Migrate to stdlib ECH support

2025-02-22 08:00:59 +08:00
parent e5d12c9b72
commit 1c4bcefa8f
34 changed files with 667 additions and 897 deletions
--- a/common/badtls/read_wait_ech.go
+++ b/common/badtls/read_wait_ech.go
@@ -1,31 +0,0 @@
-//go:build go1.21 && !without_badtls && with_ech
-
-package badtls
-
-import (
-	"net"
-	_ "unsafe"
-
-	"github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/sing/common"
-)
-
-func init() {
-	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, tlsReadRecord func() error, tlsHandlePostHandshakeMessage func() error) {
-		tlsConn, loaded := common.Cast[*tls.Conn](conn)
-		if !loaded {
-			return
-		}
-		return true, func() error {
-				return echReadRecord(tlsConn)
-			}, func() error {
-				return echHandlePostHandshakeMessage(tlsConn)
-			}
-	})
-}
-
-//go:linkname echReadRecord github.com/sagernet/cloudflare-tls.(*Conn).readRecord
-func echReadRecord(c *tls.Conn) error
-
-//go:linkname echHandlePostHandshakeMessage github.com/sagernet/cloudflare-tls.(*Conn).handlePostHandshakeMessage
-func echHandlePostHandshakeMessage(c *tls.Conn) error
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -29,15 +29,12 @@ func NewClient(ctx context.Context, serverAddress string, options option.Outboun
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(ctx, serverAddress, options)
-	} else if options.Reality != nil && options.Reality.Enabled {
+	if options.Reality != nil && options.Reality.Enabled {
 		return NewRealityClient(ctx, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
 		return NewUTLSClient(ctx, serverAddress, options)
-	} else {
-		return NewSTDClient(ctx, serverAddress, options)
 	}
+	return NewSTDClient(ctx, serverAddress, options)
 }

 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
--- a/common/tls/ech.go
+++ b/common/tls/ech.go
@@ -0,0 +1,174 @@
+//go:build go1.24
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/pem"
+	"net"
+	"os"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/dns"
+	"github.com/sagernet/sing-box/experimental/deprecated"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	aTLS "github.com/sagernet/sing/common/tls"
+	"github.com/sagernet/sing/service"
+
+	mDNS "github.com/miekg/dns"
+	"golang.org/x/crypto/cryptobyte"
+)
+
+func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
+	var echConfig []byte
+	if len(options.ECH.Config) > 0 {
+		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
+	} else if options.ECH.ConfigPath != "" {
+		content, err := os.ReadFile(options.ECH.ConfigPath)
+		if err != nil {
+			return nil, E.Cause(err, "read ECH config")
+		}
+		echConfig = content
+	}
+	//nolint:staticcheck
+	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+	}
+	if len(echConfig) > 0 {
+		block, rest := pem.Decode(echConfig)
+		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
+			return nil, E.New("invalid ECH configs pem")
+		}
+		tlsConfig.EncryptedClientHelloConfigList = block.Bytes
+		return &STDClientConfig{tlsConfig}, nil
+	} else {
+		return &STDECHClientConfig{STDClientConfig{tlsConfig}, service.FromContext[adapter.DNSRouter](ctx)}, nil
+	}
+}
+
+func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions, tlsConfig *tls.Config, echKeyPath *string) error {
+	var echKey []byte
+	if len(options.ECH.Key) > 0 {
+		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
+	} else if options.ECH.KeyPath != "" {
+		content, err := os.ReadFile(options.ECH.KeyPath)
+		if err != nil {
+			return E.Cause(err, "read ECH keys")
+		}
+		echKey = content
+		*echKeyPath = options.ECH.KeyPath
+	} else {
+		return E.New("missing ECH keys")
+	}
+	block, rest := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return E.Cause(err, "parse ECH keys")
+	}
+	tlsConfig.EncryptedClientHelloKeys = echKeys
+	//nolint:staticcheck
+	if options.ECH.PQSignatureSchemesEnabled || options.ECH.DynamicRecordSizingDisabled {
+		deprecated.Report(ctx, deprecated.OptionLegacyECHOptions)
+	}
+	return nil
+}
+
+func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
+	echKey, err := os.ReadFile(echKeyPath)
+	if err != nil {
+		return E.Cause(err, "reload ECH keys from ", echKeyPath)
+	}
+	block, _ := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return E.Cause(err, "parse ECH keys")
+	}
+	tlsConfig.EncryptedClientHelloKeys = echKeys
+	return nil
+}
+
+type STDECHClientConfig struct {
+	STDClientConfig
+	dnsRouter adapter.DNSRouter
+}
+
+func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+	if len(s.config.EncryptedClientHelloConfigList) == 0 {
+		message := &mDNS.Msg{
+			MsgHdr: mDNS.MsgHdr{
+				RecursionDesired: true,
+			},
+			Question: []mDNS.Question{
+				{
+					Name:   mDNS.Fqdn(s.config.ServerName),
+					Qtype:  mDNS.TypeHTTPS,
+					Qclass: mDNS.ClassINET,
+				},
+			},
+		}
+		response, err := s.dnsRouter.Exchange(ctx, message, adapter.DNSQueryOptions{})
+		if err != nil {
+			return nil, E.Cause(err, "fetch ECH config list")
+		}
+		if response.Rcode != mDNS.RcodeSuccess {
+			return nil, E.Cause(dns.RcodeError(response.Rcode), "fetch ECH config list")
+		}
+		for _, rr := range response.Answer {
+			switch resource := rr.(type) {
+			case *mDNS.HTTPS:
+				for _, value := range resource.Value {
+					if value.Key().String() == "ech" {
+						echConfigList, err := base64.StdEncoding.DecodeString(value.String())
+						if err != nil {
+							return nil, E.Cause(err, "decode ECH config")
+						}
+						s.config.EncryptedClientHelloConfigList = echConfigList
+					}
+				}
+			}
+		}
+		return nil, E.New("no ECH config found in DNS records")
+	}
+	tlsConn, err := s.Client(conn)
+	if err != nil {
+		return nil, err
+	}
+	err = tlsConn.HandshakeContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return tlsConn, nil
+}
+
+func (s *STDECHClientConfig) Clone() Config {
+	return &STDECHClientConfig{STDClientConfig{s.config.Clone()}, s.dnsRouter}
+}
+
+func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {
+	var keys []tls.EncryptedClientHelloKey
+	rawString := cryptobyte.String(raw)
+	for !rawString.Empty() {
+		var key tls.EncryptedClientHelloKey
+		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.PrivateKey)) {
+			return nil, E.New("error parsing private key")
+		}
+		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.Config)) {
+			return nil, E.New("error parsing config")
+		}
+		keys = append(keys, key)
+	}
+	if len(keys) == 0 {
+		return nil, E.New("empty ECH keys")
+	}
+	return keys, nil
+}
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -1,244 +0,0 @@
-//go:build with_ech
-
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"net"
-	"net/netip"
-	"os"
-	"strings"
-
-	cftls "github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/dns"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
-	"github.com/sagernet/sing/service"
-
-	mDNS "github.com/miekg/dns"
-)
-
-type echClientConfig struct {
-	config *cftls.Config
-}
-
-func (c *echClientConfig) ServerName() string {
-	return c.config.ServerName
-}
-
-func (c *echClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
-}
-
-func (c *echClientConfig) NextProtos() []string {
-	return c.config.NextProtos
-}
-
-func (c *echClientConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
-}
-
-func (c *echClientConfig) Config() (*STDConfig, error) {
-	return nil, E.New("unsupported usage for ECH")
-}
-
-func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
-}
-
-func (c *echClientConfig) Clone() Config {
-	return &echClientConfig{
-		config: c.config.Clone(),
-	}
-}
-
-type echConnWrapper struct {
-	*cftls.Conn
-}
-
-func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
-	state := c.Conn.ConnectionState()
-	//nolint:staticcheck
-	return tls.ConnectionState{
-		Version:                     state.Version,
-		HandshakeComplete:           state.HandshakeComplete,
-		DidResume:                   state.DidResume,
-		CipherSuite:                 state.CipherSuite,
-		NegotiatedProtocol:          state.NegotiatedProtocol,
-		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
-		ServerName:                  state.ServerName,
-		PeerCertificates:            state.PeerCertificates,
-		VerifiedChains:              state.VerifiedChains,
-		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
-		OCSPResponse:                state.OCSPResponse,
-		TLSUnique:                   state.TLSUnique,
-	}
-}
-
-func (c *echConnWrapper) Upstream() any {
-	return c.Conn
-}
-
-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	var serverName string
-	if options.ServerName != "" {
-		serverName = options.ServerName
-	} else if serverAddress != "" {
-		if _, err := netip.ParseAddr(serverName); err != nil {
-			serverName = serverAddress
-		}
-	}
-	if serverName == "" && !options.Insecure {
-		return nil, E.New("missing server_name or insecure=true")
-	}
-
-	var tlsConfig cftls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
-	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	if options.DisableSNI {
-		tlsConfig.ServerName = "127.0.0.1"
-	} else {
-		tlsConfig.ServerName = serverName
-	}
-	if options.Insecure {
-		tlsConfig.InsecureSkipVerify = options.Insecure
-	} else if options.DisableSNI {
-		tlsConfig.InsecureSkipVerify = true
-		tlsConfig.VerifyConnection = func(state cftls.ConnectionState) error {
-			verifyOptions := x509.VerifyOptions{
-				DNSName:       serverName,
-				Intermediates: x509.NewCertPool(),
-			}
-			for _, cert := range state.PeerCertificates[1:] {
-				verifyOptions.Intermediates.AddCert(cert)
-			}
-			_, err := state.PeerCertificates[0].Verify(verifyOptions)
-			return err
-		}
-	}
-	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = options.ALPN
-	}
-	if options.MinVersion != "" {
-		minVersion, err := ParseTLSVersion(options.MinVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse min_version")
-		}
-		tlsConfig.MinVersion = minVersion
-	}
-	if options.MaxVersion != "" {
-		maxVersion, err := ParseTLSVersion(options.MaxVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse max_version")
-		}
-		tlsConfig.MaxVersion = maxVersion
-	}
-	if options.CipherSuites != nil {
-	find:
-		for _, cipherSuite := range options.CipherSuites {
-			for _, tlsCipherSuite := range cftls.CipherSuites() {
-				if cipherSuite == tlsCipherSuite.Name {
-					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
-					continue find
-				}
-			}
-			return nil, E.New("unknown cipher_suite: ", cipherSuite)
-		}
-	}
-	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
-	} else if options.CertificatePath != "" {
-		content, err := os.ReadFile(options.CertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read certificate")
-		}
-		certificate = content
-	}
-	if len(certificate) > 0 {
-		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(certificate) {
-			return nil, E.New("failed to parse certificate:\n\n", certificate)
-		}
-		tlsConfig.RootCAs = certPool
-	}
-
-	// ECH Config
-
-	tlsConfig.ECHEnabled = true
-	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
-	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-
-	var echConfig []byte
-	if len(options.ECH.Config) > 0 {
-		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
-	} else if options.ECH.ConfigPath != "" {
-		content, err := os.ReadFile(options.ECH.ConfigPath)
-		if err != nil {
-			return nil, E.Cause(err, "read ECH config")
-		}
-		echConfig = content
-	}
-
-	if len(echConfig) > 0 {
-		block, rest := pem.Decode(echConfig)
-		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
-			return nil, E.New("invalid ECH configs pem")
-		}
-		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
-		if err != nil {
-			return nil, E.Cause(err, "parse ECH configs")
-		}
-		tlsConfig.ClientECHConfigs = echConfigs
-	} else {
-		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
-	}
-	return &echClientConfig{&tlsConfig}, nil
-}
-
-func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
-	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
-		message := &mDNS.Msg{
-			MsgHdr: mDNS.MsgHdr{
-				RecursionDesired: true,
-			},
-			Question: []mDNS.Question{
-				{
-					Name:   serverName + ".",
-					Qtype:  mDNS.TypeHTTPS,
-					Qclass: mDNS.ClassINET,
-				},
-			},
-		}
-		response, err := service.FromContext[adapter.DNSRouter](ctx).Exchange(ctx, message, adapter.DNSQueryOptions{})
-		if err != nil {
-			return nil, err
-		}
-		if response.Rcode != mDNS.RcodeSuccess {
-			return nil, dns.RcodeError(response.Rcode)
-		}
-		for _, rr := range response.Answer {
-			switch resource := rr.(type) {
-			case *mDNS.HTTPS:
-				for _, value := range resource.Value {
-					if value.Key().String() == "ech" {
-						echConfig, err := base64.StdEncoding.DecodeString(value.String())
-						if err != nil {
-							return nil, E.Cause(err, "decode ECH config")
-						}
-						return cftls.UnmarshalECHConfigs(echConfig)
-					}
-				}
-			default:
-				return nil, E.New("unknown resource record type: ", resource.Header().Rrtype)
-			}
-		}
-		return nil, E.New("no ECH config found")
-	}
-}
--- a/common/tls/ech_keygen.go
+++ b/common/tls/ech_keygen.go
@@ -1,5 +1,3 @@
-//go:build with_ech
-
 package tls

 import (
@@ -7,14 +5,13 @@ import (
 	"encoding/binary"
 	"encoding/pem"

-	cftls "github.com/sagernet/cloudflare-tls"
 	E "github.com/sagernet/sing/common/exceptions"

 	"github.com/cloudflare/circl/hpke"
 	"github.com/cloudflare/circl/kem"
 )

-func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+func ECHKeygenDefault(serverName string) (configPem string, keyPem string, err error) {
 	cipherSuites := []echCipherSuite{
 		{
 			kdf:  hpke.KDF_HKDF_SHA256,
@@ -24,13 +21,9 @@ func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (config
 			aead: hpke.AEAD_ChaCha20Poly1305,
 		},
 	}
-
 	keyConfig := []myECHKeyConfig{
 		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
 	}
-	if pqSignatureSchemesEnabled {
-		keyConfig = append(keyConfig, myECHKeyConfig{id: 1, kem: hpke.KEM_X25519_KYBER768_DRAFT00})
-	}

 	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
 	if err != nil {
@@ -59,7 +52,6 @@ func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (config

 type echKeyConfigPair struct {
 	id      uint8
-	key     cftls.EXP_ECHKey
 	rawKey  []byte
 	conf    myECHKeyConfig
 	rawConf []byte
@@ -155,15 +147,6 @@ func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite [
 		sk = append(sk, secBuf...)
 		sk = be.AppendUint16(sk, uint16(len(b)))
 		sk = append(sk, b...)
-
-		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
-		if err != nil {
-			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
-		}
-		if len(cfECHKeys) != 1 {
-			return nil, E.New("bug: unexpected server key count")
-		}
-		pair.key = cfECHKeys[0]
 		pair.rawKey = sk

 		pairs = append(pairs, pair)
--- a/common/tls/ech_quic.go
+++ b/common/tls/ech_quic.go
@@ -1,55 +0,0 @@
-//go:build with_quic && with_ech
-
-package tls
-
-import (
-	"context"
-	"net"
-	"net/http"
-
-	"github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/quic-go/ech"
-	"github.com/sagernet/quic-go/http3_ech"
-	"github.com/sagernet/sing-quic"
-	M "github.com/sagernet/sing/common/metadata"
-)
-
-var (
-	_ qtls.Config       = (*echClientConfig)(nil)
-	_ qtls.ServerConfig = (*echServerConfig)(nil)
-)
-
-func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
-	return quic.Dial(ctx, conn, addr, c.config, config)
-}
-
-func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error) {
-	return quic.DialEarly(ctx, conn, addr, c.config, config)
-}
-
-func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config) http.RoundTripper {
-	return &http3.Transport{
-		TLSClientConfig: c.config,
-		QUICConfig:      quicConfig,
-		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
-			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
-			if err != nil {
-				return nil, err
-			}
-			*quicConnPtr = quicConn
-			return quicConn, nil
-		},
-	}
-}
-
-func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
-	return quic.Listen(conn, c.config, config)
-}
-
-func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
-	return quic.ListenEarly(conn, c.config, config)
-}
-
-func (c *echServerConfig) ConfigureHTTP3() {
-	http3.ConfigureTLSConfig(c.config)
-}
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@@ -1,278 +0,0 @@
-//go:build with_ech
-
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/pem"
-	"net"
-	"os"
-	"strings"
-
-	cftls "github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/fswatch"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
-)
-
-type echServerConfig struct {
-	config          *cftls.Config
-	logger          log.Logger
-	certificate     []byte
-	key             []byte
-	certificatePath string
-	keyPath         string
-	echKeyPath      string
-	watcher         *fswatch.Watcher
-}
-
-func (c *echServerConfig) ServerName() string {
-	return c.config.ServerName
-}
-
-func (c *echServerConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
-}
-
-func (c *echServerConfig) NextProtos() []string {
-	return c.config.NextProtos
-}
-
-func (c *echServerConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
-}
-
-func (c *echServerConfig) Config() (*STDConfig, error) {
-	return nil, E.New("unsupported usage for ECH")
-}
-
-func (c *echServerConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
-}
-
-func (c *echServerConfig) Server(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Server(conn, c.config)}, nil
-}
-
-func (c *echServerConfig) Clone() Config {
-	return &echServerConfig{
-		config: c.config.Clone(),
-	}
-}
-
-func (c *echServerConfig) Start() error {
-	err := c.startWatcher()
-	if err != nil {
-		c.logger.Warn("create credentials watcher: ", err)
-	}
-	return nil
-}
-
-func (c *echServerConfig) startWatcher() error {
-	var watchPath []string
-	if c.certificatePath != "" {
-		watchPath = append(watchPath, c.certificatePath)
-	}
-	if c.keyPath != "" {
-		watchPath = append(watchPath, c.keyPath)
-	}
-	if c.echKeyPath != "" {
-		watchPath = append(watchPath, c.echKeyPath)
-	}
-	if len(watchPath) == 0 {
-		return nil
-	}
-	watcher, err := fswatch.NewWatcher(fswatch.Options{
-		Path: watchPath,
-		Callback: func(path string) {
-			err := c.credentialsUpdated(path)
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload credentials"))
-			}
-		},
-	})
-	if err != nil {
-		return err
-	}
-	err = watcher.Start()
-	if err != nil {
-		return err
-	}
-	c.watcher = watcher
-	return nil
-}
-
-func (c *echServerConfig) credentialsUpdated(path string) error {
-	if path == c.certificatePath || path == c.keyPath {
-		if path == c.certificatePath {
-			certificate, err := os.ReadFile(c.certificatePath)
-			if err != nil {
-				return err
-			}
-			c.certificate = certificate
-		} else {
-			key, err := os.ReadFile(c.keyPath)
-			if err != nil {
-				return err
-			}
-			c.key = key
-		}
-		keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
-		if err != nil {
-			return E.Cause(err, "parse key pair")
-		}
-		c.config.Certificates = []cftls.Certificate{keyPair}
-		c.logger.Info("reloaded TLS certificate")
-	} else {
-		echKeyContent, err := os.ReadFile(c.echKeyPath)
-		if err != nil {
-			return err
-		}
-		block, rest := pem.Decode(echKeyContent)
-		if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-			return E.New("invalid ECH keys pem")
-		}
-		echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
-		if err != nil {
-			return E.Cause(err, "parse ECH keys")
-		}
-		echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
-		if err != nil {
-			return E.Cause(err, "create ECH key set")
-		}
-		c.config.ServerECHProvider = echKeySet
-		c.logger.Info("reloaded ECH keys")
-	}
-	return nil
-}
-
-func (c *echServerConfig) Close() error {
-	var err error
-	if c.watcher != nil {
-		err = E.Append(err, c.watcher.Close(), func(err error) error {
-			return E.Cause(err, "close credentials watcher")
-		})
-	}
-	return err
-}
-
-func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	if !options.Enabled {
-		return nil, nil
-	}
-	var tlsConfig cftls.Config
-	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		return nil, E.New("acme is unavailable in ech")
-	}
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
-	if options.ServerName != "" {
-		tlsConfig.ServerName = options.ServerName
-	}
-	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
-	}
-	if options.MinVersion != "" {
-		minVersion, err := ParseTLSVersion(options.MinVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse min_version")
-		}
-		tlsConfig.MinVersion = minVersion
-	}
-	if options.MaxVersion != "" {
-		maxVersion, err := ParseTLSVersion(options.MaxVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse max_version")
-		}
-		tlsConfig.MaxVersion = maxVersion
-	}
-	if options.CipherSuites != nil {
-	find:
-		for _, cipherSuite := range options.CipherSuites {
-			for _, tlsCipherSuite := range tls.CipherSuites() {
-				if cipherSuite == tlsCipherSuite.Name {
-					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
-					continue find
-				}
-			}
-			return nil, E.New("unknown cipher_suite: ", cipherSuite)
-		}
-	}
-	var certificate []byte
-	var key []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
-	} else if options.CertificatePath != "" {
-		content, err := os.ReadFile(options.CertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read certificate")
-		}
-		certificate = content
-	}
-	if len(options.Key) > 0 {
-		key = []byte(strings.Join(options.Key, "\n"))
-	} else if options.KeyPath != "" {
-		content, err := os.ReadFile(options.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read key")
-		}
-		key = content
-	}
-
-	if certificate == nil {
-		return nil, E.New("missing certificate")
-	} else if key == nil {
-		return nil, E.New("missing key")
-	}
-
-	keyPair, err := cftls.X509KeyPair(certificate, key)
-	if err != nil {
-		return nil, E.Cause(err, "parse x509 key pair")
-	}
-	tlsConfig.Certificates = []cftls.Certificate{keyPair}
-
-	var echKey []byte
-	if len(options.ECH.Key) > 0 {
-		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.ECH.KeyPath != "" {
-		content, err := os.ReadFile(options.ECH.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read ECH key")
-		}
-		echKey = content
-	} else {
-		return nil, E.New("missing ECH key")
-	}
-
-	block, rest := pem.Decode(echKey)
-	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-		return nil, E.New("invalid ECH keys pem")
-	}
-
-	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
-	if err != nil {
-		return nil, E.Cause(err, "parse ECH keys")
-	}
-
-	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
-	if err != nil {
-		return nil, E.Cause(err, "create ECH key set")
-	}
-
-	tlsConfig.ECHEnabled = true
-	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
-	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-	tlsConfig.ServerECHProvider = echKeySet
-
-	return &echServerConfig{
-		config:          &tlsConfig,
-		logger:          logger,
-		certificate:     certificate,
-		key:             key,
-		certificatePath: options.CertificatePath,
-		keyPath:         options.KeyPath,
-		echKeyPath:      options.ECH.KeyPath,
-	}, nil
-}
--- a/common/tls/ech_stub.go
+++ b/common/tls/ech_stub.go
@@ -1,25 +1,23 @@
-//go:build !with_ech
+//go:build !go1.24

 package tls

 import (
 	"context"
+	"crypto/tls"

-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )

-var errECHNotIncluded = E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
-
-func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return nil, errECHNotIncluded
+func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
+	return nil, E.New("ECH requires go1.24, please recompile your binary.")
 }

-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, errECHNotIncluded
+func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions, tlsConfig *tls.Config, echKeyPath *string) error {
+	return E.New("ECH requires go1.24, please recompile your binary.")
 }

-func ECHKeygenDefault(host string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
-	return "", "", errECHNotIncluded
+func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
+	return E.New("ECH requires go1.24, please recompile your binary.")
 }
--- a/common/tls/mkcert.go
+++ b/common/tls/mkcert.go
@@ -12,6 +12,9 @@ import (
 )

 func GenerateKeyPair(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
+	if timeFunc == nil {
+		timeFunc = time.Now
+	}
 	privateKeyPem, publicKeyPem, err := GenerateCertificate(parent, parentKey, timeFunc, serverName, timeFunc().Add(time.Hour))
 	if err != nil {
 		return nil, err
@@ -24,9 +27,6 @@ func GenerateKeyPair(parent *x509.Certificate, parentKey any, timeFunc func() ti
 }

 func GenerateCertificate(parent *x509.Certificate, parentKey any, timeFunc func() time.Time, serverName string, expire time.Time) (privateKeyPem []byte, publicKeyPem []byte, err error) {
-	if timeFunc == nil {
-		timeFunc = time.Now
-	}
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -16,13 +16,10 @@ func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLS
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHServer(ctx, logger, options)
-	} else if options.Reality != nil && options.Reality.Enabled {
+	if options.Reality != nil && options.Reality.Enabled {
 		return NewRealityServer(ctx, logger, options)
-	} else {
-		return NewSTDServer(ctx, logger, options)
 	}
+	return NewSTDServer(ctx, logger, options)
 }

 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -127,5 +127,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 		tlsConfig.RootCAs = certPool
 	}
+	if options.ECH != nil && options.ECH.Enabled {
+		return parseECHClientConfig(ctx, options, &tlsConfig)
+	}
 	return &STDClientConfig{&tlsConfig}, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -26,6 +26,7 @@ type STDServerConfig struct {
 	key             []byte
 	certificatePath string
 	keyPath         string
+	echKeyPath      string
 	watcher         *fswatch.Watcher
 }

@@ -94,6 +95,9 @@ func (c *STDServerConfig) startWatcher() error {
 	if c.keyPath != "" {
 		watchPath = append(watchPath, c.keyPath)
 	}
+	if c.echKeyPath != "" {
+		watchPath = append(watchPath, c.echKeyPath)
+	}
 	watcher, err := fswatch.NewWatcher(fswatch.Options{
 		Path: watchPath,
 		Callback: func(path string) {
@@ -115,25 +119,33 @@ func (c *STDServerConfig) startWatcher() error {
 }

 func (c *STDServerConfig) certificateUpdated(path string) error {
-	if path == c.certificatePath {
-		certificate, err := os.ReadFile(c.certificatePath)
-		if err != nil {
-			return E.Cause(err, "reload certificate from ", c.certificatePath)
+	if path == c.certificatePath || path == c.keyPath {
+		if path == c.certificatePath {
+			certificate, err := os.ReadFile(c.certificatePath)
+			if err != nil {
+				return E.Cause(err, "reload certificate from ", c.certificatePath)
+			}
+			c.certificate = certificate
+		} else if path == c.keyPath {
+			key, err := os.ReadFile(c.keyPath)
+			if err != nil {
+				return E.Cause(err, "reload key from ", c.keyPath)
+			}
+			c.key = key
 		}
-		c.certificate = certificate
-	} else if path == c.keyPath {
-		key, err := os.ReadFile(c.keyPath)
+		keyPair, err := tls.X509KeyPair(c.certificate, c.key)
 		if err != nil {
-			return E.Cause(err, "reload key from ", c.keyPath)
+			return E.Cause(err, "reload key pair")
 		}
-		c.key = key
+		c.config.Certificates = []tls.Certificate{keyPair}
+		c.logger.Info("reloaded TLS certificate")
+	} else if path == c.echKeyPath {
+		err := reloadECHKeys(c.echKeyPath, c.config)
+		if err != nil {
+			return err
+		}
+		c.logger.Info("reloaded ECH keys")
 	}
-	keyPair, err := tls.X509KeyPair(c.certificate, c.key)
-	if err != nil {
-		return E.Cause(err, "reload key pair")
-	}
-	c.config.Certificates = []tls.Certificate{keyPair}
-	c.logger.Info("reloaded TLS certificate")
 	return nil
 }

@@ -238,6 +250,13 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			tlsConfig.Certificates = []tls.Certificate{keyPair}
 		}
 	}
+	var echKeyPath string
+	if options.ECH != nil && options.ECH.Enabled {
+		err = parseECHServerConfig(ctx, options, tlsConfig, &echKeyPath)
+		if err != nil {
+			return nil, err
+		}
+	}
 	return &STDServerConfig{
 		config:          tlsConfig,
 		logger:          logger,
@@ -246,5 +265,6 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		key:             key,
 		certificatePath: options.CertificatePath,
 		keyPath:         options.KeyPath,
+		echKeyPath:      echKeyPath,
 	}, nil
 }