TLS ECH client: Use chrome-fingerprint and add padding; Add "h2c" and echSockopt; Fix some issues (XTLS#4949)

Completes XTLS#3813

Author: drovosek229

infra/conf/transport_internet.go

@@ -415,6 +415,7 @@ type TLSConfig struct {
 	ECHServerKeys                        string           `json:"echServerKeys"`
 	ECHConfigList                        string           `json:"echConfigList"`
 	ECHForceQuery                        bool             `json:"echForceQuery"`
+	ECHSocketSettings                    *SocketConfig    `json:"echSockopt"`
 }
 
 // Build implements Buildable.
@@ -438,7 +439,7 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	}
 	if len(config.NextProtocol) > 1 {
 		for _, p := range config.NextProtocol {
-			if tcp.IsFromMitm(p) {
+			if tls.IsFromMitm(p) {
 				return nil, errors.New(`only one element is allowed in "alpn" when using "fromMitm" in it`)
 			}
 		}
@@ -495,6 +496,13 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	}
 	config.EchForceQuery = c.ECHForceQuery
 	config.EchConfigList = c.ECHConfigList
+	if c.ECHSocketSettings != nil {
+		ss, err := c.ECHSocketSettings.Build()
+		if err != nil {
+			return nil, errors.New("Failed to build ech sockopt.").Base(err)
+		}
+		config.EchSocketSettings = ss
+	}
 
 	return config, nil
 }

transport/internet/tcp/dialer.go

@@ -2,6 +2,7 @@ package tcp
 
 import (
 	"context"
+	gotls "crypto/tls"
 	"slices"
 	"strings"
 
@@ -15,10 +16,6 @@ import (
 	"github.com/xtls/xray-core/transport/internet/tls"
 )
 
-func IsFromMitm(str string) bool {
-	return strings.ToLower(str) == "frommitm"
-}
-
 // Dial dials a new TCP connection to the given destination.
 func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.MemoryStreamConfig) (stat.Connection, error) {
 	errors.LogInfo(ctx, "dialing TCP to ", dest)
@@ -30,14 +27,17 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
 	if config := tls.ConfigFromStreamSettings(streamSettings); config != nil {
 		mitmServerName := session.MitmServerNameFromContext(ctx)
 		mitmAlpn11 := session.MitmAlpn11FromContext(ctx)
-		tlsConfig := config.GetTLSConfig(tls.WithDestination(dest))
-		if IsFromMitm(tlsConfig.ServerName) {
-			tlsConfig.ServerName = mitmServerName
+		var tlsConfig *gotls.Config
+		if tls.IsFromMitm(config.ServerName) {
+			tlsConfig = config.GetTLSConfig(tls.WithOverrideName(mitmServerName))
+		} else {
+			tlsConfig = config.GetTLSConfig(tls.WithDestination(dest))
 		}
+
 		isFromMitmVerify := false
 		if r, ok := tlsConfig.Rand.(*tls.RandCarrier); ok && len(r.VerifyPeerCertInNames) > 0 {
 			for i, name := range r.VerifyPeerCertInNames {
-				if IsFromMitm(name) {
+				if tls.IsFromMitm(name) {
 					isFromMitmVerify = true
 					r.VerifyPeerCertInNames[0], r.VerifyPeerCertInNames[i] = r.VerifyPeerCertInNames[i], r.VerifyPeerCertInNames[0]
 					r.VerifyPeerCertInNames = r.VerifyPeerCertInNames[1:]
@@ -56,7 +56,7 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
 				}
 			}
 		}
-		isFromMitmAlpn := len(tlsConfig.NextProtos) == 1 && IsFromMitm(tlsConfig.NextProtos[0])
+		isFromMitmAlpn := len(tlsConfig.NextProtos) == 1 && tls.IsFromMitm(tlsConfig.NextProtos[0])
 		if isFromMitmAlpn {
 			if mitmAlpn11 {
 				tlsConfig.NextProtos[0] = "http/1.1"

transport/internet/tls/config.go

@@ -8,6 +8,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"github.com/xtls/xray-core/features/dns"
 	"os"
 	"slices"
 	"strings"
@@ -275,6 +276,9 @@ func getNewGetCertificateFunc(certs []*tls.Certificate, rejectUnknownSNI bool) f
 }
 
 func (c *Config) parseServerName() string {
+	if IsFromMitm(c.ServerName) {
+		return ""
+	}
 	return c.ServerName
 }
 
@@ -447,7 +451,11 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 	if len(c.EchConfigList) > 0 || len(c.EchServerKeys) > 0 {
 		err := ApplyECH(c, config)
 		if err != nil {
-			errors.LogError(context.Background(), err)
+			if c.EchForceQuery || errors.Cause(err) != dns.ErrEmptyResponse {
+				errors.LogError(context.Background(), err)
+			} else {
+				errors.LogInfo(context.Background(), err)
+			}
 		}
 	}
 
@@ -469,6 +477,12 @@ func WithDestination(dest net.Destination) Option {
 	}
 }
 
+func WithOverrideName(serverName string) Option {
+	return func(config *tls.Config) {
+		config.ServerName = serverName
+	}
+}
+
 // WithNextProto sets the ALPN values in TLS config.
 func WithNextProto(protocol ...string) Option {
 	return func(config *tls.Config) {
@@ -509,3 +523,7 @@ func ParseCurveName(curveNames []string) []tls.CurveID {
 	}
 	return curveIDs
 }
+
+func IsFromMitm(str string) bool {
+	return strings.ToLower(str) == "frommitm"
+}