replay filter for TCP & UDP in AEAD-2022

Author: zonyitoo

.gitignore

@@ -12,3 +12,4 @@
 /udp_echo_server.py
 /.idea
 /.devcontainer
+.DS_Store

crates/shadowsocks/Cargo.toml

@@ -32,7 +32,7 @@ stream-cipher = ["shadowsocks-crypto/v1-stream"]
 aead-cipher-extra = ["shadowsocks-crypto/v1-aead-extra"]
 
 # Enable AEAD 2022
-aead-cipher-2022 = ["shadowsocks-crypto/v2", "rand/small_rng", "aes", "lru_time_cache"]
+aead-cipher-2022 = ["shadowsocks-crypto/v2", "rand/small_rng", "aes", "lru_time_cache", "spin"]
 
 # Enable detection against replay attack
 security-replay-attack-detect = ["bloomfilter", "spin"]

crates/shadowsocks/src/context.rs

@@ -7,7 +7,7 @@ use log::warn;
 
 use crate::{
     config::{ReplayAttackPolicy, ServerType},
-    crypto::v1::random_iv_or_salt,
+    crypto::{v1::random_iv_or_salt, CipherKind},
     dns_resolver::DnsResolver,
     security::replay::ReplayProtector,
 };
@@ -50,15 +50,15 @@ impl Context {
     ///
     /// If not, set into the current bloom filter
     #[inline(always)]
-    fn check_nonce_and_set(&self, nonce: &[u8]) -> bool {
+    fn check_nonce_and_set(&self, method: CipherKind, nonce: &[u8]) -> bool {
         match self.replay_policy {
             ReplayAttackPolicy::Ignore => false,
-            _ => self.replay_protector.check_nonce_and_set(nonce),
+            _ => self.replay_protector.check_nonce_and_set(method, nonce),
         }
     }
 
     /// Generate nonce (IV or SALT)
-    pub fn generate_nonce(&self, nonce: &mut [u8], unique: bool) {
+    pub fn generate_nonce(&self, method: CipherKind, nonce: &mut [u8], unique: bool) {
         if nonce.is_empty() {
             return;
         }
@@ -86,7 +86,7 @@ impl Context {
             }
 
             // Salt already exists, generate a new one.
-            if unique && self.check_nonce_and_set(nonce) {
+            if unique && self.check_nonce_and_set(method, nonce) {
                 continue;
             }
 
@@ -95,21 +95,21 @@ impl Context {
     }
 
     /// Check nonce replay
-    pub fn check_nonce_replay(&self, nonce: &[u8]) -> io::Result<()> {
+    pub fn check_nonce_replay(&self, method: CipherKind, nonce: &[u8]) -> io::Result<()> {
         if nonce.is_empty() {
             return Ok(());
         }
 
         match self.replay_policy {
             ReplayAttackPolicy::Ignore => Ok(()),
             ReplayAttackPolicy::Detect => {
-                if self.replay_protector.check_nonce_and_set(nonce) {
+                if self.replay_protector.check_nonce_and_set(method, nonce) {
                     warn!("detected repeated nonce (iv/salt) {:?}", ByteStr::new(nonce));
                 }
                 Ok(())
             }
             ReplayAttackPolicy::Reject => {
-                if self.replay_protector.check_nonce_and_set(nonce) {
+                if self.replay_protector.check_nonce_and_set(method, nonce) {
                     let err = io::Error::new(io::ErrorKind::Other, "detected repeated nonce (iv/salt)");
                     Err(err)
                 } else {
@@ -151,4 +151,9 @@ impl Context {
     pub fn set_replay_attack_policy(&mut self, replay_policy: ReplayAttackPolicy) {
         self.replay_policy = replay_policy;
     }
+
+    /// Get policy against replay attach
+    pub fn replay_attack_policy(&self) -> ReplayAttackPolicy {
+        self.replay_policy
+    }
 }

crates/shadowsocks/src/relay/mod.rs

@@ -5,3 +5,25 @@ pub use self::socks5::Address;
 pub mod socks5;
 pub mod tcprelay;
 pub mod udprelay;
+
+/// AEAD 2022 maximum padding length
+#[cfg(feature = "aead-cipher-2022")]
+const AEAD2022_MAX_PADDING_SIZE: usize = 900;
+
+/// Get a properly AEAD 2022 padding size according to payload's length
+#[cfg(feature = "aead-cipher-2022")]
+fn get_aead_2022_padding_size(payload: &[u8]) -> usize {
+    use std::cell::RefCell;
+
+    use rand::{rngs::SmallRng, Rng, SeedableRng};
+
+    thread_local! {
+        static PADDING_RNG: RefCell<SmallRng> = RefCell::new(SmallRng::from_entropy());
+    }
+
+    if payload.is_empty() {
+        PADDING_RNG.with(|rng| rng.borrow_mut().gen::<usize>() % AEAD2022_MAX_PADDING_SIZE)
+    } else {
+        0
+    }
+}

crates/shadowsocks/src/relay/tcprelay/aead.rs

@@ -224,7 +224,7 @@ impl DecryptedReader {
 
         // Check repeated salt after first successful decryption #442
         if let Some(ref salt) = self.salt {
-            context.check_nonce_replay(salt)?;
+            context.check_nonce_replay(self.method, salt)?;
         }
 
         // Remote TAG

crates/shadowsocks/src/relay/tcprelay/aead_2022.rs

@@ -222,7 +222,7 @@ impl DecryptedReader {
 
         // Check repeated salt after first successful decryption #442
         if let Some(ref salt) = self.salt {
-            context.check_nonce_replay(salt)?;
+            context.check_nonce_replay(self.method, salt)?;
         }
 
         // Remote TAG

crates/shadowsocks/src/relay/tcprelay/crypto_io.rs

@@ -169,21 +169,21 @@ impl<S> CryptoStream<S> {
             #[cfg(feature = "stream-cipher")]
             CipherCategory::Stream => {
                 let mut local_iv = vec![0u8; prev_len];
-                context.generate_nonce(&mut local_iv, true);
+                context.generate_nonce(method, &mut local_iv, true);
                 trace!("generated Stream cipher IV {:?}", ByteStr::new(&local_iv));
                 local_iv
             }
             CipherCategory::Aead => {
                 let mut local_salt = vec![0u8; prev_len];
-                context.generate_nonce(&mut local_salt, true);
+                context.generate_nonce(method, &mut local_salt, true);
                 trace!("generated AEAD cipher salt {:?}", ByteStr::new(&local_salt));
                 local_salt
             }
             CipherCategory::None => Vec::new(),
             #[cfg(feature = "aead-cipher-2022")]
             CipherCategory::Aead2022 => {
                 let mut local_salt = vec![0u8; prev_len];
-                context.generate_nonce(&mut local_salt, true);
+                context.generate_nonce(method, &mut local_salt, true);
                 trace!("generated AEAD cipher salt {:?}", ByteStr::new(&local_salt));
                 local_salt
             }

crates/shadowsocks/src/relay/tcprelay/proxy_stream/client.rs

@@ -16,8 +16,6 @@ use tokio::{
     time,
 };
 
-#[cfg(feature = "aead-cipher-2022")]
-use crate::context::Context;
 use crate::{
     config::ServerConfig,
     context::SharedContext,
@@ -28,6 +26,8 @@ use crate::{
         tcprelay::crypto_io::{CryptoRead, CryptoStream, CryptoWrite},
     },
 };
+#[cfg(feature = "aead-cipher-2022")]
+use crate::{context::Context, relay::get_aead_2022_padding_size};
 
 enum ProxyClientStreamWriteState {
     Connect(Address),
@@ -197,8 +197,8 @@ fn poll_read_aead_2022_header<S>(
 where
     S: AsyncRead + AsyncWrite + Unpin,
 {
+    use super::protocol::v2::{get_now_timestamp, Aead2022TcpStreamType, SERVER_STREAM_TIMESTAMP_MAX_DIFF};
     use bytes::Buf;
-    use std::time::SystemTime;
 
     // AEAD 2022 TCP Response Header
     //
@@ -208,9 +208,6 @@ where
     // | Request SALT (Variable ...)
     // +-------+-------+-------+-------+-------+-------+-------+-------+-------+
 
-    const SERVER_STREAM_TYPE: u8 = 1;
-    const SERVER_STREAM_TIMESTAMP_MAX_DIFF: u64 = 30;
-
     // Initialize buffer
     let method = stream.method();
     if header_buf.is_empty() {
@@ -230,7 +227,7 @@ where
     // Done reading TCP header, check all the fields
 
     let stream_type = header_buf.get_u8();
-    if stream_type != SERVER_STREAM_TYPE {
+    if stream_type != Aead2022TcpStreamType::Server as u8 {
         return Err(io::Error::new(
             ErrorKind::Other,
             format!("received TCP response header with wrong type {}", stream_type),
@@ -239,10 +236,7 @@ where
     }
 
     let timestamp = header_buf.get_u64();
-    let now = match SystemTime::now().duration_since(SystemTime::UNIX_EPOCH) {
-        Ok(n) => n.as_secs(),
-        Err(_) => panic!("SystemTime::now() is before UNIX Epoch!"),
-    };
+    let now = get_now_timestamp();
 
     if now.abs_diff(timestamp) > SERVER_STREAM_TIMESTAMP_MAX_DIFF {
         return Err(io::Error::new(
@@ -317,30 +311,14 @@ fn make_first_packet_buffer(method: CipherKind, addr: &Address, buf: &[u8]) -> B
         //
         // Client -> Server TYPE=0
 
-        use rand::{rngs::SmallRng, Rng, SeedableRng};
-        use std::{cell::RefCell, time::SystemTime};
+        use super::protocol::v2::{get_now_timestamp, Aead2022TcpStreamType};
 
-        const CLIENT_STREAM_TYPE: u8 = 0;
-        const MAX_PADDING_SIZE: usize = 900;
-
-        thread_local! {
-            static PADDING_RNG: RefCell<SmallRng> = RefCell::new(SmallRng::from_entropy());
-        }
-
-        let padding_size = if buf.is_empty() {
-            PADDING_RNG.with(|rng| rng.borrow_mut().gen::<usize>() % MAX_PADDING_SIZE)
-        } else {
-            // If handshake with data buffer, then padding is not required and should be 0 for letting TFO work properly.
-            0
-        };
+        let padding_size = get_aead_2022_padding_size(buf);
 
         buffer.reserve(1 + 8 + addr_length + 2 + padding_size);
-        buffer.put_u8(CLIENT_STREAM_TYPE);
+        buffer.put_u8(Aead2022TcpStreamType::Client as u8);
 
-        let timestamp = match SystemTime::now().duration_since(SystemTime::UNIX_EPOCH) {
-            Ok(n) => n.as_secs(),
-            Err(_) => panic!("SystemTime::now() is before UNIX Epoch!"),
-        };
+        let timestamp = get_now_timestamp();
         buffer.put_u64(timestamp);
 
         addr.write_to_buf(&mut buffer);

crates/shadowsocks/src/relay/tcprelay/stream.rs

@@ -119,7 +119,7 @@ impl DecryptedReader {
         }
 
         let iv = &self.buffer[..iv_len];
-        context.check_nonce_replay(iv)?;
+        context.check_nonce_replay(self.method, iv)?;
 
         trace!("got stream iv {:?}", ByteStr::new(iv));
 

crates/shadowsocks/src/relay/udprelay/aead.rs

@@ -43,7 +43,7 @@ pub fn encrypt_payload_aead(
     let salt = &mut dst[..salt_len];
 
     if salt_len > 0 {
-        context.generate_nonce(salt, false);
+        context.generate_nonce(method, salt, false);
         trace!("UDP packet generated aead salt {:?}", ByteStr::new(salt));
     }