From a407bcc5684d3c5475d1b39c226bed8c326eb3a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=A0=B4=E5=A8=83=E9=85=B1?= Date: Thu, 22 Sep 2016 15:07:01 +0800 Subject: [PATCH] add auth_aes128 --- config.json | 2 +- mujson_mgr.py | 25 +-- shadowsocks/crypto/openssl.py | 3 + shadowsocks/encrypt.py | 7 +- shadowsocks/obfsplugin/auth.py | 260 ++++++++++++++++++++++++++++++- shadowsocks/obfsplugin/verify.py | 5 +- shadowsocks/tcprelay.py | 12 +- 7 files changed, 291 insertions(+), 23 deletions(-) diff --git a/config.json b/config.json index 0a72c70..f30ce55 100644 --- a/config.json +++ b/config.json @@ -8,7 +8,7 @@ "timeout": 120, "udp_timeout": 60, "method": "aes-256-cfb", - "protocol": "auth_sha1_compatible", + "protocol": "auth_sha1_v2_compatible", "protocol_param": "", "obfs": "http_simple_compatible", "obfs_param": "", diff --git a/mujson_mgr.py b/mujson_mgr.py index e106a9a..df990a9 100644 --- a/mujson_mgr.py +++ b/mujson_mgr.py @@ -204,19 +204,20 @@ def main(): action = None user = {} fast_set_obfs = {'0': 'plain', - '1': 'http_simple_compatible', - '-1': 'http_simple', - '2': 'tls1.2_ticket_auth_compatible', - '-2': 'tls1.2_ticket_auth'} + '+1': 'http_simple_compatible', + '1': 'http_simple', + '+2': 'tls1.2_ticket_auth_compatible', + '2': 'tls1.2_ticket_auth'} fast_set_protocol = {'0': 'origin', - '1': 'verify_sha1_compatible', - '-1': 'verify_sha1', - '2': 'auth_sha1_compatible', - '-2': 'auth_sha1', - '3': 'auth_sha1_v2_compatible', - '-3': 'auth_sha1_v2', - '4': 'auth_sha1_v3_compatible', - '-4': 'auth_sha1_v3'} + '+1': 'verify_sha1_compatible', + '1': 'verify_sha1', + '+2': 'auth_sha1_compatible', + '2': 'auth_sha1', + '+3': 'auth_sha1_v2_compatible', + '3': 'auth_sha1_v2', + '+4': 'auth_sha1_v4_compatible', + '4': 'auth_sha1_v4', + 'a1': 'auth_aes128'} fast_set_method = {'a0': 'aes-128-cfb', 'a1': 'aes-192-cfb', 'a2': 'aes-256-cfb', diff --git a/shadowsocks/crypto/openssl.py b/shadowsocks/crypto/openssl.py index 7a4df2b..630baef 100644 --- a/shadowsocks/crypto/openssl.py +++ b/shadowsocks/crypto/openssl.py @@ -125,6 +125,9 @@ class OpenSSLCrypto(object): ciphers = { + 'aes-128-cbc': (16, 16, OpenSSLCrypto), + 'aes-192-cbc': (24, 16, OpenSSLCrypto), + 'aes-256-cbc': (32, 16, OpenSSLCrypto), 'aes-128-cfb': (16, 16, OpenSSLCrypto), 'aes-192-cfb': (24, 16, OpenSSLCrypto), 'aes-256-cfb': (32, 16, OpenSSLCrypto), diff --git a/shadowsocks/encrypt.py b/shadowsocks/encrypt.py index e8f51b7..44f9052 100644 --- a/shadowsocks/encrypt.py +++ b/shadowsocks/encrypt.py @@ -73,7 +73,7 @@ def EVP_BytesToKey(password, key_len, iv_len): class Encryptor(object): - def __init__(self, key, method): + def __init__(self, key, method, iv = None): self.key = key self.method = method self.iv = None @@ -85,8 +85,11 @@ class Encryptor(object): method = method.lower() self._method_info = self.get_method_info(method) if self._method_info: - self.cipher = self.get_cipher(key, method, 1, + if iv is None or len(iv) != self._method_info[1]: + self.cipher = self.get_cipher(key, method, 1, random_string(self._method_info[1])) + else: + self.cipher = self.get_cipher(key, method, 1, iv) else: logging.error('method %s not supported' % method) sys.exit(1) diff --git a/shadowsocks/obfsplugin/auth.py b/shadowsocks/obfsplugin/auth.py index 10aff0b..bc71959 100644 --- a/shadowsocks/obfsplugin/auth.py +++ b/shadowsocks/obfsplugin/auth.py @@ -32,7 +32,7 @@ import hmac import hashlib import shadowsocks -from shadowsocks import common, lru_cache +from shadowsocks import common, lru_cache, encrypt from shadowsocks.obfsplugin import plain from shadowsocks.common import to_bytes, to_str, ord, chr @@ -48,6 +48,9 @@ def create_auth_sha1_v3(method): def create_auth_sha1_v4(method): return auth_sha1_v4(method) +def create_auth_aes128(method): + return auth_aes128(method) + obfs_map = { 'auth_sha1': (create_auth_sha1,), 'auth_sha1_compatible': (create_auth_sha1,), @@ -57,6 +60,7 @@ obfs_map = { 'auth_sha1_v3_compatible': (create_auth_sha1_v3,), 'auth_sha1_v4': (create_auth_sha1_v4,), 'auth_sha1_v4_compatible': (create_auth_sha1_v4,), + 'auth_aes128': (create_auth_aes128,), } def match_begin(str1, str2): @@ -1048,3 +1052,257 @@ class auth_sha1_v4(verify_base): self.decrypt_packet_num += 1 return (out_buf, sendback) +class auth_aes128(verify_base): + def __init__(self, method): + super(auth_aes128, self).__init__(method) + self.recv_buf = b'' + self.unit_len = 8100 + self.raw_trans = False + self.has_sent_header = False + self.has_recv_header = False + self.client_id = 0 + self.connection_id = 0 + self.max_time_dif = 60 * 60 * 24 # time dif (second) setting + self.salt = b"auth_aes128" + self.no_compatible_method = 'auth_aes128' + self.extra_wait_size = struct.unpack('>H', os.urandom(2))[0] % 1024 + self.pack_id = 0 + self.recv_id = 0 + + def init_data(self): + return obfs_auth_v2_data() + + def set_server_info(self, server_info): + self.server_info = server_info + try: + max_client = int(server_info.protocol_param) + except: + max_client = 64 + self.server_info.data.set_max_client(max_client) + + def rnd_data(self, buf_size): + if buf_size > 1200: + return b'\x01' + + if self.pack_id > 4: + rnd_data = os.urandom(common.ord(os.urandom(1)[0]) % 32) + elif buf_size > 400: + rnd_data = os.urandom(common.ord(os.urandom(1)[0]) % 128) + else: + rnd_data = os.urandom(struct.unpack('>H', os.urandom(2))[0] % 512) + + if len(rnd_data) < 128: + return common.chr(len(rnd_data) + 1) + rnd_data + else: + return common.chr(255) + struct.pack(' 400: + rnd_len = common.ord(os.urandom(1)[0]) % 512 + else: + rnd_len = struct.unpack(' 0xFF000000: + self.server_info.data.local_client_id = b'' + if not self.server_info.data.local_client_id: + self.server_info.data.local_client_id = os.urandom(4) + logging.debug("local_client_id %s" % (binascii.hexlify(self.server_info.data.local_client_id),)) + self.server_info.data.connection_id = struct.unpack(' self.unit_len: + ret += self.pack_data(buf[:self.unit_len]) + buf = buf[self.unit_len:] + ret += self.pack_data(buf) + return ret + + def client_post_decrypt(self, buf): + if self.raw_trans: + return buf + self.recv_buf += buf + out_buf = b'' + while len(self.recv_buf) > 4: + crc = struct.pack('= 8192 or length < 7: + self.raw_trans = True + self.recv_buf = b'' + raise Exception('client_post_decrypt data error') + if length > len(self.recv_buf): + break + + if struct.pack(' self.unit_len: + ret += self.pack_data(buf[:self.unit_len]) + buf = buf[self.unit_len:] + ret += self.pack_data(buf) + return ret + + def server_post_decrypt(self, buf): + if self.raw_trans: + return (buf, False) + self.recv_buf += buf + out_buf = b'' + if not self.has_recv_header: + if len(self.recv_buf) < 30: + return (b'', False) + sha1data = hmac.new(self.server_info.recv_iv + self.server_info.key, self.recv_buf[:20], hashlib.sha1).digest()[:10] + if sha1data != self.recv_buf[20:30]: + logging.error('auth_aes128 data uncorrect auth HMAC-SHA1 from %s:%d, data %s' % (self.server_info.client, self.server_info.client_port, binascii.hexlify(self.recv_buf))) + if len(self.recv_buf) < 30 + self.extra_wait_size: + return (b'', False) + return self.not_match_return(self.recv_buf) + + user_key = self.recv_buf[:4] + encryptor = encrypt.Encryptor(to_bytes(base64.b64encode(user_key + self.server_info.key)) + self.salt, 'aes-128-cbc') + head = encryptor.decrypt(b'\x00' * 16 + self.recv_buf[4:20] + b'\x00') # need an extra byte or recv empty + length = struct.unpack(' self.max_time_dif: + logging.info('auth_aes128: wrong timestamp, time_dif %d, data %s' % (time_dif, binascii.hexlify(head),)) + return self.not_match_return(self.recv_buf) + elif self.server_info.data.insert(client_id, connection_id): + self.has_recv_header = True + out_buf = self.recv_buf[30 + rnd_len:length - 4] + self.client_id = client_id + self.connection_id = connection_id + else: + logging.info('auth_aes128: auth fail, data %s' % (binascii.hexlify(out_buf),)) + return self.not_match_return(self.recv_buf) + self.recv_buf = self.recv_buf[length:] + self.has_recv_header = True + + sendback = False + while len(self.recv_buf) > 4: + crc = struct.pack('= 8192 or length < 7: + self.raw_trans = True + self.recv_buf = b'' + if self.recv_id == 0: + logging.info('auth_aes128: over size') + return (b'E', False) + else: + raise Exception('server_post_decrype data error') + if length > len(self.recv_buf): + break + + if struct.pack('