ota completed!
This commit is contained in:
parent
767b9217f8
commit
77b2a22055
4 changed files with 61 additions and 38 deletions
|
@ -37,6 +37,8 @@ def sha1_hmac(secret, data):
|
||||||
def onetimeauth_verify(_hash, data, key):
|
def onetimeauth_verify(_hash, data, key):
|
||||||
return _hash == sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
|
return _hash == sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
|
||||||
|
|
||||||
|
def onetimeauth_gen(data, key):
|
||||||
|
return sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
|
||||||
|
|
||||||
def compat_ord(s):
|
def compat_ord(s):
|
||||||
if type(s) == int:
|
if type(s) == int:
|
||||||
|
|
|
@ -130,11 +130,11 @@ def get_config(is_local):
|
||||||
logging.basicConfig(level=logging.INFO,
|
logging.basicConfig(level=logging.INFO,
|
||||||
format='%(levelname)-s: %(message)s')
|
format='%(levelname)-s: %(message)s')
|
||||||
if is_local:
|
if is_local:
|
||||||
shortopts = 'hd:s:b:p:k:l:m:c:t:vq'
|
shortopts = 'hd:s:b:p:k:l:m:c:t:vqa'
|
||||||
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'user=',
|
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'user=',
|
||||||
'version']
|
'version']
|
||||||
else:
|
else:
|
||||||
shortopts = 'hd:s:p:k:m:c:t:vq'
|
shortopts = 'hd:s:p:k:m:c:t:vqa'
|
||||||
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'workers=',
|
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'workers=',
|
||||||
'forbidden-ip=', 'user=', 'manager-address=', 'version']
|
'forbidden-ip=', 'user=', 'manager-address=', 'version']
|
||||||
try:
|
try:
|
||||||
|
|
|
@ -27,7 +27,7 @@ import traceback
|
||||||
import random
|
import random
|
||||||
|
|
||||||
from shadowsocks import encrypt, eventloop, shell, common
|
from shadowsocks import encrypt, eventloop, shell, common
|
||||||
from shadowsocks.common import parse_header, onetimeauth_verify, \
|
from shadowsocks.common import parse_header, onetimeauth_verify, onetimeauth_gen, \
|
||||||
ONETIMEAUTH_BYTES, ONETIMEAUTH_CHUNK_BYTES, ONETIMEAUTH_CHUNK_DATA_LEN, ADDRTYPE_AUTH
|
ONETIMEAUTH_BYTES, ONETIMEAUTH_CHUNK_BYTES, ONETIMEAUTH_CHUNK_DATA_LEN, ADDRTYPE_AUTH
|
||||||
|
|
||||||
# we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time
|
# we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time
|
||||||
|
@ -233,12 +233,14 @@ class TCPRelayHandler(object):
|
||||||
|
|
||||||
def _handle_stage_connecting(self, data):
|
def _handle_stage_connecting(self, data):
|
||||||
if self._is_local:
|
if self._is_local:
|
||||||
|
if self._one_time_auth_enable:
|
||||||
|
data = self._one_time_auth_chunk_data_gen(data)
|
||||||
data = self._encryptor.encrypt(data)
|
data = self._encryptor.encrypt(data)
|
||||||
if self._one_time_auth_enable:
|
|
||||||
self._one_time_auth_chunk_data(data,
|
|
||||||
self._data_to_write_to_remote.append)
|
|
||||||
else:
|
|
||||||
self._data_to_write_to_remote.append(data)
|
self._data_to_write_to_remote.append(data)
|
||||||
|
else:
|
||||||
|
if self._one_time_auth_enable:
|
||||||
|
self._one_time_auth_chunk_data(data,
|
||||||
|
self._data_to_write_to_remote.append)
|
||||||
if self._is_local and not self._fastopen_connected and \
|
if self._is_local and not self._fastopen_connected and \
|
||||||
self._config['fast_open']:
|
self._config['fast_open']:
|
||||||
# for sslocal and fastopen, we basically wait for data and use
|
# for sslocal and fastopen, we basically wait for data and use
|
||||||
|
@ -306,17 +308,18 @@ class TCPRelayHandler(object):
|
||||||
logging.info('connecting %s:%d from %s:%d' %
|
logging.info('connecting %s:%d from %s:%d' %
|
||||||
(common.to_str(remote_addr), remote_port,
|
(common.to_str(remote_addr), remote_port,
|
||||||
self._client_address[0], self._client_address[1]))
|
self._client_address[0], self._client_address[1]))
|
||||||
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
if self._is_local is False:
|
||||||
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
|
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
||||||
if len(data) < header_length + ONETIMEAUTH_BYTES:
|
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
|
||||||
logging.warn('one time auth header is too short')
|
if len(data) < header_length + ONETIMEAUTH_BYTES:
|
||||||
return None
|
logging.warn('one time auth header is too short')
|
||||||
if onetimeauth_verify(data[header_length: header_length+ONETIMEAUTH_BYTES],
|
return None
|
||||||
data[:header_length],
|
if onetimeauth_verify(data[header_length: header_length+ONETIMEAUTH_BYTES],
|
||||||
self._encryptor.decipher_iv + self._encryptor.key) is False:
|
data[:header_length],
|
||||||
logging.warn('one time auth fail')
|
self._encryptor.decipher_iv + self._encryptor.key) is False:
|
||||||
self.destroy()
|
logging.warn('one time auth fail')
|
||||||
header_length += ONETIMEAUTH_BYTES
|
self.destroy()
|
||||||
|
header_length += ONETIMEAUTH_BYTES
|
||||||
self._remote_address = (common.to_str(remote_addr), remote_port)
|
self._remote_address = (common.to_str(remote_addr), remote_port)
|
||||||
# pause reading
|
# pause reading
|
||||||
self._update_stream(STREAM_UP, WAIT_STATUS_WRITING)
|
self._update_stream(STREAM_UP, WAIT_STATUS_WRITING)
|
||||||
|
@ -326,6 +329,11 @@ class TCPRelayHandler(object):
|
||||||
self._write_to_sock((b'\x05\x00\x00\x01'
|
self._write_to_sock((b'\x05\x00\x00\x01'
|
||||||
b'\x00\x00\x00\x00\x10\x10'),
|
b'\x00\x00\x00\x00\x10\x10'),
|
||||||
self._local_sock)
|
self._local_sock)
|
||||||
|
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
||||||
|
# ATYP & 0x10 == 1, then OTA is enabled.
|
||||||
|
if self._one_time_auth_enable:
|
||||||
|
data = chr(ord(data[0]) | ADDRTYPE_AUTH) + data[1:]
|
||||||
|
data += onetimeauth_gen(data, self._encryptor.cipher_iv + self._encryptor.key)
|
||||||
data_to_send = self._encryptor.encrypt(data)
|
data_to_send = self._encryptor.encrypt(data)
|
||||||
self._data_to_write_to_remote.append(data_to_send)
|
self._data_to_write_to_remote.append(data_to_send)
|
||||||
# notice here may go into _handle_dns_resolved directly
|
# notice here may go into _handle_dns_resolved directly
|
||||||
|
@ -436,23 +444,30 @@ class TCPRelayHandler(object):
|
||||||
self._one_time_auth_buff_data,
|
self._one_time_auth_buff_data,
|
||||||
self._encryptor.decipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx)) \
|
self._encryptor.decipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx)) \
|
||||||
is False:
|
is False:
|
||||||
#
|
|
||||||
logging.warn('one time auth fail, drop chunk !')
|
logging.warn('one time auth fail, drop chunk !')
|
||||||
else:
|
else:
|
||||||
data_cb(self._one_time_auth_buff_data)
|
data_cb(self._one_time_auth_buff_data)
|
||||||
|
self._one_time_auth_chunk_idx += 1
|
||||||
self._one_time_auth_buff_head = ''
|
self._one_time_auth_buff_head = ''
|
||||||
self._one_time_auth_buff_data = ''
|
self._one_time_auth_buff_data = ''
|
||||||
self._one_time_auth_chunk_idx += 1
|
|
||||||
self._one_time_auth_len = 0
|
self._one_time_auth_len = 0
|
||||||
return
|
return
|
||||||
|
|
||||||
|
def _one_time_auth_chunk_data_gen(self, data):
|
||||||
|
data_len = struct.pack(">H", len(data))
|
||||||
|
sha110 = onetimeauth_gen(data, self._encryptor.cipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx))
|
||||||
|
self._one_time_auth_chunk_idx += 1
|
||||||
|
return data_len + sha110 + data
|
||||||
|
|
||||||
def _handle_stage_stream(self, data):
|
def _handle_stage_stream(self, data):
|
||||||
if self._is_local:
|
if self._is_local:
|
||||||
|
if self._one_time_auth_enable:
|
||||||
|
data = self._one_time_auth_chunk_data_gen(data)
|
||||||
data = self._encryptor.encrypt(data)
|
data = self._encryptor.encrypt(data)
|
||||||
if self._one_time_auth_enable:
|
|
||||||
self._one_time_auth_chunk_data(data, self._write_to_sock_remote)
|
|
||||||
else:
|
|
||||||
self._write_to_sock(data, self._remote_sock)
|
self._write_to_sock(data, self._remote_sock)
|
||||||
|
else:
|
||||||
|
if self._one_time_auth_enable:
|
||||||
|
self._one_time_auth_chunk_data(data, self._write_to_sock_remote)
|
||||||
return
|
return
|
||||||
|
|
||||||
def _on_local_read(self):
|
def _on_local_read(self):
|
||||||
|
|
|
@ -119,7 +119,7 @@ class UDPRelay(object):
|
||||||
addrs = socket.getaddrinfo(self._listen_addr, self._listen_port, 0,
|
addrs = socket.getaddrinfo(self._listen_addr, self._listen_port, 0,
|
||||||
socket.SOCK_DGRAM, socket.SOL_UDP)
|
socket.SOCK_DGRAM, socket.SOL_UDP)
|
||||||
if len(addrs) == 0:
|
if len(addrs) == 0:
|
||||||
raise Exception("can't get addrinfo for %s:%d" %
|
raise Exception("UDP can't get addrinfo for %s:%d" %
|
||||||
(self._listen_addr, self._listen_port))
|
(self._listen_addr, self._listen_port))
|
||||||
af, socktype, proto, canonname, sa = addrs[0]
|
af, socktype, proto, canonname, sa = addrs[0]
|
||||||
server_socket = socket.socket(af, socktype, proto)
|
server_socket = socket.socket(af, socktype, proto)
|
||||||
|
@ -157,7 +157,7 @@ class UDPRelay(object):
|
||||||
if self._is_local:
|
if self._is_local:
|
||||||
frag = common.ord(data[2])
|
frag = common.ord(data[2])
|
||||||
if frag != 0:
|
if frag != 0:
|
||||||
logging.warn('drop a message since frag is not 0')
|
logging.warn('UDP drop a message since frag is not 0')
|
||||||
return
|
return
|
||||||
else:
|
else:
|
||||||
data = data[3:]
|
data = data[3:]
|
||||||
|
@ -176,7 +176,18 @@ class UDPRelay(object):
|
||||||
server_addr, server_port = self._get_a_server()
|
server_addr, server_port = self._get_a_server()
|
||||||
else:
|
else:
|
||||||
server_addr, server_port = dest_addr, dest_port
|
server_addr, server_port = dest_addr, dest_port
|
||||||
|
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
||||||
|
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
|
||||||
|
if len(data) < header_length + ONETIMEAUTH_BYTES:
|
||||||
|
logging.warn('UDP one time auth header is too short')
|
||||||
|
return None
|
||||||
|
if onetimeauth_verify(data[-ONETIMEAUTH_BYTES:],
|
||||||
|
data[header_length: -ONETIMEAUTH_BYTES],
|
||||||
|
self._encryptor.decipher_iv + self._encryptor.key) is False:
|
||||||
|
logging.warn('UDP one time auth fail')
|
||||||
|
return None
|
||||||
|
self._one_time_authed = True
|
||||||
|
header_length += ONETIMEAUTH_BYTES
|
||||||
addrs = self._dns_cache.get(server_addr, None)
|
addrs = self._dns_cache.get(server_addr, None)
|
||||||
if addrs is None:
|
if addrs is None:
|
||||||
addrs = socket.getaddrinfo(server_addr, server_port, 0,
|
addrs = socket.getaddrinfo(server_addr, server_port, 0,
|
||||||
|
@ -207,6 +218,9 @@ class UDPRelay(object):
|
||||||
self._eventloop.add(client, eventloop.POLL_IN, self)
|
self._eventloop.add(client, eventloop.POLL_IN, self)
|
||||||
|
|
||||||
if self._is_local:
|
if self._is_local:
|
||||||
|
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
||||||
|
if self._one_time_auth_enable:
|
||||||
|
data = _one_time_auth_chunk_data_gen(data)
|
||||||
data = encrypt.encrypt_all(self._password, self._method, 1, data)
|
data = encrypt.encrypt_all(self._password, self._method, 1, data)
|
||||||
if not data:
|
if not data:
|
||||||
return
|
return
|
||||||
|
@ -249,18 +263,6 @@ class UDPRelay(object):
|
||||||
if header_result is None:
|
if header_result is None:
|
||||||
return
|
return
|
||||||
addrtype, dest_addr, dest_port, header_length = header_result
|
addrtype, dest_addr, dest_port, header_length = header_result
|
||||||
# spec https://shadowsocks.org/en/spec/one-time-auth.html
|
|
||||||
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
|
|
||||||
if len(data) < header_length + ONETIMEAUTH_BYTES:
|
|
||||||
logging.warn('one time auth header is too short')
|
|
||||||
return None
|
|
||||||
if onetimeauth_verify(data[-ONETIMEAUTH_BYTES:],
|
|
||||||
data[header_length: -ONETIMEAUTH_BYTES],
|
|
||||||
self._encryptor.decipher_iv + self._encryptor.key) is False:
|
|
||||||
logging.warn('one time auth fail')
|
|
||||||
return None
|
|
||||||
self._one_time_authed = True
|
|
||||||
header_length += ONETIMEAUTH_BYTES
|
|
||||||
response = b'\x00\x00\x00' + data
|
response = b'\x00\x00\x00' + data
|
||||||
client_addr = self._client_fd_to_server_addr.get(sock.fileno())
|
client_addr = self._client_fd_to_server_addr.get(sock.fileno())
|
||||||
if client_addr:
|
if client_addr:
|
||||||
|
@ -270,6 +272,10 @@ class UDPRelay(object):
|
||||||
# simply drop that packet
|
# simply drop that packet
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
def _one_time_auth_chunk_data_gen(self, data):
|
||||||
|
data = chr(ord(data[0]) | ADDRTYPE_AUTH) + data[1:]
|
||||||
|
return data + onetimeauth_gen(data, self._encryptor.cipher_iv + self._encryptor.key)
|
||||||
|
|
||||||
def add_to_loop(self, loop):
|
def add_to_loop(self, loop):
|
||||||
if self._eventloop:
|
if self._eventloop:
|
||||||
raise Exception('already add to loop')
|
raise Exception('already add to loop')
|
||||||
|
|
Loading…
Reference in a new issue