Merge pull request #1 from shadowsocks/master

update
2018-07-13 11:37:19 +08:00 · 2018-07-13 11:37:19 +08:00 · 7d82bab83e
commit 7d82bab83e
parent 2ab8c6bf5d e332ec93e9
5 changed files with 47 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -28,6 +28,11 @@ CentOS:
    yum install python-setuptools && easy_install pip
    pip install git+https://github.com/shadowsocks/shadowsocks.git@master

+For CentOS 7, if you need AEAD ciphers, you need install libsodium
+```
+dnf install libsodium python34-pip
+pip3 install  git+https://github.com/shadowsocks/shadowsocks.git@master
+```
 Linux distributions with [snap](http://snapcraft.io/):

    snap install shadowsocks
--- a/shadowsocks/crypto/mbedtls.py
+++ b/shadowsocks/crypto/mbedtls.py
@ -408,22 +408,20 @@ ciphers = {


 def run_method(method):
-    from shadowsocks.crypto import openssl

    print(method, ': [stream]', 32)
    cipher = MbedTLSStreamCrypto(method, b'k' * 32, b'i' * 16, 1)
-    decipher = openssl.OpenSSLStreamCrypto(method, b'k' * 32, b'i' * 16, 0)
+    decipher = MbedTLSStreamCrypto(method, b'k' * 32, b'i' * 16, 0)

    util.run_cipher(cipher, decipher)


 def run_aead_method(method, key_len=16):
-    from shadowsocks.crypto import openssl

    print(method, ': [payload][tag]', key_len)
    key_len = int(key_len)
    cipher = MbedTLSAeadCrypto(method, b'k' * key_len, b'i' * key_len, 1)
-    decipher = openssl.OpenSSLAeadCrypto(
+    decipher = MbedTLSAeadCrypto(
        method,
        b'k' * key_len, b'i' * key_len, 0
    )
@ -432,12 +430,11 @@ def run_aead_method(method, key_len=16):


 def run_aead_method_chunk(method, key_len=16):
-    from shadowsocks.crypto import openssl

    print(method, ': chunk([size][tag][payload][tag]', key_len)
    key_len = int(key_len)
    cipher = MbedTLSAeadCrypto(method, b'k' * key_len, b'i' * key_len, 1)
-    decipher = openssl.OpenSSLAeadCrypto(
+    decipher = MbedTLSAeadCrypto(
        method,
        b'k' * key_len, b'i' * key_len, 0
    )
--- a/shadowsocks/crypto/openssl.py
+++ b/shadowsocks/crypto/openssl.py
@ -346,6 +346,8 @@ def run_method(method):

 def run_aead_method(method, key_len=16):

+    if not loaded:
+        load_openssl(None)
    print(method, ': [payload][tag]', key_len)
    cipher = libcrypto.EVP_get_cipherbyname(common.to_bytes(method))
    if not cipher:
@ -362,6 +364,8 @@ def run_aead_method(method, key_len=16):

 def run_aead_method_chunk(method, key_len=16):

+    if not loaded:
+        load_openssl(None)
    print(method, ': chunk([size][tag][payload][tag]', key_len)
    cipher = libcrypto.EVP_get_cipherbyname(common.to_bytes(method))
    if not cipher:
--- a/tests/libopenssl/install.sh
+++ b/tests/libopenssl/install.sh
@ -10,3 +10,10 @@ pushd openssl-$OPENSSL_VER
 # sudo ldconfig  # test multiple libcrypto
 popd
 rm -rf openssl-$OPENSSL_VER || exit 1
+
+rm /usr/bin/openssl || exit 1
+rm -r /usr/include/openssl || exit 1
+ln -s /usr/local/bin/openssl /usr/bin/openssl || exit 1
+ln -s /usr/local/include/openssl /usr/include/openssl || exit 1
+echo /usr/local/lib >> /etc/ld.so.conf || exit 1
+ldconfig -v || exit 1
--- a/utils/autoban.py
+++ b/utils/autoban.py
@ -24,9 +24,17 @@
 from __future__ import absolute_import, division, print_function, \
    with_statement

-import os
 import sys
+import socket
 import argparse
+import subprocess
+
+
+def inet_pton(str_ip):
+    try:
+        return socket.inet_pton(socket.AF_INET, str_ip)
+    except socket.error:
+        return None

 if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='See README')
@ -37,17 +45,22 @@ if __name__ == '__main__':
    ips = {}
    banned = set()
    for line in sys.stdin:
-        if 'can not parse header when' in line:
-            ip = line.split()[-1].split(':')[-2]
-            if ip not in ips:
-                ips[ip] = 1
-                print(ip)
-                sys.stdout.flush()
-            else:
-                ips[ip] += 1
-            if ip not in banned and ips[ip] >= config.count:
-                banned.add(ip)
-                cmd = 'iptables -A INPUT -s %s -j DROP' % ip
-                print(cmd, file=sys.stderr)
-                sys.stderr.flush()
-                os.system(cmd)
+        if 'can not parse header when' not in line:
+            continue
+        ip_str = line.split()[-1].rsplit(':', 1)[0]
+        ip = inet_pton(ip_str)
+        if ip is None:
+            continue
+        if ip not in ips:
+            ips[ip] = 1
+            sys.stdout.flush()
+        else:
+            ips[ip] += 1
+        if ip not in banned and ips[ip] >= config.count:
+            banned.add(ip)
+            print('ban ip %s' % ip_str)
+            cmd = ['iptables', '-A', 'INPUT', '-s', ip_str, '-j', 'DROP',
+                   '-m', 'comment', '--comment', 'autoban']
+            print(' '.join(cmd), file=sys.stderr)
+            sys.stderr.flush()
+            subprocess.call(cmd)