Refactor: new Shadowsocks validator (#629)

* Refactor: new Shadowsocks validator * Fix NoneCliper cannot work * Feat: refine the size of drain * fix: fix validator after merge 'main' * fix: UDP user logic * style: refine code style
2025-04-30 01:08:33 +00:00 · 2021-11-01 10:10:26 +08:00 · 2021-11-01 10:10:26 +08:00 · 63d0cb1bd6
commit 63d0cb1bd6
parent dd6769954c
4 changed files with 139 additions and 187 deletions
--- a/proxy/shadowsocks/validator.go
+++ b/proxy/shadowsocks/validator.go
@ -2,112 +2,127 @@ package shadowsocks

 import (
 	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/sha256"
+	"hash/crc64"
 	"strings"
 	"sync"

+	"github.com/xtls/xray-core/common/dice"
 	"github.com/xtls/xray-core/common/protocol"
 )

 // Validator stores valid Shadowsocks users.
 type Validator struct {
-	// Considering email's usage here, map + sync.Mutex/RWMutex may have better performance.
-	email sync.Map
-	users sync.Map
+	sync.RWMutex
+	users []*protocol.MemoryUser
+
+	behaviorSeed  uint64
+	behaviorFused bool
 }

-// Add a Shadowsocks user, Email must be empty or unique.
+var (
+	ErrNotFound = newError("Not Found")
+)
+
+// Add a Shadowsocks user.
 func (v *Validator) Add(u *protocol.MemoryUser) error {
+	v.Lock()
+	defer v.Unlock()
+
 	account := u.Account.(*MemoryAccount)
+	if !account.Cipher.IsAEAD() && len(v.users) > 0 {
+		return newError("The cipher is not support Single-port Multi-user")
+	}
+	v.users = append(v.users, u)

-	if !account.Cipher.IsAEAD() && v.Count() > 0 {
-		return newError("The cipher do not support Single-port Multi-user")
+	if !v.behaviorFused {
+		hashkdf := hmac.New(sha256.New, []byte("SSBSKDF"))
+		hashkdf.Write(account.Key)
+		v.behaviorSeed = crc64.Update(v.behaviorSeed, crc64.MakeTable(crc64.ECMA), hashkdf.Sum(nil))
 	}

-	if u.Email != "" {
-		_, loaded := v.email.LoadOrStore(strings.ToLower(u.Email), u)
-		if loaded {
-			return newError("User ", u.Email, " already exists.")
-		}
-	}
-
-	v.users.Store(string(account.Key)+"&"+account.GetCipherName(), u)
 	return nil
 }

 // Del a Shadowsocks user with a non-empty Email.
-func (v *Validator) Del(e string) error {
-	if e == "" {
+func (v *Validator) Del(email string) error {
+	if email == "" {
 		return newError("Email must not be empty.")
 	}
-	le := strings.ToLower(e)
-	u, _ := v.email.Load(le)
-	if u == nil {
-		return newError("User ", e, " not found.")
+
+	v.Lock()
+	defer v.Unlock()
+
+	email = strings.ToLower(email)
+	idx := -1
+	for i, u := range v.users {
+		if strings.EqualFold(u.Email, email) {
+			idx = i
+			break
+		}
 	}
-	account := u.(*protocol.MemoryUser).Account.(*MemoryAccount)
-	v.email.Delete(le)
-	v.users.Delete(string(account.Key) + "&" + account.GetCipherName())
+
+	if idx == -1 {
+		return newError("User ", email, " not found.")
+	}
+	ulen := len(v.users)
+
+	v.users[idx] = v.users[ulen-1]
+	v.users[ulen-1] = nil
+	v.users = v.users[:ulen-1]
+
 	return nil
 }

-// Count the number of Shadowsocks users
-func (v *Validator) Count() int {
-	length := 0
-	v.users.Range(func(_, _ interface{}) bool {
-		length++
-
-		return true
-	})
-	return length
-}
-
-// Get a Shadowsocks user and the user's cipher.
+// Get a Shadowsocks user.
 func (v *Validator) Get(bs []byte, command protocol.RequestCommand) (u *protocol.MemoryUser, aead cipher.AEAD, ret []byte, ivLen int32, err error) {
-	var dataSize int
+	v.RLock()
+	defer v.RUnlock()

-	switch command {
-	case protocol.RequestCommandTCP:
-		dataSize = 16
-	case protocol.RequestCommandUDP:
-		dataSize = 8192
+	for _, user := range v.users {
+		if account := user.Account.(*MemoryAccount); account.Cipher.IsAEAD() {
+			aeadCipher := account.Cipher.(*AEADCipher)
+			ivLen = aeadCipher.IVSize()
+			iv := bs[:ivLen]
+			subkey := make([]byte, 32)
+			subkey = subkey[:aeadCipher.KeyBytes]
+			hkdfSHA1(account.Key, iv, subkey)
+			aead = aeadCipher.AEADAuthCreator(subkey)
+
+			var matchErr error
+			switch command {
+			case protocol.RequestCommandTCP:
+				data := make([]byte, 16)
+				ret, matchErr = aead.Open(data[:0], data[4:16], bs[ivLen:ivLen+18], nil)
+			case protocol.RequestCommandUDP:
+				data := make([]byte, 8192)
+				ret, matchErr = aead.Open(data[:0], data[8180:8192], bs[ivLen:], nil)
+			}
+
+			if matchErr == nil {
+				u = user
+				err = account.CheckIV(iv)
+				return
+			}
+		} else {
+			u = user
+			ivLen = user.Account.(*MemoryAccount).Cipher.IVSize()
+			// err = user.Account.(*MemoryAccount).CheckIV(bs[:ivLen]) // The IV size of None Cipher is 0.
+			return
+		}
 	}

-	var aeadCipher *AEADCipher
-	subkey := make([]byte, 32)
-	data := make([]byte, dataSize)
-
-	v.users.Range(func(key, user interface{}) bool {
-		account := user.(*protocol.MemoryUser).Account.(*MemoryAccount)
-		aeadCipher = account.Cipher.(*AEADCipher)
-		ivLen = aeadCipher.IVSize()
-		subkey = subkey[:aeadCipher.KeyBytes]
-		hkdfSHA1(account.Key, bs[:ivLen], subkey)
-		aead = aeadCipher.AEADAuthCreator(subkey)
-
-		switch command {
-		case protocol.RequestCommandTCP:
-			ret, err = aead.Open(data[:0], data[4:16], bs[ivLen:ivLen+18], nil)
-		case protocol.RequestCommandUDP:
-			ret, err = aead.Open(data[:0], data[8180:8192], bs[ivLen:], nil)
-		}
-
-		if err == nil {
-			u = user.(*protocol.MemoryUser)
-			return false
-		}
-		return true
-	})
-
-	return
+	return nil, nil, nil, 0, ErrNotFound
 }

-// Get the only user without authentication
-func (v *Validator) GetOnlyUser() (u *protocol.MemoryUser, ivLen int32) {
-	v.users.Range(func(_, user interface{}) bool {
-		u = user.(*protocol.MemoryUser)
-		return false
-	})
-	ivLen = u.Account.(*MemoryAccount).Cipher.IVSize()
+func (v *Validator) GetBehaviorSeed() uint64 {
+	v.Lock()
+	defer v.Unlock()

-	return
+	v.behaviorFused = true
+	if v.behaviorSeed == 0 {
+		v.behaviorSeed = dice.RollUint64()
+	}
+	return v.behaviorSeed
 }