VLESS protocol: Add lightweight, Post-Quantum ML-KEM-768-based PFS 1-RTT / anti-replay 0-RTT AEAD Encryption

common/protocol/headers.go

@@ -79,20 +79,18 @@ type CommandSwitchAccount struct {
 }
 
 var (
-	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+	// Keep in sync with crypto/tls/cipher_suites.go.
+	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ && cpu.X86.HasSSE41 && cpu.X86.HasSSSE3
 	hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-	// Keep in sync with crypto/aes/cipher_s390x.go.
-	hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR &&
-		(cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
+	hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCTR && cpu.S390X.HasGHASH
+	hasGCMAsmPPC64 = runtime.GOARCH == "ppc64" || runtime.GOARCH == "ppc64le"
 
-	hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 ||
-		runtime.GOARCH == "arm64" && hasGCMAsmARM64 ||
-		runtime.GOARCH == "s390x" && hasGCMAsmS390X
+	HasAESGCMHardwareSupport = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X || hasGCMAsmPPC64
 )
 
 func (sc *SecurityConfig) GetSecurityType() SecurityType {
 	if sc == nil || sc.Type == SecurityType_AUTO {
-		if hasAESGCMHardwareSupport {
+		if HasAESGCMHardwareSupport {
 			return SecurityType_AES128_GCM
 		}
 		return SecurityType_CHACHA20_POLY1305

infra/conf/vless.go

@@ -1,6 +1,7 @@
 package conf
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"path/filepath"
 	"runtime"
@@ -68,10 +69,45 @@ func (c *VLessInboundConfig) Build() (proto.Message, error) {
 		config.Clients[idx] = user
 	}
 
-	if c.Decryption != "none" {
-		return nil, errors.New(`VLESS settings: please add/set "decryption":"none" to every settings`)
-	}
 	config.Decryption = c.Decryption
+	if !func() bool {
+		s := strings.Split(config.Decryption, ".")
+		if len(s) < 4 || s[0] != "mlkem768x25519plus" {
+			return false
+		}
+		switch s[1] {
+		case "native":
+		case "xorpub":
+			config.XorMode = 1
+		case "random":
+			config.XorMode = 2
+		default:
+			return false
+		}
+		if s[2] != "1rtt" {
+			t := strings.TrimSuffix(s[2], "s")
+			if t == s[2] {
+				return false
+			}
+			i, err := strconv.Atoi(t)
+			if err != nil {
+				return false
+			}
+			config.Seconds = uint32(i)
+		}
+		for i := 3; i < len(s); i++ {
+			if b, _ := base64.RawURLEncoding.DecodeString(s[i]); len(b) != 32 && len(b) != 64 {
+				return false
+			}
+		}
+		config.Decryption = config.Decryption[27+len(s[2]):]
+		return true
+	}() && config.Decryption != "none" {
+		if config.Decryption == "" {
+			return nil, errors.New(`VLESS settings: please add/set "decryption":"none" to every settings`)
+		}
+		return nil, errors.New(`VLESS settings: unsupported "decryption": ` + config.Decryption)
+	}
 
 	for _, fb := range c.Fallbacks {
 		var i uint16
@@ -143,16 +179,16 @@ type VLessOutboundConfig struct {
 func (c *VLessOutboundConfig) Build() (proto.Message, error) {
 	config := new(outbound.Config)
 
-	if len(c.Vnext) == 0 {
-		return nil, errors.New(`VLESS settings: "vnext" is empty`)
+	if len(c.Vnext) != 1 {
+		return nil, errors.New(`VLESS settings: "vnext" should have one and only one member`)
 	}
 	config.Vnext = make([]*protocol.ServerEndpoint, len(c.Vnext))
 	for idx, rec := range c.Vnext {
 		if rec.Address == nil {
 			return nil, errors.New(`VLESS vnext: "address" is not set`)
 		}
-		if len(rec.Users) == 0 {
-			return nil, errors.New(`VLESS vnext: "users" is empty`)
+		if len(rec.Users) != 1 {
+			return nil, errors.New(`VLESS vnext: "users" should have one and only one member`)
 		}
 		spec := &protocol.ServerEndpoint{
 			Address: rec.Address.Build(),
@@ -181,8 +217,39 @@ func (c *VLessOutboundConfig) Build() (proto.Message, error) {
 				return nil, errors.New(`VLESS users: "flow" doesn't support "` + account.Flow + `" in this version`)
 			}
 
-			if account.Encryption != "none" {
-				return nil, errors.New(`VLESS users: please add/set "encryption":"none" for every user`)
+			if !func() bool {
+				s := strings.Split(account.Encryption, ".")
+				if len(s) < 4 || s[0] != "mlkem768x25519plus" {
+					return false
+				}
+				switch s[1] {
+				case "native":
+				case "xorpub":
+					account.XorMode = 1
+				case "random":
+					account.XorMode = 2
+				default:
+					return false
+				}
+				switch s[2] {
+				case "1rtt":
+				case "0rtt":
+					account.Seconds = 1
+				default:
+					return false
+				}
+				for i := 3; i < len(s); i++ {
+					if b, _ := base64.RawURLEncoding.DecodeString(s[i]); len(b) != 32 && len(b) != 1184 {
+						return false
+					}
+				}
+				account.Encryption = account.Encryption[27+len(s[2]):]
+				return true
+			}() && account.Encryption != "none" {
+				if account.Encryption == "" {
+					return nil, errors.New(`VLESS users: please add/set "encryption":"none" for every user`)
+				}
+				return nil, errors.New(`VLESS users: unsupported "encryption": ` + account.Encryption)
 			}
 
 			user.Account = serial.ToTypedMessage(account)

main/commands/all/commands.go

@@ -17,5 +17,6 @@ func init() {
 		cmdX25519,
 		cmdWG,
 		cmdMLDSA65,
+		cmdMLKEM768,
 	)
 }

main/commands/all/curve25519.go

@@ -1,58 +1,51 @@
 package all
 
 import (
+	"crypto/ecdh"
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
 
-	"golang.org/x/crypto/curve25519"
+	"lukechampine.com/blake3"
 )
 
 func Curve25519Genkey(StdEncoding bool, input_base64 string) {
-	var output string
-	var err error
-	var privateKey, publicKey []byte
 	var encoding *base64.Encoding
 	if *input_stdEncoding || StdEncoding {
 		encoding = base64.StdEncoding
 	} else {
 		encoding = base64.RawURLEncoding
 	}
 
+	var privateKey []byte
 	if len(input_base64) > 0 {
-		privateKey, err = encoding.DecodeString(input_base64)
-		if err != nil {
-			output = err.Error()
-			goto out
-		}
-		if len(privateKey) != curve25519.ScalarSize {
-			output = "Invalid length of private key."
-			goto out
+		privateKey, _ = encoding.DecodeString(input_base64)
+		if len(privateKey) != 32 {
+			fmt.Println("Invalid length of X25519 private key.")
+			return
 		}
 	}
-
 	if privateKey == nil {
-		privateKey = make([]byte, curve25519.ScalarSize)
-		if _, err = rand.Read(privateKey); err != nil {
-			output = err.Error()
-			goto out
-		}
+		privateKey = make([]byte, 32)
+		rand.Read(privateKey)
 	}
 
 	// Modify random bytes using algorithm described at:
-	// https://cr.yp.to/ecdh.html.
+	// https://cr.yp.to/ecdh.html
+	// (Just to make sure printing the real private key)
 	privateKey[0] &= 248
 	privateKey[31] &= 127
 	privateKey[31] |= 64
 
-	if publicKey, err = curve25519.X25519(privateKey, curve25519.Basepoint); err != nil {
-		output = err.Error()
-		goto out
+	key, err := ecdh.X25519().NewPrivateKey(privateKey)
+	if err != nil {
+		fmt.Println(err.Error())
+		return
 	}
-
-	output = fmt.Sprintf("Private key: %v\nPublic key: %v",
+	password := key.PublicKey().Bytes()
+	hash32 := blake3.Sum256(password)
+	fmt.Printf("PrivateKey: %v\nPassword: %v\nHash32: %v",
 		encoding.EncodeToString(privateKey),
-		encoding.EncodeToString(publicKey))
-out:
-	fmt.Println(output)
+		encoding.EncodeToString(password),
+		encoding.EncodeToString(hash32[:]))
 }

main/commands/all/mldsa65.go

@@ -11,9 +11,9 @@ import (
 
 var cmdMLDSA65 = &base.Command{
 	UsageLine: `{{.Exec}} mldsa65 [-i "seed (base64.RawURLEncoding)"]`,
-	Short:     `Generate key pair for ML-DSA-65 post-quantum signature`,
+	Short:     `Generate key pair for ML-DSA-65 post-quantum signature (REALITY)`,
 	Long: `
-Generate key pair for ML-DSA-65 post-quantum signature.
+Generate key pair for ML-DSA-65 post-quantum signature (REALITY).
 
 Random: {{.Exec}} mldsa65
 
@@ -25,12 +25,16 @@ func init() {
 	cmdMLDSA65.Run = executeMLDSA65 // break init loop
 }
 
-var input_seed = cmdMLDSA65.Flag.String("i", "", "")
+var input_mldsa65 = cmdMLDSA65.Flag.String("i", "", "")
 
 func executeMLDSA65(cmd *base.Command, args []string) {
 	var seed [32]byte
-	if len(*input_seed) > 0 {
-		s, _ := base64.RawURLEncoding.DecodeString(*input_seed)
+	if len(*input_mldsa65) > 0 {
+		s, _ := base64.RawURLEncoding.DecodeString(*input_mldsa65)
+		if len(s) != 32 {
+			fmt.Println("Invalid length of ML-DSA-65 seed.")
+			return
+		}
 		seed = [32]byte(s)
 	} else {
 		rand.Read(seed[:])

main/commands/all/mlkem768.go

@@ -0,0 +1,50 @@
+package all
+
+import (
+	"crypto/mlkem"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/xtls/xray-core/main/commands/base"
+	"lukechampine.com/blake3"
+)
+
+var cmdMLKEM768 = &base.Command{
+	UsageLine: `{{.Exec}} mlkem768 [-i "seed (base64.RawURLEncoding)"]`,
+	Short:     `Generate key pair for ML-KEM-768 post-quantum key exchange (VLESS)`,
+	Long: `
+Generate key pair for ML-KEM-768 post-quantum key exchange (VLESS).
+
+Random: {{.Exec}} mlkem768
+
+From seed: {{.Exec}} mlkem768 -i "seed (base64.RawURLEncoding)"
+`,
+}
+
+func init() {
+	cmdMLKEM768.Run = executeMLKEM768 // break init loop
+}
+
+var input_mlkem768 = cmdMLKEM768.Flag.String("i", "", "")
+
+func executeMLKEM768(cmd *base.Command, args []string) {
+	var seed [64]byte
+	if len(*input_mlkem768) > 0 {
+		s, _ := base64.RawURLEncoding.DecodeString(*input_mlkem768)
+		if len(s) != 64 {
+			fmt.Println("Invalid length of ML-KEM-768 seed.")
+			return
+		}
+		seed = [64]byte(s)
+	} else {
+		rand.Read(seed[:])
+	}
+	key, _ := mlkem.NewDecapsulationKey768(seed[:])
+	client := key.EncapsulationKey().Bytes()
+	hash32 := blake3.Sum256(client)
+	fmt.Printf("Seed: %v\nClient: %v\nHash32: %v",
+		base64.RawURLEncoding.EncodeToString(seed[:]),
+		base64.RawURLEncoding.EncodeToString(client),
+		base64.RawURLEncoding.EncodeToString(hash32[:]))
+}

main/commands/all/uuid.go

@@ -9,9 +9,9 @@ import (
 
 var cmdUUID = &base.Command{
 	UsageLine: `{{.Exec}} uuid [-i "example"]`,
-	Short:     `Generate UUIDv4 or UUIDv5`,
+	Short:     `Generate UUIDv4 or UUIDv5 (VLESS)`,
 	Long: `
-Generate UUIDv4 or UUIDv5.
+Generate UUIDv4 or UUIDv5 (VLESS).
 
 UUIDv4 (random): {{.Exec}} uuid
 

main/commands/all/wg.go

@@ -6,9 +6,9 @@ import (
 
 var cmdWG = &base.Command{
 	UsageLine: `{{.Exec}} wg [-i "private key (base64.StdEncoding)"]`,
-	Short:     `Generate key pair for wireguard key exchange`,
+	Short:     `Generate key pair for X25519 key exchange (WireGuard)`,
 	Long: `
-Generate key pair for wireguard key exchange.
+Generate key pair for X25519 key exchange (WireGuard).
 
 Random: {{.Exec}} wg
 

main/commands/all/x25519.go

@@ -6,9 +6,9 @@ import (
 
 var cmdX25519 = &base.Command{
 	UsageLine: `{{.Exec}} x25519 [-i "private key (base64.RawURLEncoding)"] [--std-encoding]`,
-	Short:     `Generate key pair for x25519 key exchange`,
+	Short:     `Generate key pair for X25519 key exchange (VLESS, REALITY)`,
 	Long: `
-Generate key pair for x25519 key exchange.
+Generate key pair for X25519 key exchange (VLESS, REALITY).
 
 Random: {{.Exec}} x25519