add support for uot on hysteria2

common/badtls/read_wait.go

@@ -4,6 +4,8 @@ package badtls
 
 import (
 	"bytes"
+	"context"
+	"net"
 	"os"
 	"reflect"
 	"sync"
@@ -18,20 +20,32 @@ import (
 var _ N.ReadWaiter = (*ReadWaitConn)(nil)
 
 type ReadWaitConn struct {
-	*tls.STDConn
-	halfAccess      *sync.Mutex
-	rawInput        *bytes.Buffer
-	input           *bytes.Reader
-	hand            *bytes.Buffer
-	readWaitOptions N.ReadWaitOptions
+	tls.Conn
+	halfAccess                    *sync.Mutex
+	rawInput                      *bytes.Buffer
+	input                         *bytes.Reader
+	hand                          *bytes.Buffer
+	readWaitOptions               N.ReadWaitOptions
+	tlsReadRecord                 func() error
+	tlsHandlePostHandshakeMessage func() error
 }
 
 func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	stdConn, isSTDConn := conn.(*tls.STDConn)
-	if !isSTDConn {
+	var (
+		loaded                        bool
+		tlsReadRecord                 func() error
+		tlsHandlePostHandshakeMessage func() error
+	)
+	for _, tlsCreator := range tlsRegistry {
+		loaded, tlsReadRecord, tlsHandlePostHandshakeMessage = tlsCreator(conn)
+		if loaded {
+			break
+		}
+	}
+	if !loaded {
 		return nil, os.ErrInvalid
 	}
-	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawHalfConn := rawConn.FieldByName("in")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -57,11 +71,13 @@ func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
 	}
 	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
 	return &ReadWaitConn{
-		STDConn:    stdConn,
-		halfAccess: halfAccess,
-		rawInput:   rawInput,
-		input:      input,
-		hand:       hand,
+		Conn:                          conn,
+		halfAccess:                    halfAccess,
+		rawInput:                      rawInput,
+		input:                         input,
+		hand:                          hand,
+		tlsReadRecord:                 tlsReadRecord,
+		tlsHandlePostHandshakeMessage: tlsHandlePostHandshakeMessage,
 	}, nil
 }
 
@@ -71,19 +87,19 @@ func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy
 }
 
 func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	err = c.Handshake()
+	err = c.HandshakeContext(context.Background())
 	if err != nil {
 		return
 	}
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	for c.input.Len() == 0 {
-		err = tlsReadRecord(c.STDConn)
+		err = c.tlsReadRecord()
 		if err != nil {
 			return
 		}
 		for c.hand.Len() > 0 {
-			err = tlsHandlePostHandshakeMessage(c.STDConn)
+			err = c.tlsHandlePostHandshakeMessage()
 			if err != nil {
 				return
 			}
@@ -100,16 +116,32 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
 		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
 		c.rawInput.Bytes()[0] == 21 {
-		_ = tlsReadRecord(c.STDConn)
+		_ = c.tlsReadRecord()
 		// return n, err // will be io.EOF on closeNotify
 	}
 
 	c.readWaitOptions.PostReturn(buffer)
 	return
 }
 
-//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
-func tlsReadRecord(c *tls.STDConn) error
+var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := conn.(*tls.STDConn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return stdTLSReadRecord(tlsConn)
+			}, func() error {
+				return stdTLSHandlePostHandshakeMessage(tlsConn)
+			}
+	})
+}
+
+//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
+func stdTLSReadRecord(c *tls.STDConn) error
 
-//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
-func tlsHandlePostHandshakeMessage(c *tls.STDConn) error
+//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func stdTLSHandlePostHandshakeMessage(c *tls.STDConn) error

common/badtls/read_wait_ech.go

@@ -0,0 +1,31 @@
+//go:build go1.21 && !without_badtls && with_ech
+
+package badtls
+
+import (
+	"net"
+	_ "unsafe"
+
+	"github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/sing/common"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := common.Cast[*tls.Conn](conn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return echReadRecord(tlsConn)
+			}, func() error {
+				return echHandlePostHandshakeMessage(tlsConn)
+			}
+	})
+}
+
+//go:linkname echReadRecord github.com/sagernet/cloudflare-tls.(*Conn).readRecord
+func echReadRecord(c *tls.Conn) error
+
+//go:linkname echHandlePostHandshakeMessage github.com/sagernet/cloudflare-tls.(*Conn).handlePostHandshakeMessage
+func echHandlePostHandshakeMessage(c *tls.Conn) error

common/badtls/read_wait_utls.go

@@ -0,0 +1,31 @@
+//go:build go1.21 && !without_badtls && with_utls
+
+package badtls
+
+import (
+	"net"
+	_ "unsafe"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/utls"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := common.Cast[*tls.UConn](conn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return utlsReadRecord(tlsConn.Conn)
+			}, func() error {
+				return utlsHandlePostHandshakeMessage(tlsConn.Conn)
+			}
+	})
+}
+
+//go:linkname utlsReadRecord github.com/sagernet/utls.(*Conn).readRecord
+func utlsReadRecord(c *tls.Conn) error
+
+//go:linkname utlsHandlePostHandshakeMessage github.com/sagernet/utls.(*Conn).handlePostHandshakeMessage
+func utlsHandlePostHandshakeMessage(c *tls.Conn) error

common/process/searcher_windows.go

@@ -223,7 +223,7 @@ func getExecPathFromPID(pid uint32) (string, error) {
 	r1, _, err := syscall.SyscallN(
 		procQueryFullProcessImageNameW.Addr(),
 		uintptr(h),
-		uintptr(1),
+		uintptr(0),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&size)),
 	)

docs/configuration/outbound/hysteria2.md

@@ -15,6 +15,7 @@
   },
   "password": "goofy_ahh_password",
   "network": "tcp",
+  "udp_over_stream": false,
   "tls": {},
   "brutal_debug": false,
 
@@ -72,6 +73,15 @@ One of `tcp` `udp`.
 
 Both is enabled by default.
 
+#### udp_over_stream
+
+This is the Hysteria2 port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that Hysteria2 does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode can improve reliability in proxying UDP traffic in lossy networks, as it supports retransmitting lost packets using
+QUIC's loss detection mechanisms.
+
 #### tls
 
 ==Required==

docs/configuration/outbound/hysteria2.zh.md

@@ -15,6 +15,7 @@
   },
   "password": "goofy_ahh_password",
   "network": "tcp",
+  "udp_over_stream": false,
   "tls": {},
   "brutal_debug": false,
 
@@ -70,6 +71,15 @@ QUIC 流量混淆器密码.
 
 默认所有。
 
+#### udp_over_stream
+
+这是 Hysteria2 版本的 [UDP over TCP protocol](/configuration/shared/udp-over-tcp), 设计为提供一个Hysteria2没有的，  
+基于QUIC stream的UDP中继模式。由于这是一个附加的协议，你需要使用   
+sing-box 或者与这个协议兼容的其他软件作为服务器。  
+
+这个协议可以增加在恶劣环境代理UDP的可靠性，因为它支持使用  
+QUIC 的丢失检测机制重传丢失的数据包。
+
 #### tls
 
 ==必填==

docs/migration.md

@@ -2,6 +2,28 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.0
+
+!!! warning "Unstable"
+
+    This version is still under development, and the following migration guide may be changed in the future.
+
+### `domain_suffix` behavior update
+
+For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.
+
+sing-box 1.9.0 modifies the behavior of `domain_suffix`: If the rule value is prefixed with `.`,
+the behavior is unchanged, otherwise it matches `(domain|.+\.domain)` instead.
+
+### `process_path` format update on Windows
+
+The `process_path` rule of sing-box is inherited from Clash,
+the original code uses the local system's path format (e.g. `\Device\HarddiskVolume1\folder\program.exe`),
+but when the device has multiple disks, the HarddiskVolume serial number is not stable.
+
+sing-box 1.9.0 make QueryFullProcessImageNameW output a Win32 path (such as `C:\folder\program.exe`),
+which will disrupt the existing `process_path` use cases in Windows.
+
 ## 1.8.0
 
 ### :material-close-box: Migrate cache file from Clash API to independent options

docs/migration.zh.md

@@ -2,6 +2,27 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.9.0
+
+!!! warning "不稳定的"
+
+    该版本仍在开发中，迁移指南可能将在未来更改。
+
+### `domain_suffix` 行为更新
+
+由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。
+
+sing-box 1.9.0 修改了 `domain_suffix` 的行为：如果规则值以 `.` 为前缀则行为不变，否则改为匹配 `(domain|.+\.domain)`。
+
+### 对 Windows 上 `process_path` 格式的更新
+
+sing-box 的 `process_path` 规则继承自Clash，
+原始代码使用本地系统的路径格式（例如 `\Device\HarddiskVolume1\folder\program.exe`），
+但是当设备有多个硬盘时，该 HarddiskVolume 系列号并不稳定。
+
+sing-box 1.9.0 使 QueryFullProcessImageNameW 输出 Win32 路径（如 `C:\folder\program.exe`），
+这将会破坏现有的 Windows `process_path` 用例。
+
 ## 1.8.0
 
 ### :material-close-box: 将缓存文件从 Clash API 迁移到独立选项

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e
 	github.com/sagernet/quic-go v0.40.1-beta.2
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.3.0-rc.7
+	github.com/sagernet/sing v0.3.0-rc.7.0.20240105061852-782bc05c5573
 	github.com/sagernet/sing-dns v0.1.12
 	github.com/sagernet/sing-mux v0.1.8-rc.1
 	github.com/sagernet/sing-quic v0.1.7-rc.2

go.sum

@@ -109,8 +109,8 @@ github.com/sagernet/quic-go v0.40.1-beta.2/go.mod h1:CcKTpzTAISxrM4PA5M20/wYuz9T
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.3.0-rc.7 h1:FmnzFRYC6usVgWf112cUxiexwvL+iAurKmCL4Axa9+A=
-github.com/sagernet/sing v0.3.0-rc.7/go.mod h1:9pfuAH6mZfgnz/YjP6xu5sxx882rfyjpcrTdUpd6w3g=
+github.com/sagernet/sing v0.3.0-rc.7.0.20240105061852-782bc05c5573 h1:aBpX3AIQ6jfIFBj4Gwofd3jZc2s1dC6/ChoyUOglyrc=
+github.com/sagernet/sing v0.3.0-rc.7.0.20240105061852-782bc05c5573/go.mod h1:9pfuAH6mZfgnz/YjP6xu5sxx882rfyjpcrTdUpd6w3g=
 github.com/sagernet/sing-dns v0.1.12 h1:1HqZ+ln+Rezx/aJMStaS0d7oPeX2EobSV1NT537kyj4=
 github.com/sagernet/sing-dns v0.1.12/go.mod h1:rx/DTOisneQpCgNQ4jbFU/JNEtnz0lYcHXenlVzpjEU=
 github.com/sagernet/sing-mux v0.1.8-rc.1 h1:5dsZgWmNr9W6JzQj4fb3xX2pMP0OyJH6kVtlqc2kFKA=

inbound/hysteria2.go

@@ -4,6 +4,7 @@ package inbound
 
 import (
 	"context"
+	"github.com/sagernet/sing-box/common/uot"
 	"net"
 	"net/http"
 	"net/http/httputil"
@@ -81,7 +82,7 @@ func NewHysteria2(ctx context.Context, router adapter.Router, logger log.Context
 			protocol:      C.TypeHysteria2,
 			network:       []string{N.NetworkUDP},
 			ctx:           ctx,
-			router:        router,
+			router:        uot.NewRouter(router, logger),
 			logger:        logger,
 			tag:           tag,
 			listenOptions: options.ListenOptions,

mkdocs.yml

@@ -11,12 +11,14 @@ theme:
   logo: assets/icon.svg
   favicon: assets/icon.svg
   palette:
-    - scheme: default
+    - media: "(prefers-color-scheme: light)"
+      scheme: default
       primary: white
       toggle:
         icon: material/brightness-7
         name: Switch to dark mode
-    - scheme: slate
+    - media: "(prefers-color-scheme: dark)"
+      scheme: slate
       primary: black
       toggle:
         icon: material/brightness-4

option/hysteria2.go

@@ -31,5 +31,6 @@ type Hysteria2OutboundOptions struct {
 	Password string         `json:"password,omitempty"`
 	Network  NetworkList    `json:"network,omitempty"`
 	OutboundTLSOptionsContainer
+	UDPOverStream bool                `json:"udp_over_stream,omitempty"`
 	BrutalDebug bool `json:"brutal_debug,omitempty"`
 }