Detailed AEAD Auth Error

5 years ago · 6007e4cc6f
3 changed files with 10 additions and 10 deletions
--- a/proxy/vmess/aead/authid.go
+++ b/proxy/vmess/aead/authid.go
@ -90,7 +90,7 @@ func (a *AuthIDDecoderHolder) RemoveUser(key [16]byte) {

 func (a *AuthIDDecoderHolder) Match(AuthID [16]byte) (interface{}, error) {
 	if !a.apw.Check(AuthID[:]) {
-		return nil, errReplay
+		return nil, ErrReplay
 	}
 	for _, v := range a.aidhi {

@ -106,9 +106,9 @@ func (a *AuthIDDecoderHolder) Match(AuthID [16]byte) (interface{}, error) {
 		return v.ticket, nil

 	}
-	return nil, errNotFound
+	return nil, ErrNotFound
 }

-var errNotFound = errors.New("user do not exist")
+var ErrNotFound = errors.New("user do not exist")

-var errReplay = errors.New("replayed request")
+var ErrReplay = errors.New("replayed request")
--- a/proxy/vmess/encoding/server.go
+++ b/proxy/vmess/encoding/server.go
@ -165,7 +165,7 @@ func (s *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.Request
 	var decryptor io.Reader
 	var vmessAccount *vmess.MemoryAccount

-	user, foundAEAD := s.userValidator.GetAEAD(buffer.Bytes())
+	user, foundAEAD, errorAEAD := s.userValidator.GetAEAD(buffer.Bytes())

 	var fixedSizeAuthID [16]byte
 	copy(fixedSizeAuthID[:], buffer.Bytes())
@ -185,7 +185,7 @@ func (s *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.Request
 		}
 		decryptor = bytes.NewReader(aeadData)
 		s.isAEADRequest = true
-	} else if !s.isAEADForced {
+	} else if !s.isAEADForced && errorAEAD == vmessaead.ErrNotFound {
 		userLegacy, timestamp, valid, userValidationError := s.userValidator.Get(buffer.Bytes())
 		if !valid || userValidationError != nil {
 			return nil, drainConnection(newError("invalid user").Base(userValidationError))
@ -197,7 +197,7 @@ func (s *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.Request
 		aesStream := crypto.NewAesDecryptionStream(vmessAccount.ID.CmdKey(), iv[:])
 		decryptor = crypto.NewCryptionReader(aesStream, reader)
 	} else {
-		return nil, drainConnection(newError("invalid user"))
+		return nil, drainConnection(newError("invalid user").Base(errorAEAD))
 	}

 	readSizeRemain -= int(buffer.Len())
--- a/proxy/vmess/validator.go
+++ b/proxy/vmess/validator.go
@ -168,7 +168,7 @@ func (v *TimedUserValidator) Get(userHash []byte) (*protocol.MemoryUser, protoco
 	return nil, 0, false, ErrNotFound
 }

-func (v *TimedUserValidator) GetAEAD(userHash []byte) (*protocol.MemoryUser, bool) {
+func (v *TimedUserValidator) GetAEAD(userHash []byte) (*protocol.MemoryUser, bool, error) {
 	defer v.RUnlock()
 	v.RLock()
 	var userHashFL [16]byte
@ -176,9 +176,9 @@ func (v *TimedUserValidator) GetAEAD(userHash []byte) (*protocol.MemoryUser, boo

 	userd, err := v.aeadDecoderHolder.Match(userHashFL)
 	if err != nil {
-		return nil, false
+		return nil, false, err
 	}
-	return userd.(*protocol.MemoryUser), true
+	return userd.(*protocol.MemoryUser), true, err
 }

 func (v *TimedUserValidator) Remove(email string) bool {