UDP requests doesnt need replay protect

crates/shadowsocks/src/context.rs

@@ -59,7 +59,7 @@ impl Context {
     }
 
     /// Generate nonce (IV or SALT)
-    pub fn generate_nonce(&self, nonce: &mut [u8]) {
+    pub fn generate_nonce(&self, nonce: &mut [u8], unique: bool) {
         if nonce.is_empty() {
             return;
         }
@@ -68,7 +68,7 @@ impl Context {
             random_iv_or_salt(nonce);
 
             // Salt already exists, generate a new one.
-            if self.check_nonce_and_set(nonce) {
+            if unique && self.check_nonce_and_set(nonce) {
                 continue;
             }
 

crates/shadowsocks/src/relay/tcprelay/crypto_io.rs

@@ -129,13 +129,13 @@ impl<S> CryptoStream<S> {
             #[cfg(feature = "stream-cipher")]
             CipherCategory::Stream => {
                 let mut local_iv = vec![0u8; prev_len];
-                context.generate_nonce(&mut local_iv);
+                context.generate_nonce(&mut local_iv, true);
                 trace!("generated Stream cipher IV {:?}", ByteStr::new(&local_iv));
                 local_iv
             }
             CipherCategory::Aead => {
                 let mut local_salt = vec![0u8; prev_len];
-                context.generate_nonce(&mut local_salt);
+                context.generate_nonce(&mut local_salt, true);
                 trace!("generated AEAD cipher salt {:?}", ByteStr::new(&local_salt));
                 local_salt
             }

crates/shadowsocks/src/relay/udprelay/crypto_io.rs

@@ -72,7 +72,7 @@ fn encrypt_payload_stream(
     let iv = &mut dst[..iv_len];
 
     if iv_len > 0 {
-        context.generate_nonce(iv);
+        context.generate_nonce(iv, false);
         trace!("UDP packet generated stream iv {:?}", ByteStr::new(iv));
     }
 
@@ -103,7 +103,7 @@ fn encrypt_payload_aead(
     let salt = &mut dst[..salt_len];
 
     if salt_len > 0 {
-        context.generate_nonce(salt);
+        context.generate_nonce(salt, false);
         trace!("UDP packet generated aead salt {:?}", ByteStr::new(salt));
     }
 
@@ -151,7 +151,7 @@ pub async fn decrypt_payload(
 
 #[cfg(feature = "stream-cipher")]
 async fn decrypt_payload_stream(
-    context: &Context,
+    _context: &Context,
     method: CipherKind,
     key: &[u8],
     payload: &mut [u8],
@@ -165,7 +165,7 @@ async fn decrypt_payload_stream(
     }
 
     let (iv, data) = payload.split_at_mut(iv_len);
-    context.check_nonce_replay(iv)?;
+    // context.check_nonce_replay(iv)?;
 
     trace!("UDP packet got stream IV {:?}", ByteStr::new(iv));
     let mut cipher = Cipher::new(method, key, iv);
@@ -182,7 +182,7 @@ async fn decrypt_payload_stream(
 }
 
 async fn decrypt_payload_aead(
-    context: &Context,
+    _context: &Context,
     method: CipherKind,
     key: &[u8],
     payload: &mut [u8],
@@ -195,7 +195,7 @@ async fn decrypt_payload_aead(
     }
 
     let (salt, data) = payload.split_at_mut(salt_len);
-    context.check_nonce_replay(salt)?;
+    // context.check_nonce_replay(salt)?;
 
     trace!("UDP packet got AEAD salt {:?}", ByteStr::new(salt));
 

crates/shadowsocks/src/security/replay/ppbloom.rs

@@ -1,4 +1,5 @@
 use bloomfilter::Bloom;
+use log::debug;
 use spin::Mutex as SpinMutex;
 
 use crate::config::ServerType;
@@ -75,6 +76,12 @@ impl PingPongBloom {
 
             self.bloom_count[self.current] = 0;
             self.blooms[self.current].clear();
+
+            debug!(
+                "bloom filter based replay protector full, each capacity: {}, total filters: {}",
+                self.item_count,
+                self.blooms.len(),
+            );
         }
 
         // Cannot be optimized by `check_and_set`