From 42a05d22d63165fdbb904fab6a3d60f710ad9bfa Mon Sep 17 00:00:00 2001 From: BreakWa11 Date: Wed, 23 Dec 2015 18:13:27 +0800 Subject: [PATCH] support UDP protocol plugin --- shadowsocks/encrypt.py | 34 ++++++++++++++++++++++++++ shadowsocks/obfs.py | 12 ++++++++++ shadowsocks/obfsplugin/plain.py | 12 ++++++++++ shadowsocks/obfsplugin/verify.py | 16 +++++++++++++ shadowsocks/udprelay.py | 41 ++++++++++++++++++++++++++------ 5 files changed, 108 insertions(+), 7 deletions(-) diff --git a/shadowsocks/encrypt.py b/shadowsocks/encrypt.py index 2494395..c3fc069 100644 --- a/shadowsocks/encrypt.py +++ b/shadowsocks/encrypt.py @@ -159,6 +159,40 @@ def encrypt_all(password, method, op, data): result.append(cipher.update(data)) return b''.join(result) +def encrypt_key(password, method): + method = method.lower() + (key_len, iv_len, m) = method_supported[method] + if key_len > 0: + key, _ = EVP_BytesToKey(password, key_len, iv_len) + else: + key = password + return key + +def encrypt_iv_len(method): + method = method.lower() + (key_len, iv_len, m) = method_supported[method] + return iv_len + +def encrypt_new_iv(method): + method = method.lower() + (key_len, iv_len, m) = method_supported[method] + return random_string(iv_len) + +def encrypt_all_iv(key, method, op, data, ref_iv): + result = [] + method = method.lower() + (key_len, iv_len, m) = method_supported[method] + if op: + iv = ref_iv[0] + result.append(iv) + else: + iv = data[:iv_len] + data = data[iv_len:] + ref_iv[0] = iv + cipher = m(method, key, iv, op) + result.append(cipher.update(data)) + return b''.join(result) + CIPHERS_TO_TEST = [ 'aes-128-cfb', diff --git a/shadowsocks/obfs.py b/shadowsocks/obfs.py index 94a14f2..6adb855 100644 --- a/shadowsocks/obfs.py +++ b/shadowsocks/obfs.py @@ -85,6 +85,18 @@ class obfs(object): def server_post_decrypt(self, buf): return self.obfs.server_post_decrypt(buf) + def client_udp_pre_encrypt(self, buf): + return self.obfs.client_udp_pre_encrypt(buf) + + def client_udp_post_decrypt(self, buf): + return self.obfs.client_udp_post_decrypt(buf) + + def server_udp_pre_encrypt(self, buf): + return self.obfs.server_udp_pre_encrypt(buf) + + def server_udp_post_decrypt(self, buf): + return self.obfs.server_udp_post_decrypt(buf) + def dispose(self): self.obfs.dispose() del self.obfs diff --git a/shadowsocks/obfsplugin/plain.py b/shadowsocks/obfsplugin/plain.py index 5bba57c..8bb0000 100644 --- a/shadowsocks/obfsplugin/plain.py +++ b/shadowsocks/obfsplugin/plain.py @@ -69,6 +69,18 @@ class plain(object): def server_post_decrypt(self, buf): return buf + def client_udp_pre_encrypt(self, buf): + return buf + + def client_udp_post_decrypt(self, buf): + return buf + + def server_udp_pre_encrypt(self, buf): + return buf + + def server_udp_post_decrypt(self, buf): + return buf + def dispose(self): pass diff --git a/shadowsocks/obfsplugin/verify.py b/shadowsocks/obfsplugin/verify.py index fada8d9..639ba5c 100644 --- a/shadowsocks/obfsplugin/verify.py +++ b/shadowsocks/obfsplugin/verify.py @@ -342,3 +342,19 @@ class verify_sha1(verify_base): return out_buf + def client_udp_pre_encrypt(self, buf): + ret = self.pack_auth_data(buf) + return chr(ord(buf[0]) | 0x10) + buf[1:] + + def server_udp_post_decrypt(self, buf): + if buf and ((ord(buf[0]) & 0x10) == 0x10): + if len(buf) <= 11: + return b'E' + sha1data = hmac.new(self.server_info.recv_iv + self.server_info.key, buf[:-10], hashlib.sha1).digest()[:10] + if sha1data != buf[-10:]: + logging.error('server_udp_post_decrypt data uncorrect auth HMAC-SHA1') + return b'E' + return to_bytes(chr(ord(buf[0]) & 0xEF)) + buf[1:-10] + else: + return buf + diff --git a/shadowsocks/udprelay.py b/shadowsocks/udprelay.py index 80a30eb..d5cab1b 100644 --- a/shadowsocks/udprelay.py +++ b/shadowsocks/udprelay.py @@ -71,7 +71,7 @@ import random import binascii import traceback -from shadowsocks import encrypt, eventloop, lru_cache, common, shell +from shadowsocks import encrypt, obfs, eventloop, lru_cache, common, shell from shadowsocks.common import pre_parse_header, parse_header, pack_addr # we clear at most TIMEOUTS_CLEAN_SIZE timeouts each time @@ -890,6 +890,20 @@ class UDPRelay(object): self.server_transfer_ul = 0 self.server_transfer_dl = 0 + self.protocol_data = obfs.obfs(config['protocol']).init_data() + self._protocol = obfs.obfs(config['protocol']) + server_info = obfs.server_info(self.protocol_data) + server_info.host = self._listen_addr + server_info.port = self._listen_port + server_info.protocol_param = config['protocol_param'] + server_info.obfs_param = '' + server_info.iv = b'' + server_info.recv_iv = b'' + server_info.key = encrypt.encrypt_key(self._password, self._method) + server_info.head_len = 30 + server_info.tcp_mss = 1440 + self._protocol.set_server_info(server_info) + self._sockets = set() self._fd_to_handlers = {} self._reqid_to_hd = {} @@ -991,11 +1005,14 @@ class UDPRelay(object): else: data = data[3:] else: - data = encrypt.encrypt_all(self._password, self._method, 0, data) + ref_iv = [0] + data = encrypt.encrypt_all_iv(self._protocol.obfs.server_info.key, self._method, 0, data, ref_iv) # decrypt data if not data: logging.debug('UDP handle_server: data is empty after decrypt') return + self._protocol.obfs.server_info.recv_iv = ref_iv[0] + data = self._protocol.server_udp_post_decrypt(data) #logging.info("UDP data %s" % (binascii.hexlify(data),)) if not self._is_local: @@ -1121,7 +1138,11 @@ class UDPRelay(object): r_addr[0], r_addr[1])) if self._is_local: - data = encrypt.encrypt_all(self._password, self._method, 1, data) + ref_iv = [encrypt.encrypt_new_iv(self._method)] + self._protocol.obfs.server_info.iv = ref_iv[0] + data = self._protocol.client_udp_pre_encrypt(data) + logging.info("%s" % (binascii.hexlify(data),)) + data = encrypt.encrypt_all_iv(self._protocol.obfs.server_info.key, self._method, 1, data, ref_iv) if not data: return else: @@ -1151,15 +1172,21 @@ class UDPRelay(object): # drop return data = pack_addr(r_addr[0]) + struct.pack('>H', r_addr[1]) + data - response = encrypt.encrypt_all(self._password, self._method, 1, - data) + ref_iv = [encrypt.encrypt_new_iv(self._method)] + self._protocol.obfs.server_info.iv = ref_iv[0] + data = self._protocol.server_udp_pre_encrypt(data) + response = encrypt.encrypt_all_iv(self._protocol.obfs.server_info.key, self._method, 1, + data, ref_iv) if not response: return else: - data = encrypt.encrypt_all(self._password, self._method, 0, - data) + ref_iv = [0] + data = encrypt.encrypt_all_iv(self._protocol.obfs.server_info.key, self._method, 0, + data, ref_iv) if not data: return + self._protocol.obfs.server_info.recv_iv = ref_iv[0] + data = self._protocol.client_udp_post_decrypt(data) header_result = parse_header(data) if header_result is None: return