v1.14.0 release

1. Avoid GFW passive detection by using printable ASCII
   characters in initial vector.

Makefile

@@ -32,7 +32,7 @@ PROJECT_NAME=$(shell basename "${ROOT}")
 # - pkg/version/current.go
 #
 # Use `tools/bump_version.sh` script to change all those files at one shot.
-VERSION="1.13.0"
+VERSION="1.14.0"
 
 # Build binaries and installation packages.
 .PHONY: build

build/package/mieru/amd64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mieru
-Version: 1.13.0
+Version: 1.14.0
 Section: net
 Priority: optional
 Architecture: amd64

build/package/mieru/amd64/rpm/mieru.spec

@@ -1,5 +1,5 @@
 Name: mieru
-Version: 1.13.0
+Version: 1.14.0
 Release: 1%{?dist}
 Summary: Mieru proxy client
 License: GPLv3+

build/package/mieru/arm64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mieru
-Version: 1.13.0
+Version: 1.14.0
 Section: net
 Priority: optional
 Architecture: arm64

build/package/mieru/arm64/rpm/mieru.spec

@@ -1,5 +1,5 @@
 Name: mieru
-Version: 1.13.0
+Version: 1.14.0
 Release: 1%{?dist}
 Summary: Mieru proxy client
 License: GPLv3+

build/package/mita/amd64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mita
-Version: 1.13.0
+Version: 1.14.0
 Section: net
 Priority: optional
 Architecture: amd64

build/package/mita/amd64/rpm/mita.spec

@@ -1,5 +1,5 @@
 Name: mita
-Version: 1.13.0
+Version: 1.14.0
 Release: 1%{?dist}
 Summary: Mieru proxy server
 License: GPLv3+

build/package/mita/arm64/debian/DEBIAN/control

@@ -1,5 +1,5 @@
 Package: mita
-Version: 1.13.0
+Version: 1.14.0
 Section: net
 Priority: optional
 Architecture: arm64

build/package/mita/arm64/rpm/mita.spec

@@ -1,5 +1,5 @@
 Name: mita
-Version: 1.13.0
+Version: 1.14.0
 Release: 1%{?dist}
 Summary: Mieru proxy server
 License: GPLv3+

docs/server-install.md

@@ -10,16 +10,16 @@ Before installation and configuration, connect to the server via SSH and then ex
 
 ```sh
 # Debian / Ubuntu - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita_1.13.0_amd64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita_1.14.0_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita_1.13.0_arm64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita_1.14.0_arm64.deb
 
 # Fedora / CentOS / Red Hat Enterprise Linux - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita-1.13.0-1.x86_64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita-1.14.0-1.x86_64.rpm
 
 # Fedora / CentOS / Red Hat Enterprise Linux - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita-1.13.0-1.aarch64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita-1.14.0-1.aarch64.rpm
 ```
 
 If the above link is blocked, please use your browser to download and install from the GitHub Releases page.
@@ -28,16 +28,16 @@ If the above link is blocked, please use your browser to download and install fr
 
 ```sh
 # Debian / Ubuntu - X86_64
-sudo dpkg -i mita_1.13.0_amd64.deb
+sudo dpkg -i mita_1.14.0_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-sudo dpkg -i mita_1.13.0_arm64.deb
+sudo dpkg -i mita_1.14.0_arm64.deb
 
 # Fedora / CentOS / Red Hat Enterprise Linux - X86_64
-sudo rpm -Uvh --force mita-1.13.0-1.x86_64.rpm
+sudo rpm -Uvh --force mita-1.14.0-1.x86_64.rpm
 
 # Fedora / CentOS / Red Hat Enterprise Linux - ARM 64
-sudo rpm -Uvh --force mita-1.13.0-1.aarch64.rpm
+sudo rpm -Uvh --force mita-1.14.0-1.aarch64.rpm
 ```
 
 ## Grant permissions

docs/server-install.zh_CN.md

@@ -10,16 +10,16 @@
 
 ```sh
 # Debian / Ubuntu - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita_1.13.0_amd64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita_1.14.0_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita_1.13.0_arm64.deb
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita_1.14.0_arm64.deb
 
 # Fedora / CentOS / Red Hat Enterprise Linux - X86_64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita-1.13.0-1.x86_64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita-1.14.0-1.x86_64.rpm
 
 # Fedora / CentOS / Red Hat Enterprise Linux - ARM 64
-curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita-1.13.0-1.aarch64.rpm
+curl -LSO https://github.com/enfein/mieru/releases/download/v1.14.0/mita-1.14.0-1.aarch64.rpm
 ```
 
 如果上述链接被墙，请翻墙后使用浏览器从 GitHub Releases 页面下载安装。
@@ -28,16 +28,16 @@ curl -LSO https://github.com/enfein/mieru/releases/download/v1.13.0/mita-1.13.0-
 
 ```sh
 # Debian / Ubuntu - X86_64
-sudo dpkg -i mita_1.13.0_amd64.deb
+sudo dpkg -i mita_1.14.0_amd64.deb
 
 # Debian / Ubuntu - ARM 64
-sudo dpkg -i mita_1.13.0_arm64.deb
+sudo dpkg -i mita_1.14.0_arm64.deb
 
 # Fedora / CentOS / Red Hat Enterprise Linux - X86_64
-sudo rpm -Uvh --force mita-1.13.0-1.x86_64.rpm
+sudo rpm -Uvh --force mita-1.14.0-1.x86_64.rpm
 
 # Fedora / CentOS / Red Hat Enterprise Linux - ARM 64
-sudo rpm -Uvh --force mita-1.13.0-1.aarch64.rpm
+sudo rpm -Uvh --force mita-1.14.0-1.aarch64.rpm
 ```
 
 ## 赋予当前用户操作 mita 的权限，需要重启服务器使此设置生效

pkg/cipher/cipher.go

@@ -20,11 +20,20 @@ import (
 	"crypto/cipher"
 	crand "crypto/rand"
 	"fmt"
+	"math/big"
 	"sync"
 )
 
+const (
+	noncePrintablePrefixLen = 8
+	printableCharSub        = 0x20 // 0x20, e.g. ' ', is the first printable ASCII character
+	printableCharSup        = 0x7E // 0x7E, e.g. '~', is the last printable ASCII character
+)
+
 var (
 	_ BlockCipher = &AESGCMBlockCipher{}
+
+	printableCharRange = big.NewInt(printableCharSup - printableCharSub + 1)
 )
 
 // AESGCMBlockCipher implements BlockCipher interface with AES-GCM algorithm.
@@ -187,6 +196,21 @@ func (c *AESGCMBlockCipher) newNonce() ([]byte, error) {
 	if _, err := crand.Read(nonce); err != nil {
 		return nil, err
 	}
+
+	// Adjust the nonce such that the first a few bytes are printable ASCII characters.
+	rewriteLen := noncePrintablePrefixLen
+	if rewriteLen > c.NonceSize() {
+		rewriteLen = c.NonceSize()
+	}
+	for i := 0; i < rewriteLen; i++ {
+		if nonce[i] < printableCharSub || nonce[i] > printableCharSup {
+			randBigInt, err := crand.Int(crand.Reader, printableCharRange)
+			if err != nil {
+				return nil, err
+			}
+			nonce[i] = byte(randBigInt.Int64() + printableCharSub)
+		}
+	}
 	return nonce, nil
 }
 

pkg/cipher/cipher_test.go

@@ -201,6 +201,31 @@ func TestAESGCMBlockCipherIncreaseNonce(t *testing.T) {
 	}
 }
 
+func TestAESGCMBlockCipherNewNonce(t *testing.T) {
+	key := make([]byte, 32)
+	if _, err := crand.Read(key); err != nil {
+		t.Fatalf("fail to generate key: %v", err)
+	}
+	c, err := newAESGCMBlockCipher(key)
+	if err != nil {
+		t.Fatalf("newAESGCMBlockCipher() failed: %v", err)
+	}
+	for i := 0; i < 1000; i++ {
+		nonce, err := c.newNonce()
+		if err != nil {
+			t.Fatalf("newNonce() failed: %v", err)
+		}
+		for j, b := range nonce {
+			if j >= noncePrintablePrefixLen {
+				break
+			}
+			if b < printableCharSub || b > printableCharSup {
+				t.Fatalf("Byte %v in position %d is not a printable ASCII character", b, j)
+			}
+		}
+	}
+}
+
 func TestAESGCMBlockCipherValidateKeySize(t *testing.T) {
 	testdata := []struct {
 		key []byte

pkg/version/current.go

@@ -16,5 +16,5 @@
 package version
 
 const (
-	AppVersion = "1.13.0"
+	AppVersion = "1.14.0"
 )