2016-01-28 06:33:58 -05:00
|
|
|
package shadowsocks
|
|
|
|
|
|
|
|
import (
|
2016-05-24 16:09:22 -04:00
|
|
|
"bytes"
|
2016-10-31 10:24:28 -04:00
|
|
|
"crypto/rand"
|
2016-01-28 06:33:58 -05:00
|
|
|
"io"
|
2016-12-09 06:08:25 -05:00
|
|
|
|
2017-10-22 14:17:06 -04:00
|
|
|
"v2ray.com/core/common"
|
2017-10-21 15:04:24 -04:00
|
|
|
"v2ray.com/core/common/bitmask"
|
2016-12-09 05:35:27 -05:00
|
|
|
"v2ray.com/core/common/buf"
|
2017-08-29 06:56:57 -04:00
|
|
|
"v2ray.com/core/common/net"
|
2016-10-31 10:24:28 -04:00
|
|
|
"v2ray.com/core/common/protocol"
|
2016-01-28 06:33:58 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2017-10-21 15:04:24 -04:00
|
|
|
Version = 1
|
|
|
|
RequestOptionOneTimeAuth bitmask.Byte = 0x01
|
2018-02-23 17:42:01 -05:00
|
|
|
)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
var addrParser = protocol.NewAddressParser(
|
|
|
|
protocol.AddressFamilyByte(0x01, net.AddressFamilyIPv4),
|
|
|
|
protocol.AddressFamilyByte(0x04, net.AddressFamilyIPv6),
|
|
|
|
protocol.AddressFamilyByte(0x03, net.AddressFamilyDomain),
|
|
|
|
protocol.WithAddressTypeParser(func(b byte) byte {
|
|
|
|
return b & 0x0F
|
|
|
|
}),
|
2016-01-28 06:33:58 -05:00
|
|
|
)
|
|
|
|
|
2017-12-14 09:02:36 -05:00
|
|
|
// ReadTCPSession reads a Shadowsocks TCP session from the given reader, returns its header and remaining parts.
|
2018-08-26 18:11:32 -04:00
|
|
|
func ReadTCPSession(user *protocol.MemoryUser, reader io.Reader) (*protocol.RequestHeader, buf.Reader, error) {
|
|
|
|
account := user.Account.(*MemoryAccount)
|
2016-05-01 11:18:02 -04:00
|
|
|
|
2018-03-09 05:26:00 -05:00
|
|
|
buffer := buf.New()
|
2016-01-28 06:33:58 -05:00
|
|
|
defer buffer.Release()
|
|
|
|
|
2016-10-31 10:24:28 -04:00
|
|
|
ivLen := account.Cipher.IVSize()
|
2017-11-29 16:19:04 -05:00
|
|
|
var iv []byte
|
|
|
|
if ivLen > 0 {
|
2018-11-02 10:01:33 -04:00
|
|
|
if _, err := buffer.ReadFullFrom(reader, ivLen); err != nil {
|
2017-11-29 16:19:04 -05:00
|
|
|
return nil, nil, newError("failed to read IV").Base(err)
|
|
|
|
}
|
2016-01-28 06:33:58 -05:00
|
|
|
|
2017-11-29 16:19:04 -05:00
|
|
|
iv = append([]byte(nil), buffer.BytesTo(ivLen)...)
|
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-25 18:51:54 -05:00
|
|
|
r, err := account.Cipher.NewDecryptionReader(account.Key, iv, reader)
|
2016-10-31 10:24:28 -04:00
|
|
|
if err != nil {
|
2017-04-26 18:09:01 -04:00
|
|
|
return nil, nil, newError("failed to initialize decoding stream").Base(err).AtError()
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
2018-04-20 18:54:53 -04:00
|
|
|
br := &buf.BufferedReader{Reader: r}
|
2017-11-26 10:56:01 -05:00
|
|
|
reader = nil
|
2016-10-31 10:24:28 -04:00
|
|
|
|
|
|
|
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
|
|
|
|
request := &protocol.RequestHeader{
|
|
|
|
Version: Version,
|
|
|
|
User: user,
|
|
|
|
Command: protocol.RequestCommandTCP,
|
|
|
|
}
|
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
buffer.Clear()
|
|
|
|
|
|
|
|
addr, port, err := addrParser.ReadAddressPort(buffer, br)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, newError("failed to read address").Base(err)
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
2016-01-28 06:33:58 -05:00
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
request.Address = addr
|
|
|
|
request.Port = port
|
|
|
|
|
2017-11-25 19:02:10 -05:00
|
|
|
if !account.Cipher.IsAEAD() {
|
|
|
|
if (buffer.Byte(0) & 0x10) == 0x10 {
|
|
|
|
request.Option.Set(RequestOptionOneTimeAuth)
|
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-25 19:02:10 -05:00
|
|
|
if request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Disabled {
|
|
|
|
return nil, nil, newError("rejecting connection with OTA enabled, while server disables OTA")
|
|
|
|
}
|
2016-11-25 10:46:59 -05:00
|
|
|
|
2017-11-25 19:02:10 -05:00
|
|
|
if !request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Enabled {
|
|
|
|
return nil, nil, newError("rejecting connection with OTA disabled, while server enables OTA")
|
|
|
|
}
|
2016-11-25 10:46:59 -05:00
|
|
|
}
|
|
|
|
|
2016-10-31 10:24:28 -04:00
|
|
|
if request.Option.Has(RequestOptionOneTimeAuth) {
|
2016-12-06 05:03:42 -05:00
|
|
|
actualAuth := make([]byte, AuthSize)
|
|
|
|
authenticator.Authenticate(buffer.Bytes())(actualAuth)
|
2016-12-05 11:05:47 -05:00
|
|
|
|
2018-11-02 10:01:33 -04:00
|
|
|
_, err := buffer.ReadFullFrom(br, AuthSize)
|
2016-01-29 10:43:45 -05:00
|
|
|
if err != nil {
|
2017-04-08 19:43:25 -04:00
|
|
|
return nil, nil, newError("Failed to read OTA").Base(err)
|
2016-01-29 15:55:42 -05:00
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2016-12-05 11:05:47 -05:00
|
|
|
if !bytes.Equal(actualAuth, buffer.BytesFrom(-AuthSize)) {
|
2017-04-08 19:43:25 -04:00
|
|
|
return nil, nil, newError("invalid OTA")
|
2016-01-29 10:43:45 -05:00
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2016-12-13 03:17:39 -05:00
|
|
|
if request.Address == nil {
|
2017-04-08 19:43:25 -04:00
|
|
|
return nil, nil, newError("invalid remote address.")
|
2016-12-13 03:17:39 -05:00
|
|
|
}
|
|
|
|
|
2016-12-09 07:17:34 -05:00
|
|
|
var chunkReader buf.Reader
|
2016-10-31 10:24:28 -04:00
|
|
|
if request.Option.Has(RequestOptionOneTimeAuth) {
|
2017-11-26 10:56:01 -05:00
|
|
|
chunkReader = NewChunkReader(br, NewAuthenticator(ChunkKeyGenerator(iv)))
|
2016-01-29 15:55:42 -05:00
|
|
|
} else {
|
2017-11-26 10:56:01 -05:00
|
|
|
chunkReader = buf.NewReader(br)
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return request, chunkReader, nil
|
|
|
|
}
|
|
|
|
|
2017-12-14 09:02:36 -05:00
|
|
|
// WriteTCPRequest writes Shadowsocks request into the given writer, and returns a writer for body.
|
2016-12-09 07:17:34 -05:00
|
|
|
func WriteTCPRequest(request *protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {
|
2016-10-31 10:24:28 -04:00
|
|
|
user := request.User
|
2018-08-26 18:11:32 -04:00
|
|
|
account := user.Account.(*MemoryAccount)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-25 18:58:57 -05:00
|
|
|
if account.Cipher.IsAEAD() {
|
|
|
|
request.Option.Clear(RequestOptionOneTimeAuth)
|
|
|
|
}
|
|
|
|
|
2017-11-29 16:19:04 -05:00
|
|
|
var iv []byte
|
|
|
|
if account.Cipher.IVSize() > 0 {
|
|
|
|
iv = make([]byte, account.Cipher.IVSize())
|
|
|
|
common.Must2(rand.Read(iv))
|
2018-07-28 09:03:40 -04:00
|
|
|
if err := buf.WriteAllBytes(writer, iv); err != nil {
|
2017-11-29 16:19:04 -05:00
|
|
|
return nil, newError("failed to write IV")
|
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2017-11-25 18:51:54 -05:00
|
|
|
w, err := account.Cipher.NewEncryptionWriter(account.Key, iv, writer)
|
2016-10-31 10:24:28 -04:00
|
|
|
if err != nil {
|
2017-04-26 18:09:01 -04:00
|
|
|
return nil, newError("failed to create encoding stream").Base(err).AtError()
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2018-03-09 05:26:00 -05:00
|
|
|
header := buf.New()
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
if err := addrParser.WriteAddressPort(header, request.Address, request.Port); err != nil {
|
2017-12-03 18:55:34 -05:00
|
|
|
return nil, newError("failed to write address").Base(err)
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
if request.Option.Has(RequestOptionOneTimeAuth) {
|
2016-12-06 05:31:19 -05:00
|
|
|
header.SetByte(0, header.Byte(0)|0x10)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
|
|
|
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
|
2017-10-22 14:17:06 -04:00
|
|
|
common.Must(header.AppendSupplier(authenticator.Authenticate(header.Bytes())))
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2017-11-26 10:56:01 -05:00
|
|
|
if err := w.WriteMultiBuffer(buf.NewMultiBufferValue(header)); err != nil {
|
2017-04-09 07:30:46 -04:00
|
|
|
return nil, newError("failed to write header").Base(err)
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2016-12-09 07:17:34 -05:00
|
|
|
var chunkWriter buf.Writer
|
2016-10-31 10:24:28 -04:00
|
|
|
if request.Option.Has(RequestOptionOneTimeAuth) {
|
2017-11-26 10:56:01 -05:00
|
|
|
chunkWriter = NewChunkWriter(w.(io.Writer), NewAuthenticator(ChunkKeyGenerator(iv)))
|
2016-10-31 10:24:28 -04:00
|
|
|
} else {
|
2017-11-26 10:56:01 -05:00
|
|
|
chunkWriter = w
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return chunkWriter, nil
|
|
|
|
}
|
|
|
|
|
2018-08-26 18:11:32 -04:00
|
|
|
func ReadTCPResponse(user *protocol.MemoryUser, reader io.Reader) (buf.Reader, error) {
|
|
|
|
account := user.Account.(*MemoryAccount)
|
2016-01-29 10:43:45 -05:00
|
|
|
|
2017-11-29 16:19:04 -05:00
|
|
|
var iv []byte
|
|
|
|
if account.Cipher.IVSize() > 0 {
|
|
|
|
iv = make([]byte, account.Cipher.IVSize())
|
2018-08-26 18:11:32 -04:00
|
|
|
if _, err := io.ReadFull(reader, iv); err != nil {
|
2017-11-29 16:19:04 -05:00
|
|
|
return nil, newError("failed to read IV").Base(err)
|
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2017-11-25 18:51:54 -05:00
|
|
|
return account.Cipher.NewDecryptionReader(account.Key, iv, reader)
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2016-12-09 07:17:34 -05:00
|
|
|
func WriteTCPResponse(request *protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {
|
2016-10-31 10:24:28 -04:00
|
|
|
user := request.User
|
2018-08-26 18:11:32 -04:00
|
|
|
account := user.Account.(*MemoryAccount)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-29 16:19:04 -05:00
|
|
|
var iv []byte
|
|
|
|
if account.Cipher.IVSize() > 0 {
|
|
|
|
iv = make([]byte, account.Cipher.IVSize())
|
|
|
|
common.Must2(rand.Read(iv))
|
2018-07-28 09:03:40 -04:00
|
|
|
if err := buf.WriteAllBytes(writer, iv); err != nil {
|
2017-11-29 16:19:04 -05:00
|
|
|
return nil, newError("failed to write IV.").Base(err)
|
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2017-11-25 18:51:54 -05:00
|
|
|
return account.Cipher.NewEncryptionWriter(account.Key, iv, writer)
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2017-04-21 08:51:09 -04:00
|
|
|
func EncodeUDPPacket(request *protocol.RequestHeader, payload []byte) (*buf.Buffer, error) {
|
2016-10-31 10:24:28 -04:00
|
|
|
user := request.User
|
2018-08-26 18:11:32 -04:00
|
|
|
account := user.Account.(*MemoryAccount)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-04-15 15:19:21 -04:00
|
|
|
buffer := buf.New()
|
2016-10-31 10:24:28 -04:00
|
|
|
ivLen := account.Cipher.IVSize()
|
2017-11-29 16:19:04 -05:00
|
|
|
if ivLen > 0 {
|
2018-11-02 10:01:33 -04:00
|
|
|
common.Must2(buffer.ReadFullFrom(rand.Reader, ivLen))
|
2017-11-29 16:19:04 -05:00
|
|
|
}
|
2016-12-06 05:03:42 -05:00
|
|
|
iv := buffer.Bytes()
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
if err := addrParser.WriteAddressPort(buffer, request.Address, request.Port); err != nil {
|
2017-12-03 18:55:34 -05:00
|
|
|
return nil, newError("failed to write address").Base(err)
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2018-04-19 16:56:55 -04:00
|
|
|
buffer.Write(payload)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-26 08:18:23 -05:00
|
|
|
if !account.Cipher.IsAEAD() && request.Option.Has(RequestOptionOneTimeAuth) {
|
2016-10-31 10:24:28 -04:00
|
|
|
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
|
2017-11-26 15:51:30 -05:00
|
|
|
buffer.SetByte(ivLen, buffer.Byte(ivLen)|0x10)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-26 15:51:30 -05:00
|
|
|
common.Must(buffer.AppendSupplier(authenticator.Authenticate(buffer.BytesFrom(ivLen))))
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
2017-11-26 15:51:30 -05:00
|
|
|
if err := account.Cipher.EncodePacket(account.Key, buffer); err != nil {
|
|
|
|
return nil, newError("failed to encrypt UDP payload").Base(err)
|
2017-11-25 18:51:54 -05:00
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
|
|
|
|
return buffer, nil
|
|
|
|
}
|
|
|
|
|
2018-08-26 18:11:32 -04:00
|
|
|
func DecodeUDPPacket(user *protocol.MemoryUser, payload *buf.Buffer) (*protocol.RequestHeader, *buf.Buffer, error) {
|
|
|
|
account := user.Account.(*MemoryAccount)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-27 04:42:51 -05:00
|
|
|
var iv []byte
|
2017-11-29 16:19:04 -05:00
|
|
|
if !account.Cipher.IsAEAD() && account.Cipher.IVSize() > 0 {
|
2017-11-27 04:42:51 -05:00
|
|
|
// Keep track of IV as it gets removed from payload in DecodePacket.
|
|
|
|
iv = make([]byte, account.Cipher.IVSize())
|
|
|
|
copy(iv, payload.BytesTo(account.Cipher.IVSize()))
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
2017-11-26 15:51:30 -05:00
|
|
|
|
|
|
|
if err := account.Cipher.DecodePacket(account.Key, payload); err != nil {
|
|
|
|
return nil, nil, newError("failed to decrypt UDP payload").Base(err)
|
2017-11-25 18:51:54 -05:00
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
|
|
|
|
request := &protocol.RequestHeader{
|
|
|
|
Version: Version,
|
|
|
|
User: user,
|
|
|
|
Command: protocol.RequestCommandUDP,
|
|
|
|
}
|
|
|
|
|
2017-11-26 08:18:23 -05:00
|
|
|
if !account.Cipher.IsAEAD() {
|
|
|
|
if (payload.Byte(0) & 0x10) == 0x10 {
|
|
|
|
request.Option |= RequestOptionOneTimeAuth
|
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-26 08:18:23 -05:00
|
|
|
if request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Disabled {
|
|
|
|
return nil, nil, newError("rejecting packet with OTA enabled, while server disables OTA").AtWarning()
|
|
|
|
}
|
2016-11-25 10:46:59 -05:00
|
|
|
|
2017-11-26 08:18:23 -05:00
|
|
|
if !request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Enabled {
|
|
|
|
return nil, nil, newError("rejecting packet with OTA disabled, while server enables OTA").AtWarning()
|
|
|
|
}
|
2016-11-25 10:46:59 -05:00
|
|
|
|
2017-11-26 08:18:23 -05:00
|
|
|
if request.Option.Has(RequestOptionOneTimeAuth) {
|
|
|
|
payloadLen := payload.Len() - AuthSize
|
|
|
|
authBytes := payload.BytesFrom(payloadLen)
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2017-11-29 17:08:02 -05:00
|
|
|
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
|
2017-11-26 08:18:23 -05:00
|
|
|
actualAuth := make([]byte, AuthSize)
|
2018-04-03 18:29:30 -04:00
|
|
|
common.Must2(authenticator.Authenticate(payload.BytesTo(payloadLen))(actualAuth))
|
2017-11-26 08:18:23 -05:00
|
|
|
if !bytes.Equal(actualAuth, authBytes) {
|
|
|
|
return nil, nil, newError("invalid OTA")
|
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
|
2018-04-19 17:48:38 -04:00
|
|
|
payload.Resize(0, payloadLen)
|
2017-11-26 08:18:23 -05:00
|
|
|
}
|
2016-10-31 10:24:28 -04:00
|
|
|
}
|
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
payload.SetByte(0, payload.Byte(0)&0x0F)
|
2018-02-22 04:31:08 -05:00
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
addr, port, err := addrParser.ReadAddressPort(nil, payload)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, newError("failed to parse address").Base(err)
|
2016-01-29 10:43:45 -05:00
|
|
|
}
|
|
|
|
|
2018-02-23 17:42:01 -05:00
|
|
|
request.Address = addr
|
|
|
|
request.Port = port
|
2016-10-31 10:24:28 -04:00
|
|
|
|
|
|
|
return request, payload, nil
|
2016-01-28 06:33:58 -05:00
|
|
|
}
|
2016-10-31 11:35:18 -04:00
|
|
|
|
|
|
|
type UDPReader struct {
|
|
|
|
Reader io.Reader
|
2018-08-26 18:11:32 -04:00
|
|
|
User *protocol.MemoryUser
|
2016-10-31 11:35:18 -04:00
|
|
|
}
|
|
|
|
|
2017-11-09 16:33:15 -05:00
|
|
|
func (v *UDPReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
|
2017-04-15 15:19:21 -04:00
|
|
|
buffer := buf.New()
|
2018-11-02 10:01:33 -04:00
|
|
|
_, err := buffer.ReadFrom(v.Reader)
|
2016-10-31 11:35:18 -04:00
|
|
|
if err != nil {
|
|
|
|
buffer.Release()
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-11-27 15:39:09 -05:00
|
|
|
_, payload, err := DecodeUDPPacket(v.User, buffer)
|
2016-10-31 11:35:18 -04:00
|
|
|
if err != nil {
|
|
|
|
buffer.Release()
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-04-16 07:17:35 -04:00
|
|
|
return buf.NewMultiBufferValue(payload), nil
|
2016-10-31 11:35:18 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
type UDPWriter struct {
|
|
|
|
Writer io.Writer
|
|
|
|
Request *protocol.RequestHeader
|
|
|
|
}
|
|
|
|
|
2017-04-21 09:36:05 -04:00
|
|
|
// Write implements io.Writer.
|
2017-04-21 08:51:09 -04:00
|
|
|
func (w *UDPWriter) Write(payload []byte) (int, error) {
|
|
|
|
packet, err := EncodeUDPPacket(w.Request, payload)
|
2016-10-31 11:35:18 -04:00
|
|
|
if err != nil {
|
2017-04-21 08:51:09 -04:00
|
|
|
return 0, err
|
2016-10-31 11:35:18 -04:00
|
|
|
}
|
2017-04-21 08:51:09 -04:00
|
|
|
_, err = w.Writer.Write(packet.Bytes())
|
|
|
|
packet.Release()
|
|
|
|
return len(payload), err
|
2016-10-31 11:35:18 -04:00
|
|
|
}
|