vbatts/shadowsocks
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge branch 'feature-ota'

Browse source
This commit is contained in:
jsy 2016-01-11 15:06:59 +08:00
commit 28c4d14b12
5 changed files with 158 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
shadowsocks/common.py
View file

@ -21,8 +21,25 @@ from __future__ import absolute_import, division, print_function, \
import socket import socket
import struct import struct
import logging import logging
import hashlib
import hmac
ONETIMEAUTH_BYTES = 10
ONETIMEAUTH_CHUNK_BYTES = 12
ONETIMEAUTH_CHUNK_DATA_LEN = 2
def sha1_hmac(secret, data):
return hmac.new(secret, data, hashlib.sha1).digest()
def onetimeauth_verify(_hash, data, key):
return _hash == sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
def onetimeauth_gen(data, key):
return sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
def compat_ord(s): def compat_ord(s):
if type(s) == int: if type(s) == int:
return s return s
@ -118,9 +135,11 @@ def patch_socket():
patch_socket() patch_socket()
ADDRTYPE_IPV4 = 1 ADDRTYPE_IPV4 = 0x01
ADDRTYPE_IPV6 = 4 ADDRTYPE_IPV6 = 0x04
ADDRTYPE_HOST = 3 ADDRTYPE_HOST = 0x03
ADDRTYPE_AUTH = 0x10
ADDRTYPE_MASK = 0xF
def pack_addr(address): def pack_addr(address):
@ -144,14 +163,14 @@ def parse_header(data):
dest_addr = None dest_addr = None
dest_port = None dest_port = None
header_length = 0 header_length = 0
if addrtype == ADDRTYPE_IPV4: if addrtype & ADDRTYPE_MASK == ADDRTYPE_IPV4:
if len(data) >= 7: if len(data) >= 7:
dest_addr = socket.inet_ntoa(data[1:5]) dest_addr = socket.inet_ntoa(data[1:5])
dest_port = struct.unpack('>H', data[5:7])[0] dest_port = struct.unpack('>H', data[5:7])[0]
header_length = 7 header_length = 7
else: else:
logging.warn('header is too short') logging.warn('header is too short')
elif addrtype == ADDRTYPE_HOST: elif addrtype & ADDRTYPE_MASK == ADDRTYPE_HOST:
if len(data) > 2: if len(data) > 2:
addrlen = ord(data[1]) addrlen = ord(data[1])
if len(data) >= 4 + addrlen: if len(data) >= 4 + addrlen:
@ -163,7 +182,7 @@ def parse_header(data):
logging.warn('header is too short') logging.warn('header is too short')
else: else:
logging.warn('header is too short') logging.warn('header is too short')
elif addrtype == ADDRTYPE_IPV6: elif addrtype & ADDRTYPE_MASK == ADDRTYPE_IPV6:
if len(data) >= 19: if len(data) >= 19:
dest_addr = socket.inet_ntop(socket.AF_INET6, data[1:17]) dest_addr = socket.inet_ntop(socket.AF_INET6, data[1:17])
dest_port = struct.unpack('>H', data[17:19])[0] dest_port = struct.unpack('>H', data[17:19])[0]

15
shadowsocks/encrypt.py
View file

@ -69,17 +69,18 @@ def EVP_BytesToKey(password, key_len, iv_len):
class Encryptor(object): class Encryptor(object):
def __init__(self, key, method): def __init__(self, password, method):
self.key = key self.password = password
self.key = None
self.method = method self.method = method
self.iv = None
self.iv_sent = False self.iv_sent = False
self.cipher_iv = b'' self.cipher_iv = b''
self.decipher = None self.decipher = None
self.decipher_iv = None
method = method.lower() method = method.lower()
self._method_info = self.get_method_info(method) self._method_info = self.get_method_info(method)
if self._method_info: if self._method_info:
self.cipher = self.get_cipher(key, method, 1, self.cipher = self.get_cipher(password, method, 1,
random_string(self._method_info[1])) random_string(self._method_info[1]))
else: else:
logging.error('method %s not supported' % method) logging.error('method %s not supported' % method)
@ -101,7 +102,7 @@ class Encryptor(object):
else: else:
# key_length == 0 indicates we should use the key directly # key_length == 0 indicates we should use the key directly
key, iv = password, b'' key, iv = password, b''
self.key = key
iv = iv[:m[1]] iv = iv[:m[1]]
if op == 1: if op == 1:
# this iv is for cipher not decipher # this iv is for cipher not decipher
@ -123,7 +124,8 @@ class Encryptor(object):
if self.decipher is None: if self.decipher is None:
decipher_iv_len = self._method_info[1] decipher_iv_len = self._method_info[1]
decipher_iv = buf[:decipher_iv_len] decipher_iv = buf[:decipher_iv_len]
self.decipher = self.get_cipher(self.key, self.method, 0, self.decipher_iv = decipher_iv
self.decipher = self.get_cipher(self.password, self.method, 0,
iv=decipher_iv) iv=decipher_iv)
buf = buf[decipher_iv_len:] buf = buf[decipher_iv_len:]
if len(buf) == 0: if len(buf) == 0:
@ -135,6 +137,7 @@ def encrypt_all(password, method, op, data):
result = [] result = []
method = method.lower() method = method.lower()
(key_len, iv_len, m) = method_supported[method] (key_len, iv_len, m) = method_supported[method]
key = None
if key_len > 0: if key_len > 0:
key, _ = EVP_BytesToKey(password, key_len, iv_len) key, _ = EVP_BytesToKey(password, key_len, iv_len)
else: else:

7
shadowsocks/shell.py
View file

@ -131,11 +131,11 @@ def get_config(is_local):
logging.basicConfig(level=logging.INFO, logging.basicConfig(level=logging.INFO,
format='%(levelname)-s: %(message)s') format='%(levelname)-s: %(message)s')
if is_local: if is_local:
shortopts = 'hd:s:b:p:k:l:m:c:t:vq' shortopts = 'hd:s:b:p:k:l:m:c:t:vqa'
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'user=', longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'user=',
'version'] 'version']
else: else:
shortopts = 'hd:s:p:k:m:c:t:vq' shortopts = 'hd:s:p:k:m:c:t:vqa'
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'workers=', longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'workers=',
'forbidden-ip=', 'user=', 'manager-address=', 'version'] 'forbidden-ip=', 'user=', 'manager-address=', 'version']
try: try:
@ -175,6 +175,8 @@ def get_config(is_local):
v_count += 1 v_count += 1
# '-vv' turns on more verbose mode # '-vv' turns on more verbose mode
config['verbose'] = v_count config['verbose'] = v_count
elif key == '-a':
config['one_time_auth'] = True
elif key == '-t': elif key == '-t':
config['timeout'] = int(value) config['timeout'] = int(value)
elif key == '--fast-open': elif key == '--fast-open':
@ -316,6 +318,7 @@ Proxy options:
-k PASSWORD password -k PASSWORD password
-m METHOD encryption method, default: aes-256-cfb -m METHOD encryption method, default: aes-256-cfb
-t TIMEOUT timeout in seconds, default: 300 -t TIMEOUT timeout in seconds, default: 300
-a ONE_TIME_AUTH one time auth
--fast-open use TCP_FASTOPEN, requires Linux 3.7+ --fast-open use TCP_FASTOPEN, requires Linux 3.7+
--workers WORKERS number of workers, available on Unix/Linux --workers WORKERS number of workers, available on Unix/Linux
--forbidden-ip IPLIST comma seperated IP list forbidden to connect --forbidden-ip IPLIST comma seperated IP list forbidden to connect

96
shadowsocks/tcprelay.py
View file

@ -27,7 +27,8 @@ import traceback
import random import random
from shadowsocks import encrypt, eventloop, shell, common from shadowsocks import encrypt, eventloop, shell, common
from shadowsocks.common import parse_header from shadowsocks.common import parse_header, onetimeauth_verify, onetimeauth_gen, \
ONETIMEAUTH_BYTES, ONETIMEAUTH_CHUNK_BYTES, ONETIMEAUTH_CHUNK_DATA_LEN, ADDRTYPE_AUTH
# we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time # we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time
TIMEOUTS_CLEAN_SIZE = 512 TIMEOUTS_CLEAN_SIZE = 512
@ -107,6 +108,14 @@ class TCPRelayHandler(object):
self._stage = STAGE_INIT self._stage = STAGE_INIT
self._encryptor = encrypt.Encryptor(config['password'], self._encryptor = encrypt.Encryptor(config['password'],
config['method']) config['method'])
if 'one_time_auth' in config and config['one_time_auth']:
self._one_time_auth_enable = True
else:
self._one_time_auth_enable = False
self._one_time_auth_buff_head = ''
self._one_time_auth_buff_data = ''
self._one_time_auth_len = 0
self._one_time_auth_chunk_idx = 0
self._fastopen_connected = False self._fastopen_connected = False
self._data_to_write_to_local = [] self._data_to_write_to_local = []
self._data_to_write_to_remote = [] self._data_to_write_to_remote = []
@ -224,8 +233,14 @@ class TCPRelayHandler(object):
def _handle_stage_connecting(self, data): def _handle_stage_connecting(self, data):
if self._is_local: if self._is_local:
if self._one_time_auth_enable:
data = self._one_time_auth_chunk_data_gen(data)
data = self._encryptor.encrypt(data) data = self._encryptor.encrypt(data)
self._data_to_write_to_remote.append(data) self._data_to_write_to_remote.append(data)
else:
if self._one_time_auth_enable:
self._one_time_auth_chunk_data(data,
self._data_to_write_to_remote.append)
if self._is_local and not self._fastopen_connected and \ if self._is_local and not self._fastopen_connected and \
self._config['fast_open']: self._config['fast_open']:
# for sslocal and fastopen, we basically wait for data and use # for sslocal and fastopen, we basically wait for data and use
@ -293,6 +308,18 @@ class TCPRelayHandler(object):
logging.info('connecting %s:%d from %s:%d' % logging.info('connecting %s:%d from %s:%d' %
(common.to_str(remote_addr), remote_port, (common.to_str(remote_addr), remote_port,
self._client_address[0], self._client_address[1])) self._client_address[0], self._client_address[1]))
if self._is_local is False:
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
if len(data) < header_length + ONETIMEAUTH_BYTES:
logging.warn('one time auth header is too short')
return None
if onetimeauth_verify(data[header_length: header_length+ONETIMEAUTH_BYTES],
data[:header_length],
self._encryptor.decipher_iv + self._encryptor.key) is False:
logging.warn('one time auth fail')
self.destroy()
header_length += ONETIMEAUTH_BYTES
self._remote_address = (common.to_str(remote_addr), remote_port) self._remote_address = (common.to_str(remote_addr), remote_port)
# pause reading # pause reading
self._update_stream(STREAM_UP, WAIT_STATUS_WRITING) self._update_stream(STREAM_UP, WAIT_STATUS_WRITING)
@ -302,13 +329,22 @@ class TCPRelayHandler(object):
self._write_to_sock((b'\x05\x00\x00\x01' self._write_to_sock((b'\x05\x00\x00\x01'
b'\x00\x00\x00\x00\x10\x10'), b'\x00\x00\x00\x00\x10\x10'),
self._local_sock) self._local_sock)
# spec https://shadowsocks.org/en/spec/one-time-auth.html
# ATYP & 0x10 == 1, then OTA is enabled.
if self._one_time_auth_enable:
data = chr(ord(data[0]) | ADDRTYPE_AUTH) + data[1:]
data += onetimeauth_gen(data, self._encryptor.cipher_iv + self._encryptor.key)
data_to_send = self._encryptor.encrypt(data) data_to_send = self._encryptor.encrypt(data)
self._data_to_write_to_remote.append(data_to_send) self._data_to_write_to_remote.append(data_to_send)
# notice here may go into _handle_dns_resolved directly # notice here may go into _handle_dns_resolved directly
self._dns_resolver.resolve(self._chosen_server[0], self._dns_resolver.resolve(self._chosen_server[0],
self._handle_dns_resolved) self._handle_dns_resolved)
else: else:
if len(data) > header_length: if self._one_time_auth_enable:
data = data[header_length:]
self._one_time_auth_chunk_data(data,
self._data_to_write_to_remote.append)
elif len(data) > header_length:
self._data_to_write_to_remote.append(data[header_length:]) self._data_to_write_to_remote.append(data[header_length:])
# notice here may go into _handle_dns_resolved directly # notice here may go into _handle_dns_resolved directly
self._dns_resolver.resolve(remote_addr, self._dns_resolver.resolve(remote_addr,
@ -344,7 +380,6 @@ class TCPRelayHandler(object):
if result: if result:
ip = result[1] ip = result[1]
if ip: if ip:
try: try:
self._stage = STAGE_CONNECTING self._stage = STAGE_CONNECTING
remote_addr = ip remote_addr = ip
@ -384,6 +419,57 @@ class TCPRelayHandler(object):
traceback.print_exc() traceback.print_exc()
self.destroy() self.destroy()
def _write_to_sock_remote(self, data):
self._write_to_sock(data, self._remote_sock)
def _one_time_auth_chunk_data(self, data, data_cb):
# spec https://shadowsocks.org/en/spec/one-time-auth.html
while len(data) > 0:
if self._one_time_auth_len == 0:
# get DATA.LEN + HMAC-SHA1
length = ONETIMEAUTH_CHUNK_BYTES - len(self._one_time_auth_buff_head)
self._one_time_auth_buff_head += data[:length]
data = data[length:]
if len(self._one_time_auth_buff_head) < ONETIMEAUTH_CHUNK_BYTES:
# wait more data
return
self._one_time_auth_len = struct.unpack('>H',
self._one_time_auth_buff_head[:ONETIMEAUTH_CHUNK_DATA_LEN])[0]
length = min(self._one_time_auth_len, len(data))
self._one_time_auth_buff_data += data[:length]
data = data[length:]
if len(self._one_time_auth_buff_data) == self._one_time_auth_len:
# get a chunk data
if onetimeauth_verify(self._one_time_auth_buff_head[ONETIMEAUTH_CHUNK_DATA_LEN:],
self._one_time_auth_buff_data,
self._encryptor.decipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx)) \
is False:
logging.warn('one time auth fail, drop chunk !')
else:
data_cb(self._one_time_auth_buff_data)
self._one_time_auth_chunk_idx += 1
self._one_time_auth_buff_head = ''
self._one_time_auth_buff_data = ''
self._one_time_auth_len = 0
return
def _one_time_auth_chunk_data_gen(self, data):
data_len = struct.pack(">H", len(data))
sha110 = onetimeauth_gen(data, self._encryptor.cipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx))
self._one_time_auth_chunk_idx += 1
return data_len + sha110 + data
def _handle_stage_stream(self, data):
if self._is_local:
if self._one_time_auth_enable:
data = self._one_time_auth_chunk_data_gen(data)
data = self._encryptor.encrypt(data)
self._write_to_sock(data, self._remote_sock)
else:
if self._one_time_auth_enable:
self._one_time_auth_chunk_data(data, self._write_to_sock_remote)
return
def _on_local_read(self): def _on_local_read(self):
# handle all local read events and dispatch them to methods for # handle all local read events and dispatch them to methods for
# each stage # each stage
@ -406,9 +492,7 @@ class TCPRelayHandler(object):
if not data: if not data:
return return
if self._stage == STAGE_STREAM: if self._stage == STAGE_STREAM:
if self._is_local: self._handle_stage_stream(data)
data = self._encryptor.encrypt(data)
self._write_to_sock(data, self._remote_sock)
return return
elif is_local and self._stage == STAGE_INIT: elif is_local and self._stage == STAGE_INIT:
# TODO check auth method # TODO check auth method

33
shadowsocks/udprelay.py
View file

@ -69,7 +69,8 @@ import errno
import random import random
from shadowsocks import encrypt, eventloop, lru_cache, common, shell from shadowsocks import encrypt, eventloop, lru_cache, common, shell
from shadowsocks.common import parse_header, pack_addr from shadowsocks.common import parse_header, pack_addr, onetimeauth_verify, onetimeauth_gen, \
ONETIMEAUTH_BYTES, ONETIMEAUTH_CHUNK_BYTES, ONETIMEAUTH_CHUNK_DATA_LEN, ADDRTYPE_AUTH
BUF_SIZE = 65536 BUF_SIZE = 65536
@ -97,6 +98,10 @@ class UDPRelay(object):
self._password = common.to_bytes(config['password']) self._password = common.to_bytes(config['password'])
self._method = config['method'] self._method = config['method']
self._timeout = config['timeout'] self._timeout = config['timeout']
if 'one_time_auth' in config and config['one_time_auth']:
self._one_time_auth_enable = True
else:
self._one_time_auth_enable = False
self._is_local = is_local self._is_local = is_local
self._cache = lru_cache.LRUCache(timeout=config['timeout'], self._cache = lru_cache.LRUCache(timeout=config['timeout'],
close_callback=self._close_client) close_callback=self._close_client)
@ -114,7 +119,7 @@ class UDPRelay(object):
addrs = socket.getaddrinfo(self._listen_addr, self._listen_port, 0, addrs = socket.getaddrinfo(self._listen_addr, self._listen_port, 0,
socket.SOCK_DGRAM, socket.SOL_UDP) socket.SOCK_DGRAM, socket.SOL_UDP)
if len(addrs) == 0: if len(addrs) == 0:
raise Exception("can't get addrinfo for %s:%d" % raise Exception("UDP can't get addrinfo for %s:%d" %
(self._listen_addr, self._listen_port)) (self._listen_addr, self._listen_port))
af, socktype, proto, canonname, sa = addrs[0] af, socktype, proto, canonname, sa = addrs[0]
server_socket = socket.socket(af, socktype, proto) server_socket = socket.socket(af, socktype, proto)
@ -152,7 +157,7 @@ class UDPRelay(object):
if self._is_local: if self._is_local:
frag = common.ord(data[2]) frag = common.ord(data[2])
if frag != 0: if frag != 0:
logging.warn('drop a message since frag is not 0') logging.warn('UDP drop a message since frag is not 0')
return return
else: else:
data = data[3:] data = data[3:]
@ -171,7 +176,18 @@ class UDPRelay(object):
server_addr, server_port = self._get_a_server() server_addr, server_port = self._get_a_server()
else: else:
server_addr, server_port = dest_addr, dest_port server_addr, server_port = dest_addr, dest_port
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
if len(data) < header_length + ONETIMEAUTH_BYTES:
logging.warn('UDP one time auth header is too short')
return
if onetimeauth_verify(data[-ONETIMEAUTH_BYTES:],
data[header_length: -ONETIMEAUTH_BYTES],
self._encryptor.decipher_iv + self._encryptor.key) is False:
logging.warn('UDP one time auth fail')
return
self._one_time_authed = True
header_length += ONETIMEAUTH_BYTES
addrs = self._dns_cache.get(server_addr, None) addrs = self._dns_cache.get(server_addr, None)
if addrs is None: if addrs is None:
addrs = socket.getaddrinfo(server_addr, server_port, 0, addrs = socket.getaddrinfo(server_addr, server_port, 0,
@ -202,6 +218,9 @@ class UDPRelay(object):
self._eventloop.add(client, eventloop.POLL_IN, self) self._eventloop.add(client, eventloop.POLL_IN, self)
if self._is_local: if self._is_local:
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable:
data = _one_time_auth_chunk_data_gen(data)
data = encrypt.encrypt_all(self._password, self._method, 1, data) data = encrypt.encrypt_all(self._password, self._method, 1, data)
if not data: if not data:
return return
@ -243,7 +262,7 @@ class UDPRelay(object):
header_result = parse_header(data) header_result = parse_header(data)
if header_result is None: if header_result is None:
return return
# addrtype, dest_addr, dest_port, header_length = header_result addrtype, dest_addr, dest_port, header_length = header_result
response = b'\x00\x00\x00' + data response = b'\x00\x00\x00' + data
client_addr = self._client_fd_to_server_addr.get(sock.fileno()) client_addr = self._client_fd_to_server_addr.get(sock.fileno())
if client_addr: if client_addr:
@ -253,6 +272,10 @@ class UDPRelay(object):
# simply drop that packet # simply drop that packet
pass pass
def _one_time_auth_chunk_data_gen(self, data):
data = chr(ord(data[0]) | ADDRTYPE_AUTH) + data[1:]
return data + onetimeauth_gen(data, self._encryptor.cipher_iv + self._encryptor.key)
def add_to_loop(self, loop): def add_to_loop(self, loop):
if self._eventloop: if self._eventloop:
raise Exception('already add to loop') raise Exception('already add to loop')