typhoon-protocol 0.1.0

A sample implementation of TYPHOON protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375

/// Server-side flow manager implementation.
use std::collections::HashMap;
use std::future::Future;
use std::hash::Hash;
use std::net::SocketAddr;
use std::pin::Pin;
use std::sync::atomic::AtomicU32;
use std::sync::{Arc, Weak};

use log::{debug, warn};
use rand::Rng;

use crate::bytes::{ByteBuffer, ByteBufferMut, DynamicByteBuffer};
use crate::cache::DerivedValue;
use crate::capture::{record_flow_config, record_server_send};
use crate::crypto::{ObfuscationTranscript, ServerCryptoTool};
use crate::defaults::NoopProbeHandler;
use crate::flow::config::{FakeBodyMode, FakeHeaderConfig, FlowConfig};
use crate::flow::decoy::{DecoyFactory, DecoyFlowSender, DecoyProvider};
use crate::flow::error::FlowControllerError;
use crate::flow::probe::{ActiveProbeHandler, ProbeFactory, ProbeFlowSender};
use crate::settings::Settings;
use crate::tailer::{IdentityType, PacketFlags, Tailer};
use crate::utils::random::get_rng;
use crate::utils::socket::{Socket, SocketError};
use crate::utils::sync::{AsyncExecutor, Mutex, RwLock};

/// Raw received packet from the server flow manager before session-level processing.
pub(crate) struct RawReceivedPacket<T: IdentityType> {
    pub(crate) body: DynamicByteBuffer,
    pub(crate) tailer: Tailer<T>,
    pub(crate) source_addr: SocketAddr,
    pub(crate) handshake_transcript: Option<ObfuscationTranscript>,
    pub(crate) original_wire_packet: Option<DynamicByteBuffer>,
}

/// Per-(flow, identity) path-binding state: the current return source address
/// for this client on this flow, and the latest PN we have seen.
///
/// Path-rebinding gate: the stored `addr` is updated only when an authenticated
/// non-handshake packet arrives with `pn > latest_pn` on this flow.  Out-of-order
/// data packets are still accepted into session processing — they just don't
/// move the binding.  Out-of-order decoys are dropped at the usual discardable
/// exit point.  See PROTOCOL.md §Identification and rebinding.
struct PathBinding {
    addr: SocketAddr,
    latest_pn: u64,
}

/// Server-side flow manager that handles per-user packet encryption, decoy traffic, and socket I/O.
/// Per-user crypto state is in the global SharedMap (accessed via ServerCryptoTool).
/// Send and receive crypto are split into independent instances so their locks never contend.
/// Per-user source addresses and decoy providers are local to each flow manager instance.
/// When built with multiple sockets (SO_REUSEPORT on Linux), each socket is polled by its own
/// drain task in the listener; the kernel distributes incoming datagrams across all sockets.
pub struct ServerFlowManager<T: IdentityType + Clone + Eq + Hash + Send + ToString, AE: AsyncExecutor> {
    user_bindings: RwLock<HashMap<T, RwLock<PathBinding>>>,
    decoy_providers: RwLock<HashMap<T, Arc<dyn DecoyProvider>>>,
    decoy_factory: DecoyFactory<T, AE>,
    crypto_send: Mutex<ServerCryptoTool<T>>,
    crypto_recv: Mutex<ServerCryptoTool<T>>,
    fake_body_mode: FakeBodyMode,
    fake_header_mode: Mutex<FakeHeaderConfig>,
    max_overhead: usize,
    socks: Vec<Arc<Socket>>,
    mtu: usize,
    settings: Arc<Settings<AE>>,
    probe_handler: Mutex<Box<dyn ActiveProbeHandler<AE>>>,
}

impl<T: IdentityType + Clone + Eq + Hash + Send + ToString + 'static, AE: AsyncExecutor + 'static> ServerFlowManager<T, AE> {
    /// Create a new server flow manager.
    /// `crypto_send` and `crypto_recv` must be independent instances (e.g. two `create_cache()` calls
    /// on the same `SharedMap`) so their mutexes never contend between the send and receive paths.
    /// `socks` must contain at least one socket; on Linux with SO_REUSEPORT multiple sockets may be
    /// supplied so that the listener can spawn one drain task per socket.
    pub(crate) async fn new(config: FlowConfig, probe_factory: Option<&ProbeFactory<AE>>, crypto_send: ServerCryptoTool<T>, crypto_recv: ServerCryptoTool<T>, settings: Arc<Settings<AE>>, socks: Vec<Arc<Socket>>, decoy_factory: DecoyFactory<T, AE>) -> Arc<Self> {
        let max_overhead = config.max_overhead();
        let handler_factory = probe_factory.cloned();
        let settings_for_start = Arc::clone(&settings);

        let manager = Arc::new_cyclic(|_: &Weak<ServerFlowManager<T, AE>>| {
            let handler: Box<dyn ActiveProbeHandler<AE>> = match &handler_factory {
                Some(f) => f(),
                None => Box::new(NoopProbeHandler),
            };
            let mtu = settings.mtu();
            ServerFlowManager {
                user_bindings: RwLock::new(HashMap::new()),
                decoy_providers: RwLock::new(HashMap::new()),
                decoy_factory,
                crypto_send: Mutex::new(crypto_send),
                crypto_recv: Mutex::new(crypto_recv),
                fake_body_mode: config.fake_body_mode,
                fake_header_mode: Mutex::new(config.fake_header_mode),
                max_overhead,
                socks,
                mtu,
                settings,
                probe_handler: Mutex::new(handler),
            }
        });
        let weak: Weak<dyn ProbeFlowSender> = Arc::downgrade(&manager) as Weak<dyn ProbeFlowSender>;
        manager.probe_handler.lock().await.start(weak, settings_for_start).await;
        manager
    }

    /// Return the slice of sockets owned by this flow manager.
    /// The listener spawns one drain task per socket so that all sockets are polled concurrently.
    pub(crate) fn recv_socks(&self) -> &[Arc<Socket>] {
        &self.socks
    }

    /// Forward a wire packet to this flow's active probe handler.
    /// Used by the listener to route handshake-flagged packets whose deferred HMAC verification failed.
    pub(crate) async fn forward_to_probe(&self, packet: DynamicByteBuffer, source_addr: SocketAddr) {
        self.probe_handler.lock().await.process(packet, Some(source_addr)).await;
    }

    /// Insert (or replace) the path binding for a user on this flow.
    pub async fn register_user_binding(&self, id: T, addr: SocketAddr, latest_pn: u64) {
        self.user_bindings.write().await.insert(
            id,
            RwLock::new(PathBinding {
                addr,
                latest_pn,
            }),
        );
    }

    /// Register a per-user decoy provider and start its background timer.
    /// The user's crypto state must already be in the global SharedMap.
    pub async fn register_user(self: &Arc<Self>, id: T, counter: Arc<AtomicU32>) {
        let weak: Weak<Self> = Arc::downgrade(self);
        let mgr: Weak<dyn DecoyFlowSender> = weak;
        let dp = (self.decoy_factory)(mgr, self.settings.clone(), DerivedValue::constant(id.clone()), counter);
        dp.start().await;
        let decoy_name = dp.name();
        self.decoy_providers.write().await.insert(id.clone(), Arc::from(dp));
        if let Some(binding) = self.user_bindings.read().await.get(&id) {
            let addr = binding.read().await.addr;
            let header_len = self.max_overhead - self.fake_body_mode.max_len();
            record_flow_config(addr, "s2c", || (self.fake_body_mode.description(), header_len, decoy_name));
        }
    }

    /// Lazily register the per-user decoy provider on this flow if not already
    /// present.  Called from the route task when a non-handshake packet from a
    /// known session arrives on a flow that has not yet seen this user; the
    /// path binding has already been anchored by `receive_raw`'s first-packet
    /// branch by the time we get here.
    pub async fn ensure_user(self: &Arc<Self>, id: T, counter: Arc<AtomicU32>) {
        if !self.decoy_providers.read().await.contains_key(&id) {
            self.register_user(id, counter).await;
        }
    }

    /// Remove a user's decoy provider and path binding from this flow manager.
    pub async fn remove_user(&self, id: &T) {
        self.decoy_providers.write().await.remove(id);
        self.user_bindings.write().await.remove(id);
    }

    /// Receive a raw packet, deobfuscating the tailer but returning the full body + tailer view.
    /// For handshake packets, per-user verification is skipped (user not registered yet).
    /// Decoy packets are filtered. Non-handshake packets are verified per-user and fed to decoy providers.
    /// `sock` is the specific socket to read from; the caller (drain task) owns one socket per task.
    pub(crate) async fn receive_raw(&self, packet: DynamicByteBuffer, sock: &Socket) -> Result<RawReceivedPacket<T>, FlowControllerError> {
        let encrypted_tailer_len = Tailer::<T>::encrypted_len_c2s();

        loop {
            let (packet, source_addr) = sock.recv_from(packet.clone()).await.map_err(FlowControllerError::SocketError)?;

            // Undersized wire packets (shorter than the encrypted tailer) can't be valid Typhoon; forward to the probe handler and keep draining.
            if packet.len() < encrypted_tailer_len {
                warn!("server flow: undersized wire packet from {source_addr} ({} < {})", packet.len(), encrypted_tailer_len);
                self.probe_handler.lock().await.process(packet, Some(source_addr)).await;
                continue;
            }

            let (encrypted_packet, encrypted_tailer) = packet.split_buf_end(encrypted_tailer_len);

            // Deobfuscate tailer; for non-handshake packets verify immediately, for handshake packets defer the HMAC check until the listener has decapsulated the body and can recompute the initial-data encryption key.
            let (tailer, handshake_transcript) = {
                let mut crypto = self.crypto_recv.lock().await;
                let (tailer_buf, transcript) = match crypto.deobfuscate_tailer(encrypted_tailer, self.settings.pool()) {
                    Ok(result) => result,
                    Err(err) => {
                        warn!("server flow: tailer decryption failed from {source_addr}: {err}");
                        self.probe_handler.lock().await.process(encrypted_packet.expand_end(encrypted_tailer_len), Some(source_addr)).await;
                        continue;
                    }
                };
                let Some(tailer) = Tailer::<T>::validated(tailer_buf, encrypted_packet.len()) else {
                    warn!("server flow: malformed tailer from {source_addr} (size, flags or payload_length out of range)");
                    self.probe_handler.lock().await.process(encrypted_packet.expand_end(encrypted_tailer_len), Some(source_addr)).await;
                    continue;
                };
                if tailer.flags().contains(PacketFlags::HANDSHAKE) {
                    (tailer, Some(transcript))
                } else {
                    let identity = tailer.identity();
                    if let Err(err) = crypto.verify_tailer(&identity, transcript).await {
                        debug!("error verifying packet tailer: {err}");
                        self.probe_handler.lock().await.process(encrypted_packet.expand_end(encrypted_tailer_len), Some(source_addr)).await;
                        continue;
                    }
                    (tailer, None)
                }
            };

            let packet_flags = tailer.flags();
            let identity = tailer.identity();

            // For non-handshake packets, refresh the path binding for this
            // identity on this flow and feed the decoy provider if one has
            // already been instantiated locally.
            if !packet_flags.contains(PacketFlags::HANDSHAKE) {
                let pn = tailer.packet_number();
                let bindings = self.user_bindings.read().await;
                if let Some(binding_rw) = bindings.get(&identity) {
                    let latest = binding_rw.read().await.latest_pn;
                    if pn > latest {
                        let mut binding = binding_rw.write().await;
                        if pn > binding.latest_pn {
                            binding.latest_pn = pn;
                            if binding.addr != source_addr {
                                binding.addr = source_addr;
                            }
                        }
                    }
                } else {
                    drop(bindings);
                    self.user_bindings.write().await.entry(identity.clone()).or_insert_with(|| {
                        RwLock::new(PathBinding {
                            addr: source_addr,
                            latest_pn: pn,
                        })
                    });
                }

                let dp = self.decoy_providers.read().await.get(&identity).cloned();
                if let Some(dp) = dp {
                    let notified = dp.feed_input(encrypted_packet.clone(), tailer.buffer().clone()).await;
                    if notified.is_none() {
                        continue;
                    }
                }
            }

            // Decoy packets are always discarded at flow level.
            if packet_flags.is_discardable() {
                continue;
            }

            // Preserve a view over the original wire bytes so a failed deferred handshake verification can route the packet to the flow's probe handler.
            let original_wire_packet = packet_flags.contains(PacketFlags::HANDSHAKE).then(|| encrypted_packet.expand_end(encrypted_tailer_len));

            // For handshake packets, strip fake header/body using payload_length so the
            // session layer receives only the raw handshake data.
            let body = if packet_flags.contains(PacketFlags::HANDSHAKE) {
                let payload_len = tailer.payload_length() as usize;
                encrypted_packet.rebuffer_start(encrypted_packet.len().saturating_sub(payload_len))
            } else {
                encrypted_packet
            };

            debug!("server flow: received {packet_flags:?} packet from {source_addr}");
            return Ok(RawReceivedPacket {
                body,
                tailer,
                source_addr,
                handshake_transcript,
                original_wire_packet,
            });
        }
    }
}

impl<T: IdentityType + Clone + Eq + Hash + Send + ToString + 'static, AE: AsyncExecutor + 'static> ProbeFlowSender for ServerFlowManager<T, AE> {
    fn send_raw<'a>(&'a self, packet: DynamicByteBuffer, target: SocketAddr) -> Pin<Box<dyn Future<Output = Result<(), SocketError>> + Send + 'a>> {
        Box::pin(async move { self.socks[0].send_to(packet, target).await.map(|_| ()) })
    }
}

impl<T: IdentityType + Clone + Eq + Hash + Send + ToString + 'static, AE: AsyncExecutor + 'static> DecoyFlowSender for ServerFlowManager<T, AE> {
    fn send_decoy_packet<'a>(&'a self, packet: DynamicByteBuffer, fallthrough: bool, is_maintenance: bool) -> Pin<Box<dyn Future<Output = Result<(), FlowControllerError>> + Send + 'a>> {
        Box::pin(self.send_packet(packet, fallthrough, is_maintenance))
    }
}

impl<T: IdentityType + Clone + Eq + Hash + Send + ToString + 'static, AE: AsyncExecutor + 'static> ServerFlowManager<T, AE> {
    /// Send a packet through this flow.
    pub(crate) async fn send_packet(&self, packet: DynamicByteBuffer, fallthrough: bool, is_maintenance: bool) -> Result<(), FlowControllerError> {
        let tailer_len = Tailer::<T>::len();
        let (body, tailer_buf) = packet.split_buf_end(tailer_len);
        let identity = ServerCryptoTool::<T>::extract_identity(&tailer_buf);

        // Feed decoy provider for rate tracking.
        let notified_packet = {
            let dp = self.decoy_providers.read().await.get(&identity).cloned();
            if let Some(dp) = dp {
                let notified = dp.feed_output(body, tailer_buf.clone()).await;
                match notified {
                    None => return Ok(()),
                    Some(b) => b.expand_end(tailer_len),
                }
            } else {
                body.expand_end(tailer_len)
            }
        };

        let addr = {
            let bindings = self.user_bindings.read().await;
            let binding = bindings.get(&identity).ok_or_else(|| FlowControllerError::UserNotFound {
                identity: identity.to_string(),
            })?;
            binding.read().await.addr
        };

        // Fallthrough decoys: drop the plaintext tailer, skip encryption, treat the remaining body as opaque random bytes.  Non-fallthrough path is unchanged.
        let (encrypted_packet, packet_flags, data_len, tailer_overhead) = if fallthrough {
            let body_only = notified_packet.rebuffer_end(notified_packet.len() - tailer_len);
            let body_len = body_only.len();
            (body_only, PacketFlags::DECOY, body_len, 0_usize)
        } else {
            let (packet_data, packet_tailer) = notified_packet.split_buf_end(tailer_len);
            let flags = PacketFlags::from_bits_truncate(*packet_tailer.get(0));
            let data_len = packet_data.len();
            let encrypted_tailer = {
                let mut crypto = self.crypto_send.lock().await;
                crypto.obfuscate_tailer(packet_tailer, self.settings.pool()).await.map_err(FlowControllerError::TailerEncryption)?
            };
            let tailer_overhead = crate::crypto::TAILER_S2C_OVERHEAD;
            let encrypted = packet_data.expand_end(encrypted_tailer.len());
            (encrypted, flags, data_len, tailer_overhead)
        };

        // Add fake header and body (single lock scope: len + fill must be consistent).
        let (full_packet, cap_header, cap_body) = {
            let mut mode = self.fake_header_mode.lock().await;
            let fake_header_len = mode.len();
            let body_len = self.fake_body_mode.get_length(self.mtu, fake_header_len + encrypted_packet.len(), is_maintenance);
            let full_packet_len = fake_header_len + body_len;
            let full_packet = encrypted_packet.expand_start(full_packet_len);
            mode.fill(full_packet.rebuffer_end(fake_header_len));
            get_rng().fill(&mut full_packet.rebuffer_both(fake_header_len, full_packet_len));
            (full_packet, fake_header_len, body_len)
        };

        if full_packet.len() == 0 {
            return Ok(());
        }
        debug!("server flow: sending {packet_flags:?} packet to {addr}");
        self.socks[0].send_to(full_packet, addr).await.map_err(FlowControllerError::SocketError)?;
        record_server_send(addr, || {
            let kind = if fallthrough {
                "DecoyFallthrough"
            } else if is_maintenance {
                "DecoyMaintenance"
            } else if packet_flags.is_discardable() {
                "Decoy"
            } else {
                "Data"
            };
            let tailer_len = if fallthrough {
                0
            } else {
                Tailer::<T>::len()
            };
            (kind, tailer_len, tailer_overhead, cap_header, data_len, cap_body)
        });
        Ok(())
    }
}