Browse Source

refactor table into a single cipher plugin

auth
clowwindy 10 years ago
parent
commit
cbf8c6705b
  1. 1
      .travis.yml
  2. 2
      shadowsocks/crypto/rc4_md5.py
  3. 178
      shadowsocks/crypto/table.py
  4. 146
      shadowsocks/encrypt.py
  5. 2
      shadowsocks/local.py
  6. 2
      shadowsocks/server.py
  7. 10
      shadowsocks/utils.py

1
.travis.yml

@ -24,6 +24,7 @@ script:
- python tests/test.py -c tests/aes-cfb8.json - python tests/test.py -c tests/aes-cfb8.json
- python tests/test.py -c tests/rc4-md5.json - python tests/test.py -c tests/rc4-md5.json
- python tests/test.py -c tests/salsa20.json - python tests/test.py -c tests/salsa20.json
- python tests/test.py -c tests/table.json
- python tests/test.py -c tests/server-multi-ports.json - python tests/test.py -c tests/server-multi-ports.json
- python tests/test.py -c tests/server-multi-passwd.json tests/server-multi-passwd-client-side.json - python tests/test.py -c tests/server-multi-passwd.json tests/server-multi-passwd-client-side.json
- python tests/test.py -c tests/workers.json - python tests/test.py -c tests/workers.json

2
shadowsocks/crypto/rc4_md5.py

@ -55,7 +55,7 @@ def test():
from shadowsocks.crypto import util from shadowsocks.crypto import util
cipher = create_cipher(b'rc4-md5', b'k' * 32, b'i' * 16, 1) cipher = create_cipher(b'rc4-md5', b'k' * 32, b'i' * 16, 1)
decipher = create_cipher(b'rc4-md5', b'k' * 32, b'i' * 16, 1) decipher = create_cipher(b'rc4-md5', b'k' * 32, b'i' * 16, 0)
util.run_cipher(cipher, decipher) util.run_cipher(cipher, decipher)

178
shadowsocks/crypto/table.py

@ -0,0 +1,178 @@
# !/usr/bin/env python
# Copyright (c) 2014 clowwindy
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
from __future__ import absolute_import, division, print_function, \
with_statement
import string
import struct
import hashlib
__all__ = ['ciphers']
cached_tables = {}
if hasattr(string, 'maketrans'):
maketrans = string.maketrans
translate = string.translate
else:
maketrans = bytes.maketrans
translate = bytes.translate
def get_table(key):
m = hashlib.md5()
m.update(key)
s = m.digest()
a, b = struct.unpack('<QQ', s)
table = maketrans(b'', b'')
table = [table[i: i + 1] for i in range(len(table))]
for i in range(1, 1024):
table.sort(key=lambda x: int(a % (ord(x) + i)))
return table
def init_table(key):
if key not in cached_tables:
encrypt_table = b''.join(get_table(key))
decrypt_table = maketrans(encrypt_table, maketrans(b'', b''))
cached_tables[key] = [encrypt_table, decrypt_table]
return cached_tables[key]
class TableCipher(object):
def __init__(self, cipher_name, key, iv, op):
self._encrypt_table, self._decrypt_table = init_table(key)
self._op = op
def update(self, data):
if self._op:
return translate(data, self._encrypt_table)
else:
return translate(data, self._decrypt_table)
ciphers = {
b'table': (0, 0, TableCipher)
}
def test_table_result():
target1 = [
[60, 53, 84, 138, 217, 94, 88, 23, 39, 242, 219, 35, 12, 157, 165, 181,
255, 143, 83, 247, 162, 16, 31, 209, 190, 171, 115, 65, 38, 41, 21,
245, 236, 46, 121, 62, 166, 233, 44, 154, 153, 145, 230, 49, 128, 216,
173, 29, 241, 119, 64, 229, 194, 103, 131, 110, 26, 197, 218, 59, 204,
56, 27, 34, 141, 221, 149, 239, 192, 195, 24, 155, 170, 183, 11, 254,
213, 37, 137, 226, 75, 203, 55, 19, 72, 248, 22, 129, 33, 175, 178,
10, 198, 71, 77, 36, 113, 167, 48, 2, 117, 140, 142, 66, 199, 232,
243, 32, 123, 54, 51, 82, 57, 177, 87, 251, 150, 196, 133, 5, 253,
130, 8, 184, 14, 152, 231, 3, 186, 159, 76, 89, 228, 205, 156, 96,
163, 146, 18, 91, 132, 85, 80, 109, 172, 176, 105, 13, 50, 235, 127,
0, 189, 95, 98, 136, 250, 200, 108, 179, 211, 214, 106, 168, 78, 79,
74, 210, 30, 73, 201, 151, 208, 114, 101, 174, 92, 52, 120, 240, 15,
169, 220, 182, 81, 224, 43, 185, 40, 99, 180, 17, 212, 158, 42, 90, 9,
191, 45, 6, 25, 4, 222, 67, 126, 1, 116, 124, 206, 69, 61, 7, 68, 97,
202, 63, 244, 20, 28, 58, 93, 134, 104, 144, 227, 147, 102, 118, 135,
148, 47, 238, 86, 112, 122, 70, 107, 215, 100, 139, 223, 225, 164,
237, 111, 125, 207, 160, 187, 246, 234, 161, 188, 193, 249, 252],
[151, 205, 99, 127, 201, 119, 199, 211, 122, 196, 91, 74, 12, 147, 124,
180, 21, 191, 138, 83, 217, 30, 86, 7, 70, 200, 56, 62, 218, 47, 168,
22, 107, 88, 63, 11, 95, 77, 28, 8, 188, 29, 194, 186, 38, 198, 33,
230, 98, 43, 148, 110, 177, 1, 109, 82, 61, 112, 219, 59, 0, 210, 35,
215, 50, 27, 103, 203, 212, 209, 235, 93, 84, 169, 166, 80, 130, 94,
164, 165, 142, 184, 111, 18, 2, 141, 232, 114, 6, 131, 195, 139, 176,
220, 5, 153, 135, 213, 154, 189, 238, 174, 226, 53, 222, 146, 162,
236, 158, 143, 55, 244, 233, 96, 173, 26, 206, 100, 227, 49, 178, 34,
234, 108, 207, 245, 204, 150, 44, 87, 121, 54, 140, 118, 221, 228,
155, 78, 3, 239, 101, 64, 102, 17, 223, 41, 137, 225, 229, 66, 116,
171, 125, 40, 39, 71, 134, 13, 193, 129, 247, 251, 20, 136, 242, 14,
36, 97, 163, 181, 72, 25, 144, 46, 175, 89, 145, 113, 90, 159, 190,
15, 183, 73, 123, 187, 128, 248, 252, 152, 24, 197, 68, 253, 52, 69,
117, 57, 92, 104, 157, 170, 214, 81, 60, 133, 208, 246, 172, 23, 167,
160, 192, 76, 161, 237, 45, 4, 58, 10, 182, 65, 202, 240, 185, 241,
79, 224, 132, 51, 42, 126, 105, 37, 250, 149, 32, 243, 231, 67, 179,
48, 9, 106, 216, 31, 249, 19, 85, 254, 156, 115, 255, 120, 75, 16]]
target2 = [
[124, 30, 170, 247, 27, 127, 224, 59, 13, 22, 196, 76, 72, 154, 32,
209, 4, 2, 131, 62, 101, 51, 230, 9, 166, 11, 99, 80, 208, 112, 36,
248, 81, 102, 130, 88, 218, 38, 168, 15, 241, 228, 167, 117, 158, 41,
10, 180, 194, 50, 204, 243, 246, 251, 29, 198, 219, 210, 195, 21, 54,
91, 203, 221, 70, 57, 183, 17, 147, 49, 133, 65, 77, 55, 202, 122,
162, 169, 188, 200, 190, 125, 63, 244, 96, 31, 107, 106, 74, 143, 116,
148, 78, 46, 1, 137, 150, 110, 181, 56, 95, 139, 58, 3, 231, 66, 165,
142, 242, 43, 192, 157, 89, 175, 109, 220, 128, 0, 178, 42, 255, 20,
214, 185, 83, 160, 253, 7, 23, 92, 111, 153, 26, 226, 33, 176, 144,
18, 216, 212, 28, 151, 71, 206, 222, 182, 8, 174, 205, 201, 152, 240,
155, 108, 223, 104, 239, 98, 164, 211, 184, 34, 193, 14, 114, 187, 40,
254, 12, 67, 93, 217, 6, 94, 16, 19, 82, 86, 245, 24, 197, 134, 132,
138, 229, 121, 5, 235, 238, 85, 47, 103, 113, 179, 69, 250, 45, 135,
156, 25, 61, 75, 44, 146, 189, 84, 207, 172, 119, 53, 123, 186, 120,
171, 68, 227, 145, 136, 100, 90, 48, 79, 159, 149, 39, 213, 236, 126,
52, 60, 225, 199, 105, 73, 233, 252, 118, 215, 35, 115, 64, 37, 97,
129, 161, 177, 87, 237, 141, 173, 191, 163, 140, 234, 232, 249],
[117, 94, 17, 103, 16, 186, 172, 127, 146, 23, 46, 25, 168, 8, 163, 39,
174, 67, 137, 175, 121, 59, 9, 128, 179, 199, 132, 4, 140, 54, 1, 85,
14, 134, 161, 238, 30, 241, 37, 224, 166, 45, 119, 109, 202, 196, 93,
190, 220, 69, 49, 21, 228, 209, 60, 73, 99, 65, 102, 7, 229, 200, 19,
82, 240, 71, 105, 169, 214, 194, 64, 142, 12, 233, 88, 201, 11, 72,
92, 221, 27, 32, 176, 124, 205, 189, 177, 246, 35, 112, 219, 61, 129,
170, 173, 100, 84, 242, 157, 26, 218, 20, 33, 191, 155, 232, 87, 86,
153, 114, 97, 130, 29, 192, 164, 239, 90, 43, 236, 208, 212, 185, 75,
210, 0, 81, 227, 5, 116, 243, 34, 18, 182, 70, 181, 197, 217, 95, 183,
101, 252, 248, 107, 89, 136, 216, 203, 68, 91, 223, 96, 141, 150, 131,
13, 152, 198, 111, 44, 222, 125, 244, 76, 251, 158, 106, 24, 42, 38,
77, 2, 213, 207, 249, 147, 113, 135, 245, 118, 193, 47, 98, 145, 66,
160, 123, 211, 165, 78, 204, 80, 250, 110, 162, 48, 58, 10, 180, 55,
231, 79, 149, 74, 62, 50, 148, 143, 206, 28, 15, 57, 159, 139, 225,
122, 237, 138, 171, 36, 56, 115, 63, 144, 154, 6, 230, 133, 215, 41,
184, 22, 104, 254, 234, 253, 187, 226, 247, 188, 156, 151, 40, 108,
51, 83, 178, 52, 3, 31, 255, 195, 53, 235, 126, 167, 120]]
encrypt_table = ''.join(get_table('foobar!'))
decrypt_table = string.maketrans(encrypt_table, string.maketrans('', ''))
for i in range(0, 256):
assert (target1[0][i] == ord(encrypt_table[i]))
assert (target1[1][i] == ord(decrypt_table[i]))
encrypt_table = ''.join(get_table('barfoo!'))
decrypt_table = string.maketrans(encrypt_table, string.maketrans('', ''))
for i in range(0, 256):
assert (target2[0][i] == ord(encrypt_table[i]))
assert (target2[1][i] == ord(decrypt_table[i]))
def test_encryption():
from shadowsocks.crypto import util
cipher = TableCipher(b'table', b'test', b'', 1)
decipher = TableCipher(b'rc4-md5', b'test', b'', 0)
util.run_cipher(cipher, decipher)
if __name__ == '__main__':
test_encryption()

146
shadowsocks/encrypt.py

@ -26,11 +26,9 @@ from __future__ import absolute_import, division, print_function, \
import os import os
import sys import sys
import hashlib import hashlib
import string
import struct
import logging import logging
from shadowsocks.crypto import m2, rc4_md5, salsa20_ctr, ctypes_openssl from shadowsocks.crypto import m2, rc4_md5, salsa20_ctr, ctypes_openssl, table
method_supported = {} method_supported = {}
@ -39,13 +37,7 @@ method_supported.update(salsa20_ctr.ciphers)
method_supported.update(ctypes_openssl.ciphers) method_supported.update(ctypes_openssl.ciphers)
# let M2Crypto override ctypes_openssl # let M2Crypto override ctypes_openssl
method_supported.update(m2.ciphers) method_supported.update(m2.ciphers)
method_supported.update(table.ciphers)
if hasattr(string, 'maketrans'):
maketrans = string.maketrans
translate = string.translate
else:
maketrans = bytes.maketrans
translate = bytes.translate
def random_string(length): def random_string(length):
@ -56,33 +48,11 @@ def random_string(length):
return os.urandom(length) return os.urandom(length)
cached_tables = {}
cached_keys = {} cached_keys = {}
def get_table(key): def test_cipher(key, method=None):
m = hashlib.md5() Encryptor(key, method)
m.update(key)
s = m.digest()
(a, b) = struct.unpack('<QQ', s)
table = maketrans(b'', b'')
table = [table[i: i + 1] for i in range(len(table))]
for i in range(1, 1024):
table.sort(key=lambda x: int(a % (ord(x) + i)))
return table
def init_table(key, method=None):
if method is not None and method == 'table':
method = None
if not method:
if key not in cached_tables:
encrypt_table = b''.join(get_table(key))
decrypt_table = maketrans(encrypt_table, maketrans(b'', b''))
cached_tables[key] = [encrypt_table, decrypt_table]
return cached_tables[key]
else:
Encryptor(key, method) # test if the settings if OK
def EVP_BytesToKey(password, key_len, iv_len): def EVP_BytesToKey(password, key_len, iv_len):
@ -111,96 +81,80 @@ def EVP_BytesToKey(password, key_len, iv_len):
class Encryptor(object): class Encryptor(object):
def __init__(self, key, method=None): def __init__(self, key, method):
if method == b'table':
method = None
self.key = key self.key = key
self.method = method self.method = method
self.iv = None self.iv = None
self.iv_sent = False self.iv_sent = False
self.cipher_iv = b'' self.cipher_iv = b''
self.decipher = None self.decipher = None
if method: method = method.lower()
self.cipher = self.get_cipher(key, method, 1, iv=random_string(32)) self._method_info = self.get_method_info(method)
if self._method_info:
self.cipher = self.get_cipher(key, method, 1,
random_string(self._method_info[1]))
else: else:
self.encrypt_table, self.decrypt_table = init_table(key) logging.error('method %s not supported' % method)
self.cipher = None sys.exit(1)
def get_cipher_param(self, method): def get_method_info(self, method):
method = method.lower() method = method.lower()
m = method_supported.get(method, None) m = method_supported.get(method)
return m return m
def iv_len(self): def iv_len(self):
return len(self.cipher_iv) return len(self.cipher_iv)
def get_cipher(self, password, method, op, iv=None): def get_cipher(self, password, method, op, iv):
if hasattr(password, 'encode'): if hasattr(password, 'encode'):
password = password.encode('utf-8') password = password.encode('utf-8')
method = method.lower() m = self._method_info
m = self.get_cipher_param(method) if m[0] > 0:
if m:
key, iv_ = EVP_BytesToKey(password, m[0], m[1]) key, iv_ = EVP_BytesToKey(password, m[0], m[1])
if iv is None: else:
iv = iv_ # key_length == 0 indicates we should use the key directly
iv = iv[:m[1]] key, iv = password, b''
if op == 1:
# this iv is for cipher not decipher
self.cipher_iv = iv[:m[1]]
return m[2](method, key, iv, op)
logging.error('method %s not supported' % method) iv = iv[:m[1]]
sys.exit(1) if op == 1:
# this iv is for cipher not decipher
self.cipher_iv = iv[:m[1]]
return m[2](method, key, iv, op)
def encrypt(self, buf): def encrypt(self, buf):
if len(buf) == 0: if len(buf) == 0:
return buf return buf
if not self.method: if self.iv_sent:
return translate(buf, self.encrypt_table) return self.cipher.update(buf)
else: else:
if self.iv_sent: self.iv_sent = True
return self.cipher.update(buf) return self.cipher_iv + self.cipher.update(buf)
else:
self.iv_sent = True
return self.cipher_iv + self.cipher.update(buf)
def decrypt(self, buf): def decrypt(self, buf):
if len(buf) == 0: if len(buf) == 0:
return buf return buf
if not self.method: if self.decipher is None:
return translate(buf, self.decrypt_table) decipher_iv_len = self._method_info[1]
else: decipher_iv = buf[:decipher_iv_len]
if self.decipher is None: self.decipher = self.get_cipher(self.key, self.method, 0,
decipher_iv_len = self.get_cipher_param(self.method)[1] iv=decipher_iv)
decipher_iv = buf[:decipher_iv_len] buf = buf[decipher_iv_len:]
self.decipher = self.get_cipher(self.key, self.method, 0, if len(buf) == 0:
iv=decipher_iv) return buf
buf = buf[decipher_iv_len:] return self.decipher.update(buf)
if len(buf) == 0:
return buf
return self.decipher.update(buf)
def encrypt_all(password, method, op, data): def encrypt_all(password, method, op, data):
if method is not None and method.lower() == b'table': result = []
method = None method = method.lower()
if not method: (key_len, iv_len, m) = method_supported[method]
[encrypt_table, decrypt_table] = init_table(password) (key, _) = EVP_BytesToKey(password, key_len, iv_len)
if op: if op:
return translate(data, encrypt_table) iv = random_string(iv_len)
else: result.append(iv)
return translate(data, decrypt_table)
else: else:
result = [] iv = data[:iv_len]
method = method.lower() data = data[iv_len:]
(key_len, iv_len, m) = method_supported[method] cipher = m(method, key, iv, op)
(key, _) = EVP_BytesToKey(password, key_len, iv_len) result.append(cipher.update(data))
if op: return b''.join(result)
iv = random_string(iv_len)
result.append(iv)
else:
iv = data[:iv_len]
data = data[iv_len:]
cipher = m(method, key, iv, op)
result.append(cipher.update(data))
return b''.join(result)

2
shadowsocks/local.py

@ -46,7 +46,7 @@ def main():
utils.print_shadowsocks() utils.print_shadowsocks()
encrypt.init_table(config['password'], config['method']) encrypt.test_cipher(config['password'], config['method'])
try: try:
logging.info("starting local at %s:%d" % logging.info("starting local at %s:%d" %

2
shadowsocks/server.py

@ -54,7 +54,7 @@ def main():
else: else:
config['port_password'][str(server_port)] = config['password'] config['port_password'][str(server_port)] = config['password']
encrypt.init_table(config['password'], config['method']) encrypt.test_cipher(config['password'], config['method'])
tcp_servers = [] tcp_servers = []
udp_servers = [] udp_servers = []
dns_resolver = asyncdns.DNSResolver() dns_resolver = asyncdns.DNSResolver()

10
shadowsocks/utils.py

@ -68,15 +68,15 @@ def find_config():
def check_config(config): def check_config(config):
if config.get('local_address', '') in ['0.0.0.0']: if config.get('local_address', '') in [b'0.0.0.0']:
logging.warn('warning: local set to listen 0.0.0.0, which is not safe') logging.warn('warning: local set to listen 0.0.0.0, which is not safe')
if config.get('server', '') in ['127.0.0.1', 'localhost']: if config.get('server', '') in [b'127.0.0.1', b'localhost']:
logging.warn('warning: server set to listen %s:%s, are you sure?' % logging.warn('warning: server set to listen %s:%s, are you sure?' %
(config['server'], config['server_port'])) (config['server'], config['server_port']))
if (config.get('method', '') or '').lower() == '': if (config.get('method', '') or '').lower() == b'table':
logging.warn('warning: table is not safe; please use a safer cipher, ' logging.warn('warning: table is not safe; please use a safer cipher, '
'like AES-256-CFB') 'like AES-256-CFB')
if (config.get('method', '') or '').lower() == 'rc4': if (config.get('method', '') or '').lower() == b'rc4':
logging.warn('warning: RC4 is not safe; please use a safer cipher, ' logging.warn('warning: RC4 is not safe; please use a safer cipher, '
'like AES-256-CFB') 'like AES-256-CFB')
if config.get('timeout', 300) < 100: if config.get('timeout', 300) < 100:
@ -85,7 +85,7 @@ def check_config(config):
if config.get('timeout', 300) > 600: if config.get('timeout', 300) > 600:
logging.warn('warning: your timeout %d seems too long' % logging.warn('warning: your timeout %d seems too long' %
int(config.get('timeout'))) int(config.get('timeout')))
if config.get('password') in ['mypassword']: if config.get('password') in [b'mypassword']:
logging.error('DON\'T USE DEFAULT PASSWORD! Please change it in your ' logging.error('DON\'T USE DEFAULT PASSWORD! Please change it in your '
'config.json!') 'config.json!')
exit(1) exit(1)

Loading…
Cancel
Save