ota completed!

This commit is contained in:
jsy 2016-01-11 10:11:31 +08:00
parent 767b9217f8
commit 77b2a22055
4 changed files with 61 additions and 38 deletions

View file

@ -37,6 +37,8 @@ def sha1_hmac(secret, data):
def onetimeauth_verify(_hash, data, key):
return _hash == sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
def onetimeauth_gen(data, key):
return sha1_hmac(key, data)[:ONETIMEAUTH_BYTES]
def compat_ord(s):
if type(s) == int:

View file

@ -130,11 +130,11 @@ def get_config(is_local):
logging.basicConfig(level=logging.INFO,
format='%(levelname)-s: %(message)s')
if is_local:
shortopts = 'hd:s:b:p:k:l:m:c:t:vq'
shortopts = 'hd:s:b:p:k:l:m:c:t:vqa'
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'user=',
'version']
else:
shortopts = 'hd:s:p:k:m:c:t:vq'
shortopts = 'hd:s:p:k:m:c:t:vqa'
longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'workers=',
'forbidden-ip=', 'user=', 'manager-address=', 'version']
try:

View file

@ -27,7 +27,7 @@ import traceback
import random
from shadowsocks import encrypt, eventloop, shell, common
from shadowsocks.common import parse_header, onetimeauth_verify, \
from shadowsocks.common import parse_header, onetimeauth_verify, onetimeauth_gen, \
ONETIMEAUTH_BYTES, ONETIMEAUTH_CHUNK_BYTES, ONETIMEAUTH_CHUNK_DATA_LEN, ADDRTYPE_AUTH
# we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time
@ -233,12 +233,14 @@ class TCPRelayHandler(object):
def _handle_stage_connecting(self, data):
if self._is_local:
if self._one_time_auth_enable:
data = self._one_time_auth_chunk_data_gen(data)
data = self._encryptor.encrypt(data)
if self._one_time_auth_enable:
self._one_time_auth_chunk_data(data,
self._data_to_write_to_remote.append)
else:
self._data_to_write_to_remote.append(data)
else:
if self._one_time_auth_enable:
self._one_time_auth_chunk_data(data,
self._data_to_write_to_remote.append)
if self._is_local and not self._fastopen_connected and \
self._config['fast_open']:
# for sslocal and fastopen, we basically wait for data and use
@ -306,17 +308,18 @@ class TCPRelayHandler(object):
logging.info('connecting %s:%d from %s:%d' %
(common.to_str(remote_addr), remote_port,
self._client_address[0], self._client_address[1]))
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
if len(data) < header_length + ONETIMEAUTH_BYTES:
logging.warn('one time auth header is too short')
return None
if onetimeauth_verify(data[header_length: header_length+ONETIMEAUTH_BYTES],
data[:header_length],
self._encryptor.decipher_iv + self._encryptor.key) is False:
logging.warn('one time auth fail')
self.destroy()
header_length += ONETIMEAUTH_BYTES
if self._is_local is False:
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
if len(data) < header_length + ONETIMEAUTH_BYTES:
logging.warn('one time auth header is too short')
return None
if onetimeauth_verify(data[header_length: header_length+ONETIMEAUTH_BYTES],
data[:header_length],
self._encryptor.decipher_iv + self._encryptor.key) is False:
logging.warn('one time auth fail')
self.destroy()
header_length += ONETIMEAUTH_BYTES
self._remote_address = (common.to_str(remote_addr), remote_port)
# pause reading
self._update_stream(STREAM_UP, WAIT_STATUS_WRITING)
@ -326,6 +329,11 @@ class TCPRelayHandler(object):
self._write_to_sock((b'\x05\x00\x00\x01'
b'\x00\x00\x00\x00\x10\x10'),
self._local_sock)
# spec https://shadowsocks.org/en/spec/one-time-auth.html
# ATYP & 0x10 == 1, then OTA is enabled.
if self._one_time_auth_enable:
data = chr(ord(data[0]) | ADDRTYPE_AUTH) + data[1:]
data += onetimeauth_gen(data, self._encryptor.cipher_iv + self._encryptor.key)
data_to_send = self._encryptor.encrypt(data)
self._data_to_write_to_remote.append(data_to_send)
# notice here may go into _handle_dns_resolved directly
@ -436,23 +444,30 @@ class TCPRelayHandler(object):
self._one_time_auth_buff_data,
self._encryptor.decipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx)) \
is False:
#
logging.warn('one time auth fail, drop chunk !')
else:
data_cb(self._one_time_auth_buff_data)
self._one_time_auth_chunk_idx += 1
self._one_time_auth_buff_head = ''
self._one_time_auth_buff_data = ''
self._one_time_auth_chunk_idx += 1
self._one_time_auth_len = 0
return
def _one_time_auth_chunk_data_gen(self, data):
data_len = struct.pack(">H", len(data))
sha110 = onetimeauth_gen(data, self._encryptor.cipher_iv + struct.pack('>I', self._one_time_auth_chunk_idx))
self._one_time_auth_chunk_idx += 1
return data_len + sha110 + data
def _handle_stage_stream(self, data):
if self._is_local:
if self._one_time_auth_enable:
data = self._one_time_auth_chunk_data_gen(data)
data = self._encryptor.encrypt(data)
if self._one_time_auth_enable:
self._one_time_auth_chunk_data(data, self._write_to_sock_remote)
else:
self._write_to_sock(data, self._remote_sock)
else:
if self._one_time_auth_enable:
self._one_time_auth_chunk_data(data, self._write_to_sock_remote)
return
def _on_local_read(self):

View file

@ -119,7 +119,7 @@ class UDPRelay(object):
addrs = socket.getaddrinfo(self._listen_addr, self._listen_port, 0,
socket.SOCK_DGRAM, socket.SOL_UDP)
if len(addrs) == 0:
raise Exception("can't get addrinfo for %s:%d" %
raise Exception("UDP can't get addrinfo for %s:%d" %
(self._listen_addr, self._listen_port))
af, socktype, proto, canonname, sa = addrs[0]
server_socket = socket.socket(af, socktype, proto)
@ -157,7 +157,7 @@ class UDPRelay(object):
if self._is_local:
frag = common.ord(data[2])
if frag != 0:
logging.warn('drop a message since frag is not 0')
logging.warn('UDP drop a message since frag is not 0')
return
else:
data = data[3:]
@ -176,7 +176,18 @@ class UDPRelay(object):
server_addr, server_port = self._get_a_server()
else:
server_addr, server_port = dest_addr, dest_port
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
if len(data) < header_length + ONETIMEAUTH_BYTES:
logging.warn('UDP one time auth header is too short')
return None
if onetimeauth_verify(data[-ONETIMEAUTH_BYTES:],
data[header_length: -ONETIMEAUTH_BYTES],
self._encryptor.decipher_iv + self._encryptor.key) is False:
logging.warn('UDP one time auth fail')
return None
self._one_time_authed = True
header_length += ONETIMEAUTH_BYTES
addrs = self._dns_cache.get(server_addr, None)
if addrs is None:
addrs = socket.getaddrinfo(server_addr, server_port, 0,
@ -207,6 +218,9 @@ class UDPRelay(object):
self._eventloop.add(client, eventloop.POLL_IN, self)
if self._is_local:
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable:
data = _one_time_auth_chunk_data_gen(data)
data = encrypt.encrypt_all(self._password, self._method, 1, data)
if not data:
return
@ -249,18 +263,6 @@ class UDPRelay(object):
if header_result is None:
return
addrtype, dest_addr, dest_port, header_length = header_result
# spec https://shadowsocks.org/en/spec/one-time-auth.html
if self._one_time_auth_enable or addrtype & ADDRTYPE_AUTH:
if len(data) < header_length + ONETIMEAUTH_BYTES:
logging.warn('one time auth header is too short')
return None
if onetimeauth_verify(data[-ONETIMEAUTH_BYTES:],
data[header_length: -ONETIMEAUTH_BYTES],
self._encryptor.decipher_iv + self._encryptor.key) is False:
logging.warn('one time auth fail')
return None
self._one_time_authed = True
header_length += ONETIMEAUTH_BYTES
response = b'\x00\x00\x00' + data
client_addr = self._client_fd_to_server_addr.get(sock.fileno())
if client_addr:
@ -270,6 +272,10 @@ class UDPRelay(object):
# simply drop that packet
pass
def _one_time_auth_chunk_data_gen(self, data):
data = chr(ord(data[0]) | ADDRTYPE_AUTH) + data[1:]
return data + onetimeauth_gen(data, self._encryptor.cipher_iv + self._encryptor.key)
def add_to_loop(self, loop):
if self._eventloop:
raise Exception('already add to loop')