replay attack policy "reject" for AEAD-2022 ciphers

- add "default" policy, which is "reject" for AEAD-2022 and "ignore" for
  AEAD, Stream ciphers

Author: zonyitoo

crates/shadowsocks/src/config.rs

@@ -817,6 +817,12 @@ impl From<PathBuf> for ManagerAddr {
 /// Policy for handling replay attack requests
 #[derive(Debug, Clone, Copy, Eq, PartialEq)]
 pub enum ReplayAttackPolicy {
+    /// Default strategy based on protocol
+    ///
+    /// SIP022 (AEAD-2022): Reject
+    /// SIP004 (AEAD): Ignore
+    /// Stream: Ignore
+    Default,
     /// Ignore it completely
     Ignore,
     /// Try to detect replay attack and warn about it
@@ -827,13 +833,14 @@ pub enum ReplayAttackPolicy {
 
 impl Default for ReplayAttackPolicy {
     fn default() -> ReplayAttackPolicy {
-        ReplayAttackPolicy::Ignore
+        ReplayAttackPolicy::Default
     }
 }
 
 impl Display for ReplayAttackPolicy {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         match *self {
+            ReplayAttackPolicy::Default => f.write_str("default"),
             ReplayAttackPolicy::Ignore => f.write_str("ignore"),
             ReplayAttackPolicy::Detect => f.write_str("detect"),
             ReplayAttackPolicy::Reject => f.write_str("reject"),
@@ -856,6 +863,7 @@ impl FromStr for ReplayAttackPolicy {
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
         match s {
+            "default" => Ok(ReplayAttackPolicy::Default),
             "ignore" => Ok(ReplayAttackPolicy::Ignore),
             "detect" => Ok(ReplayAttackPolicy::Detect),
             "reject" => Ok(ReplayAttackPolicy::Reject),

crates/shadowsocks/src/context.rs

@@ -35,7 +35,7 @@ impl Context {
     pub fn new(config_type: ServerType) -> Context {
         Context {
             replay_protector: ReplayProtector::new(config_type),
-            replay_policy: ReplayAttackPolicy::Reject,
+            replay_policy: ReplayAttackPolicy::Default,
             dns_resolver: Arc::new(DnsResolver::system_resolver()),
             ipv6_first: false,
         }
@@ -101,6 +101,20 @@ impl Context {
         }
 
         match self.replay_policy {
+            ReplayAttackPolicy::Default => {
+                #[cfg(feature = "aead-cipher-2022")]
+                if method.is_aead_2022() {
+                    return if self.replay_protector.check_nonce_and_set(method, nonce) {
+                        let err = io::Error::new(io::ErrorKind::Other, "detected repeated nonce (iv/salt)");
+                        Err(err)
+                    } else {
+                        Ok(())
+                    };
+                }
+
+                // AEAD, Stream should ignore by default
+                Ok(())
+            }
             ReplayAttackPolicy::Ignore => Ok(()),
             ReplayAttackPolicy::Detect => {
                 if self.replay_protector.check_nonce_and_set(method, nonce) {