Use shadowsocket's bloomring for shadowsocket's replay protection (#764)

* use shadowsocket's bloomring for shadowsocket's replay protection * added shadowsockets iv check for tcp socket * Rename to shadowsockets iv check * shadowsocks iv check config file * iv check should proceed after decryption * use shadowsocket's bloomring for shadowsocket's replay protection * Chore: format code (#842) Co-authored-by: Shelikhoo <xiaokangwang@outlook.com> Co-authored-by: Loyalsoldier <10487845+Loyalsoldier@users.noreply.github.com>
2025-04-30 01:08:33 +00:00 · 2021-10-22 00:03:09 -04:00 · 2021-10-22 00:03:09 -04:00 · 45dc97e2b6
commit 45dc97e2b6
parent 0f0a424e8c
9 changed files with 138 additions and 53 deletions
--- a/proxy/shadowsocks/config.go
+++ b/proxy/shadowsocks/config.go
@ -14,6 +14,7 @@ import (
 	"golang.org/x/crypto/hkdf"

 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/antireplay"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/crypto"
 	"github.com/xtls/xray-core/common/protocol"
@ -23,6 +24,8 @@ import (
 type MemoryAccount struct {
 	Cipher Cipher
 	Key    []byte
+
+	replayFilter antireplay.GeneralizedReplayFilter
 }

 // Equals implements protocol.Account.Equals().
@ -33,6 +36,16 @@ func (a *MemoryAccount) Equals(another protocol.Account) bool {
 	return false
 }

+func (a *MemoryAccount) CheckIV(iv []byte) error {
+	if a.replayFilter == nil {
+		return nil
+	}
+	if a.replayFilter.Check(iv) {
+		return nil
+	}
+	return newError("IV is not unique")
+}
+
 func (a *MemoryAccount) GetCipherName() string {
 	switch a.Cipher.(type) {
 	case *AEADCipher:
@ -100,6 +113,12 @@ func (a *Account) AsAccount() (protocol.Account, error) {
 	return &MemoryAccount{
 		Cipher: Cipher,
 		Key:    passwordToCipherKey([]byte(a.Password), Cipher.KeySize()),
+		replayFilter: func() antireplay.GeneralizedReplayFilter {
+			if a.IvCheck {
+				return antireplay.NewBloomRing()
+			}
+			return nil
+		}(),
 	}, nil
 }