Many fixes

Author: Fangliding

infra/conf/transport_internet.go

@@ -445,8 +445,15 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 		}
 	}
 
+	if c.ECHConfig != "" {
+		ECHConfig, err := base64.StdEncoding.DecodeString(c.ECHConfig)
+		if err != nil {
+			return nil, errors.New("invalid ECH Config", c.ECHConfig)
+		}
+		config.EchConfig = ECHConfig
+	}
+
 	config.MasterKeyLog = c.MasterKeyLog
-	config.EchConfig = c.ECHConfig
 	config.Ech_DOHserver = c.ECHDOHServer
 
 	return config, nil

transport/internet/tls/config.pb.go

@@ -88,6 +88,6 @@ message Config {
   repeated bytes pinned_peer_certificate_public_key_sha256 = 14;
 
   string master_key_log = 15;
-  string ech_config = 16;
+  bytes ech_config = 16;
   string ech_DOHserver = 17;
 }

transport/internet/tls/config.proto

@@ -7,10 +7,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
-	"encoding/base64"
 	"io"
 	"net/http"
-	"regexp"
 	"sync"
 	"time"
 
@@ -25,27 +23,23 @@ func ApplyECH(c *Config, config *tls.Config) error {
 	var err error
 
 	if len(c.EchConfig) > 0 {
-		ECHConfig, err = base64.StdEncoding.DecodeString(c.EchConfig)
-		if err != nil {
-			return errors.New("invalid ECH config")
-		}
+		ECHConfig = c.EchConfig
 	} else { // ECH config > DOH lookup
-		if c.ServerName == "" {
+		if config.ServerName == "" {
 			return errors.New("Using DOH for ECH needs serverName")
 		}
-		ECHRecord, err := QueryRecord(c.ServerName, c.Ech_DOHserver)
+		ECHConfig, err = QueryRecord(c.ServerName, c.Ech_DOHserver)
 		if err != nil {
 			return err
 		}
-		ECHConfig, _ = base64.StdEncoding.DecodeString(ECHRecord)
 	}
 
 	config.EncryptedClientHelloConfigList = ECHConfig
 	return nil
 }
 
 type record struct {
-	record string
+	record []byte
 	expire time.Time
 }
 
@@ -54,34 +48,40 @@ var (
 	mutex    sync.RWMutex
 )
 
-func QueryRecord(domain string, server string) (string, error) {
-	rec, found := dnsCache[domain]
-	if found && rec.expire.After(time.Now()) {
-		return rec.record, nil
-	}
-	mutex.Lock()
-	defer mutex.Unlock()
-	errors.LogDebug(context.Background(), "Tring to query ECH config for domain: ", domain, " with ECH server: ", server)
-	record, ttl, err := dohQuery(server, domain)
-	if err != nil {
-		return "", err
-	}
-	// Use TTL for good, but many HTTPS records have TTL 60, too short
-	if ttl < 600 {
-		ttl = 600
-	}
-	rec.record = record
-	rec.expire = time.Now().Add(time.Second * time.Duration(ttl))
-	dnsCache[domain] = rec
-	return record, nil
+func QueryRecord(domain string, server string) ([]byte, error) {
+    mutex.Lock()
+    rec, found := dnsCache[domain]
+    if found && rec.expire.After(time.Now()) {
+        mutex.Unlock()
+        return rec.record, nil
+    }
+    mutex.Unlock()
+
+    errors.LogDebug(context.Background(), "Trying to query ECH config for domain: ", domain, " with ECH server: ", server)
+    record, ttl, err := dohQuery(server, domain)
+    if err != nil {
+        return []byte{}, err
+    }
+
+    if ttl < 600 {
+        ttl = 600
+    }
+
+    mutex.Lock()
+    defer mutex.Unlock()
+    rec.record = record
+    rec.expire = time.Now().Add(time.Second * time.Duration(ttl))
+    dnsCache[domain] = rec
+    return record, nil
 }
 
-func dohQuery(server string, domain string) (string, uint32, error) {
+func dohQuery(server string, domain string) ([]byte, uint32, error) {
 	m := new(dns.Msg)
 	m.SetQuestion(dns.Fqdn(domain), dns.TypeHTTPS)
+	m.Id = 0
 	msg, err := m.Pack()
 	if err != nil {
-		return "", 0, err
+		return []byte{}, 0, err
 	}
 	tr := &http.Transport{
 		IdleConnTimeout:   90 * time.Second,
@@ -104,33 +104,37 @@ func dohQuery(server string, domain string) (string, uint32, error) {
 	}
 	req, err := http.NewRequest("POST", server, bytes.NewReader(msg))
 	if err != nil {
-		return "", 0, err
+		return []byte{}, 0, err
 	}
 	req.Header.Set("Content-Type", "application/dns-message")
 	resp, err := client.Do(req)
 	if err != nil {
-		return "", 0, err
+		return []byte{}, 0, err
 	}
 	defer resp.Body.Close()
 	respBody, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return "", 0, err
+		return []byte{}, 0, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return "", 0, errors.New("query failed with response code:", resp.StatusCode)
+		return []byte{}, 0, errors.New("query failed with response code:", resp.StatusCode)
 	}
 	respMsg := new(dns.Msg)
 	err = respMsg.Unpack(respBody)
 	if err != nil {
-		return "", 0, err
+		return []byte{}, 0, err
 	}
 	if len(respMsg.Answer) > 0 {
-		re := regexp.MustCompile(`ech="([^"]+)"`)
-		match := re.FindStringSubmatch(respMsg.Answer[0].String())
-		if match[1] != "" {
-			errors.LogDebug(context.Background(), "Get ECH config:", match[1], " TTL:", respMsg.Answer[0].Header().Ttl)
-			return match[1], respMsg.Answer[0].Header().Ttl, nil
+		for _, answer := range respMsg.Answer {
+			if https, ok := answer.(*dns.HTTPS); ok && https.Hdr.Name == dns.Fqdn(domain) {
+				for _, v := range https.Value {
+					if echConfig, ok := v.(*dns.SVCBECHConfig); ok {
+						errors.LogDebug(context.Background(), "Get ECH config:", echConfig.String(), " TTL:", respMsg.Answer[0].Header().Ttl)
+						return echConfig.ECH, answer.Header().Ttl, nil
+					}
+				}
+			}
 		}
 	}
-	return "", 0, errors.New("no ech record found")
+	return []byte{}, 0, errors.New("no ech record found")
 }