2025-08-10 22:16:25 +08:00
|
|
|
package encryption
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"crypto/cipher"
|
|
|
|
|
"crypto/rand"
|
2025-08-14 09:57:20 +08:00
|
|
|
"crypto/sha256"
|
2025-08-10 22:16:25 +08:00
|
|
|
"errors"
|
2025-08-13 18:51:47 +08:00
|
|
|
"fmt"
|
2025-08-10 22:16:25 +08:00
|
|
|
"io"
|
|
|
|
|
"net"
|
|
|
|
|
"runtime"
|
2025-08-14 18:31:56 +08:00
|
|
|
"strings"
|
2025-08-10 22:16:25 +08:00
|
|
|
"sync"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/metacubex/utls/mlkem"
|
|
|
|
|
"golang.org/x/sys/cpu"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
// Keep in sync with crypto/tls/cipher_suites.go.
|
|
|
|
|
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ && cpu.X86.HasSSE41 && cpu.X86.HasSSSE3
|
|
|
|
|
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
|
|
|
|
|
hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCTR && cpu.S390X.HasGHASH
|
|
|
|
|
hasGCMAsmPPC64 = runtime.GOARCH == "ppc64" || runtime.GOARCH == "ppc64le"
|
|
|
|
|
|
|
|
|
|
HasAESGCMHardwareSupport = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X || hasGCMAsmPPC64
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var ClientCipher byte
|
|
|
|
|
|
|
|
|
|
func init() {
|
2025-08-12 20:06:08 +08:00
|
|
|
if HasAESGCMHardwareSupport {
|
2025-08-10 22:16:25 +08:00
|
|
|
ClientCipher = 1
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type ClientInstance struct {
|
|
|
|
|
sync.RWMutex
|
2025-08-14 18:31:56 +08:00
|
|
|
nfsEKey *mlkem.EncapsulationKey768
|
|
|
|
|
xorKey []byte
|
|
|
|
|
minutes time.Duration
|
|
|
|
|
expire time.Time
|
|
|
|
|
baseKey []byte
|
|
|
|
|
ticket []byte
|
2025-08-10 22:16:25 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type ClientConn struct {
|
|
|
|
|
net.Conn
|
|
|
|
|
instance *ClientInstance
|
|
|
|
|
baseKey []byte
|
2025-08-11 09:31:13 +08:00
|
|
|
ticket []byte
|
2025-08-10 22:16:25 +08:00
|
|
|
random []byte
|
|
|
|
|
aead cipher.AEAD
|
|
|
|
|
nonce []byte
|
|
|
|
|
peerAead cipher.AEAD
|
|
|
|
|
peerNonce []byte
|
|
|
|
|
peerCache []byte
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-12 20:06:08 +08:00
|
|
|
func (i *ClientInstance) Init(nfsEKeyBytes []byte, xor uint32, minutes time.Duration) (err error) {
|
2025-08-14 18:31:56 +08:00
|
|
|
if i.nfsEKey != nil {
|
|
|
|
|
err = errors.New("already initialized")
|
|
|
|
|
return
|
|
|
|
|
}
|
2025-08-12 20:06:08 +08:00
|
|
|
i.nfsEKey, err = mlkem.NewEncapsulationKey768(nfsEKeyBytes)
|
2025-08-14 18:31:56 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
2025-08-12 20:06:08 +08:00
|
|
|
if xor > 0 {
|
2025-08-14 18:31:56 +08:00
|
|
|
xorKey := sha256.Sum256(nfsEKeyBytes)
|
|
|
|
|
i.xorKey = xorKey[:]
|
2025-08-12 20:06:08 +08:00
|
|
|
}
|
2025-08-10 22:16:25 +08:00
|
|
|
i.minutes = minutes
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (i *ClientInstance) Handshake(conn net.Conn) (net.Conn, error) {
|
2025-08-12 20:06:08 +08:00
|
|
|
if i.nfsEKey == nil {
|
2025-08-10 22:16:25 +08:00
|
|
|
return nil, errors.New("uninitialized")
|
|
|
|
|
}
|
2025-08-14 18:31:56 +08:00
|
|
|
if i.xorKey != nil {
|
|
|
|
|
conn = NewXorConn(conn, i.xorKey)
|
2025-08-11 20:57:23 +08:00
|
|
|
}
|
2025-08-10 22:16:25 +08:00
|
|
|
c := &ClientConn{Conn: conn}
|
|
|
|
|
|
|
|
|
|
if i.minutes > 0 {
|
|
|
|
|
i.RLock()
|
|
|
|
|
if time.Now().Before(i.expire) {
|
|
|
|
|
c.instance = i
|
|
|
|
|
c.baseKey = i.baseKey
|
2025-08-11 09:31:13 +08:00
|
|
|
c.ticket = i.ticket
|
2025-08-10 22:16:25 +08:00
|
|
|
i.RUnlock()
|
|
|
|
|
return c, nil
|
|
|
|
|
}
|
|
|
|
|
i.RUnlock()
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-12 20:06:08 +08:00
|
|
|
pfsDKeySeed := make([]byte, 64)
|
|
|
|
|
rand.Read(pfsDKeySeed)
|
|
|
|
|
pfsDKey, _ := mlkem.NewDecapsulationKey768(pfsDKeySeed)
|
|
|
|
|
pfsEKeyBytes := pfsDKey.EncapsulationKey().Bytes()
|
|
|
|
|
nfsKey, encapsulatedNfsKey := i.nfsEKey.Encapsulate()
|
|
|
|
|
paddingLen := randBetween(100, 1000)
|
2025-08-10 22:16:25 +08:00
|
|
|
|
2025-08-13 18:51:47 +08:00
|
|
|
clientHello := make([]byte, 5+1+1184+1088+5+paddingLen)
|
|
|
|
|
EncodeHeader(clientHello, 1, 1+1184+1088)
|
|
|
|
|
clientHello[5] = ClientCipher
|
|
|
|
|
copy(clientHello[5+1:], pfsEKeyBytes)
|
|
|
|
|
copy(clientHello[5+1+1184:], encapsulatedNfsKey)
|
|
|
|
|
EncodeHeader(clientHello[5+1+1184+1088:], 23, int(paddingLen))
|
|
|
|
|
rand.Read(clientHello[5+1+1184+1088+5:])
|
2025-08-10 22:16:25 +08:00
|
|
|
|
2025-08-13 20:50:46 +08:00
|
|
|
if _, err := c.Conn.Write(clientHello); err != nil {
|
2025-08-10 22:16:25 +08:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-08-13 18:51:47 +08:00
|
|
|
// client can send more padding / NFS AEAD messages if needed
|
|
|
|
|
|
2025-08-14 18:31:56 +08:00
|
|
|
_, t, l, err := ReadAndDiscardPaddings(c.Conn)
|
2025-08-13 18:51:47 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-08-14 18:31:56 +08:00
|
|
|
|
2025-08-13 18:51:47 +08:00
|
|
|
if t != 1 {
|
2025-08-13 19:50:53 +08:00
|
|
|
return nil, fmt.Errorf("unexpected type %v, expect random hello", t)
|
2025-08-13 18:51:47 +08:00
|
|
|
}
|
2025-08-13 19:50:53 +08:00
|
|
|
peerRandomHello := make([]byte, 1088+21)
|
|
|
|
|
if l != len(peerRandomHello) {
|
|
|
|
|
return nil, fmt.Errorf("unexpected length %v for random hello", l)
|
2025-08-13 18:51:47 +08:00
|
|
|
}
|
2025-08-13 19:50:53 +08:00
|
|
|
if _, err := io.ReadFull(c.Conn, peerRandomHello); err != nil {
|
2025-08-10 22:16:25 +08:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-08-13 19:50:53 +08:00
|
|
|
encapsulatedPfsKey := peerRandomHello[:1088]
|
|
|
|
|
c.ticket = peerRandomHello[1088:]
|
2025-08-10 22:16:25 +08:00
|
|
|
|
2025-08-12 20:06:08 +08:00
|
|
|
pfsKey, err := pfsDKey.Decapsulate(encapsulatedPfsKey)
|
2025-08-10 22:16:25 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-08-12 20:06:08 +08:00
|
|
|
c.baseKey = append(pfsKey, nfsKey...)
|
2025-08-10 22:16:25 +08:00
|
|
|
|
2025-08-12 20:06:08 +08:00
|
|
|
nonce := [12]byte{ClientCipher}
|
2025-08-12 22:59:25 +08:00
|
|
|
VLESS, _ := NewAead(ClientCipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey).Open(nil, nonce[:], c.ticket, pfsEKeyBytes)
|
2025-08-13 18:51:47 +08:00
|
|
|
if !bytes.Equal(VLESS, []byte("VLESS")) {
|
2025-08-10 22:16:25 +08:00
|
|
|
return nil, errors.New("invalid server")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if i.minutes > 0 {
|
|
|
|
|
i.Lock()
|
|
|
|
|
i.expire = time.Now().Add(i.minutes)
|
|
|
|
|
i.baseKey = c.baseKey
|
2025-08-11 09:31:13 +08:00
|
|
|
i.ticket = c.ticket
|
2025-08-10 22:16:25 +08:00
|
|
|
i.Unlock()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return c, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *ClientConn) Write(b []byte) (int, error) {
|
|
|
|
|
if len(b) == 0 {
|
|
|
|
|
return 0, nil
|
|
|
|
|
}
|
2025-08-12 22:59:25 +08:00
|
|
|
var data []byte
|
2025-08-12 20:06:08 +08:00
|
|
|
for n := 0; n < len(b); {
|
|
|
|
|
b := b[n:]
|
|
|
|
|
if len(b) > 8192 {
|
|
|
|
|
b = b[:8192] // for avoiding another copy() in server's Read()
|
|
|
|
|
}
|
|
|
|
|
n += len(b)
|
|
|
|
|
if c.aead == nil {
|
|
|
|
|
c.random = make([]byte, 32)
|
|
|
|
|
rand.Read(c.random)
|
2025-08-12 22:59:25 +08:00
|
|
|
c.aead = NewAead(ClientCipher, c.baseKey, c.random, c.ticket)
|
2025-08-12 20:06:08 +08:00
|
|
|
c.nonce = make([]byte, 12)
|
2025-08-13 18:51:47 +08:00
|
|
|
data = make([]byte, 5+21+32+5+len(b)+16)
|
|
|
|
|
EncodeHeader(data, 0, 21+32)
|
|
|
|
|
copy(data[5:], c.ticket)
|
|
|
|
|
copy(data[5+21:], c.random)
|
|
|
|
|
EncodeHeader(data[5+21+32:], 23, len(b)+16)
|
|
|
|
|
c.aead.Seal(data[:5+21+32+5], c.nonce, b, data[5+21+32:5+21+32+5])
|
2025-08-12 20:06:08 +08:00
|
|
|
} else {
|
|
|
|
|
data = make([]byte, 5+len(b)+16)
|
2025-08-13 18:51:47 +08:00
|
|
|
EncodeHeader(data, 23, len(b)+16)
|
2025-08-12 20:06:08 +08:00
|
|
|
c.aead.Seal(data[:5], c.nonce, b, data[:5])
|
2025-08-12 22:59:25 +08:00
|
|
|
if bytes.Equal(c.nonce, MaxNonce) {
|
|
|
|
|
c.aead = NewAead(ClientCipher, c.baseKey, data[5:], data[:5])
|
|
|
|
|
}
|
2025-08-12 20:06:08 +08:00
|
|
|
}
|
2025-08-12 22:59:25 +08:00
|
|
|
IncreaseNonce(c.nonce)
|
2025-08-13 20:50:46 +08:00
|
|
|
if _, err := c.Conn.Write(data); err != nil {
|
2025-08-12 20:06:08 +08:00
|
|
|
return 0, err
|
|
|
|
|
}
|
2025-08-10 22:16:25 +08:00
|
|
|
}
|
|
|
|
|
return len(b), nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-08-12 20:06:08 +08:00
|
|
|
func (c *ClientConn) Read(b []byte) (int, error) {
|
2025-08-10 22:16:25 +08:00
|
|
|
if len(b) == 0 {
|
|
|
|
|
return 0, nil
|
|
|
|
|
}
|
|
|
|
|
if c.peerAead == nil {
|
2025-08-14 18:31:56 +08:00
|
|
|
_, t, l, err := ReadAndDiscardPaddings(c.Conn)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if c.instance != nil && strings.HasPrefix(err.Error(), "invalid header: ") { // from 0-RTT
|
2025-08-13 18:51:47 +08:00
|
|
|
c.instance.Lock()
|
|
|
|
|
if bytes.Equal(c.ticket, c.instance.ticket) {
|
|
|
|
|
c.instance.expire = time.Now() // expired
|
|
|
|
|
}
|
|
|
|
|
c.instance.Unlock()
|
|
|
|
|
return 0, errors.New("new handshake needed")
|
|
|
|
|
}
|
2025-08-14 18:31:56 +08:00
|
|
|
return 0, err
|
2025-08-13 18:51:47 +08:00
|
|
|
}
|
|
|
|
|
if t != 0 {
|
|
|
|
|
return 0, fmt.Errorf("unexpected type %v, expect server random", t)
|
2025-08-10 22:16:25 +08:00
|
|
|
}
|
|
|
|
|
peerRandom := make([]byte, 32)
|
2025-08-13 18:51:47 +08:00
|
|
|
if l != len(peerRandom) {
|
|
|
|
|
return 0, fmt.Errorf("unexpected length %v for server random", l)
|
|
|
|
|
}
|
|
|
|
|
if _, err := io.ReadFull(c.Conn, peerRandom); err != nil {
|
2025-08-10 22:16:25 +08:00
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
if c.random == nil {
|
2025-08-12 20:06:08 +08:00
|
|
|
return 0, errors.New("empty c.random")
|
2025-08-10 22:16:25 +08:00
|
|
|
}
|
2025-08-12 22:59:25 +08:00
|
|
|
c.peerAead = NewAead(ClientCipher, c.baseKey, peerRandom, c.random)
|
2025-08-10 22:16:25 +08:00
|
|
|
c.peerNonce = make([]byte, 12)
|
|
|
|
|
}
|
|
|
|
|
if len(c.peerCache) != 0 {
|
|
|
|
|
n := copy(b, c.peerCache)
|
|
|
|
|
c.peerCache = c.peerCache[n:]
|
|
|
|
|
return n, nil
|
|
|
|
|
}
|
2025-08-13 18:51:47 +08:00
|
|
|
h, t, l, err := ReadAndDecodeHeader(c.Conn) // l: 17~17000
|
2025-08-10 22:16:25 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
2025-08-13 18:51:47 +08:00
|
|
|
if t != 23 {
|
|
|
|
|
return 0, fmt.Errorf("unexpected type %v, expect encrypted data", t)
|
|
|
|
|
}
|
|
|
|
|
peerData := make([]byte, l)
|
2025-08-10 22:16:25 +08:00
|
|
|
if _, err := io.ReadFull(c.Conn, peerData); err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
2025-08-13 18:51:47 +08:00
|
|
|
dst := peerData[:l-16]
|
2025-08-10 22:16:25 +08:00
|
|
|
if len(dst) <= len(b) {
|
2025-08-12 20:06:08 +08:00
|
|
|
dst = b[:len(dst)] // avoids another copy()
|
2025-08-10 22:16:25 +08:00
|
|
|
}
|
2025-08-12 22:59:25 +08:00
|
|
|
var peerAead cipher.AEAD
|
|
|
|
|
if bytes.Equal(c.peerNonce, MaxNonce) {
|
2025-08-13 18:51:47 +08:00
|
|
|
peerAead = NewAead(ClientCipher, c.baseKey, peerData, h)
|
2025-08-12 22:59:25 +08:00
|
|
|
}
|
2025-08-13 18:51:47 +08:00
|
|
|
_, err = c.peerAead.Open(dst[:0], c.peerNonce, peerData, h)
|
2025-08-12 22:59:25 +08:00
|
|
|
if peerAead != nil {
|
|
|
|
|
c.peerAead = peerAead
|
|
|
|
|
}
|
|
|
|
|
IncreaseNonce(c.peerNonce)
|
2025-08-10 22:16:25 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
if len(dst) > len(b) {
|
|
|
|
|
c.peerCache = dst[copy(b, dst):]
|
|
|
|
|
dst = b // for len(dst)
|
|
|
|
|
}
|
|
|
|
|
return len(dst), nil
|
|
|
|
|
}
|
