vbatts/shadowsocks
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add verify_sha1 (libev OTA)

Browse source
This commit is contained in:
BreakWa11 2015-11-17 15:42:59 +08:00
parent 8826629741
commit 737b7d9890
4 changed files with 386 additions and 218 deletions
Download patch file Download diff file Expand all files Collapse all files

5
shadowsocks/obfs.py
View file

@ -23,13 +23,14 @@ import hashlib
import logging import logging
from shadowsocks import common from shadowsocks import common
from shadowsocks.obfsplugin import plain, http_simple, verify_simple from shadowsocks.obfsplugin import plain, http_simple, verify, auth
method_supported = {} method_supported = {}
method_supported.update(plain.obfs_map) method_supported.update(plain.obfs_map)
method_supported.update(http_simple.obfs_map) method_supported.update(http_simple.obfs_map)
method_supported.update(verify_simple.obfs_map) method_supported.update(verify.obfs_map)
method_supported.update(auth.obfs_map)
class server_info(object): class server_info(object):
def __init__(self, data): def __init__(self, data):

326
shadowsocks/obfsplugin/auth.py Normal file
View file

@ -0,0 +1,326 @@
#!/usr/bin/env python
#
# Copyright 2015-2015 breakwa11
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from __future__ import absolute_import, division, print_function, \
with_statement
import os
import sys
import hashlib
import logging
import binascii
import base64
import time
import datetime
import random
import struct
import zlib
import hmac
import hashlib
import shadowsocks
from shadowsocks import common
from shadowsocks.obfsplugin import plain
from shadowsocks.common import to_bytes, to_str, ord, chr
def create_auth_obfs(method):
return auth_simple(method)
obfs_map = {
'auth_simple': (create_auth_obfs,),
}
def match_begin(str1, str2):
if len(str1) >= len(str2):
if str1[:len(str2)] == str2:
return True
return False
class obfs_verify_data(object):
def __init__(self):
pass
class verify_base(plain.plain):
def __init__(self, method):
super(verify_base, self).__init__(method)
self.method = method
def init_data(self):
return ''
def set_server_info(self, server_info):
self.server_info = server_info
def client_encode(self, buf):
return buf
def client_decode(self, buf):
return (buf, False)
def server_encode(self, buf):
return buf
def server_decode(self, buf):
return (buf, True, False)
class client_queue(object):
def __init__(self, begin_id):
self.front = begin_id
self.back = begin_id
self.alloc = {}
self.enable = True
self.last_update = time.time()
def update(self):
self.last_update = time.time()
def is_active(self):
return time.time() - self.last_update < 60 * 3
def re_enable(self, connection_id):
self.enable = True
self.alloc = {}
self.front = connection_id
self.back = connection_id
def insert(self, connection_id):
self.update()
if not self.enable:
logging.warn('auth_simple: not enable')
return False
if connection_id < self.front:
logging.warn('auth_simple: duplicate id')
return False
if not self.is_active():
self.re_enable(connection_id)
if connection_id > self.front + 0x4000:
logging.warn('auth_simple: wrong id')
return False
if connection_id in self.alloc:
logging.warn('auth_simple: duplicate id 2')
return False
if self.back <= connection_id:
self.back = connection_id + 1
self.alloc[connection_id] = 1
while (self.front in self.alloc) or self.front + 0x1000 < self.back:
if self.front in self.alloc:
del self.alloc[self.front]
self.front += 1
return True
class obfs_auth_data(object):
def __init__(self):
self.client_id = {}
self.startup_time = int(time.time() - 30) & 0xFFFFFFFF
self.local_client_id = b''
self.connection_id = 0
self.max_client = 16 # max active client count
self.max_buffer = max(self.max_client, 256) # max client id buffer size
def update(self, client_id, connection_id):
if client_id in self.client_id:
self.client_id[client_id].update()
def insert(self, client_id, connection_id):
if client_id not in self.client_id or not self.client_id[client_id].enable:
active = 0
for c_id in self.client_id:
if self.client_id[c_id].is_active():
active += 1
if active >= self.max_client:
logging.warn('auth_simple: max active clients exceeded')
return False
if len(self.client_id) < self.max_client:
if client_id not in self.client_id:
self.client_id[client_id] = client_queue(connection_id)
else:
self.client_id[client_id].re_enable(connection_id)
return self.client_id[client_id].insert(connection_id)
keys = self.client_id.keys()
random.shuffle(keys)
for c_id in keys:
if not self.client_id[c_id].is_active() and self.client_id[c_id].enable:
if len(self.client_id) >= self.max_buffer:
del self.client_id[c_id]
else:
self.client_id[c_id].enable = False
if client_id not in self.client_id:
self.client_id[client_id] = client_queue(connection_id)
else:
self.client_id[client_id].re_enable(connection_id)
return self.client_id[client_id].insert(connection_id)
logging.warn('auth_simple: no inactive client [assert]')
return False
else:
return self.client_id[client_id].insert(connection_id)
class auth_simple(verify_base):
def __init__(self, method):
super(auth_simple, self).__init__(method)
self.recv_buf = b''
self.unit_len = 8100
self.decrypt_packet_num = 0
self.raw_trans = False
self.has_sent_header = False
self.has_recv_header = False
self.client_id = 0
self.connection_id = 0
self.max_time_dif = 60 * 5 # time dif (second) setting
def init_data(self):
return obfs_auth_data()
def pack_data(self, buf):
if len(buf) == 0:
return b''
rnd_data = os.urandom(common.ord(os.urandom(1)[0]) % 16)
data = common.chr(len(rnd_data) + 1) + rnd_data + buf
data = struct.pack('>H', len(data) + 6) + data
crc = (0xffffffff - binascii.crc32(data)) & 0xffffffff
data += struct.pack('<I', crc)
return data
def auth_data(self):
utc_time = int(time.time()) & 0xFFFFFFFF
if self.server_info.data.connection_id > 0xFF000000:
self.server_info.data.local_client_id = b''
if not self.server_info.data.local_client_id:
self.server_info.data.local_client_id = os.urandom(4)
logging.debug("local_client_id %s" % (binascii.hexlify(self.server_info.data.local_client_id),))
self.server_info.data.connection_id = struct.unpack('<I', os.urandom(4))[0] & 0xFFFFFF
self.server_info.data.connection_id += 1
return b''.join([struct.pack('<I', utc_time),
self.server_info.data.local_client_id,
struct.pack('<I', self.server_info.data.connection_id)])
def client_pre_encrypt(self, buf):
ret = b''
if not self.has_sent_header:
head_size = self.get_head_size(buf, 30)
datalen = min(len(buf), random.randint(0, 31) + head_size)
ret += self.pack_data(self.auth_data() + buf[:datalen])
buf = buf[datalen:]
self.has_sent_header = True
while len(buf) > self.unit_len:
ret += self.pack_data(buf[:self.unit_len])
buf = buf[self.unit_len:]
ret += self.pack_data(buf)
return ret
def client_post_decrypt(self, buf):
if self.raw_trans:
return buf
self.recv_buf += buf
out_buf = b''
while len(self.recv_buf) > 2:
length = struct.unpack('>H', self.recv_buf[:2])[0]
if length >= 8192 or length < 7:
self.raw_trans = True
self.recv_buf = b''
if self.decrypt_packet_num == 0:
return None
else:
raise Exception('server_post_decrype data error')
if length > len(self.recv_buf):
break
if (binascii.crc32(self.recv_buf[:length]) & 0xffffffff) != 0xffffffff:
self.raw_trans = True
self.recv_buf = b''
if self.decrypt_packet_num == 0:
return None
else:
raise Exception('server_post_decrype data uncorrect CRC32')
pos = common.ord(self.recv_buf[2]) + 2
out_buf += self.recv_buf[pos:length - 4]
self.recv_buf = self.recv_buf[length:]
if out_buf:
self.decrypt_packet_num += 1
return out_buf
def server_pre_encrypt(self, buf):
ret = b''
while len(buf) > self.unit_len:
ret += self.pack_data(buf[:self.unit_len])
buf = buf[self.unit_len:]
ret += self.pack_data(buf)
return ret
def server_post_decrypt(self, buf):
if self.raw_trans:
return buf
self.recv_buf += buf
out_buf = b''
while len(self.recv_buf) > 2:
length = struct.unpack('>H', self.recv_buf[:2])[0]
if length >= 8192 or length < 7:
self.raw_trans = True
self.recv_buf = b''
if self.decrypt_packet_num == 0:
logging.info('auth_simple: over size')
return b'E'
else:
raise Exception('server_post_decrype data error')
if length > len(self.recv_buf):
break
if (binascii.crc32(self.recv_buf[:length]) & 0xffffffff) != 0xffffffff:
logging.info('auth_simple: crc32 error, data %s' % (binascii.hexlify(self.recv_buf[:length]),))
self.raw_trans = True
self.recv_buf = b''
if self.decrypt_packet_num == 0:
return b'E'
else:
raise Exception('server_post_decrype data uncorrect CRC32')
pos = common.ord(self.recv_buf[2]) + 2
out_buf += self.recv_buf[pos:length - 4]
if not self.has_recv_header:
if len(out_buf) < 12:
self.raw_trans = True
self.recv_buf = b''
logging.info('auth_simple: too short')
return b'E'
utc_time = struct.unpack('<I', out_buf[:4])[0]
client_id = struct.unpack('<I', out_buf[4:8])[0]
connection_id = struct.unpack('<I', out_buf[8:12])[0]
time_dif = common.int32((int(time.time()) & 0xffffffff) - utc_time)
if time_dif < -self.max_time_dif or time_dif > self.max_time_dif \
or common.int32(utc_time - self.server_info.data.startup_time) < 0:
self.raw_trans = True
self.recv_buf = b''
logging.info('auth_simple: wrong timestamp, time_dif %d, data %s' % (time_dif, binascii.hexlify(out_buf),))
return b'E'
elif self.server_info.data.insert(client_id, connection_id):
self.has_recv_header = True
out_buf = out_buf[12:]
self.client_id = client_id
self.connection_id = connection_id
else:
self.raw_trans = True
self.recv_buf = b''
logging.info('auth_simple: auth fail, data %s' % (binascii.hexlify(out_buf),))
return b'E'
self.recv_buf = self.recv_buf[length:]
if out_buf:
self.server_info.data.update(self.client_id, self.connection_id)
self.decrypt_packet_num += 1
return out_buf

256
shadowsocks/obfsplugin/verify_simple.py
View file

@ -28,11 +28,13 @@ import datetime
import random import random
import struct import struct
import zlib import zlib
import hmac
import hashlib
import shadowsocks import shadowsocks
from shadowsocks import common from shadowsocks import common
from shadowsocks.obfsplugin import plain from shadowsocks.obfsplugin import plain
from shadowsocks.common import to_bytes, to_str, ord from shadowsocks.common import to_bytes, to_str, ord, chr
def create_verify_obfs(method): def create_verify_obfs(method):
return verify_simple(method) return verify_simple(method)
@ -40,13 +42,17 @@ def create_verify_obfs(method):
def create_verify_deflate(method): def create_verify_deflate(method):
return verify_deflate(method) return verify_deflate(method)
def create_verify_sha1(method):
return verify_sha1(method)
def create_auth_obfs(method): def create_auth_obfs(method):
return auth_simple(method) return auth_simple(method)
obfs_map = { obfs_map = {
'verify_simple': (create_verify_obfs,), 'verify_simple': (create_verify_obfs,),
'verify_deflate': (create_verify_deflate,), 'verify_deflate': (create_verify_deflate,),
'auth_simple': (create_auth_obfs,), 'verify_sha1': (create_verify_sha1,),
'verify_sha1_compatible': (create_verify_sha1,),
} }
def match_begin(str1, str2): def match_begin(str1, str2):
@ -261,143 +267,35 @@ class verify_deflate(verify_base):
self.decrypt_packet_num += 1 self.decrypt_packet_num += 1
return out_buf return out_buf
class client_queue(object): class verify_sha1(verify_base):
def __init__(self, begin_id):
self.front = begin_id
self.back = begin_id
self.alloc = {}
self.enable = True
self.last_update = time.time()
def update(self):
self.last_update = time.time()
def is_active(self):
return time.time() - self.last_update < 60 * 3
def re_enable(self, connection_id):
self.enable = True
self.alloc = {}
self.front = connection_id
self.back = connection_id
def insert(self, connection_id):
self.update()
if not self.enable:
logging.warn('auth_simple: not enable')
return False
if connection_id < self.front:
logging.warn('auth_simple: duplicate id')
return False
if not self.is_active():
self.re_enable(connection_id)
if connection_id > self.front + 0x4000:
logging.warn('auth_simple: wrong id')
return False
if connection_id in self.alloc:
logging.warn('auth_simple: duplicate id 2')
return False
if self.back <= connection_id:
self.back = connection_id + 1
self.alloc[connection_id] = 1
while (self.front in self.alloc) or self.front + 0x1000 < self.back:
if self.front in self.alloc:
del self.alloc[self.front]
self.front += 1
return True
class obfs_auth_data(object):
def __init__(self):
self.client_id = {}
self.startup_time = int(time.time() - 30) & 0xFFFFFFFF
self.local_client_id = b''
self.connection_id = 0
self.max_client = 16 # max active client count
self.max_buffer = max(self.max_client, 256) # max client id buffer size
def update(self, client_id, connection_id):
if client_id in self.client_id:
self.client_id[client_id].update()
def insert(self, client_id, connection_id):
if client_id not in self.client_id or not self.client_id[client_id].enable:
active = 0
for c_id in self.client_id:
if self.client_id[c_id].is_active():
active += 1
if active >= self.max_client:
logging.warn('auth_simple: max active clients exceeded')
return False
if len(self.client_id) < self.max_client:
if client_id not in self.client_id:
self.client_id[client_id] = client_queue(connection_id)
else:
self.client_id[client_id].re_enable(connection_id)
return self.client_id[client_id].insert(connection_id)
keys = self.client_id.keys()
random.shuffle(keys)
for c_id in keys:
if not self.client_id[c_id].is_active() and self.client_id[c_id].enable:
if len(self.client_id) >= self.max_buffer:
del self.client_id[c_id]
else:
self.client_id[c_id].enable = False
if client_id not in self.client_id:
self.client_id[client_id] = client_queue(connection_id)
else:
self.client_id[client_id].re_enable(connection_id)
return self.client_id[client_id].insert(connection_id)
logging.warn('auth_simple: no inactive client [assert]')
return False
else:
return self.client_id[client_id].insert(connection_id)
class auth_simple(verify_base):
def __init__(self, method): def __init__(self, method):
super(auth_simple, self).__init__(method) super(verify_sha1, self).__init__(method)
self.recv_buf = b'' self.recv_buf = b''
self.unit_len = 8100 self.unit_len = 8100
self.decrypt_packet_num = 0
self.raw_trans = False self.raw_trans = False
self.pack_id = 0
self.recv_id = 0
self.has_sent_header = False self.has_sent_header = False
self.has_recv_header = False self.has_recv_header = False
self.client_id = 0
self.connection_id = 0
self.max_time_dif = 60 * 5 # time dif (second) setting
def init_data(self):
return obfs_auth_data()
def pack_data(self, buf): def pack_data(self, buf):
if len(buf) == 0: if len(buf) == 0:
return b'' return b''
rnd_data = os.urandom(common.ord(os.urandom(1)[0]) % 16) sha1data = hmac.new(self.server_info.iv + struct.pack('>I', self.pack_id), buf, hashlib.sha1).digest()
data = common.chr(len(rnd_data) + 1) + rnd_data + buf data = struct.pack('>H', len(buf)) + sha1data[:10] + buf
data = struct.pack('>H', len(data) + 6) + data self.pack_id += 1
crc = (0xffffffff - binascii.crc32(data)) & 0xffffffff
data += struct.pack('<I', crc)
return data return data
def auth_data(self): def auth_pack_data(self, buf):
utc_time = int(time.time()) & 0xFFFFFFFF data = buf
if self.server_info.data.connection_id > 0xFF000000: data += hmac.new(self.server_info.iv + self.server_info.key, buf, hashlib.sha1).digest()[:10]
self.server_info.data.local_client_id = b'' return data
if not self.server_info.data.local_client_id:
self.server_info.data.local_client_id = os.urandom(4)
logging.debug("local_client_id %s" % (binascii.hexlify(self.server_info.data.local_client_id),))
self.server_info.data.connection_id = struct.unpack('<I', os.urandom(4))[0] & 0xFFFFFF
self.server_info.data.connection_id += 1
return b''.join([struct.pack('<I', utc_time),
self.server_info.data.local_client_id,
struct.pack('<I', self.server_info.data.connection_id)])
def client_pre_encrypt(self, buf): def client_pre_encrypt(self, buf):
ret = b'' ret = b''
if not self.has_sent_header: if not self.has_sent_header:
head_size = self.get_head_size(buf, 30) datalen = self.get_head_size(buf, 30)
datalen = min(len(buf), random.randint(0, 31) + head_size) ret += self.auth_pack_data(buf[datalen:])
ret += self.pack_data(self.auth_data() + buf[:datalen])
buf = buf[datalen:] buf = buf[datalen:]
self.has_sent_header = True self.has_sent_header = True
while len(buf) > self.unit_len: while len(buf) > self.unit_len:
@ -407,105 +305,49 @@ class auth_simple(verify_base):
return ret return ret
def client_post_decrypt(self, buf): def client_post_decrypt(self, buf):
if self.raw_trans: return buf
return buf
self.recv_buf += buf
out_buf = b''
while len(self.recv_buf) > 2:
length = struct.unpack('>H', self.recv_buf[:2])[0]
if length >= 8192 or length < 7:
self.raw_trans = True
self.recv_buf = b''
if self.decrypt_packet_num == 0:
return None
else:
raise Exception('server_post_decrype data error')
if length > len(self.recv_buf):
break
if (binascii.crc32(self.recv_buf[:length]) & 0xffffffff) != 0xffffffff:
self.raw_trans = True
self.recv_buf = b''
if self.decrypt_packet_num == 0:
return None
else:
raise Exception('server_post_decrype data uncorrect CRC32')
pos = common.ord(self.recv_buf[2]) + 2
out_buf += self.recv_buf[pos:length - 4]
self.recv_buf = self.recv_buf[length:]
if out_buf:
self.decrypt_packet_num += 1
return out_buf
def server_pre_encrypt(self, buf): def server_pre_encrypt(self, buf):
ret = b'' return buf
while len(buf) > self.unit_len:
ret += self.pack_data(buf[:self.unit_len])
buf = buf[self.unit_len:]
ret += self.pack_data(buf)
return ret
def server_post_decrypt(self, buf): def server_post_decrypt(self, buf):
if self.raw_trans: if self.raw_trans:
return buf return buf
self.recv_buf += buf self.recv_buf += buf
out_buf = b'' out_buf = b''
while len(self.recv_buf) > 2: if not self.has_recv_header:
length = struct.unpack('>H', self.recv_buf[:2])[0] if len(self.recv_buf) < 2:
if length >= 8192 or length < 7: return b''
self.raw_trans = True if (ord(self.recv_buf[0]) & 0x10) != 0x10:
self.recv_buf = b'' if self.method == 'verify_sha1':
if self.decrypt_packet_num == 0: logging.error('Not One-time authentication header')
logging.info('auth_simple: over size')
return b'E' return b'E'
else: else:
raise Exception('server_post_decrype data error') self.raw_trans = True
return self.recv_buf
head_size = self.get_head_size(self.recv_buf, 30)
if len(self.recv_buf) < head_size + 10:
return b''
sha1data = hmac.new(self.server_info.recv_iv + self.server_info.key, self.recv_buf[:head_size], hashlib.sha1).digest()[:10]
if sha1data != self.recv_buf[head_size:head_size + 10]:
logging.error('server_post_decrype data uncorrect auth HMAC-SHA1')
return b'E'
out_buf = to_bytes(chr(ord(self.recv_buf[0]) & 0xF)) + self.recv_buf[1:head_size]
self.recv_buf = self.recv_buf[head_size + 10:]
self.has_recv_header = True
while len(self.recv_buf) > 2:
length = struct.unpack('>H', self.recv_buf[:2])[0] + 12
if length > len(self.recv_buf): if length > len(self.recv_buf):
break break
if (binascii.crc32(self.recv_buf[:length]) & 0xffffffff) != 0xffffffff: data = self.recv_buf[12:length]
logging.info('auth_simple: crc32 error, data %s' % (binascii.hexlify(self.recv_buf[:length]),)) sha1data = hmac.new(self.server_info.recv_iv + struct.pack('>I', self.recv_id), data, hashlib.sha1).digest()[:10]
self.raw_trans = True if sha1data != self.recv_buf[2:12]:
self.recv_buf = b'' raise Exception('server_post_decrype data uncorrect chunk HMAC-SHA1')
if self.decrypt_packet_num == 0:
return b'E'
else:
raise Exception('server_post_decrype data uncorrect CRC32')
pos = common.ord(self.recv_buf[2]) + 2 self.recv_id += 1
out_buf += self.recv_buf[pos:length - 4] out_buf += data
if not self.has_recv_header:
if len(out_buf) < 12:
self.raw_trans = True
self.recv_buf = b''
logging.info('auth_simple: too short')
return b'E'
utc_time = struct.unpack('<I', out_buf[:4])[0]
client_id = struct.unpack('<I', out_buf[4:8])[0]
connection_id = struct.unpack('<I', out_buf[8:12])[0]
time_dif = common.int32((int(time.time()) & 0xffffffff) - utc_time)
if time_dif < -self.max_time_dif or time_dif > self.max_time_dif \
or common.int32(utc_time - self.server_info.data.startup_time) < 0:
self.raw_trans = True
self.recv_buf = b''
logging.info('auth_simple: wrong timestamp, time_dif %d, data %s' % (time_dif, binascii.hexlify(out_buf),))
return b'E'
elif self.server_info.data.insert(client_id, connection_id):
self.has_recv_header = True
out_buf = out_buf[12:]
self.client_id = client_id
self.connection_id = connection_id
else:
self.raw_trans = True
self.recv_buf = b''
logging.info('auth_simple: auth fail, data %s' % (binascii.hexlify(out_buf),))
return b'E'
self.recv_buf = self.recv_buf[length:] self.recv_buf = self.recv_buf[length:]
if out_buf:
self.server_info.data.update(self.client_id, self.connection_id)
self.decrypt_packet_num += 1
return out_buf return out_buf

17
shadowsocks/tcprelay.py
View file

@ -30,9 +30,6 @@ import random
from shadowsocks import encrypt, obfs, eventloop, shell, common from shadowsocks import encrypt, obfs, eventloop, shell, common
from shadowsocks.common import pre_parse_header, parse_header from shadowsocks.common import pre_parse_header, parse_header
# set it 'True' if run as a local client and connect to a server which support new protocol
CLIENT_NEW_PROTOCOL = False #deprecated
# we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time # we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time
TIMEOUTS_CLEAN_SIZE = 512 TIMEOUTS_CLEAN_SIZE = 512
@ -120,6 +117,7 @@ class TCPRelayHandler(object):
server_info.port = server._listen_port server_info.port = server._listen_port
server_info.param = config['obfs_param'] server_info.param = config['obfs_param']
server_info.iv = self._encryptor.cipher_iv server_info.iv = self._encryptor.cipher_iv
server_info.recv_iv = b''
server_info.key = self._encryptor.cipher_key server_info.key = self._encryptor.cipher_key
server_info.head_len = 30 server_info.head_len = 30
server_info.tcp_mss = 1440 server_info.tcp_mss = 1440
@ -131,6 +129,7 @@ class TCPRelayHandler(object):
server_info.port = server._listen_port server_info.port = server._listen_port
server_info.param = '' server_info.param = ''
server_info.iv = self._encryptor.cipher_iv server_info.iv = self._encryptor.cipher_iv
server_info.recv_iv = b''
server_info.key = self._encryptor.cipher_key server_info.key = self._encryptor.cipher_key
server_info.head_len = 30 server_info.head_len = 30
server_info.tcp_mss = 1440 server_info.tcp_mss = 1440
@ -460,12 +459,6 @@ class TCPRelayHandler(object):
head_len = self._get_head_size(data, 30) head_len = self._get_head_size(data, 30)
self._obfs.obfs.server_info.head_len = head_len self._obfs.obfs.server_info.head_len = head_len
self._protocol.obfs.server_info.head_len = head_len self._protocol.obfs.server_info.head_len = head_len
if CLIENT_NEW_PROTOCOL:
rnd_len = random.randint(1, 32)
total_len = 7 + rnd_len + len(data)
data = b'\x88' + struct.pack('>H', total_len) + chr(rnd_len) + (b' ' * (rnd_len - 1)) + data
crc = (0xffffffff - binascii.crc32(data)) & 0xffffffff
data += struct.pack('<I', crc)
if self._encryptor is not None: if self._encryptor is not None:
data = self._protocol.client_pre_encrypt(data) data = self._protocol.client_pre_encrypt(data)
data_to_send = self._encryptor.encrypt(data) data_to_send = self._encryptor.encrypt(data)
@ -606,6 +599,9 @@ class TCPRelayHandler(object):
if obfs_decode[2]: if obfs_decode[2]:
self._write_to_sock(b'', self._local_sock) self._write_to_sock(b'', self._local_sock)
if obfs_decode[1]: if obfs_decode[1]:
if not self._protocol.obfs.server_info.recv_iv:
iv_len = len(self._protocol.obfs.server_info.iv)
self._protocol.obfs.server_info.recv_iv = obfs_decode[0][:iv_len]
data = self._encryptor.decrypt(obfs_decode[0]) data = self._encryptor.decrypt(obfs_decode[0])
else: else:
data = obfs_decode[0] data = obfs_decode[0]
@ -673,6 +669,9 @@ class TCPRelayHandler(object):
if obfs_decode[1]: if obfs_decode[1]:
send_back = self._obfs.client_encode(b'') send_back = self._obfs.client_encode(b'')
self._write_to_sock(send_back, self._remote_sock) self._write_to_sock(send_back, self._remote_sock)
if not self._protocol.obfs.server_info.recv_iv:
iv_len = len(self._protocol.obfs.server_info.iv)
self._protocol.obfs.server_info.recv_iv = obfs_decode[0][:iv_len]
data = self._encryptor.decrypt(obfs_decode[0]) data = self._encryptor.decrypt(obfs_decode[0])
data = self._protocol.client_post_decrypt(data) data = self._protocol.client_post_decrypt(data)
else: else: