mirror of
https://github.com/v2fly/v2ray-core.git
synced 2024-11-08 03:07:47 -05:00
b6da3e86a5
* Shadowsocks2022 Client Implementation Improvements 1. Added UDP Replay Detection 2. Added UDP Processor State Cache 3. Added More Detailed Output for Time Difference Error 4. Replaced Mutex with RWMutex for reduced lock contention 5. Added per server session tracking of decryption cache and anti-replay window 6. Adjust server session track time 7. Increase per session buffer to 128 8. Fix client crash when EIH is not enabled 9. Fix client log contains non-human-friendly content 10.Remove mark and remove for trackedSessions 11. Fixed packet size uint16 overflow issue
292 lines
9.2 KiB
Go
292 lines
9.2 KiB
Go
package shadowsocks2022
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/cipher"
|
|
cryptoRand "crypto/rand"
|
|
"encoding/binary"
|
|
"io"
|
|
"math/rand"
|
|
"time"
|
|
|
|
"github.com/v2fly/v2ray-core/v5/common"
|
|
|
|
"github.com/lunixbochs/struc"
|
|
|
|
"github.com/v2fly/v2ray-core/v5/common/buf"
|
|
"github.com/v2fly/v2ray-core/v5/common/crypto"
|
|
"github.com/v2fly/v2ray-core/v5/common/net"
|
|
"github.com/v2fly/v2ray-core/v5/common/protocol"
|
|
)
|
|
|
|
type TCPRequest struct {
|
|
keyDerivation KeyDerivation
|
|
method Method
|
|
|
|
c2sSalt RequestSalt
|
|
c2sNonce crypto.BytesGenerator
|
|
c2sAEAD cipher.AEAD
|
|
|
|
s2cSalt RequestSalt
|
|
s2cNonce crypto.BytesGenerator
|
|
s2cAEAD cipher.AEAD
|
|
|
|
s2cSaltAssert RequestSalt
|
|
s2cInitialPayloadSize int
|
|
}
|
|
|
|
func (t *TCPRequest) EncodeTCPRequestHeader(effectivePsk []byte,
|
|
eih [][]byte, address DestinationAddress, destPort int, initialPayload []byte, out *buf.Buffer,
|
|
) error {
|
|
requestSalt := newRequestSaltWithLength(t.method.GetSessionSubKeyAndSaltLength())
|
|
{
|
|
err := requestSalt.FillAllFrom(cryptoRand.Reader)
|
|
if err != nil {
|
|
return newError("failed to fill salt").Base(err)
|
|
}
|
|
}
|
|
t.c2sSalt = requestSalt
|
|
sessionKey := make([]byte, t.method.GetSessionSubKeyAndSaltLength())
|
|
{
|
|
err := t.keyDerivation.GetSessionSubKey(effectivePsk, requestSalt.Bytes(), sessionKey)
|
|
if err != nil {
|
|
return newError("failed to get session sub key").Base(err)
|
|
}
|
|
}
|
|
|
|
aead, err := t.method.GetStreamAEAD(sessionKey)
|
|
if err != nil {
|
|
return newError("failed to get stream AEAD").Base(err)
|
|
}
|
|
t.c2sAEAD = aead
|
|
paddingLength := TCPMinPaddingLength
|
|
if initialPayload == nil {
|
|
initialPayload = []byte{}
|
|
paddingLength += 1 + rand.Intn(TCPMaxPaddingLength) // TODO INSECURE RANDOM USED
|
|
}
|
|
|
|
variableLengthHeader := &TCPRequestHeader3VariableLength{
|
|
DestinationAddress: address,
|
|
Contents: struct {
|
|
PaddingLength uint16 `struc:"sizeof=Padding"`
|
|
Padding []byte
|
|
}(struct {
|
|
PaddingLength uint16
|
|
Padding []byte
|
|
}{
|
|
PaddingLength: uint16(paddingLength),
|
|
Padding: make([]byte, paddingLength),
|
|
}),
|
|
}
|
|
variableLengthHeaderBuffer := buf.New()
|
|
defer variableLengthHeaderBuffer.Release()
|
|
{
|
|
err := addrParser.WriteAddressPort(variableLengthHeaderBuffer, address, net.Port(destPort))
|
|
if err != nil {
|
|
return newError("failed to write address port").Base(err)
|
|
}
|
|
}
|
|
{
|
|
err := struc.Pack(variableLengthHeaderBuffer, &variableLengthHeader.Contents)
|
|
if err != nil {
|
|
return newError("failed to pack variable length header").Base(err)
|
|
}
|
|
}
|
|
{
|
|
_, err := variableLengthHeaderBuffer.Write(initialPayload)
|
|
if err != nil {
|
|
return newError("failed to write initial payload").Base(err)
|
|
}
|
|
}
|
|
|
|
fixedLengthHeader := &TCPRequestHeader2FixedLength{
|
|
Type: TCPHeaderTypeClientToServerStream,
|
|
Timestamp: uint64(time.Now().Unix()),
|
|
HeaderLength: uint16(variableLengthHeaderBuffer.Len()),
|
|
}
|
|
|
|
fixedLengthHeaderBuffer := buf.New()
|
|
defer fixedLengthHeaderBuffer.Release()
|
|
{
|
|
err := struc.Pack(fixedLengthHeaderBuffer, fixedLengthHeader)
|
|
if err != nil {
|
|
return newError("failed to pack fixed length header").Base(err)
|
|
}
|
|
}
|
|
eihHeader := ExtensibleIdentityHeaders(newAESEIH(0))
|
|
if len(eih) != 0 {
|
|
eihGenerator := newAESEIHGeneratorContainer(len(eih), effectivePsk, eih)
|
|
eihHeaderGenerated, err := eihGenerator.GenerateEIH(t.keyDerivation, t.method, requestSalt.Bytes())
|
|
if err != nil {
|
|
return newError("failed to construct EIH").Base(err)
|
|
}
|
|
eihHeader = eihHeaderGenerated
|
|
}
|
|
preSessionKeyHeader := &TCPRequestHeader1PreSessionKey{
|
|
Salt: requestSalt,
|
|
EIH: eihHeader,
|
|
}
|
|
preSessionKeyHeaderBuffer := buf.New()
|
|
defer preSessionKeyHeaderBuffer.Release()
|
|
{
|
|
err := struc.Pack(preSessionKeyHeaderBuffer, preSessionKeyHeader)
|
|
if err != nil {
|
|
return newError("failed to pack pre session key header").Base(err)
|
|
}
|
|
}
|
|
requestNonce := crypto.GenerateInitialAEADNonce()
|
|
t.c2sNonce = requestNonce
|
|
{
|
|
n, err := out.Write(preSessionKeyHeaderBuffer.BytesFrom(0))
|
|
if err != nil {
|
|
return newError("failed to write pre session key header").Base(err)
|
|
}
|
|
if int32(n) != preSessionKeyHeaderBuffer.Len() {
|
|
return newError("failed to write pre session key header")
|
|
}
|
|
}
|
|
{
|
|
fixedLengthEncrypted := out.Extend(fixedLengthHeaderBuffer.Len() + int32(aead.Overhead()))
|
|
aead.Seal(fixedLengthEncrypted[:0], requestNonce(), fixedLengthHeaderBuffer.Bytes(), nil)
|
|
}
|
|
{
|
|
variableLengthEncrypted := out.Extend(variableLengthHeaderBuffer.Len() + int32(aead.Overhead()))
|
|
aead.Seal(variableLengthEncrypted[:0], requestNonce(), variableLengthHeaderBuffer.Bytes(), nil)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (t *TCPRequest) DecodeTCPResponseHeader(effectivePsk []byte, in io.Reader) error {
|
|
var preSessionKeyHeader TCPResponseHeader1PreSessionKey
|
|
preSessionKeyHeader.Salt = newRequestSaltWithLength(t.method.GetSessionSubKeyAndSaltLength())
|
|
{
|
|
err := struc.Unpack(in, &preSessionKeyHeader)
|
|
if err != nil {
|
|
return newError("failed to unpack pre session key header").Base(err)
|
|
}
|
|
}
|
|
s2cSalt := preSessionKeyHeader.Salt.Bytes()
|
|
t.s2cSalt = preSessionKeyHeader.Salt
|
|
sessionKey := make([]byte, t.method.GetSessionSubKeyAndSaltLength())
|
|
{
|
|
err := t.keyDerivation.GetSessionSubKey(effectivePsk, s2cSalt, sessionKey)
|
|
if err != nil {
|
|
return newError("failed to get session sub key").Base(err)
|
|
}
|
|
}
|
|
aead, err := t.method.GetStreamAEAD(sessionKey)
|
|
if err != nil {
|
|
return newError("failed to get stream AEAD").Base(err)
|
|
}
|
|
t.s2cAEAD = aead
|
|
|
|
fixedLengthHeaderEncryptedBuffer := buf.New()
|
|
defer fixedLengthHeaderEncryptedBuffer.Release()
|
|
{
|
|
_, err := fixedLengthHeaderEncryptedBuffer.ReadFullFrom(in, 11+int32(t.method.GetSessionSubKeyAndSaltLength())+int32(aead.Overhead()))
|
|
if err != nil {
|
|
return newError("failed to read fixed length header encrypted").Base(err)
|
|
}
|
|
}
|
|
s2cNonce := crypto.GenerateInitialAEADNonce()
|
|
t.s2cNonce = s2cNonce
|
|
fixedLengthHeaderDecryptedBuffer := buf.New()
|
|
defer fixedLengthHeaderDecryptedBuffer.Release()
|
|
{
|
|
decryptionBuffer := fixedLengthHeaderDecryptedBuffer.Extend(11 + int32(t.method.GetSessionSubKeyAndSaltLength()))
|
|
_, err = aead.Open(decryptionBuffer[:0], s2cNonce(), fixedLengthHeaderEncryptedBuffer.Bytes(), nil)
|
|
if err != nil {
|
|
return newError("failed to decrypt fixed length header").Base(err)
|
|
}
|
|
}
|
|
var fixedLengthHeader TCPResponseHeader2FixedLength
|
|
fixedLengthHeader.RequestSalt = newRequestSaltWithLength(t.method.GetSessionSubKeyAndSaltLength())
|
|
{
|
|
err := struc.Unpack(bytes.NewReader(fixedLengthHeaderDecryptedBuffer.Bytes()), &fixedLengthHeader)
|
|
if err != nil {
|
|
return newError("failed to unpack fixed length header").Base(err)
|
|
}
|
|
}
|
|
|
|
if fixedLengthHeader.Type != TCPHeaderTypeServerToClientStream {
|
|
return newError("unexpected TCP header type")
|
|
}
|
|
timeDifference := int64(fixedLengthHeader.Timestamp) - time.Now().Unix()
|
|
if timeDifference < -30 || timeDifference > 30 {
|
|
return newError("timestamp is too far away, timeDifference = ", timeDifference)
|
|
}
|
|
|
|
t.s2cSaltAssert = fixedLengthHeader.RequestSalt
|
|
t.s2cInitialPayloadSize = int(fixedLengthHeader.InitialPayloadLength)
|
|
return nil
|
|
}
|
|
|
|
func (t *TCPRequest) CheckC2SConnectionConstraint() error {
|
|
if !bytes.Equal(t.c2sSalt.Bytes(), t.s2cSaltAssert.Bytes()) {
|
|
return newError("c2s salt not equal to s2c salt assert")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (t *TCPRequest) CreateClientS2CReader(in io.Reader, initialPayload *buf.Buffer) (buf.Reader, error) {
|
|
AEADAuthenticator := &crypto.AEADAuthenticator{
|
|
AEAD: t.s2cAEAD,
|
|
NonceGenerator: t.s2cNonce,
|
|
AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
|
|
}
|
|
initialPayloadEncrypted := buf.NewWithSize(65535)
|
|
defer initialPayloadEncrypted.Release()
|
|
initialPayloadEncryptedBytes := initialPayloadEncrypted.Extend(int32(t.s2cAEAD.Overhead()) + int32(t.s2cInitialPayloadSize))
|
|
_, err := io.ReadFull(in, initialPayloadEncryptedBytes)
|
|
if err != nil {
|
|
return nil, newError("failed to read initial payload").Base(err)
|
|
}
|
|
initialPayloadBytes := initialPayload.Extend(int32(t.s2cInitialPayloadSize))
|
|
_, err = t.s2cAEAD.Open(initialPayloadBytes[:0], t.s2cNonce(), initialPayloadEncryptedBytes, nil)
|
|
if err != nil {
|
|
return nil, newError("failed to decrypt initial payload").Base(err)
|
|
}
|
|
return crypto.NewAuthenticationReader(AEADAuthenticator, &AEADChunkSizeParser{
|
|
Auth: AEADAuthenticator,
|
|
}, in, protocol.TransferTypeStream, nil), nil
|
|
}
|
|
|
|
func (t *TCPRequest) CreateClientC2SWriter(writer io.Writer) buf.Writer {
|
|
AEADAuthenticator := &crypto.AEADAuthenticator{
|
|
AEAD: t.c2sAEAD,
|
|
NonceGenerator: t.c2sNonce,
|
|
AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
|
|
}
|
|
sizeParser := &crypto.AEADChunkSizeParser{
|
|
Auth: AEADAuthenticator,
|
|
}
|
|
return crypto.NewAuthenticationWriter(AEADAuthenticator, sizeParser, writer, protocol.TransferTypeStream, nil)
|
|
}
|
|
|
|
type AEADChunkSizeParser struct {
|
|
Auth *crypto.AEADAuthenticator
|
|
}
|
|
|
|
func (p *AEADChunkSizeParser) HasConstantOffset() uint16 {
|
|
return uint16(p.Auth.Overhead())
|
|
}
|
|
|
|
func (p *AEADChunkSizeParser) SizeBytes() int32 {
|
|
return 2 + int32(p.Auth.Overhead())
|
|
}
|
|
|
|
func (p *AEADChunkSizeParser) Encode(size uint16, b []byte) []byte {
|
|
binary.BigEndian.PutUint16(b, size-uint16(p.Auth.Overhead()))
|
|
b, err := p.Auth.Seal(b[:0], b[:2])
|
|
common.Must(err)
|
|
return b
|
|
}
|
|
|
|
func (p *AEADChunkSizeParser) Decode(b []byte) (uint16, error) {
|
|
b, err := p.Auth.Open(b[:0], b)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
return binary.BigEndian.Uint16(b), nil
|
|
}
|