vbatts/shadowsocks
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #1 from shadowsocks/master

Browse source 
update base fork
This commit is contained in:
michael 2015-05-25 15:15:31 +08:00
commit f022ac0de4
41 changed files with 1872 additions and 1171 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -17,7 +17,8 @@ develop-eggs
pip-log.txt pip-log.txt
# Unit test / coverage reports # Unit test / coverage reports
.coverage htmlcov
.coverage*
.tox .tox
#Translations #Translations

29
.travis.yml
View file

@ -9,28 +9,13 @@ cache:
- dante-1.4.0 - dante-1.4.0
before_install: before_install:
- sudo apt-get update -qq - sudo apt-get update -qq
- sudo apt-get install -qq build-essential libssl-dev swig python-m2crypto python-numpy dnsutils - sudo apt-get install -qq build-essential dnsutils iproute nginx bc
- pip install m2crypto salsa20 pep8 pyflakes nose coverage - sudo dd if=/dev/urandom of=/usr/share/nginx/www/file bs=1M count=10
- sudo sh -c "echo '127.0.0.1 localhost' > /etc/hosts"
- sudo service nginx restart
- pip install pep8 pyflakes nose coverage
- sudo tests/socksify/install.sh - sudo tests/socksify/install.sh
- sudo tests/libsodium/install.sh - sudo tests/libsodium/install.sh
- sudo tests/setup_tc.sh
script: script:
- pep8 . - tests/jenkins.sh
- pyflakes .
- coverage run tests/nose_plugin.py -v
- python setup.py sdist
- python tests/test.py --with-coverage -c tests/aes.json
- python tests/test.py --with-coverage -c tests/aes-ctr.json
- python tests/test.py --with-coverage -c tests/aes-cfb1.json
- python tests/test.py --with-coverage -c tests/aes-cfb8.json
- python tests/test.py --with-coverage -c tests/rc4-md5.json
- python tests/test.py --with-coverage -c tests/salsa20.json
- python tests/test.py --with-coverage -c tests/chacha20.json
- python tests/test.py --with-coverage -c tests/salsa20-ctr.json
- python tests/test.py --with-coverage -c tests/table.json
- python tests/test.py --with-coverage -c tests/server-multi-ports.json
- python tests/test.py --with-coverage -s tests/server-multi-passwd.json -c tests/server-multi-passwd-client-side.json
- python tests/test.py --with-coverage -c tests/workers.json
- python tests/test.py --with-coverage -s tests/ipv6.json -c tests/ipv6-client-side.json
- python tests/test.py --with-coverage -b "-m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388" -a "-m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -l 1081"
- python tests/test.py --with-coverage -b "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388" -a "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 -l 1081"
- coverage combine && coverage report --include=shadowsocks/*

37
CHANGES
View file

@ -1,3 +1,40 @@
2.6.9 2015-05-19
- Fix a stability issue on Windows
2.6.8 2015-02-10
- Support multiple server ip on client side
- Support --version
- Minor fixes
2.6.7 2015-02-02
- Support --user
- Support CIDR format in --forbidden-ip
- Minor fixes
2.6.6 2015-01-23
- Fix a crash in forbidden list
2.6.5 2015-01-18
- Try both 32 bit and 64 bit dll on Windows
2.6.4 2015-01-14
- Also search lib* when searching libraries
2.6.3 2015-01-12
- Support --forbidden-ip to ban some IP, i.e. localhost
- Search OpenSSL and libsodium harder
- Now works on OpenWRT
2.6.2 2015-01-03
- Log client IP
2.6.1 2014-12-26
- Fix a problem with TCP Fast Open on local side
- Fix sometimes daemon_start returns wrong exit status
2.6 2014-12-21
- Add daemon support
2.5 2014-12-11 2.5 2014-12-11
- Add salsa20 and chacha20 - Add salsa20 and chacha20

47
CONTRIBUTING.md
View file

@ -1,38 +1,29 @@
How to contribute How to Contribute
================= =================
在你提交问题前,请先[自行诊断]一下。提交时附上诊断过程中的问题和下列结果, Pull Requests
否则如果我们无法重现你的问题,也就不能帮助你。 -------------
Before you submit issues, please read [Troubleshooting] and take a few minutes 1. Pull requests are welcome. If you would like to add a large feature
to read this guide. or make a significant change, make sure to open an issue to discuss with
people first.
问题反馈 2. Follow PEP8.
------- 3. Make sure to pass the unit tests. Write unit tests for new modules if
needed.
请提交下面的信息:
1. 你是如何搭建环境的操作系统Shadowsocks 版本)
2. 操作步骤是什么?
3. 浏览器里的现象是什么?一直转菊花,还是有提示错误?
4. 发生错误时,客户端和服务端最后一部分日志。
5. 其它你认为可能和问题有关的信息。
如果你不清楚其中某条的含义, 可以直接跳过那一条。
Issues Issues
------ ------
Please include the following information in your submission: 1. Only bugs and feature requests are accepted here.
2. We'll only work on important features. If the feature you're asking only
benefits a few people, you'd better implement the feature yourself and send us
a pull request, or ask some of your friends to do so.
3. We don't answer questions of any other types here. Since very few people
are watching the issue tracker here, you'll probably get no help from here.
Read [Troubleshooting] and get help from forums or [mailing lists].
4. Issues in languages other than English will be Google translated into English
later.
1. How did you set up your environment? (OS, version of Shadowsocks)
2. Steps to reproduce the problem.
3. What happened in your browser? Just no response, or any error message?
4. 10 lines of log on the local side of shadowsocks when the error happened.
5. 10 lines of log on the server side of shadowsocks when the error happened.
6. Any other useful information.
Skip any of them if you don't know its meaning.
[Troubleshooting]: https://github.com/clowwindy/shadowsocks/wiki/Troubleshooting [Troubleshooting]: https://github.com/clowwindy/shadowsocks/wiki/Troubleshooting
[自行诊断]: https://github.com/clowwindy/shadowsocks/wiki/Troubleshooting [mailing lists]: https://groups.google.com/forum/#!forum/shadowsocks

215
LICENSE
View file

@ -1,21 +1,202 @@
Shadowsocks
Copyright (c) 2014 clowwindy Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
Permission is hereby granted, free of charge, to any person obtaining a copy TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in 1. Definitions.
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR "License" shall mean the terms and conditions for use, reproduction,
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, and distribution as defined by Sections 1 through 9 of this document.
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER "Licensor" shall mean the copyright owner or entity authorized by
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, the copyright owner that is granting the License.
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. "Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

2
MANIFEST.in
View file

@ -1,3 +1,3 @@
recursive-include *.py recursive-include shadowsocks *.py
include README.rst include README.rst
include LICENSE include LICENSE

185
README.md
View file

@ -1,120 +1,81 @@
shadowsocks shadowsocks
=========== ===========
[![PyPI version]][PyPI] [![Build Status]][Travis CI] [![PyPI version]][PyPI]
[![Build Status]][Travis CI]
[![Coverage Status]][Coverage]
A fast tunnel proxy that helps you bypass firewalls. A fast tunnel proxy that helps you bypass firewalls.
[中文说明][Chinese Readme] Server
------
Install ### Install
-------
You'll have a client on your local side, and setup a server on a Debian / Ubuntu:
remote server.
### Client apt-get install python-pip
pip install shadowsocks
CentOS:
yum install python-setuptools && easy_install pip
pip install shadowsocks
Windows:
See [Install Server on Windows]
### Usage
ssserver -p 443 -k password -m aes-256-cfb
To run in the background:
sudo ssserver -p 443 -k password -m aes-256-cfb --user nobody -d start
To stop:
sudo ssserver -d stop
To check the log:
sudo less /var/log/shadowsocks.log
Check all the options via `-h`. You can also use a [Configuration] file
instead.
Client
------
* [Windows] / [OS X] * [Windows] / [OS X]
* [Android] / [iOS] * [Android] / [iOS]
* [OpenWRT] * [OpenWRT]
### Server Use GUI clients on your local PC/phones. Check the README of your client
for more information.
#### Debian / Ubuntu: Documentation
apt-get install python-pip
pip install shadowsocks
Or simply `apt-get install shadowsocks` if you have [Debian sid] in your
source list.
#### CentOS:
yum install python-setuptools
easy_install pip
pip install shadowsocks
#### Windows:
Download [OpenSSL for Windows] and install. Then install shadowsocks via
easy_install and pip as Linux. If you don't know how to use them, you can
directly download [the package], and use `python shadowsocks/server.py`
instead of `ssserver` command below.
Configuration
------------- -------------
On your server create a config file `/etc/shadowsocks.json`. You can find all the documentation in the [Wiki].
Example:
{
"server":"my_server_ip",
"server_port":8388,
"local_address": "127.0.0.1",
"local_port":1080,
"password":"mypassword",
"timeout":300,
"method":"aes-256-cfb",
"fast_open": false,
"workers": 1
}
Explanation of the fields:
| Name | Explanation |
| ------------- | ----------------------------------------------- |
| server | the address your server listens |
| server_port | server port |
| local_address | the address your local listens |
| local_port | local port |
| password | password used for encryption |
| timeout | in seconds |
| method | default: "aes-256-cfb", see [Encryption] |
| fast_open | use [TCP_FASTOPEN], true / false |
| workers | number of workers, available on Unix/Linux |
Run `ssserver -c /etc/shadowsocks.json` on your server. To run it in the
background, use [Supervisor].
On your client machine, use the same configuration as your server, and
start your client.
If you use Chrome, it's recommended to use [SwitchySharp]. Change the proxy
settings to
protocol: socks5
hostname: 127.0.0.1
port: your local_port
If you can't install [SwitchySharp], you can launch Chrome with the following
arguments to force Chrome to use the proxy:
Chrome.exe --proxy-server="socks5://127.0.0.1:1080" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost"
If you can't even download Chrome, find a friend to download a
[Chrome Standalone] installer for you.
Command line args
------------------
You can use args to override settings from `config.json`.
sslocal -s server_name -p server_port -l local_port -k password -m bf-cfb
ssserver -p server_port -k password -m bf-cfb --workers 2
ssserver -c /etc/shadowsocks/config.json
List all available args with `-h`.
Wiki
----
You can find all the documentation in the wiki:
https://github.com/clowwindy/shadowsocks/wiki
License License
------- -------
MIT
Copyright 2015 clowwindy
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Bugs and Issues Bugs and Issues
---------------- ----------------
@ -124,24 +85,22 @@ Bugs and Issues
* [Mailing list] * [Mailing list]
[Android]: https://github.com/clowwindy/shadowsocks/wiki/Ports-and-Clients#android
[Build Status]: https://img.shields.io/travis/clowwindy/shadowsocks/master.svg?style=flat [Android]: https://github.com/shadowsocks/shadowsocks-android
[Chinese Readme]: https://github.com/clowwindy/shadowsocks/wiki/Shadowsocks-%E4%BD%BF%E7%94%A8%E8%AF%B4%E6%98%8E [Build Status]: https://img.shields.io/travis/shadowsocks/shadowsocks/master.svg?style=flat
[Chrome Standalone]: https://support.google.com/installer/answer/126299 [Configuration]: https://github.com/shadowsocks/shadowsocks/wiki/Configuration-via-Config-File
[Coverage Status]: https://jenkins.shadowvpn.org/result/shadowsocks
[Coverage]: https://jenkins.shadowvpn.org/job/Shadowsocks/ws/PYENV/py34/label/linux/htmlcov/index.html
[Debian sid]: https://packages.debian.org/unstable/python/shadowsocks [Debian sid]: https://packages.debian.org/unstable/python/shadowsocks
[the package]: https://pypi.python.org/pypi/shadowsocks
[Encryption]: https://github.com/clowwindy/shadowsocks/wiki/Encryption
[iOS]: https://github.com/shadowsocks/shadowsocks-iOS/wiki/Help [iOS]: https://github.com/shadowsocks/shadowsocks-iOS/wiki/Help
[Issue Tracker]: https://github.com/clowwindy/shadowsocks/issues?state=open [Issue Tracker]: https://github.com/shadowsocks/shadowsocks/issues?state=open
[Mailing list]: http://groups.google.com/group/shadowsocks [Install Server on Windows]: https://github.com/shadowsocks/shadowsocks/wiki/Install-Shadowsocks-Server-on-Windows
[OpenSSL for Windows]: http://slproweb.com/products/Win32OpenSSL.html [Mailing list]: https://groups.google.com/group/shadowsocks
[OpenWRT]: https://github.com/clowwindy/shadowsocks/wiki/Ports-and-Clients#openwrt [OpenWRT]: https://github.com/shadowsocks/openwrt-shadowsocks
[OS X]: https://github.com/shadowsocks/shadowsocks-iOS/wiki/Shadowsocks-for-OSX-Help [OS X]: https://github.com/shadowsocks/shadowsocks-iOS/wiki/Shadowsocks-for-OSX-Help
[PyPI]: https://pypi.python.org/pypi/shadowsocks [PyPI]: https://pypi.python.org/pypi/shadowsocks
[PyPI version]: https://img.shields.io/pypi/v/shadowsocks.svg?style=flat [PyPI version]: https://img.shields.io/pypi/v/shadowsocks.svg?style=flat
[Supervisor]: https://github.com/clowwindy/shadowsocks/wiki/Configure-Shadowsocks-with-Supervisor [Travis CI]: https://travis-ci.org/shadowsocks/shadowsocks
[TCP_FASTOPEN]: https://github.com/clowwindy/shadowsocks/wiki/TCP-Fast-Open [Troubleshooting]: https://github.com/shadowsocks/shadowsocks/wiki/Troubleshooting
[Travis CI]: https://travis-ci.org/clowwindy/shadowsocks [Wiki]: https://github.com/shadowsocks/shadowsocks/wiki
[Troubleshooting]: https://github.com/clowwindy/shadowsocks/wiki/Troubleshooting [Windows]: https://github.com/shadowsocks/shadowsocks-csharp
[SwitchySharp]: https://chrome.google.com/webstore/detail/proxy-switchysharp/dpplabbmogkhghncfbfdeeokoefdjegm
[Windows]: https://github.com/clowwindy/shadowsocks/wiki/Ports-and-Clients#windows

202
README.rst
View file

@ -1,167 +1,113 @@
shadowsocks shadowsocks
=========== ===========
|PyPI version| |Build Status| |PyPI version| |Build Status| |Coverage Status|
A fast tunnel proxy that helps you bypass firewalls. A fast tunnel proxy that helps you bypass firewalls.
`中文说明 <https://github.com/clowwindy/shadowsocks/wiki/Shadowsocks-%E4%BD%BF%E7%94%A8%E8%AF%B4%E6%98%8E>`__ Server
------
Install Install
------- ~~~~~~~
You'll have a client on your local side, and setup a server on a remote
server.
Client
~~~~~~
- `Windows <https://github.com/clowwindy/shadowsocks/wiki/Ports-and-Clients#windows>`__
/ `OS
X <https://github.com/shadowsocks/shadowsocks-iOS/wiki/Shadowsocks-for-OSX-Help>`__
- `Android <https://github.com/clowwindy/shadowsocks/wiki/Ports-and-Clients#android>`__
/ `iOS <https://github.com/shadowsocks/shadowsocks-iOS/wiki/Help>`__
- `OpenWRT <https://github.com/clowwindy/shadowsocks/wiki/Ports-and-Clients#openwrt>`__
Server
~~~~~~
Debian / Ubuntu: Debian / Ubuntu:
^^^^^^^^^^^^^^^^
:: ::
apt-get install python-pip apt-get install python-pip
pip install shadowsocks pip install shadowsocks
Or simply ``apt-get install shadowsocks`` if you have `Debian
sid <https://packages.debian.org/unstable/python/shadowsocks>`__ in your
source list.
CentOS: CentOS:
^^^^^^^
:: ::
yum install python-setuptools yum install python-setuptools && easy_install pip
easy_install pip
pip install shadowsocks pip install shadowsocks
Windows: Windows:
^^^^^^^^
Download OpenSSL for Windows and install. Then install shadowsocks via See `Install Server on
easy\_install and pip as Linux. If you don't know how to use them, you Windows <https://github.com/shadowsocks/shadowsocks/wiki/Install-Shadowsocks-Server-on-Windows>`__
can directly download `the
package <https://pypi.python.org/pypi/shadowsocks>`__, and use
``python shadowsocks/server.py`` instead of ``ssserver`` command below.
Configuration Usage
~~~~~
::
ssserver -p 443 -k password -m rc4-md5
To run in the background:
::
sudo ssserver -p 443 -k password -m rc4-md5 --user nobody -d start
To stop:
::
sudo ssserver -d stop
To check the log:
::
sudo less /var/log/shadowsocks.log
Check all the options via ``-h``. You can also use a
`Configuration <https://github.com/shadowsocks/shadowsocks/wiki/Configuration-via-Config-File>`__
file instead.
Client
------
- `Windows <https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#windows>`__
/ `OS
X <https://github.com/shadowsocks/shadowsocks-iOS/wiki/Shadowsocks-for-OSX-Help>`__
- `Android <https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#android>`__
/ `iOS <https://github.com/shadowsocks/shadowsocks-iOS/wiki/Help>`__
- `OpenWRT <https://github.com/shadowsocks/openwrt-shadowsocks>`__
Use GUI clients on your local PC/phones. Check the README of your client
for more information.
Documentation
------------- -------------
On your server create a config file ``/etc/shadowsocks.json``. Example: You can find all the documentation in the
`Wiki <https://github.com/shadowsocks/shadowsocks/wiki>`__.
::
{
"server":"my_server_ip",
"server_port":8388,
"local_address": "127.0.0.1",
"local_port":1080,
"password":"mypassword",
"timeout":300,
"method":"aes-256-cfb",
"fast_open": false,
"workers": 1
}
Explanation of the fields:
+------------------+---------------------------------------------------------------------------------------------------------+
| Name | Explanation |
+==================+=========================================================================================================+
| server | the address your server listens |
+------------------+---------------------------------------------------------------------------------------------------------+
| server\_port | server port |
+------------------+---------------------------------------------------------------------------------------------------------+
| local\_address | the address your local listens |
+------------------+---------------------------------------------------------------------------------------------------------+
| local\_port | local port |
+------------------+---------------------------------------------------------------------------------------------------------+
| password | password used for encryption |
+------------------+---------------------------------------------------------------------------------------------------------+
| timeout | in seconds |
+------------------+---------------------------------------------------------------------------------------------------------+
| method | default: "aes-256-cfb", see `Encryption <https://github.com/clowwindy/shadowsocks/wiki/Encryption>`__ |
+------------------+---------------------------------------------------------------------------------------------------------+
| fast\_open | use `TCP\_FASTOPEN <https://github.com/clowwindy/shadowsocks/wiki/TCP-Fast-Open>`__, true / false |
+------------------+---------------------------------------------------------------------------------------------------------+
| workers | number of workers, available on Unix/Linux |
+------------------+---------------------------------------------------------------------------------------------------------+
Run ``ssserver -c /etc/shadowsocks.json`` on your server. To run it in
the background, use
`Supervisor <https://github.com/clowwindy/shadowsocks/wiki/Configure-Shadowsocks-with-Supervisor>`__.
On your client machine, use the same configuration as your server, and
start your client.
If you use Chrome, it's recommended to use
`SwitchySharp <https://chrome.google.com/webstore/detail/proxy-switchysharp/dpplabbmogkhghncfbfdeeokoefdjegm>`__.
Change the proxy settings to
::
protocol: socks5
hostname: 127.0.0.1
port: your local_port
If you can't install
`SwitchySharp <https://chrome.google.com/webstore/detail/proxy-switchysharp/dpplabbmogkhghncfbfdeeokoefdjegm>`__,
you can launch Chrome with the following arguments to force Chrome to
use the proxy:
::
Chrome.exe --proxy-server="socks5://127.0.0.1:1080" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost"
If you can't even download Chrome, find a friend to download a `Chrome
Standalone <https://support.google.com/installer/answer/126299>`__
installer for you.
Command line args
-----------------
You can use args to override settings from ``config.json``.
::
sslocal -s server_name -p server_port -l local_port -k password -m bf-cfb
ssserver -p server_port -k password -m bf-cfb --workers 2
ssserver -c /etc/shadowsocks/config.json
List all available args with ``-h``.
Wiki
----
You can find all the documentation in the wiki:
https://github.com/clowwindy/shadowsocks/wiki
License License
------- -------
MIT Copyright 2015 clowwindy
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
::
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Bugs and Issues Bugs and Issues
--------------- ---------------
- `Troubleshooting <https://github.com/clowwindy/shadowsocks/wiki/Troubleshooting>`__ - `Troubleshooting <https://github.com/shadowsocks/shadowsocks/wiki/Troubleshooting>`__
- `Issue - `Issue
Tracker <https://github.com/clowwindy/shadowsocks/issues?state=open>`__ Tracker <https://github.com/shadowsocks/shadowsocks/issues?state=open>`__
- `Mailing list <http://groups.google.com/group/shadowsocks>`__ - `Mailing list <https://groups.google.com/group/shadowsocks>`__
.. |PyPI version| image:: https://img.shields.io/pypi/v/shadowsocks.svg?style=flat .. |PyPI version| image:: https://img.shields.io/pypi/v/shadowsocks.svg?style=flat
:target: https://pypi.python.org/pypi/shadowsocks :target: https://pypi.python.org/pypi/shadowsocks
.. |Build Status| image:: https://img.shields.io/travis/clowwindy/shadowsocks/master.svg?style=flat .. |Build Status| image:: https://img.shields.io/travis/shadowsocks/shadowsocks/master.svg?style=flat
:target: https://travis-ci.org/clowwindy/shadowsocks :target: https://travis-ci.org/shadowsocks/shadowsocks
.. |Coverage Status| image:: https://jenkins.shadowvpn.org/result/shadowsocks
:target: https://jenkins.shadowvpn.org/job/Shadowsocks/ws/PYENV/py34/label/linux/htmlcov/index.html

8
setup.py
View file

@ -7,12 +7,12 @@ with codecs.open('README.rst', encoding='utf-8') as f:
setup( setup(
name="shadowsocks", name="shadowsocks",
version="2.5", version="2.6.10",
license='MIT', license='http://www.apache.org/licenses/LICENSE-2.0',
description="A fast tunnel proxy that help you get through firewalls", description="A fast tunnel proxy that help you get through firewalls",
author='clowwindy', author='clowwindy',
author_email='clowwindy42@gmail.com', author_email='clowwindy42@gmail.com',
url='https://github.com/clowwindy/shadowsocks', url='https://github.com/shadowsocks/shadowsocks',
packages=['shadowsocks', 'shadowsocks.crypto'], packages=['shadowsocks', 'shadowsocks.crypto'],
package_data={ package_data={
'shadowsocks': ['README.rst', 'LICENSE'] 'shadowsocks': ['README.rst', 'LICENSE']
@ -24,7 +24,7 @@ setup(
ssserver = shadowsocks.server:main ssserver = shadowsocks.server:main
""", """,
classifiers=[ classifiers=[
'License :: OSI Approved :: MIT License', 'License :: OSI Approved :: Apache Software License',
'Programming Language :: Python :: 2', 'Programming Language :: Python :: 2',
'Programming Language :: Python :: 2.6', 'Programming Language :: Python :: 2.6',
'Programming Language :: Python :: 2.7', 'Programming Language :: Python :: 2.7',

28
shadowsocks/__init__.py
View file

@ -1,24 +1,18 @@
#!/usr/bin/python #!/usr/bin/python
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2012-2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement

65
shadowsocks/asyncdns.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/env python #!/usr/bin/env python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2014-2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -31,7 +25,7 @@ import struct
import re import re
import logging import logging
from shadowsocks import common, lru_cache, eventloop from shadowsocks import common, lru_cache, eventloop, shell
CACHE_SWEEP_INTERVAL = 30 CACHE_SWEEP_INTERVAL = 30
@ -93,11 +87,12 @@ def build_address(address):
return b''.join(results) return b''.join(results)
def build_request(address, qtype, request_id): def build_request(address, qtype):
header = struct.pack('!HBBHHHH', request_id, 1, 0, 1, 0, 0, 0) request_id = os.urandom(2)
header = struct.pack('!BBHHHH', 1, 0, 1, 0, 0, 0)
addr = build_address(address) addr = build_address(address)
qtype_qclass = struct.pack('!HH', qtype, QCLASS_IN) qtype_qclass = struct.pack('!HH', qtype, QCLASS_IN)
return header + addr + qtype_qclass return request_id + header + addr + qtype_qclass
def parse_ip(addrtype, data, length, offset): def parse_ip(addrtype, data, length, offset):
@ -226,24 +221,10 @@ def parse_response(data):
response.answers.append((an[1], an[2], an[3])) response.answers.append((an[1], an[2], an[3]))
return response return response
except Exception as e: except Exception as e:
import traceback shell.print_exception(e)
traceback.print_exc()
logging.error(e)
return None return None
def is_ip(address):
for family in (socket.AF_INET, socket.AF_INET6):
try:
if type(address) != str:
address = address.decode('utf8')
socket.inet_pton(family, address)
return family
except (TypeError, ValueError, OSError, IOError):
pass
return False
def is_valid_hostname(hostname): def is_valid_hostname(hostname):
if len(hostname) > 255: if len(hostname) > 255:
return False return False
@ -270,7 +251,6 @@ class DNSResolver(object):
def __init__(self): def __init__(self):
self._loop = None self._loop = None
self._request_id = 1
self._hosts = {} self._hosts = {}
self._hostname_status = {} self._hostname_status = {}
self._hostname_to_cb = {} self._hostname_to_cb = {}
@ -296,7 +276,7 @@ class DNSResolver(object):
parts = line.split() parts = line.split()
if len(parts) >= 2: if len(parts) >= 2:
server = parts[1] server = parts[1]
if is_ip(server) == socket.AF_INET: if common.is_ip(server) == socket.AF_INET:
if type(server) != str: if type(server) != str:
server = server.decode('utf8') server = server.decode('utf8')
self._servers.append(server) self._servers.append(server)
@ -316,7 +296,7 @@ class DNSResolver(object):
parts = line.split() parts = line.split()
if len(parts) >= 2: if len(parts) >= 2:
ip = parts[0] ip = parts[0]
if is_ip(ip): if common.is_ip(ip):
for i in range(1, len(parts)): for i in range(1, len(parts)):
hostname = parts[i] hostname = parts[i]
if hostname: if hostname:
@ -412,10 +392,7 @@ class DNSResolver(object):
del self._hostname_status[hostname] del self._hostname_status[hostname]
def _send_req(self, hostname, qtype): def _send_req(self, hostname, qtype):
self._request_id += 1 req = build_request(hostname, qtype)
if self._request_id > 32768:
self._request_id = 1
req = build_request(hostname, qtype, self._request_id)
for server in self._servers: for server in self._servers:
logging.debug('resolving %s with type %d using server %s', logging.debug('resolving %s with type %d using server %s',
hostname, qtype, server) hostname, qtype, server)
@ -426,7 +403,7 @@ class DNSResolver(object):
hostname = hostname.encode('utf8') hostname = hostname.encode('utf8')
if not hostname: if not hostname:
callback(None, Exception('empty hostname')) callback(None, Exception('empty hostname'))
elif is_ip(hostname): elif common.is_ip(hostname):
callback((hostname, hostname), None) callback((hostname, hostname), None)
elif hostname in self._hosts: elif hostname in self._hosts:
logging.debug('hit hosts: %s', hostname) logging.debug('hit hosts: %s', hostname)

111
shadowsocks/common.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2013-2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -101,6 +95,18 @@ def inet_pton(family, addr):
raise RuntimeError("What family?") raise RuntimeError("What family?")
def is_ip(address):
for family in (socket.AF_INET, socket.AF_INET6):
try:
if type(address) != str:
address = address.decode('utf8')
inet_pton(family, address)
return family
except (TypeError, ValueError, OSError, IOError):
pass
return False
def patch_socket(): def patch_socket():
if not hasattr(socket, 'inet_pton'): if not hasattr(socket, 'inet_pton'):
socket.inet_pton = inet_pton socket.inet_pton = inet_pton
@ -172,6 +178,61 @@ def parse_header(data):
return addrtype, to_bytes(dest_addr), dest_port, header_length return addrtype, to_bytes(dest_addr), dest_port, header_length
class IPNetwork(object):
ADDRLENGTH = {socket.AF_INET: 32, socket.AF_INET6: 128, False: 0}
def __init__(self, addrs):
self._network_list_v4 = []
self._network_list_v6 = []
if type(addrs) == str:
addrs = addrs.split(',')
list(map(self.add_network, addrs))
def add_network(self, addr):
if addr is "":
return
block = addr.split('/')
addr_family = is_ip(block[0])
addr_len = IPNetwork.ADDRLENGTH[addr_family]
if addr_family is socket.AF_INET:
ip, = struct.unpack("!I", socket.inet_aton(block[0]))
elif addr_family is socket.AF_INET6:
hi, lo = struct.unpack("!QQ", inet_pton(addr_family, block[0]))
ip = (hi << 64) | lo
else:
raise Exception("Not a valid CIDR notation: %s" % addr)
if len(block) is 1:
prefix_size = 0
while (ip & 1) == 0 and ip is not 0:
ip >>= 1
prefix_size += 1
logging.warn("You did't specify CIDR routing prefix size for %s, "
"implicit treated as %s/%d" % (addr, addr, addr_len))
elif block[1].isdigit() and int(block[1]) <= addr_len:
prefix_size = addr_len - int(block[1])
ip >>= prefix_size
else:
raise Exception("Not a valid CIDR notation: %s" % addr)
if addr_family is socket.AF_INET:
self._network_list_v4.append((ip, prefix_size))
else:
self._network_list_v6.append((ip, prefix_size))
def __contains__(self, addr):
addr_family = is_ip(addr)
if addr_family is socket.AF_INET:
ip, = struct.unpack("!I", socket.inet_aton(addr))
return any(map(lambda n_ps: n_ps[0] == ip >> n_ps[1],
self._network_list_v4))
elif addr_family is socket.AF_INET6:
hi, lo = struct.unpack("!QQ", inet_pton(addr_family, addr))
ip = (hi << 64) | lo
return any(map(lambda n_ps: n_ps[0] == ip >> n_ps[1],
self._network_list_v6))
else:
return False
def test_inet_conv(): def test_inet_conv():
ipv4 = b'8.8.4.4' ipv4 = b'8.8.4.4'
b = inet_pton(socket.AF_INET, ipv4) b = inet_pton(socket.AF_INET, ipv4)
@ -198,7 +259,23 @@ def test_pack_header():
assert pack_addr(b'www.google.com') == b'\x03\x0ewww.google.com' assert pack_addr(b'www.google.com') == b'\x03\x0ewww.google.com'
def test_ip_network():
ip_network = IPNetwork('127.0.0.0/24,::ff:1/112,::1,192.168.1.1,192.0.2.0')
assert '127.0.0.1' in ip_network
assert '127.0.1.1' not in ip_network
assert ':ff:ffff' in ip_network
assert '::ffff:1' not in ip_network
assert '::1' in ip_network
assert '::2' not in ip_network
assert '192.168.1.1' in ip_network
assert '192.168.1.2' not in ip_network
assert '192.0.2.1' in ip_network
assert '192.0.3.1' in ip_network # 192.0.2.0 is treated as 192.0.2.0/23
assert 'www.google.com' not in ip_network
if __name__ == '__main__': if __name__ == '__main__':
test_inet_conv() test_inet_conv()
test_parse_header() test_parse_header()
test_pack_header() test_pack_header()
test_ip_network()

28
shadowsocks/crypto/__init__.py
View file

@ -1,24 +1,18 @@
#!/usr/bin/env python #!/usr/bin/env python
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement

119
shadowsocks/crypto/m2.py
View file

@ -1,119 +0,0 @@
#!/usr/bin/env python
# Copyright (c) 2014 clowwindy
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
from __future__ import absolute_import, division, print_function, \
with_statement
import sys
import logging
__all__ = ['ciphers']
has_m2 = True
try:
__import__('M2Crypto')
except ImportError:
has_m2 = False
if bytes != str:
has_m2 = False
def create_cipher(alg, key, iv, op, key_as_bytes=0, d=None, salt=None, i=1,
padding=1):
import M2Crypto.EVP
return M2Crypto.EVP.Cipher(alg.replace('-', '_'), key, iv, op,
key_as_bytes=0, d='md5', salt=None, i=1,
padding=1)
def err(alg, key, iv, op, key_as_bytes=0, d=None, salt=None, i=1, padding=1):
logging.error(('M2Crypto is required to use %s, please run'
' `apt-get install python-m2crypto`') % alg)
sys.exit(1)
if has_m2:
ciphers = {
b'aes-128-cfb': (16, 16, create_cipher),
b'aes-192-cfb': (24, 16, create_cipher),
b'aes-256-cfb': (32, 16, create_cipher),
b'bf-cfb': (16, 8, create_cipher),
b'camellia-128-cfb': (16, 16, create_cipher),
b'camellia-192-cfb': (24, 16, create_cipher),
b'camellia-256-cfb': (32, 16, create_cipher),
b'cast5-cfb': (16, 8, create_cipher),
b'des-cfb': (8, 8, create_cipher),
b'idea-cfb': (16, 8, create_cipher),
b'rc2-cfb': (16, 8, create_cipher),
b'rc4': (16, 0, create_cipher),
b'seed-cfb': (16, 16, create_cipher),
}
else:
ciphers = {}
def run_method(method):
from shadowsocks.crypto import util
cipher = create_cipher(method, b'k' * 32, b'i' * 16, 1)
decipher = create_cipher(method, b'k' * 32, b'i' * 16, 0)
util.run_cipher(cipher, decipher)
def check_env():
# skip this test on pypy and Python 3
try:
import __pypy__
del __pypy__
from nose.plugins.skip import SkipTest
raise SkipTest
except ImportError:
pass
if bytes != str:
from nose.plugins.skip import SkipTest
raise SkipTest
def test_aes_128_cfb():
check_env()
run_method(b'aes-128-cfb')
def test_aes_256_cfb():
check_env()
run_method(b'aes-256-cfb')
def test_bf_cfb():
check_env()
run_method(b'bf-cfb')
def test_rc4():
check_env()
run_method(b'rc4')
if __name__ == '__main__':
test_aes_128_cfb()

123
shadowsocks/crypto/ctypes_openssl.py → shadowsocks/crypto/openssl.py
View file

@ -1,32 +1,28 @@
#!/usr/bin/env python #!/usr/bin/env python
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
import logging from ctypes import c_char_p, c_int, c_long, byref,\
from ctypes import CDLL, c_char_p, c_int, c_long, byref,\
create_string_buffer, c_void_p create_string_buffer, c_void_p
from shadowsocks import common
from shadowsocks.crypto import util
__all__ = ['ciphers'] __all__ = ['ciphers']
libcrypto = None libcrypto = None
@ -38,15 +34,12 @@ buf_size = 2048
def load_openssl(): def load_openssl():
global loaded, libcrypto, buf global loaded, libcrypto, buf
from ctypes.util import find_library libcrypto = util.find_library(('crypto', 'eay32'),
for p in ('crypto', 'eay32', 'libeay32'): 'EVP_get_cipherbyname',
libcrypto_path = find_library(p) 'libcrypto')
if libcrypto_path: if libcrypto is None:
break
else:
raise Exception('libcrypto(OpenSSL) not found') raise Exception('libcrypto(OpenSSL) not found')
logging.info('loading libcrypto from %s', libcrypto_path)
libcrypto = CDLL(libcrypto_path)
libcrypto.EVP_get_cipherbyname.restype = c_void_p libcrypto.EVP_get_cipherbyname.restype = c_void_p
libcrypto.EVP_CIPHER_CTX_new.restype = c_void_p libcrypto.EVP_CIPHER_CTX_new.restype = c_void_p
@ -66,7 +59,7 @@ def load_openssl():
def load_cipher(cipher_name): def load_cipher(cipher_name):
func_name = b'EVP_' + cipher_name.replace(b'-', b'_') func_name = 'EVP_' + cipher_name.replace('-', '_')
if bytes != str: if bytes != str:
func_name = str(func_name, 'utf-8') func_name = str(func_name, 'utf-8')
cipher = getattr(libcrypto, func_name, None) cipher = getattr(libcrypto, func_name, None)
@ -76,11 +69,12 @@ def load_cipher(cipher_name):
return None return None
class CtypesCrypto(object): class OpenSSLCrypto(object):
def __init__(self, cipher_name, key, iv, op): def __init__(self, cipher_name, key, iv, op):
self._ctx = None
if not loaded: if not loaded:
load_openssl() load_openssl()
self._ctx = None cipher_name = common.to_bytes(cipher_name)
cipher = libcrypto.EVP_get_cipherbyname(cipher_name) cipher = libcrypto.EVP_get_cipherbyname(cipher_name)
if not cipher: if not cipher:
cipher = load_cipher(cipher_name) cipher = load_cipher(cipher_name)
@ -119,69 +113,68 @@ class CtypesCrypto(object):
ciphers = { ciphers = {
b'aes-128-cfb': (16, 16, CtypesCrypto), 'aes-128-cfb': (16, 16, OpenSSLCrypto),
b'aes-192-cfb': (24, 16, CtypesCrypto), 'aes-192-cfb': (24, 16, OpenSSLCrypto),
b'aes-256-cfb': (32, 16, CtypesCrypto), 'aes-256-cfb': (32, 16, OpenSSLCrypto),
b'aes-128-ofb': (16, 16, CtypesCrypto), 'aes-128-ofb': (16, 16, OpenSSLCrypto),
b'aes-192-ofb': (24, 16, CtypesCrypto), 'aes-192-ofb': (24, 16, OpenSSLCrypto),
b'aes-256-ofb': (32, 16, CtypesCrypto), 'aes-256-ofb': (32, 16, OpenSSLCrypto),
b'aes-128-ctr': (16, 16, CtypesCrypto), 'aes-128-ctr': (16, 16, OpenSSLCrypto),
b'aes-192-ctr': (24, 16, CtypesCrypto), 'aes-192-ctr': (24, 16, OpenSSLCrypto),
b'aes-256-ctr': (32, 16, CtypesCrypto), 'aes-256-ctr': (32, 16, OpenSSLCrypto),
b'aes-128-cfb8': (16, 16, CtypesCrypto), 'aes-128-cfb8': (16, 16, OpenSSLCrypto),
b'aes-192-cfb8': (24, 16, CtypesCrypto), 'aes-192-cfb8': (24, 16, OpenSSLCrypto),
b'aes-256-cfb8': (32, 16, CtypesCrypto), 'aes-256-cfb8': (32, 16, OpenSSLCrypto),
b'aes-128-cfb1': (16, 16, CtypesCrypto), 'aes-128-cfb1': (16, 16, OpenSSLCrypto),
b'aes-192-cfb1': (24, 16, CtypesCrypto), 'aes-192-cfb1': (24, 16, OpenSSLCrypto),
b'aes-256-cfb1': (32, 16, CtypesCrypto), 'aes-256-cfb1': (32, 16, OpenSSLCrypto),
b'bf-cfb': (16, 8, CtypesCrypto), 'bf-cfb': (16, 8, OpenSSLCrypto),
b'camellia-128-cfb': (16, 16, CtypesCrypto), 'camellia-128-cfb': (16, 16, OpenSSLCrypto),
b'camellia-192-cfb': (24, 16, CtypesCrypto), 'camellia-192-cfb': (24, 16, OpenSSLCrypto),
b'camellia-256-cfb': (32, 16, CtypesCrypto), 'camellia-256-cfb': (32, 16, OpenSSLCrypto),
b'cast5-cfb': (16, 8, CtypesCrypto), 'cast5-cfb': (16, 8, OpenSSLCrypto),
b'des-cfb': (8, 8, CtypesCrypto), 'des-cfb': (8, 8, OpenSSLCrypto),
b'idea-cfb': (16, 8, CtypesCrypto), 'idea-cfb': (16, 8, OpenSSLCrypto),
b'rc2-cfb': (16, 8, CtypesCrypto), 'rc2-cfb': (16, 8, OpenSSLCrypto),
b'rc4': (16, 0, CtypesCrypto), 'rc4': (16, 0, OpenSSLCrypto),
b'seed-cfb': (16, 16, CtypesCrypto), 'seed-cfb': (16, 16, OpenSSLCrypto),
} }
def run_method(method): def run_method(method):
from shadowsocks.crypto import util
cipher = CtypesCrypto(method, b'k' * 32, b'i' * 16, 1) cipher = OpenSSLCrypto(method, b'k' * 32, b'i' * 16, 1)
decipher = CtypesCrypto(method, b'k' * 32, b'i' * 16, 0) decipher = OpenSSLCrypto(method, b'k' * 32, b'i' * 16, 0)
util.run_cipher(cipher, decipher) util.run_cipher(cipher, decipher)
def test_aes_128_cfb(): def test_aes_128_cfb():
run_method(b'aes-128-cfb') run_method('aes-128-cfb')
def test_aes_256_cfb(): def test_aes_256_cfb():
run_method(b'aes-256-cfb') run_method('aes-256-cfb')
def test_aes_128_cfb8(): def test_aes_128_cfb8():
run_method(b'aes-128-cfb8') run_method('aes-128-cfb8')
def test_aes_256_ofb(): def test_aes_256_ofb():
run_method(b'aes-256-ofb') run_method('aes-256-ofb')
def test_aes_256_ctr(): def test_aes_256_ctr():
run_method(b'aes-256-ctr') run_method('aes-256-ctr')
def test_bf_cfb(): def test_bf_cfb():
run_method(b'bf-cfb') run_method('bf-cfb')
def test_rc4(): def test_rc4():
run_method(b'rc4') run_method('rc4')
if __name__ == '__main__': if __name__ == '__main__':

45
shadowsocks/crypto/rc4_md5.py
View file

@ -1,30 +1,25 @@
#!/usr/bin/env python #!/usr/bin/env python
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
import hashlib import hashlib
from shadowsocks.crypto import openssl
__all__ = ['ciphers'] __all__ = ['ciphers']
@ -35,27 +30,19 @@ def create_cipher(alg, key, iv, op, key_as_bytes=0, d=None, salt=None,
md5.update(key) md5.update(key)
md5.update(iv) md5.update(iv)
rc4_key = md5.digest() rc4_key = md5.digest()
return openssl.OpenSSLCrypto(b'rc4', rc4_key, b'', op)
try:
from shadowsocks.crypto import ctypes_openssl
return ctypes_openssl.CtypesCrypto(b'rc4', rc4_key, b'', op)
except:
import M2Crypto.EVP
return M2Crypto.EVP.Cipher(b'rc4', rc4_key, b'', op,
key_as_bytes=0, d='md5', salt=None, i=1,
padding=1)
ciphers = { ciphers = {
b'rc4-md5': (16, 16, create_cipher), 'rc4-md5': (16, 16, create_cipher),
} }
def test(): def test():
from shadowsocks.crypto import util from shadowsocks.crypto import util
cipher = create_cipher(b'rc4-md5', b'k' * 32, b'i' * 16, 1) cipher = create_cipher('rc4-md5', b'k' * 32, b'i' * 16, 1)
decipher = create_cipher(b'rc4-md5', b'k' * 32, b'i' * 16, 0) decipher = create_cipher('rc4-md5', b'k' * 32, b'i' * 16, 0)
util.run_cipher(cipher, decipher) util.run_cipher(cipher, decipher)

140
shadowsocks/crypto/salsa20_ctr.py
View file

@ -1,140 +0,0 @@
#!/usr/bin/env python
# Copyright (c) 2014 clowwindy
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
from __future__ import absolute_import, division, print_function, \
with_statement
import struct
import logging
import sys
slow_xor = False
imported = False
salsa20 = None
numpy = None
BLOCK_SIZE = 16384
def run_imports():
global imported, slow_xor, salsa20, numpy
if not imported:
imported = True
try:
numpy = __import__('numpy')
except ImportError:
logging.error('can not import numpy, using SLOW XOR')
logging.error('please install numpy if you use salsa20')
slow_xor = True
try:
salsa20 = __import__('salsa20')
except ImportError:
logging.error('you have to install salsa20 before you use salsa20')
sys.exit(1)
def numpy_xor(a, b):
if slow_xor:
return py_xor_str(a, b)
dtype = numpy.byte
if len(a) % 4 == 0:
dtype = numpy.uint32
elif len(a) % 2 == 0:
dtype = numpy.uint16
ab = numpy.frombuffer(a, dtype=dtype)
bb = numpy.frombuffer(b, dtype=dtype)
c = numpy.bitwise_xor(ab, bb)
r = c.tostring()
return r
def py_xor_str(a, b):
c = []
if bytes == str:
for i in range(0, len(a)):
c.append(chr(ord(a[i]) ^ ord(b[i])))
return ''.join(c)
else:
for i in range(0, len(a)):
c.append(a[i] ^ b[i])
return bytes(c)
class Salsa20Cipher(object):
"""a salsa20 CTR implemetation, provides m2crypto like cipher API"""
def __init__(self, alg, key, iv, op, key_as_bytes=0, d=None, salt=None,
i=1, padding=1):
run_imports()
if alg != b'salsa20-ctr':
raise Exception('unknown algorithm')
self._key = key
self._nonce = struct.unpack('<Q', iv)[0]
self._pos = 0
self._next_stream()
def _next_stream(self):
self._nonce &= 0xFFFFFFFFFFFFFFFF
self._stream = salsa20.Salsa20_keystream(BLOCK_SIZE,
struct.pack('<Q',
self._nonce),
self._key)
self._nonce += 1
def update(self, data):
results = []
while True:
remain = BLOCK_SIZE - self._pos
cur_data = data[:remain]
cur_data_len = len(cur_data)
cur_stream = self._stream[self._pos:self._pos + cur_data_len]
self._pos = self._pos + cur_data_len
data = data[remain:]
results.append(numpy_xor(cur_data, cur_stream))
if self._pos >= BLOCK_SIZE:
self._next_stream()
self._pos = 0
if not data:
break
return b''.join(results)
ciphers = {
b'salsa20-ctr': (32, 8, Salsa20Cipher),
}
def test():
from shadowsocks.crypto import util
cipher = Salsa20Cipher(b'salsa20-ctr', b'k' * 32, b'i' * 8, 1)
decipher = Salsa20Cipher(b'salsa20-ctr', b'k' * 32, b'i' * 8, 1)
util.run_cipher(cipher, decipher)
if __name__ == '__main__':
test()

69
shadowsocks/crypto/ctypes_libsodium.py → shadowsocks/crypto/sodium.py
View file

@ -1,32 +1,27 @@
#!/usr/bin/env python #!/usr/bin/env python
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
import logging from ctypes import c_char_p, c_int, c_ulonglong, byref, \
from ctypes import CDLL, c_char_p, c_int, c_ulonglong, byref, \
create_string_buffer, c_void_p create_string_buffer, c_void_p
from shadowsocks.crypto import util
__all__ = ['ciphers'] __all__ = ['ciphers']
libsodium = None libsodium = None
@ -41,16 +36,11 @@ BLOCK_SIZE = 64
def load_libsodium(): def load_libsodium():
global loaded, libsodium, buf global loaded, libsodium, buf
from ctypes.util import find_library libsodium = util.find_library('sodium', 'crypto_stream_salsa20_xor_ic',
for p in ('sodium',): 'libsodium')
libsodium_path = find_library(p) if libsodium is None:
if libsodium_path:
break
else:
raise Exception('libsodium not found') raise Exception('libsodium not found')
logging.info('loading libsodium from %s', libsodium_path)
libsodium = CDLL(libsodium_path)
libsodium.sodium_init.restype = c_int
libsodium.crypto_stream_salsa20_xor_ic.restype = c_int libsodium.crypto_stream_salsa20_xor_ic.restype = c_int
libsodium.crypto_stream_salsa20_xor_ic.argtypes = (c_void_p, c_char_p, libsodium.crypto_stream_salsa20_xor_ic.argtypes = (c_void_p, c_char_p,
c_ulonglong, c_ulonglong,
@ -62,13 +52,11 @@ def load_libsodium():
c_char_p, c_ulonglong, c_char_p, c_ulonglong,
c_char_p) c_char_p)
libsodium.sodium_init()
buf = create_string_buffer(buf_size) buf = create_string_buffer(buf_size)
loaded = True loaded = True
class Salsa20Crypto(object): class SodiumCrypto(object):
def __init__(self, cipher_name, key, iv, op): def __init__(self, cipher_name, key, iv, op):
if not loaded: if not loaded:
load_libsodium() load_libsodium()
@ -76,9 +64,9 @@ class Salsa20Crypto(object):
self.iv = iv self.iv = iv
self.key_ptr = c_char_p(key) self.key_ptr = c_char_p(key)
self.iv_ptr = c_char_p(iv) self.iv_ptr = c_char_p(iv)
if cipher_name == b'salsa20': if cipher_name == 'salsa20':
self.cipher = libsodium.crypto_stream_salsa20_xor_ic self.cipher = libsodium.crypto_stream_salsa20_xor_ic
elif cipher_name == b'chacha20': elif cipher_name == 'chacha20':
self.cipher = libsodium.crypto_stream_chacha20_xor_ic self.cipher = libsodium.crypto_stream_chacha20_xor_ic
else: else:
raise Exception('Unknown cipher') raise Exception('Unknown cipher')
@ -107,25 +95,22 @@ class Salsa20Crypto(object):
ciphers = { ciphers = {
b'salsa20': (32, 8, Salsa20Crypto), 'salsa20': (32, 8, SodiumCrypto),
b'chacha20': (32, 8, Salsa20Crypto), 'chacha20': (32, 8, SodiumCrypto),
} }
def test_salsa20(): def test_salsa20():
from shadowsocks.crypto import util cipher = SodiumCrypto('salsa20', b'k' * 32, b'i' * 16, 1)
decipher = SodiumCrypto('salsa20', b'k' * 32, b'i' * 16, 0)
cipher = Salsa20Crypto(b'salsa20', b'k' * 32, b'i' * 16, 1)
decipher = Salsa20Crypto(b'salsa20', b'k' * 32, b'i' * 16, 0)
util.run_cipher(cipher, decipher) util.run_cipher(cipher, decipher)
def test_chacha20(): def test_chacha20():
from shadowsocks.crypto import util
cipher = Salsa20Crypto(b'chacha20', b'k' * 32, b'i' * 16, 1) cipher = SodiumCrypto('chacha20', b'k' * 32, b'i' * 16, 1)
decipher = Salsa20Crypto(b'chacha20', b'k' * 32, b'i' * 16, 0) decipher = SodiumCrypto('chacha20', b'k' * 32, b'i' * 16, 0)
util.run_cipher(cipher, decipher) util.run_cipher(cipher, decipher)

34
shadowsocks/crypto/table.py
View file

@ -1,24 +1,18 @@
# !/usr/bin/env python # !/usr/bin/env python
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -73,7 +67,7 @@ class TableCipher(object):
ciphers = { ciphers = {
b'table': (0, 0, TableCipher) 'table': (0, 0, TableCipher)
} }
@ -169,8 +163,8 @@ def test_table_result():
def test_encryption(): def test_encryption():
from shadowsocks.crypto import util from shadowsocks.crypto import util
cipher = TableCipher(b'table', b'test', b'', 1) cipher = TableCipher('table', b'test', b'', 1)
decipher = TableCipher(b'table', b'test', b'', 0) decipher = TableCipher('table', b'test', b'', 0)
util.run_cipher(cipher, decipher) util.run_cipher(cipher, decipher)

125
shadowsocks/crypto/util.py
View file

@ -1,24 +1,95 @@
#!/usr/bin/env python #!/usr/bin/env python
#
# Copyright 2015 clowwindy
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Copyright (c) 2014 clowwindy from __future__ import absolute_import, division, print_function, \
# with_statement
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal import os
# in the Software without restriction, including without limitation the rights import logging
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions: def find_library_nt(name):
# # modified from ctypes.util
# The above copyright notice and this permission notice shall be included in # ctypes.util.find_library just returns first result he found
# all copies or substantial portions of the Software. # but we want to try them all
# # because on Windows, users may have both 32bit and 64bit version installed
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR results = []
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, for directory in os.environ['PATH'].split(os.pathsep):
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE fname = os.path.join(directory, name)
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER if os.path.isfile(fname):
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, results.append(fname)
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE if fname.lower().endswith(".dll"):
# SOFTWARE. continue
fname = fname + ".dll"
if os.path.isfile(fname):
results.append(fname)
return results
def find_library(possible_lib_names, search_symbol, library_name):
import ctypes.util
from ctypes import CDLL
paths = []
if type(possible_lib_names) not in (list, tuple):
possible_lib_names = [possible_lib_names]
lib_names = []
for lib_name in possible_lib_names:
lib_names.append(lib_name)
lib_names.append('lib' + lib_name)
for name in lib_names:
if os.name == "nt":
paths.extend(find_library_nt(name))
else:
path = ctypes.util.find_library(name)
if path:
paths.append(path)
if not paths:
# We may get here when find_library fails because, for example,
# the user does not have sufficient privileges to access those
# tools underlying find_library on linux.
import glob
for name in lib_names:
patterns = [
'/usr/local/lib*/lib%s.*' % name,
'/usr/lib*/lib%s.*' % name,
'lib%s.*' % name,
'%s.dll' % name]
for pat in patterns:
files = glob.glob(pat)
if files:
paths.extend(files)
for path in paths:
try:
lib = CDLL(path)
if hasattr(lib, search_symbol):
logging.info('loading %s from %s', library_name, path)
return lib
else:
logging.warn('can\'t find symbol %s in %s', search_symbol,
path)
except Exception:
pass
return None
def run_cipher(cipher, decipher): def run_cipher(cipher, decipher):
@ -49,3 +120,19 @@ def run_cipher(cipher, decipher):
end = time.time() end = time.time()
print('speed: %d bytes/s' % (BLOCK_SIZE * rounds / (end - start))) print('speed: %d bytes/s' % (BLOCK_SIZE * rounds / (end - start)))
assert b''.join(results) == plain assert b''.join(results) == plain
def test_find_library():
assert find_library('c', 'strcpy', 'libc') is not None
assert find_library(['c'], 'strcpy', 'libc') is not None
assert find_library(('c',), 'strcpy', 'libc') is not None
assert find_library(('crypto', 'eay32'), 'EVP_CipherUpdate',
'libcrypto') is not None
assert find_library('notexist', 'strcpy', 'libnotexist') is None
assert find_library('c', 'symbol_not_exist', 'c') is None
assert find_library(('notexist', 'c', 'crypto', 'eay32'),
'EVP_CipherUpdate', 'libc') is not None
if __name__ == '__main__':
test_find_library()

208
shadowsocks/daemon.py Normal file
View file

@ -0,0 +1,208 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014-2015 clowwindy
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from __future__ import absolute_import, division, print_function, \
with_statement
import os
import sys
import logging
import signal
import time
from shadowsocks import common, shell
# this module is ported from ShadowVPN daemon.c
def daemon_exec(config):
if 'daemon' in config:
if os.name != 'posix':
raise Exception('daemon mode is only supported on Unix')
command = config['daemon']
if not command:
command = 'start'
pid_file = config['pid-file']
log_file = config['log-file']
if command == 'start':
daemon_start(pid_file, log_file)
elif command == 'stop':
daemon_stop(pid_file)
# always exit after daemon_stop
sys.exit(0)
elif command == 'restart':
daemon_stop(pid_file)
daemon_start(pid_file, log_file)
else:
raise Exception('unsupported daemon command %s' % command)
def write_pid_file(pid_file, pid):
import fcntl
import stat
try:
fd = os.open(pid_file, os.O_RDWR | os.O_CREAT,
stat.S_IRUSR | stat.S_IWUSR)
except OSError as e:
shell.print_exception(e)
return -1
flags = fcntl.fcntl(fd, fcntl.F_GETFD)
assert flags != -1
flags |= fcntl.FD_CLOEXEC
r = fcntl.fcntl(fd, fcntl.F_SETFD, flags)
assert r != -1
# There is no platform independent way to implement fcntl(fd, F_SETLK, &fl)
# via fcntl.fcntl. So use lockf instead
try:
fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB, 0, 0, os.SEEK_SET)
except IOError:
r = os.read(fd, 32)
if r:
logging.error('already started at pid %s' % common.to_str(r))
else:
logging.error('already started')
os.close(fd)
return -1
os.ftruncate(fd, 0)
os.write(fd, common.to_bytes(str(pid)))
return 0
def freopen(f, mode, stream):
oldf = open(f, mode)
oldfd = oldf.fileno()
newfd = stream.fileno()
os.close(newfd)
os.dup2(oldfd, newfd)
def daemon_start(pid_file, log_file):
def handle_exit(signum, _):
if signum == signal.SIGTERM:
sys.exit(0)
sys.exit(1)
signal.signal(signal.SIGINT, handle_exit)
signal.signal(signal.SIGTERM, handle_exit)
# fork only once because we are sure parent will exit
pid = os.fork()
assert pid != -1
if pid > 0:
# parent waits for its child
time.sleep(5)
sys.exit(0)
# child signals its parent to exit
ppid = os.getppid()
pid = os.getpid()
if write_pid_file(pid_file, pid) != 0:
os.kill(ppid, signal.SIGINT)
sys.exit(1)
os.setsid()
signal.signal(signal.SIG_IGN, signal.SIGHUP)
print('started')
os.kill(ppid, signal.SIGTERM)
sys.stdin.close()
try:
freopen(log_file, 'a', sys.stdout)
freopen(log_file, 'a', sys.stderr)
except IOError as e:
shell.print_exception(e)
sys.exit(1)
def daemon_stop(pid_file):
import errno
try:
with open(pid_file) as f:
buf = f.read()
pid = common.to_str(buf)
if not buf:
logging.error('not running')
except IOError as e:
shell.print_exception(e)
if e.errno == errno.ENOENT:
# always exit 0 if we are sure daemon is not running
logging.error('not running')
return
sys.exit(1)
pid = int(pid)
if pid > 0:
try:
os.kill(pid, signal.SIGTERM)
except OSError as e:
if e.errno == errno.ESRCH:
logging.error('not running')
# always exit 0 if we are sure daemon is not running
return
shell.print_exception(e)
sys.exit(1)
else:
logging.error('pid is not positive: %d', pid)
# sleep for maximum 10s
for i in range(0, 200):
try:
# query for the pid
os.kill(pid, 0)
except OSError as e:
if e.errno == errno.ESRCH:
break
time.sleep(0.05)
else:
logging.error('timed out when stopping pid %d', pid)
sys.exit(1)
print('stopped')
os.unlink(pid_file)
def set_user(username):
if username is None:
return
import pwd
import grp
try:
pwrec = pwd.getpwnam(username)
except KeyError:
logging.error('user not found: %s' % username)
raise
user = pwrec[0]
uid = pwrec[2]
gid = pwrec[3]
cur_uid = os.getuid()
if uid == cur_uid:
return
if cur_uid != 0:
logging.error('can not set user as nonroot user')
# will raise later
# inspired by supervisor
if hasattr(os, 'setgroups'):
groups = [grprec[2] for grprec in grp.getgrall() if user in grprec[3]]
groups.insert(0, gid)
os.setgroups(groups)
os.setgid(gid)
os.setuid(uid)

60
shadowsocks/encrypt.py
View file

@ -1,24 +1,18 @@
#!/usr/bin/env python #!/usr/bin/env python
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2012-2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -28,25 +22,18 @@ import sys
import hashlib import hashlib
import logging import logging
from shadowsocks.crypto import m2, rc4_md5, salsa20_ctr,\ from shadowsocks import common
ctypes_openssl, ctypes_libsodium, table from shadowsocks.crypto import rc4_md5, openssl, sodium, table
method_supported = {} method_supported = {}
method_supported.update(rc4_md5.ciphers) method_supported.update(rc4_md5.ciphers)
method_supported.update(salsa20_ctr.ciphers) method_supported.update(openssl.ciphers)
method_supported.update(ctypes_openssl.ciphers) method_supported.update(sodium.ciphers)
method_supported.update(ctypes_libsodium.ciphers)
# let M2Crypto override ctypes_openssl
method_supported.update(m2.ciphers)
method_supported.update(table.ciphers) method_supported.update(table.ciphers)
def random_string(length): def random_string(length):
try:
import M2Crypto.Rand
return M2Crypto.Rand.rand_bytes(length)
except ImportError:
return os.urandom(length) return os.urandom(length)
@ -60,8 +47,6 @@ def try_cipher(key, method=None):
def EVP_BytesToKey(password, key_len, iv_len): def EVP_BytesToKey(password, key_len, iv_len):
# equivalent to OpenSSL's EVP_BytesToKey() with count 1 # equivalent to OpenSSL's EVP_BytesToKey() with count 1
# so that we make the same key and iv as nodejs version # so that we make the same key and iv as nodejs version
if hasattr(password, 'encode'):
password = password.encode('utf-8')
cached_key = '%s-%d-%d' % (password, key_len, iv_len) cached_key = '%s-%d-%d' % (password, key_len, iv_len)
r = cached_keys.get(cached_key, None) r = cached_keys.get(cached_key, None)
if r: if r:
@ -109,8 +94,7 @@ class Encryptor(object):
return len(self.cipher_iv) return len(self.cipher_iv)
def get_cipher(self, password, method, op, iv): def get_cipher(self, password, method, op, iv):
if hasattr(password, 'encode'): password = common.to_bytes(password)
password = password.encode('utf-8')
m = self._method_info m = self._method_info
if m[0] > 0: if m[0] > 0:
key, iv_ = EVP_BytesToKey(password, m[0], m[1]) key, iv_ = EVP_BytesToKey(password, m[0], m[1])
@ -167,12 +151,12 @@ def encrypt_all(password, method, op, data):
CIPHERS_TO_TEST = [ CIPHERS_TO_TEST = [
b'aes-128-cfb', 'aes-128-cfb',
b'aes-256-cfb', 'aes-256-cfb',
b'rc4-md5', 'rc4-md5',
b'salsa20', 'salsa20',
b'chacha20', 'chacha20',
b'table', 'table',
] ]

35
shadowsocks/eventloop.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2013-2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
# from ssloop # from ssloop
# https://github.com/clowwindy/ssloop # https://github.com/clowwindy/ssloop
@ -34,6 +28,8 @@ import errno
import logging import logging
from collections import defaultdict from collections import defaultdict
from shadowsocks import shell
__all__ = ['EventLoop', 'POLL_NULL', 'POLL_IN', 'POLL_OUT', 'POLL_ERR', __all__ = ['EventLoop', 'POLL_NULL', 'POLL_IN', 'POLL_OUT', 'POLL_ERR',
'POLL_HUP', 'POLL_NVAL', 'EVENT_NAMES'] 'POLL_HUP', 'POLL_NVAL', 'EVENT_NAMES']
@ -229,9 +225,8 @@ class EventLoop(object):
try: try:
handler(events) handler(events)
except (OSError, IOError) as e: except (OSError, IOError) as e:
logging.error(e) shell.print_exception(e)
import traceback if self._handlers_to_remove:
traceback.print_exc()
for handler in self._handlers_to_remove: for handler in self._handlers_to_remove:
self._handlers.remove(handler) self._handlers.remove(handler)
self._handlers_to_remove = [] self._handlers_to_remove = []

53
shadowsocks/local.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/env python #!/usr/bin/env python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2012-2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -30,11 +24,11 @@ import logging
import signal import signal
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../')) sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../'))
from shadowsocks import utils, encrypt, eventloop, tcprelay, udprelay, asyncdns from shadowsocks import shell, daemon, eventloop, tcprelay, udprelay, asyncdns
def main(): def main():
utils.check_python() shell.check_python()
# fix py2exe # fix py2exe
if hasattr(sys, "frozen") and sys.frozen in \ if hasattr(sys, "frozen") and sys.frozen in \
@ -42,11 +36,9 @@ def main():
p = os.path.dirname(os.path.abspath(sys.executable)) p = os.path.dirname(os.path.abspath(sys.executable))
os.chdir(p) os.chdir(p)
config = utils.get_config(True) config = shell.get_config(True)
utils.print_shadowsocks() daemon.daemon_exec(config)
encrypt.try_cipher(config['password'], config['method'])
try: try:
logging.info("starting local at %s:%d" % logging.info("starting local at %s:%d" %
@ -65,13 +57,16 @@ def main():
tcp_server.close(next_tick=True) tcp_server.close(next_tick=True)
udp_server.close(next_tick=True) udp_server.close(next_tick=True)
signal.signal(getattr(signal, 'SIGQUIT', signal.SIGTERM), handler) signal.signal(getattr(signal, 'SIGQUIT', signal.SIGTERM), handler)
def int_handler(signum, _):
sys.exit(1)
signal.signal(signal.SIGINT, int_handler)
daemon.set_user(config.get('user', None))
loop.run() loop.run()
except (KeyboardInterrupt, IOError, OSError) as e: except Exception as e:
logging.error(e) shell.print_exception(e)
if config['verbose']: sys.exit(1)
import traceback
traceback.print_exc()
os._exit(1)
if __name__ == '__main__': if __name__ == '__main__':
main() main()

48
shadowsocks/lru_cache.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -47,6 +41,7 @@ class LRUCache(collections.MutableMapping):
self._time_to_keys = collections.defaultdict(list) self._time_to_keys = collections.defaultdict(list)
self._keys_to_last_time = {} self._keys_to_last_time = {}
self._last_visits = collections.deque() self._last_visits = collections.deque()
self._closed_values = set()
self.update(dict(*args, **kwargs)) # use the free update to set keys self.update(dict(*args, **kwargs)) # use the free update to set keys
def __getitem__(self, key): def __getitem__(self, key):
@ -89,7 +84,9 @@ class LRUCache(collections.MutableMapping):
if key in self._store: if key in self._store:
if now - self._keys_to_last_time[key] > self.timeout: if now - self._keys_to_last_time[key] > self.timeout:
value = self._store[key] value = self._store[key]
if value not in self._closed_values:
self.close_callback(value) self.close_callback(value)
self._closed_values.add(value)
for key in self._time_to_keys[least]: for key in self._time_to_keys[least]:
self._last_visits.popleft() self._last_visits.popleft()
if key in self._store: if key in self._store:
@ -99,6 +96,7 @@ class LRUCache(collections.MutableMapping):
c += 1 c += 1
del self._time_to_keys[least] del self._time_to_keys[least]
if c: if c:
self._closed_values.clear()
logging.debug('%d keys swept' % c) logging.debug('%d keys swept' % c)
@ -132,5 +130,21 @@ def test():
assert 'a' not in c assert 'a' not in c
assert 'b' not in c assert 'b' not in c
global close_cb_called
close_cb_called = False
def close_cb(t):
global close_cb_called
assert not close_cb_called
close_cb_called = True
c = LRUCache(timeout=0.1, close_callback=close_cb)
c['s'] = 1
c['s']
time.sleep(0.1)
c['s']
time.sleep(0.3)
c.sweep()
if __name__ == '__main__': if __name__ == '__main__':
test() test()

54
shadowsocks/server.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/env python #!/usr/bin/env python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -30,15 +24,15 @@ import logging
import signal import signal
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../')) sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../'))
from shadowsocks import utils, encrypt, eventloop, tcprelay, udprelay, asyncdns from shadowsocks import shell, daemon, eventloop, tcprelay, udprelay, asyncdns
def main(): def main():
utils.check_python() shell.check_python()
config = utils.get_config(False) config = shell.get_config(False)
utils.print_shadowsocks() daemon.daemon_exec(config)
if config['port_password']: if config['port_password']:
if config['password']: if config['password']:
@ -54,7 +48,6 @@ def main():
else: else:
config['port_password'][str(server_port)] = config['password'] config['port_password'][str(server_port)] = config['password']
encrypt.try_cipher(config['password'], config['method'])
tcp_servers = [] tcp_servers = []
udp_servers = [] udp_servers = []
dns_resolver = asyncdns.DNSResolver() dns_resolver = asyncdns.DNSResolver()
@ -74,17 +67,21 @@ def main():
tcp_servers + udp_servers)) tcp_servers + udp_servers))
signal.signal(getattr(signal, 'SIGQUIT', signal.SIGTERM), signal.signal(getattr(signal, 'SIGQUIT', signal.SIGTERM),
child_handler) child_handler)
def int_handler(signum, _):
sys.exit(1)
signal.signal(signal.SIGINT, int_handler)
try: try:
loop = eventloop.EventLoop() loop = eventloop.EventLoop()
dns_resolver.add_to_loop(loop) dns_resolver.add_to_loop(loop)
list(map(lambda s: s.add_to_loop(loop), tcp_servers + udp_servers)) list(map(lambda s: s.add_to_loop(loop), tcp_servers + udp_servers))
daemon.set_user(config.get('user', None))
loop.run() loop.run()
except (KeyboardInterrupt, IOError, OSError) as e: except Exception as e:
logging.error(e) shell.print_exception(e)
if config['verbose']: sys.exit(1)
import traceback
traceback.print_exc()
os._exit(1)
if int(config['workers']) > 1: if int(config['workers']) > 1:
if os.name == 'posix': if os.name == 'posix':
@ -110,6 +107,7 @@ def main():
sys.exit() sys.exit()
signal.signal(signal.SIGTERM, handler) signal.signal(signal.SIGTERM, handler)
signal.signal(signal.SIGQUIT, handler) signal.signal(signal.SIGQUIT, handler)
signal.signal(signal.SIGINT, handler)
# master # master
for a_tcp_server in tcp_servers: for a_tcp_server in tcp_servers:

203
shadowsocks/utils.py → shadowsocks/shell.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -29,11 +23,14 @@ import json
import sys import sys
import getopt import getopt
import logging import logging
from shadowsocks.common import to_bytes from shadowsocks.common import to_bytes, to_str, IPNetwork
from shadowsocks import encrypt
VERBOSE_LEVEL = 5 VERBOSE_LEVEL = 5
verbose = 0
def check_python(): def check_python():
info = sys.version_info info = sys.version_info
@ -48,6 +45,14 @@ def check_python():
sys.exit(1) sys.exit(1)
def print_exception(e):
global verbose
logging.error(e)
if verbose > 0:
import traceback
traceback.print_exc()
def print_shadowsocks(): def print_shadowsocks():
version = '' version = ''
try: try:
@ -55,7 +60,7 @@ def print_shadowsocks():
version = pkg_resources.get_distribution('shadowsocks').version version = pkg_resources.get_distribution('shadowsocks').version
except Exception: except Exception:
pass pass
print('shadowsocks %s' % version) print('Shadowsocks %s' % version)
def find_config(): def find_config():
@ -68,16 +73,37 @@ def find_config():
return None return None
def check_config(config): def check_config(config, is_local):
if config.get('daemon', None) == 'stop':
# no need to specify configuration for daemon stop
return
if is_local and not config.get('password', None):
logging.error('password not specified')
print_help(is_local)
sys.exit(2)
if not is_local and not config.get('password', None) \
and not config.get('port_password', None):
logging.error('password or port_password not specified')
print_help(is_local)
sys.exit(2)
if 'local_port' in config:
config['local_port'] = int(config['local_port'])
if 'server_port' in config and type(config['server_port']) != list:
config['server_port'] = int(config['server_port'])
if config.get('local_address', '') in [b'0.0.0.0']: if config.get('local_address', '') in [b'0.0.0.0']:
logging.warn('warning: local set to listen 0.0.0.0, which is not safe') logging.warn('warning: local set to listen on 0.0.0.0, it\'s not safe')
if config.get('server', '') in [b'127.0.0.1', b'localhost']: if config.get('server', '') in ['127.0.0.1', 'localhost']:
logging.warn('warning: server set to listen %s:%s, are you sure?' % logging.warn('warning: server set to listen on %s:%s, are you sure?' %
(config['server'], config['server_port'])) (to_str(config['server']), config['server_port']))
if (config.get('method', '') or '').lower() == b'table': if (config.get('method', '') or '').lower() == 'table':
logging.warn('warning: table is not safe; please use a safer cipher, ' logging.warn('warning: table is not safe; please use a safer cipher, '
'like AES-256-CFB') 'like AES-256-CFB')
if (config.get('method', '') or '').lower() == b'rc4': if (config.get('method', '') or '').lower() == 'rc4':
logging.warn('warning: RC4 is not safe; please use a safer cipher, ' logging.warn('warning: RC4 is not safe; please use a safer cipher, '
'like AES-256-CFB') 'like AES-256-CFB')
if config.get('timeout', 300) < 100: if config.get('timeout', 300) < 100:
@ -89,18 +115,28 @@ def check_config(config):
if config.get('password') in [b'mypassword']: if config.get('password') in [b'mypassword']:
logging.error('DON\'T USE DEFAULT PASSWORD! Please change it in your ' logging.error('DON\'T USE DEFAULT PASSWORD! Please change it in your '
'config.json!') 'config.json!')
exit(1) sys.exit(1)
if config.get('user', None) is not None:
if os.name != 'posix':
logging.error('user can be used only on Unix')
sys.exit(1)
encrypt.try_cipher(config['password'], config['method'])
def get_config(is_local): def get_config(is_local):
global verbose
logging.basicConfig(level=logging.INFO, logging.basicConfig(level=logging.INFO,
format='%(levelname)-s: %(message)s') format='%(levelname)-s: %(message)s')
if is_local: if is_local:
shortopts = 'hs:b:p:k:l:m:c:t:vq' shortopts = 'hd:s:b:p:k:l:m:c:t:vq'
longopts = ['fast-open'] longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'user=',
'version']
else: else:
shortopts = 'hs:p:k:m:c:t:vq' shortopts = 'hd:s:p:k:m:c:t:vq'
longopts = ['fast-open', 'workers='] longopts = ['help', 'fast-open', 'pid-file=', 'log-file=', 'workers=',
'forbidden-ip=', 'user=', 'version']
try: try:
config_path = find_config() config_path = find_config()
optlist, args = getopt.getopt(sys.argv[1:], shortopts, longopts) optlist, args = getopt.getopt(sys.argv[1:], shortopts, longopts)
@ -121,7 +157,6 @@ def get_config(is_local):
else: else:
config = {} config = {}
optlist, args = getopt.getopt(sys.argv[1:], shortopts, longopts)
v_count = 0 v_count = 0
for key, value in optlist: for key, value in optlist:
if key == '-p': if key == '-p':
@ -131,11 +166,11 @@ def get_config(is_local):
elif key == '-l': elif key == '-l':
config['local_port'] = int(value) config['local_port'] = int(value)
elif key == '-s': elif key == '-s':
config['server'] = to_bytes(value) config['server'] = to_str(value)
elif key == '-m': elif key == '-m':
config['method'] = to_bytes(value) config['method'] = to_str(value)
elif key == '-b': elif key == '-b':
config['local_address'] = to_bytes(value) config['local_address'] = to_str(value)
elif key == '-v': elif key == '-v':
v_count += 1 v_count += 1
# '-vv' turns on more verbose mode # '-vv' turns on more verbose mode
@ -146,12 +181,25 @@ def get_config(is_local):
config['fast_open'] = True config['fast_open'] = True
elif key == '--workers': elif key == '--workers':
config['workers'] = int(value) config['workers'] = int(value)
elif key == '-h': elif key == '--user':
config['user'] = to_str(value)
elif key == '--forbidden-ip':
config['forbidden_ip'] = to_str(value).split(',')
elif key in ('-h', '--help'):
if is_local: if is_local:
print_local_help() print_local_help()
else: else:
print_server_help() print_server_help()
sys.exit(0) sys.exit(0)
elif key == '--version':
print_shadowsocks()
sys.exit(0)
elif key == '-d':
config['daemon'] = to_str(value)
elif key == '--pid-file':
config['pid-file'] = to_str(value)
elif key == '--log-file':
config['log-file'] = to_str(value)
elif key == '-q': elif key == '-q':
v_count -= 1 v_count -= 1
config['verbose'] = v_count config['verbose'] = v_count
@ -165,14 +213,16 @@ def get_config(is_local):
print_help(is_local) print_help(is_local)
sys.exit(2) sys.exit(2)
config['password'] = config.get('password', '') config['password'] = to_bytes(config.get('password', b''))
config['method'] = config.get('method', 'aes-256-cfb') config['method'] = to_str(config.get('method', 'aes-256-cfb'))
config['port_password'] = config.get('port_password', None) config['port_password'] = config.get('port_password', None)
config['timeout'] = int(config.get('timeout', 300)) config['timeout'] = int(config.get('timeout', 300))
config['fast_open'] = config.get('fast_open', False) config['fast_open'] = config.get('fast_open', False)
config['workers'] = config.get('workers', 1) config['workers'] = config.get('workers', 1)
config['pid-file'] = config.get('pid-file', '/var/run/shadowsocks.pid')
config['log-file'] = config.get('log-file', '/var/log/shadowsocks.log')
config['verbose'] = config.get('verbose', False) config['verbose'] = config.get('verbose', False)
config['local_address'] = config.get('local_address', '127.0.0.1') config['local_address'] = to_str(config.get('local_address', '127.0.0.1'))
config['local_port'] = config.get('local_port', 1080) config['local_port'] = config.get('local_port', 1080)
if is_local: if is_local:
if config.get('server', None) is None: if config.get('server', None) is None:
@ -180,26 +230,17 @@ def get_config(is_local):
print_local_help() print_local_help()
sys.exit(2) sys.exit(2)
else: else:
config['server'] = config.get('server', '0.0.0.0') config['server'] = to_str(config['server'])
else:
config['server'] = to_str(config.get('server', '0.0.0.0'))
try:
config['forbidden_ip'] = \
IPNetwork(config.get('forbidden_ip', '127.0.0.0/8,::1/128'))
except Exception as e:
logging.error(e)
sys.exit(2)
config['server_port'] = config.get('server_port', 8388) config['server_port'] = config.get('server_port', 8388)
if is_local and not config.get('password', None):
logging.error('password not specified')
print_help(is_local)
sys.exit(2)
if not is_local and not config.get('password', None) \
and not config.get('port_password', None):
logging.error('password or port_password not specified')
print_help(is_local)
sys.exit(2)
if 'local_port' in config:
config['local_port'] = int(config['local_port'])
if 'server_port' in config and type(config['server_port']) != list:
config['server_port'] = int(config['server_port'])
logging.getLogger('').handlers = [] logging.getLogger('').handlers = []
logging.addLevelName(VERBOSE_LEVEL, 'VERBOSE') logging.addLevelName(VERBOSE_LEVEL, 'VERBOSE')
if config['verbose'] >= 2: if config['verbose'] >= 2:
@ -212,11 +253,12 @@ def get_config(is_local):
level = logging.ERROR level = logging.ERROR
else: else:
level = logging.INFO level = logging.INFO
verbose = config['verbose']
logging.basicConfig(level=level, logging.basicConfig(level=level,
format='%(asctime)s %(levelname)-8s %(message)s', format='%(asctime)s %(levelname)-8s %(message)s',
datefmt='%Y-%m-%d %H:%M:%S') datefmt='%Y-%m-%d %H:%M:%S')
check_config(config) check_config(config, is_local)
return config return config
@ -229,12 +271,13 @@ def print_help(is_local):
def print_local_help(): def print_local_help():
print('''usage: sslocal [-h] -s SERVER_ADDR [-p SERVER_PORT] print('''usage: sslocal [OPTION]...
[-b LOCAL_ADDR] [-l LOCAL_PORT] -k PASSWORD [-m METHOD] A fast tunnel proxy that helps you bypass firewalls.
[-t TIMEOUT] [-c CONFIG] [--fast-open] [-v] [-q]
optional arguments: You can supply configurations via either config file or command line arguments.
-h, --help show this help message and exit
Proxy options:
-c CONFIG path to config file
-s SERVER_ADDR server address -s SERVER_ADDR server address
-p SERVER_PORT server port, default: 8388 -p SERVER_PORT server port, default: 8388
-b LOCAL_ADDR local binding address, default: 127.0.0.1 -b LOCAL_ADDR local binding address, default: 127.0.0.1
@ -242,34 +285,50 @@ optional arguments:
-k PASSWORD password -k PASSWORD password
-m METHOD encryption method, default: aes-256-cfb -m METHOD encryption method, default: aes-256-cfb
-t TIMEOUT timeout in seconds, default: 300 -t TIMEOUT timeout in seconds, default: 300
-c CONFIG path to config file
--fast-open use TCP_FASTOPEN, requires Linux 3.7+ --fast-open use TCP_FASTOPEN, requires Linux 3.7+
General options:
-h, --help show this help message and exit
-d start/stop/restart daemon mode
--pid-file PID_FILE pid file for daemon mode
--log-file LOG_FILE log file for daemon mode
--user USER username to run as
-v, -vv verbose mode -v, -vv verbose mode
-q, -qq quiet mode, only show warnings/errors -q, -qq quiet mode, only show warnings/errors
--version show version information
Online help: <https://github.com/clowwindy/shadowsocks> Online help: <https://github.com/shadowsocks/shadowsocks>
''') ''')
def print_server_help(): def print_server_help():
print('''usage: ssserver [-h] [-s SERVER_ADDR] [-p SERVER_PORT] -k PASSWORD print('''usage: ssserver [OPTION]...
-m METHOD [-t TIMEOUT] [-c CONFIG] [--fast-open] A fast tunnel proxy that helps you bypass firewalls.
[--workers WORKERS] [-v] [-q]
optional arguments: You can supply configurations via either config file or command line arguments.
-h, --help show this help message and exit
Proxy options:
-c CONFIG path to config file
-s SERVER_ADDR server address, default: 0.0.0.0 -s SERVER_ADDR server address, default: 0.0.0.0
-p SERVER_PORT server port, default: 8388 -p SERVER_PORT server port, default: 8388
-k PASSWORD password -k PASSWORD password
-m METHOD encryption method, default: aes-256-cfb -m METHOD encryption method, default: aes-256-cfb
-t TIMEOUT timeout in seconds, default: 300 -t TIMEOUT timeout in seconds, default: 300
-c CONFIG path to config file
--fast-open use TCP_FASTOPEN, requires Linux 3.7+ --fast-open use TCP_FASTOPEN, requires Linux 3.7+
--workers WORKERS number of workers, available on Unix/Linux --workers WORKERS number of workers, available on Unix/Linux
--forbidden-ip IPLIST comma seperated IP list forbidden to connect
General options:
-h, --help show this help message and exit
-d start/stop/restart daemon mode
--pid-file PID_FILE pid file for daemon mode
--log-file LOG_FILE log file for daemon mode
--user USER username to run as
-v, -vv verbose mode -v, -vv verbose mode
-q, -qq quiet mode, only show warnings/errors -q, -qq quiet mode, only show warnings/errors
--version show version information
Online help: <https://github.com/clowwindy/shadowsocks> Online help: <https://github.com/shadowsocks/shadowsocks>
''') ''')

115
shadowsocks/tcprelay.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -32,7 +26,7 @@ import logging
import traceback import traceback
import random import random
from shadowsocks import encrypt, eventloop, utils, common from shadowsocks import encrypt, eventloop, shell, common
from shadowsocks.common import parse_header from shadowsocks.common import parse_header
# we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time # we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time
@ -43,30 +37,22 @@ TIMEOUT_PRECISION = 4
MSG_FASTOPEN = 0x20000000 MSG_FASTOPEN = 0x20000000
# SOCKS CMD defination # SOCKS command definition
CMD_CONNECT = 1 CMD_CONNECT = 1
CMD_BIND = 2 CMD_BIND = 2
CMD_UDP_ASSOCIATE = 3 CMD_UDP_ASSOCIATE = 3
# TCP Relay can be either sslocal or ssserver
# for sslocal it is called is_local=True
# for each opening port, we have a TCP Relay # for each opening port, we have a TCP Relay
# for each connection, we have a TCP Relay Handler to handle the connection # for each connection, we have a TCP Relay Handler to handle the connection
# for each handler, we have 2 sockets: # for each handler, we have 2 sockets:
# local: connected to the client # local: connected to the client
# remote: connected to remote server # remote: connected to remote server
# for each handler, we have 2 streams:
# upstream: from client to server direction
# read local and write to remote
# downstream: from server to client direction
# read remote and write to local
# for each handler, it could be at one of several stages: # for each handler, it could be at one of several stages:
# sslocal: # as sslocal:
# stage 0 SOCKS hello received from local, send hello to local # stage 0 SOCKS hello received from local, send hello to local
# stage 1 addr received from local, query DNS for remote # stage 1 addr received from local, query DNS for remote
# stage 2 UDP assoc # stage 2 UDP assoc
@ -74,7 +60,7 @@ CMD_UDP_ASSOCIATE = 3
# stage 4 still connecting, more data from local received # stage 4 still connecting, more data from local received
# stage 5 remote connected, piping local and remote # stage 5 remote connected, piping local and remote
# ssserver: # as ssserver:
# stage 0 just jump to stage 1 # stage 0 just jump to stage 1
# stage 1 addr received from local, query DNS for remote # stage 1 addr received from local, query DNS for remote
# stage 3 DNS resolved, connect to remote # stage 3 DNS resolved, connect to remote
@ -89,11 +75,16 @@ STAGE_CONNECTING = 4
STAGE_STREAM = 5 STAGE_STREAM = 5
STAGE_DESTROYED = -1 STAGE_DESTROYED = -1
# stream direction # for each handler, we have 2 stream directions:
# upstream: from client to server direction
# read local and write to remote
# downstream: from server to client direction
# read remote and write to local
STREAM_UP = 0 STREAM_UP = 0
STREAM_DOWN = 1 STREAM_DOWN = 1
# stream wait status, indicating it's waiting for reading, etc # for each stream, it's waiting for reading, or writing, or both
WAIT_STATUS_INIT = 0 WAIT_STATUS_INIT = 0
WAIT_STATUS_READING = 1 WAIT_STATUS_READING = 1
WAIT_STATUS_WRITING = 2 WAIT_STATUS_WRITING = 2
@ -112,6 +103,9 @@ class TCPRelayHandler(object):
self._remote_sock = None self._remote_sock = None
self._config = config self._config = config
self._dns_resolver = dns_resolver self._dns_resolver = dns_resolver
# TCP Relay works as either sslocal or ssserver
# if is_local, this is sslocal
self._is_local = is_local self._is_local = is_local
self._stage = STAGE_INIT self._stage = STAGE_INIT
self._encryptor = encrypt.Encryptor(config['password'], self._encryptor = encrypt.Encryptor(config['password'],
@ -121,7 +115,12 @@ class TCPRelayHandler(object):
self._data_to_write_to_remote = [] self._data_to_write_to_remote = []
self._upstream_status = WAIT_STATUS_READING self._upstream_status = WAIT_STATUS_READING
self._downstream_status = WAIT_STATUS_INIT self._downstream_status = WAIT_STATUS_INIT
self._client_address = local_sock.getpeername()[:2]
self._remote_address = None self._remote_address = None
if 'forbidden_ip' in config:
self._forbidden_iplist = config['forbidden_ip']
else:
self._forbidden_iplist = None
if is_local: if is_local:
self._chosen_server = self._get_a_server() self._chosen_server = self._get_a_server()
fd_to_handlers[local_sock.fileno()] = self fd_to_handlers[local_sock.fileno()] = self
@ -145,8 +144,9 @@ class TCPRelayHandler(object):
server_port = self._config['server_port'] server_port = self._config['server_port']
if type(server_port) == list: if type(server_port) == list:
server_port = random.choice(server_port) server_port = random.choice(server_port)
if type(server) == list:
server = random.choice(server)
logging.debug('chosen server: %s:%d', server, server_port) logging.debug('chosen server: %s:%d', server, server_port)
# TODO support multiple server IP
return server, server_port return server, server_port
def _update_activity(self): def _update_activity(self):
@ -203,9 +203,7 @@ class TCPRelayHandler(object):
errno.EWOULDBLOCK): errno.EWOULDBLOCK):
uncomplete = True uncomplete = True
else: else:
logging.error(e) shell.print_exception(e)
if self._config['verbose']:
traceback.print_exc()
self.destroy() self.destroy()
return False return False
if uncomplete: if uncomplete:
@ -241,26 +239,25 @@ class TCPRelayHandler(object):
self._create_remote_socket(self._chosen_server[0], self._create_remote_socket(self._chosen_server[0],
self._chosen_server[1]) self._chosen_server[1])
self._loop.add(remote_sock, eventloop.POLL_ERR) self._loop.add(remote_sock, eventloop.POLL_ERR)
data = b''.join(self._data_to_write_to_local) data = b''.join(self._data_to_write_to_remote)
l = len(data) l = len(data)
s = remote_sock.sendto(data, MSG_FASTOPEN, self._chosen_server) s = remote_sock.sendto(data, MSG_FASTOPEN, self._chosen_server)
if s < l: if s < l:
data = data[s:] data = data[s:]
self._data_to_write_to_local = [data] self._data_to_write_to_remote = [data]
self._update_stream(STREAM_UP, WAIT_STATUS_READWRITING)
else: else:
self._data_to_write_to_local = [] self._data_to_write_to_remote = []
self._update_stream(STREAM_UP, WAIT_STATUS_READING) self._update_stream(STREAM_UP, WAIT_STATUS_READWRITING)
self._stage = STAGE_STREAM
except (OSError, IOError) as e: except (OSError, IOError) as e:
if eventloop.errno_from_exception(e) == errno.EINPROGRESS: if eventloop.errno_from_exception(e) == errno.EINPROGRESS:
# in this case data is not sent at all
self._update_stream(STREAM_UP, WAIT_STATUS_READWRITING) self._update_stream(STREAM_UP, WAIT_STATUS_READWRITING)
elif eventloop.errno_from_exception(e) == errno.ENOTCONN: elif eventloop.errno_from_exception(e) == errno.ENOTCONN:
logging.error('fast open not supported on this OS') logging.error('fast open not supported on this OS')
self._config['fast_open'] = False self._config['fast_open'] = False
self.destroy() self.destroy()
else: else:
logging.error(e) shell.print_exception(e)
if self._config['verbose']: if self._config['verbose']:
traceback.print_exc() traceback.print_exc()
self.destroy() self.destroy()
@ -295,9 +292,10 @@ class TCPRelayHandler(object):
if header_result is None: if header_result is None:
raise Exception('can not parse header') raise Exception('can not parse header')
addrtype, remote_addr, remote_port, header_length = header_result addrtype, remote_addr, remote_port, header_length = header_result
logging.info('connecting %s:%d' % (common.to_str(remote_addr), logging.info('connecting %s:%d from %s:%d' %
remote_port)) (common.to_str(remote_addr), remote_port,
self._remote_address = (remote_addr, remote_port) self._client_address[0], self._client_address[1]))
self._remote_address = (common.to_str(remote_addr), remote_port)
# pause reading # pause reading
self._update_stream(STREAM_UP, WAIT_STATUS_WRITING) self._update_stream(STREAM_UP, WAIT_STATUS_WRITING)
self._stage = STAGE_DNS self._stage = STAGE_DNS
@ -318,7 +316,7 @@ class TCPRelayHandler(object):
self._dns_resolver.resolve(remote_addr, self._dns_resolver.resolve(remote_addr,
self._handle_dns_resolved) self._handle_dns_resolved)
except Exception as e: except Exception as e:
logging.error(e) self._log_error(e)
if self._config['verbose']: if self._config['verbose']:
traceback.print_exc() traceback.print_exc()
# TODO use logging when debug completed # TODO use logging when debug completed
@ -330,6 +328,10 @@ class TCPRelayHandler(object):
if len(addrs) == 0: if len(addrs) == 0:
raise Exception("getaddrinfo failed for %s:%d" % (ip, port)) raise Exception("getaddrinfo failed for %s:%d" % (ip, port))
af, socktype, proto, canonname, sa = addrs[0] af, socktype, proto, canonname, sa = addrs[0]
if self._forbidden_iplist:
if common.to_str(sa[0]) in self._forbidden_iplist:
raise Exception('IP %s is in forbidden list, reject' %
common.to_str(sa[0]))
remote_sock = socket.socket(af, socktype, proto) remote_sock = socket.socket(af, socktype, proto)
self._remote_sock = remote_sock self._remote_sock = remote_sock
self._fd_to_handlers[remote_sock.fileno()] = self self._fd_to_handlers[remote_sock.fileno()] = self
@ -339,12 +341,13 @@ class TCPRelayHandler(object):
def _handle_dns_resolved(self, result, error): def _handle_dns_resolved(self, result, error):
if error: if error:
logging.error(error) self._log_error(error)
self.destroy() self.destroy()
return return
if result: if result:
ip = result[1] ip = result[1]
if ip: if ip:
try: try:
self._stage = STAGE_CONNECTING self._stage = STAGE_CONNECTING
remote_addr = ip remote_addr = ip
@ -377,8 +380,8 @@ class TCPRelayHandler(object):
self._update_stream(STREAM_UP, WAIT_STATUS_READWRITING) self._update_stream(STREAM_UP, WAIT_STATUS_READWRITING)
self._update_stream(STREAM_DOWN, WAIT_STATUS_READING) self._update_stream(STREAM_DOWN, WAIT_STATUS_READING)
return return
except (OSError, IOError) as e: except Exception as e:
logging.error(e) shell.print_exception(e)
if self._config['verbose']: if self._config['verbose']:
traceback.print_exc() traceback.print_exc()
self.destroy() self.destroy()
@ -440,7 +443,7 @@ class TCPRelayHandler(object):
try: try:
self._write_to_sock(data, self._local_sock) self._write_to_sock(data, self._local_sock)
except Exception as e: except Exception as e:
logging.error(e) shell.print_exception(e)
if self._config['verbose']: if self._config['verbose']:
traceback.print_exc() traceback.print_exc()
# TODO use logging when debug completed # TODO use logging when debug completed
@ -508,6 +511,10 @@ class TCPRelayHandler(object):
else: else:
logging.warn('unknown socket') logging.warn('unknown socket')
def _log_error(self, e):
logging.error('%s when handling connection from %s:%d' %
(e, self._client_address[0], self._client_address[1]))
def destroy(self): def destroy(self):
# destroy the handler and release any resources # destroy the handler and release any resources
# promises: # promises:
@ -623,7 +630,7 @@ class TCPRelay(object):
# we just need a sorted last_activity queue and it's faster than heapq # we just need a sorted last_activity queue and it's faster than heapq
# in fact we can do O(1) insertion/remove so we invent our own # in fact we can do O(1) insertion/remove so we invent our own
if self._timeouts: if self._timeouts:
logging.log(utils.VERBOSE_LEVEL, 'sweeping timeouts') logging.log(shell.VERBOSE_LEVEL, 'sweeping timeouts')
now = time.time() now = time.time()
length = len(self._timeouts) length = len(self._timeouts)
pos = self._timeout_offset pos = self._timeout_offset
@ -656,7 +663,7 @@ class TCPRelay(object):
# handle events and dispatch to handlers # handle events and dispatch to handlers
for sock, fd, event in events: for sock, fd, event in events:
if sock: if sock:
logging.log(utils.VERBOSE_LEVEL, 'fd %d %s', fd, logging.log(shell.VERBOSE_LEVEL, 'fd %d %s', fd,
eventloop.EVENT_NAMES.get(event, event)) eventloop.EVENT_NAMES.get(event, event))
if sock == self._server_socket: if sock == self._server_socket:
if event & eventloop.POLL_ERR: if event & eventloop.POLL_ERR:
@ -674,7 +681,7 @@ class TCPRelay(object):
errno.EWOULDBLOCK): errno.EWOULDBLOCK):
continue continue
else: else:
logging.error(e) shell.print_exception(e)
if self._config['verbose']: if self._config['verbose']:
traceback.print_exc() traceback.print_exc()
else: else:

45
shadowsocks/udprelay.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
# SOCKS5 UDP Request # SOCKS5 UDP Request
# +----+------+------+----------+----------+----------+ # +----+------+------+----------+----------+----------+
@ -75,7 +69,7 @@ import struct
import errno import errno
import random import random
from shadowsocks import encrypt, eventloop, lru_cache, common from shadowsocks import encrypt, eventloop, lru_cache, common, shell
from shadowsocks.common import parse_header, pack_addr from shadowsocks.common import parse_header, pack_addr
@ -112,6 +106,10 @@ class UDPRelay(object):
self._closed = False self._closed = False
self._last_time = time.time() self._last_time = time.time()
self._sockets = set() self._sockets = set()
if 'forbidden_ip' in config:
self._forbidden_iplist = config['forbidden_ip']
else:
self._forbidden_iplist = None
addrs = socket.getaddrinfo(self._listen_addr, self._listen_port, 0, addrs = socket.getaddrinfo(self._listen_addr, self._listen_port, 0,
socket.SOCK_DGRAM, socket.SOL_UDP) socket.SOCK_DGRAM, socket.SOL_UDP)
@ -129,8 +127,9 @@ class UDPRelay(object):
server_port = self._config['server_port'] server_port = self._config['server_port']
if type(server_port) == list: if type(server_port) == list:
server_port = random.choice(server_port) server_port = random.choice(server_port)
if type(server) == list:
server = random.choice(server)
logging.debug('chosen server: %s:%d', server, server_port) logging.debug('chosen server: %s:%d', server, server_port)
# TODO support multiple server IP
return server, server_port return server, server_port
def _close_client(self, client): def _close_client(self, client):
@ -178,6 +177,12 @@ class UDPRelay(object):
socket.SOCK_DGRAM, socket.SOL_UDP) socket.SOCK_DGRAM, socket.SOL_UDP)
if addrs: if addrs:
af, socktype, proto, canonname, sa = addrs[0] af, socktype, proto, canonname, sa = addrs[0]
if self._forbidden_iplist:
if common.to_str(sa[0]) in self._forbidden_iplist:
logging.debug('IP %s is in forbidden list, drop' %
common.to_str(sa[0]))
# drop
return
client = socket.socket(af, socktype, proto) client = socket.socket(af, socktype, proto)
client.setblocking(False) client.setblocking(False)
self._cache[key] = client self._cache[key] = client
@ -203,7 +208,7 @@ class UDPRelay(object):
if err in (errno.EINPROGRESS, errno.EAGAIN): if err in (errno.EINPROGRESS, errno.EAGAIN):
pass pass
else: else:
logging.error(e) shell.print_exception(e)
def _handle_client(self, sock): def _handle_client(self, sock):
data, r_addr = sock.recvfrom(BUF_SIZE) data, r_addr = sock.recvfrom(BUF_SIZE)

148
tests/assert.sh Normal file
View file

@ -0,0 +1,148 @@
#!/bin/bash
# assert.sh 1.0 - bash unit testing framework
# Copyright (C) 2009, 2010, 2011, 2012 Robert Lehmann
#
# http://github.com/lehmannro/assert.sh
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
export DISCOVERONLY=${DISCOVERONLY:-}
export DEBUG=${DEBUG:-}
export STOP=${STOP:-}
export INVARIANT=${INVARIANT:-}
export CONTINUE=${CONTINUE:-}
args="$(getopt -n "$0" -l \
verbose,help,stop,discover,invariant,continue vhxdic $*)" \
|| exit -1
for arg in $args; do
case "$arg" in
-h)
echo "$0 [-vxidc]" \
"[--verbose] [--stop] [--invariant] [--discover] [--continue]"
echo "`sed 's/./ /g' <<< "$0"` [-h] [--help]"
exit 0;;
--help)
cat <<EOF
Usage: $0 [options]
Language-agnostic unit tests for subprocesses.
Options:
-v, --verbose generate output for every individual test case
-x, --stop stop running tests after the first failure
-i, --invariant do not measure timings to remain invariant between runs
-d, --discover collect test suites only, do not run any tests
-c, --continue do not modify exit code to test suite status
-h show brief usage information and exit
--help show this help message and exit
EOF
exit 0;;
-v|--verbose)
DEBUG=1;;
-x|--stop)
STOP=1;;
-i|--invariant)
INVARIANT=1;;
-d|--discover)
DISCOVERONLY=1;;
-c|--continue)
CONTINUE=1;;
esac
done
printf -v _indent "\n\t" # local format helper
_assert_reset() {
tests_ran=0
tests_failed=0
tests_errors=()
tests_starttime="$(date +%s.%N)" # seconds_since_epoch.nanoseconds
}
assert_end() {
# assert_end [suite ..]
tests_endtime="$(date +%s.%N)"
tests="$tests_ran ${*:+$* }tests"
[[ -n "$DISCOVERONLY" ]] && echo "collected $tests." && _assert_reset && return
[[ -n "$DEBUG" ]] && echo
[[ -z "$INVARIANT" ]] && report_time=" in $(bc \
<<< "${tests_endtime%.N} - ${tests_starttime%.N}" \
| sed -e 's/\.\([0-9]\{0,3\}\)[0-9]*/.\1/' -e 's/^\./0./')s" \
|| report_time=
if [[ "$tests_failed" -eq 0 ]]; then
echo "all $tests passed$report_time."
else
for error in "${tests_errors[@]}"; do echo "$error"; done
echo "$tests_failed of $tests failed$report_time."
fi
tests_failed_previous=$tests_failed
[[ $tests_failed -gt 0 ]] && tests_suite_status=1
_assert_reset
return $tests_failed_previous
}
assert() {
# assert <command> <expected stdout> [stdin]
(( tests_ran++ )) || :
[[ -n "$DISCOVERONLY" ]] && return || true
# printf required for formatting
printf -v expected "x${2:-}" # x required to overwrite older results
result="$(eval 2>/dev/null $1 <<< ${3:-})" || true
# Note: $expected is already decorated
if [[ "x$result" == "$expected" ]]; then
[[ -n "$DEBUG" ]] && echo -n . || true
return
fi
result="$(sed -e :a -e '$!N;s/\n/\\n/;ta' <<< "$result")"
[[ -z "$result" ]] && result="nothing" || result="\"$result\""
[[ -z "$2" ]] && expected="nothing" || expected="\"$2\""
_assert_fail "expected $expected${_indent}got $result" "$1" "$3"
}
assert_raises() {
# assert_raises <command> <expected code> [stdin]
(( tests_ran++ )) || :
[[ -n "$DISCOVERONLY" ]] && return || true
status=0
(eval $1 <<< ${3:-}) > /dev/null 2>&1 || status=$?
expected=${2:-0}
if [[ "$status" -eq "$expected" ]]; then
[[ -n "$DEBUG" ]] && echo -n . || true
return
fi
_assert_fail "program terminated with code $status instead of $expected" "$1" "$3"
}
_assert_fail() {
# _assert_fail <failure> <command> <stdin>
[[ -n "$DEBUG" ]] && echo -n X
report="test #$tests_ran \"$2${3:+ <<< $3}\" failed:${_indent}$1"
if [[ -n "$STOP" ]]; then
[[ -n "$DEBUG" ]] && echo
echo "$report"
exit 1
fi
tests_errors[$tests_failed]="$report"
(( tests_failed++ )) || :
}
_assert_reset
: ${tests_suite_status:=0} # remember if any of the tests failed so far
_assert_cleanup() {
local status=$?
# modify exit code if it's not already non-zero
[[ $status -eq 0 && -z $CONTINUE ]] && exit $tests_suite_status
}
trap _assert_cleanup EXIT

10
tests/client-multi-server-ip.json Normal file
View file

@ -0,0 +1,10 @@
{
"server":["127.0.0.1", "127.0.0.1"],
"server_port":8388,
"local_port":1081,
"password":"aes_password",
"timeout":60,
"method":"aes-256-cfb",
"local_address":"127.0.0.1",
"fast_open":false
}

45
tests/coverage_server.py Normal file
View file

@ -0,0 +1,45 @@
#!/usr/bin/env python
#
# Copyright 2015 clowwindy
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
if __name__ == '__main__':
import tornado.ioloop
import tornado.web
import urllib
class MainHandler(tornado.web.RequestHandler):
def get(self, project):
try:
with open('/tmp/%s-coverage' % project, 'rb') as f:
coverage = f.read().strip()
n = int(coverage.strip('%'))
if n >= 80:
color = 'brightgreen'
else:
color = 'yellow'
self.redirect(('https://img.shields.io/badge/'
'coverage-%s-%s.svg'
'?style=flat') %
(urllib.quote(coverage), color))
except IOError:
raise tornado.web.HTTPError(404)
application = tornado.web.Application([
(r"/([a-zA-Z0-9\-_]+)", MainHandler),
])
if __name__ == "__main__":
application.listen(8888, address='127.0.0.1')
tornado.ioloop.IOLoop.instance().start()

82
tests/jenkins.sh Executable file
View file

@ -0,0 +1,82 @@
#!/bin/bash
result=0
function run_test {
printf '\e[0;36m'
echo "running test: $command $@"
printf '\e[0m'
$command "$@"
status=$?
if [ $status -ne 0 ]; then
printf '\e[0;31m'
echo "test failed: $command $@"
printf '\e[0m'
echo
result=1
else
printf '\e[0;32m'
echo OK
printf '\e[0m'
echo
fi
return 0
}
python --version
coverage erase
mkdir tmp
run_test pep8 --ignore=E402 .
run_test pyflakes .
run_test coverage run tests/nose_plugin.py -v
run_test python setup.py sdist
run_test tests/test_daemon.sh
run_test python tests/test.py --with-coverage -c tests/aes.json
run_test python tests/test.py --with-coverage -c tests/aes-ctr.json
run_test python tests/test.py --with-coverage -c tests/aes-cfb1.json
run_test python tests/test.py --with-coverage -c tests/aes-cfb8.json
run_test python tests/test.py --with-coverage -c tests/rc4-md5.json
run_test python tests/test.py --with-coverage -c tests/salsa20.json
run_test python tests/test.py --with-coverage -c tests/chacha20.json
run_test python tests/test.py --with-coverage -c tests/table.json
run_test python tests/test.py --with-coverage -c tests/server-multi-ports.json
run_test python tests/test.py --with-coverage -s tests/aes.json -c tests/client-multi-server-ip.json
run_test python tests/test.py --with-coverage -s tests/server-multi-passwd.json -c tests/server-multi-passwd-client-side.json
run_test python tests/test.py --with-coverage -c tests/workers.json
run_test python tests/test.py --with-coverage -s tests/ipv6.json -c tests/ipv6-client-side.json
run_test python tests/test.py --with-coverage -b "-m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -q" -a "-m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -l 1081 -vv"
run_test python tests/test.py --with-coverage -b "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 --workers 1" -a "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 -l 1081 -t 30 -qq -b 127.0.0.1"
run_test python tests/test.py --with-coverage --should-fail --url="http://127.0.0.1/" -b "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 --forbidden-ip=127.0.0.1,::1,8.8.8.8" -a "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 -l 1081 -t 30 -b 127.0.0.1"
# test if DNS works
run_test python tests/test.py --with-coverage -c tests/aes.json --url="https://clients1.google.com/generate_204"
# test localhost is in the forbidden list by default
run_test python tests/test.py --with-coverage --should-fail --tcp-only --url="http://127.0.0.1/" -b "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388" -a "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 -l 1081 -t 30 -b 127.0.0.1"
# test localhost is available when forbidden list is empty
run_test python tests/test.py --with-coverage --tcp-only --url="http://127.0.0.1/" -b "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 --forbidden-ip=" -a "-m aes-256-cfb -k testrc4 -s 127.0.0.1 -p 8388 -l 1081 -t 30 -b 127.0.0.1"
if [ -f /proc/sys/net/ipv4/tcp_fastopen ] ; then
if [ 3 -eq `cat /proc/sys/net/ipv4/tcp_fastopen` ] ; then
# we have to run it twice:
# the first time there's no syn cookie
# the second time there is syn cookie
run_test python tests/test.py --with-coverage -c tests/fastopen.json
run_test python tests/test.py --with-coverage -c tests/fastopen.json
fi
fi
run_test tests/test_large_file.sh
run_test tests/test_command.sh
coverage combine && coverage report --include=shadowsocks/*
rm -rf htmlcov
rm -rf tmp
coverage html --include=shadowsocks/*
coverage report --include=shadowsocks/* | tail -n1 | rev | cut -d' ' -f 1 | rev > /tmp/shadowsocks-coverage
exit $result

16
tests/nose_plugin.py
View file

@ -1,3 +1,19 @@
#!/usr/bin/env python
#
# Copyright 2015 clowwindy
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import nose import nose
from nose.plugins.base import Plugin from nose.plugins.base import Plugin

18
tests/setup_tc.sh Executable file
View file

@ -0,0 +1,18 @@
#!/bin/bash
DEV=lo
PORT=8388
DELAY=100ms
type tc 2> /dev/null && (
tc qdisc add dev $DEV root handle 1: htb
tc class add dev $DEV parent 1: classid 1:1 htb rate 2mbps
tc class add dev $DEV parent 1:1 classid 1:6 htb rate 2mbps ceil 1mbps prio 0
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 6 fw flowid 1:6
tc filter add dev $DEV parent 1:0 protocol ip u32 match ip dport $PORT 0xffff flowid 1:6
tc filter add dev $DEV parent 1:0 protocol ip u32 match ip sport $PORT 0xffff flowid 1:6
tc qdisc show dev lo
)

56
tests/test.py
View file

@ -1,25 +1,19 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright (c) 2014 clowwindy
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Copyright 2015 clowwindy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in # Licensed under the Apache License, Version 2.0 (the "License"); you may
# all copies or substantial portions of the Software. # not use this file except in compliance with the License. You may obtain
# a copy of the License at
# #
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # http://www.apache.org/licenses/LICENSE-2.0
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # Unless required by applicable law or agreed to in writing, software
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # License for the specific language governing permissions and limitations
# SOFTWARE. # under the License.
from __future__ import absolute_import, division, print_function, \ from __future__ import absolute_import, division, print_function, \
with_statement with_statement
@ -34,12 +28,18 @@ from subprocess import Popen, PIPE
python = ['python'] python = ['python']
default_url = 'http://localhost/'
parser = argparse.ArgumentParser(description='test Shadowsocks') parser = argparse.ArgumentParser(description='test Shadowsocks')
parser.add_argument('-c', '--client-conf', type=str, default=None) parser.add_argument('-c', '--client-conf', type=str, default=None)
parser.add_argument('-s', '--server-conf', type=str, default=None) parser.add_argument('-s', '--server-conf', type=str, default=None)
parser.add_argument('-a', '--client-args', type=str, default=None) parser.add_argument('-a', '--client-args', type=str, default=None)
parser.add_argument('-b', '--server-args', type=str, default=None) parser.add_argument('-b', '--server-args', type=str, default=None)
parser.add_argument('--with-coverage', action='store_true', default=None) parser.add_argument('--with-coverage', action='store_true', default=None)
parser.add_argument('--should-fail', action='store_true', default=None)
parser.add_argument('--tcp-only', action='store_true', default=None)
parser.add_argument('--url', type=str, default=default_url)
parser.add_argument('--dns', type=str, default='8.8.8.8')
config = parser.parse_args() config = parser.parse_args()
@ -61,6 +61,8 @@ if config.client_args:
server_args.extend(config.server_args.split()) server_args.extend(config.server_args.split())
else: else:
server_args.extend(config.client_args.split()) server_args.extend(config.client_args.split())
if config.url == default_url:
server_args.extend(['--forbidden-ip', ''])
p1 = Popen(server_args, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True) p1 = Popen(server_args, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True)
p2 = Popen(client_args, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True) p2 = Popen(client_args, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True)
@ -94,7 +96,7 @@ try:
stage = 5 stage = 5
if bytes != str: if bytes != str:
line = str(line, 'utf8') line = str(line, 'utf8')
sys.stdout.write(line) sys.stderr.write(line)
if line.find('starting local') >= 0: if line.find('starting local') >= 0:
local_ready = True local_ready = True
if line.find('starting server') >= 0: if line.find('starting server') >= 0:
@ -103,7 +105,7 @@ try:
if stage == 1: if stage == 1:
time.sleep(2) time.sleep(2)
p3 = Popen(['curl', 'http://www.example.com/', '-v', '-L', p3 = Popen(['curl', config.url, '-v', '-L',
'--socks5-hostname', '127.0.0.1:1081', '--socks5-hostname', '127.0.0.1:1081',
'-m', '15', '--connect-timeout', '10'], '-m', '15', '--connect-timeout', '10'],
stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True) stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True)
@ -118,9 +120,16 @@ try:
fdset.remove(p3.stdout) fdset.remove(p3.stdout)
fdset.remove(p3.stderr) fdset.remove(p3.stderr)
r = p3.wait() r = p3.wait()
if config.should_fail:
if r == 0:
sys.exit(1)
else:
if r != 0: if r != 0:
sys.exit(1) sys.exit(1)
p4 = Popen(['socksify', 'dig', '@8.8.8.8', 'www.google.com'], if config.tcp_only:
break
p4 = Popen(['socksify', 'dig', '@%s' % config.dns,
'www.google.com'],
stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True) stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True)
if p4 is not None: if p4 is not None:
fdset.append(p4.stdout) fdset.append(p4.stdout)
@ -131,6 +140,11 @@ try:
if stage == 5: if stage == 5:
r = p4.wait() r = p4.wait()
if config.should_fail:
if r == 0:
sys.exit(1)
print('test passed (expecting failure)')
else:
if r != 0: if r != 0:
sys.exit(1) sys.exit(1)
print('test passed') print('test passed')
@ -138,7 +152,7 @@ try:
finally: finally:
for p in [p1, p2]: for p in [p1, p2]:
try: try:
os.kill(p.pid, signal.SIGQUIT) os.kill(p.pid, signal.SIGINT)
os.waitpid(p.pid, 0) os.waitpid(p.pid, 0)
except OSError: except OSError:
pass pass

45
tests/test_command.sh Executable file
View file

@ -0,0 +1,45 @@
#!/bin/bash
. tests/assert.sh
PYTHON="coverage run -a -p"
LOCAL="$PYTHON shadowsocks/local.py"
SERVER="$PYTHON shadowsocks/server.py"
assert "$LOCAL --version 2>&1 | grep Shadowsocks | awk -F\" \" '{print \$1}'" "Shadowsocks"
assert "$SERVER --version 2>&1 | grep Shadowsocks | awk -F\" \" '{print \$1}'" "Shadowsocks"
assert "$LOCAL 2>&1 | grep ERROR" "ERROR: config not specified"
assert "$LOCAL 2>&1 | grep usage | cut -d: -f1" "usage"
assert "$SERVER 2>&1 | grep ERROR" "ERROR: config not specified"
assert "$SERVER 2>&1 | grep usage | cut -d: -f1" "usage"
assert "$LOCAL 2>&1 -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d start | grep WARNING | awk -F\"WARNING\" '{print \$2}'" " warning: server set to listen on 127.0.0.1:8388, are you sure?"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$LOCAL 2>&1 -m rc4-md5 -k testrc4 -s 0.0.0.0 -p 8388 -t10 -d start | grep WARNING | awk -F\"WARNING\" '{print \$2}'" " warning: your timeout 10 seems too short"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$LOCAL 2>&1 -m rc4-md5 -k testrc4 -s 0.0.0.0 -p 8388 -t1000 -d start | grep WARNING | awk -F\"WARNING\" '{print \$2}'" " warning: your timeout 1000 seems too long"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$LOCAL 2>&1 -m rc4 -k testrc4 -s 0.0.0.0 -p 8388 -d start | grep WARNING | awk -F\"WARNING\" '{print \$2}'" " warning: RC4 is not safe; please use a safer cipher, like AES-256-CFB"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$LOCAL 2>&1 -m rc4-md5 -k mypassword -s 0.0.0.0 -p 8388 -d start | grep ERROR | awk -F\"ERROR\" '{print \$2}'" " DON'T USE DEFAULT PASSWORD! Please change it in your config.json!"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$LOCAL 2>&1 -m rc4-md5 -p 8388 -k testrc4 -d start | grep ERROR | awk -F\"ERROR\" '{print \$2}'" ": server addr not specified"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$LOCAL 2>&1 -m rc4-md5 -p 8388 -s 0.0.0.0 -d start | grep ERROR | awk -F\"ERROR\" '{print \$2}'" " password not specified"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$SERVER 2>&1 -m rc4-md5 -p 8388 -s 0.0.0.0 -d start | grep ERROR | awk -F\"ERROR\" '{print \$2}'" " password or port_password not specified"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert "$SERVER 2>&1 --forbidden-ip 127.0.0.1/4a -m rc4-md5 -k 12345 -p 8388 -s 0.0.0.0 -d start | grep ERROR | awk -F\"ERROR\" '{print \$2}'" ": Not a valid CIDR notation: 127.0.0.1/4a"
$LOCAL 2>/dev/null 1>/dev/null -m rc4-md5 -k testrc4 -s 127.0.0.1 -p 8388 -d stop
assert_end command

43
tests/test_daemon.sh Executable file
View file

@ -0,0 +1,43 @@
#!/bin/bash
function run_test {
expected=$1
shift
echo "running test: $command $@"
$command $@
status=$?
if [ $status -ne $expected ]; then
echo "exit $status != $expected"
exit 1
fi
echo "exit status $status == $expected"
echo OK
return
}
for module in local server
do
command="coverage run -p -a shadowsocks/$module.py"
mkdir -p tmp
run_test 0 -c tests/aes.json -d stop --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d start --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d stop --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d start --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 1 -c tests/aes.json -d start --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d stop --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d start --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d restart --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d stop --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d restart --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 0 -c tests/aes.json -d stop --pid-file tmp/shadowsocks.pid --log-file tmp/shadowsocks.log
run_test 1 -c tests/aes.json -d start --pid-file tmp/not_exist/shadowsocks.pid --log-file tmp/shadowsocks.log
done

24
tests/test_large_file.sh Executable file
View file

@ -0,0 +1,24 @@
#!/bin/bash
PYTHON="coverage run -p -a"
URL=http://127.0.0.1/file
mkdir -p tmp
$PYTHON shadowsocks/local.py -c tests/aes.json &
LOCAL=$!
$PYTHON shadowsocks/server.py -c tests/aes.json --forbidden-ip "" &
SERVER=$!
sleep 3
time curl -o tmp/expected $URL
time curl -o tmp/result --socks5-hostname 127.0.0.1:1081 $URL
kill -s SIGINT $LOCAL
kill -s SIGINT $SERVER
sleep 2
diff tmp/expected tmp/result || exit 1

9
utils/README.md Normal file
View file

@ -0,0 +1,9 @@
Useful Tools
===========
autoban.py
----------
Automatically ban IPs that try to brute force crack the server.
See https://github.com/shadowsocks/shadowsocks/wiki/Ban-Brute-Force-Crackers

53
utils/autoban.py Executable file
View file

@ -0,0 +1,53 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2015 clowwindy
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
from __future__ import absolute_import, division, print_function, \
with_statement
import os
import sys
import argparse
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='See README')
parser.add_argument('-c', '--count', default=3, type=int,
help='with how many failure times it should be '
'considered as an attack')
config = parser.parse_args()
ips = {}
banned = set()
for line in sys.stdin:
if 'can not parse header when' in line:
ip = line.split()[-1].split(':')[0]
if ip not in ips:
ips[ip] = 1
print(ip)
sys.stdout.flush()
else:
ips[ip] += 1
if ip not in banned and ips[ip] >= config.count:
banned.add(ip)
cmd = 'iptables -A INPUT -s %s -j DROP' % ip
print(cmd, file=sys.stderr)
sys.stderr.flush()
os.system(cmd)