Bug#1009818: V2Ray 4.34.0-5 (Debian Unstable ver.) Crashes when VMess Protocol is Used because an unsynchronized update of Golang and V2Ray - HMAC constructor fix not applied on Debian

[Shelikhoo]

Package: v2ray
Version: 4.34.0-5

This bug is submitted by upstream developers on behalf of end-users for
a Debian specific bug.  We are ready to cooperate with the Debian side
to resolve this bug.

V2Ray 4.34.0-5 (Debian Unstable ver.) crashes when VMess protocol is
used because an unsynchronized update of Golang and V2Ray as HMAC
constructor fix is not applied on Debian version of V2Ray.

The version of the source code currently included in Debian will not
work if compiled with Golang 1.15+(or possibly 1.16+). We have already
fixed this issue more than 1 year
ago(https://github.com/v2fly/v2ray-core/commit/0024c6e028768d8516bdee11be9834b2617ff00c)
however this changeset is not included in Debian. We recommend this
commit be backported to the Debian version of V2Ray(I will exercise
self-control to refrain from asking you to keep the package up to date.).

The original issue on the upstream issue tracker:
https://github.com/v2fly/v2ray-core/issues/1730 [Chinese, some comments
are in English] Translated below:

Issue Title:
Debian/Unstable 's v2ray package panic: crypto/hmac

Which version of V2Ray are you using:
4.34.0-5 (Debian/Unstable)

What are you using it for:
Server

What is the anomaly observed by you:
Run v2ray will report the error "panic: crypto/hmac: hash generation
function does not produce unique values"

What is the expected behaviour:
V2Ray operates normally

Please submit your configuration file:
server:
================================
{
  "inbounds": [
    {
      "port": 3334,
      "protocol": "vmess",
      "settings":{
        "clients":[
          {
          "id": "3e3343e2-13d8-44c3-887f-46675e7bf313"
          }
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}
===============================
Please attach error message:
command: v2ray --test --config /etc/v2ray/config.json
message:
===============================
V2Ray 4.34.0 (user) 20220118-150717 (go1.17.6 linux/amd64)
A unified platform for anti-censorship.
panic: crypto/hmac: hash generation function does not produce unique values

goroutine 1 [running]:
crypto/hmac.New(0xc00015b5f0, {0xc000038a80, 0x16, 0x18})
    crypto/hmac/hmac.go:143 +0x292
v2ray.com/core/proxy/vmess/aead.KDF({0xc000171c20, 0x10, 0x10},
{0xc00015b640, 0x1, 0x10})
    v2ray.com/core/proxy/vmess/aead/kdf.go:13 +0x127
v2ray.com/core/proxy/vmess/aead.KDF16(...)
    v2ray.com/core/proxy/vmess/aead/kdf.go:22
v2ray.com/core/proxy/vmess/aead.NewCipherFromKey({0xc000171c20,
0x618573, 0xc0000d4180})
    v2ray.com/core/proxy/vmess/aead/authid.go:41 +0x4a
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoder(...)
    v2ray.com/core/proxy/vmess/aead/authid.go:53
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoderItem(...)
    v2ray.com/core/proxy/vmess/aead/authid.go:84
v2ray.com/core/proxy/vmess/aead.(*AuthIDDecoderHolder).AddUser(0xc00016e6a0,
{0x92, 0x5, 0x5d, 0x4b, 0x26, 0xcf, 0xe5, 0xf3, 0xed, ...}, ...)
    v2ray.com/core/proxy/vmess/aead/authid.go:90 +0x50
v2ray.com/core/proxy/vmess.(*TimedUserValidator).Add(0xc000172e70,
0xc000165980)
    v2ray.com/core/proxy/vmess/validator.go:152 +0x365
v2ray.com/core/proxy/vmess/inbound.(*Handler).AddUser(0xc000174300,
{0xb03000, 0x0}, 0x2)
    v2ray.com/core/proxy/vmess/inbound/inbound.go:166 +0x52
v2ray.com/core/proxy/vmess/inbound.New({0xd654c0, 0xc0001655f0},
0xc00007f5e0)
    v2ray.com/core/proxy/vmess/inbound/inbound.go:133 +0x3b0
v2ray.com/core/proxy/vmess/inbound.init.2.func1({0xd654c0,
0xc0001655f0}, {0xc1a500, 0xc00007f5e0})
    v2ray.com/core/proxy/vmess/inbound/inbound.go:355 +0x3c
v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc1a500,
0xc00007f5e0})
    v2ray.com/core/common/type.go:32 +0x1a5
v2ray.com/core/app/proxyman/inbound.NewAlwaysOnInboundHandler({0xd654c0,
0xc0001655f0}, {0x0, 0x624e0}, 0xc000172e00, {0xc1a500, 0xc00007f5e0})
    v2ray.com/core/app/proxyman/inbound/always.go:52 +0x71
v2ray.com/core/app/proxyman/inbound.NewHandler({0xd654c0, 0xc0001655f0},
0xc0001740c0)
    v2ray.com/core/app/proxyman/inbound/inbound.go:162 +0x2c5
v2ray.com/core/app/proxyman/inbound.init.0.func2({0xd654c0,
0xc0001655f0}, {0xc0cbc0, 0xc0001740c0})
    v2ray.com/core/app/proxyman/inbound/inbound.go:176 +0x3c
v2ray.com/core/common.CreateObject({0xd654c0, 0xc0001655f0}, {0xc0cbc0,
0xc0001740c0})
    v2ray.com/core/common/type.go:32 +0x1a5
v2ray.com/core.CreateObject(0x6, {0xc0cbc0, 0xc0001740c0})
    v2ray.com/core/functions.go:21 +0x78
v2ray.com/core.AddInboundHandler(0xc00007f0e0, 0x4)
    v2ray.com/core/v2ray.go:101 +0x65
v2ray.com/core.addInboundHandlers(0xc00007f0e0, {0xc000010fd0, 0x1,
0xc00007f0e0})
    v2ray.com/core/v2ray.go:117 +0x56
v2ray.com/core.initInstanceWithConfig(0xc000166fc0, 0xc00007f0e0)
    v2ray.com/core/v2ray.go:229 +0x42b
v2ray.com/core.New(0xc4ce5c)
    v2ray.com/core/v2ray.go:164 +0x77
main.startV2Ray()
    v2ray.com/core/main/main.go:115 +0x230
main.main()
    v2ray.com/core/main/main.go:139 +0x9f
===================================

Please attach the journal log if running it as a service:
===================================
Apr 17 09:46:54 iruru systemd[1]: Started V2Ray Service.
Apr 17 09:46:54 iruru v2ray[2678]: V2Ray 4.34.0 (user) 20220118-150717
(go1.17.6 linux/amd64)
Apr 17 09:46:54 iruru v2ray[2678]: A unified platform for anti-censorship.
Apr 17 09:46:54 iruru v2ray[2678]: panic: crypto/hmac: hash generation
function does not produce unique values
Apr 17 09:46:54 iruru v2ray[2678]: goroutine 1 [running]:
Apr 17 09:46:54 iruru v2ray[2678]: crypto/hmac.New(0xc00015b5f0,
{0xc00003ca38, 0x16, 0x18})
Apr 17 09:46:54 iruru v2ray[2678]:         crypto/hmac/hmac.go:143 +0x292
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead.KDF({0xc000171bb0, 0x10, 0x10},
{0xc00015b640, 0x1, 0x10})
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead/kdf.go:13 +0x127
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead.KDF16(...)
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/proxy/vmess/aead/kdf.go:22
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead.NewCipherFromKey({0xc000171bb0,
0x618573, 0xc0000d2180})
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead/authid.go:41 +0x4a
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoder(...)
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead/authid.go:53
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead.NewAuthIDDecoderItem(...)
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead/authid.go:84
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead.(*AuthIDDecoderHolder).AddUser(0xc00016e6a0,
{0x92, 0x5, 0x5d, 0x4b>
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/aead/authid.go:90 +0x50
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess.(*TimedUserValidator).Add(0xc000172d20,
0xc0001659e0)
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/validator.go:152 +0x365
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/inbound.(*Handler).AddUser(0xc000176280,
{0xb03000, 0x0}, 0x2)
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/inbound/inbound.go:166 +0x52
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/inbound.New({0xd654c0, 0xc000165650},
0xc00007f5e0)
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/inbound/inbound.go:133 +0x3b0
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/inbound.init.2.func1({0xd654c0,
0xc000165650}, {0xc1a500, 0xc00007f5e0})
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/proxy/vmess/inbound/inbound.go:355 +0x3c
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/common.CreateObject({0xd654c0, 0xc000165650}, {0xc1a500,
0xc00007f5e0})
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/common/type.go:32 +0x1a5
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/app/proxyman/inbound.NewAlwaysOnInboundHandler({0xd654c0,
0xc000165650}, {0x0, 0x624>
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/app/proxyman/inbound/always.go:52 +0x71
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/app/proxyman/inbound.NewHandler({0xd654c0, 0xc000165650},
0xc000176040)
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/app/proxyman/inbound/inbound.go:162 +0x2c5
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/app/proxyman/inbound.init.0.func2({0xd654c0,
0xc000165650}, {0xc0cbc0, 0xc000176040})
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/app/proxyman/inbound/inbound.go:176 +0x3c
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core/common.CreateObject({0xd654c0, 0xc000165650}, {0xc0cbc0,
0xc000176040})
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/common/type.go:32 +0x1a5
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core.CreateObject(0x6,
{0xc0cbc0, 0xc000176040})
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/functions.go:21 +0x78
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core.AddInboundHandler(0xc00007f0e0, 0x4)
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:101 +0x65
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core.addInboundHandlers(0xc00007f0e0, {0xc000010fd0, 0x1,
0xc00007f0e0})
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:117 +0x56
Apr 17 09:46:54 iruru v2ray[2678]:
v2ray.com/core.initInstanceWithConfig(0xc000166fc0, 0xc00007f0e0)
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:229 +0x42b
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core.New(0xc4ce5c)
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/v2ray.go:164 +0x77
Apr 17 09:46:54 iruru v2ray[2678]: main.startV2Ray()
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/main/main.go:115 +0x230
Apr 17 09:46:54 iruru v2ray[2678]: main.main()
Apr 17 09:46:54 iruru v2ray[2678]: v2ray.com/core/main/main.go:139 +0x9f
Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Main process exited,
code=exited, status=2/INVALIDARGUMENT
Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Failed with result
'exit-code'.
Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Scheduled restart job,
restart counter is at 5.
Apr 17 09:46:54 iruru systemd[1]: Stopped V2Ray Service.
Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Start request repeated
too quickly.
Apr 17 09:46:54 iruru systemd[1]: v2ray.service: Failed with result
'exit-code'.
Apr 17 09:46:54 iruru systemd[1]: Failed to start V2Ray Service.
===========================


See also: https://github.com/v2fly/v2ray-core/issues/744

See also; https://github.com/v2fly/v2ray-core/pull/686 (Some changes
from this pull request are reverted.)

[Antoine Beaupré]

Control: tags -1 +patch
Control: found -1 4.34.0-1
Control: severity -1 grave

On 2022-04-18 17:40:13, Shelikhoo wrote:
> This bug is submitted by upstream developers on behalf of end-users for
> a Debian specific bug.  We are ready to cooperate with the Debian side
> to resolve this bug.
>
> V2Ray 4.34.0-5 (Debian Unstable ver.) crashes when VMess protocol is
> used because an unsynchronized update of Golang and V2Ray as HMAC
> constructor fix is not applied on Debian version of V2Ray.
>
> The version of the source code currently included in Debian will not
> work if compiled with Golang 1.15+(or possibly 1.16+). We have already
> fixed this issue more than 1 year
> ago(https://github.com/v2fly/v2ray-core/commit/0024c6e028768d8516bdee11be9834b2617ff00c)
> however this changeset is not included in Debian. We recommend this
> commit be backported to the Debian version of V2Ray(I will exercise
> self-control to refrain from asking you to keep the package up to date.).

No need for self control! The package should be kept up to date, and
feel free to file a bug to report this problem. :)

I think this probably also applies to stable (because it doesn't have a
different set of patches than unstable), so I marked it as affecting
that as well.

Finally, this seems to be more serious than "normal", as it completely
crashes the program ("makes the package in question unusable or mostly
so"), so I bumped the severity as well.

I think the way forward here is to update to latest upstream in
unstable. I don't see why that should be kept out. For stable, that
would need a stable update and it's a little more involved,
specifically:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

or:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#upload-stable

a.

--
The idea that Bill Gates has appeared like a knight in shining armour to
lead all customers out of a mire of technological chaos neatly ignores
the fact that it was he who, by peddling second-rate technology, led
them into it in the first place. - Douglas Adams (1952-2001)

[Shelikhoo]

The reason this package is often out of update is that whenever a new
dependency is introduced, that dependency will need to be packaged.


We, the developer, could develop with the dependency availability in
mind. Or create make dependencies and associated functions optional. If
that is necessary for other functional updates to be delivered in a
timely manner.