From 6dfc567d55ace9201b4384e7a93dfd00eb1687ee Mon Sep 17 00:00:00 2001 From: Riobard Date: Sat, 11 Mar 2017 00:16:32 +0800 Subject: [PATCH 1/4] AEAD ciphers follow IANA scheme --- core/cipher.go | 35 ++++++++++++++++++++++------------- main.go | 2 +- shadowaead/cipher.go | 4 ++-- 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/core/cipher.go b/core/cipher.go index 2db490d6..3da49b51 100644 --- a/core/cipher.go +++ b/core/cipher.go @@ -32,10 +32,10 @@ var aeadList = map[string]struct { KeySize int New func([]byte) (shadowaead.Cipher, error) }{ - "aes-128-gcm": {16, shadowaead.AESGCM}, - "aes-192-gcm": {24, shadowaead.AESGCM}, - "aes-256-gcm": {32, shadowaead.AESGCM}, - "chacha20-ietf-poly1305": {32, shadowaead.Chacha20IETFPoly1305}, + "AEAD_AES_128_GCM": {16, shadowaead.AESGCM}, + "AEAD_AES_192_GCM": {24, shadowaead.AESGCM}, + "AEAD_AES_256_GCM": {32, shadowaead.AESGCM}, + "AEAD_CHACHA20_POLY1305": {32, shadowaead.Chacha20Poly1305}, } // List of stream ciphers: key size in bytes and constructor @@ -43,13 +43,13 @@ var streamList = map[string]struct { KeySize int New func(key []byte) (shadowstream.Cipher, error) }{ - "aes-128-ctr": {16, shadowstream.AESCTR}, - "aes-192-ctr": {24, shadowstream.AESCTR}, - "aes-256-ctr": {32, shadowstream.AESCTR}, - "aes-128-cfb": {16, shadowstream.AESCFB}, - "aes-192-cfb": {24, shadowstream.AESCFB}, - "aes-256-cfb": {32, shadowstream.AESCFB}, - "chacha20-ietf": {32, shadowstream.Chacha20IETF}, + "AES-128-CTR": {16, shadowstream.AESCTR}, + "AES-192-CTR": {24, shadowstream.AESCTR}, + "AES-256-CTR": {32, shadowstream.AESCTR}, + "AES-128-CFB": {16, shadowstream.AESCFB}, + "AES-192-CFB": {24, shadowstream.AESCFB}, + "AES-256-CFB": {32, shadowstream.AESCFB}, + "CHACHA20-IETF": {32, shadowstream.Chacha20IETF}, } // ListCipher returns a list of available cipher names sorted alphabetically. @@ -67,10 +67,19 @@ func ListCipher() []string { // PickCipher returns a Cipher of the given name. Derive key from password if given key is empty. func PickCipher(name string, key []byte, password string) (Cipher, error) { - name = strings.ToLower(name) + name = strings.ToUpper(name) - if name == "dummy" { + switch name { + case "DUMMY": return &dummy{}, nil + case "CHACHA20-IETF-POLY1305": + name = "AEAD_CHACHA20_POLY1305" + case "AES-128-GCM": + name = "AEAD_AES_128_GCM" + case "AES-196-GCM": + name = "AEAD_AES_196_GCM" + case "AES-256-GCM": + name = "AEAD_AES_256_GCM" } if choice, ok := aeadList[name]; ok { diff --git a/main.go b/main.go index 085f8ea9..71a50060 100644 --- a/main.go +++ b/main.go @@ -45,7 +45,7 @@ func main() { } flag.BoolVar(&config.Verbose, "verbose", false, "verbose mode") - flag.StringVar(&flags.Cipher, "cipher", "chacha20-ietf-poly1305", "available ciphers: "+strings.Join(core.ListCipher(), " ")) + flag.StringVar(&flags.Cipher, "cipher", "AEAD_CHACHA20_POLY1305", "available ciphers: "+strings.Join(core.ListCipher(), " ")) flag.StringVar(&flags.Key, "key", "", "base64url-encoded key (derive from password if empty)") flag.IntVar(&flags.Keygen, "keygen", 0, "generate a base64url-encoded random key of given length in byte") flag.StringVar(&flags.Password, "password", "", "password") diff --git a/shadowaead/cipher.go b/shadowaead/cipher.go index a8112ae1..952d5b27 100644 --- a/shadowaead/cipher.go +++ b/shadowaead/cipher.go @@ -74,9 +74,9 @@ func AESGCM(psk []byte) (Cipher, error) { return &metaCipher{psk: psk, makeAEAD: aesGCM}, nil } -// Chacha20IETFPoly1305 creates a new Cipher with a pre-shared key. len(psk) +// Chacha20Poly1305 creates a new Cipher with a pre-shared key. len(psk) // must be 32. -func Chacha20IETFPoly1305(psk []byte) (Cipher, error) { +func Chacha20Poly1305(psk []byte) (Cipher, error) { if len(psk) != chacha20poly1305.KeySize { return nil, KeySizeError(chacha20poly1305.KeySize) } From 155e12e5f5402eb0eab700d4858bd21141805e7d Mon Sep 17 00:00:00 2001 From: Riobard Date: Sat, 11 Mar 2017 00:31:33 +0800 Subject: [PATCH 2/4] Update AEAD cipher name in README --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 4525bdf9..37806424 100644 --- a/README.md +++ b/README.md @@ -25,10 +25,10 @@ go get -u -v github.com/riobard/go-shadowsocks2 ### Server -Start a server listening on port 8488 using `aes-128-gcm` AEAD cipher with password `your-password`. +Start a server listening on port 8488 using `AEAD_CHACHA20_POLY1305` AEAD cipher with password `your-password`. ```sh -go-shadowsocks2 -s ss://aes-128-gcm:your-password@:8488 -verbose +go-shadowsocks2 -s ss://AEAD_CHACHA20_POLY1305:your-password@:8488 -verbose ``` @@ -39,7 +39,7 @@ connections, and tunnels UDP packets received on port 1080 and port 1081 to 8.8. respectively. ```sh -go-shadowsocks2 -c ss://aes-128-gcm:your-password@[server_address]:8488 \ +go-shadowsocks2 -c ss://AEAD_CHACHA20_POLY1305:your-password@[server_address]:8488 \ -socks :1080 -udptun :1080=8.8.8.8:53,:1081=8.8.4.4:53 -verbose ``` @@ -57,16 +57,16 @@ A random key is almost always better than a password. Generate a base64url-encod go-shadowsocks2 -keygen 16 ``` -Start a server listening on port 8848 using `aes-128-gcm` AEAD cipher with the key generated above. +Start a server listening on port 8848 using `AEAD_AES_128_GCM` AEAD cipher with the key generated above. ```sh -go-shadowsocks2 -s :8488 -cipher aes-128-gcm -key k5yEIX5ciUDpkpdtvZm7zQ== -verbose +go-shadowsocks2 -s :8488 -cipher AEAD_AES_128_GCM -key k5yEIX5ciUDpkpdtvZm7zQ== -verbose ``` And the corresponding client to connect to it. ```sh -go-shadowsocks2 -c [server_address]:8488 -cipher aes-128-gcm -key k5yEIX5ciUDpkpdtvZm7zQ== -verbose +go-shadowsocks2 -c [server_address]:8488 -cipher AEAD_AES_128_GCM -key k5yEIX5ciUDpkpdtvZm7zQ== -verbose ``` @@ -80,7 +80,7 @@ Start a client listening on port 1082 for redirected TCP connections and port 10 TCP IPv6 connections. ```sh -go-shadowsocks2 -c [server_address]:8488 -cipher aes-128-gcm -key k5yEIX5ciUDpkpdtvZm7zQ== \ +go-shadowsocks2 -c [server_address]:8488 -cipher AEAD_AES_128_GCM -key k5yEIX5ciUDpkpdtvZm7zQ== \ -redir :1082 -redir6 :1083 ``` @@ -102,7 +102,7 @@ Start a client on the same machine with the server. The client listens on port 1 and tunnels to localhost:5201 where iperf3 is listening. ```sh -go-shadowsocks2 -c [server_address]:8488 -cipher aes-128-gcm -key k5yEIX5ciUDpkpdtvZm7zQ== \ +go-shadowsocks2 -c [server_address]:8488 -cipher AEAD_AES_128_GCM -key k5yEIX5ciUDpkpdtvZm7zQ== \ -tcptun :1090=localhost:5201 ``` From 81c5976ccce8f66509936a45041403bf4902337c Mon Sep 17 00:00:00 2001 From: Riobard Date: Sat, 11 Mar 2017 00:37:58 +0800 Subject: [PATCH 3/4] Fixed example in README --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 37806424..52e7b17e 100644 --- a/README.md +++ b/README.md @@ -35,12 +35,13 @@ go-shadowsocks2 -s ss://AEAD_CHACHA20_POLY1305:your-password@:8488 -verbose ### Client Start a client connecting to the above server. The client listens on port 1080 for incoming SOCKS5 -connections, and tunnels UDP packets received on port 1080 and port 1081 to 8.8.8.8:53 and 8.8.4.4:53 +connections, and tunnels both UDP and TCP on port 8053 and port 8054 to 8.8.8.8:53 and 8.8.4.4:53 respectively. ```sh go-shadowsocks2 -c ss://AEAD_CHACHA20_POLY1305:your-password@[server_address]:8488 \ - -socks :1080 -udptun :1080=8.8.8.8:53,:1081=8.8.4.4:53 -verbose + -verbose -socks :1080 -udptun :8053=8.8.8.8:53,:8054=8.8.4.4:53 \ + -tcptun :8053=8.8.8.8:53,:8054=8.8.4.4:53 ``` Replace `[server_address]` with the server's public address. From c4010958750065a52003dd01fb8181bee5b14fea Mon Sep 17 00:00:00 2001 From: Riobard Date: Sat, 11 Mar 2017 00:38:32 +0800 Subject: [PATCH 4/4] Do not turn on SOCKS by default --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index 71a50060..f32c12b6 100644 --- a/main.go +++ b/main.go @@ -51,7 +51,7 @@ func main() { flag.StringVar(&flags.Password, "password", "", "password") flag.StringVar(&flags.Server, "s", "", "server listen address or url") flag.StringVar(&flags.Client, "c", "", "client connect address or url") - flag.StringVar(&flags.Socks, "socks", ":1080", "(client-only) SOCKS listen address") + flag.StringVar(&flags.Socks, "socks", "", "(client-only) SOCKS listen address") flag.StringVar(&flags.RedirTCP, "redir", "", "(client-only) redirect TCP from this address") flag.StringVar(&flags.RedirTCP6, "redir6", "", "(client-only) redirect TCP IPv6 from this address") flag.StringVar(&flags.TCPTun, "tcptun", "", "(client-only) TCP tunnel (laddr1=raddr1,laddr2=raddr2,...)")