VMess inbound: Optimize replay filter (#5562)

And https://github.com/XTLS/Xray-core/pull/5562#issuecomment-3765387903

proxy/shadowsocks/config.go

@@ -5,11 +5,11 @@ import (
 	"crypto/cipher"
 	"crypto/md5"
 	"crypto/sha1"
-	"google.golang.org/protobuf/proto"
 	"io"
 
+	"google.golang.org/protobuf/proto"
+
 	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/antireplay"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/crypto"
 	"github.com/xtls/xray-core/common/errors"
@@ -24,8 +24,6 @@ type MemoryAccount struct {
 	CipherType CipherType
 	Key        []byte
 	Password   string
-
-	replayFilter antireplay.GeneralizedReplayFilter
 }
 
 var ErrIVNotUnique = errors.New("IV is not unique")
@@ -42,20 +40,9 @@ func (a *MemoryAccount) ToProto() proto.Message {
 	return &Account{
 		CipherType: a.CipherType,
 		Password:   a.Password,
-		IvCheck:    a.replayFilter != nil,
 	}
 }
 
-func (a *MemoryAccount) CheckIV(iv []byte) error {
-	if a.replayFilter == nil {
-		return nil
-	}
-	if a.replayFilter.Check(iv) {
-		return nil
-	}
-	return ErrIVNotUnique
-}
-
 func createAesGcm(key []byte) cipher.AEAD {
 	return crypto.NewAesGcm(key)
 }
@@ -116,12 +103,6 @@ func (a *Account) AsAccount() (protocol.Account, error) {
 		CipherType: a.CipherType,
 		Key:        passwordToCipherKey([]byte(a.Password), Cipher.KeySize()),
 		Password:   a.Password,
-		replayFilter: func() antireplay.GeneralizedReplayFilter {
-			if a.IvCheck {
-				return antireplay.NewBloomRing()
-			}
-			return nil
-		}(),
 	}, nil
 }
 

proxy/shadowsocks/protocol.go

@@ -139,9 +139,6 @@ func WriteTCPRequest(request *protocol.RequestHeader, writer io.Writer) (buf.Wri
 	if account.Cipher.IVSize() > 0 {
 		iv = make([]byte, account.Cipher.IVSize())
 		common.Must2(rand.Read(iv))
-		if ivError := account.CheckIV(iv); ivError != nil {
-			return nil, errors.New("failed to mark outgoing iv").Base(ivError)
-		}
 		if err := buf.WriteAllBytes(writer, iv, nil); err != nil {
 			return nil, errors.New("failed to write IV")
 		}
@@ -188,10 +185,6 @@ func ReadTCPResponse(user *protocol.MemoryUser, reader io.Reader) (buf.Reader, e
 		}
 	}
 
-	if ivError := account.CheckIV(iv); ivError != nil {
-		return nil, drain.WithError(drainer, reader, errors.New("failed iv check").Base(ivError))
-	}
-
 	return account.Cipher.NewDecryptionReader(account.Key, iv, reader)
 }
 
@@ -203,9 +196,6 @@ func WriteTCPResponse(request *protocol.RequestHeader, writer io.Writer) (buf.Wr
 	if account.Cipher.IVSize() > 0 {
 		iv = make([]byte, account.Cipher.IVSize())
 		common.Must2(rand.Read(iv))
-		if ivError := account.CheckIV(iv); ivError != nil {
-			return nil, errors.New("failed to mark outgoing iv").Base(ivError)
-		}
 		if err := buf.WriteAllBytes(writer, iv, nil); err != nil {
 			return nil, errors.New("failed to write IV.").Base(err)
 		}

proxy/shadowsocks/validator.go

@@ -140,7 +140,6 @@ func (v *Validator) Get(bs []byte, command protocol.RequestCommand) (u *protocol
 
 			if matchErr == nil {
 				u = user
-				err = account.CheckIV(iv)
 				return
 			}
 		} else {

proxy/vmess/aead/authid.go

@@ -68,12 +68,12 @@ func (aidd *AuthIDDecoder) Decode(data [16]byte) (int64, uint32, int32, []byte)
 }
 
 func NewAuthIDDecoderHolder() *AuthIDDecoderHolder {
-	return &AuthIDDecoderHolder{make(map[string]*AuthIDDecoderItem), antireplay.NewReplayFilter(120)}
+	return &AuthIDDecoderHolder{make(map[string]*AuthIDDecoderItem), antireplay.NewMapFilter[[16]byte](120)}
 }
 
 type AuthIDDecoderHolder struct {
 	decoders map[string]*AuthIDDecoderItem
-	filter   *antireplay.ReplayFilter
+	filter   *antireplay.ReplayFilter[[16]byte]
 }
 
 type AuthIDDecoderItem struct {
@@ -111,7 +111,7 @@ func (a *AuthIDDecoderHolder) Match(authID [16]byte) (interface{}, error) {
 			return nil, ErrInvalidTime
 		}
 
-		if !a.filter.Check(authID[:]) {
+		if !a.filter.Check(authID) {
 			return nil, ErrReplay
 		}