Skip to content

Commit

Permalink
Merge pull request shadowsocks#40 from riobard/stable
Browse files Browse the repository at this point in the history
Bugfix: AEAD stream cipher incorrectly handled leftover bytes
  • Loading branch information
riobard authored Apr 26, 2017
2 parents aced562 + cab529f commit 9baef5e
Show file tree
Hide file tree
Showing 6 changed files with 37 additions and 29 deletions.
14 changes: 7 additions & 7 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,27 +101,27 @@ func main() {
if flags.UDPTun != "" {
for _, tun := range strings.Split(flags.UDPTun, ",") {
p := strings.Split(tun, "=")
go udpLocal(p[0], addr, p[1], ciph)
go udpLocal(p[0], addr, p[1], ciph.PacketConn)
}
}

if flags.TCPTun != "" {
for _, tun := range strings.Split(flags.TCPTun, ",") {
p := strings.Split(tun, "=")
go tcpTun(p[0], addr, p[1], ciph)
go tcpTun(p[0], addr, p[1], ciph.StreamConn)
}
}

if flags.Socks != "" {
go socksLocal(flags.Socks, addr, ciph)
go socksLocal(flags.Socks, addr, ciph.StreamConn)
}

if flags.RedirTCP != "" {
go redirLocal(flags.RedirTCP, addr, ciph)
go redirLocal(flags.RedirTCP, addr, ciph.StreamConn)
}

if flags.RedirTCP6 != "" {
go redir6Local(flags.RedirTCP6, addr, ciph)
go redir6Local(flags.RedirTCP6, addr, ciph.StreamConn)
}
}

Expand All @@ -143,8 +143,8 @@ func main() {
log.Fatal(err)
}

go udpRemote(addr, ciph)
go tcpRemote(addr, ciph)
go udpRemote(addr, ciph.PacketConn)
go tcpRemote(addr, ciph.StreamConn)
}

sigCh := make(chan os.Signal, 1)
Expand Down
10 changes: 10 additions & 0 deletions shadowaead/stream.go
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,16 @@ func (r *reader) Read(b []byte) (int, error) {
// there's no more data to write or when an error occurs. Return number of
// bytes written to w and any error encountered.
func (r *reader) WriteTo(w io.Writer) (n int64, err error) {
// write decrypted bytes left over from previous record
for len(r.leftover) > 0 {
nw, ew := w.Write(r.leftover)
r.leftover = r.leftover[nw:]
n += int64(nw)
if ew != nil {
return n, ew
}
}

for {
nr, er := r.read()
if nr > 0 {
Expand Down
17 changes: 8 additions & 9 deletions tcp.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,29 +5,28 @@ import (
"net"
"time"

"github.com/shadowsocks/go-shadowsocks2/core"
"github.com/shadowsocks/go-shadowsocks2/socks"
)

// Create a SOCKS server listening on addr and proxy to server.
func socksLocal(addr, server string, ciph core.StreamConnCipher) {
func socksLocal(addr, server string, shadow func(net.Conn) net.Conn) {
logf("SOCKS proxy %s <-> %s", addr, server)
tcpLocal(addr, server, ciph, func(c net.Conn) (socks.Addr, error) { return socks.Handshake(c) })
tcpLocal(addr, server, shadow, func(c net.Conn) (socks.Addr, error) { return socks.Handshake(c) })
}

// Create a TCP tunnel from addr to target via server.
func tcpTun(addr, server, target string, ciph core.StreamConnCipher) {
func tcpTun(addr, server, target string, shadow func(net.Conn) net.Conn) {
tgt := socks.ParseAddr(target)
if tgt == nil {
logf("invalid target address %q", target)
return
}
logf("TCP tunnel %s <-> %s <-> %s", addr, server, target)
tcpLocal(addr, server, ciph, func(net.Conn) (socks.Addr, error) { return tgt, nil })
tcpLocal(addr, server, shadow, func(net.Conn) (socks.Addr, error) { return tgt, nil })
}

// Listen on addr and proxy to server to reach target from getAddr.
func tcpLocal(addr, server string, ciph core.StreamConnCipher, getAddr func(net.Conn) (socks.Addr, error)) {
func tcpLocal(addr, server string, shadow func(net.Conn) net.Conn, getAddr func(net.Conn) (socks.Addr, error)) {
l, err := net.Listen("tcp", addr)
if err != nil {
logf("failed to listen on %s: %v", addr, err)
Expand Down Expand Up @@ -58,7 +57,7 @@ func tcpLocal(addr, server string, ciph core.StreamConnCipher, getAddr func(net.
}
defer rc.Close()
rc.(*net.TCPConn).SetKeepAlive(true)
rc = ciph.StreamConn(rc)
rc = shadow(rc)

if _, err = rc.Write(tgt); err != nil {
logf("failed to send target address: %v", err)
Expand All @@ -78,7 +77,7 @@ func tcpLocal(addr, server string, ciph core.StreamConnCipher, getAddr func(net.
}

// Listen on addr for incoming connections.
func tcpRemote(addr string, ciph core.StreamConnCipher) {
func tcpRemote(addr string, shadow func(net.Conn) net.Conn) {
l, err := net.Listen("tcp", addr)
if err != nil {
logf("failed to listen on %s: %v", addr, err)
Expand All @@ -96,7 +95,7 @@ func tcpRemote(addr string, ciph core.StreamConnCipher) {
go func() {
defer c.Close()
c.(*net.TCPConn).SetKeepAlive(true)
c = ciph.StreamConn(c)
c = shadow(c)

tgt, err := socks.ReadAddr(c)
if err != nil {
Expand Down
9 changes: 4 additions & 5 deletions tcp_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ import (
"syscall"
"unsafe"

"github.com/shadowsocks/go-shadowsocks2/core"
"github.com/shadowsocks/go-shadowsocks2/socks"
)

Expand All @@ -16,15 +15,15 @@ const (
)

// Listen on addr for netfilter redirected TCP connections
func redirLocal(addr, server string, ciph core.StreamConnCipher) {
func redirLocal(addr, server string, shadow func(net.Conn) net.Conn) {
logf("TCP redirect %s <-> %s", addr, server)
tcpLocal(addr, server, ciph, func(c net.Conn) (socks.Addr, error) { return getOrigDst(c, false) })
tcpLocal(addr, server, shadow, func(c net.Conn) (socks.Addr, error) { return getOrigDst(c, false) })
}

// Listen on addr for netfilter redirected TCP IPv6 connections.
func redir6Local(addr, server string, ciph core.StreamConnCipher) {
func redir6Local(addr, server string, shadow func(net.Conn) net.Conn) {
logf("TCP6 redirect %s <-> %s", addr, server)
tcpLocal(addr, server, ciph, func(c net.Conn) (socks.Addr, error) { return getOrigDst(c, true) })
tcpLocal(addr, server, shadow, func(c net.Conn) (socks.Addr, error) { return getOrigDst(c, true) })
}

// Get the original destination of a TCP connection.
Expand Down
6 changes: 3 additions & 3 deletions tcp_other.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,12 @@

package main

import "github.com/shadowsocks/go-shadowsocks2/core"
import "net"

func redirLocal(addr, server string, ciph core.StreamConnCipher) {
func redirLocal(addr, server string, shadow func(net.Conn) net.Conn) {
logf("TCP redirect not supported")
}

func redir6Local(addr, server string, ciph core.StreamConnCipher) {
func redir6Local(addr, server string, shadow func(net.Conn) net.Conn) {
logf("TCP6 redirect not supported")
}
10 changes: 5 additions & 5 deletions udp.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@ import (

"sync"

"github.com/shadowsocks/go-shadowsocks2/core"
"github.com/shadowsocks/go-shadowsocks2/socks"
)

const udpBufSize = 64 * 1024

// Listen on laddr for UDP packets, encrypt and send to server to reach target.
func udpLocal(laddr, server, target string, ciph core.PacketConnCipher) {
func udpLocal(laddr, server, target string, shadow func(net.PacketConn) net.PacketConn) {
srvAddr, err := net.ResolveUDPAddr("udp", server)
if err != nil {
logf("UDP server address error: %v", err)
Expand Down Expand Up @@ -55,7 +54,7 @@ func udpLocal(laddr, server, target string, ciph core.PacketConnCipher) {
continue
}

pc = ciph.PacketConn(pc)
pc = shadow(pc)
nm.Add(raddr, c, pc, false)
}

Expand All @@ -68,13 +67,14 @@ func udpLocal(laddr, server, target string, ciph core.PacketConnCipher) {
}

// Listen on addr for encrypted packets and basically do UDP NAT.
func udpRemote(addr string, ciph core.PacketConnCipher) {
c, err := core.ListenPacket("udp", addr, ciph)
func udpRemote(addr string, shadow func(net.PacketConn) net.PacketConn) {
c, err := net.ListenPacket("udp", addr)
if err != nil {
logf("UDP remote listen error: %v", err)
return
}
defer c.Close()
c = shadow(c)

nm := newNATmap(config.UDPTimeout)
buf := make([]byte, udpBufSize)
Expand Down

0 comments on commit 9baef5e

Please sign in to comment.