Fix DoS attack vulnerability in VMess Option Processing

xiaokangwang · xiaokangwang · commit 9132f94e40d5 · 2022-06-12T23:34:09.000+01:00
diff --git a/proxy/vmess/encoding/client.go b/proxy/vmess/encoding/client.go
@@ -137,31 +137,35 @@ func (c *ClientSession) EncodeRequestHeader(header *protocol.RequestHeader, writ
 	return nil
 }
 
-func (c *ClientSession) EncodeRequestBody(request *protocol.RequestHeader, writer io.Writer) buf.Writer {
+func (c *ClientSession) EncodeRequestBody(request *protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {
 	var sizeParser crypto.ChunkSizeEncoder = crypto.PlainChunkSizeParser{}
 	if request.Option.Has(protocol.RequestOptionChunkMasking) {
 		sizeParser = NewShakeSizeParser(c.requestBodyIV[:])
 	}
 	var padding crypto.PaddingLengthGenerator
 	if request.Option.Has(protocol.RequestOptionGlobalPadding) {
-		padding = sizeParser.(crypto.PaddingLengthGenerator)
+		var ok bool
+		padding, ok = sizeParser.(crypto.PaddingLengthGenerator)
+		if !ok {
+			return nil, newError("invalid option: RequestOptionGlobalPadding")
+		}
 	}
 
 	switch request.Security {
 	case protocol.SecurityType_NONE:
 		if request.Option.Has(protocol.RequestOptionChunkStream) {
 			if request.Command.TransferType() == protocol.TransferTypeStream {
-				return crypto.NewChunkStreamWriter(sizeParser, writer)
+				return crypto.NewChunkStreamWriter(sizeParser, writer), nil
 			}
 			auth := &crypto.AEADAuthenticator{
 				AEAD:                    new(NoOpAuthenticator),
 				NonceGenerator:          crypto.GenerateEmptyBytes(),
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
-			return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding)
+			return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding), nil
 		}
 
-		return buf.NewWriter(writer)
+		return buf.NewWriter(writer), nil
 	case protocol.SecurityType_LEGACY:
 		aesStream := crypto.NewAesEncryptionStream(c.requestBodyKey[:], c.requestBodyIV[:])
 		cryptionWriter := crypto.NewCryptionWriter(aesStream, writer)
@@ -171,10 +175,10 @@ func (c *ClientSession) EncodeRequestBody(request *protocol.RequestHeader, write
 				NonceGenerator:          crypto.GenerateEmptyBytes(),
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
-			return crypto.NewAuthenticationWriter(auth, sizeParser, cryptionWriter, request.Command.TransferType(), padding)
+			return crypto.NewAuthenticationWriter(auth, sizeParser, cryptionWriter, request.Command.TransferType(), padding), nil
 		}
 
-		return &buf.SequentialWriter{Writer: cryptionWriter}
+		return &buf.SequentialWriter{Writer: cryptionWriter}, nil
 	case protocol.SecurityType_AES128_GCM:
 		aead := crypto.NewAesGcm(c.requestBodyKey[:])
 		auth := &crypto.AEADAuthenticator{
@@ -193,7 +197,7 @@ func (c *ClientSession) EncodeRequestBody(request *protocol.RequestHeader, write
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil
 	case protocol.SecurityType_CHACHA20_POLY1305:
 		aead, err := chacha20poly1305.New(GenerateChacha20Poly1305Key(c.requestBodyKey[:]))
 		common.Must(err)
@@ -215,9 +219,9 @@ func (c *ClientSession) EncodeRequestBody(request *protocol.RequestHeader, write
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil
 	default:
-		panic("Unknown security type.")
+		return nil, newError("invalid option: Security")
 	}
 }
 
@@ -306,21 +310,25 @@ func (c *ClientSession) DecodeResponseHeader(reader io.Reader) (*protocol.Respon
 	return header, nil
 }
 
-func (c *ClientSession) DecodeResponseBody(request *protocol.RequestHeader, reader io.Reader) buf.Reader {
+func (c *ClientSession) DecodeResponseBody(request *protocol.RequestHeader, reader io.Reader) (buf.Reader, error) {
 	var sizeParser crypto.ChunkSizeDecoder = crypto.PlainChunkSizeParser{}
 	if request.Option.Has(protocol.RequestOptionChunkMasking) {
 		sizeParser = NewShakeSizeParser(c.responseBodyIV[:])
 	}
 	var padding crypto.PaddingLengthGenerator
 	if request.Option.Has(protocol.RequestOptionGlobalPadding) {
-		padding = sizeParser.(crypto.PaddingLengthGenerator)
+		var ok bool
+		padding, ok = sizeParser.(crypto.PaddingLengthGenerator)
+		if !ok {
+			return nil, newError("invalid option: RequestOptionGlobalPadding")
+		}
 	}
 
 	switch request.Security {
 	case protocol.SecurityType_NONE:
 		if request.Option.Has(protocol.RequestOptionChunkStream) {
 			if request.Command.TransferType() == protocol.TransferTypeStream {
-				return crypto.NewChunkStreamReader(sizeParser, reader)
+				return crypto.NewChunkStreamReader(sizeParser, reader), nil
 			}
 
 			auth := &crypto.AEADAuthenticator{
@@ -329,21 +337,21 @@ func (c *ClientSession) DecodeResponseBody(request *protocol.RequestHeader, read
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
 
-			return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding)
+			return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding), nil
 		}
 
-		return buf.NewReader(reader)
+		return buf.NewReader(reader), nil
 	case protocol.SecurityType_LEGACY:
 		if request.Option.Has(protocol.RequestOptionChunkStream) {
 			auth := &crypto.AEADAuthenticator{
 				AEAD:                    new(FnvAuthenticator),
 				NonceGenerator:          crypto.GenerateEmptyBytes(),
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
-			return crypto.NewAuthenticationReader(auth, sizeParser, c.responseReader, request.Command.TransferType(), padding)
+			return crypto.NewAuthenticationReader(auth, sizeParser, c.responseReader, request.Command.TransferType(), padding), nil
 		}
 
-		return buf.NewReader(c.responseReader)
+		return buf.NewReader(c.responseReader), nil
 	case protocol.SecurityType_AES128_GCM:
 		aead := crypto.NewAesGcm(c.responseBodyKey[:])
 
@@ -363,7 +371,7 @@ func (c *ClientSession) DecodeResponseBody(request *protocol.RequestHeader, read
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil
 	case protocol.SecurityType_CHACHA20_POLY1305:
 		aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(c.responseBodyKey[:]))
 
@@ -384,9 +392,9 @@ func (c *ClientSession) DecodeResponseBody(request *protocol.RequestHeader, read
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil
 	default:
-		panic("Unknown security type.")
+		return nil, newError("invalid option: Security")
 	}
 }
 
diff --git a/proxy/vmess/encoding/server.go b/proxy/vmess/encoding/server.go
@@ -305,31 +305,35 @@ func (s *ServerSession) DecodeRequestHeader(reader io.Reader) (*protocol.Request
 }
 
 // DecodeRequestBody returns Reader from which caller can fetch decrypted body.
-func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reader io.Reader) buf.Reader {
+func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reader io.Reader) (buf.Reader, error) {
 	var sizeParser crypto.ChunkSizeDecoder = crypto.PlainChunkSizeParser{}
 	if request.Option.Has(protocol.RequestOptionChunkMasking) {
 		sizeParser = NewShakeSizeParser(s.requestBodyIV[:])
 	}
 	var padding crypto.PaddingLengthGenerator
 	if request.Option.Has(protocol.RequestOptionGlobalPadding) {
-		padding = sizeParser.(crypto.PaddingLengthGenerator)
+		var ok bool
+		padding, ok = sizeParser.(crypto.PaddingLengthGenerator)
+		if !ok {
+			return nil, newError("invalid option: RequestOptionGlobalPadding")
+		}
 	}
 
 	switch request.Security {
 	case protocol.SecurityType_NONE:
 		if request.Option.Has(protocol.RequestOptionChunkStream) {
 			if request.Command.TransferType() == protocol.TransferTypeStream {
-				return crypto.NewChunkStreamReader(sizeParser, reader)
+				return crypto.NewChunkStreamReader(sizeParser, reader), nil
 			}
 
 			auth := &crypto.AEADAuthenticator{
 				AEAD:                    new(NoOpAuthenticator),
 				NonceGenerator:          crypto.GenerateEmptyBytes(),
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
-			return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding)
+			return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding), nil
 		}
-		return buf.NewReader(reader)
+		return buf.NewReader(reader), nil
 
 	case protocol.SecurityType_LEGACY:
 		aesStream := crypto.NewAesDecryptionStream(s.requestBodyKey[:], s.requestBodyIV[:])
@@ -340,9 +344,9 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
 				NonceGenerator:          crypto.GenerateEmptyBytes(),
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
-			return crypto.NewAuthenticationReader(auth, sizeParser, cryptionReader, request.Command.TransferType(), padding)
+			return crypto.NewAuthenticationReader(auth, sizeParser, cryptionReader, request.Command.TransferType(), padding), nil
 		}
-		return buf.NewReader(cryptionReader)
+		return buf.NewReader(cryptionReader), nil
 
 	case protocol.SecurityType_AES128_GCM:
 		aead := crypto.NewAesGcm(s.requestBodyKey[:])
@@ -362,7 +366,7 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil
 
 	case protocol.SecurityType_CHACHA20_POLY1305:
 		aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(s.requestBodyKey[:]))
@@ -384,10 +388,10 @@ func (s *ServerSession) DecodeRequestBody(request *protocol.RequestHeader, reade
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil
 
 	default:
-		panic("Unknown security type.")
+		return nil, newError("invalid option: Security")
 	}
 }
 
@@ -448,31 +452,35 @@ func (s *ServerSession) EncodeResponseHeader(header *protocol.ResponseHeader, wr
 }
 
 // EncodeResponseBody returns a Writer that auto-encrypt content written by caller.
-func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writer io.Writer) buf.Writer {
+func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {
 	var sizeParser crypto.ChunkSizeEncoder = crypto.PlainChunkSizeParser{}
 	if request.Option.Has(protocol.RequestOptionChunkMasking) {
 		sizeParser = NewShakeSizeParser(s.responseBodyIV[:])
 	}
 	var padding crypto.PaddingLengthGenerator
 	if request.Option.Has(protocol.RequestOptionGlobalPadding) {
-		padding = sizeParser.(crypto.PaddingLengthGenerator)
+		var ok bool
+		padding, ok = sizeParser.(crypto.PaddingLengthGenerator)
+		if !ok {
+			return nil, newError("invalid option: RequestOptionGlobalPadding")
+		}
 	}
 
 	switch request.Security {
 	case protocol.SecurityType_NONE:
 		if request.Option.Has(protocol.RequestOptionChunkStream) {
 			if request.Command.TransferType() == protocol.TransferTypeStream {
-				return crypto.NewChunkStreamWriter(sizeParser, writer)
+				return crypto.NewChunkStreamWriter(sizeParser, writer), nil
 			}
 
 			auth := &crypto.AEADAuthenticator{
 				AEAD:                    new(NoOpAuthenticator),
 				NonceGenerator:          crypto.GenerateEmptyBytes(),
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
-			return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding)
+			return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding), nil
 		}
-		return buf.NewWriter(writer)
+		return buf.NewWriter(writer), nil
 
 	case protocol.SecurityType_LEGACY:
 		if request.Option.Has(protocol.RequestOptionChunkStream) {
@@ -481,9 +489,9 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
 				NonceGenerator:          crypto.GenerateEmptyBytes(),
 				AdditionalDataGenerator: crypto.GenerateEmptyBytes(),
 			}
-			return crypto.NewAuthenticationWriter(auth, sizeParser, s.responseWriter, request.Command.TransferType(), padding)
+			return crypto.NewAuthenticationWriter(auth, sizeParser, s.responseWriter, request.Command.TransferType(), padding), nil
 		}
-		return &buf.SequentialWriter{Writer: s.responseWriter}
+		return &buf.SequentialWriter{Writer: s.responseWriter}, nil
 
 	case protocol.SecurityType_AES128_GCM:
 		aead := crypto.NewAesGcm(s.responseBodyKey[:])
@@ -503,7 +511,7 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil
 
 	case protocol.SecurityType_CHACHA20_POLY1305:
 		aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(s.responseBodyKey[:]))
@@ -525,9 +533,9 @@ func (s *ServerSession) EncodeResponseBody(request *protocol.RequestHeader, writ
 			}
 			sizeParser = NewAEADSizeParser(lengthAuth)
 		}
-		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)
+		return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil
 
 	default:
-		panic("Unknown security type.")
+		return nil, newError("invalid option: Security")
 	}
 }
diff --git a/proxy/vmess/inbound/inbound.go b/proxy/vmess/inbound/inbound.go
@@ -182,8 +182,10 @@ func (h *Handler) RemoveUser(ctx context.Context, email string) error {
 func transferResponse(timer signal.ActivityUpdater, session *encoding.ServerSession, request *protocol.RequestHeader, response *protocol.ResponseHeader, input buf.Reader, output *buf.BufferedWriter) error {
 	session.EncodeResponseHeader(response, output)
 
-	bodyWriter := session.EncodeResponseBody(request, output)
-
+	bodyWriter, err := session.EncodeResponseBody(request, output)
+	if err != nil {
+		return newError("failed to start decoding response").Base(err)
+	}
 	{
 		// Optimize for small response packet
 		data, err := input.ReadMultiBuffer()
@@ -290,7 +292,10 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection i
 	requestDone := func() error {
 		defer timer.SetTimeout(sessionPolicy.Timeouts.DownlinkOnly)
 
-		bodyReader := svrSession.DecodeRequestBody(request, reader)
+		bodyReader, err := svrSession.DecodeRequestBody(request, reader)
+		if err != nil {
+			return newError("failed to start decoding").Base(err)
+		}
 		if err := buf.Copy(bodyReader, link.Writer, buf.UpdateActivity(timer)); err != nil {
 			return newError("failed to transfer request").Base(err)
 		}
diff --git a/proxy/vmess/outbound/outbound.go b/proxy/vmess/outbound/outbound.go
@@ -151,7 +151,10 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
 			return newError("failed to encode request").Base(err).AtWarning()
 		}
 
-		bodyWriter := session.EncodeRequestBody(request, writer)
+		bodyWriter, err := session.EncodeRequestBody(request, writer)
+		if err != nil {
+			return newError("failed to start encoding").Base(err)
+		}
 		if err := buf.CopyOnceTimeout(input, bodyWriter, time.Millisecond*100); err != nil && err != buf.ErrNotTimeoutReader && err != buf.ErrReadTimeout {
 			return newError("failed to write first payload").Base(err)
 		}
@@ -183,8 +186,10 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
 		}
 		h.handleCommand(rec.Destination(), header.Command)
 
-		bodyReader := session.DecodeResponseBody(request, reader)
-
+		bodyReader, err := session.DecodeResponseBody(request, reader)
+		if err != nil {
+			return newError("failed to start encoding response").Base(err)
+		}
 		return buf.Copy(bodyReader, output, buf.UpdateActivity(timer))
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -137,31 +137,35 @@ func (c ClientSession) EncodeRequestHeader(header protocol.RequestHeader, writ`
`137`	`137`	`return nil`
`138`	`138`	`}`
`139`	`139`
`140`		`-func (c ClientSession) EncodeRequestBody(request protocol.RequestHeader, writer io.Writer) buf.Writer {`
	`140`	`+func (c ClientSession) EncodeRequestBody(request protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {`
`141`	`141`	`var sizeParser crypto.ChunkSizeEncoder = crypto.PlainChunkSizeParser{}`
`142`	`142`	`if request.Option.Has(protocol.RequestOptionChunkMasking) {`
`143`	`143`	`sizeParser = NewShakeSizeParser(c.requestBodyIV[:])`
`144`	`144`	`}`
`145`	`145`	`var padding crypto.PaddingLengthGenerator`
`146`	`146`	`if request.Option.Has(protocol.RequestOptionGlobalPadding) {`
`147`		`- padding = sizeParser.(crypto.PaddingLengthGenerator)`
	`147`	`+ var ok bool`
	`148`	`+ padding, ok = sizeParser.(crypto.PaddingLengthGenerator)`
	`149`	`+ if !ok {`
	`150`	`+ return nil, newError("invalid option: RequestOptionGlobalPadding")`
	`151`	`+ }`
`148`	`152`	`}`
`149`	`153`
`150`	`154`	`switch request.Security {`
`151`	`155`	`case protocol.SecurityType_NONE:`
`152`	`156`	`if request.Option.Has(protocol.RequestOptionChunkStream) {`
`153`	`157`	`if request.Command.TransferType() == protocol.TransferTypeStream {`
`154`		`- return crypto.NewChunkStreamWriter(sizeParser, writer)`
	`158`	`+ return crypto.NewChunkStreamWriter(sizeParser, writer), nil`
`155`	`159`	`}`
`156`	`160`	`auth := &crypto.AEADAuthenticator{`
`157`	`161`	`AEAD: new(NoOpAuthenticator),`
`158`	`162`	`NonceGenerator: crypto.GenerateEmptyBytes(),`
`159`	`163`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`160`	`164`	`}`
`161`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding)`
	`165`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding), nil`
`162`	`166`	`}`
`163`	`167`
`164`		`- return buf.NewWriter(writer)`
	`168`	`+ return buf.NewWriter(writer), nil`
`165`	`169`	`case protocol.SecurityType_LEGACY:`
`166`	`170`	`aesStream := crypto.NewAesEncryptionStream(c.requestBodyKey[:], c.requestBodyIV[:])`
`167`	`171`	`cryptionWriter := crypto.NewCryptionWriter(aesStream, writer)`
`@@ -171,10 +175,10 @@ func (c ClientSession) EncodeRequestBody(request protocol.RequestHeader, write`
`171`	`175`	`NonceGenerator: crypto.GenerateEmptyBytes(),`
`172`	`176`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`173`	`177`	`}`
`174`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, cryptionWriter, request.Command.TransferType(), padding)`
	`178`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, cryptionWriter, request.Command.TransferType(), padding), nil`
`175`	`179`	`}`
`176`	`180`
`177`		`- return &buf.SequentialWriter{Writer: cryptionWriter}`
	`181`	`+ return &buf.SequentialWriter{Writer: cryptionWriter}, nil`
`178`	`182`	`case protocol.SecurityType_AES128_GCM:`
`179`	`183`	`aead := crypto.NewAesGcm(c.requestBodyKey[:])`
`180`	`184`	`auth := &crypto.AEADAuthenticator{`
`@@ -193,7 +197,7 @@ func (c ClientSession) EncodeRequestBody(request protocol.RequestHeader, write`
`193`	`197`	`}`
`194`	`198`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`195`	`199`	`}`
`196`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)`
	`200`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil`
`197`	`201`	`case protocol.SecurityType_CHACHA20_POLY1305:`
`198`	`202`	`aead, err := chacha20poly1305.New(GenerateChacha20Poly1305Key(c.requestBodyKey[:]))`
`199`	`203`	`common.Must(err)`
`@@ -215,9 +219,9 @@ func (c ClientSession) EncodeRequestBody(request protocol.RequestHeader, write`
`215`	`219`	`}`
`216`	`220`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`217`	`221`	`}`
`218`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)`
	`222`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil`
`219`	`223`	`default:`
`220`		`- panic("Unknown security type.")`
	`224`	`+ return nil, newError("invalid option: Security")`
`221`	`225`	`}`
`222`	`226`	`}`
`223`	`227`
`@@ -306,21 +310,25 @@ func (c ClientSession) DecodeResponseHeader(reader io.Reader) (protocol.Respon`
`306`	`310`	`return header, nil`
`307`	`311`	`}`
`308`	`312`
`309`		`-func (c ClientSession) DecodeResponseBody(request protocol.RequestHeader, reader io.Reader) buf.Reader {`
	`313`	`+func (c ClientSession) DecodeResponseBody(request protocol.RequestHeader, reader io.Reader) (buf.Reader, error) {`
`310`	`314`	`var sizeParser crypto.ChunkSizeDecoder = crypto.PlainChunkSizeParser{}`
`311`	`315`	`if request.Option.Has(protocol.RequestOptionChunkMasking) {`
`312`	`316`	`sizeParser = NewShakeSizeParser(c.responseBodyIV[:])`
`313`	`317`	`}`
`314`	`318`	`var padding crypto.PaddingLengthGenerator`
`315`	`319`	`if request.Option.Has(protocol.RequestOptionGlobalPadding) {`
`316`		`- padding = sizeParser.(crypto.PaddingLengthGenerator)`
	`320`	`+ var ok bool`
	`321`	`+ padding, ok = sizeParser.(crypto.PaddingLengthGenerator)`
	`322`	`+ if !ok {`
	`323`	`+ return nil, newError("invalid option: RequestOptionGlobalPadding")`
	`324`	`+ }`
`317`	`325`	`}`
`318`	`326`
`319`	`327`	`switch request.Security {`
`320`	`328`	`case protocol.SecurityType_NONE:`
`321`	`329`	`if request.Option.Has(protocol.RequestOptionChunkStream) {`
`322`	`330`	`if request.Command.TransferType() == protocol.TransferTypeStream {`
`323`		`- return crypto.NewChunkStreamReader(sizeParser, reader)`
	`331`	`+ return crypto.NewChunkStreamReader(sizeParser, reader), nil`
`324`	`332`	`}`
`325`	`333`
`326`	`334`	`auth := &crypto.AEADAuthenticator{`
`@@ -329,21 +337,21 @@ func (c ClientSession) DecodeResponseBody(request protocol.RequestHeader, read`
`329`	`337`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`330`	`338`	`}`
`331`	`339`
`332`		`- return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding)`
	`340`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding), nil`
`333`	`341`	`}`
`334`	`342`
`335`		`- return buf.NewReader(reader)`
	`343`	`+ return buf.NewReader(reader), nil`
`336`	`344`	`case protocol.SecurityType_LEGACY:`
`337`	`345`	`if request.Option.Has(protocol.RequestOptionChunkStream) {`
`338`	`346`	`auth := &crypto.AEADAuthenticator{`
`339`	`347`	`AEAD: new(FnvAuthenticator),`
`340`	`348`	`NonceGenerator: crypto.GenerateEmptyBytes(),`
`341`	`349`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`342`	`350`	`}`
`343`		`- return crypto.NewAuthenticationReader(auth, sizeParser, c.responseReader, request.Command.TransferType(), padding)`
	`351`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, c.responseReader, request.Command.TransferType(), padding), nil`
`344`	`352`	`}`
`345`	`353`
`346`		`- return buf.NewReader(c.responseReader)`
	`354`	`+ return buf.NewReader(c.responseReader), nil`
`347`	`355`	`case protocol.SecurityType_AES128_GCM:`
`348`	`356`	`aead := crypto.NewAesGcm(c.responseBodyKey[:])`
`349`	`357`
`@@ -363,7 +371,7 @@ func (c ClientSession) DecodeResponseBody(request protocol.RequestHeader, read`
`363`	`371`	`}`
`364`	`372`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`365`	`373`	`}`
`366`		`- return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)`
	`374`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil`
`367`	`375`	`case protocol.SecurityType_CHACHA20_POLY1305:`
`368`	`376`	`aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(c.responseBodyKey[:]))`
`369`	`377`
`@@ -384,9 +392,9 @@ func (c ClientSession) DecodeResponseBody(request protocol.RequestHeader, read`
`384`	`392`	`}`
`385`	`393`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`386`	`394`	`}`
`387`		`- return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)`
	`395`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil`
`388`	`396`	`default:`
`389`		`- panic("Unknown security type.")`
	`397`	`+ return nil, newError("invalid option: Security")`
`390`	`398`	`}`
`391`	`399`	`}`
`392`	`400`
Original file line number	Diff line number	Diff line change
`@@ -305,31 +305,35 @@ func (s ServerSession) DecodeRequestHeader(reader io.Reader) (protocol.Request`
`305`	`305`	`}`
`306`	`306`
`307`	`307`	`// DecodeRequestBody returns Reader from which caller can fetch decrypted body.`
`308`		`-func (s ServerSession) DecodeRequestBody(request protocol.RequestHeader, reader io.Reader) buf.Reader {`
	`308`	`+func (s ServerSession) DecodeRequestBody(request protocol.RequestHeader, reader io.Reader) (buf.Reader, error) {`
`309`	`309`	`var sizeParser crypto.ChunkSizeDecoder = crypto.PlainChunkSizeParser{}`
`310`	`310`	`if request.Option.Has(protocol.RequestOptionChunkMasking) {`
`311`	`311`	`sizeParser = NewShakeSizeParser(s.requestBodyIV[:])`
`312`	`312`	`}`
`313`	`313`	`var padding crypto.PaddingLengthGenerator`
`314`	`314`	`if request.Option.Has(protocol.RequestOptionGlobalPadding) {`
`315`		`- padding = sizeParser.(crypto.PaddingLengthGenerator)`
	`315`	`+ var ok bool`
	`316`	`+ padding, ok = sizeParser.(crypto.PaddingLengthGenerator)`
	`317`	`+ if !ok {`
	`318`	`+ return nil, newError("invalid option: RequestOptionGlobalPadding")`
	`319`	`+ }`
`316`	`320`	`}`
`317`	`321`
`318`	`322`	`switch request.Security {`
`319`	`323`	`case protocol.SecurityType_NONE:`
`320`	`324`	`if request.Option.Has(protocol.RequestOptionChunkStream) {`
`321`	`325`	`if request.Command.TransferType() == protocol.TransferTypeStream {`
`322`		`- return crypto.NewChunkStreamReader(sizeParser, reader)`
	`326`	`+ return crypto.NewChunkStreamReader(sizeParser, reader), nil`
`323`	`327`	`}`
`324`	`328`
`325`	`329`	`auth := &crypto.AEADAuthenticator{`
`326`	`330`	`AEAD: new(NoOpAuthenticator),`
`327`	`331`	`NonceGenerator: crypto.GenerateEmptyBytes(),`
`328`	`332`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`329`	`333`	`}`
`330`		`- return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding)`
	`334`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, reader, protocol.TransferTypePacket, padding), nil`
`331`	`335`	`}`
`332`		`- return buf.NewReader(reader)`
	`336`	`+ return buf.NewReader(reader), nil`
`333`	`337`
`334`	`338`	`case protocol.SecurityType_LEGACY:`
`335`	`339`	`aesStream := crypto.NewAesDecryptionStream(s.requestBodyKey[:], s.requestBodyIV[:])`
`@@ -340,9 +344,9 @@ func (s ServerSession) DecodeRequestBody(request protocol.RequestHeader, reade`
`340`	`344`	`NonceGenerator: crypto.GenerateEmptyBytes(),`
`341`	`345`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`342`	`346`	`}`
`343`		`- return crypto.NewAuthenticationReader(auth, sizeParser, cryptionReader, request.Command.TransferType(), padding)`
	`347`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, cryptionReader, request.Command.TransferType(), padding), nil`
`344`	`348`	`}`
`345`		`- return buf.NewReader(cryptionReader)`
	`349`	`+ return buf.NewReader(cryptionReader), nil`
`346`	`350`
`347`	`351`	`case protocol.SecurityType_AES128_GCM:`
`348`	`352`	`aead := crypto.NewAesGcm(s.requestBodyKey[:])`
`@@ -362,7 +366,7 @@ func (s ServerSession) DecodeRequestBody(request protocol.RequestHeader, reade`
`362`	`366`	`}`
`363`	`367`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`364`	`368`	`}`
`365`		`- return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)`
	`369`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil`
`366`	`370`
`367`	`371`	`case protocol.SecurityType_CHACHA20_POLY1305:`
`368`	`372`	`aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(s.requestBodyKey[:]))`
`@@ -384,10 +388,10 @@ func (s ServerSession) DecodeRequestBody(request protocol.RequestHeader, reade`
`384`	`388`	`}`
`385`	`389`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`386`	`390`	`}`
`387`		`- return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding)`
	`391`	`+ return crypto.NewAuthenticationReader(auth, sizeParser, reader, request.Command.TransferType(), padding), nil`
`388`	`392`
`389`	`393`	`default:`
`390`		`- panic("Unknown security type.")`
	`394`	`+ return nil, newError("invalid option: Security")`
`391`	`395`	`}`
`392`	`396`	`}`
`393`	`397`
`@@ -448,31 +452,35 @@ func (s ServerSession) EncodeResponseHeader(header protocol.ResponseHeader, wr`
`448`	`452`	`}`
`449`	`453`
`450`	`454`	`// EncodeResponseBody returns a Writer that auto-encrypt content written by caller.`
`451`		`-func (s ServerSession) EncodeResponseBody(request protocol.RequestHeader, writer io.Writer) buf.Writer {`
	`455`	`+func (s ServerSession) EncodeResponseBody(request protocol.RequestHeader, writer io.Writer) (buf.Writer, error) {`
`452`	`456`	`var sizeParser crypto.ChunkSizeEncoder = crypto.PlainChunkSizeParser{}`
`453`	`457`	`if request.Option.Has(protocol.RequestOptionChunkMasking) {`
`454`	`458`	`sizeParser = NewShakeSizeParser(s.responseBodyIV[:])`
`455`	`459`	`}`
`456`	`460`	`var padding crypto.PaddingLengthGenerator`
`457`	`461`	`if request.Option.Has(protocol.RequestOptionGlobalPadding) {`
`458`		`- padding = sizeParser.(crypto.PaddingLengthGenerator)`
	`462`	`+ var ok bool`
	`463`	`+ padding, ok = sizeParser.(crypto.PaddingLengthGenerator)`
	`464`	`+ if !ok {`
	`465`	`+ return nil, newError("invalid option: RequestOptionGlobalPadding")`
	`466`	`+ }`
`459`	`467`	`}`
`460`	`468`
`461`	`469`	`switch request.Security {`
`462`	`470`	`case protocol.SecurityType_NONE:`
`463`	`471`	`if request.Option.Has(protocol.RequestOptionChunkStream) {`
`464`	`472`	`if request.Command.TransferType() == protocol.TransferTypeStream {`
`465`		`- return crypto.NewChunkStreamWriter(sizeParser, writer)`
	`473`	`+ return crypto.NewChunkStreamWriter(sizeParser, writer), nil`
`466`	`474`	`}`
`467`	`475`
`468`	`476`	`auth := &crypto.AEADAuthenticator{`
`469`	`477`	`AEAD: new(NoOpAuthenticator),`
`470`	`478`	`NonceGenerator: crypto.GenerateEmptyBytes(),`
`471`	`479`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`472`	`480`	`}`
`473`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding)`
	`481`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, writer, protocol.TransferTypePacket, padding), nil`
`474`	`482`	`}`
`475`		`- return buf.NewWriter(writer)`
	`483`	`+ return buf.NewWriter(writer), nil`
`476`	`484`
`477`	`485`	`case protocol.SecurityType_LEGACY:`
`478`	`486`	`if request.Option.Has(protocol.RequestOptionChunkStream) {`
`@@ -481,9 +489,9 @@ func (s ServerSession) EncodeResponseBody(request protocol.RequestHeader, writ`
`481`	`489`	`NonceGenerator: crypto.GenerateEmptyBytes(),`
`482`	`490`	`AdditionalDataGenerator: crypto.GenerateEmptyBytes(),`
`483`	`491`	`}`
`484`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, s.responseWriter, request.Command.TransferType(), padding)`
	`492`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, s.responseWriter, request.Command.TransferType(), padding), nil`
`485`	`493`	`}`
`486`		`- return &buf.SequentialWriter{Writer: s.responseWriter}`
	`494`	`+ return &buf.SequentialWriter{Writer: s.responseWriter}, nil`
`487`	`495`
`488`	`496`	`case protocol.SecurityType_AES128_GCM:`
`489`	`497`	`aead := crypto.NewAesGcm(s.responseBodyKey[:])`
`@@ -503,7 +511,7 @@ func (s ServerSession) EncodeResponseBody(request protocol.RequestHeader, writ`
`503`	`511`	`}`
`504`	`512`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`505`	`513`	`}`
`506`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)`
	`514`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil`
`507`	`515`
`508`	`516`	`case protocol.SecurityType_CHACHA20_POLY1305:`
`509`	`517`	`aead, _ := chacha20poly1305.New(GenerateChacha20Poly1305Key(s.responseBodyKey[:]))`
`@@ -525,9 +533,9 @@ func (s ServerSession) EncodeResponseBody(request protocol.RequestHeader, writ`
`525`	`533`	`}`
`526`	`534`	`sizeParser = NewAEADSizeParser(lengthAuth)`
`527`	`535`	`}`
`528`		`- return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding)`
	`536`	`+ return crypto.NewAuthenticationWriter(auth, sizeParser, writer, request.Command.TransferType(), padding), nil`
`529`	`537`
`530`	`538`	`default:`
`531`		`- panic("Unknown security type.")`
	`539`	`+ return nil, newError("invalid option: Security")`
`532`	`540`	`}`
`533`	`541`	`}`
Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,10 @@ func (h Handler) Process(ctx context.Context, link transport.Link, dialer inte`
`151`	`151`	`return newError("failed to encode request").Base(err).AtWarning()`
`152`	`152`	`}`
`153`	`153`
`154`		`- bodyWriter := session.EncodeRequestBody(request, writer)`
	`154`	`+ bodyWriter, err := session.EncodeRequestBody(request, writer)`
	`155`	`+ if err != nil {`
	`156`	`+ return newError("failed to start encoding").Base(err)`
	`157`	`+ }`
`155`	`158`	`if err := buf.CopyOnceTimeout(input, bodyWriter, time.Millisecond*100); err != nil && err != buf.ErrNotTimeoutReader && err != buf.ErrReadTimeout {`
`156`	`159`	`return newError("failed to write first payload").Base(err)`
`157`	`160`	`}`
`@@ -183,8 +186,10 @@ func (h Handler) Process(ctx context.Context, link transport.Link, dialer inte`
`183`	`186`	`}`
`184`	`187`	`h.handleCommand(rec.Destination(), header.Command)`
`185`	`188`
`186`		`- bodyReader := session.DecodeResponseBody(request, reader)`
`187`		`-`
	`189`	`+ bodyReader, err := session.DecodeResponseBody(request, reader)`
	`190`	`+ if err != nil {`
	`191`	`+ return newError("failed to start encoding response").Base(err)`
	`192`	`+ }`
`188`	`193`	`return buf.Copy(bodyReader, output, buf.UpdateActivity(timer))`
`189`	`194`	`}`
`190`	`195`