Add replay cache and prefixes

rod-hynes · Feb 3, 2025 · 27c5d5f · 27c5d5f
1 parent 680dccb
commit 27c5d5f
Show file tree

Hide file tree

Showing 49 changed files with 3,233 additions and 197 deletions.
diff --git a/go.mod b/go.mod
@@ -32,6 +32,7 @@ replace github.com/pion/webrtc/v3 => ./replace/webrtc
 require (
 	filippo.io/edwards25519 v1.1.0
 	github.com/Jigsaw-Code/outline-sdk v0.0.16
+	github.com/Jigsaw-Code/outline-ss-server v1.8.0
 	github.com/Psiphon-Inc/rotate-safe-writer v0.0.0-20210303140923-464a7a37606e
 	github.com/Psiphon-Labs/bolt v0.0.0-20200624191537-23cedaef7ad7
 	github.com/Psiphon-Labs/consistent v0.0.0-20240322131436-20aaa4e05737
@@ -74,7 +75,6 @@ require (
 	github.com/refraction-networking/conjure v0.7.11-0.20240130155008-c8df96195ab2
 	github.com/refraction-networking/gotapdance v1.7.10
 	github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735
-	github.com/shadowsocks/go-shadowsocks2 v0.1.5
 	github.com/shirou/gopsutil/v4 v4.24.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
@@ -83,7 +83,7 @@ require (
 	github.com/wlynxg/anet v0.0.1
 	golang.org/x/crypto v0.22.0
 	golang.org/x/net v0.24.0
-	golang.org/x/sync v0.5.0
+	golang.org/x/sync v0.6.0
 	golang.org/x/sys v0.20.0
 	golang.org/x/term v0.19.0
 	golang.org/x/time v0.5.0
@@ -138,6 +138,7 @@ require (
 	github.com/refraction-networking/obfs4 v0.1.2 // indirect
 	github.com/refraction-networking/utls v1.3.3 // indirect
 	github.com/sergeyfrolov/bsbuffer v0.0.0-20180903213811-94e85abb8507 // indirect
+	github.com/shadowsocks/go-shadowsocks2 v0.1.5 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 // indirect
@@ -151,10 +152,10 @@ require (
 	go.uber.org/mock v0.4.0 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/exp v0.0.0-20240110193028-0dcbfd608b1e // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.15.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -10,6 +10,8 @@ github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/Jigsaw-Code/outline-sdk v0.0.16 h1:WbHmv80FKDIpzEmR3GehTbq5CibYTLvcxIIpMMILiEs=
 github.com/Jigsaw-Code/outline-sdk v0.0.16/go.mod h1:e1oQZbSdLJBBuHgfeQsgEkvkuyIePPwstUeZRGq0KO8=
+github.com/Jigsaw-Code/outline-ss-server v1.8.0 h1:6h7CZsyl1vQLz3nvxmL9FbhDug4QxJ1YTxm534eye1E=
+github.com/Jigsaw-Code/outline-ss-server v1.8.0/go.mod h1:slnHH3OZsQmZx/DRKhxvvaGE/8+n3Lkd6363h1ev71E=
 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/Psiphon-Inc/rotate-safe-writer v0.0.0-20210303140923-464a7a37606e h1:NPfqIbzmijrl0VclX2t8eO5EPBhqe47LLGKpRrcVjXk=
@@ -162,6 +164,8 @@ github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI
 github.com/onsi/ginkgo/v2 v2.12.0/go.mod h1:ZNEzXISYlqpb8S36iN71ifqLi3vVD1rVJGvWRCJOUpQ=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/oschwald/geoip2-golang v1.9.0 h1:uvD3O6fXAXs+usU+UGExshpdP13GAqp4GBrzN7IgKZc=
 github.com/oschwald/geoip2-golang v1.9.0/go.mod h1:BHK6TvDyATVQhKNbQBdrj9eAvuwOMi2zSFXizL3K81Y=
 github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
@@ -307,8 +311,8 @@ golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98y
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/exp v0.0.0-20240110193028-0dcbfd608b1e h1:723BNChdd0c2Wk6WOE320qGBiPtYx0F0Bbm1kriShfE=
+golang.org/x/exp v0.0.0-20240110193028-0dcbfd608b1e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -336,8 +340,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -398,8 +402,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=
-golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

diff --git a/psiphon/common/parameters/parameters.go b/psiphon/common/parameters/parameters.go
@@ -380,6 +380,10 @@ const (
 	OSSHPrefixSplitMaxDelay                            = "OSSHPrefixSplitMaxDelay"
 	OSSHPrefixEnableFragmentor                         = "OSSHPrefixEnableFragmentor"
 	ServerOSSHPrefixSpecs                              = "ServerOSSHPrefixSpecs"
+	ShadowsocksPrefixSpecs                             = "ShadowsocksPrefixSpecs"
+	ShadowsocksPrefixScopedSpecNames                   = "ShadowsocksPrefixScopedSpecNames"
+	ShadowsocksPrefixProbability                       = "ShadowsocksPrefixProbability"
+	ReplayShadowsocksPrefix                            = "ReplayShadowsocksPrefix"
 	TLSTunnelObfuscatedPSKProbability                  = "TLSTunnelObfuscatedPSKProbability"
 	TLSTunnelTrafficShapingProbability                 = "TLSTunnelTrafficShapingProbability"
 	TLSTunnelMinTLSPadding                             = "TLSTunnelMinTLSPadding"
@@ -748,6 +752,7 @@ var defaultParameters = map[string]struct {
 	ReplayHTTPTransformerParameters:        {value: true},
 	ReplayOSSHSeedTransformerParameters:    {value: true},
 	ReplayOSSHPrefix:                       {value: true},
+	ReplayShadowsocksPrefix:                {value: true},
 	ReplayTLSFragmentClientHello:           {value: true},
 	ReplayInproxyWebRTC:                    {value: true},
 	ReplayInproxySTUN:                      {value: true},
@@ -914,6 +919,10 @@ var defaultParameters = map[string]struct {
 	OSSHPrefixEnableFragmentor: {value: false},
 	ServerOSSHPrefixSpecs:      {value: transforms.Specs{}, flags: serverSideOnly},
 
+	ShadowsocksPrefixSpecs:           {value: transforms.Specs{}},
+	ShadowsocksPrefixScopedSpecNames: {value: transforms.ScopedSpecNames{}},
+	ShadowsocksPrefixProbability:     {value: 0.0, minimum: 0.0},
+
 	// TLSTunnelMinTLSPadding/TLSTunnelMaxTLSPadding are subject to TLS server limitations.
 
 	TLSTunnelObfuscatedPSKProbability:  {value: 0.5, minimum: 0.0},
@@ -1275,6 +1284,13 @@ func (p *Parameters) Set(
 	}
 	osshPrefixSpecs, _ := osshPrefixSpecsValue.(transforms.Specs)
 
+	shadowsocksPrefixSpecsValue, err := getAppliedValue(
+		ShadowsocksPrefixSpecs, parameters, applyParameters)
+	if err != nil {
+		return nil, errors.Trace(err)
+	}
+	shadowsocksPrefixSpecs, _ := shadowsocksPrefixSpecsValue.(transforms.Specs)
+
 	// Special case: in-proxy broker public keys in InproxyBrokerSpecs must
 	// appear in InproxyAllBrokerPublicKeys; and inproxy common compartment
 	// IDs must appear in InproxyAllCommonCompartmentIDs. This check is
@@ -1503,7 +1519,7 @@ func (p *Parameters) Set(
 				}
 
 				prefixMode := false
-				if name == OSSHPrefixSpecs || name == ServerOSSHPrefixSpecs {
+				if name == OSSHPrefixSpecs || name == ServerOSSHPrefixSpecs || name == ShadowsocksPrefixSpecs {
 					prefixMode = true
 				}
 				err := v.Validate(prefixMode)
@@ -1528,6 +1544,8 @@ func (p *Parameters) Set(
 					specs = obfuscatedQuicNonceTransformSpecs
 				} else if name == OSSHPrefixScopedSpecNames {
 					specs = osshPrefixSpecs
+				} else if name == ShadowsocksPrefixScopedSpecNames {
+					specs = shadowsocksPrefixSpecs
 				}
 
 				err := v.Validate(specs)

diff --git a/psiphon/common/protocol/packed.go b/psiphon/common/protocol/packed.go
@@ -827,7 +827,11 @@ func init() {
 		{165, "inproxy_broker_is_reuse", intConverter},
 		{166, "inproxy_webrtc_use_media_streams", intConverter},
 
-		// Next key value = 167
+		// Specs: server.baseDialParams
+
+		{167, "shadowsocks_prefix", nil},
+
+		// Next key value = 168
 	}
 
 	for _, spec := range packedAPIParameterSpecs {

diff --git a/psiphon/common/protocol/serverEntry.go b/psiphon/common/protocol/serverEntry.go
@@ -86,6 +86,7 @@ type ServerEntry struct {
 	DisableObfuscatedQUICTransforms     bool     `json:"disableObfuscatedQUICTransforms,omitempty"`
 	DisableOSSHTransforms               bool     `json:"disableOSSHTransforms,omitempty"`
 	DisableOSSHPrefix                   bool     `json:"disableOSSHPrefix,omitempty"`
+	DisableShadowsocksPrefix            bool     `json:"disableShadowsocksPrefix,omitempty"`
 	InproxySessionPublicKey             string   `json:"inproxySessionPublicKey,omitempty"`
 	InproxySessionRootObfuscationSecret string   `json:"inproxySessionRootObfuscationSecret,omitempty"`
 	InproxySSHPort                      int      `json:"inproxySSHPort,omitempty"`

diff --git a/psiphon/config.go b/psiphon/config.go
@@ -977,6 +977,11 @@ type Config struct {
 	OSSHPrefixSplitMaxDelayMilliseconds *int
 	OSSHPrefixEnableFragmentor          *bool
 
+	// ShadowsocksPrefix parameters are for testing purposes only.
+	ShadowsocksPrefixSpecs           transforms.Specs
+	ShadowsocksPrefixScopedSpecNames transforms.ScopedSpecNames
+	ShadowsocksPrefixProbability     *float64
+
 	// TLSTunnelTrafficShapingProbability and associated fields are for testing.
 	TLSTunnelObfuscatedPSKProbability  *float64
 	TLSTunnelTrafficShapingProbability *float64
@@ -2497,6 +2502,18 @@ func (config *Config) makeConfigParameters() map[string]interface{} {
 		applyParameters[parameters.OSSHPrefixEnableFragmentor] = *config.OSSHPrefixEnableFragmentor
 	}
 
+	if config.ShadowsocksPrefixSpecs != nil {
+		applyParameters[parameters.ShadowsocksPrefixSpecs] = config.ShadowsocksPrefixSpecs
+	}
+
+	if config.ShadowsocksPrefixScopedSpecNames != nil {
+		applyParameters[parameters.ShadowsocksPrefixScopedSpecNames] = config.ShadowsocksPrefixScopedSpecNames
+	}
+
+	if config.ShadowsocksPrefixProbability != nil {
+		applyParameters[parameters.ShadowsocksPrefixProbability] = *config.ShadowsocksPrefixProbability
+	}
+
 	if config.TLSTunnelObfuscatedPSKProbability != nil {
 		applyParameters[parameters.TLSTunnelObfuscatedPSKProbability] = *config.TLSTunnelObfuscatedPSKProbability
 	}
@@ -3466,6 +3483,23 @@ func (config *Config) setDialParametersHash() {
 		binary.Write(hash, binary.LittleEndian, *config.OSSHPrefixEnableFragmentor)
 	}
 
+	if config.ShadowsocksPrefixSpecs != nil {
+		hash.Write([]byte("ShadowsocksPrefixSpecs"))
+		encodedShadowsocksPrefixSpecs, _ := json.Marshal(config.ShadowsocksPrefixSpecs)
+		hash.Write(encodedShadowsocksPrefixSpecs)
+	}
+
+	if config.ShadowsocksPrefixScopedSpecNames != nil {
+		hash.Write([]byte("ShadowsocksPrefixScopedSpecNames"))
+		encodedShadowsocksPrefixScopedSpecNames, _ := json.Marshal(config.ShadowsocksPrefixScopedSpecNames)
+		hash.Write(encodedShadowsocksPrefixScopedSpecNames)
+	}
+
+	if config.ShadowsocksPrefixProbability != nil {
+		hash.Write([]byte("ShadowsocksPrefixProbability"))
+		binary.Write(hash, binary.LittleEndian, *config.ShadowsocksPrefixProbability)
+	}
+
 	if config.TLSTunnelObfuscatedPSKProbability != nil {
 		hash.Write([]byte("TLSTunnelObfuscatedPSKProbability"))
 		binary.Write(hash, binary.LittleEndian, *config.TLSTunnelObfuscatedPSKProbability)

diff --git a/psiphon/dialParameters.go b/psiphon/dialParameters.go
@@ -98,6 +98,8 @@ type DialParameters struct {
 	OSSHPrefixSpec        *obfuscator.OSSHPrefixSpec
 	OSSHPrefixSplitConfig *obfuscator.OSSHPrefixSplitConfig
 
+	ShadowsocksPrefixSpec *ShadowsocksPrefixSpec
+
 	FragmentorSeed *prng.Seed
 
 	FrontingProviderID string
@@ -249,6 +251,7 @@ func MakeDialParameters(
 	replayHTTPTransformerParameters := p.Bool(parameters.ReplayHTTPTransformerParameters)
 	replayOSSHSeedTransformerParameters := p.Bool(parameters.ReplayOSSHSeedTransformerParameters)
 	replayOSSHPrefix := p.Bool(parameters.ReplayOSSHPrefix)
+	replayShadowsocksPrefix := p.Bool(parameters.ReplayShadowsocksPrefix)
 	replayInproxySTUN := p.Bool(parameters.ReplayInproxySTUN)
 	replayInproxyWebRTC := p.Bool(parameters.ReplayInproxyWebRTC)
 
@@ -1132,6 +1135,24 @@ func MakeDialParameters(
 
 	}
 
+	if serverEntry.DisableShadowsocksPrefix {
+
+		dialParams.ShadowsocksPrefixSpec = nil
+
+	} else if !isReplay || !replayShadowsocksPrefix {
+
+		prefixSpec, err := makeShadowsocksPrefixSpecParameters(p)
+		if err != nil {
+			return nil, errors.Trace(err)
+		}
+
+		if prefixSpec.Spec != nil {
+			dialParams.ShadowsocksPrefixSpec = prefixSpec
+		} else {
+			dialParams.ShadowsocksPrefixSpec = nil
+		}
+	}
+
 	if protocol.TunnelProtocolUsesMeekHTTP(dialParams.TunnelProtocol) {
 
 		if serverEntry.DisableHTTPTransforms {
@@ -1712,6 +1733,7 @@ func (dialParams *DialParameters) GetShadowsocksConfig() *ShadowsockConfig {
 	return &ShadowsockConfig{
 		dialAddr: dialParams.DirectDialAddress,
 		key:      dialParams.ServerEntry.SshShadowsocksKey,
+		prefix:   dialParams.ShadowsocksPrefixSpec,
 	}
 }
 
@@ -2258,6 +2280,33 @@ func makeOSSHPrefixSplitConfig(p parameters.ParametersAccessor) (*obfuscator.OSS
 	}, nil
 }
 
+func makeShadowsocksPrefixSpecParameters(
+	p parameters.ParametersAccessor) (*ShadowsocksPrefixSpec, error) {
+
+	if !p.WeightedCoinFlip(parameters.ShadowsocksPrefixProbability) {
+		return &ShadowsocksPrefixSpec{}, nil
+	}
+
+	specs := p.ProtocolTransformSpecs(parameters.ShadowsocksPrefixSpecs)
+	scopedSpecNames := p.ProtocolTransformScopedSpecNames(parameters.ShadowsocksPrefixScopedSpecNames)
+
+	name, spec := specs.Select(transforms.SCOPE_ANY, scopedSpecNames)
+
+	if spec == nil {
+		return &ShadowsocksPrefixSpec{}, nil
+	} else {
+		seed, err := prng.NewSeed()
+		if err != nil {
+			return nil, errors.Trace(err)
+		}
+		return &ShadowsocksPrefixSpec{
+			Name: name,
+			Spec: spec,
+			Seed: seed,
+		}, nil
+	}
+}
+
 func selectConjureTransport(
 	p parameters.ParametersAccessor) string {
 

diff --git a/psiphon/server/api.go b/psiphon/server/api.go
@@ -1127,6 +1127,7 @@ var baseDialParams = []requestParamSpec{
 	{"http_transform", isAnyString, requestParamOptional},
 	{"seed_transform", isAnyString, requestParamOptional},
 	{"ossh_prefix", isAnyString, requestParamOptional},
+	{"shadowsocks_prefix", isAnyString, requestParamOptional},
 	{"tls_fragmented", isBooleanFlag, requestParamOptional | requestParamLogFlagAsBool},
 	{"tls_padding", isIntString, requestParamOptional | requestParamLogStringAsInt},
 	{"tls_ossh_sni_server_name", isDomain, requestParamOptional},

diff --git a/psiphon/server/config.go b/psiphon/server/config.go
@@ -973,7 +973,6 @@ func GenerateConfig(params *GenerateConfigParams) ([]byte, []byte, []byte, []byt
 
 	// Shadowsocks config
 
-	// TODO: double check there are enough bytes of entropy
 	shadowsocksKeyBytes, err := common.MakeSecureRandomBytes(SHADOWSOCKS_KEY_BYTE_LENGTH)
 	if err != nil {
 		return nil, nil, nil, nil, nil, errors.Trace(err)