fix ss udp OTA

README.md

@@ -12,7 +12,7 @@ gost - GO Simple Tunnel
 * 支持标准HTTP/HTTPS/SOCKS5代理协议
 * SOCKS5代理支持TLS协商加密
 * Tunnel UDP over TCP
-* 支持Shadowsocks协议 (OTA: 2.2+)
+* 支持Shadowsocks协议 (OTA: 2.2+，UDP: 2.4+)
 * 支持本地/远程端口转发 (2.1+)
 * 支持HTTP 2.0 (2.2+)
 * 实验性支持QUIC (2.3+)
@@ -50,7 +50,9 @@ protocol: 代理协议类型(http, socks5, shadowsocks), transport: 数据传输
 
 > tls - HTTPS/SOCKS5代理，使用tls传输数据: tls://:443
 
-> ss - Shadowsocks代理，ss://aes-256-cfb:123456@:8338
+> ss - Shadowsocks代理，ss://chacha20:123456@:8338
+
+> ssu - Shadowsocks UDP relay，ssu://chacha20:123456@:8338
 
 > quic - QUIC代理，quic://:6121
 
@@ -291,7 +293,7 @@ gost -L=:8080 -F=socks://server_ip:1080
 
 如果两端都是gost(如上)则数据传输会被加密(协商使用tls或tls-auth方法)，否则使用标准SOCKS5进行通讯(no-auth或user/pass方法)。
 
-**注：** 如果transport已经支持加密(wss, tls, http2)，则SOCKS5不会再使用加密方法，防止不必要的双重加密。
+**注：** 如果transport已经支持加密(wss, tls, http2, kcp)，则SOCKS5不会再使用加密方法，防止不必要的双重加密。
 
 #### Shadowsocks
 gost对shadowsocks的支持是基于[shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go)库。
@@ -305,6 +307,15 @@ gost -L=ss://aes-128-cfb:123456@:8338?ota=1
 gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338?ota=1
 ```
 
+##### Shadowsocks UDP relay
+
+目前仅服务端支持UDP，且仅支持OTA模式。
+
+服务端:
+```bash
+gost -L=ssu://aes-128-cfb:123456@:8338
+```
+
 #### TLS
 gost内置了TLS证书，如果需要使用其他TLS证书，有两种方法：
 * 在gost运行目录放置cert.pem(公钥)和key.pem(私钥)两个文件即可，gost会自动加载运行目录下的cert.pem和key.pem文件。

README_en.md

@@ -10,7 +10,7 @@ Features
 * Standard HTTP/HTTPS/SOCKS5 proxy protocols support
 * TLS encryption via negotiation support for SOCKS5 proxy
 * Tunnel UDP over TCP
-* Shadowsocks protocol support (OTA: 2.2+)
+* Shadowsocks protocol support (OTA: 2.2+, UDP: 2.4+)
 * Local/remote port forwarding (2.1+)
 * HTTP 2.0 support (2.2+)
 * Experimental QUIC support (2.3+)
@@ -50,7 +50,9 @@ transport: data transmission mode (ws, wss, tls, http2, quic, kcp), may be used
 
 > tls - HTTPS/SOCKS5 over tls: tls://:443
 
-> ss - standard shadowsocks proxy, ss://aes-256-cfb:123456@:8338
+> ss - standard shadowsocks proxy, ss://chacha20:123456@:8338
+
+> ssu - shadowsocks UDP relay，ssu://chacha20:123456@:8338
 
 > quic - standard QUIC proxy, quic://:6121
 
@@ -295,7 +297,7 @@ gost -L=:8080 -F=socks://server_ip:1080
 If both ends are gosts (as example above), the data transfer will be encrypted (using tls or tls-auth). 
 Otherwise, use standard SOCKS5 for communication (no-auth or user/pass).
 
-**NOTE:** If transport already supports encryption (wss, tls, http2), SOCKS5 will no longer use the encryption method to prevent unnecessary double encryption.
+**NOTE:** If transport already supports encryption (wss, tls, http2, kcp), SOCKS5 will no longer use the encryption method to prevent unnecessary double encryption.
 
 #### Shadowsocks
 Support for shadowsocks is based on library [shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go).
@@ -309,6 +311,14 @@ Client (The OTA mode can be enabled by the ota parameter):
 gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338?ota=1
 ```
 
+##### Shadowsocks UDP relay
+Currently, only the server supports UDP, and only OTA mode is supported.
+
+Server:
+```bash
+gost -L=ssu://aes-128-cfb:123456@:8338
+```
+
 #### TLS
 There is built-in TLS certificate in gost, if you need to use other TLS certificate, there are two ways:
 * Place two files cert.pem (public key) and key.pem (private key) in the current working directory, gost will automatically load them.

cmd/gost/vendor/github.com/ginuerzh/gost/ss.go

@@ -270,7 +270,7 @@ func (s *ShadowUdpServer) ListenAndServe() error {
 				continue
 			}
 
-			if b[3]&ss.OneTimeAuthMask > 0 {
+			if b[3]&ss.OneTimeAuthMask == 0 {
 				glog.V(LWARNING).Infof("[ssu] %s -> %s : client does not support OTA", addr, laddr)
 				continue
 			}

cmd/gost/vendor/vendor.json

@@ -21,10 +21,10 @@
 			"revisionTime": "2017-01-19T05:34:58Z"
 		},
 		{
-			"checksumSHA1": "2kMuCJwcxppxWtk9dX1WtWZMGB4=",
+			"checksumSHA1": "tzE0IZDLN5ft/BfJmSMpvWnSjJM=",
 			"path": "github.com/ginuerzh/gost",
-			"revision": "8861ffba01779f3a9f44b205b38d626fce71dff3",
-			"revisionTime": "2017-01-24T13:01:52Z"
+			"revision": "10487dc3def07efaa603beca7b9613db999ad37a",
+			"revisionTime": "2017-01-24T13:41:57Z"
 		},
 		{
 			"checksumSHA1": "URsJa4y/sUUw/STmbeYx9EKqaYE=",

ss.go

@@ -270,12 +270,7 @@ func (s *ShadowUdpServer) ListenAndServe() error {
 				continue
 			}
 
-			if b[3]&ss.OneTimeAuthMask > 0 {
-				glog.V(LWARNING).Infof("[ssu] %s -> %s : client does not support OTA", addr, laddr)
-				continue
-			}
-			b[3] &= ss.AddrMask
-
+			b[3] &= ss.AddrMask // remove OTA flag
 			dgram, err := gosocks5.ReadUDPDatagram(bytes.NewReader(b[:n+3]))
 			if err != nil {
 				glog.V(LWARNING).Infof("[ssu] %s -> %s : %s", addr, laddr, err)