feat: make aead-cipher an optional feature

crates/shadowsocks/Cargo.toml

@@ -15,7 +15,8 @@ rust-version = "1.74"
 maintenance = { status = "passively-maintained" }
 
 [features]
-default = ["hickory-dns", "aead-cipher"]
+# default = ["hickory-dns", "aead-cipher"]
+default = ["hickory-dns"]
 
 # Uses Hickory-DNS instead of tokio's builtin DNS resolver
 hickory-dns = ["hickory-resolver", "arc-swap", "notify"]
@@ -33,7 +34,7 @@ aead-cipher = ["shadowsocks-crypto/v1-aead"]
 
 # Enable extra AEAD ciphers
 # WARN: These non-standard AEAD ciphers are not officially supported by shadowsocks community
-aead-cipher-extra = ["shadowsocks-crypto/v1-aead-extra"]
+aead-cipher-extra = ["aead-cipher", "shadowsocks-crypto/v1-aead-extra"]
 
 # Enable AEAD 2022
 aead-cipher-2022 = [

crates/shadowsocks/src/config.rs

@@ -20,11 +20,9 @@ use log::error;
 use thiserror::Error;
 use url::{self, Url};
 
-use crate::{
-    crypto::{v1::openssl_bytes_to_key, CipherKind},
-    plugin::PluginConfig,
-    relay::socks5::Address,
-};
+#[cfg(any(feature = "stream-cipher", feature = "aead-cipher"))]
+use crate::crypto::v1::openssl_bytes_to_key;
+use crate::{crypto::CipherKind, plugin::PluginConfig, relay::socks5::Address};
 
 const USER_KEY_BASE64_ENGINE: base64::engine::GeneralPurpose = base64::engine::GeneralPurpose::new(
     &base64::alphabet::STANDARD,
@@ -427,9 +425,9 @@ pub struct ServerConfig {
     source: ServerSource,
 }
 
-#[cfg(feature = "aead-cipher-2022")]
 #[inline]
 fn make_derived_key(method: CipherKind, password: &str, enc_key: &mut [u8]) {
+    #[cfg(feature = "aead-cipher-2022")]
     if method.is_aead_2022() {
         // AEAD 2022 password is a base64 form of enc_key
         match AEAD2022_PASSWORD_BASE64_ENGINE.decode(password) {
@@ -449,15 +447,21 @@ fn make_derived_key(method: CipherKind, password: &str, enc_key: &mut [u8]) {
                 panic!("{method} password {password} is not base64 encoded, error: {err}");
             }
         }
-    } else {
-        openssl_bytes_to_key(password.as_bytes(), enc_key);
+
+        return;
     }
-}
 
-#[cfg(not(feature = "aead-cipher-2022"))]
-#[inline]
-fn make_derived_key(_method: CipherKind, password: &str, enc_key: &mut [u8]) {
-    openssl_bytes_to_key(password.as_bytes(), enc_key);
+    cfg_if! {
+        if #[cfg(any(feature = "stream-cipher", feature = "aead-cipher"))] {
+            let _ = method;
+            openssl_bytes_to_key(password.as_bytes(), enc_key);
+        } else {
+            // No default implementation.
+            let _ = password;
+            let _ = enc_key;
+            unreachable!("{method} don't know how to make a derived key");
+        }
+    }
 }
 
 /// Check if method supports Extended Identity Header

crates/shadowsocks/src/context.rs

@@ -7,7 +7,7 @@ use log::warn;
 
 use crate::{
     config::{ReplayAttackPolicy, ServerType},
-    crypto::{v1::random_iv_or_salt, CipherKind},
+    crypto::CipherKind,
     dns_resolver::DnsResolver,
     security::replay::ReplayProtector,
 };
@@ -50,6 +50,7 @@ impl Context {
     /// Check if nonce exist or not
     ///
     /// If not, set into the current bloom filter
+    #[cfg(any(feature = "stream-cipher", feature = "aead-cipher", feature = "aead-cipher-2022"))]
     #[inline(always)]
     fn check_nonce_and_set(&self, method: CipherKind, nonce: &[u8]) -> bool {
         match self.replay_policy {
@@ -64,7 +65,10 @@ impl Context {
             return;
         }
 
+        #[cfg(any(feature = "stream-cipher", feature = "aead-cipher", feature = "aead-cipher-2022"))]
         loop {
+            use crate::crypto::v1::random_iv_or_salt;
+
             random_iv_or_salt(nonce);
 
             // Salt already exists, generate a new one.
@@ -74,6 +78,12 @@ impl Context {
 
             break;
         }
+
+        #[cfg(not(any(feature = "stream-cipher", feature = "aead-cipher", feature = "aead-cipher-2022")))]
+        if !nonce.is_empty() {
+            let _ = unique;
+            panic!("{method} don't know how to generate nonce");
+        }
     }
 
     /// Check nonce replay