Allow paddings before handshake; CTR 128->256; Fix panic

https://github.com/XTLS/Xray-core/pull/4952#issuecomment-3187832651
2025-08-22 09:36:49 +08:00 · 2025-08-14 10:28:17 +00:00
parent 7f778a4e2f
commit 2807ee432a
4 changed files with 59 additions and 65 deletions
--- a/proxy/vless/encryption/client.go
+++ b/proxy/vless/encryption/client.go
@@ -8,6 +8,7 @@ import (
 	"crypto/sha256"
 	"io"
 	"net"
 	"strings"
 	"sync"
 	"time"
@@ -26,13 +27,12 @@ func init() {
 type ClientInstance struct {
 	sync.RWMutex
-	nfsEKey       *mlkem.EncapsulationKey768
+	nfsEKey *mlkem.EncapsulationKey768
-	nfsEKeySha256 [32]byte
+	xorKey  []byte
-	xor           uint32
+	minutes time.Duration
-	minutes       time.Duration
+	expire  time.Time
-	expire        time.Time
+	baseKey []byte
-	baseKey       []byte
+	ticket  []byte
 	ticket        []byte
 }
 type ClientConn struct {
@@ -49,10 +49,17 @@ type ClientConn struct {
 }
 func (i *ClientInstance) Init(nfsEKeyBytes []byte, xor uint32, minutes time.Duration) (err error) {
 	if i.nfsEKey != nil {
 		err = errors.New("already initialized")
 		return
 	}
 	i.nfsEKey, err = mlkem.NewEncapsulationKey768(nfsEKeyBytes)
 	if err != nil {
 		return
 	}
 	if xor > 0 {
-		i.nfsEKeySha256 = sha256.Sum256(nfsEKeyBytes)
+		xorKey := sha256.Sum256(nfsEKeyBytes)
-		i.xor = xor
+		i.xorKey = xorKey[:]
 	}
 	i.minutes = minutes
 	return
@@ -62,8 +69,8 @@ func (i *ClientInstance) Handshake(conn net.Conn) (net.Conn, error) {
 	if i.nfsEKey == nil {
 		return nil, errors.New("uninitialized")
 	}
-	if i.xor > 0 {
+	if i.xorKey != nil {
-		conn = NewXorConn(conn, i.nfsEKeySha256[:])
+		conn = NewXorConn(conn, i.xorKey)
 	}
 	c := &ClientConn{Conn: conn}
@@ -99,14 +106,14 @@ func (i *ClientInstance) Handshake(conn net.Conn) (net.Conn, error) {
 	}
 	// client can send more padding / NFS AEAD messages if needed
-	_, t, l, err := ReadAndDecodeHeader(c.Conn)
+	_, t, l, err := ReadAndDiscardPaddings(c.Conn)
 	if err != nil {
 		return nil, err
 	}
 	if t != 1 {
 		return nil, errors.New("unexpected type ", t, ", expect server hello")
 	}
 	peerServerHello := make([]byte, 1088+21)
 	if l != len(peerServerHello) {
 		return nil, errors.New("unexpected length ", l, " for server hello")
@@ -183,27 +190,9 @@ func (c *ClientConn) Read(b []byte) (int, error) {
 		return 0, nil
 	}
 	if c.peerAead == nil {
-		var t byte
+		_, t, l, err := ReadAndDiscardPaddings(c.Conn)
-		var l int
+		if err != nil {
-		var err error
+			if c.instance != nil && strings.HasPrefix(err.Error(), "invalid header: ") { // from 0-RTT
 		if c.instance == nil { // from 1-RTT
 			for {
 				if _, t, l, err = ReadAndDecodeHeader(c.Conn); err != nil {
 					return 0, err
 				}
 				if t != 23 {
 					break
 				}
 				if _, err := io.ReadFull(c.Conn, make([]byte, l)); err != nil {
 					return 0, err
 				}
 			}
 		} else {
 			h := make([]byte, 5)
 			if _, err := io.ReadFull(c.Conn, h); err != nil {
 				return 0, err
 			}
 			if t, l, err = DecodeHeader(h); err != nil {
 				c.instance.Lock()
 				if bytes.Equal(c.ticket, c.instance.ticket) {
 					c.instance.expire = time.Now() // expired
@@ -211,6 +200,7 @@ func (c *ClientConn) Read(b []byte) (int, error) {
 				c.instance.Unlock()
 				return 0, errors.New("new handshake needed")
 			}
 			return 0, err
 		}
 		if t != 0 {
 			return 0, errors.New("unexpected type ", t, ", expect random hello")
--- a/proxy/vless/encryption/common.go
+++ b/proxy/vless/encryption/common.go
@@ -44,10 +44,10 @@ func DecodeHeader(h []byte) (t byte, l int, err error) {
 	} else if h[0] == 1 && h[1] == 1 && h[2] == 1 {
 		t = 1
 	} else {
-		h = nil
+		l = 0
 	}
-	if h == nil || l < 17 || l > 17000 { // TODO: TLSv1.3 max length
+	if l < 17 || l > 17000 { // TODO: TLSv1.3 max length
-		err = errors.New("invalid header: ", fmt.Sprintf("%v", h[:5]))
+		err = errors.New("invalid header: ", fmt.Sprintf("%v", h[:5])) // relied by client's Read()
 	}
 	return
 }
@@ -61,6 +61,17 @@ func ReadAndDecodeHeader(conn net.Conn) (h []byte, t byte, l int, err error) {
 	return
 }
 func ReadAndDiscardPaddings(conn net.Conn) (h []byte, t byte, l int, err error) {
 	for {
 		if h, t, l, err = ReadAndDecodeHeader(conn); err != nil || t != 23 {
 			return
 		}
 		if _, err = io.ReadFull(conn, make([]byte, l)); err != nil {
 			return
 		}
 	}
 }
 func NewAead(c byte, secret, salt, info []byte) (aead cipher.AEAD) {
 	key := make([]byte, 32)
 	hkdf.New(sha256.New, secret, salt, info).Read(key)
--- a/proxy/vless/encryption/server.go
+++ b/proxy/vless/encryption/server.go
@@ -24,12 +24,11 @@ type ServerSession struct {
 type ServerInstance struct {
 	sync.RWMutex
-	nfsDKey       *mlkem.DecapsulationKey768
+	nfsDKey  *mlkem.DecapsulationKey768
-	nfsEKeySha256 [32]byte
+	xorKey   []byte
-	xor           uint32
+	minutes  time.Duration
-	minutes       time.Duration
+	sessions map[[21]byte]*ServerSession
-	sessions      map[[21]byte]*ServerSession
+	closed   bool
 	closed        bool
 }
 type ServerConn struct {
@@ -46,10 +45,17 @@ type ServerConn struct {
 }
 func (i *ServerInstance) Init(nfsDKeySeed []byte, xor uint32, minutes time.Duration) (err error) {
 	if i.nfsDKey != nil {
 		err = errors.New("already initialized")
 		return
 	}
 	i.nfsDKey, err = mlkem.NewDecapsulationKey768(nfsDKeySeed)
 	if err != nil {
 		return
 	}
 	if xor > 0 {
-		i.nfsEKeySha256 = sha256.Sum256(i.nfsDKey.EncapsulationKey().Bytes())
+		xorKey := sha256.Sum256(i.nfsDKey.EncapsulationKey().Bytes())
-		i.xor = xor
+		i.xorKey = xorKey[:]
 	}
 	if minutes > 0 {
 		i.minutes = minutes
@@ -86,18 +92,15 @@ func (i *ServerInstance) Handshake(conn net.Conn) (net.Conn, error) {
 	if i.nfsDKey == nil {
 		return nil, errors.New("uninitialized")
 	}
-	if i.xor > 0 {
+	if i.xorKey != nil {
-		conn = NewXorConn(conn, i.nfsEKeySha256[:])
+		conn = NewXorConn(conn, i.xorKey)
 	}
 	c := &ServerConn{Conn: conn}
-	_, t, l, err := ReadAndDecodeHeader(c.Conn)
+	_, t, l, err := ReadAndDiscardPaddings(c.Conn)
 	if err != nil {
 		return nil, err
 	}
 	if t == 23 {
 		return nil, errors.New("unexpected data")
 	}
 	if t == 0 {
 		if i.minutes == 0 {
@@ -187,19 +190,9 @@ func (c *ServerConn) Read(b []byte) (int, error) {
 	}
 	if c.peerAead == nil {
 		if c.peerRandom == nil { // from 1-RTT
-			var t byte
+			_, t, l, err := ReadAndDiscardPaddings(c.Conn)
-			var l int
+			if err != nil {
-			var err error
+				return 0, err
 			for {
 				if _, t, l, err = ReadAndDecodeHeader(c.Conn); err != nil {
 					return 0, err
 				}
 				if t != 23 {
 					break
 				}
 				if _, err := io.ReadFull(c.Conn, make([]byte, l)); err != nil {
 					return 0, err
 				}
 			}
 			if t != 0 {
 				return 0, errors.New("unexpected type ", t, ", expect ticket hello")
--- a/proxy/vless/encryption/xor.go
+++ b/proxy/vless/encryption/xor.go
@@ -18,7 +18,7 @@ type XorConn struct {
 }
 func NewXorConn(conn net.Conn, key []byte) *XorConn {
-	return &XorConn{Conn: conn, key: key[:16]}
+	return &XorConn{Conn: conn, key: key}
 	//chacha20.NewUnauthenticatedCipher()
 }