func handleResponse(conn net.Conn, request *protocol.VMessRequest, output chan<- *alloc.Buffer, finish *sync.Mutex, isUDP bool) {
defer finish.Unlock()
defer close(output)
responseKey := md5.Sum(request.RequestKey[:])
responseIV := md5.Sum(request.RequestIV[:])
aesStream, err := v2crypto.NewAesDecryptionStream(responseKey[:], responseIV[:])
if err != nil {
log.Error("VMessOut: Failed to create AES encryption stream: %v", err)
return
}
decryptResponseReader := v2crypto.NewCryptionReader(aesStream, conn)
buffer, err := v2net.ReadFrom(decryptResponseReader, nil)
if err != nil {
log.Error("VMessOut: Failed to read VMess response (%d bytes): %v", buffer.Len(), err)
return
}
if buffer.Len() < 4 || !headerMatch(request, buffer.Value[:2]) {
log.Warning("VMessOut: unexepcted response header. The connection is probably hijacked.")
return
}
log.Info("VMessOut received %d bytes from %s", buffer.Len()-4, conn.RemoteAddr().String())
buffer.SliceFrom(4)
output <- buffer
if !isUDP {
v2net.ReaderToChan(output, decryptResponseReader)
}
return
}
func (this *ClientSession) DecodeResponseHeader(reader io.Reader) (*protocol.ResponseHeader, error) {
aesStream := crypto.NewAesDecryptionStream(this.responseBodyKey, this.responseBodyIV)
this.responseReader = crypto.NewCryptionReader(aesStream, reader)
buffer := alloc.NewSmallBuffer()
defer buffer.Release()
_, err := io.ReadFull(this.responseReader, buffer.Value[:4])
if err != nil {
log.Error("Raw: Failed to read response header: ", err)
return nil, err
}
if buffer.Value[0] != this.responseHeader {
log.Warning("Raw: Unexpected response header. Expecting %d, but actually %d", this.responseHeader, buffer.Value[0])
return nil, transport.ErrorCorruptedPacket
}
header := new(protocol.ResponseHeader)
if buffer.Value[2] != 0 {
cmdId := buffer.Value[2]
dataLen := int(buffer.Value[3])
_, err := io.ReadFull(this.responseReader, buffer.Value[:dataLen])
if err != nil {
log.Error("Raw: Failed to read response command: ", err)
return nil, err
}
data := buffer.Value[:dataLen]
command, err := UnmarshalCommand(cmdId, data)
header.Command = command
}
return header, nil
}
func (this *AesCfb) NewDecodingStream(key []byte, iv []byte, reader io.Reader) (io.Reader, error) {
stream, err := crypto.NewAesDecryptionStream(key, iv)
if err != nil {
return nil, err
}
aesReader := crypto.NewCryptionReader(stream, reader)
return aesReader, nil
}
func handleInput(request *protocol.VMessRequest, reader io.Reader, input chan<- *alloc.Buffer, finish *sync.Mutex) {
defer close(input)
defer finish.Unlock()
aesStream, err := v2crypto.NewAesDecryptionStream(request.RequestKey, request.RequestIV)
if err != nil {
log.Error("VMessIn: Failed to create AES decryption stream: ", err)
return
}
requestReader := v2crypto.NewCryptionReader(aesStream, reader)
v2net.ReaderToChan(input, requestReader)
}
func (this *VMessOutboundHandler) handleResponse(conn net.Conn, request *protocol.VMessRequest, dest v2net.Destination, output chan<- *alloc.Buffer, finish *sync.Mutex) {
defer finish.Unlock()
defer close(output)
responseKey := md5.Sum(request.RequestKey[:])
responseIV := md5.Sum(request.RequestIV[:])
aesStream, err := v2crypto.NewAesDecryptionStream(responseKey[:], responseIV[:])
if err != nil {
log.Error("VMessOut: Failed to create AES encryption stream: ", err)
return
}
decryptResponseReader := v2crypto.NewCryptionReader(aesStream, conn)
buffer := alloc.NewSmallBuffer()
defer buffer.Release()
_, err = io.ReadFull(decryptResponseReader, buffer.Value[:4])
if err != nil {
log.Error("VMessOut: Failed to read VMess response (", buffer.Len(), " bytes): ", err)
return
}
if !headerMatch(request, buffer.Value[0]) {
log.Warning("VMessOut: unexepcted response header. The connection is probably hijacked.")
return
}
if buffer.Value[2] != 0 {
command := buffer.Value[2]
dataLen := int(buffer.Value[3])
_, err := io.ReadFull(decryptResponseReader, buffer.Value[:dataLen])
if err != nil {
log.Error("VMessOut: Failed to read response command: ", err)
return
}
data := buffer.Value[:dataLen]
go this.handleCommand(dest, command, data)
}
var reader v2io.Reader
if request.IsChunkStream() {
reader = vmessio.NewAuthChunkReader(decryptResponseReader)
} else {
reader = v2io.NewAdaptiveReader(decryptResponseReader)
}
v2io.ReaderToChan(output, reader)
return
}
func handleResponse(conn net.Conn, request *protocol.VMessRequest, output chan<- *alloc.Buffer, finish *sync.Mutex, isUDP bool) {
defer finish.Unlock()
defer close(output)
responseKey := md5.Sum(request.RequestKey[:])
responseIV := md5.Sum(request.RequestIV[:])
aesStream, err := v2crypto.NewAesDecryptionStream(responseKey[:], responseIV[:])
if err != nil {
log.Error("VMessOut: Failed to create AES encryption stream: ", err)
return
}
decryptResponseReader := v2crypto.NewCryptionReader(aesStream, conn)
buffer, err := v2net.ReadFrom(decryptResponseReader, nil)
if err != nil {
log.Error("VMessOut: Failed to read VMess response (", buffer.Len(), " bytes): ", err)
buffer.Release()
return
}
if buffer.Len() < 4 || !headerMatch(request, buffer.Value[:2]) {
log.Warning("VMessOut: unexepcted response header. The connection is probably hijacked.")
return
}
log.Info("VMessOut received ", buffer.Len()-4, " bytes from ", conn.RemoteAddr())
responseBegin := 4
if buffer.Value[2] != 0 {
dataLen := int(buffer.Value[3])
if buffer.Len() < dataLen+4 { // Rare case
diffBuffer := make([]byte, dataLen+4-buffer.Len())
v2net.ReadAllBytes(decryptResponseReader, diffBuffer)
buffer.Append(diffBuffer)
}
command := buffer.Value[2]
data := buffer.Value[4 : 4+dataLen]
go handleCommand(command, data)
responseBegin = 4 + dataLen
}
buffer.SliceFrom(responseBegin)
output <- buffer
if !isUDP {
v2net.ReaderToChan(output, decryptResponseReader)
}
return
}
func handleInput(request *protocol.VMessRequest, reader io.Reader, input chan<- *alloc.Buffer, finish *sync.Mutex) {
defer close(input)
defer finish.Unlock()
aesStream, err := v2crypto.NewAesDecryptionStream(request.RequestKey, request.RequestIV)
if err != nil {
log.Error("VMessIn: Failed to create AES decryption stream: ", err)
return
}
descriptionReader := v2crypto.NewCryptionReader(aesStream, reader)
var requestReader v2io.Reader
if request.IsChunkStream() {
requestReader = vmessio.NewAuthChunkReader(descriptionReader)
} else {
requestReader = v2io.NewAdaptiveReader(descriptionReader)
}
v2io.ReaderToChan(input, requestReader)
}
func (this *ClientSession) DecodeResponseHeader(reader io.Reader) (*protocol.ResponseHeader, error) {
aesStream := crypto.NewAesDecryptionStream(this.responseBodyKey, this.responseBodyIV)
this.responseReader = crypto.NewCryptionReader(aesStream, reader)
buffer := make([]byte, 256)
_, err := io.ReadFull(this.responseReader, buffer[:4])
if err != nil {
log.Info("Raw: Failed to read response header: ", err)
return nil, err
}
if buffer[0] != this.responseHeader {
log.Info("Raw: Unexpected response header. Expecting ", this.responseHeader, " but actually ", buffer[0])
return nil, transport.ErrCorruptedPacket
}
header := &protocol.ResponseHeader{
Option: protocol.ResponseOption(buffer[1]),
}
if buffer[2] != 0 {
cmdId := buffer[2]
dataLen := int(buffer[3])
_, err := io.ReadFull(this.responseReader, buffer[:dataLen])
if err != nil {
log.Info("Raw: Failed to read response command: ", err)
return nil, err
}
data := buffer[:dataLen]
command, err := UnmarshalCommand(cmdId, data)
if err == nil {
header.Command = command
}
}
return header, nil
}
// Read reads a VMessRequest from a byte stream.
func (this *VMessRequestReader) Read(reader io.Reader) (*VMessRequest, error) {
buffer := alloc.NewSmallBuffer()
defer buffer.Release()
nBytes, err := io.ReadFull(reader, buffer.Value[:proto.IDBytesLen])
if err != nil {
log.Debug("VMess: Failed to read request ID (", nBytes, " bytes): ", err)
return nil, err
}
userObj, timeSec, valid := this.vUserSet.GetUser(buffer.Value[:nBytes])
if !valid {
return nil, proxy.ErrorInvalidAuthentication
}
timestampHash := TimestampHash()
timestampHash.Write(timeSec.HashBytes())
iv := timestampHash.Sum(nil)
aesStream, err := v2crypto.NewAesDecryptionStream(userObj.ID.CmdKey(), iv)
if err != nil {
log.Debug("VMess: Failed to create AES stream: ", err)
return nil, err
}
decryptor := v2crypto.NewCryptionReader(aesStream, reader)
nBytes, err = io.ReadFull(decryptor, buffer.Value[:41])
if err != nil {
log.Debug("VMess: Failed to read request header (", nBytes, " bytes): ", err)
return nil, err
}
bufferLen := nBytes
request := &VMessRequest{
User: userObj,
Version: buffer.Value[0],
}
if request.Version != Version {
log.Warning("VMess: Invalid protocol version ", request.Version)
return nil, proxy.ErrorInvalidProtocolVersion
}
request.RequestIV = append([]byte(nil), buffer.Value[1:17]...) // 16 bytes
request.RequestKey = append([]byte(nil), buffer.Value[17:33]...) // 16 bytes
request.ResponseHeader = buffer.Value[33] // 1 byte
request.Option = buffer.Value[34] // 1 byte + 2 bytes reserved
request.Command = buffer.Value[37]
request.Port = v2net.PortFromBytes(buffer.Value[38:40])
switch buffer.Value[40] {
case addrTypeIPv4:
nBytes, err = io.ReadFull(decryptor, buffer.Value[41:45]) // 4 bytes
bufferLen += 4
if err != nil {
log.Debug("VMess: Failed to read target IPv4 (", nBytes, " bytes): ", err)
return nil, err
}
request.Address = v2net.IPAddress(buffer.Value[41:45])
case addrTypeIPv6:
nBytes, err = io.ReadFull(decryptor, buffer.Value[41:57]) // 16 bytes
bufferLen += 16
if err != nil {
log.Debug("VMess: Failed to read target IPv6 (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
request.Address = v2net.IPAddress(buffer.Value[41:57])
case addrTypeDomain:
nBytes, err = io.ReadFull(decryptor, buffer.Value[41:42])
if err != nil {
log.Debug("VMess: Failed to read target domain (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
domainLength := int(buffer.Value[41])
if domainLength == 0 {
return nil, transport.ErrorCorruptedPacket
}
nBytes, err = io.ReadFull(decryptor, buffer.Value[42:42+domainLength])
if err != nil {
log.Debug("VMess: Failed to read target domain (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
bufferLen += 1 + domainLength
domainBytes := append([]byte(nil), buffer.Value[42:42+domainLength]...)
request.Address = v2net.DomainAddress(string(domainBytes))
}
nBytes, err = io.ReadFull(decryptor, buffer.Value[bufferLen:bufferLen+4])
if err != nil {
log.Debug("VMess: Failed to read checksum (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
fnv1a := fnv.New32a()
fnv1a.Write(buffer.Value[:bufferLen])
actualHash := fnv1a.Sum32()
expectedHash := binary.BigEndian.Uint32(buffer.Value[bufferLen : bufferLen+4])
if actualHash != expectedHash {
return nil, transport.ErrorCorruptedPacket
}
return request, nil
}
// Read reads a VMessRequest from a byte stream.
func (this *VMessRequestReader) Read(reader io.Reader) (*VMessRequest, error) {
buffer := alloc.NewSmallBuffer()
nBytes, err := v2net.ReadAllBytes(reader, buffer.Value[:config.IDBytesLen])
if err != nil {
return nil, err
}
userObj, timeSec, valid := this.vUserSet.GetUser(buffer.Value[:nBytes])
if !valid {
return nil, proxyerrors.InvalidAuthentication
}
aesStream, err := v2crypto.NewAesDecryptionStream(userObj.ID().CmdKey(), user.Int64Hash(timeSec))
if err != nil {
return nil, err
}
decryptor := v2crypto.NewCryptionReader(aesStream, reader)
nBytes, err = v2net.ReadAllBytes(decryptor, buffer.Value[:41])
if err != nil {
return nil, err
}
bufferLen := nBytes
request := &VMessRequest{
User: userObj,
Version: buffer.Value[0],
}
if request.Version != Version {
log.Warning("Invalid protocol version %d", request.Version)
return nil, proxyerrors.InvalidProtocolVersion
}
request.RequestIV = buffer.Value[1:17] // 16 bytes
request.RequestKey = buffer.Value[17:33] // 16 bytes
request.ResponseHeader = buffer.Value[33:37] // 4 bytes
request.Command = buffer.Value[37]
port := binary.BigEndian.Uint16(buffer.Value[38:40])
switch buffer.Value[40] {
case addrTypeIPv4:
_, err = v2net.ReadAllBytes(decryptor, buffer.Value[41:45]) // 4 bytes
bufferLen += 4
if err != nil {
return nil, err
}
request.Address = v2net.IPAddress(buffer.Value[41:45], port)
case addrTypeIPv6:
_, err = v2net.ReadAllBytes(decryptor, buffer.Value[41:57]) // 16 bytes
bufferLen += 16
if err != nil {
return nil, err
}
request.Address = v2net.IPAddress(buffer.Value[41:57], port)
case addrTypeDomain:
_, err = v2net.ReadAllBytes(decryptor, buffer.Value[41:42])
if err != nil {
return nil, err
}
domainLength := int(buffer.Value[41])
_, err = v2net.ReadAllBytes(decryptor, buffer.Value[42:42+domainLength])
if err != nil {
return nil, err
}
bufferLen += 1 + domainLength
request.Address = v2net.DomainAddress(string(buffer.Value[42:42+domainLength]), port)
}
_, err = v2net.ReadAllBytes(decryptor, buffer.Value[bufferLen:bufferLen+4])
if err != nil {
return nil, err
}
fnv1a := fnv.New32a()
fnv1a.Write(buffer.Value[:bufferLen])
actualHash := fnv1a.Sum32()
expectedHash := binary.BigEndian.Uint32(buffer.Value[bufferLen : bufferLen+4])
if actualHash != expectedHash {
return nil, transport.CorruptedPacket
}
return request, nil
}
func (this *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.RequestHeader, error) {
buffer := alloc.NewSmallBuffer()
defer buffer.Release()
_, err := io.ReadFull(reader, buffer.Value[:protocol.IDBytesLen])
if err != nil {
log.Error("Raw: Failed to read request header: ", err)
return nil, err
}
user, timestamp, valid := this.userValidator.Get(buffer.Value[:protocol.IDBytesLen])
if !valid {
return nil, protocol.ErrorInvalidUser
}
timestampHash := md5.New()
timestampHash.Write(hashTimestamp(timestamp))
iv := timestampHash.Sum(nil)
aesStream := crypto.NewAesDecryptionStream(user.ID.CmdKey(), iv)
decryptor := crypto.NewCryptionReader(aesStream, reader)
nBytes, err := io.ReadFull(decryptor, buffer.Value[:41])
if err != nil {
log.Debug("Raw: Failed to read request header (", nBytes, " bytes): ", err)
return nil, err
}
bufferLen := nBytes
request := &protocol.RequestHeader{
User: user,
Version: buffer.Value[0],
}
if request.Version != Version {
log.Warning("Raw: Invalid protocol version ", request.Version)
return nil, protocol.ErrorInvalidVersion
}
this.requestBodyIV = append([]byte(nil), buffer.Value[1:17]...) // 16 bytes
this.requestBodyKey = append([]byte(nil), buffer.Value[17:33]...) // 16 bytes
this.responseHeader = buffer.Value[33] // 1 byte
request.Option = protocol.RequestOption(buffer.Value[34]) // 1 byte + 2 bytes reserved
request.Command = protocol.RequestCommand(buffer.Value[37])
request.Port = v2net.PortFromBytes(buffer.Value[38:40])
switch buffer.Value[40] {
case AddrTypeIPv4:
nBytes, err = io.ReadFull(decryptor, buffer.Value[41:45]) // 4 bytes
bufferLen += 4
if err != nil {
log.Debug("VMess: Failed to read target IPv4 (", nBytes, " bytes): ", err)
return nil, err
}
request.Address = v2net.IPAddress(buffer.Value[41:45])
case AddrTypeIPv6:
nBytes, err = io.ReadFull(decryptor, buffer.Value[41:57]) // 16 bytes
bufferLen += 16
if err != nil {
log.Debug("VMess: Failed to read target IPv6 (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
request.Address = v2net.IPAddress(buffer.Value[41:57])
case AddrTypeDomain:
nBytes, err = io.ReadFull(decryptor, buffer.Value[41:42])
if err != nil {
log.Debug("VMess: Failed to read target domain (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
domainLength := int(buffer.Value[41])
if domainLength == 0 {
return nil, transport.ErrorCorruptedPacket
}
nBytes, err = io.ReadFull(decryptor, buffer.Value[42:42+domainLength])
if err != nil {
log.Debug("VMess: Failed to read target domain (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
bufferLen += 1 + domainLength
domainBytes := append([]byte(nil), buffer.Value[42:42+domainLength]...)
request.Address = v2net.DomainAddress(string(domainBytes))
}
nBytes, err = io.ReadFull(decryptor, buffer.Value[bufferLen:bufferLen+4])
if err != nil {
log.Debug("VMess: Failed to read checksum (", nBytes, " bytes): ", nBytes, err)
return nil, err
}
fnv1a := fnv.New32a()
fnv1a.Write(buffer.Value[:bufferLen])
actualHash := fnv1a.Sum32()
expectedHash := serial.BytesLiteral(buffer.Value[bufferLen : bufferLen+4]).Uint32Value()
if actualHash != expectedHash {
return nil, transport.ErrorCorruptedPacket
}
return request, nil
}
func (this *ServerSession) DecodeRequestBody(reader io.Reader) io.Reader {
aesStream := crypto.NewAesDecryptionStream(this.requestBodyKey, this.requestBodyIV)
return crypto.NewCryptionReader(aesStream, reader)
}
func (this *AesCfb) NewDecodingStream(key []byte, iv []byte) (cipher.Stream, error) {
stream := crypto.NewAesDecryptionStream(key, iv)
return stream, nil
}
