shadowsocks_ruby 0.1.0

data/lib/shadowsocks_ruby/app.rb

@@ -0,0 +1,236 @@
+require 'fileutils'
+require 'singleton'
+require 'socket'
+require 'json'
+require 'einhorn'
+
+module ShadowsocksRuby
+  # App is a singleton object which provide either Shadowsocks Client functionality
+  # or Shadowsocks Server functionality. One App startup one EventMachine event loop
+  # on one Native Thread / CPU core.
+  # 
+  # Because Ruby MRI has a GIL, it is unable to utilize execution parallelism on
+  # multi-core CPU.
+  # However, one can use a shared socket manager to spin off a few Apps that can be
+  # executed parallelly and let the Kernel to do the load balance things.
+  #
+  # A few things noticeable when using a shared socket manager:
+  # * At present, only {https://github.com/stripe/einhorn Einhorn socket manager} are supported.
+  #   systemd shared socket manager support is in the plan.
+  #
+  # * At present, using socket manager could cause TLS1.2 obsfucation protocol's 
+  #   replay attact detection malfunctions, because every process have it's own 
+  #   copy of LRUCache. 
+  #
+  # * Shared socket manager does not work on Windows
+  #
+  class App
+    include Singleton
+
+    MAX_FAST_SHUTDOWN_SECONDS = 10
+
+    attr_reader :options
+    attr_reader :logger
+
+    @@options = {}
+    
+    def self.options= options
+      @@options = options
+    end
+
+    def initialize
+      @options = @@options
+
+      @logger = Logger.new(STDOUT).tap do |log|
+      
+        if options[:__server]
+          log.progname = "ssserver-ruby"
+        elsif options[:__client]
+          log.progname = "sslocal-ruby"
+        end
+
+        if options[:verbose]
+          log.level = Logger::DEBUG 
+        elsif options[:quiet]
+          log.level = Logger::WARN 
+        else
+          log.level = Logger::INFO
+        end
+      end
+
+    end
+
+    def run!
+      if options[:__server]
+        start_server
+      elsif options[:__client]
+        start_client
+      end
+    #rescue Exception => e
+    #  logger.fatal { e.message + "\n" + e.backtrace.join("\n")}
+    end
+
+    def trap_signals
+      STDOUT.sync = true
+      STDERR.sync = true
+       trap('QUIT') do
+        self.fast_shutdown('QUIT')
+      end
+      trap('TERM') do
+        self.fast_shutdown('TERM')
+      end
+      trap('INT') do
+        self.fast_shutdown('INT')
+      end
+    end
+
+    # TODO: next_tick can't be called from trap context
+    def graceful_shutdown(signal)
+      EventMachine.stop_server(@server) if @server
+      Thread.new{ logger.info "Received #{signal} signal. No longer accepting new connections." }
+      Thread.new{ logger.info "Waiting for #{EventMachine.connection_count} connections to finish." }
+      @server = nil
+      graceful_shutdown_check
+    end
+
+    # TODO: next_tick can't be called from trap context
+    def graceful_shutdown_check
+      EventMachine.next_tick do
+        count = EventMachine.connection_count
+        if count == 0
+          EventMachine.stop_event_loop
+        else
+          @wait_count ||= count
+          Thread.new{ logger.info "Waiting for #{EventMachine.connection_count} connections to finish." if @wait_count != count }
+          EventMachine.next_tick self.method(:graceful_shutdown_check)
+        end
+      end
+    end
+
+    # TODO: where does EventMachine.connection_count come from?
+    def fast_shutdown(signal)
+      EventMachine.stop_server(@server) if @server
+      Thread.new{ logger.info "Received #{signal} signal. No longer accepting new connections." }
+      Thread.new{ logger.info "Maximum time to wait for connections is #{MAX_FAST_SHUTDOWN_SECONDS} seconds." }
+      Thread.new{ logger.info "Waiting for #{EventMachine.connection_count} connections to finish." }
+      @server = nil
+      EventMachine.stop_event_loop
+      #EventMachine.stop_event_loop if EventMachine.connection_count == 0
+      #Thread.new do
+      #  sleep MAX_FAST_SHUTDOWN_SECONDS
+      #  $kernel.exit!
+      #end
+    end
+    
+
+    def start_server
+      stack3 = Protocols::ProtocolStack.new([
+        get_packet_protocol,
+        get_cipher_protocol,
+        get_obfs_protocol
+      ].compact, options[:cipher_name], options[:password])
+
+      stack4 = Protocols::ProtocolStack.new([
+        ["plain", {}]
+      ], options[:cipher_name], options[:password])
+
+      server_args = [
+        stack3,
+        {},
+        stack4,
+        {}
+      ]
+
+      start_em options[:server], options[:port], Connections::TCP::LocalBackendConnection, server_args
+    end
+
+    def start_client
+      stack1 = Protocols::ProtocolStack.new([
+          ["socks5", {}]
+      ], options[:cipher_name], options[:password])
+
+      stack2 = Protocols::ProtocolStack.new([
+        get_packet_protocol,
+        get_cipher_protocol,
+        get_obfs_protocol
+      ].compact, options[:cipher_name], options[:password])
+
+      local_args = [
+        stack1,
+        {:host => options[:server], :port => options[:port]},
+        stack2,
+        {}
+      ]
+
+      start_em options[:local_addr], options[:local_port], Connections::TCP::ClientConnection, local_args
+    end
+
+    def start_em host, port, klass_server, server_args
+      EventMachine.epoll
+
+      EventMachine.run do
+        if options[:einhorn] != true
+          @server = EventMachine.start_server(host, port, klass_server, *server_args)
+        else
+          fd_num = Einhorn::Worker.socket!
+          socket = Socket.for_fd(fd_num)
+
+          @server = EventMachine.attach_server(socket, klass_server, *server_args)
+        end
+        logger.info "server started"
+        logger.info "Listening on #{host}:#{port}"
+        logger.info "Send QUIT to quit after waiting for all connections to finish."
+        logger.info "Send TERM or INT to quit after waiting for up to #{MAX_FAST_SHUTDOWN_SECONDS} seconds for connections to finish."
+
+        trap_signals
+      end
+    end
+
+    def get_packet_protocol
+      case options[:packet_name]
+      when "origin", "verify_sha1", "verify_sha1_strict"
+        ["shadowsocks", {}]
+      else
+        raise AppError, "no such protocol: #{options[:packet_name]}"
+      end
+    end
+
+    def get_cipher_protocol
+      if options[:cipher_name] == nil ||  options[:cipher_name] == "none"
+        return nil
+      end
+      case options[:cipher_name]
+      when "table"
+        ["no_iv_cipher", {}]
+      else
+        case options[:packet_name]
+        when "origin"
+          ["iv_cipher", {}]
+        when "verify_sha1"
+          ["verify_sha1", {}]
+        when "verify_sha1_strict"
+          ["verify_sha1", {:compatible => false}]
+        end
+      end
+    end
+
+    def get_obfs_protocol
+      if options[:obfs_name] == nil
+        return nil
+      end
+      case options[:obfs_name]
+      when "http_simple"
+        ["http_simple", {:host => options[:server], :port => options[:port], :obfs_param => options[:obfs_param]}]
+      when "http_simple_strict"
+        ["http_simple", {:host => options[:server], :port => options[:port], :obfs_param => options[:obfs_param], :compatible => false}]
+      when "tls_ticket"
+        ["tls_ticket", {:host => options[:server], :obfs_param => options[:obfs_param]}]
+      when "tls_ticket_strict"
+        ["tls_ticket", {:host => options[:server], :obfs_param => options[:obfs_param], :compatible => false}]
+      else
+        raise AppError, "no such protocol: #{options[:obfs_name]}"
+      end
+    end
+
+  end
+end

data/lib/shadowsocks_ruby/cipher/cipher.rb

@@ -0,0 +1,112 @@
+require 'openssl'
+module ShadowsocksRuby
+  
+  # This module provide classes to encapsulate different underlying crypto library,
+  # to utilize them with an unique interface.
+  #
+  # It also provide some useful utility functions like 
+  # {.hmac_sha1_digest} and {.bytes_to_key}.
+  #
+  # @example
+  #    # Demonstrate how to build a cipher object and it's typical use case.
+  #    cipher = ShadowsocksRuby::Cipher.build('aes-256-cfb', 'secret123')
+  #    iv = cipher.random_id
+  #    encrypted_text = cipher.encrypt("hello world!", iv)
+  #    puts cipher.decrypt(encrypted_text, iv) # hello world!
+  #    puts cipher.key # ...... # in case key need to be used in some Digest algorithm.
+
+  module Cipher
+    extend self
+
+    # Builder for cipher object
+    #
+    # Supported methods are:
+    # * table
+    # * rc4-md5
+    # * chacha20, chacha2-ietf, salsa20 which are provided by RbNaCl
+    # * all cipher methods supported by ruby gems OpenSSL, use
+    #
+    #        ruby -e "require 'openssl'; puts OpenSSL::Cipher.ciphers" 
+    #
+    #   to get a full list.
+    # @param [String] method         Cipher methods
+    # @param [String] password       Password
+    # @return [OpenSSL, Table, RC4_MD5, RbNaCl] A duck type cipher object
+    #
+    def build method, password
+      case method
+      when 'table'
+        ShadowsocksRuby::Cipher::Table.new password
+      when 'rc4-md5'
+        ShadowsocksRuby::Cipher::RC4_MD5.new password
+      when 'chacha20','chacha20-ietf','salsa20'
+        ShadowsocksRuby::Cipher::RbNaCl.new method, password
+      else
+        ShadowsocksRuby::Cipher::OpenSSL.new method, password
+      end
+    end
+
+    # Generate <b>first 10 bytes</b> of HMAC using sha1 Digest
+    #
+    # @param [String] key             Key, use {#bytes_to_key} to convert a password to key if you need
+    # @param [String] message         Message to digest
+    # @return [String]                Digest, <b> only first 10 bytes</b>
+    def hmac_sha1_digest(key, message)
+      @digest ||= ::OpenSSL::Digest.new('sha1')
+      ::OpenSSL::HMAC.digest(@digest, key, message)[0,10]
+    end
+
+    # Equivalent to OpenSSL's EVP_BytesToKey() with count = 1
+    #
+    # @param [String] Password        Password bytes
+    # @param [Integer] key_len        Key length, the length of key bytes to generate 
+    # @param [Integer] iv_len         IV length, needed by internal algorithm
+    # @return [String]                Key bytes, of *key_len* length
+    def bytes_to_key(password, key_len, iv_len)
+      bytes_to_key1(nil, password, 1, key_len, iv_len)[0]
+    end
+
+    private
+
+    def bytes_to_key0(md_buf, salt, data, count)
+      src = md_buf.empty? ? '' : md_buf
+      src << data
+      src << salt if salt
+
+      dst = ::OpenSSL::Digest::MD5.digest(src)
+
+      (count - 1).times do
+        dst = ::OpenSSL::Digest::MD5.digest(dst)
+      end
+
+      return dst
+    end
+
+    # Equivalent to OpenSSL's EVP_BytesToKey()
+    # Taken from http://d.hatena.ne.jp/winebarrel/20081208/p1
+    # Fixed by Zhenkyle
+    def bytes_to_key1(salt, data, count, nkey, niv)
+      key = ''
+      iv = ''
+      md_buf = ''
+
+      loop do
+        md_buf = bytes_to_key0(md_buf, salt, data, count)
+
+        if nkey.nonzero?
+          key << (nkey > md_buf.length ? md_buf : md_buf[0, nkey])
+          nkey -= nkey > md_buf.length ? md_buf.length : nkey
+        elsif niv.nonzero?
+          iv << (niv > md_buf.length ? md_buf : md_buf[0, niv])
+          niv -= niv > md_buf.length ? md_buf.length : niv
+        end
+
+        if nkey.zero? and niv.zero?
+          break
+        end
+      end
+
+      return [key, iv]
+    end
+  end
+end

data/lib/shadowsocks_ruby/cipher/openssl.rb

@@ -0,0 +1,81 @@
+require 'openssl'
+
+module ShadowsocksRuby
+  module Cipher
+
+    # Encapsulate RubyGems version of OpenSSL, the gems version is newer than
+    # the version in Ruby Standand Library.
+    #
+    # Cipher methods provided by Ruby OpenSSL library is dicided by
+    # the OpenSSL library comes with ruby on your system.
+    # To work with specific version of OpenSSL library other than the version
+    # comes with ruby, you may need to specify the path where OpenSSL is installed.
+    #
+    #    gem install openssl -- --with-openssl-dir=/opt/openssl
+    #
+    # Use this command to get a full list of cipher methods supported on your system.
+    #    ruby -e "require 'openssl'; puts OpenSSL::Cipher.ciphers" 
+    # 
+    #
+    # See https://github.com/ruby/openssl for more detail.
+    #
+    # Normally you should use {ShadowsocksRuby::Cipher#build} to get an
+    # instance of this class.
+    class OpenSSL
+
+      # Return the key, which length is decided by the cipher method.
+      # @return [String] key
+      attr_reader :key
+
+      # @param [String] method           Cipher methods
+      # @param [String] password         Password
+      def initialize method, password
+        @cipher_encrypt = ::OpenSSL::Cipher.new(method).encrypt
+        @cipher_decrypt = ::OpenSSL::Cipher.new(method).decrypt
+        key_len = @cipher_encrypt.key_len
+        iv_len = @cipher_encrypt.iv_len
+        @key = Cipher.bytes_to_key(password, key_len, iv_len)
+        @cipher_encrypt.key = @key
+        @cipher_decrypt.key = @key
+        @encrypt_iv = nil
+        @decrypt_iv = nil
+      end
+
+      # Generate a random IV for the cipher method
+      # @return [String]                 random IV of the length of the cipher method
+      def random_iv
+        @encrypt_iv = @cipher_encrypt.random_iv
+      end
+
+      # Encrypt message by provided IV
+      # @param [String] message
+      # @param [String] iv
+      # @return [String]                  Encrypted Message
+      def encrypt(message, iv)
+        if @encrypt_iv != iv
+          @encrypt_iv = iv
+          @cipher_encrypt.iv = iv
+        end
+        @cipher_encrypt.update(message) << @cipher_encrypt.final
+      end
+
+      # Decrypt message by provided IV
+      # @param [String] message
+      # @param [String] iv
+      # @return [String]                   Decrypted Message
+      def decrypt(message, iv)
+        if @decrypt_iv != iv
+          @decrypt_iv = iv
+          @cipher_decrypt.iv = iv
+        end
+        @cipher_decrypt.update(message) << @cipher_decrypt.final
+      end
+
+      # Get the cipher object's IV length
+      # @return [Integer]
+      def iv_len
+        @cipher_encrypt.iv_len
+      end
+    end
+  end
+end

data/lib/shadowsocks_ruby/cipher/rbnacl.rb

@@ -0,0 +1,64 @@
+require 'rbnacl'
+
+module ShadowsocksRuby
+  module Cipher
+
+    # Encapsulate RbNaCl ruby library, cipher methods provided by this Class are:
+    # * chacha20 -- ChaCha20Poly1305Legacy without ad
+    # * chacha2-ietf -- ChaCha20Poly1305IETF without ad
+    # * salsa20 -- XSalsa20Poly1305 without ad
+    #
+    # Normally you should use {ShadowsocksRuby::Cipher#build} to get an
+    # instance of this class.
+
+    class RbNaCl
+
+      attr_reader :key
+      # (see OpenSSL#initialize)
+      def initialize method, password
+        klass = case method
+          when 'chacha20'
+            ::RbNaCl::AEAD::ChaCha20Poly1305Legacy
+          when 'chacha20-ietf'
+            ::RbNaCl::AEAD::ChaCha20Poly1305IETF
+          when 'salsa20'
+            ::RbNaCl::SecretBoxes::XSalsa20Poly1305
+          else
+            raise CipherError, "unsupported method: " + method
+          end
+        key_len = klass.key_bytes
+        iv_len = klass.nonce_bytes
+        @key = ShadowsocksRuby::Cipher.bytes_to_key(password, key_len, iv_len)
+        @cipher = klass.new(@key)
+      end
+
+      # (see OpenSSL#random_iv)
+      def random_iv
+        ::RbNaCl::Random.random_bytes(@cipher.nonce_bytes)
+      end
+
+      # (see OpenSSL#encrypt)
+      def encrypt(message, iv)
+        if @cipher.class == ::RbNaCl::SecretBoxes::XSalsa20Poly1305
+          @cipher.encrypt(iv, message)
+        else
+          @cipher.encrypt(iv, message, nil)
+        end
+      end
+
+      # (see OpenSSL#decrypt)
+      def decrypt(message, iv)
+        if @cipher.class == ::RbNaCl::SecretBoxes::XSalsa20Poly1305
+          @cipher.decrypt(iv, message)
+        else
+          @cipher.decrypt(iv, message, nil)
+        end
+      end
+
+      # (see OpenSSL#iv_len)
+      def iv_len
+        @cipher.iv_bytes
+      end
+    end
+  end
+end

data/lib/shadowsocks_ruby/cipher/rc4_md5.rb

@@ -0,0 +1,54 @@
+require 'openssl'
+
+module ShadowsocksRuby
+  module Cipher
+
+    # Implementation of the RC4_MD5 cipher method.
+    #
+    # Normally you should use {ShadowsocksRuby::Cipher#build} to get an
+    # instance of this class.
+
+    class RC4_MD5
+      attr_reader :key
+
+      # (see OpenSSL#initialize)
+      def initialize password
+        @key = ShadowsocksRuby::Cipher.bytes_to_key(password, 16, 16)
+        @cipher_encrypt = ::OpenSSL::Cipher.new('rc4').encrypt
+        @cipher_decrypt = ::OpenSSL::Cipher.new('rc4').decrypt
+        @encrypt_iv = nil
+        @decrypt_iv = nil
+      end
+
+      # (see OpenSSL#random_iv)
+      def random_iv
+        Random.new.bytes(16)
+      end
+
+      # (see OpenSSL#encrypt)
+      def encrypt(message, iv)
+        if @encrypt_iv != iv
+          @encrypt_iv = iv
+          key = ::OpenSSL::Digest::MD5.digest(@key + iv)
+          @cipher_encrypt.key = key
+        end
+        @cipher_encrypt.update(message) << @cipher_encrypt.final
+      end
+
+      # (see OpenSSL#decrypt)
+      def decrypt(message, iv)
+        if @decrypt_iv != iv
+          @decrypt_iv = iv
+          key = ::OpenSSL::Digest::MD5.digest(@key + iv)
+          @cipher_decrypt.key = key
+        end
+        @cipher_decrypt.update(message) << @cipher_decrypt.final
+      end
+
+      # (see OpenSSL#iv_len)
+      def iv_len
+        16
+      end
+    end
+  end
+end

data/lib/shadowsocks_ruby/cipher/table.rb

@@ -0,0 +1,65 @@
+require 'openssl'
+
+module ShadowsocksRuby
+  module Cipher
+
+    # Implementation of the Table cipher method.
+    #
+    # Note: this cipher method have neither IV or key, so may be
+    # incompatible with protocols which needs IV or key.
+    # 
+    # Normally you should use {ShadowsocksRuby::Cipher#build} to get an
+    # instance of this class.
+    class Table
+      # (see OpenSSL#initialize)
+      def initialize password
+        @encrypt_table, @decrypt_table = get_table(password)
+      end
+
+      # (see OpenSSL#encrypt)
+      def encrypt(message)
+        translate @encrypt_table, message
+      end
+
+      # (see OpenSSL#decrypt)
+      def decrypt(message)
+        translate @decrypt_table, message
+      end
+
+      # (see OpenSSL#iv_len)
+      #
+      # returns 0 for Table
+      def iv_len
+        0
+      end
+
+      # (see OpenSSL#key)
+      #
+      # returns nil for Table
+      def key
+        nil
+      end
+
+      private
+
+      def get_table(key)
+        table = [*0..255]
+        a = ::OpenSSL::Digest::MD5.digest(key).unpack('Q<')[0]
+
+        (1...1024).each do |i|
+          table.sort! { |x, y| a % (x + i) - a % (y + i) }
+        end
+
+        decrypt_table = Array.new(256)
+        table.each_with_index {|x, i| decrypt_table[x] = i}
+
+        [table, decrypt_table]
+      end
+
+      def translate(table, buf)
+        buf.bytes.map!{|x| table[x]}.pack("C*")
+      end
+
+    end
+  end
+end