v2ray-core/proxy/shadowsocks/protocol.go

405 lines
12 KiB
Go
Raw Normal View History

2016-01-28 11:33:58 +00:00
package shadowsocks
import (
2016-05-24 20:09:22 +00:00
"bytes"
2016-10-31 14:24:28 +00:00
"crypto/rand"
2016-01-28 11:33:58 +00:00
"io"
2016-12-09 11:08:25 +00:00
2016-12-09 10:35:27 +00:00
"v2ray.com/core/common/buf"
2016-10-31 14:24:28 +00:00
"v2ray.com/core/common/crypto"
2016-08-20 18:55:45 +00:00
v2net "v2ray.com/core/common/net"
2016-10-31 14:24:28 +00:00
"v2ray.com/core/common/protocol"
2016-12-06 10:03:42 +00:00
"v2ray.com/core/common/serial"
2016-01-28 11:33:58 +00:00
)
const (
2016-10-31 14:24:28 +00:00
Version = 1
RequestOptionOneTimeAuth = protocol.RequestOption(101)
2016-01-28 11:33:58 +00:00
AddrTypeIPv4 = 1
AddrTypeIPv6 = 4
AddrTypeDomain = 3
)
2016-12-09 12:17:34 +00:00
func ReadTCPSession(user *protocol.User, reader io.Reader) (*protocol.RequestHeader, buf.Reader, error) {
2016-10-31 14:24:28 +00:00
rawAccount, err := user.GetTypedAccount()
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to parse account").Base(err)
2016-05-01 15:18:02 +00:00
}
2016-10-31 14:24:28 +00:00
account := rawAccount.(*ShadowsocksAccount)
2016-05-01 15:18:02 +00:00
2016-12-09 11:08:25 +00:00
buffer := buf.NewLocal(512)
2016-01-28 11:33:58 +00:00
defer buffer.Release()
2016-10-31 14:24:28 +00:00
ivLen := account.Cipher.IVSize()
2016-12-09 11:08:25 +00:00
err = buffer.AppendSupplier(buf.ReadFullFrom(reader, ivLen))
2016-01-28 11:33:58 +00:00
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to read IV").Base(err)
2016-01-28 11:33:58 +00:00
}
2016-12-06 10:31:19 +00:00
iv := append([]byte(nil), buffer.BytesTo(ivLen)...)
2016-10-31 14:24:28 +00:00
stream, err := account.Cipher.NewDecodingStream(account.Key, iv)
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to initialize decoding stream").Base(err)
2016-10-31 14:24:28 +00:00
}
reader = crypto.NewCryptionReader(stream, reader)
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
request := &protocol.RequestHeader{
Version: Version,
User: user,
Command: protocol.RequestCommandTCP,
}
2016-12-05 16:05:47 +00:00
buffer.Clear()
2016-12-09 11:08:25 +00:00
err = buffer.AppendSupplier(buf.ReadFullFrom(reader, 1))
2016-10-31 14:24:28 +00:00
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to read address type").Base(err)
2016-10-31 14:24:28 +00:00
}
2016-01-28 11:33:58 +00:00
2016-12-06 10:31:19 +00:00
addrType := (buffer.Byte(0) & 0x0F)
if (buffer.Byte(0) & 0x10) == 0x10 {
2016-10-31 14:24:28 +00:00
request.Option |= RequestOptionOneTimeAuth
2016-01-29 14:09:51 +00:00
}
2016-10-31 14:24:28 +00:00
if request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Disabled {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("rejecting connection with OTA enabled, while server disables OTA")
}
if !request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Enabled {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("rejecting connection with OTA disabled, while server enables OTA")
}
2016-01-28 11:33:58 +00:00
switch addrType {
case AddrTypeIPv4:
2016-12-09 11:08:25 +00:00
err := buffer.AppendSupplier(buf.ReadFullFrom(reader, 4))
2016-01-28 11:33:58 +00:00
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to read IPv4 address").Base(err)
2016-01-28 11:33:58 +00:00
}
2016-12-05 16:05:47 +00:00
request.Address = v2net.IPAddress(buffer.BytesFrom(-4))
2016-01-28 11:33:58 +00:00
case AddrTypeIPv6:
2016-12-09 11:08:25 +00:00
err := buffer.AppendSupplier(buf.ReadFullFrom(reader, 16))
2016-01-28 11:33:58 +00:00
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to read IPv6 address").Base(err)
2016-01-28 11:33:58 +00:00
}
2016-12-05 16:05:47 +00:00
request.Address = v2net.IPAddress(buffer.BytesFrom(-16))
2016-01-28 11:33:58 +00:00
case AddrTypeDomain:
2016-12-09 11:08:25 +00:00
err := buffer.AppendSupplier(buf.ReadFullFrom(reader, 1))
2016-01-28 11:33:58 +00:00
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to read domain lenth.").Base(err)
2016-01-28 11:33:58 +00:00
}
2016-12-05 16:05:47 +00:00
domainLength := int(buffer.BytesFrom(-1)[0])
2016-12-09 11:08:25 +00:00
err = buffer.AppendSupplier(buf.ReadFullFrom(reader, domainLength))
2016-01-28 11:33:58 +00:00
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to read domain").Base(err)
2016-01-28 11:33:58 +00:00
}
2016-12-05 16:05:47 +00:00
request.Address = v2net.DomainAddress(string(buffer.BytesFrom(-domainLength)))
2016-01-28 11:33:58 +00:00
default:
2016-12-13 08:17:39 +00:00
// Check address validity after OTA verification.
2016-01-28 11:33:58 +00:00
}
2016-12-09 11:08:25 +00:00
err = buffer.AppendSupplier(buf.ReadFullFrom(reader, 2))
2016-01-28 11:33:58 +00:00
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("failed to read port").Base(err)
2016-01-28 11:33:58 +00:00
}
2016-12-05 16:05:47 +00:00
request.Port = v2net.PortFromBytes(buffer.BytesFrom(-2))
2016-10-31 14:24:28 +00:00
if request.Option.Has(RequestOptionOneTimeAuth) {
2016-12-06 10:03:42 +00:00
actualAuth := make([]byte, AuthSize)
authenticator.Authenticate(buffer.Bytes())(actualAuth)
2016-12-05 16:05:47 +00:00
2016-12-09 11:08:25 +00:00
err := buffer.AppendSupplier(buf.ReadFullFrom(reader, AuthSize))
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("Failed to read OTA").Base(err)
2016-01-29 20:55:42 +00:00
}
2016-10-31 14:24:28 +00:00
2016-12-05 16:05:47 +00:00
if !bytes.Equal(actualAuth, buffer.BytesFrom(-AuthSize)) {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("invalid OTA")
}
2016-10-31 14:24:28 +00:00
}
2016-12-13 08:17:39 +00:00
if request.Address == nil {
2017-04-08 23:43:25 +00:00
return nil, nil, newError("invalid remote address.")
2016-12-13 08:17:39 +00:00
}
2016-12-09 12:17:34 +00:00
var chunkReader buf.Reader
2016-10-31 14:24:28 +00:00
if request.Option.Has(RequestOptionOneTimeAuth) {
chunkReader = NewChunkReader(reader, NewAuthenticator(ChunkKeyGenerator(iv)))
2016-01-29 20:55:42 +00:00
} else {
2016-12-09 12:17:34 +00:00
chunkReader = buf.NewReader(reader)
2016-10-31 14:24:28 +00:00
}
return request, chunkReader, nil
}
2016-12-09 12:17:34 +00:00
func WriteTCPRequest(request *protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {
2016-10-31 14:24:28 +00:00
user := request.User
rawAccount, err := user.GetTypedAccount()
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, newError("failed to parse account").Base(err)
2016-10-31 14:24:28 +00:00
}
account := rawAccount.(*ShadowsocksAccount)
iv := make([]byte, account.Cipher.IVSize())
rand.Read(iv)
_, err = writer.Write(iv)
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, newError("failed to write IV")
2016-10-31 14:24:28 +00:00
}
stream, err := account.Cipher.NewEncodingStream(account.Key, iv)
if err != nil {
2017-04-08 23:43:25 +00:00
return nil, newError("failed to create encoding stream").Base(err)
2016-10-31 14:24:28 +00:00
}
writer = crypto.NewCryptionWriter(stream, writer)
2016-12-09 11:08:25 +00:00
header := buf.NewLocal(512)
2016-10-31 14:24:28 +00:00
switch request.Address.Family() {
case v2net.AddressFamilyIPv4:
header.AppendBytes(AddrTypeIPv4)
header.Append([]byte(request.Address.IP()))
2016-11-06 20:04:56 +00:00
case v2net.AddressFamilyIPv6:
2016-10-31 14:24:28 +00:00
header.AppendBytes(AddrTypeIPv6)
header.Append([]byte(request.Address.IP()))
2016-11-06 20:04:56 +00:00
case v2net.AddressFamilyDomain:
2016-10-31 14:24:28 +00:00
header.AppendBytes(AddrTypeDomain, byte(len(request.Address.Domain())))
header.Append([]byte(request.Address.Domain()))
default:
2017-04-09 11:30:46 +00:00
return nil, newError("unsupported address type: ", request.Address.Family())
2016-10-31 14:24:28 +00:00
}
2016-12-09 11:08:25 +00:00
header.AppendSupplier(serial.WriteUint16(uint16(request.Port)))
2016-10-31 14:24:28 +00:00
if request.Option.Has(RequestOptionOneTimeAuth) {
2016-12-06 10:31:19 +00:00
header.SetByte(0, header.Byte(0)|0x10)
2016-10-31 14:24:28 +00:00
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
2016-12-09 11:08:25 +00:00
header.AppendSupplier(authenticator.Authenticate(header.Bytes()))
2016-10-31 14:24:28 +00:00
}
2016-12-06 10:03:42 +00:00
_, err = writer.Write(header.Bytes())
2016-10-31 14:24:28 +00:00
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to write header").Base(err)
2016-10-31 14:24:28 +00:00
}
2016-12-09 12:17:34 +00:00
var chunkWriter buf.Writer
2016-10-31 14:24:28 +00:00
if request.Option.Has(RequestOptionOneTimeAuth) {
chunkWriter = NewChunkWriter(writer, NewAuthenticator(ChunkKeyGenerator(iv)))
} else {
2016-12-09 12:17:34 +00:00
chunkWriter = buf.NewWriter(writer)
2016-10-31 14:24:28 +00:00
}
return chunkWriter, nil
}
2016-12-09 12:17:34 +00:00
func ReadTCPResponse(user *protocol.User, reader io.Reader) (buf.Reader, error) {
2016-10-31 14:24:28 +00:00
rawAccount, err := user.GetTypedAccount()
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to parse account").Base(err).AtError()
2016-01-29 20:55:42 +00:00
}
2016-10-31 14:24:28 +00:00
account := rawAccount.(*ShadowsocksAccount)
2016-10-31 14:24:28 +00:00
iv := make([]byte, account.Cipher.IVSize())
_, err = io.ReadFull(reader, iv)
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to read IV").Base(err)
2016-10-31 14:24:28 +00:00
}
stream, err := account.Cipher.NewDecodingStream(account.Key, iv)
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to initialize decoding stream").Base(err).AtError()
2016-10-31 14:24:28 +00:00
}
2016-12-09 12:17:34 +00:00
return buf.NewReader(crypto.NewCryptionReader(stream, reader)), nil
2016-10-31 14:24:28 +00:00
}
2016-12-09 12:17:34 +00:00
func WriteTCPResponse(request *protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {
2016-10-31 14:24:28 +00:00
user := request.User
rawAccount, err := user.GetTypedAccount()
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to parse account.").Base(err).AtError()
2016-10-31 14:24:28 +00:00
}
account := rawAccount.(*ShadowsocksAccount)
iv := make([]byte, account.Cipher.IVSize())
rand.Read(iv)
_, err = writer.Write(iv)
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to write IV.").Base(err)
2016-10-31 14:24:28 +00:00
}
stream, err := account.Cipher.NewEncodingStream(account.Key, iv)
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to create encoding stream.").Base(err).AtError()
2016-10-31 14:24:28 +00:00
}
2016-12-09 12:17:34 +00:00
return buf.NewWriter(crypto.NewCryptionWriter(stream, writer)), nil
2016-10-31 14:24:28 +00:00
}
2016-12-09 10:35:27 +00:00
func EncodeUDPPacket(request *protocol.RequestHeader, payload *buf.Buffer) (*buf.Buffer, error) {
2016-10-31 14:24:28 +00:00
user := request.User
rawAccount, err := user.GetTypedAccount()
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to parse account.").Base(err).AtError()
2016-10-31 14:24:28 +00:00
}
account := rawAccount.(*ShadowsocksAccount)
2017-04-15 19:19:21 +00:00
buffer := buf.New()
2016-10-31 14:24:28 +00:00
ivLen := account.Cipher.IVSize()
2016-12-09 11:08:25 +00:00
buffer.AppendSupplier(buf.ReadFullFrom(rand.Reader, ivLen))
2016-12-06 10:03:42 +00:00
iv := buffer.Bytes()
2016-10-31 14:24:28 +00:00
switch request.Address.Family() {
case v2net.AddressFamilyIPv4:
buffer.AppendBytes(AddrTypeIPv4)
buffer.Append([]byte(request.Address.IP()))
2016-11-06 13:32:04 +00:00
case v2net.AddressFamilyIPv6:
2016-10-31 14:24:28 +00:00
buffer.AppendBytes(AddrTypeIPv6)
buffer.Append([]byte(request.Address.IP()))
2016-11-06 13:32:04 +00:00
case v2net.AddressFamilyDomain:
2016-10-31 14:24:28 +00:00
buffer.AppendBytes(AddrTypeDomain, byte(len(request.Address.Domain())))
buffer.Append([]byte(request.Address.Domain()))
default:
2017-04-09 11:30:46 +00:00
return nil, newError("unsupported address type: ", request.Address.Family())
2016-10-31 14:24:28 +00:00
}
2016-12-09 11:08:25 +00:00
buffer.AppendSupplier(serial.WriteUint16(uint16(request.Port)))
2016-12-06 10:03:42 +00:00
buffer.Append(payload.Bytes())
2016-10-31 14:24:28 +00:00
if request.Option.Has(RequestOptionOneTimeAuth) {
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
2016-12-06 10:31:19 +00:00
buffer.SetByte(ivLen, buffer.Byte(ivLen)|0x10)
2016-10-31 14:24:28 +00:00
2016-12-09 11:08:25 +00:00
buffer.AppendSupplier(authenticator.Authenticate(buffer.BytesFrom(ivLen)))
2016-10-31 14:24:28 +00:00
}
stream, err := account.Cipher.NewEncodingStream(account.Key, iv)
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, newError("failed to create encoding stream").Base(err).AtError()
2016-10-31 14:24:28 +00:00
}
2016-12-06 10:03:42 +00:00
stream.XORKeyStream(buffer.BytesFrom(ivLen), buffer.BytesFrom(ivLen))
2016-10-31 14:24:28 +00:00
return buffer, nil
}
2016-12-09 10:35:27 +00:00
func DecodeUDPPacket(user *protocol.User, payload *buf.Buffer) (*protocol.RequestHeader, *buf.Buffer, error) {
2016-10-31 14:24:28 +00:00
rawAccount, err := user.GetTypedAccount()
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, nil, newError("failed to parse account").Base(err).AtError()
2016-10-31 14:24:28 +00:00
}
account := rawAccount.(*ShadowsocksAccount)
ivLen := account.Cipher.IVSize()
2016-12-06 10:03:42 +00:00
iv := payload.BytesTo(ivLen)
2016-10-31 14:24:28 +00:00
payload.SliceFrom(ivLen)
stream, err := account.Cipher.NewDecodingStream(account.Key, iv)
if err != nil {
2017-04-09 11:30:46 +00:00
return nil, nil, newError("failed to initialize decoding stream").Base(err).AtError()
2016-10-31 14:24:28 +00:00
}
2016-12-06 10:03:42 +00:00
stream.XORKeyStream(payload.Bytes(), payload.Bytes())
2016-10-31 14:24:28 +00:00
authenticator := NewAuthenticator(HeaderKeyGenerator(account.Key, iv))
request := &protocol.RequestHeader{
Version: Version,
User: user,
Command: protocol.RequestCommandUDP,
}
2016-12-06 10:03:42 +00:00
addrType := (payload.Byte(0) & 0x0F)
if (payload.Byte(0) & 0x10) == 0x10 {
2016-10-31 14:24:28 +00:00
request.Option |= RequestOptionOneTimeAuth
}
if request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Disabled {
2017-04-09 11:30:46 +00:00
return nil, nil, newError("rejecting packet with OTA enabled, while server disables OTA")
}
if !request.Option.Has(RequestOptionOneTimeAuth) && account.OneTimeAuth == Account_Enabled {
2017-04-09 11:30:46 +00:00
return nil, nil, newError("rejecting packet with OTA disabled, while server enables OTA")
}
2016-10-31 14:24:28 +00:00
if request.Option.Has(RequestOptionOneTimeAuth) {
payloadLen := payload.Len() - AuthSize
2016-12-06 10:03:42 +00:00
authBytes := payload.BytesFrom(payloadLen)
2016-10-31 14:24:28 +00:00
2016-12-06 10:03:42 +00:00
actualAuth := make([]byte, AuthSize)
authenticator.Authenticate(payload.BytesTo(payloadLen))(actualAuth)
2016-05-24 20:09:22 +00:00
if !bytes.Equal(actualAuth, authBytes) {
2017-04-09 11:30:46 +00:00
return nil, nil, newError("invalid OTA")
}
2016-10-31 14:24:28 +00:00
payload.Slice(0, payloadLen)
}
payload.SliceFrom(1)
switch addrType {
case AddrTypeIPv4:
2016-12-06 10:03:42 +00:00
request.Address = v2net.IPAddress(payload.BytesTo(4))
2016-10-31 14:24:28 +00:00
payload.SliceFrom(4)
case AddrTypeIPv6:
2016-12-06 10:03:42 +00:00
request.Address = v2net.IPAddress(payload.BytesTo(16))
2016-10-31 14:24:28 +00:00
payload.SliceFrom(16)
case AddrTypeDomain:
2016-12-06 10:03:42 +00:00
domainLength := int(payload.Byte(0))
request.Address = v2net.DomainAddress(string(payload.BytesRange(1, 1+domainLength)))
2016-10-31 14:24:28 +00:00
payload.SliceFrom(1 + domainLength)
default:
2017-04-09 11:30:46 +00:00
return nil, nil, newError("unknown address type: ", addrType)
}
2016-12-06 10:03:42 +00:00
request.Port = v2net.PortFromBytes(payload.BytesTo(2))
2016-10-31 14:24:28 +00:00
payload.SliceFrom(2)
return request, payload, nil
2016-01-28 11:33:58 +00:00
}
2016-10-31 15:35:18 +00:00
type UDPReader struct {
Reader io.Reader
User *protocol.User
}
2017-04-15 19:07:23 +00:00
func (v *UDPReader) Read() (buf.MultiBuffer, error) {
2017-04-15 19:19:21 +00:00
buffer := buf.New()
2016-12-09 11:08:25 +00:00
err := buffer.AppendSupplier(buf.ReadFrom(v.Reader))
2016-10-31 15:35:18 +00:00
if err != nil {
buffer.Release()
return nil, err
}
2016-11-27 20:39:09 +00:00
_, payload, err := DecodeUDPPacket(v.User, buffer)
2016-10-31 15:35:18 +00:00
if err != nil {
buffer.Release()
return nil, err
}
2017-04-15 19:07:23 +00:00
mb := buf.NewMultiBuffer()
mb.Append(payload)
return mb, nil
2016-10-31 15:35:18 +00:00
}
type UDPWriter struct {
Writer io.Writer
Request *protocol.RequestHeader
}
2017-04-15 19:07:23 +00:00
func (w *UDPWriter) Write(mb buf.MultiBuffer) error {
for _, b := range mb {
if err := w.writeInternal(b); err != nil {
return err
}
}
return nil
}
func (w *UDPWriter) writeInternal(buffer *buf.Buffer) error {
payload, err := EncodeUDPPacket(w.Request, buffer)
2016-10-31 15:35:18 +00:00
if err != nil {
return err
}
2017-04-15 19:07:23 +00:00
_, err = w.Writer.Write(payload.Bytes())
2016-10-31 15:35:18 +00:00
payload.Release()
return err
}