Add UDP-over-TCP (UoT) support to samizdat protocol

Tunnel UDP traffic over samizdat's TCP connections using the standard
sing UoT protocol, following the AnyTLS pattern. Inbound wraps the
router with uot.NewRouter to intercept the UoT magic address; outbound
adds a uot.Client backed by a samizdatDialer adapter so sing-box can
route both TCP and UDP through samizdat.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: myleshorton

protocol/samizdat/inbound.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/adapter/inbound"
+	"github.com/sagernet/sing-box/common/uot"
 	"github.com/sagernet/sing-box/log"
 	M "github.com/sagernet/sing/common/metadata"
 
@@ -30,7 +31,7 @@ type Inbound struct {
 	inbound.Adapter
 	ctx    context.Context
 	logger log.ContextLogger
-	router adapter.Router
+	router adapter.ConnectionRouterEx
 	server *samizdat.Server
 }
 
@@ -115,7 +116,7 @@ func NewInbound(
 		Adapter: inbound.NewAdapter(constant.TypeSamizdat, tag),
 		ctx:     ctx,
 		logger:  logger,
-		router:  router,
+		router:  uot.NewRouter(router, logger),
 	}
 
 	serverConfig := samizdat.ServerConfig{

protocol/samizdat/outbound.go

@@ -5,6 +5,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"net"
+	"os"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -14,6 +15,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/uot"
 
 	"github.com/getlantern/lantern-box/constant"
 	"github.com/getlantern/lantern-box/option"
@@ -29,10 +31,24 @@ func RegisterOutbound(registry *outbound.Registry) {
 // Outbound represents a Samizdat outbound adapter.
 type Outbound struct {
 	outbound.Adapter
-	logger logger.ContextLogger
+	logger    logger.ContextLogger
+	client    *samizdat.Client
+	uotClient *uot.Client
+}
+
+// samizdatDialer adapts a samizdat.Client to the N.Dialer interface for uot.Client.
+type samizdatDialer struct {
 	client *samizdat.Client
 }
 
+func (d *samizdatDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	return d.client.DialContext(ctx, network, destination.String())
+}
+
+func (d *samizdatDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}
+
 // NewOutbound creates a new Samizdat outbound adapter.
 func NewOutbound(
 	ctx context.Context,
@@ -107,16 +123,23 @@ func NewOutbound(
 		return nil, fmt.Errorf("creating samizdat client: %w", err)
 	}
 
-	return &Outbound{
+	o := &Outbound{
 		Adapter: outbound.NewAdapterWithDialerOptions(
 			constant.TypeSamizdat,
 			tag,
-			[]string{N.NetworkTCP},
+			[]string{N.NetworkTCP, N.NetworkUDP},
 			options.DialerOptions,
 		),
 		logger: logger,
 		client: client,
-	}, nil
+	}
+
+	o.uotClient = &uot.Client{
+		Dialer:  &samizdatDialer{client: client},
+		Version: uot.Version,
+	}
+
+	return o, nil
 }
 
 // DialContext dials a connection to the destination through the Samizdat proxy.
@@ -125,23 +148,29 @@ func (o *Outbound) DialContext(ctx context.Context, network string, destination
 	metadata.Outbound = o.Tag()
 	metadata.Destination = destination
 
-	o.logger.InfoContext(ctx, "connecting to ", destination)
-	conn, err := o.client.DialContext(ctx, network, destination.String())
-	if err != nil {
-		return nil, fmt.Errorf("samizdat dial to %s: %w", destination, err)
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		o.logger.InfoContext(ctx, "outbound connection to ", destination)
+		return o.client.DialContext(ctx, network, destination.String())
+	case N.NetworkUDP:
+		o.logger.InfoContext(ctx, "outbound UoT packet connection to ", destination)
+		return o.uotClient.DialContext(ctx, network, destination)
 	}
-
-	return conn, nil
+	return nil, fmt.Errorf("unsupported network: %s", network)
 }
 
-// ListenPacket is not supported by Samizdat (TCP-only protocol).
+// ListenPacket creates a UoT packet connection through the Samizdat proxy.
 func (o *Outbound) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return nil, fmt.Errorf("samizdat does not support UDP")
+	ctx, metadata := adapter.ExtendContext(ctx)
+	metadata.Outbound = o.Tag()
+	metadata.Destination = destination
+	o.logger.InfoContext(ctx, "outbound UoT packet connection to ", destination)
+	return o.uotClient.ListenPacket(ctx, destination)
 }
 
 // Network returns the supported network types.
 func (o *Outbound) Network() []string {
-	return []string{N.NetworkTCP}
+	return []string{N.NetworkTCP, N.NetworkUDP}
 }
 
 // Close shuts down the Samizdat client.

protocol/samizdat/samizdat_test.go

@@ -296,6 +296,14 @@ func TestNewOutbound_InvalidPublicKey(t *testing.T) {
 	}
 }
 
+func TestOutbound_NetworkIncludesUDP(t *testing.T) {
+	o := &Outbound{}
+	networks := o.Network()
+	assert.Contains(t, networks, "tcp", "Network() should include TCP")
+	assert.Contains(t, networks, "udp", "Network() should include UDP")
+	assert.Len(t, networks, 2, "Network() should return exactly 2 networks")
+}
+
 func TestNewOutbound_InvalidShortID(t *testing.T) {
 	pubKey := testPubKeyHex(t)