From 02ab3f3494952afdff296932645ed0983b386e6c Mon Sep 17 00:00:00 2001
From: Darien Raymond
Date: Sun, 26 Nov 2017 01:02:10 +0100
Subject: [PATCH] refine aead check on server
---
 proxy/shadowsocks/protocol.go | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/proxy/shadowsocks/protocol.go b/proxy/shadowsocks/protocol.go
index b4edcf146..46cd512cd 100644
--- a/proxy/shadowsocks/protocol.go
+++ b/proxy/shadowsocks/protocol.go
@@ -56,19 +56,21 @@ func ReadTCPSession(user *protocol.User, reader io.Reader) (*protocol.RequestHea
 return nil, nil, newError("failed to read address type").Base(err)
 }
 
+ if !account.Cipher.IsAEAD() {
+ if (buffer.Byte(0) & 0x10) == 0x10 {
+ request.Option.Set(RequestOptionOneTimeAuth)
+ }
+
+ if request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Disabled {
+ return nil, nil, newError("rejecting connection with OTA enabled, while server disables OTA")
+ }
+
+ if !request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Enabled {
+ return nil, nil, newError("rejecting connection with OTA disabled, while server enables OTA")
+ }
+ }
+
 addrType := (buffer.Byte(0) & 0x0F)
- if (buffer.Byte(0) & 0x10) == 0x10 {
- request.Option.Set(RequestOptionOneTimeAuth)
- }
-
- if request.Option.Has(RequestOptionOneTimeAuth) && (account.OneTimeAuth == Account_Disabled || account.Cipher.IsAEAD()) {
- return nil, nil, newError("rejecting connection with OTA enabled, while server disables OTA")
- }
-
- if !account.Cipher.IsAEAD() && !request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Enabled {
- return nil, nil, newError("rejecting connection with OTA disabled, while server enables OTA")
- }
-
 switch addrType {
 case AddrTypeIPv4:
 if err := buffer.AppendSupplier(buf.ReadFullFrom(reader, 4)); err != nil {
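Review bot: With an AEAD cipher the 0x10 bit of the first header byte is now silently ignored instead of rejected. The whole OTA block is skipped and `addrType := (buffer.Byte(0) & 0x0F)` masks the high nibble away, so a byte such as 0x11 parses as a plain IPv4 request. The removed condition `|| account.Cipher.IsAEAD()` used to refuse that request. If the relaxation is deliberate, a comment above the new `if` should say that OTA applies to stream ciphers only and that the flag bit is ignored under AEAD. Otherwise keep the parser strict by closing the new block with `} else if (buffer.Byte(0) & 0x10) == 0x10 { return nil, nil, newError("rejecting connection with OTA enabled, while AEAD cipher is in use") }`. ReadTCPSession starts and ends outside the hunk, so whether later code depends on the option being unset under AEAD is not visible here.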