Replace nonce cache with a ping-pong bloom filter (#1282)

* Add Ping-Pong bloom filter

* Refine bloom filter insertion

* Reduce the error rate to 0.00001

* Avoid alignment issue in murmurhash2

* Fix a memory leak

* Fix build on non-GPU targets

* Detect get_current_dir_name in configure

* Update README.md

* Remove redudant bfree()

* Reduce the memory usage for local client

* Fix #1275

* Refine #1275

* Use IP when bypassing SNI domains

* Also apply replay detector on UDP traffic

* Update deb build script

Now build script is able to auto detect system and choose libraries
necessary to build.

Also update the README accordingly.

* Update build script to enable jessie/stretch etc

Also include a few cleanup that simplified pkg installation from
backports repository.

Author: madeye

Diff for: .gitmodules

@@ -6,3 +6,7 @@
 	path = libipset
 	url = https://github.com/shadowsocks/ipset.git
     ignore = dirty
+[submodule "libbloom"]
+	path = libbloom
+	url = https://github.com/shadowsocks/libbloom.git
+    ignore = dirty

Diff for: Makefile.am

@@ -1,7 +1,7 @@
 if USE_SYSTEM_SHARED_LIB
-SUBDIRS = src
+SUBDIRS = src libbloom
 else
-SUBDIRS = libcork libipset src
+SUBDIRS = libcork libipset libbloom src
 endif
 
 if ENABLE_DOCUMENTATION
@@ -14,6 +14,7 @@ pkgconfiglibdir = $(libdir)/pkgconfig
 pkgconfiglib_DATA = shadowsocks-libev.pc
 
 EXTRA_DIST = acl Changes completions debian docker rpm README.md
+EXTRA_DIST += libbloom
 EXTRA_DIST += libcork/include libipset/include
 EXTRA_DIST += libipset/src/libipset/map/inspection-template.c.in
 EXTRA_DIST += libipset/src/libipset/set/inspection-template.c.in

Diff for: configure.ac

@@ -230,7 +230,8 @@ AC_CHECK_LIB([ev], [ev_loop_destroy], [LIBS="-lev $LIBS"], [AC_MSG_ERROR([Couldn
 
 AC_CONFIG_FILES([shadowsocks-libev.pc
                  Makefile
-                 src/Makefile])
+                 src/Makefile
+                 libbloom/Makefile])
 
 AM_COND_IF([USE_SYSTEM_SHARED_LIB],
 		   [AC_DEFINE([USE_SYSTEM_SHARED_LIB], [1], [Define if use system shared lib.])],

Diff for: libbloom

@@ -2,13 +2,15 @@ VERSION_INFO = 2:0:0
 
 AM_CFLAGS = -g -O2 -Wall -Werror -Wno-deprecated-declarations -fno-strict-aliasing -std=gnu99 -D_GNU_SOURCE
 AM_CFLAGS += $(PTHREAD_CFLAGS)
+AM_CFLAGS += -I$(top_srcdir)/libbloom
 if !USE_SYSTEM_SHARED_LIB
 AM_CFLAGS += -I$(top_srcdir)/libipset/include
 AM_CFLAGS += -I$(top_srcdir)/libcork/include
 endif
 AM_CFLAGS += $(LIBPCRE_CFLAGS)
 
 SS_COMMON_LIBS = $(INET_NTOP_LIB) $(LIBPCRE_LIBS)
+SS_COMMON_LIBS += $(top_builddir)/libbloom/libbloom.la
 if !USE_SYSTEM_SHARED_LIB
 SS_COMMON_LIBS += $(top_builddir)/libipset/libipset.la \
                   $(top_builddir)/libcork/libcork.la
@@ -26,6 +28,7 @@ sni_src = http.c \
 crypto_src = crypto.c \
              aead.c \
              stream.c \
+			 ppbloom.c \
              base64.c
 
 plugin_src = plugin.c
@@ -112,6 +115,6 @@ libshadowsocks_libev_la_LIBADD = $(ss_local_LDADD)
 include_HEADERS = shadowsocks.h
 
 noinst_HEADERS = acl.h crypto.h stream.h aead.h json.h netutils.h redir.h server.h tls.h uthash.h \
-                 cache.h http.h local.h plugin.h resolv.h tunnel.h utils.h base64.h \
+                 cache.h http.h local.h plugin.h resolv.h tunnel.h utils.h base64.h ppbloom.h \
                  common.h jconf.h manager.h protocol.h rule.h socks5.h udprelay.h
 EXTRA_DIST = ss-nat

Diff for: src/Makefile.am

@@ -33,7 +33,7 @@
 #include <sodium.h>
 #include <arpa/inet.h>
 
-#include "cache.h"
+#include "ppbloom.h"
 #include "aead.h"
 #include "utils.h"
 
@@ -405,13 +405,11 @@ aead_encrypt_all(buffer_t *plaintext, cipher_t *cipher, size_t capacity)
                               (uint8_t *)plaintext->data, plaintext->len,
                               NULL, 0, cipher_ctx.nonce, cipher_ctx.skey);
 
-    if (err) {
-        bfree(plaintext);
-        aead_ctx_release(&cipher_ctx);
+    aead_ctx_release(&cipher_ctx);
+
+    if (err)
         return CRYPTO_ERROR;
-    }
 
-    aead_ctx_release(&cipher_ctx);
     assert(ciphertext->len == clen);
 
     brealloc(plaintext, salt_len + ciphertext->len, capacity);
@@ -444,6 +442,11 @@ aead_decrypt_all(buffer_t *ciphertext, cipher_t *cipher, size_t capacity)
     uint8_t *salt = cipher_ctx.salt;
     memcpy(salt, ciphertext->data, salt_len);
 
+    if (ppbloom_check((void *)salt, salt_len) == 1) {
+        LOGE("crypto: AEAD: repeat salt detected");
+        return CRYPTO_ERROR;
+    }
+
     aead_cipher_ctx_set_key(&cipher_ctx, 0);
 
     size_t plen = plaintext->len;
@@ -453,13 +456,12 @@ aead_decrypt_all(buffer_t *ciphertext, cipher_t *cipher, size_t capacity)
                               ciphertext->len - salt_len, NULL, 0,
                               cipher_ctx.nonce, cipher_ctx.skey);
 
-    if (err) {
-        bfree(ciphertext);
-        aead_ctx_release(&cipher_ctx);
+    aead_ctx_release(&cipher_ctx);
+
+    if (err)
         return CRYPTO_ERROR;
-    }
 
-    aead_ctx_release(&cipher_ctx);
+    ppbloom_add((void *)salt, salt_len);
 
     brealloc(ciphertext, plaintext->len, capacity);
     memcpy(ciphertext->data, plaintext->data, plaintext->len);
@@ -488,6 +490,7 @@ aead_chunk_encrypt(cipher_ctx_t *ctx, uint8_t *p, uint8_t *c,
                                NULL, 0, n, ctx->skey);
     if (err)
         return CRYPTO_ERROR;
+
     assert(clen == CHUNK_SIZE_LEN + tlen);
 
     sodium_increment(n, nlen);
@@ -497,6 +500,7 @@ aead_chunk_encrypt(cipher_ctx_t *ctx, uint8_t *p, uint8_t *c,
                                NULL, 0, n, ctx->skey);
     if (err)
         return CRYPTO_ERROR;
+
     assert(clen == plen + tlen);
 
     sodium_increment(n, nlen);
@@ -634,19 +638,20 @@ aead_decrypt(buffer_t *ciphertext, cipher_ctx_t *cipher_ctx, size_t capacity)
 
         aead_cipher_ctx_set_key(cipher_ctx, 0);
 
-        if (cache_key_exist(nonce_cache, (char *)cipher_ctx->salt, salt_len)) {
+        if (ppbloom_check((void *)cipher_ctx->salt, salt_len) == 1) {
             LOGE("crypto: AEAD: repeat salt detected");
-            bfree(ciphertext);
             return CRYPTO_ERROR;
-        } else {
-            cache_insert(nonce_cache, (char *)cipher_ctx->salt, salt_len, NULL);
         }
 
         memmove(cipher_ctx->chunk->data, cipher_ctx->chunk->data + salt_len,
                 cipher_ctx->chunk->len - salt_len);
         cipher_ctx->chunk->len -= salt_len;
 
         cipher_ctx->init = 1;
+
+    } else if (cipher_ctx->init == 1) {
+        ppbloom_add((void *)cipher_ctx->salt, salt_len);
+        cipher_ctx->init = 2;
     }
 
     size_t plen = 0;
@@ -685,9 +690,6 @@ aead_key_init(int method, const char *pass, const char *key)
         return NULL;
     }
 
-    // Initialize cache
-    cache_create(&nonce_cache, 1024, NULL);
-
     cipher_t *cipher = (cipher_t *)ss_malloc(sizeof(cipher_t));
     memset(cipher, 0, sizeof(cipher_t));
 

Diff for: src/aead.c

@@ -29,13 +29,11 @@
 #include <mbedtls/md5.h>
 
 #include "base64.h"
-#include "cache.h"
 #include "crypto.h"
 #include "stream.h"
 #include "aead.h"
 #include "utils.h"
-
-struct cache *nonce_cache;
+#include "ppbloom.h"
 
 int
 balloc(buffer_t *ptr, size_t capacity)
@@ -111,8 +109,12 @@ crypto_init(const char *password, const char *key, const char *method)
         FATAL("Failed to initialize sodium");
     }
 
-    // Initialize NONCE cache
-    cache_create(&nonce_cache, 1024, NULL);
+    // Initialize NONCE bloom filter
+#ifdef MODULE_REMOTE
+    ppbloom_init(1000000, 0.00001);
+#else
+    ppbloom_init(100000,  0.0000001);
+#endif
 
     if (method != NULL) {
         for (i = 0; i < STREAM_CIPHER_NUM; i++)

Diff for: src/crypto.c

@@ -84,7 +84,7 @@ typedef struct {
 } cipher_t;
 
 typedef struct {
-    uint8_t init;
+    uint32_t init;
     uint64_t counter;
     cipher_evp_t *evp;
     cipher_t *cipher;

Diff for: src/crypto.h

@@ -223,9 +223,7 @@ read_jconf(const char *file)
                         "invalid config file: option 'reuse_port' must be a boolean");
                 conf.reuse_port = value->u.boolean;
             } else if (strcmp(name, "auth") == 0) {
-                check_json_value_type(value, json_boolean,
-                        "invalid config file: option 'auth' must be a boolean");
-                conf.auth = value->u.boolean;
+                FATAL("One time auth has been deprecated. Try AEAD ciphers instead.");
             } else if (strcmp(name, "nofile") == 0) {
                 check_json_value_type(value, json_integer,
                     "invalid config file: option 'nofile' must be an integer");

Diff for: src/jconf.c

@@ -59,7 +59,6 @@ typedef struct {
     char *user;
     char *plugin;
     char *plugin_opts;
-    int auth;
     int fast_open;
     int reuse_port;
     int nofile;

Diff for: src/jconf.h

@@ -676,7 +676,7 @@ server_recv_cb(EV_P_ ev_io *w, int revents)
                     struct sockaddr_storage storage;
                     memset(&storage, 0, sizeof(struct sockaddr_storage));
 #ifndef ANDROID
-                    if (sni_detected || atyp == 3)
+                    if (atyp == 3)
                        err = get_sockaddr(host, port, &storage, 0, ipv6first);
                     else
 #endif
@@ -1211,10 +1211,10 @@ main(int argc, char **argv)
     USE_TTY();
 
 #ifdef ANDROID
-    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvV6",
+    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUvV6A",
                             long_options, NULL)) != -1) {
 #else
-    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUv6",
+    while ((c = getopt_long(argc, argv, "f:s:p:l:k:t:m:i:c:b:a:n:huUv6A",
                             long_options, NULL)) != -1) {
 #endif
         switch (c) {
@@ -1309,6 +1309,9 @@ main(int argc, char **argv)
             vpn = 1;
             break;
 #endif
+        case 'A':
+            FATAL("One time auth has been deprecated. Try AEAD ciphers instead.");
+            break;
         case '?':
             // The option character is not recognized.
             LOGE("Unrecognized option: %s", optarg);

Diff for: src/local.c

@@ -151,10 +151,6 @@ construct_command_line(struct manager_ctx *manager, struct server *server)
         int len = strlen(cmd);
         snprintf(cmd + len, BUF_SIZE - len, " -u");
     }
-    if (manager->auth) {
-        int len = strlen(cmd);
-        snprintf(cmd + len, BUF_SIZE - len, " -A");
-    }
     if (manager->fast_open) {
         int len = strlen(cmd);
         snprintf(cmd + len, BUF_SIZE - len, " --fast-open");
@@ -884,7 +880,6 @@ main(int argc, char **argv)
     char *plugin          = NULL;
     char *plugin_opts     = NULL;
 
-    int auth       = 0;
     int fast_open  = 0;
     int reuse_port = 0;
     int mode       = TCP_ONLY;
@@ -999,14 +994,14 @@ main(int argc, char **argv)
         case 'h':
             usage();
             exit(EXIT_SUCCESS);
-        case 'A':
-            auth = 1;
-            break;
 #ifdef HAVE_SETRLIMIT
         case 'n':
             nofile = atoi(optarg);
             break;
 #endif
+        case 'A':
+            FATAL("One time auth has been deprecated. Try AEAD ciphers instead.");
+            break;
         case '?':
             // The option character is not recognized.
             LOGE("Unrecognized option: %s", optarg);
@@ -1047,9 +1042,6 @@ main(int argc, char **argv)
         if (conf->nameserver != NULL) {
             nameservers[nameserver_num++] = conf->nameserver;
         }
-        if (auth == 0) {
-            auth = conf->auth;
-        }
         if (mode == TCP_ONLY) {
             mode = conf->mode;
         }
@@ -1107,10 +1099,6 @@ main(int argc, char **argv)
 #endif
     }
 
-    if (auth) {
-        LOGI("onetime authentication enabled");
-    }
-
     // ignore SIGPIPE
     signal(SIGPIPE, SIG_IGN);
     signal(SIGCHLD, SIG_IGN);
@@ -1130,7 +1118,6 @@ main(int argc, char **argv)
     manager.fast_open       = fast_open;
     manager.verbose         = verbose;
     manager.mode            = mode;
-    manager.auth            = auth;
     manager.password        = password;
     manager.timeout         = timeout;
     manager.method          = method;

Diff for: src/manager.c

@@ -38,7 +38,6 @@ struct manager_ctx {
     int reuse_port;
     int verbose;
     int mode;
-    int auth;
     char *password;
     char *key;
     char *timeout;