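// Source: github.com/yaling888/clash@v1.53.0/transport/vmess/header.go

package vmess

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"hash"
	"hash/crc32"
	"time"

	"github.com/yaling888/clash/common/pool"
)

// Labels passed to kdf. Each label keys one level of the nested HMAC chain, so
// changing a label changes every key or nonce derived with it. The
// kdfSaltConstAEADRespHeader* labels are declared here but not referenced in
// this file.
const (
	kdfSaltConstAuthIDEncryptionKey             = "AES Auth ID Encryption"
	kdfSaltConstAEADRespHeaderLenKey            = "AEAD Resp Header Len Key"
	kdfSaltConstAEADRespHeaderLenIV             = "AEAD Resp Header Len IV"
	kdfSaltConstAEADRespHeaderPayloadKey        = "AEAD Resp Header Key"
	kdfSaltConstAEADRespHeaderPayloadIV         = "AEAD Resp Header IV"
	kdfSaltConstVMessAEADKDF                    = "VMess AEAD KDF"
	kdfSaltConstVMessHeaderPayloadAEADKey       = "VMess Header AEAD Key"
	kdfSaltConstVMessHeaderPayloadAEADIV        = "VMess Header AEAD Nonce"
	kdfSaltConstVMessHeaderPayloadLengthAEADKey = "VMess Header AEAD Key_Length"
	kdfSaltConstVMessHeaderPayloadLengthAEADIV  = "VMess Header AEAD Nonce_Length"
)

// kdf derives a 32-byte value from key through a chain of nested HMACs.
//
// The innermost construction is HMAC-SHA256 keyed with
// kdfSaltConstVMessAEADKDF. Every element of path wraps the previous
// construction in a further HMAC keyed with that element, and key is then
// written as the message of the outermost HMAC. Callers in this file truncate
// the result to the key or nonce size they need.
func kdf(key []byte, path ...string) []byte {
	creator := &hMacCreator{value: []byte(kdfSaltConstVMessAEADKDF)}
	for _, label := range path {
		creator = &hMacCreator{value: []byte(label), parent: creator}
	}
	mac := creator.Create()
	mac.Write(key) // hash.Hash.Write is documented never to return an error
	return mac.Sum(nil)
}

// hMacCreator is one level of the nested HMAC chain built by kdf.
type hMacCreator struct {
	parent *hMacCreator // next-inner level; nil for the HMAC-SHA256 base
	value  []byte       // HMAC key used at this level
}

// Create returns a fresh hash.Hash for this level: HMAC-SHA256 keyed with
// h.value at the base, otherwise an HMAC keyed with h.value whose underlying
// hash is the parent level's construction.
func (h *hMacCreator) Create() hash.Hash {
	if h.parent == nil {
		return hmac.New(sha256.New, h.value)
	}
	return hmac.New(h.parent.Create, h.value)
}

// createAuthID builds the 16-byte authentication ID for a header.
//
// The plaintext block is the big-endian timestamp (8 bytes), 4 random bytes
// and the CRC-32 (IEEE) of those 12 bytes. It is encrypted as a single raw AES
// block under the first 16 bytes of
// kdf(cmdKey, kdfSaltConstAuthIDEncryptionKey). The CRC-32 is a checksum, not
// a MAC.
//
// createAuthID panics if the random bytes cannot be read. The function has no
// error return, and continuing with missing randomness would make the auth ID
// depend only on cmdKey and the timestamp.
func createAuthID(cmdKey []byte, time int64) [16]byte {
	buf := pool.BufferWriter{}
	buf.PutUint64be(uint64(time))
	// Fail closed: the original discarded this error.
	// NOTE(review): assumes ReadFull appends exactly 4 bytes on success — confirm
	// against pool.BufferWriter.
	if err := buf.ReadFull(rand.Reader, 4); err != nil {
		panic("vmess: reading auth ID randomness: " + err.Error())
	}
	checksum := crc32.ChecksumIEEE(buf.Bytes())
	buf.PutUint32be(checksum)

	// The key is always 16 bytes, so NewCipher cannot fail here; the check only
	// avoids a nil dereference if that invariant is ever broken.
	block, err := aes.NewCipher(kdf(cmdKey, kdfSaltConstAuthIDEncryptionKey)[:16])
	if err != nil {
		panic("vmess: creating auth ID cipher: " + err.Error())
	}
	var result [16]byte
	block.Encrypt(result[:], buf.Bytes())
	return result
}

// sealHeaderPart encrypts plaintext with AES-128-GCM. The key and nonce are
// derived from key, the given labels, authID and connNonce; authID is bound as
// additional authenticated data.
func sealHeaderPart(key []byte, keySalt, nonceSalt string, authID, connNonce, plaintext []byte) []byte {
	aeadKey := kdf(key, keySalt, string(authID), string(connNonce))[:16]
	aeadNonce := kdf(key, nonceSalt, string(authID), string(connNonce))[:12]

	// Neither constructor can fail for a 16-byte key; the checks replace the
	// original's discarded errors so a broken invariant is reported clearly.
	block, err := aes.NewCipher(aeadKey)
	if err != nil {
		panic("vmess: creating header cipher: " + err.Error())
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic("vmess: creating header AEAD: " + err.Error())
	}
	return aead.Seal(nil, aeadNonce, plaintext, authID)
}

// sealVMessAEADHeader encrypts the request header data and returns the bytes
// to send, laid out as:
//
//	auth ID (16) | sealed length (2 + 16-byte tag) | connection nonce (8) | sealed data (len(data) + 16-byte tag)
//
// The length and the data are sealed separately with AES-128-GCM. Each seal
// uses its own key and nonce derived from key, the auth ID and the connection
// nonce, with the auth ID as additional authenticated data.
//
// sealVMessAEADHeader panics if the connection nonce cannot be read from the
// system CSPRNG. Both the GCM key and the GCM nonce are derived from the auth
// ID and the connection nonce, and the auth ID's timestamp has one-second
// resolution. A silent randomness failure would therefore let the same
// key/nonce pair repeat for headers sealed within the same second. Newer Go
// releases already treat crypto/rand failures as fatal; the explicit check
// gives the same fail-closed behavior on toolchains that still return an
// error.
func sealVMessAEADHeader(key [16]byte, data []byte, t time.Time) []byte {
	authID := createAuthID(key[:], t.Unix())

	connectionNonce := make([]byte, 8)
	if _, err := rand.Read(connectionNonce); err != nil {
		panic("vmess: reading connection nonce: " + err.Error())
	}

	// NOTE(review): the length field is 16 bits, so len(data) above 65535 wraps
	// silently here. Callers must keep data within that range.
	lengthBytes := make([]byte, 2)
	binary.BigEndian.PutUint16(lengthBytes, uint16(len(data)))

	sealedLength := sealHeaderPart(
		key[:],
		kdfSaltConstVMessHeaderPayloadLengthAEADKey,
		kdfSaltConstVMessHeaderPayloadLengthAEADIV,
		authID[:], connectionNonce, lengthBytes,
	)
	sealedData := sealHeaderPart(
		key[:],
		kdfSaltConstVMessHeaderPayloadAEADKey,
		kdfSaltConstVMessHeaderPayloadAEADIV,
		authID[:], connectionNonce, data,
	)

	out := pool.BufferWriter{}
	out.PutSlice(authID[:])
	out.PutSlice(sealedLength)
	out.PutSlice(connectionNonce)
	out.PutSlice(sealedData)
	return out.Bytes()
}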