.Lock()
-		defer c.UpdateLock.Unlock()
-	}
 	// Double check cache after acquiring lock
-	configRecord := c.configRecord.Load()
+	if c.expire.Load().After(time.Now()) {
-	if configRecord.expire.After(time.Now()) {
 		errors.LogDebug(context.Background(), "Cache hit for domain after double check: ", domain)
-		return configRecord.config, nil
+		return *c.echConfig.Load(), nil
 	}
 	// Query ECH config from DNS server
 	errors.LogDebug(context.Background(), "Trying to query ECH config for domain: ", domain, " with ECH server: ", server)
@@ -113,43 +97,49 @@ func (c *ECHConfigCache) Update(domain string, server string, isLockedUpdate boo
 	if err != nil {
 		return nil, err
 	}
-	configRecord = &echConfigRecord{
+	c.echConfig.Store(&echConfig)
-		config: echConfig,
+	expire := time.Now().Add(time.Duration(ttl) * time.Second)
-		expire: time.Now().Add(time.Duration(ttl) * time.Second),
+	c.expire.Store(&expire)
-	}
+	return *c.echConfig.Load(), nil
-	c.configRecord.Store(configRecord)
-	return configRecord.config, nil
 }
 
+var (
+	GlobalECHConfigCache       map[string]*ECHConfigCache
+	GlobalECHConfigCacheAccess sync.Mutex
+)
+
 // QueryRecord returns the ECH config for given domain.
 // If the record is not in cache or expired, it will query the DNS server and update the cache.
 func QueryRecord(domain string, server string) ([]byte, error) {
-	echConfigCache, ok := GlobalECHConfigCache.Load(domain)
+	// Global cache init
-	if !ok {
+	GlobalECHConfigCacheAccess.Lock()
+	if GlobalECHConfigCache == nil {
+		GlobalECHConfigCache = make(map[string]*ECHConfigCache)
+	}
+
+	echConfigCache := GlobalECHConfigCache[domain]
+	if echConfigCache == nil {
 		echConfigCache = &ECHConfigCache{}
-		echConfigCache.configRecord.Store(&echConfigRecord{})
+		echConfigCache.expire.Store(&time.Time{}) // zero value means initial state
-		echConfigCache, _ = GlobalECHConfigCache.LoadOrStore(domain, echConfigCache)
+		GlobalECHConfigCache[domain] = echConfigCache
 	}
-	configRecord := echConfigCache.configRecord.Load()
+	if echConfigCache != nil && echConfigCache.expire.Load().After(time.Now()) {
-	if configRecord.expire.After(time.Now()) {
 		errors.LogDebug(context.Background(), "Cache hit for domain: ", domain)
-		return configRecord.config, nil
+		GlobalECHConfigCacheAccess.Unlock()
+		return *echConfigCache.echConfig.Load(), nil
 	}
+	GlobalECHConfigCacheAccess.Unlock()
 
 	// If expire is zero value, it means we are in initial state, wait for the query to finish
 	// otherwise return old value immediately and update in a goroutine
-	// but if the cache is too old, wait for update
+	if *echConfigCache.expire.Load() == (time.Time{}) {
-	if configRecord.expire == (time.Time{}) || configRecord.expire.Add(time.Hour*6).Before(time.Now()) {
+		return echConfigCache.update(domain, server)
-		return echConfigCache.Update(domain, server, false)
 	} else {
 		// If someone already acquired the lock, it means it is updating, do not start another update goroutine
-		if echConfigCache.UpdateLock.TryLock() {
+		if echConfigCache.updateLock.TryLock() {
-			go func() {
+			go echConfigCache.update(domain, server)
-				defer echConfigCache.UpdateLock.Unlock()
-				echConfigCache.Update(domain, server, true)
-			}()
 		}
-		return configRecord.config, nil
+		return *echConfigCache.echConfig.Load(), nil
 	}
 }
 
@@ -167,30 +157,26 @@ func dnsQuery(server string, domain string) ([]byte, uint32, error) {
 		if err != nil {
 			return []byte{}, 0, err
 		}
-		var client *http.Client
+		// All traffic sent by core should via xray's internet.DialSystem
-		if client, _ = clientForECHDOH.Load(server); client == nil {
+		// This involves the behavior of some Android VPN GUI clients
-			// All traffic sent by core should via xray's internet.DialSystem
+		tr := &http.Transport{
-			// This involves the behavior of some Android VPN GUI clients
+			IdleConnTimeout:   90 * time.Second,
-			tr := &http.Transport{
+			ForceAttemptHTTP2: true,
-				IdleConnTimeout:   90 * time.Second,
+			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				ForceAttemptHTTP2: true,
+				dest, err := net.ParseDestination(network + ":" + addr)
-				DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+				if err != nil {
-					dest, err := net.ParseDestination(network + ":" + addr)
+					return nil, err
-					if err != nil {
+				}
-						return nil, err
+				conn, err := internet.DialSystem(ctx, dest, nil)
-					}
+				if err != nil {
-					conn, err := internet.DialSystem(ctx, dest, nil)
+					return nil, err
-					if err != nil {
+				}
-						return nil, err
+				return conn, nil
-					}
+			},
-					return conn, nil
+		}
-				},
+		client := &http.Client{
-			}
+			Timeout:   5 * time.Second,
-			c := &http.Client{
+			Transport: tr,
-				Timeout:   5 * time.Second,
-				Transport: tr,
-			}
-			client, _ = clientForECHDOH.LoadOrStore(server, c)
 		}
 		req, err := http.NewRequest("POST", server, bytes.NewReader(msg))
 		if err != nil {
@@ -224,12 +210,7 @@ func dnsQuery(server string, domain string) ([]byte, uint32, error) {
 		defer cancel()
 		// use xray's internet.DialSystem as mentioned above
 		conn, err := internet.DialSystem(dnsTimeoutCtx, dest, nil)
-		defer func() {
+		defer conn.Close()
-			err := conn.Close()
-			if err != nil {
-				errors.LogDebug(context.Background(), "Failed to close connection: ", err)
-			}
-		}()
 		if err != nil {
 			return []byte{}, 0, err
 		}

transport/internet/udp/dispatcher.go

@@ -70,10 +70,11 @@ func (v *Dispatcher) getInboundRay(ctx context.Context, dest net.Destination) (*
 	removeRay := func() {
 		v.Lock()
 		defer v.Unlock()
-		// sometimes the entry is already removed by others, don't close again
 		if entry == v.conn {
 			cancel()
 			v.removeRay()
+		} else {
+			errors.LogError(ctx, "removeRay trying to remove a conn that not belongs to it, canceling.")
 		}
 	}
 	timer := signal.CancelAfterInactivity(ctx, removeRay, time.Minute)

transport/internet/udp/hub.go

@@ -40,14 +40,6 @@ func ListenUDP(ctx context.Context, address net.Address, port net.Port, streamSe
 		opt(hub)
 	}
 
-	if address.Family().IsDomain() && address.Domain() == "localhost" {
-		address = net.LocalHostIP
-	}
-
-	if address.Family().IsDomain() {
-		return nil, errors.New("domain address is not allowed for listening: ", address.Domain())
-	}
-
 	var sockopt *internet.SocketConfig
 	if streamSettings != nil {
 		sockopt = streamSettings.SocketSettings