mirror of
https://github.com/v2fly/v2ray-core.git
synced 2026-01-06 01:05:35 -05:00
settings for forcing secure encryption in vmess server
This commit is contained in:
Darien Raymond
@@ -143,6 +143,13 @@ func readAddress(buffer *buf.Buffer, reader io.Reader) (net.Address, net.Port, e
|
||||
return address, port, nil
|
||||
}
|
||||
|
||||
func parseSecurityType(b byte) protocol.SecurityType {
|
||||
if _, f := protocol.SecurityType_name[int32(b)]; f {
|
||||
return protocol.SecurityType(b)
|
||||
}
|
||||
return protocol.SecurityType_UNKNOWN
|
||||
}
|
||||
|
||||
func (s *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.RequestHeader, error) {
|
||||
buffer := buf.New()
|
||||
defer buffer.Release()
|
||||
@@ -191,11 +198,24 @@ func (s *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.Request
|
||||
s.responseHeader = buffer.Byte(33) // 1 byte
|
||||
request.Option = bitmask.Byte(buffer.Byte(34)) // 1 byte
|
||||
padingLen := int(buffer.Byte(35) >> 4)
|
||||
request.Security = protocol.NormSecurity(protocol.Security(buffer.Byte(35) & 0x0F))
|
||||
request.Security = parseSecurityType(buffer.Byte(35) & 0x0F)
|
||||
// 1 bytes reserved
|
||||
request.Command = protocol.RequestCommand(buffer.Byte(37))
|
||||
|
||||
var invalidRequestErr error
|
||||
defer func() {
|
||||
if invalidRequestErr != nil {
|
||||
randomLen := dice.Roll(64) + 1
|
||||
// Read random number of bytes for prevent detection.
|
||||
buffer.AppendSupplier(buf.ReadFullFrom(decryptor, randomLen))
|
||||
}
|
||||
}()
|
||||
|
||||
if request.Security == protocol.SecurityType_UNKNOWN || request.Security == protocol.SecurityType_AUTO {
|
||||
invalidRequestErr = newError("unknown security type")
|
||||
return nil, invalidRequestErr
|
||||
}
|
||||
|
||||
switch request.Command {
|
||||
case protocol.RequestCommandMux:
|
||||
request.Address = net.DomainAddress("v1.mux.cool")
|
||||
@@ -206,15 +226,10 @@ func (s *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.Request
|
||||
request.Port = port
|
||||
} else {
|
||||
invalidRequestErr = newError("invalid address").Base(err)
|
||||
return nil, invalidRequestErr
|
||||
}
|
||||
default:
|
||||
invalidRequestErr = newError("invalid request command: ", request.Command)
|
||||
}
|
||||
|
||||
if invalidRequestErr != nil {
|
||||
randomLen := dice.Roll(32) + 1
|
||||
// Read random number of bytes for prevent detection.
|
||||
buffer.AppendSupplier(buf.ReadFullFrom(decryptor, randomLen))
|
||||
return nil, invalidRequestErr
|
||||
}
|
||||
|
||||
@@ -249,7 +264,8 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
|
||||
if request.Option.Has(protocol.RequestOptionChunkMasking) {
|
||||
sizeParser = NewShakeSizeParser(s.requestBodyIV)
|
||||
}
|
||||
if request.Security.Is(protocol.SecurityType_NONE) {
|
||||
switch request.Security {
|
||||
case protocol.SecurityType_NONE:
|
||||
if request.Option.Has(protocol.RequestOptionChunkStream) {
|
||||
if request.Command.TransferType() == protocol.TransferTypeStream {
|
||||
return crypto.NewChunkStreamReader(sizeParser, reader)
|
||||
@@ -264,9 +280,7 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
|
||||
}
|
||||
|
||||
return buf.NewReader(reader)
|
||||
}
|
||||
|
||||
if request.Security.Is(protocol.SecurityType_LEGACY) {
|
||||
case protocol.SecurityType_LEGACY:
|
||||
aesStream := crypto.NewAesDecryptionStream(s.requestBodyKey, s.requestBodyIV)
|
||||
cryptionReader := crypto.NewCryptionReader(aesStream, reader)
|
||||
if request.Option.Has(protocol.RequestOptionChunkStream) {
|
||||
@@ -279,9 +293,7 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
|
||||
}
|
||||
|
||||
return buf.NewReader(cryptionReader)
|
||||
}
|
||||
|
||||
if request.Security.Is(protocol.SecurityType_AES128_GCM) {
|
||||
case protocol.SecurityType_AES128_GCM:
|
||||
block, _ := aes.NewCipher(s.requestBodyKey)
|
||||
aead, _ := cipher.NewGCM(block)
|
||||
|
||||
@@ -294,9 +306,7 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
|
||||
AdditionalDataGenerator: crypto.NoOpBytesGenerator{},
|
||||
}
|
||||
return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType())
|
||||
}
|
||||
|
||||
if request.Security.Is(protocol.SecurityType_CHACHA20_POLY1305) {
|
||||
case protocol.SecurityType_CHACHA20_POLY1305:
|
||||
aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(s.requestBodyKey))
|
||||
|
||||
auth := &crypto.AEADAuthenticator{
|
||||
@@ -308,9 +318,9 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
|
||||
AdditionalDataGenerator: crypto.NoOpBytesGenerator{},
|
||||
}
|
||||
return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType())
|
||||
default:
|
||||
panic("Unknown security type.")
|
||||
}
|
||||
|
||||
panic("Unknown security type.")
|
||||
}
|
||||
|
||||
func (s *ServerSession) EncodeResponseHeader(header *protocol.ResponseHeader, writer io.Writer) {
|
||||
@@ -335,7 +345,8 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
|
||||
if request.Option.Has(protocol.RequestOptionChunkMasking) {
|
||||
sizeParser = NewShakeSizeParser(s.responseBodyIV)
|
||||
}
|
||||
if request.Security.Is(protocol.SecurityType_NONE) {
|
||||
switch request.Security {
|
||||
case protocol.SecurityType_NONE:
|
||||
if request.Option.Has(protocol.RequestOptionChunkStream) {
|
||||
if request.Command.TransferType() == protocol.TransferTypeStream {
|
||||
return crypto.NewChunkStreamWriter(sizeParser, writer)
|
||||
@@ -350,9 +361,7 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
|
||||
}
|
||||
|
||||
return buf.NewWriter(writer)
|
||||
}
|
||||
|
||||
if request.Security.Is(protocol.SecurityType_LEGACY) {
|
||||
case protocol.SecurityType_LEGACY:
|
||||
if request.Option.Has(protocol.RequestOptionChunkStream) {
|
||||
auth := &crypto.AEADAuthenticator{
|
||||
AEAD: new(FnvAuthenticator),
|
||||
@@ -363,9 +372,7 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
|
||||
}
|
||||
|
||||
return buf.NewWriter(s.responseWriter)
|
||||
}
|
||||
|
||||
if request.Security.Is(protocol.SecurityType_AES128_GCM) {
|
||||
case protocol.SecurityType_AES128_GCM:
|
||||
block, _ := aes.NewCipher(s.responseBodyKey)
|
||||
aead, _ := cipher.NewGCM(block)
|
||||
|
||||
@@ -378,9 +385,7 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
|
||||
AdditionalDataGenerator: crypto.NoOpBytesGenerator{},
|
||||
}
|
||||
return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType())
|
||||
}
|
||||
|
||||
if request.Security.Is(protocol.SecurityType_CHACHA20_POLY1305) {
|
||||
case protocol.SecurityType_CHACHA20_POLY1305:
|
||||
aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(s.responseBodyKey))
|
||||
|
||||
auth := &crypto.AEADAuthenticator{
|
||||
@@ -392,7 +397,7 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
|
||||
AdditionalDataGenerator: crypto.NoOpBytesGenerator{},
|
||||
}
|
||||
return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType())
|
||||
default:
|
||||
panic("Unknown security type.")
|
||||
}
|
||||
|
||||
panic("Unknown security type.")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user