From 03f4513f61af630e163794864104e7afeab31154 Mon Sep 17 00:00:00 2001
From: wwqgtxx <wwqgtxx@gmail.com>
Date: Mon, 18 Aug 2025 08:43:17 +0800
Subject: [PATCH] chore: sync vless encryption code

---
 transport/vless/encryption/client.go | 45 ++++++++++++-----------
 transport/vless/encryption/doc.go    |  1 +
 transport/vless/encryption/server.go | 54 ++++++++++++++++------------
 3 files changed, 56 insertions(+), 44 deletions(-)

diff --git a/transport/vless/encryption/client.go b/transport/vless/encryption/client.go
index db2d1c8c..fad68061 100644
--- a/transport/vless/encryption/client.go
+++ b/transport/vless/encryption/client.go
@@ -39,6 +39,7 @@ func init() {
 type ClientInstance struct {
 	sync.RWMutex
 	nfsEKey *mlkem.EncapsulationKey768
+	hash11  [11]byte // no more capacity
 	xorKey  []byte
 	minutes time.Duration
 	expire  time.Time
@@ -56,7 +57,7 @@ type ClientConn struct {
 	nonce     []byte
 	peerAead  cipher.AEAD
 	peerNonce []byte
-	peerCache []byte
+	PeerCache []byte
 }
 
 func (i *ClientInstance) Init(nfsEKeyBytes []byte, xor uint32, minutes time.Duration) (err error) {
@@ -68,6 +69,8 @@ func (i *ClientInstance) Init(nfsEKeyBytes []byte, xor uint32, minutes time.Dura
 	if err != nil {
 		return
 	}
+	hash256 := sha256.Sum256(nfsEKeyBytes)
+	copy(i.hash11[:], hash256[:])
 	if xor > 0 {
 		xorKey := sha256.Sum256(nfsEKeyBytes)
 		i.xorKey = xorKey[:]
@@ -104,13 +107,14 @@ func (i *ClientInstance) Handshake(conn net.Conn) (net.Conn, error) {
 	nfsKey, encapsulatedNfsKey := i.nfsEKey.Encapsulate()
 	paddingLen := randBetween(100, 1000)
 
-	clientHello := make([]byte, 5+1+1184+1088+5+paddingLen)
-	EncodeHeader(clientHello, 1, 1+1184+1088)
-	clientHello[5] = ClientCipher
-	copy(clientHello[5+1:], pfsEKeyBytes)
-	copy(clientHello[5+1+1184:], encapsulatedNfsKey)
-	EncodeHeader(clientHello[5+1+1184+1088:], 23, int(paddingLen))
-	rand.Read(clientHello[5+1+1184+1088+5:])
+	clientHello := make([]byte, 5+11+1+1184+1088+5+paddingLen)
+	EncodeHeader(clientHello, 1, 11+1+1184+1088)
+	copy(clientHello[5:], i.hash11[:])
+	clientHello[5+11] = ClientCipher
+	copy(clientHello[5+11+1:], pfsEKeyBytes)
+	copy(clientHello[5+11+1+1184:], encapsulatedNfsKey)
+	EncodeHeader(clientHello[5+11+1+1184+1088:], 23, int(paddingLen))
+	rand.Read(clientHello[5+11+1+1184+1088+5:])
 
 	if _, err := c.Conn.Write(clientHello); err != nil {
 		return nil, err
@@ -133,7 +137,7 @@ func (i *ClientInstance) Handshake(conn net.Conn) (net.Conn, error) {
 		return nil, err
 	}
 	encapsulatedPfsKey := peerServerHello[:1088]
-	c.ticket = peerServerHello[1088:]
+	c.ticket = append(i.hash11[:], peerServerHello[1088:]...)
 
 	pfsKey, err := pfsDKey.Decapsulate(encapsulatedPfsKey)
 	if err != nil {
@@ -141,8 +145,7 @@ func (i *ClientInstance) Handshake(conn net.Conn) (net.Conn, error) {
 	}
 	c.baseKey = append(pfsKey, nfsKey...)
 
-	nonce := [12]byte{ClientCipher}
-	VLESS, _ := NewAead(ClientCipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey).Open(nil, nonce[:], c.ticket, pfsEKeyBytes)
+	VLESS, _ := NewAead(ClientCipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey).Open(nil, append(i.hash11[:], ClientCipher), c.ticket[11:], pfsEKeyBytes)
 	if !bytes.Equal(VLESS, []byte("VLESS")) {
 		return nil, errors.New("invalid server")
 	}
@@ -170,16 +173,16 @@ func (c *ClientConn) Write(b []byte) (int, error) {
 		}
 		n += len(b)
 		if c.aead == nil {
+			data = make([]byte, 5+32+32+5+len(b)+16)
+			EncodeHeader(data, 0, 32+32)
+			copy(data[5:], c.ticket)
 			c.random = make([]byte, 32)
 			rand.Read(c.random)
+			copy(data[5+32:], c.random)
+			EncodeHeader(data[5+32+32:], 23, len(b)+16)
 			c.aead = NewAead(ClientCipher, c.baseKey, c.random, c.ticket)
 			c.nonce = make([]byte, 12)
-			data = make([]byte, 5+21+32+5+len(b)+16)
-			EncodeHeader(data, 0, 21+32)
-			copy(data[5:], c.ticket)
-			copy(data[5+21:], c.random)
-			EncodeHeader(data[5+21+32:], 23, len(b)+16)
-			c.aead.Seal(data[:5+21+32+5], c.nonce, b, data[5+21+32:5+21+32+5])
+			c.aead.Seal(data[:5+32+32+5], c.nonce, b, data[5+32+32:5+32+32+5])
 		} else {
 			data = make([]byte, 5+len(b)+16)
 			EncodeHeader(data, 23, len(b)+16)
@@ -229,9 +232,9 @@ func (c *ClientConn) Read(b []byte) (int, error) {
 		c.peerAead = NewAead(ClientCipher, c.baseKey, peerRandomHello, c.random)
 		c.peerNonce = make([]byte, 12)
 	}
-	if len(c.peerCache) != 0 {
-		n := copy(b, c.peerCache)
-		c.peerCache = c.peerCache[n:]
+	if len(c.PeerCache) != 0 {
+		n := copy(b, c.PeerCache)
+		c.PeerCache = c.PeerCache[n:]
 		return n, nil
 	}
 	h, t, l, err := ReadAndDecodeHeader(c.Conn) // l: 17~17000
@@ -262,7 +265,7 @@ func (c *ClientConn) Read(b []byte) (int, error) {
 		return 0, err
 	}
 	if len(dst) > len(b) {
-		c.peerCache = dst[copy(b, dst):]
+		c.PeerCache = dst[copy(b, dst):]
 		dst = b // for len(dst)
 	}
 	return len(dst), nil
diff --git a/transport/vless/encryption/doc.go b/transport/vless/encryption/doc.go
index 900866ec..a5004c27 100644
--- a/transport/vless/encryption/doc.go
+++ b/transport/vless/encryption/doc.go
@@ -11,4 +11,5 @@
 // https://github.com/XTLS/Xray-core/commit/09cc92c61d9067e0d65c1cae9124664ecfc78f43
 // https://github.com/XTLS/Xray-core/commit/2807ee432a1fbeb301815647189eacd650b12a8b
 // https://github.com/XTLS/Xray-core/commit/bfe4820f2f086daf639b1957eb23dc13c843cad1
+// https://github.com/XTLS/Xray-core/commit/d1fb48521271251a8c74bd64fcc2fc8700717a3b
 package encryption
diff --git a/transport/vless/encryption/server.go b/transport/vless/encryption/server.go
index f67c9720..336deefc 100644
--- a/transport/vless/encryption/server.go
+++ b/transport/vless/encryption/server.go
@@ -25,9 +25,10 @@ type ServerSession struct {
 type ServerInstance struct {
 	sync.RWMutex
 	nfsDKey  *mlkem.DecapsulationKey768
+	hash11   [11]byte // no more capacity
 	xorKey   []byte
 	minutes  time.Duration
-	sessions map[[21]byte]*ServerSession
+	sessions map[[32]byte]*ServerSession
 	closed   bool
 }
 
@@ -39,7 +40,7 @@ type ServerConn struct {
 	peerRandom []byte
 	peerAead   cipher.AEAD
 	peerNonce  []byte
-	peerCache  []byte
+	PeerCache  []byte
 	aead       cipher.AEAD
 	nonce      []byte
 }
@@ -53,13 +54,15 @@ func (i *ServerInstance) Init(nfsDKeySeed []byte, xor uint32, minutes time.Durat
 	if err != nil {
 		return
 	}
+	hash256 := sha256.Sum256(i.nfsDKey.EncapsulationKey().Bytes())
+	copy(i.hash11[:], hash256[:])
 	if xor > 0 {
 		xorKey := sha256.Sum256(i.nfsDKey.EncapsulationKey().Bytes())
 		i.xorKey = xorKey[:]
 	}
 	if minutes > 0 {
 		i.minutes = minutes
-		i.sessions = make(map[[21]byte]*ServerSession)
+		i.sessions = make(map[[32]byte]*ServerSession)
 		go func() {
 			for {
 				time.Sleep(time.Minute)
@@ -106,15 +109,18 @@ func (i *ServerInstance) Handshake(conn net.Conn) (net.Conn, error) {
 		if i.minutes == 0 {
 			return nil, errors.New("0-RTT is not allowed")
 		}
-		peerTicketHello := make([]byte, 21+32)
+		peerTicketHello := make([]byte, 32+32)
 		if l != len(peerTicketHello) {
 			return nil, fmt.Errorf("unexpected length %v for ticket hello", l)
 		}
 		if _, err := io.ReadFull(c.Conn, peerTicketHello); err != nil {
 			return nil, err
 		}
+		if !bytes.Equal(peerTicketHello[:11], i.hash11[:]) {
+			return nil, fmt.Errorf("unexpected hash11: %v", peerTicketHello[:11])
+		}
 		i.RLock()
-		s := i.sessions[[21]byte(peerTicketHello)]
+		s := i.sessions[[32]byte(peerTicketHello)]
 		i.RUnlock()
 		if s == nil {
 			noises := make([]byte, randBetween(100, 1000))
@@ -126,26 +132,29 @@ func (i *ServerInstance) Handshake(conn net.Conn) (net.Conn, error) {
 			c.Conn.Write(noises) // make client do new handshake
 			return nil, errors.New("expired ticket")
 		}
-		if _, replay := s.randoms.LoadOrStore([32]byte(peerTicketHello[21:]), true); replay {
+		if _, replay := s.randoms.LoadOrStore([32]byte(peerTicketHello[32:]), true); replay {
 			return nil, errors.New("replay detected")
 		}
 		c.cipher = s.cipher
 		c.baseKey = s.baseKey
-		c.ticket = peerTicketHello[:21]
-		c.peerRandom = peerTicketHello[21:]
+		c.ticket = peerTicketHello[:32]
+		c.peerRandom = peerTicketHello[32:]
 		return c, nil
 	}
 
-	peerClientHello := make([]byte, 1+1184+1088)
+	peerClientHello := make([]byte, 11+1+1184+1088)
 	if l != len(peerClientHello) {
 		return nil, fmt.Errorf("unexpected length %v for client hello", l)
 	}
 	if _, err := io.ReadFull(c.Conn, peerClientHello); err != nil {
 		return nil, err
 	}
-	c.cipher = peerClientHello[0]
-	pfsEKeyBytes := peerClientHello[1:1185]
-	encapsulatedNfsKey := peerClientHello[1185:2273]
+	if !bytes.Equal(peerClientHello[:11], i.hash11[:]) {
+		return nil, fmt.Errorf("unexpected hash11: %v", peerClientHello[:11])
+	}
+	c.cipher = peerClientHello[11]
+	pfsEKeyBytes := peerClientHello[11+1 : 11+1+1184]
+	encapsulatedNfsKey := peerClientHello[11+1+1184:]
 
 	pfsEKey, err := mlkem.NewEncapsulationKey768(pfsEKeyBytes)
 	if err != nil {
@@ -158,15 +167,14 @@ func (i *ServerInstance) Handshake(conn net.Conn) (net.Conn, error) {
 	pfsKey, encapsulatedPfsKey := pfsEKey.Encapsulate()
 	c.baseKey = append(pfsKey, nfsKey...)
 
-	nonce := [12]byte{c.cipher}
-	c.ticket = NewAead(c.cipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey).Seal(nil, nonce[:], []byte("VLESS"), pfsEKeyBytes)
+	c.ticket = append(i.hash11[:], NewAead(c.cipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey).Seal(nil, peerClientHello[:12], []byte("VLESS"), pfsEKeyBytes)...)
 
 	paddingLen := randBetween(100, 1000)
 
 	serverHello := make([]byte, 5+1088+21+5+paddingLen)
 	EncodeHeader(serverHello, 1, 1088+21)
 	copy(serverHello[5:], encapsulatedPfsKey)
-	copy(serverHello[5+1088:], c.ticket)
+	copy(serverHello[5+1088:], c.ticket[11:])
 	EncodeHeader(serverHello[5+1088+21:], 23, int(paddingLen))
 	rand.Read(serverHello[5+1088+21+5:])
 
@@ -177,7 +185,7 @@ func (i *ServerInstance) Handshake(conn net.Conn) (net.Conn, error) {
 
 	if i.minutes > 0 {
 		i.Lock()
-		i.sessions[[21]byte(c.ticket)] = &ServerSession{
+		i.sessions[[32]byte(c.ticket)] = &ServerSession{
 			expire:  time.Now().Add(i.minutes),
 			cipher:  c.cipher,
 			baseKey: c.baseKey,
@@ -201,24 +209,24 @@ func (c *ServerConn) Read(b []byte) (int, error) {
 			if t != 0 {
 				return 0, fmt.Errorf("unexpected type %v, expect ticket hello", t)
 			}
-			peerTicketHello := make([]byte, 21+32)
+			peerTicketHello := make([]byte, 32+32)
 			if l != len(peerTicketHello) {
 				return 0, fmt.Errorf("unexpected length %v for ticket hello", l)
 			}
 			if _, err := io.ReadFull(c.Conn, peerTicketHello); err != nil {
 				return 0, err
 			}
-			if !bytes.Equal(peerTicketHello[:21], c.ticket) {
+			if !bytes.Equal(peerTicketHello[:32], c.ticket) {
 				return 0, errors.New("naughty boy")
 			}
-			c.peerRandom = peerTicketHello[21:]
+			c.peerRandom = peerTicketHello[32:]
 		}
 		c.peerAead = NewAead(c.cipher, c.baseKey, c.peerRandom, c.ticket)
 		c.peerNonce = make([]byte, 12)
 	}
-	if len(c.peerCache) != 0 {
-		n := copy(b, c.peerCache)
-		c.peerCache = c.peerCache[n:]
+	if len(c.PeerCache) != 0 {
+		n := copy(b, c.PeerCache)
+		c.PeerCache = c.PeerCache[n:]
 		return n, nil
 	}
 	h, t, l, err := ReadAndDecodeHeader(c.Conn) // l: 17~17000
@@ -249,7 +257,7 @@ func (c *ServerConn) Read(b []byte) (int, error) {
 		return 0, err
 	}
 	if len(dst) > len(b) {
-		c.peerCache = dst[copy(b, dst):]
+		c.PeerCache = dst[copy(b, dst):]
 		dst = b // for len(dst)
 	}
 	return len(dst), nil