🚮 Remove security-iv-printable-prefix feature

For shadowsocks/shadowsocks-org#204.
shadowsocks · Sep 12, 2022 · 26b2a1d · 26b2a1d
1 parent 1947eb1
commit 26b2a1d
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 85 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -136,8 +136,6 @@ aead-cipher-2022-extra = ["shadowsocks-service/aead-cipher-2022-extra"]
 # Enable detection against replay attack (Stream / AEAD)
 security-replay-attack-detect = ["shadowsocks-service/security-replay-attack-detect"]
 replay-attack-detect = ["security-replay-attack-detect"] # Backward compatibility. DO NOT USE.
-# Enable IV printable prefix
-security-iv-printable-prefix = ["shadowsocks-service/security-iv-printable-prefix"]
 
 # Enable ARMv8 related optimizations
 armv8 = ["shadowsocks-service/armv8"]

diff --git a/crates/shadowsocks-service/Cargo.toml b/crates/shadowsocks-service/Cargo.toml
@@ -75,8 +75,6 @@ aead-cipher-2022-extra = ["shadowsocks/aead-cipher-2022-extra"]
 
 # Enable detection against replay attack
 security-replay-attack-detect = ["shadowsocks/security-replay-attack-detect"]
-# Enable IV printable prefix
-security-iv-printable-prefix = ["shadowsocks/security-iv-printable-prefix"]
 
 # Enable ARMv8 related optimizations
 armv8 = ["shadowsocks/armv8"]

diff --git a/crates/shadowsocks/Cargo.toml b/crates/shadowsocks/Cargo.toml
@@ -38,8 +38,6 @@ aead-cipher-2022-extra = ["aead-cipher-2022", "shadowsocks-crypto/v2-extra"]
 
 # Enable detection against replay attack
 security-replay-attack-detect = ["bloomfilter"]
-# Enable IV printable prefix
-security-iv-printable-prefix = ["rand"]
 
 # Enable ARMv8 related optimizations
 armv8 = ["shadowsocks-crypto/armv8"]

diff --git a/crates/shadowsocks/src/context.rs b/crates/shadowsocks/src/context.rs
@@ -66,22 +66,6 @@ impl Context {
         loop {
             random_iv_or_salt(nonce);
 
-            // SECURITY: First 6 bytes of payload should be printable characters
-            // Observation shows that prepending 6 bytes of printable characters to random payload will exempt it from blocking.
-            // by 2022-01-13 gfw.report et al.
-            #[cfg(feature = "security-iv-printable-prefix")]
-            {
-                const SECURITY_PRINTABLE_PREFIX_LEN: usize = 6;
-                if nonce.len() >= SECURITY_PRINTABLE_PREFIX_LEN {
-                    // Printable characters use base64 letters instead
-                    static ASCII_PRINTABLE_CHARS: &[u8] = br##"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"##;
-
-                    for b in nonce.iter_mut().take(SECURITY_PRINTABLE_PREFIX_LEN) {
-                        *b = ASCII_PRINTABLE_CHARS[(*b as usize) % ASCII_PRINTABLE_CHARS.len()];
-                    }
-                }
-            }
-
             // Salt already exists, generate a new one.
             if unique && self.check_nonce_and_set(method, nonce) {
                 continue;
@@ -163,20 +147,3 @@ impl Context {
         self.replay_policy
     }
 }
-
-#[cfg(test)]
-mod tests {
-    use crate::config::ServerType;
-    use crate::context::Context;
-    use byte_string::ByteStr;
-    use shadowsocks_crypto::CipherKind;
-
-    #[test]
-    fn generate_nonce() {
-        let mut salt = vec![0u8; 64];
-        let context = Context::new(ServerType::Server);
-        context.generate_nonce(CipherKind::AES_128_GCM, &mut salt, false);
-        println!("generate nonce printable ascii: {:?}", ByteStr::new(&salt));
-    }
-
-}