Bump github.com/cloudflare/circl from 1.3.6 to 1.3.7

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.6 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.3.6...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Improve domain suffix match behavior
2026-05-14 08:52:47 +03:00 · 2024-01-08 16:52:54 +00:00 · 2024-01-05 14:31:06 +08:00 · 2024-01-05 14:06:15 +08:00 · 2024-01-05 13:48:06 +08:00
8 changed files with 166 additions and 29 deletions
--- a/common/badtls/read_wait.go
+++ b/common/badtls/read_wait.go
@@ -4,6 +4,8 @@ package badtls

 import (
 	"bytes"
+	"context"
+	"net"
 	"os"
 	"reflect"
 	"sync"
@@ -18,20 +20,32 @@ import (
 var _ N.ReadWaiter = (*ReadWaitConn)(nil)

 type ReadWaitConn struct {
-	*tls.STDConn
-	halfAccess      *sync.Mutex
-	rawInput        *bytes.Buffer
-	input           *bytes.Reader
-	hand            *bytes.Buffer
-	readWaitOptions N.ReadWaitOptions
+	tls.Conn
+	halfAccess                    *sync.Mutex
+	rawInput                      *bytes.Buffer
+	input                         *bytes.Reader
+	hand                          *bytes.Buffer
+	readWaitOptions               N.ReadWaitOptions
+	tlsReadRecord                 func() error
+	tlsHandlePostHandshakeMessage func() error
 }

 func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
-	stdConn, isSTDConn := conn.(*tls.STDConn)
-	if !isSTDConn {
+	var (
+		loaded                        bool
+		tlsReadRecord                 func() error
+		tlsHandlePostHandshakeMessage func() error
+	)
+	for _, tlsCreator := range tlsRegistry {
+		loaded, tlsReadRecord, tlsHandlePostHandshakeMessage = tlsCreator(conn)
+		if loaded {
+			break
+		}
+	}
+	if !loaded {
 		return nil, os.ErrInvalid
 	}
-	rawConn := reflect.Indirect(reflect.ValueOf(stdConn))
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawHalfConn := rawConn.FieldByName("in")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -57,11 +71,13 @@ func NewReadWaitConn(conn tls.Conn) (tls.Conn, error) {
 	}
 	hand := (*bytes.Buffer)(unsafe.Pointer(rawHand.UnsafeAddr()))
 	return &ReadWaitConn{
-		STDConn:    stdConn,
-		halfAccess: halfAccess,
-		rawInput:   rawInput,
-		input:      input,
-		hand:       hand,
+		Conn:                          conn,
+		halfAccess:                    halfAccess,
+		rawInput:                      rawInput,
+		input:                         input,
+		hand:                          hand,
+		tlsReadRecord:                 tlsReadRecord,
+		tlsHandlePostHandshakeMessage: tlsHandlePostHandshakeMessage,
 	}, nil
 }

@@ -71,19 +87,19 @@ func (c *ReadWaitConn) InitializeReadWaiter(options N.ReadWaitOptions) (needCopy
 }

 func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
-	err = c.Handshake()
+	err = c.HandshakeContext(context.Background())
 	if err != nil {
 		return
 	}
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	for c.input.Len() == 0 {
-		err = tlsReadRecord(c.STDConn)
+		err = c.tlsReadRecord()
 		if err != nil {
 			return
 		}
 		for c.hand.Len() > 0 {
-			err = tlsHandlePostHandshakeMessage(c.STDConn)
+			err = c.tlsHandlePostHandshakeMessage()
 			if err != nil {
 				return
 			}
@@ -100,7 +116,7 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 	if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 &&
 		// recordType(c.rawInput.Bytes()[0]) == recordTypeAlert {
 		c.rawInput.Bytes()[0] == 21 {
-		_ = tlsReadRecord(c.STDConn)
+		_ = c.tlsReadRecord()
 		// return n, err // will be io.EOF on closeNotify
 	}

@@ -108,8 +124,24 @@ func (c *ReadWaitConn) WaitReadBuffer() (buffer *buf.Buffer, err error) {
 	return
 }

-//go:linkname tlsReadRecord crypto/tls.(*Conn).readRecord
-func tlsReadRecord(c *tls.STDConn) error
+var tlsRegistry []func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error)

-//go:linkname tlsHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
-func tlsHandlePostHandshakeMessage(c *tls.STDConn) error
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := conn.(*tls.STDConn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return stdTLSReadRecord(tlsConn)
+			}, func() error {
+				return stdTLSHandlePostHandshakeMessage(tlsConn)
+			}
+	})
+}
+
+//go:linkname stdTLSReadRecord crypto/tls.(*Conn).readRecord
+func stdTLSReadRecord(c *tls.STDConn) error
+
+//go:linkname stdTLSHandlePostHandshakeMessage crypto/tls.(*Conn).handlePostHandshakeMessage
+func stdTLSHandlePostHandshakeMessage(c *tls.STDConn) error
--- a/common/badtls/read_wait_ech.go
+++ b/common/badtls/read_wait_ech.go
@@ -0,0 +1,31 @@
+//go:build go1.21 && !without_badtls && with_ech
+
+package badtls
+
+import (
+	"net"
+	_ "unsafe"
+
+	"github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/sing/common"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := common.Cast[*tls.Conn](conn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return echReadRecord(tlsConn)
+			}, func() error {
+				return echHandlePostHandshakeMessage(tlsConn)
+			}
+	})
+}
+
+//go:linkname echReadRecord github.com/sagernet/cloudflare-tls.(*Conn).readRecord
+func echReadRecord(c *tls.Conn) error
+
+//go:linkname echHandlePostHandshakeMessage github.com/sagernet/cloudflare-tls.(*Conn).handlePostHandshakeMessage
+func echHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/badtls/read_wait_utls.go
+++ b/common/badtls/read_wait_utls.go
@@ -0,0 +1,31 @@
+//go:build go1.21 && !without_badtls && with_utls
+
+package badtls
+
+import (
+	"net"
+	_ "unsafe"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/utls"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
+		tlsConn, loaded := common.Cast[*tls.UConn](conn)
+		if !loaded {
+			return
+		}
+		return true, func() error {
+				return utlsReadRecord(tlsConn.Conn)
+			}, func() error {
+				return utlsHandlePostHandshakeMessage(tlsConn.Conn)
+			}
+	})
+}
+
+//go:linkname utlsReadRecord github.com/sagernet/utls.(*Conn).readRecord
+func utlsReadRecord(c *tls.Conn) error
+
+//go:linkname utlsHandlePostHandshakeMessage github.com/sagernet/utls.(*Conn).handlePostHandshakeMessage
+func utlsHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/process/searcher_windows.go
+++ b/common/process/searcher_windows.go
@@ -223,7 +223,7 @@ func getExecPathFromPID(pid uint32) (string, error) {
 	r1, _, err := syscall.SyscallN(
 		procQueryFullProcessImageNameW.Addr(),
 		uintptr(h),
-		uintptr(1),
+		uintptr(0),
 		uintptr(unsafe.Pointer(&buf[0])),
 		uintptr(unsafe.Pointer(&size)),
 	)
--- a/docs/migration.md
+++ b/docs/migration.md
@@ -2,6 +2,28 @@
 icon: material/arrange-bring-forward
 ---

+## 1.9.0
+
+!!! warning "Unstable"
+
+    This version is still under development, and the following migration guide may be changed in the future.
+
+### `domain_suffix` behavior update
+
+For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects.
+
+sing-box 1.9.0 modifies the behavior of `domain_suffix`: If the rule value is prefixed with `.`,
+the behavior is unchanged, otherwise it matches `(domain|.+\.domain)` instead.
+
+### `process_path` format update on Windows
+
+The `process_path` rule of sing-box is inherited from Clash,
+the original code uses the local system's path format (e.g. `\Device\HarddiskVolume1\folder\program.exe`),
+but when the device has multiple disks, the HarddiskVolume serial number is not stable.
+
+sing-box 1.9.0 make QueryFullProcessImageNameW output a Win32 path (such as `C:\folder\program.exe`),
+which will disrupt the existing `process_path` use cases in Windows.
+
 ## 1.8.0

 ### :material-close-box: Migrate cache file from Clash API to independent options
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@@ -2,6 +2,27 @@
 icon: material/arrange-bring-forward
 ---

+## 1.9.0
+
+!!! warning "不稳定的"
+
+    该版本仍在开发中，迁移指南可能将在未来更改。
+
+### `domain_suffix` 行为更新
+
+由于历史原因，sing-box 的 `domain_suffix` 规则匹配字面前缀，而不与其他项目相同。
+
+sing-box 1.9.0 修改了 `domain_suffix` 的行为：如果规则值以 `.` 为前缀则行为不变，否则改为匹配 `(domain|.+\.domain)`。
+
+### 对 Windows 上 `process_path` 格式的更新
+
+sing-box 的 `process_path` 规则继承自Clash，
+原始代码使用本地系统的路径格式（例如 `\Device\HarddiskVolume1\folder\program.exe`），
+但是当设备有多个硬盘时，该 HarddiskVolume 系列号并不稳定。
+
+sing-box 1.9.0 使 QueryFullProcessImageNameW 输出 Win32 路径（如 `C:\folder\program.exe`），
+这将会破坏现有的 Windows `process_path` 用例。
+
 ## 1.8.0

 ### :material-close-box: 将缓存文件从 Clash API 迁移到独立选项
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.20
 require (
 	berty.tech/go-libtor v1.0.385
 	github.com/caddyserver/certmagic v0.20.0
-	github.com/cloudflare/circl v1.3.6
+	github.com/cloudflare/circl v1.3.7
 	github.com/cretz/bine v0.2.0
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/go-chi/chi/v5 v5.0.11
@@ -26,7 +26,7 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20231209105102-8d27a30e436e
 	github.com/sagernet/quic-go v0.40.1-beta.2
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.3.0-rc.7
+	github.com/sagernet/sing v0.3.0-rc.7.0.20240105061852-782bc05c5573
 	github.com/sagernet/sing-dns v0.1.12
 	github.com/sagernet/sing-mux v0.1.8-rc.1
 	github.com/sagernet/sing-quic v0.1.7-rc.2
--- a/go.sum
+++ b/go.sum
@@ -6,8 +6,8 @@ github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sx
 github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
-github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg=
-github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
@@ -109,8 +109,8 @@ github.com/sagernet/quic-go v0.40.1-beta.2/go.mod h1:CcKTpzTAISxrM4PA5M20/wYuz9T
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.2.18/go.mod h1:OL6k2F0vHmEzXz2KW19qQzu172FDgSbUSODylighuVo=
-github.com/sagernet/sing v0.3.0-rc.7 h1:FmnzFRYC6usVgWf112cUxiexwvL+iAurKmCL4Axa9+A=
-github.com/sagernet/sing v0.3.0-rc.7/go.mod h1:9pfuAH6mZfgnz/YjP6xu5sxx882rfyjpcrTdUpd6w3g=
+github.com/sagernet/sing v0.3.0-rc.7.0.20240105061852-782bc05c5573 h1:aBpX3AIQ6jfIFBj4Gwofd3jZc2s1dC6/ChoyUOglyrc=
+github.com/sagernet/sing v0.3.0-rc.7.0.20240105061852-782bc05c5573/go.mod h1:9pfuAH6mZfgnz/YjP6xu5sxx882rfyjpcrTdUpd6w3g=
 github.com/sagernet/sing-dns v0.1.12 h1:1HqZ+ln+Rezx/aJMStaS0d7oPeX2EobSV1NT537kyj4=
 github.com/sagernet/sing-dns v0.1.12/go.mod h1:rx/DTOisneQpCgNQ4jbFU/JNEtnz0lYcHXenlVzpjEU=
 github.com/sagernet/sing-mux v0.1.8-rc.1 h1:5dsZgWmNr9W6JzQj4fb3xX2pMP0OyJH6kVtlqc2kFKA=
Author	SHA1	Message	Date
dependabot[bot]	e3eaa01c68	Bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.6 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.3.6...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-01-08 16:52:54 +00:00
世界	f91a90cad8	Improve domain suffix match behavior For historical reasons, sing-box's `domain_suffix` rule matches literal prefixes instead of the same as other projects. This change modifies the behavior of `domain_suffix`: If the rule value is prefixed with `.`, the behavior is unchanged, otherwise it matches `(domain\|.+\.domain)` instead.	2024-01-05 14:31:06 +08:00
世界	62ac3c8e32	Remove `PROCESS_NAME_NATIVE` dwFlag in process query output The `process_path` rule of sing-box is inherited from Clash, the original code uses the local system's path format (e.g. `\Device\HarddiskVolume1\folder\program.exe`), but when the device has multiple disks, the HarddiskVolume serial number is not stable. This change make QueryFullProcessImageNameW output a Win32 path (such as `C:\folder\program.exe`), which will disrupt the existing `process_path` use cases in Windows.	2024-01-05 14:06:15 +08:00
世界	1ce8ae6cd5	badtls: Support uTLS and TLS ECH for read waiter	2024-01-05 13:48:06 +08:00