handle AEAD cipher

2025-02-20 23:47:21 -05:00 · 2017-11-26 00:58:57 +01:00 · 2017-11-26 00:58:57 +01:00 · 80258c0542
commit 80258c0542
parent 713ebfb203
2 changed files with 19 additions and 2 deletions
--- a/proxy/shadowsocks/config.go
+++ b/proxy/shadowsocks/config.go
@ -102,12 +102,17 @@ type Cipher interface {
 	IVSize() int
 	NewEncryptionWriter(key []byte, iv []byte, writer io.Writer) (buf.Writer, error)
 	NewDecryptionReader(key []byte, iv []byte, reader io.Reader) (buf.Reader, error)
+	IsAEAD() bool
 }

 type AesCfb struct {
 	KeyBytes int
 }

+func (*AesCfb) IsAEAD() bool {
+	return false
+}
+
 func (v *AesCfb) KeySize() int {
 	return v.KeyBytes
 }
@ -132,6 +137,10 @@ type AEADCipher struct {
 	AEADAuthCreator func(key []byte) cipher.AEAD
 }

+func (*AEADCipher) IsAEAD() bool {
+	return true
+}
+
 func (c *AEADCipher) KeySize() int {
 	return c.KeyBytes
 }
@ -170,6 +179,10 @@ type ChaCha20 struct {
 	IVBytes int
 }

+func (*ChaCha20) IsAEAD() bool {
+	return false
+}
+
 func (v *ChaCha20) KeySize() int {
 	return 32
 }
--- a/proxy/shadowsocks/protocol.go
+++ b/proxy/shadowsocks/protocol.go
@ -61,7 +61,7 @@ func ReadTCPSession(user *protocol.User, reader io.Reader) (*protocol.RequestHea
 		request.Option.Set(RequestOptionOneTimeAuth)
 	}

-	if request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Disabled {
+	if request.Option.Has(RequestOptionOneTimeAuth) && (account.OneTimeAuth == Account_Disabled || account.Cipher.IsAEAD()) {
 		return nil, nil, newError("rejecting connection with OTA enabled, while server disables OTA")
 	}

@ -136,8 +136,12 @@ func WriteTCPRequest(request *protocol.RequestHeader, writer io.Writer) (buf.Wri
 	}
 	account := rawAccount.(*ShadowsocksAccount)

+	if account.Cipher.IsAEAD() {
+		request.Option.Clear(RequestOptionOneTimeAuth)
+	}
+
 	iv := make([]byte, account.Cipher.IVSize())
-	rand.Read(iv)
+	common.Must2(rand.Read(iv))
 	_, err = writer.Write(iv)
 	if err != nil {
 		return nil, newError("failed to write IV")