chore: sync vless encryption code

2025-09-19 20:15:59 +08:00 · 2025-08-25 20:23:09 +08:00
parent aca0d97beb
commit 443200a51e
4 changed files with 16 additions and 11 deletions
--- a/transport/vless/encryption/client.go
+++ b/transport/vless/encryption/client.go
@ -160,7 +160,9 @@ func (i *ClientInstance) Handshake(conn net.Conn) (*CommonConn, error) {
 	if err != nil {
 		return nil, err
 	}
-	pfsKey := append(mlkem768Key, x25519Key...)
+	pfsKey := make([]byte, 32+32) // no more capacity
+	copy(pfsKey, mlkem768Key)
+	copy(pfsKey[32:], x25519Key)
 	c.UnitedKey = append(pfsKey, nfsKey...)
 	c.GCM = NewGCM(pfsPublicKey, c.UnitedKey)
 	c.PeerGCM = NewGCM(encryptedPfsPublicKey[:1088+32], c.UnitedKey)
--- a/transport/vless/encryption/common.go
+++ b/transport/vless/encryption/common.go
@ -89,7 +89,7 @@ func (c *CommonConn) Read(b []byte) (int, error) {
 	if err != nil {
 		if c.Client != nil && strings.HasPrefix(err.Error(), "invalid header: ") { // client's 0-RTT
 			c.Client.RWLock.Lock()
-			if bytes.Equal(c.UnitedKey[:32], c.Client.PfsKey) {
+			if bytes.HasPrefix(c.UnitedKey, c.Client.PfsKey) {
 				c.Client.Expire = time.Now() // expired
 			}
 			c.Client.RWLock.Unlock()
--- a/transport/vless/encryption/doc.go
+++ b/transport/vless/encryption/doc.go
@ -19,4 +19,5 @@
 // https://github.com/XTLS/Xray-core/commit/b33555cc0a52d0af3c23d2af8fca42f8a685d9af
 // https://github.com/XTLS/Xray-core/commit/ad7140641c44239c9dcdc3d7215ea639b1f0841c
 // https://github.com/XTLS/Xray-core/commit/0199dea39988a1a1b846d0bf8598631bade40902
+// https://github.com/XTLS/Xray-core/commit/fce1195b60f48ca18a953dbd5c7d991869de9a5e
 package encryption
--- a/transport/vless/encryption/server.go
+++ b/transport/vless/encryption/server.go
@ -19,7 +19,7 @@ import (
 type ServerSession struct {
 	Expire  time.Time
 	PfsKey  []byte
-	Replays sync.Map
+	NfsKeys sync.Map
 }

 type ServerInstance struct {
@ -177,7 +177,7 @@ func (i *ServerInstance) Handshake(conn net.Conn) (*CommonConn, error) {
 		s := i.Sessions[[16]byte(ticket)]
 		i.RWLock.RUnlock()
 		if s == nil {
-			noises := make([]byte, randBetween(100, 1000))
+			noises := make([]byte, randBetween(1268, 2268)) // matches 1-RTT's server hello length for "random", though it is not important, just for example
 			var err error
 			for err == nil {
 				rand.Read(noises)
@ -186,21 +186,21 @@ func (i *ServerInstance) Handshake(conn net.Conn) (*CommonConn, error) {
 			conn.Write(noises) // make client do new handshake
 			return nil, errors.New("expired ticket")
 		}
-		if _, replay := s.Replays.LoadOrStore([32]byte(nfsKey), true); replay { // prevents bad client also
+		if _, loaded := s.NfsKeys.LoadOrStore([32]byte(nfsKey), true); loaded { // prevents bad client also
 			return nil, errors.New("replay detected")
 		}
-		c.UnitedKey = append(s.PfsKey, nfsKey...) // the same nfsKey links the upload & download
-		c.PreWrite = make([]byte, 16)             // always trust yourself, not the client
-		rand.Read(c.PreWrite)
+		c.UnitedKey = append(s.PfsKey, nfsKey...) // the same nfsKey links the upload & download (prevents server -> client's another request)
+		c.PreWrite = make([]byte, 16)
+		rand.Read(c.PreWrite) // always trust yourself, not the client (also prevents being parsed as TLS thus causing false interruption for "native" and "xorpub")
 		c.GCM = NewGCM(c.PreWrite, c.UnitedKey)
-		c.PeerGCM = NewGCM(encryptedTicket, c.UnitedKey) // unchangeable ctx, and different ctx length for upload / download
+		c.PeerGCM = NewGCM(encryptedTicket, c.UnitedKey) // unchangeable ctx (prevents server -> server), and different ctx length for upload / download (prevents client -> client)
 		if i.XorMode == 2 {
 			c.Conn = NewXorConn(conn, NewCTR(c.UnitedKey, c.PreWrite), NewCTR(c.UnitedKey, iv), 16, 0) // it doesn't matter if the attacker sends client's iv back to the client
 		}
 		return c, nil
 	}

-	if length < 1184+32+16 { // client may send more public keys
+	if length < 1184+32+16 { // client may send more public keys in the future's version
 		return nil, errors.New("too short length")
 	}
 	encryptedPfsPublicKey := make([]byte, length)
@ -224,7 +224,9 @@ func (i *ServerInstance) Handshake(conn net.Conn) (*CommonConn, error) {
 	if err != nil {
 		return nil, err
 	}
-	pfsKey := append(mlkem768Key, x25519Key...)
+	pfsKey := make([]byte, 32+32) // no more capacity
+	copy(pfsKey, mlkem768Key)
+	copy(pfsKey[32:], x25519Key)
 	pfsPublicKey := append(encapsulatedPfsKey, x25519SKey.PublicKey().Bytes()...)
 	c.UnitedKey = append(pfsKey, nfsKey...)
 	c.GCM = NewGCM(pfsPublicKey, c.UnitedKey)