chore: sync vless encryption code

Author: wwqgtxx

transport/vless/encryption/client.go

@@ -70,13 +70,13 @@ func (i *ClientInstance) Init(nfsEKeyBytes, xorPKeyBytes []byte, xorMode, minute
 	if i.nfsEKey, err = mlkem.NewEncapsulationKey768(nfsEKeyBytes); err != nil {
 		return
 	}
-	hash32 := sha3.Sum256(nfsEKeyBytes)
-	copy(i.hash11[:], hash32[:])
 	if xorMode > 0 {
 		i.xorMode = xorMode
 		if i.xorPKey, err = ecdh.X25519().NewPublicKey(xorPKeyBytes); err != nil {
 			return
 		}
+		hash32 := sha3.Sum256(nfsEKeyBytes)
+		copy(i.hash11[:], hash32[:])
 	}
 	i.minutes = time.Duration(minutes) * time.Minute
 	return
@@ -126,7 +126,7 @@ func (i *ClientInstance) Handshake(conn net.Conn) (*ClientConn, error) {
 	}
 	// client can send more NFS AEAD paddings / messages if needed
 
-	_, t, l, err := ReadAndDiscardPaddings(c.Conn) // allow paddings before server hello
+	_, t, l, err := ReadAndDiscardPaddings(c.Conn, nil, nil) // allow paddings before server hello
 	if err != nil {
 		return nil, err
 	}
@@ -209,9 +209,9 @@ func (c *ClientConn) Read(b []byte) (int, error) {
 		return 0, nil
 	}
 	if c.peerAEAD == nil {
-		_, t, l, err := ReadAndDiscardPaddings(c.Conn) // allow paddings before random hello
+		_, t, l, err := ReadAndDiscardPaddings(c.Conn, nil, nil) // allow paddings before random hello
 		if err != nil {
-			if c.instance != nil && strings.HasPrefix(err.Error(), "invalid header: ") { // 0-RTT's 0-RTT
+			if c.instance != nil && strings.HasPrefix(err.Error(), "invalid header: ") { // 0-RTT
 				c.instance.Lock()
 				if bytes.Equal(c.ticket, c.instance.ticket) {
 					c.instance.expire = time.Now() // expired

transport/vless/encryption/common.go

@@ -62,14 +62,21 @@ func ReadAndDecodeHeader(conn net.Conn) (h []byte, t byte, l int, err error) {
 	return
 }
 
-func ReadAndDiscardPaddings(conn net.Conn) (h []byte, t byte, l int, err error) {
+func ReadAndDiscardPaddings(conn net.Conn, aead cipher.AEAD, nonce []byte) (h []byte, t byte, l int, err error) {
 	for {
 		if h, t, l, err = ReadAndDecodeHeader(conn); err != nil || t != 23 {
 			return
 		}
-		if _, err = io.ReadFull(conn, make([]byte, l)); err != nil {
+		padding := make([]byte, l)
+		if _, err = io.ReadFull(conn, padding); err != nil {
 			return
 		}
+		if aead != nil {
+			if _, err := aead.Open(nil, nonce, padding, h); err != nil {
+				return h, t, l, err
+			}
+			IncreaseNonce(nonce)
+		}
 	}
 }
 

transport/vless/encryption/doc.go

@@ -16,4 +16,5 @@
 // https://github.com/XTLS/Xray-core/commit/84835bec7d0d8555d0dd30953ed26a272de814c4
 // https://github.com/XTLS/Xray-core/commit/373558ed7abdbac3de41745cf30ec04c9adde604
 // https://github.com/XTLS/Xray-core/commit/38cc306c955c362f044e074049a5e67b6b9fb389
+// https://github.com/XTLS/Xray-core/commit/b33555cc0a52d0af3c23d2af8fca42f8a685d9af
 package encryption

transport/vless/encryption/server.go

@@ -55,13 +55,13 @@ func (i *ServerInstance) Init(nfsDKeySeed, xorSKeyBytes []byte, xorMode, minutes
 	if i.nfsDKey, err = mlkem.NewDecapsulationKey768(nfsDKeySeed); err != nil {
 		return
 	}
-	hash32 := sha3.Sum256(i.nfsDKey.EncapsulationKey().Bytes())
-	copy(i.hash11[:], hash32[:])
 	if xorMode > 0 {
 		i.xorMode = xorMode
 		if i.xorSKey, err = ecdh.X25519().NewPrivateKey(xorSKeyBytes); err != nil {
 			return
 		}
+		hash32 := sha3.Sum256(i.nfsDKey.EncapsulationKey().Bytes())
+		copy(i.hash11[:], hash32[:])
 	}
 	if minutes > 0 {
 		i.minutes = time.Duration(minutes) * time.Minute
@@ -106,7 +106,7 @@ func (i *ServerInstance) Handshake(conn net.Conn) (*ServerConn, error) {
 	}
 	c := &ServerConn{Conn: conn}
 
-	_, t, l, err := ReadAndDiscardPaddings(c.Conn) // allow paddings before client/ticket hello
+	_, t, l, err := ReadAndDiscardPaddings(c.Conn, nil, nil) // allow paddings before client/ticket hello
 	if err != nil {
 		return nil, err
 	}
@@ -170,11 +170,14 @@ func (i *ServerInstance) Handshake(conn net.Conn) (*ServerConn, error) {
 	if err != nil {
 		return nil, err
 	}
+	nfsAEAD := NewAEAD(c.cipher, nfsKey, pfsEKeyBytes, encapsulatedNfsKey)
+	nfsNonce := append([]byte{}, peerClientHello[:11+1]...)
 	pfsKey, encapsulatedPfsKey := pfsEKey.Encapsulate()
 	c.baseKey = append(pfsKey, nfsKey...)
 	pfsAEAD := NewAEAD(c.cipher, c.baseKey, encapsulatedPfsKey, encapsulatedNfsKey)
-	c.ticket = append(i.hash11[:], pfsAEAD.Seal(nil, peerClientHello[:11+1], []byte("VLESS"), pfsEKeyBytes)...)
-	IncreaseNonce(peerClientHello[:11+1])
+	pfsNonce := append([]byte{}, peerClientHello[:11+1]...)
+	c.ticket = append(i.hash11[:], pfsAEAD.Seal(nil, pfsNonce, []byte("VLESS"), pfsEKeyBytes)...)
+	IncreaseNonce(pfsNonce)
 
 	serverHello := make([]byte, 5+1088+21+randBetween(100, 1000))
 	EncodeHeader(serverHello, 1, 1088+21)
@@ -183,20 +186,41 @@ func (i *ServerInstance) Handshake(conn net.Conn) (*ServerConn, error) {
 	padding := serverHello[5+1088+21:]
 	rand.Read(padding) // important
 	EncodeHeader(padding, 23, len(padding)-5)
-	pfsAEAD.Seal(padding[:5], peerClientHello[:11+1], padding[5:len(padding)-16], padding[:5])
+	pfsAEAD.Seal(padding[:5], pfsNonce, padding[5:len(padding)-16], padding[:5])
 
 	if _, err := c.Conn.Write(serverHello); err != nil {
 		return nil, err
 	}
 	// server can send more PFS AEAD paddings / messages if needed
 
+	_, t, l, err = ReadAndDiscardPaddings(c.Conn, nfsAEAD, nfsNonce) // allow paddings before ticket hello
+	if err != nil {
+		return nil, err
+	}
+	if t != 0 {
+		return nil, fmt.Errorf("unexpected type %v, expect ticket hello", t)
+	}
+	peerTicketHello := make([]byte, 32+32)
+	if l != len(peerTicketHello) {
+		return nil, fmt.Errorf("unexpected length %v for ticket hello", l)
+	}
+	if _, err := io.ReadFull(c.Conn, peerTicketHello); err != nil {
+		return nil, err
+	}
+	if !bytes.Equal(peerTicketHello[:32], c.ticket) {
+		return nil, errors.New("naughty boy")
+	}
+	c.peerRandom = peerTicketHello[32:]
+
 	if i.minutes > 0 {
 		i.Lock()
-		i.sessions[[32]byte(c.ticket)] = &ServerSession{
+		s := &ServerSession{
 			expire:  time.Now().Add(i.minutes),
 			cipher:  c.cipher,
 			baseKey: c.baseKey,
 		}
+		s.randoms.Store([32]byte(c.peerRandom), true)
+		i.sessions[[32]byte(c.ticket)] = s
 		i.Unlock()
 	}
 
@@ -208,26 +232,6 @@ func (c *ServerConn) Read(b []byte) (int, error) {
 		return 0, nil
 	}
 	if c.peerAEAD == nil {
-		if c.peerRandom == nil { // 1-RTT's 0-RTT
-			_, t, l, err := ReadAndDiscardPaddings(c.Conn) // allow paddings before ticket hello
-			if err != nil {
-				return 0, err
-			}
-			if t != 0 {
-				return 0, fmt.Errorf("unexpected type %v, expect ticket hello", t)
-			}
-			peerTicketHello := make([]byte, 32+32)
-			if l != len(peerTicketHello) {
-				return 0, fmt.Errorf("unexpected length %v for ticket hello", l)
-			}
-			if _, err := io.ReadFull(c.Conn, peerTicketHello); err != nil {
-				return 0, err
-			}
-			if !bytes.Equal(peerTicketHello[:32], c.ticket) {
-				return 0, errors.New("naughty boy")
-			}
-			c.peerRandom = peerTicketHello[32:]
-		}
 		c.peerAEAD = NewAEAD(c.cipher, c.baseKey, c.peerRandom, c.ticket)
 		c.peerNonce = make([]byte, 12)
 	}
@@ -280,9 +284,6 @@ func (c *ServerConn) Write(b []byte) (int, error) {
 		}
 		n += len(b)
 		if c.aead == nil {
-			if c.peerRandom == nil {
-				return 0, errors.New("empty c.peerRandom")
-			}
 			data = make([]byte, 5+32+5+len(b)+16)
 			EncodeHeader(data, 0, 32)
 			rand.Read(data[5 : 5+32])