fix auth_sha1

fix tls1.0_session_auth
2015-12-21 18:03:52 +08:00 · 2015-12-21 18:03:52 +08:00 · 80604a9421
commit 80604a9421
parent 68a77ddc70
3 changed files with 20 additions and 16 deletions
--- a/shadowsocks/obfsplugin/auth.py
+++ b/shadowsocks/obfsplugin/auth.py
@ -374,7 +374,7 @@ class auth_sha1(verify_base):
        rnd_data = os.urandom(common.ord(os.urandom(1)[0]) % 128)
        data = common.chr(len(rnd_data) + 1) + rnd_data + buf
        data = struct.pack('>H', len(data) + 16) + data
-        crc = binascii.crc32(self.server_info.key)
+        crc = binascii.crc32(self.server_info.key) & 0xFFFFFFFF
        data = struct.pack('<I', crc) + data
        data += hmac.new(self.server_info.iv + self.server_info.key, data, hashlib.sha1).digest()[:10]
        return data
@ -416,20 +416,14 @@ class auth_sha1(verify_base):
            if length >= 8192 or length < 7:
                self.raw_trans = True
                self.recv_buf = b''
-                if self.decrypt_packet_num == 0:
-                    return None
-                else:
-                    raise Exception('client_post_decrypt data error')
+                raise Exception('client_post_decrypt data error')
            if length > len(self.recv_buf):
                break

            if struct.pack('<I', zlib.adler32(self.recv_buf[:length - 4]) & 0xFFFFFFFF) != self.recv_buf[length - 4:length]:
                self.raw_trans = True
                self.recv_buf = b''
-                if self.decrypt_packet_num == 0:
-                    return None
-                else:
-                    raise Exception('client_post_decrypt data uncorrect checksum')
+                raise Exception('client_post_decrypt data uncorrect checksum')

            pos = common.ord(self.recv_buf[2]) + 2
            out_buf += self.recv_buf[pos:length - 4]
--- a/shadowsocks/obfsplugin/obfs_tls.py
+++ b/shadowsocks/obfsplugin/obfs_tls.py
@ -164,7 +164,7 @@ class tls_auth(plain.plain):
            return data
        if self.has_recv_header:
            data = b"\x14" + self.tls_version + "\x00\x01\x01" #ChangeCipherSpec
-            data += b"\x16" + self.tls_version + "\x00\x01\x20" + os.urandom(22) #Finished
+            data += b"\x16" + self.tls_version + "\x00\x20" + os.urandom(22) #Finished
            data += hmac.new(self.server_info.key + self.server_info.data.client_id, data, hashlib.sha1).digest()[:10]
            ret = data + self.send_buffer
            self.send_buffer = b''
@ -175,6 +175,13 @@ class tls_auth(plain.plain):
    def client_decode(self, buf):
        if self.has_recv_header:
            return (buf, False)
+        if len(buf) < 11 + 32 + 1 + 32:
+            logging.error('client_decode data error')
+            return (b'', True)
+        verify = buf[11:33]
+        if hmac.new(self.server_info.key + self.server_info.data.client_id, verify, hashlib.sha1).digest()[:10] != buf[33:43]:
+            logging.error('client_decode data error')
+            return (b'', True)
        self.has_recv_header = True
        return (b'', True)

@ -186,7 +193,7 @@ class tls_auth(plain.plain):
        data = b"\x02\x00" + struct.pack('>H', len(data)) + data #server hello
        data = b"\x16" + self.tls_version + struct.pack('>H', len(data)) + data
        data += b"\x14" + self.tls_version + "\x00\x01\x01" #ChangeCipherSpec
-        data += b"\x16" + self.tls_version + "\x00\x01\x20" + os.urandom(22) #Finished
+        data += b"\x16" + self.tls_version + "\x00\x20" + os.urandom(22) #Finished
        data += hmac.new(self.server_info.key + self.client_id, data, hashlib.sha1).digest()[:10]
        return data

@ -203,8 +210,8 @@ class tls_auth(plain.plain):

        if self.has_recv_header:
            verify = buf
-            verify_len = 44 - 10
-            if len(buf) < 44:
+            verify_len = 43 - 10
+            if len(buf) < 43:
                logging.error('server_decode data error')
                return self.decode_error_return(b'')
            if not match_begin(buf, b"\x14" + self.tls_version + "\x00\x01\x01"): #ChangeCipherSpec
@ -217,10 +224,10 @@ class tls_auth(plain.plain):
            if hmac.new(self.server_info.key + self.client_id, verify[:verify_len], hashlib.sha1).digest()[:10] != verify[verify_len:verify_len+10]:
                logging.error('server_decode data error')
                return self.decode_error_return(b'')
-            if len(buf) < 38:
+            if len(buf) < 37:
                logging.error('server_decode data error')
                return self.decode_error_return(b'')
-            buf = buf[38:]
+            buf = buf[37:]
            self.raw_trans_recv = True
            return (buf, True, False)

--- a/shadowsocks/tcprelay.py
+++ b/shadowsocks/tcprelay.py
@ -333,7 +333,10 @@ class TCPRelayHandler(object):
            addr = struct.unpack('>I', address_bytes)[0]
        else:
            addr = 0
-        host_post = common.to_str(host_list[((hash_code & 0xffffffff) + addr) % len(host_list)])
+        if type(host_list) == list:
+            host_post = common.to_str(host_list[((hash_code & 0xffffffff) + addr) % len(host_list)])
+        else:
+            host_post = host_list
        items = host_post.rsplit(':', 1)
        if len(items) > 1:
            try: