chore: sync vless encryption code

Author: wwqgtxx

component/generater/cmd.go

@@ -12,7 +12,7 @@ import (
 
 func Main(args []string) {
 	if len(args) < 1 {
-		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair/vless-mlkem768")
+		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair/vless-mlkem768/vless-x25519")
 	}
 	switch args[0] {
 	case "uuid":
@@ -57,5 +57,16 @@ func Main(args []string) {
 		}
 		fmt.Println("Seed: " + seedBase64)
 		fmt.Println("Client: " + clientBase64)
+	case "vless-x25519":
+		var privateKey string
+		if len(args) > 1 {
+			privateKey = args[1]
+		}
+		privateKeyBase64, passwordBase64, err := encryption.GenX25519(privateKey)
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("PrivateKey:" + privateKeyBase64)
+		fmt.Println("Password:" + passwordBase64)
 	}
 }

docs/config.yaml

@@ -638,8 +638,12 @@ proxies: # socks5
     port: 443
     uuid: uuid
     network: tcp
-    encryption: "8min-vless-mlkem768client-bas64RawURLEncoding" # 复用八分钟后协商新的 sharedKey，需小于服务端的值
-    # encryption: "8min-xored-mlkem768client-bas64RawURLEncoding"
+    # -------------------------
+    # vless encryption客户端配置：
+    # （只使用 1-RTT 模式 / 复用八分钟后协商新的 baseKey，周期需小于服务端的值）
+    # / 是只能选一个，后面是 base64RawURLEncoding，使用 mihomo generate vless-x25519 和 mihomo generate vless-mlkem768 生成，替换值时需去掉括号
+    # -------------------------
+    encryption: "1rtt/8min.native/divide/random.mlkem768Client.(X25519 Password).(ML-KEM-768 Client)"
     tls: false #可以不开启tls
     udp: true
 
@@ -1359,8 +1363,12 @@ listeners:
         flow: xtls-rprx-vision
     # ws-path: "/" # 如果不为空则开启 websocket 传输层
     # grpc-service-name: "GunService" # 如果不为空则开启 grpc 传输层
-    # decryption: "10min-vless-mlkem768seed-bas64RawURLEncoding" # 同时允许 1-RTT 模式与十分钟复用的 0-RTT 模式, 后面base64字符串可由可由 mihomo generate vless-mlkem768 命令生成
-    # decryption: "10min-xored-mlkem768seed-bas64RawURLEncoding"
+    # -------------------------
+    # vless encryption服务端配置：
+    # （只允许 1-RTT 模式 / 同时允许 1-RTT 模式与十分钟复用的 0-RTT 模式；原生外观 / ECH 式 XOR / 全随机数）
+    # / 是只能选一个，后面是 base64RawURLEncoding，使用 mihomo generate vless-x25519 和 mihomo generate vless-mlkem768 生成，替换值时需去掉括号
+    # -------------------------
+    # decryption: "1rtt/10min.native/divide/random.mlkem768Seed.(X25519 PrivateKey).(ML-KEM-768 Seed)"
     # 下面两项如果填写则开启 tls（需要同时填写）
     # certificate: ./server.crt
     # private-key: ./server.key

listener/inbound/vless_test.go

@@ -94,34 +94,33 @@ func TestInboundVless_Encryption(t *testing.T) {
 		t.Fatal(err)
 		return
 	}
-	t.Run("-vless-", func(t *testing.T) {
-		inboundOptions := inbound.VlessOption{
-			Decryption: "10min-vless-mlkem768seed-" + seedBase64,
-		}
-		outboundOptions := outbound.VlessOption{
-			Encryption: "8min-vless-mlkem768client-" + clientBase64,
-		}
-		testInboundVless(t, inboundOptions, outboundOptions)
-		t.Run("xtls-rprx-vision", func(t *testing.T) {
-			outboundOptions := outboundOptions
-			outboundOptions.Flow = "xtls-rprx-vision"
-			testInboundVless(t, inboundOptions, outboundOptions)
-		})
-	})
-	t.Run("-xored-", func(t *testing.T) {
-		inboundOptions := inbound.VlessOption{
-			Decryption: "10min-xored-mlkem768seed-" + seedBase64,
-		}
-		outboundOptions := outbound.VlessOption{
-			Encryption: "8min-xored-mlkem768client-" + clientBase64,
-		}
-		testInboundVless(t, inboundOptions, outboundOptions)
-		t.Run("xtls-rprx-vision", func(t *testing.T) {
-			outboundOptions := outboundOptions
-			outboundOptions.Flow = "xtls-rprx-vision"
+	privateKeyBase64, passwordBase64, err := encryption.GenX25519("")
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	var modes = []string{
+		"native",
+		"divide",
+		"random",
+	}
+	for i := range modes {
+		mode := modes[i]
+		t.Run(mode, func(t *testing.T) {
+			inboundOptions := inbound.VlessOption{
+				Decryption: "10min." + mode + ".mlkem768Seed." + privateKeyBase64 + "." + seedBase64,
+			}
+			outboundOptions := outbound.VlessOption{
+				Encryption: "8min." + mode + ".mlkem768Client." + passwordBase64 + "." + clientBase64,
+			}
 			testInboundVless(t, inboundOptions, outboundOptions)
+			t.Run("xtls-rprx-vision", func(t *testing.T) {
+				outboundOptions := outboundOptions
+				outboundOptions.Flow = "xtls-rprx-vision"
+				testInboundVless(t, inboundOptions, outboundOptions)
+			})
 		})
-	})
+	}
 }
 
 func TestInboundVless_Wss1(t *testing.T) {

transport/vless/encryption/client.go

@@ -3,6 +3,7 @@ package encryption
 import (
 	"bytes"
 	"crypto/cipher"
+	"crypto/ecdh"
 	"crypto/rand"
 	"errors"
 	"fmt"
@@ -40,7 +41,8 @@ type ClientInstance struct {
 	sync.RWMutex
 	nfsEKey *mlkem.EncapsulationKey768
 	hash11  [11]byte // no more capacity
-	xorKey  []byte
+	xorMode uint32
+	xorPKey *ecdh.PublicKey
 	minutes time.Duration
 	expire  time.Time
 	baseKey []byte
@@ -60,31 +62,32 @@ type ClientConn struct {
 	input     bytes.Reader // peerCache
 }
 
-func (i *ClientInstance) Init(nfsEKeyBytes []byte, xor uint32, minutes time.Duration) (err error) {
+func (i *ClientInstance) Init(nfsEKeyBytes, xorPKeyBytes []byte, xorMode, minutes uint32) (err error) {
 	if i.nfsEKey != nil {
 		err = errors.New("already initialized")
 		return
 	}
-	i.nfsEKey, err = mlkem.NewEncapsulationKey768(nfsEKeyBytes)
-	if err != nil {
+	if i.nfsEKey, err = mlkem.NewEncapsulationKey768(nfsEKeyBytes); err != nil {
 		return
 	}
 	hash32 := sha3.Sum256(nfsEKeyBytes)
 	copy(i.hash11[:], hash32[:])
-	if xor > 0 {
-		xorKey := sha3.Sum256(nfsEKeyBytes)
-		i.xorKey = xorKey[:]
+	if xorMode > 0 {
+		i.xorMode = xorMode
+		if i.xorPKey, err = ecdh.X25519().NewPublicKey(xorPKeyBytes); err != nil {
+			return
+		}
 	}
-	i.minutes = minutes
+	i.minutes = time.Duration(minutes) * time.Minute
 	return
 }
 
 func (i *ClientInstance) Handshake(conn net.Conn) (*ClientConn, error) {
 	if i.nfsEKey == nil {
 		return nil, errors.New("uninitialized")
 	}
-	if i.xorKey != nil {
-		conn = NewXorConn(conn, i.xorKey)
+	if i.xorMode > 0 {
+		conn, _ = NewXorConn(conn, i.xorMode, i.xorPKey, nil)
 	}
 	c := &ClientConn{Conn: conn}
 
@@ -145,7 +148,7 @@ func (i *ClientInstance) Handshake(conn net.Conn) (*ClientConn, error) {
 	}
 	c.baseKey = append(pfsKey, nfsKey...)
 
-	VLESS, _ := NewAead(ClientCipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey).Open(nil, append(i.hash11[:], ClientCipher), c.ticket[11:], pfsEKeyBytes)
+	VLESS, _ := NewAEAD(ClientCipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey).Open(nil, append(i.hash11[:], ClientCipher), c.ticket[11:], pfsEKeyBytes)
 	if !bytes.Equal(VLESS, []byte("VLESS")) {
 		return nil, errors.New("invalid server")
 	}
@@ -180,15 +183,15 @@ func (c *ClientConn) Write(b []byte) (int, error) {
 			rand.Read(c.random)
 			copy(data[5+32:], c.random)
 			EncodeHeader(data[5+32+32:], 23, len(b)+16)
-			c.aead = NewAead(ClientCipher, c.baseKey, c.random, c.ticket)
+			c.aead = NewAEAD(ClientCipher, c.baseKey, c.random, c.ticket)
 			c.nonce = make([]byte, 12)
 			c.aead.Seal(data[:5+32+32+5], c.nonce, b, data[5+32+32:5+32+32+5])
 		} else {
 			data = make([]byte, 5+len(b)+16)
 			EncodeHeader(data, 23, len(b)+16)
 			c.aead.Seal(data[:5], c.nonce, b, data[:5])
 			if bytes.Equal(c.nonce, MaxNonce) {
-				c.aead = NewAead(ClientCipher, c.baseKey, data[5:], data[:5])
+				c.aead = NewAEAD(ClientCipher, c.baseKey, data[5:], data[:5])
 			}
 		}
 		IncreaseNonce(c.nonce)
@@ -229,7 +232,7 @@ func (c *ClientConn) Read(b []byte) (int, error) {
 		if c.random == nil {
 			return 0, errors.New("empty c.random")
 		}
-		c.peerAead = NewAead(ClientCipher, c.baseKey, peerRandomHello, c.random)
+		c.peerAead = NewAEAD(ClientCipher, c.baseKey, peerRandomHello, c.random)
 		c.peerNonce = make([]byte, 12)
 	}
 	if c.input.Len() > 0 {
@@ -252,7 +255,7 @@ func (c *ClientConn) Read(b []byte) (int, error) {
 	}
 	var peerAead cipher.AEAD
 	if bytes.Equal(c.peerNonce, MaxNonce) {
-		peerAead = NewAead(ClientCipher, c.baseKey, peerData, h)
+		peerAead = NewAEAD(ClientCipher, c.baseKey, peerData, h)
 	}
 	_, err = c.peerAead.Open(dst[:0], c.peerNonce, peerData, h)
 	if peerAead != nil {

transport/vless/encryption/common.go

@@ -73,7 +73,7 @@ func ReadAndDiscardPaddings(conn net.Conn) (h []byte, t byte, l int, err error)
 	}
 }
 
-func NewAead(c byte, secret, salt, info []byte) (aead cipher.AEAD) {
+func NewAEAD(c byte, secret, salt, info []byte) (aead cipher.AEAD) {
 	key := make([]byte, 32)
 	hkdf.New(sha3.New256, secret, salt, info).Read(key)
 	if c&1 == 1 {

transport/vless/encryption/doc.go

@@ -14,4 +14,5 @@
 // https://github.com/XTLS/Xray-core/commit/d1fb48521271251a8c74bd64fcc2fc8700717a3b
 // https://github.com/XTLS/Xray-core/commit/49580705f6029648399304b816a2737f991582a8
 // https://github.com/XTLS/Xray-core/commit/84835bec7d0d8555d0dd30953ed26a272de814c4
+// https://github.com/XTLS/Xray-core/commit/373558ed7abdbac3de41745cf30ec04c9adde604
 package encryption

transport/vless/encryption/factory.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
-	"time"
 )
 
 // NewClient new client from encryption string
@@ -15,7 +14,7 @@ func NewClient(encryption string) (*ClientInstance, error) {
 	case "", "none": // We will not reject empty string like xray-core does, because we need to ensure compatibility
 		return nil, nil
 	}
-	if s := strings.SplitN(encryption, "-", 4); len(s) == 4 && s[2] == "mlkem768client" {
+	if s := strings.Split(encryption, "."); len(s) == 5 && s[2] == "mlkem768Client" {
 		var minutes uint32
 		if s[0] != "1rtt" {
 			t := strings.TrimSuffix(s[0], "min")
@@ -28,27 +27,35 @@ func NewClient(encryption string) (*ClientInstance, error) {
 			}
 			minutes = uint32(i)
 		}
-		var xor uint32
+		var xorMode uint32
 		switch s[1] {
-		case "vless":
-		case "xored":
-			xor = 1
+		case "native":
+		case "divide":
+			xorMode = 1
+		case "random":
+			xorMode = 2
 		default:
 			return nil, fmt.Errorf("invaild vless encryption value: %s", encryption)
 		}
-		b, err := base64.RawURLEncoding.DecodeString(s[3])
+		xorPKeyBytes, err := base64.RawURLEncoding.DecodeString(s[3])
 		if err != nil {
 			return nil, fmt.Errorf("invaild vless encryption value: %s", encryption)
 		}
-		if len(b) == MLKEM768ClientLength {
-			client := &ClientInstance{}
-			if err = client.Init(b, xor, time.Duration(minutes)*time.Minute); err != nil {
-				return nil, fmt.Errorf("failed to use mlkem768seed: %w", err)
-			}
-			return client, nil
-		} else {
+		if len(xorPKeyBytes) != X25519PasswordSize {
+			return nil, fmt.Errorf("invaild vless encryption value: %s", encryption)
+		}
+		nfsEKeyBytes, err := base64.RawURLEncoding.DecodeString(s[4])
+		if err != nil {
 			return nil, fmt.Errorf("invaild vless encryption value: %s", encryption)
 		}
+		if len(nfsEKeyBytes) != MLKEM768ClientLength {
+			return nil, fmt.Errorf("invaild vless encryption value: %s", encryption)
+		}
+		client := &ClientInstance{}
+		if err = client.Init(nfsEKeyBytes, xorPKeyBytes, xorMode, minutes); err != nil {
+			return nil, fmt.Errorf("failed to use mlkem768seed: %w", err)
+		}
+		return client, nil
 	}
 	return nil, fmt.Errorf("invaild vless encryption value: %s", encryption)
 }
@@ -60,7 +67,7 @@ func NewServer(decryption string) (*ServerInstance, error) {
 	case "", "none": // We will not reject empty string like xray-core does, because we need to ensure compatibility
 		return nil, nil
 	}
-	if s := strings.SplitN(decryption, "-", 4); len(s) == 4 && s[2] == "mlkem768seed" {
+	if s := strings.Split(decryption, "."); len(s) == 5 && s[2] == "mlkem768Seed" {
 		var minutes uint32
 		if s[0] != "1rtt" {
 			t := strings.TrimSuffix(s[0], "min")
@@ -73,27 +80,35 @@ func NewServer(decryption string) (*ServerInstance, error) {
 			}
 			minutes = uint32(i)
 		}
-		var xor uint32
+		var xorMode uint32
 		switch s[1] {
-		case "vless":
-		case "xored":
-			xor = 1
+		case "native":
+		case "divide":
+			xorMode = 1
+		case "random":
+			xorMode = 2
 		default:
 			return nil, fmt.Errorf("invaild vless decryption value: %s", decryption)
 		}
-		b, err := base64.RawURLEncoding.DecodeString(s[3])
+		xorSKeyBytes, err := base64.RawURLEncoding.DecodeString(s[3])
 		if err != nil {
 			return nil, fmt.Errorf("invaild vless decryption value: %s", decryption)
 		}
-		if len(b) == MLKEM768SeedLength {
-			server := &ServerInstance{}
-			if err = server.Init(b, xor, time.Duration(minutes)*time.Minute); err != nil {
-				return nil, fmt.Errorf("failed to use mlkem768seed: %w", err)
-			}
-			return server, nil
-		} else {
+		if len(xorSKeyBytes) != X25519PrivateKeySize {
+			return nil, fmt.Errorf("invaild vless decryption value: %s", decryption)
+		}
+		nfsDKeySeed, err := base64.RawURLEncoding.DecodeString(s[4])
+		if err != nil {
 			return nil, fmt.Errorf("invaild vless decryption value: %s", decryption)
 		}
+		if len(nfsDKeySeed) != MLKEM768SeedLength {
+			return nil, fmt.Errorf("invaild vless decryption value: %s", decryption)
+		}
+		server := &ServerInstance{}
+		if err = server.Init(nfsDKeySeed, xorSKeyBytes, xorMode, minutes); err != nil {
+			return nil, fmt.Errorf("failed to use mlkem768seed: %w", err)
+		}
+		return server, nil
 	}
 	return nil, fmt.Errorf("invaild vless decryption value: %s", decryption)
 }