From 5ae4df94e440c4f6826a679a62687ad27303d89b Mon Sep 17 00:00:00 2001 From: Max Lv Date: Mon, 21 Sep 2015 09:06:48 +0800 Subject: [PATCH] Update the hash function --- src/encrypt.c | 84 ++++++++++++--------------------------------------- src/encrypt.h | 8 ++--- src/local.c | 12 ++++---- src/local.h | 4 +-- src/redir.c | 10 +++--- src/redir.h | 4 +-- src/server.c | 44 ++++++++++++++------------- src/server.h | 4 +-- src/tunnel.c | 10 +++--- src/tunnel.h | 4 +-- 10 files changed, 71 insertions(+), 113 deletions(-) diff --git a/src/encrypt.c b/src/encrypt.c index eb8b3e54..3f397f2a 100644 --- a/src/encrypt.c +++ b/src/encrypt.c @@ -1478,97 +1478,53 @@ int enc_init(const char *pass, const char *method) return m; } -static const unsigned short crc16tab[256]= { - 0x0000,0x1021,0x2042,0x3063,0x4084,0x50a5,0x60c6,0x70e7, - 0x8108,0x9129,0xa14a,0xb16b,0xc18c,0xd1ad,0xe1ce,0xf1ef, - 0x1231,0x0210,0x3273,0x2252,0x52b5,0x4294,0x72f7,0x62d6, - 0x9339,0x8318,0xb37b,0xa35a,0xd3bd,0xc39c,0xf3ff,0xe3de, - 0x2462,0x3443,0x0420,0x1401,0x64e6,0x74c7,0x44a4,0x5485, - 0xa56a,0xb54b,0x8528,0x9509,0xe5ee,0xf5cf,0xc5ac,0xd58d, - 0x3653,0x2672,0x1611,0x0630,0x76d7,0x66f6,0x5695,0x46b4, - 0xb75b,0xa77a,0x9719,0x8738,0xf7df,0xe7fe,0xd79d,0xc7bc, - 0x48c4,0x58e5,0x6886,0x78a7,0x0840,0x1861,0x2802,0x3823, - 0xc9cc,0xd9ed,0xe98e,0xf9af,0x8948,0x9969,0xa90a,0xb92b, - 0x5af5,0x4ad4,0x7ab7,0x6a96,0x1a71,0x0a50,0x3a33,0x2a12, - 0xdbfd,0xcbdc,0xfbbf,0xeb9e,0x9b79,0x8b58,0xbb3b,0xab1a, - 0x6ca6,0x7c87,0x4ce4,0x5cc5,0x2c22,0x3c03,0x0c60,0x1c41, - 0xedae,0xfd8f,0xcdec,0xddcd,0xad2a,0xbd0b,0x8d68,0x9d49, - 0x7e97,0x6eb6,0x5ed5,0x4ef4,0x3e13,0x2e32,0x1e51,0x0e70, - 0xff9f,0xefbe,0xdfdd,0xcffc,0xbf1b,0xaf3a,0x9f59,0x8f78, - 0x9188,0x81a9,0xb1ca,0xa1eb,0xd10c,0xc12d,0xf14e,0xe16f, - 0x1080,0x00a1,0x30c2,0x20e3,0x5004,0x4025,0x7046,0x6067, - 0x83b9,0x9398,0xa3fb,0xb3da,0xc33d,0xd31c,0xe37f,0xf35e, - 0x02b1,0x1290,0x22f3,0x32d2,0x4235,0x5214,0x6277,0x7256, - 0xb5ea,0xa5cb,0x95a8,0x8589,0xf56e,0xe54f,0xd52c,0xc50d, - 0x34e2,0x24c3,0x14a0,0x0481,0x7466,0x6447,0x5424,0x4405, - 0xa7db,0xb7fa,0x8799,0x97b8,0xe75f,0xf77e,0xc71d,0xd73c, - 0x26d3,0x36f2,0x0691,0x16b0,0x6657,0x7676,0x4615,0x5634, - 0xd94c,0xc96d,0xf90e,0xe92f,0x99c8,0x89e9,0xb98a,0xa9ab, - 0x5844,0x4865,0x7806,0x6827,0x18c0,0x08e1,0x3882,0x28a3, - 0xcb7d,0xdb5c,0xeb3f,0xfb1e,0x8bf9,0x9bd8,0xabbb,0xbb9a, - 0x4a75,0x5a54,0x6a37,0x7a16,0x0af1,0x1ad0,0x2ab3,0x3a92, - 0xfd2e,0xed0f,0xdd6c,0xcd4d,0xbdaa,0xad8b,0x9de8,0x8dc9, - 0x7c26,0x6c07,0x5c64,0x4c45,0x3ca2,0x2c83,0x1ce0,0x0cc1, - 0xef1f,0xff3e,0xcf5d,0xdf7c,0xaf9b,0xbfba,0x8fd9,0x9ff8, - 0x6e17,0x7e36,0x4e55,0x5e74,0x2e93,0x3eb2,0x0ed1,0x1ef0 -}; - -uint16_t crc16(const void *buf, int len) -{ - register int counter; - register uint16_t crc = 0; - for( counter = 0; counter < len; counter++) - crc = (crc<<8) ^ crc16tab[((crc>>8) ^ *(char *)buf++)&0x00FF]; - return crc; -} - -int ss_check_crc(char *buf, ssize_t *buf_len, char *crc_buf, ssize_t *crc_idx) +int ss_check_hash(char *buf, ssize_t *buf_len, char *hash_buf, ssize_t *hash_idx) { int i, j; ssize_t blen = *buf_len; - ssize_t cidx = *crc_idx; + ssize_t cidx = *hash_idx; for (i = 0, j = 0; i < blen; i++) { - if (cidx < CRC_BUF_LEN) { + if (cidx < HASH_BUF_LEN) { buf[j] = buf[i]; j++; } - crc_buf[cidx] = buf[i]; + hash_buf[cidx] = buf[i]; cidx++; - if (cidx == CRC_BUF_LEN + CRC_BYTES) { - uint16_t c = crc16((const void*)crc_buf, CRC_BUF_LEN); - c = htons(c); - if (memcmp(&c, crc_buf + CRC_BUF_LEN, CRC_BYTES) != 0) return 0; + if (cidx == HASH_BUF_LEN + HASH_BYTES) { + uint8_t hash[HASH_BYTES]; + crypto_generichash(hash, HASH_BYTES, (uint8_t *)hash_buf, HASH_BUF_LEN, NULL, 0); + if (memcmp(hash, hash_buf + HASH_BUF_LEN, HASH_BYTES) != 0) return 0; cidx = 0; } } *buf_len = j; - *crc_idx = cidx; + *hash_idx = cidx; return 1; } -char *ss_gen_crc(char *buf, ssize_t *buf_len, char *crc_buf, ssize_t *crc_idx, int buf_size) +char *ss_gen_hash(char *buf, ssize_t *buf_len, char *hash_buf, ssize_t *hash_idx, int buf_size) { int i, j; ssize_t blen = *buf_len; - ssize_t cidx = *crc_idx; - int size = max((blen / CRC_BUF_LEN + 1) * CRC_BYTES + blen, buf_size); + ssize_t cidx = *hash_idx; + int size = max((blen / HASH_BUF_LEN + 1) * HASH_BYTES + blen, buf_size); if (buf_size < size) { buf = realloc(buf, size); } for (i = 0, j = 0; i < blen; i++, j++) { - if (cidx == CRC_BUF_LEN) { - uint16_t c = crc16((const void*)crc_buf, CRC_BUF_LEN); - c = htons(c); - memmove(buf + j + CRC_BYTES, buf + j, blen - i); - memcpy(buf + j, &c, CRC_BYTES); - j += CRC_BYTES; cidx = 0; + if (cidx == HASH_BUF_LEN) { + uint8_t hash[HASH_BYTES]; + crypto_generichash(hash, HASH_BYTES, (uint8_t *)hash_buf, HASH_BUF_LEN, NULL, 0); + memmove(buf + j + HASH_BYTES, buf + j, blen - i); + memcpy(buf + j, hash, HASH_BYTES); + j += HASH_BYTES; cidx = 0; } - crc_buf[cidx] = buf[j]; + hash_buf[cidx] = buf[j]; cidx++; } *buf_len = j; - *crc_idx = cidx; + *hash_idx = cidx; return buf; } diff --git a/src/encrypt.h b/src/encrypt.h index f86ed183..3210230e 100644 --- a/src/encrypt.h +++ b/src/encrypt.h @@ -146,8 +146,8 @@ typedef struct { #define ONETIMEAUTH_FLAG 0x10 #define ADDRTYPE_MASK 0xF -#define CRC_BUF_LEN 128 -#define CRC_BYTES 2 +#define HASH_BUF_LEN 128 +#define HASH_BYTES 4 #define min(a, b) (((a) < (b)) ? (a) : (b)) #define max(a, b) (((a) > (b)) ? (a) : (b)) @@ -173,7 +173,7 @@ unsigned char *enc_md5(const unsigned char *d, size_t n, unsigned char *md); int ss_onetimeauth(char *auth, char *msg, int msg_len, struct enc_ctx *ctx); int ss_onetimeauth_verify(char *auth, char *msg, int msg_len, struct enc_ctx *ctx); -int ss_check_crc(char *buf, ssize_t *buf_len, char *crc_buf, ssize_t *crc_idx); -char * ss_gen_crc(char *buf, ssize_t *buf_len, char *crc_buf, ssize_t *crc_idx, int buf_size); +int ss_check_hash(char *buf, ssize_t *buf_len, char *hash_buf, ssize_t *hash_idx); +char * ss_gen_hash(char *buf, ssize_t *buf_len, char *hash_buf, ssize_t *hash_idx, int buf_size); #endif // _ENCRYPT_H diff --git a/src/local.c b/src/local.c index 2357f6ff..6a7c5417 100644 --- a/src/local.c +++ b/src/local.c @@ -245,7 +245,7 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents) } if (remote->send_ctx->connected && auth) { - remote->buf = ss_gen_crc(remote->buf, &r, remote->crc_buf, &remote->crc_idx, BUF_SIZE); + remote->buf = ss_gen_hash(remote->buf, &r, remote->hash_buf, &remote->hash_idx, BUF_SIZE); } // insert shadowsocks header @@ -484,7 +484,7 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents) memcpy(remote->buf, ss_addr_to_send, addr_len); if (auth) { - buf = ss_gen_crc(buf, &r, remote->crc_buf, &remote->crc_idx, BUF_SIZE); + buf = ss_gen_hash(buf, &r, remote->hash_buf, &remote->hash_idx, BUF_SIZE); } if (r > 0) { @@ -1090,6 +1090,10 @@ int main(int argc, char **argv) #endif } + if (auth) { + LOGI("onetime authentication enabled"); + } + #ifdef __MINGW32__ winsock_init(); #else @@ -1146,10 +1150,6 @@ int main(int argc, char **argv) ev_io_init(&listen_ctx.io, accept_cb, listenfd, EV_READ); ev_io_start(loop, &listen_ctx.io); - if (auth) { - LOGI("onetime authentication enabled"); - } - // Setup UDP if (mode != TCP_ONLY) { LOGI("udprelay enabled"); diff --git a/src/local.h b/src/local.h index f893b5a6..6972f4f0 100644 --- a/src/local.h +++ b/src/local.h @@ -82,8 +82,8 @@ struct remote { struct sockaddr_storage addr; int addr_len; - ssize_t crc_idx; - char crc_buf[CRC_BUF_LEN]; + ssize_t hash_idx; + char hash_buf[HASH_BUF_LEN]; }; #endif // _LOCAL_H diff --git a/src/redir.c b/src/redir.c index 394e4a18..266fd031 100644 --- a/src/redir.c +++ b/src/redir.c @@ -185,7 +185,7 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents) } if (auth) { - remote->buf = ss_gen_crc(remote->buf, &r, remote->crc_buf, &remote->crc_idx, BUF_SIZE); + remote->buf = ss_gen_hash(remote->buf, &r, remote->hash_buf, &remote->hash_idx, BUF_SIZE); } remote->buf = ss_encrypt(BUF_SIZE, remote->buf, &r, server->e_ctx); @@ -740,6 +740,10 @@ int main(int argc, char **argv) daemonize(pid_path); } + if (auth) { + LOGI("onetime authentication enabled"); + } + // ignore SIGPIPE signal(SIGPIPE, SIG_IGN); signal(SIGABRT, SIG_IGN); @@ -786,10 +790,6 @@ int main(int argc, char **argv) ev_io_start(loop, &listen_ctx.io); } - if (auth) { - LOGI("onetime authentication enabled"); - } - // Setup UDP if (mode != TCP_ONLY) { LOGI("UDP relay enabled"); diff --git a/src/redir.h b/src/redir.h index 18e9c99d..ec5e32ce 100644 --- a/src/redir.h +++ b/src/redir.h @@ -71,8 +71,8 @@ struct remote { struct remote_ctx *send_ctx; struct server *server; - ssize_t crc_idx; - char crc_buf[CRC_BUF_LEN]; + ssize_t hash_idx; + char hash_buf[HASH_BUF_LEN]; }; #endif // _LOCAL_H diff --git a/src/server.c b/src/server.c index 949b9773..31c5fc4b 100644 --- a/src/server.c +++ b/src/server.c @@ -496,8 +496,8 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents) // handshake and transmit data if (server->stage == 5) { if (server->auth - && !ss_check_crc(remote->buf, &r, server->crc_buf, &server->crc_idx)) { - LOGE("crc error"); + && !ss_check_hash(remote->buf, &r, server->hash_buf, &server->hash_idx)) { + LOGE("hash error"); report_addr(server->fd); close_and_free_server(EV_A_ server); close_and_free_remote(EV_A_ remote); @@ -527,25 +527,27 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents) } else if (server->stage == 0) { /* - * Shadowsocks TCP Relay Protocol: + * Shadowsocks TCP Relay Header: * - * +------+----------+----------+-----------------+ - * | ATYP | DST.ADDR | DST.PORT | AUTH (Optional) | - * +------+----------+----------+-----------------+ - * | 1 | Variable | 2 | 16 | - * +------+----------+----------+-----------------+ + * +------+----------+----------+---------------------+ + * | ATYP | DST.ADDR | DST.PORT | Poly1305 | + * +------+----------+----------+---------------------+ + * | 1 | Variable | 2 | 16 | + * +------+----------+----------+---------------------+ * - * If ATYP & ONETIMEAUTH_FLAG(0x10) == 1, AUTH and CRC are enabled. + * If ATYP & ONETIMEAUTH_FLAG(0x10) == 1, Authentication (Poly1305) and Hash (BLAKE2b) are enabled. + * + * The key of Poly1305 is BLAKE2b(IV + KEY) and the input is the whole header. */ /* - * Shadowsocks TCP Request Payload CRC (Optional, no CRC for response's payload): + * Shadowsocks TCP Request Payload CRC (Optional, no hash check for response's payload): * - * +------+-------+------+-------+------+ - * | DATA | CRC16 | DATA | CRC16 | ... - * +------+-------+------+-------+------+ - * | 128 | 2 | 128 | 2 | ... - * +------+-------+------+-------+------+ + * +------+---------+------+---------+------+ + * | DATA | BLAKE2b | DATA | BLAKE2b | ... + * +------+---------+------+---------+------+ + * | 128 | 4 | 128 | 4 | ... + * +------+---------+------+---------+------+ */ int offset = 0; @@ -682,8 +684,8 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents) } if (server->auth - && !ss_check_crc(server->buf + server->buf_idx, &server->buf_len, server->crc_buf, &server->crc_idx)) { - LOGE("crc error"); + && !ss_check_hash(server->buf + server->buf_idx, &server->buf_len, server->hash_buf, &server->hash_idx)) { + LOGE("hash error"); report_addr(server->fd); close_and_free_server(EV_A_ server); return; @@ -1385,6 +1387,10 @@ int main(int argc, char **argv) #endif } + if (auth) { + LOGI("onetime authentication enabled"); + } + #ifdef __MINGW32__ winsock_init(); #else @@ -1471,10 +1477,6 @@ int main(int argc, char **argv) ev_timer_start(EV_DEFAULT, &stat_update_watcher); } - if (auth) { - LOGI("onetime authentication enabled"); - } - if (mode != TCP_ONLY) { LOGI("UDP relay enabled"); } diff --git a/src/server.h b/src/server.h index 4f5951ea..2114605d 100644 --- a/src/server.h +++ b/src/server.h @@ -57,8 +57,8 @@ struct server { char *buf; // server send from, remote recv into int auth; - ssize_t crc_idx; - char crc_buf[CRC_BUF_LEN + CRC_BYTES]; // 2 bytes for CRC16 + ssize_t hash_idx; + char hash_buf[HASH_BUF_LEN + HASH_BYTES]; // 2 bytes for HASH16 struct enc_ctx *e_ctx; struct enc_ctx *d_ctx; diff --git a/src/tunnel.c b/src/tunnel.c index 1a9b0827..00e26eda 100644 --- a/src/tunnel.c +++ b/src/tunnel.c @@ -197,7 +197,7 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents) } if (auth) { - remote->buf = ss_gen_crc(remote->buf, &r, remote->crc_buf, &remote->crc_idx, BUF_SIZE); + remote->buf = ss_gen_hash(remote->buf, &r, remote->hash_buf, &remote->hash_idx, BUF_SIZE); } remote->buf = ss_encrypt(BUF_SIZE, remote->buf, &r, server->e_ctx); @@ -805,6 +805,10 @@ int main(int argc, char **argv) daemonize(pid_path); } + if (auth) { + LOGI("onetime authentication enabled"); + } + // parse tunnel addr parse_addr(tunnel_addr_str, &tunnel_addr); @@ -864,10 +868,6 @@ int main(int argc, char **argv) ev_io_start(loop, &listen_ctx.io); } - if (auth) { - LOGI("onetime authentication enabled"); - } - // Setup UDP if (mode != TCP_ONLY) { LOGI("UDP relay enabled"); diff --git a/src/tunnel.h b/src/tunnel.h index aca370d0..184be53c 100644 --- a/src/tunnel.h +++ b/src/tunnel.h @@ -75,8 +75,8 @@ struct remote { struct remote_ctx *send_ctx; struct server *server; - ssize_t crc_idx; - char crc_buf[CRC_BUF_LEN]; + ssize_t hash_idx; + char hash_buf[HASH_BUF_LEN]; }; #endif // _TUNNEL_H