one time auth server side
This commit is contained in:
parent
173323c0f8
commit
767b9217f8
5 changed files with 130 additions and 21 deletions
|
@ -21,6 +21,21 @@ from __future__ import absolute_import, division, print_function, \
|
|||
import socket
|
||||
import struct
|
||||
import logging
|
||||
import hashlib
|
||||
import hmac
|
||||
|
||||
|
||||
ONETIMEAUTH_BYTES = 10
|
||||
ONETIMEAUTH_CHUNK_BYTES = 12
|
||||
ONETIMEAUTH_CHUNK_DATA_LEN = 2
|
||||
|
||||
|
||||
def sha1_hmac(secret, data):
|
||||
return hmac.new(secret, data, hashlib.sha1).digest()
|
||||
|
||||
|
||||
def onetimeauth_verify(_hash, data, key):
|
||||
return _hash == sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
|
||||
|
||||
|
||||
def compat_ord(s):
|
||||
|
@ -118,9 +133,11 @@ def patch_socket():
|
|||
patch_socket()
|
||||
|
||||
|
||||
ADDRTYPE_IPV4 = 1
|
||||
ADDRTYPE_IPV6 = 4
|
||||
ADDRTYPE_HOST = 3
|
||||
ADDRTYPE_IPV4 = 0x01
|
||||
ADDRTYPE_IPV6 = 0x04
|
||||
ADDRTYPE_HOST = 0x03
|
||||
ADDRTYPE_AUTH = 0x10
|
||||
ADDRTYPE_MASK = 0xF
|
||||
|
||||
|
||||
def pack_addr(address):
|
||||
|
@ -144,14 +161,14 @@ def parse_header(data):
|
|||
dest_addr = None
|
||||
dest_port = None
|
||||
header_length = 0
|
||||
if addrtype == ADDRTYPE_IPV4:
|
||||
if addrtype & ADDRTYPE_MASK == ADDRTYPE_IPV4:
|
||||
if len(data) >= 7:
|
||||
dest_addr = socket.inet_ntoa(data[1:5])
|
||||
dest_port = struct.unpack('>H', data[5:7])[0]
|
||||
header_length = 7
|
||||
else:
|
||||
logging.warn('header is too short')
|
||||
elif addrtype == ADDRTYPE_HOST:
|
||||
elif addrtype & ADDRTYPE_MASK == ADDRTYPE_HOST:
|
||||
if len(data) > 2:
|
||||
addrlen = ord(data[1])
|
||||
if len(data) >= 4 + addrlen:
|
||||
|
@ -163,7 +180,7 @@ def parse_header(data):
|
|||
logging.warn('header is too short')
|
||||
else:
|
||||
logging.warn('header is too short')
|
||||
elif addrtype == ADDRTYPE_IPV6:
|
||||
elif addrtype & ADDRTYPE_MASK == ADDRTYPE_IPV6:
|
||||
if len(data) >= 19:
|
||||
dest_addr = socket.inet_ntop(socket.AF_INET6, data[1:17])
|
||||
dest_port = struct.unpack('>H', data[17:19])[0]
|
||||
|
|
|
@ -69,17 +69,18 @@ def EVP_BytesToKey(password, key_len, iv_len):
|
|||
|
||||
|
||||
class Encryptor(object):
|
||||
def __init__(self, key, method):
|
||||
self.key = key
|
||||
def __init__(self, password, method):
|
||||
self.password = password
|
||||
self.key = None
|
||||
self.method = method
|
||||
self.iv = None
|
||||
self.iv_sent = False
|
||||
self.cipher_iv = b''
|
||||
self.decipher = None
|
||||
self.decipher_iv = None
|
||||
method = method.lower()
|
||||
self._method_info = self.get_method_info(method)
|
||||
if self._method_info:
|
||||
self.cipher = self.get_cipher(key, method, 1,
|
||||
self.cipher = self.get_cipher(password, method, 1,
|
||||
random_string(self._method_info[1]))
|
||||
else:
|
||||
logging.error('method %s not supported' % method)
|
||||
|
@ -101,7 +102,7 @@ class Encryptor(object):
|
|||
else:
|
||||
# key_length == 0 indicates we should use the key directly
|
||||
key, iv = password, b''
|
||||
|
||||
self.key = key
|
||||
iv = iv[:m[1]]
|
||||
if op == 1:
|
||||
# this iv is for cipher not decipher
|
||||
|
@ -123,7 +124,8 @@ class Encryptor(object):
|
|||
if self.decipher is None:
|
||||
decipher_iv_len = self._method_info[1]
|
||||
decipher_iv = buf[:decipher_iv_len]
|
||||
self.decipher = self.get_cipher(self.key, self.method, 0,
|
||||
self.decipher_iv = decipher_iv
|
||||
self.decipher = self.get_cipher(self.password, self.method, 0,
|
||||
iv=decipher_iv)
|
||||
buf = buf[decipher_iv_len:]
|
||||
if len(buf) == 0:
|
||||
|
@ -135,6 +137,7 @@ def encrypt_all(password, method, op, data):
|
|||
result = []
|
||||
method = method.lower()
|
||||
(key_len, iv_len, m) = method_supported[method]
|
||||
key = None
|
||||
if key_len > 0:
|
||||
key, _ = EVP_BytesToKey(password, key_len, iv_len)
|
||||
else:
|
||||
|
|
|
@ -174,6 +174,8 @@ def get_config(is_local):
|
|||
v_count += 1
|
||||
# '-vv' turns on more verbose mode
|
||||
config['verbose'] = v_count
|
||||
elif key == '-a':
|
||||
config['one_time_auth'] = True
|
||||
elif key == '-t':
|
||||
config['timeout'] = int(value)
|
||||
elif key == '--fast-open':
|
||||
|
@ -315,6 +317,7 @@ Proxy options:
|
|||
-k PASSWORD password
|
||||
-m METHOD encryption method, default: aes-256-cfb
|
||||
-t TIMEOUT timeout in seconds, default: 300
|
||||
-a ONE_TIME_AUTH one time auth
|
||||
--fast-open use TCP_FASTOPEN, requires Linux 3.7+
|
||||
--workers WORKERS number of workers, available on Unix/Linux
|
||||
--forbidden-ip IPLIST comma seperated IP list forbidden to connect
|
||||
|
|
|
@ -27,7 +27,8 @@ import traceback
|
|||
import random
|
||||
|
||||
from shadowsocks import encrypt, eventloop, shell, common
|
||||
from shadowsocks.common import parse_header
|
||||
from shadowsocks.common import parse_header, onetimeauth_verify, \
|
||||
ONETIMEAUTH_BYTES, ONETIMEAUTH_CHUNK_BYTES, ONETIMEAUTH_CHUNK_DATA_LEN, ADDRTYPE_AUTH
|
||||
|
||||
# we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time
|
||||
TIMEOUTS_CLEAN_SIZE = 512
|
||||
|
@ -107,6 +108,14 @@ class TCPRelayHandler(object):
|
|||
self._stage = STAGE_INIT
|
||||
self._encryptor = encrypt.Encryptor(config['password'],
|
||||
config['method'])
|
||||
if 'one_time_auth' in config and config['one_time_auth']:
|
||||
self._one_time_auth_enable = True
|
||||
else:
|
||||
self._one_time_auth_enable = False
|
||||
self._one_time_auth_buff_head = ''
|
||||
self._one_time_auth_buff_data = ''
|
||||
self._one_time_auth_len = 0
|
||||
self._one_time_auth_chunk_idx = 0
|
||||
self._fastopen_connected = False
|
||||
self._data_to_write_to_local = []
|
||||
self._data_to_write_to_remote = []
|
||||
|
@ -225,7 +234,11 @@ class TCPRelayHandler(object):
|
|||
def _handle_stage_connecting(self, data):
|
||||
if self._is_local:
|
||||
data = self._encryptor.encrypt(data)
|
||||
self._data_to_write_to_remote.append(data)
|
||||
if self._one_time_auth_enable:
|
||||
self._one_time_auth_chunk_data(data,
|
||||
self._data_to_write_to_remote.append)
|
||||
else:
|
||||
self._data_to_write_to_remote.append(data)
|
||||
if self._is_local and not self._fastopen_connected and \
|
||||
self._config['fast_open']:
|
||||
# for sslocal and fastopen, we basically wait for data and use
|
||||
|
@ -293,6 +306,17 @@ class TCPRelayHandler(object):
|
|||
logging.info('connecting %s:%d from %s:%d' %
|
||||
(common.to_str(remote_addr), remote_port,
|
||||
self._client_address[0], self._client_address[1]))
|
||||
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
||||
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
|
||||
if len(data) < header_length + ONETIMEAUTH_BYTES:
|
||||
logging.warn('one time auth header is too short')
|
||||
return None
|
||||
if onetimeauth_verify(data[header_length: header_length+ONETIMEAUTH_BYTES],
|
||||
data[:header_length],
|
||||
self._encryptor.decipher_iv + self._encryptor.key) is False:
|
||||
logging.warn('one time auth fail')
|
||||
self.destroy()
|
||||
header_length += ONETIMEAUTH_BYTES
|
||||
self._remote_address = (common.to_str(remote_addr), remote_port)
|
||||
# pause reading
|
||||
self._update_stream(STREAM_UP, WAIT_STATUS_WRITING)
|
||||
|
@ -308,7 +332,11 @@ class TCPRelayHandler(object):
|
|||
self._dns_resolver.resolve(self._chosen_server[0],
|
||||
self._handle_dns_resolved)
|
||||
else:
|
||||
if len(data) > header_length:
|
||||
if self._one_time_auth_enable:
|
||||
data = data[header_length:]
|
||||
self._one_time_auth_chunk_data(data,
|
||||
self._data_to_write_to_remote.append)
|
||||
elif len(data) > header_length:
|
||||
self._data_to_write_to_remote.append(data[header_length:])
|
||||
# notice here may go into _handle_dns_resolved directly
|
||||
self._dns_resolver.resolve(remote_addr,
|
||||
|
@ -344,7 +372,6 @@ class TCPRelayHandler(object):
|
|||
if result:
|
||||
ip = result[1]
|
||||
if ip:
|
||||
|
||||
try:
|
||||
self._stage = STAGE_CONNECTING
|
||||
remote_addr = ip
|
||||
|
@ -384,6 +411,50 @@ class TCPRelayHandler(object):
|
|||
traceback.print_exc()
|
||||
self.destroy()
|
||||
|
||||
def _write_to_sock_remote(self, data):
|
||||
self._write_to_sock(data, self._remote_sock)
|
||||
|
||||
def _one_time_auth_chunk_data(self, data, data_cb):
|
||||
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
||||
while len(data) > 0:
|
||||
if self._one_time_auth_len == 0:
|
||||
# get DATA.LEN + HMAC-SHA1
|
||||
length = ONETIMEAUTH_CHUNK_BYTES - len(self._one_time_auth_buff_head)
|
||||
self._one_time_auth_buff_head += data[:length]
|
||||
data = data[length:]
|
||||
if len(self._one_time_auth_buff_head) < ONETIMEAUTH_CHUNK_BYTES:
|
||||
# wait more data
|
||||
return
|
||||
self._one_time_auth_len = struct.unpack('>H',
|
||||
self._one_time_auth_buff_head[:ONETIMEAUTH_CHUNK_DATA_LEN])[0]
|
||||
length = min(self._one_time_auth_len, len(data))
|
||||
self._one_time_auth_buff_data += data[:length]
|
||||
data = data[length:]
|
||||
if len(self._one_time_auth_buff_data) == self._one_time_auth_len:
|
||||
# get a chunk data
|
||||
if onetimeauth_verify(self._one_time_auth_buff_head[ONETIMEAUTH_CHUNK_DATA_LEN:],
|
||||
self._one_time_auth_buff_data,
|
||||
self._encryptor.decipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx)) \
|
||||
is False:
|
||||
#
|
||||
logging.warn('one time auth fail, drop chunk !')
|
||||
else:
|
||||
data_cb(self._one_time_auth_buff_data)
|
||||
self._one_time_auth_buff_head = ''
|
||||
self._one_time_auth_buff_data = ''
|
||||
self._one_time_auth_chunk_idx += 1
|
||||
self._one_time_auth_len = 0
|
||||
return
|
||||
|
||||
def _handle_stage_stream(self, data):
|
||||
if self._is_local:
|
||||
data = self._encryptor.encrypt(data)
|
||||
if self._one_time_auth_enable:
|
||||
self._one_time_auth_chunk_data(data, self._write_to_sock_remote)
|
||||
else:
|
||||
self._write_to_sock(data, self._remote_sock)
|
||||
return
|
||||
|
||||
def _on_local_read(self):
|
||||
# handle all local read events and dispatch them to methods for
|
||||
# each stage
|
||||
|
@ -406,9 +477,7 @@ class TCPRelayHandler(object):
|
|||
if not data:
|
||||
return
|
||||
if self._stage == STAGE_STREAM:
|
||||
if self._is_local:
|
||||
data = self._encryptor.encrypt(data)
|
||||
self._write_to_sock(data, self._remote_sock)
|
||||
self._handle_stage_stream(data)
|
||||
return
|
||||
elif is_local and self._stage == STAGE_INIT:
|
||||
# TODO check auth method
|
||||
|
|
|
@ -69,7 +69,8 @@ import errno
|
|||
import random
|
||||
|
||||
from shadowsocks import encrypt, eventloop, lru_cache, common, shell
|
||||
from shadowsocks.common import parse_header, pack_addr
|
||||
from shadowsocks.common import parse_header, pack_addr, \
|
||||
ONETIMEAUTH_BYTES, ONETIMEAUTH_CHUNK_BYTES, ONETIMEAUTH_CHUNK_DATA_LEN, ADDRTYPE_AUTH
|
||||
|
||||
|
||||
BUF_SIZE = 65536
|
||||
|
@ -97,6 +98,10 @@ class UDPRelay(object):
|
|||
self._password = common.to_bytes(config['password'])
|
||||
self._method = config['method']
|
||||
self._timeout = config['timeout']
|
||||
if 'one_time_auth' in config and config['one_time_auth']:
|
||||
self._one_time_auth_enable = True
|
||||
else:
|
||||
self._one_time_auth_enable = False
|
||||
self._is_local = is_local
|
||||
self._cache = lru_cache.LRUCache(timeout=config['timeout'],
|
||||
close_callback=self._close_client)
|
||||
|
@ -243,7 +248,19 @@ class UDPRelay(object):
|
|||
header_result = parse_header(data)
|
||||
if header_result is None:
|
||||
return
|
||||
# addrtype, dest_addr, dest_port, header_length = header_result
|
||||
addrtype, dest_addr, dest_port, header_length = header_result
|
||||
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
||||
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
|
||||
if len(data) < header_length + ONETIMEAUTH_BYTES:
|
||||
logging.warn('one time auth header is too short')
|
||||
return None
|
||||
if onetimeauth_verify(data[-ONETIMEAUTH_BYTES:],
|
||||
data[header_length: -ONETIMEAUTH_BYTES],
|
||||
self._encryptor.decipher_iv + self._encryptor.key) is False:
|
||||
logging.warn('one time auth fail')
|
||||
return None
|
||||
self._one_time_authed = True
|
||||
header_length += ONETIMEAUTH_BYTES
|
||||
response = b'\x00\x00\x00' + data
|
||||
client_addr = self._client_fd_to_server_addr.get(sock.fileno())
|
||||
if client_addr:
|
||||
|
|
Loading…
Reference in a new issue