youys
/
shadowsocks-windows
Not watched
1
0
Fork 0
Code
Releases 67 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
1075 Commits
5 Branches
32 MB
208 Download
Tree: 4d4f1753c7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4d4f1753c7'
${ noResults }
shadowsocks-windows/shadowsocks-csharp/Encryption/AEAD/AEADEncryptor.cs

AEADEncryptor.cs 15 kB
Raw Normal View History

add AEAD support
8 years ago
Replace circular buffer with the blockcopy variant to get rid of deep copy - update NuGet pkg Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
8 years ago
add AEAD support
8 years ago
spare enough space for UDP packet
8 years ago
add AEAD support
8 years ago
Replace circular buffer with the blockcopy variant to get rid of deep copy - update NuGet pkg Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
8 years ago
add AEAD support
8 years ago
fix legacy key derivation
8 years ago
add AEAD support
8 years ago
fix legacy key derivation
8 years ago
add AEAD support
8 years ago
fix legacy key derivation
8 years ago
add AEAD support
8 years ago
Add OpenSSL 1.1.0g support due to hardware acceleration Note: If you want to compile it by yourself, please make sure do NOT use `no-asm` configure option, since the main point of this commit is to utilize assembly in openssl Add OpenSSL test
7 years ago
add AEAD support
8 years ago
Add OpenSSL 1.1.0g support due to hardware acceleration Note: If you want to compile it by yourself, please make sure do NOT use `no-asm` configure option, since the main point of this commit is to utilize assembly in openssl Add OpenSSL test
7 years ago
add AEAD support
8 years ago
Replace circular buffer with the blockcopy variant to get rid of deep copy - update NuGet pkg Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
8 years ago
add AEAD support
8 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347 
  1. using System;

  2. using System.Collections.Generic;

  3. using System.Diagnostics;

  4. using System.Net;

  5. using System.Text;

  6. using Shadowsocks.Encryption.CircularBuffer;

  7. using Shadowsocks.Controller;

  8. using Shadowsocks.Encryption.Exception;

  9. using Shadowsocks.Encryption.Stream;

  10. 

  11. namespace Shadowsocks.Encryption.AEAD

  12. {

  13.     public abstract class AEADEncryptor

  14.         : EncryptorBase

  15.     {

  16.         // We are using the same saltLen and keyLen

  17.         private const string Info = "ss-subkey";

  18.         private static readonly byte[] InfoBytes = Encoding.ASCII.GetBytes(Info);

  19. 

  20.         // for UDP only

  21.         protected static byte[] _udpTmpBuf = new byte[65536];

  22. 

  23.         // every connection should create its own buffer

  24.         private ByteCircularBuffer _encCircularBuffer = new ByteCircularBuffer(MAX_INPUT_SIZE * 2);

  25.         private ByteCircularBuffer _decCircularBuffer = new ByteCircularBuffer(MAX_INPUT_SIZE * 2);

  26. 

  27.         public const int CHUNK_LEN_BYTES = 2;

  28.         public const uint CHUNK_LEN_MASK = 0x3FFFu;

  29. 

  30.         protected Dictionary<string, EncryptorInfo> ciphers;

  31. 

  32.         protected string _method;

  33.         protected int _cipher;

  34.         // internal name in the crypto library

  35.         protected string _innerLibName;

  36.         protected EncryptorInfo CipherInfo;

  37.         protected static byte[] _Masterkey = null;

  38.         protected byte[] _sessionKey;

  39.         protected int keyLen;

  40.         protected int saltLen;

  41.         protected int tagLen;

  42.         protected int nonceLen;

  43. 

  44.         protected byte[] _encryptSalt;

  45.         protected byte[] _decryptSalt;

  46. 

  47.         protected object _nonceIncrementLock = new object();

  48.         protected byte[] _encNonce;

  49.         protected byte[] _decNonce;

  50.         // Is first packet

  51.         protected bool _decryptSaltReceived;

  52.         protected bool _encryptSaltSent;

  53. 

  54.         // Is first chunk(tcp request)

  55.         protected bool _tcpRequestSent;

  56. 

  57.         public AEADEncryptor(string method, string password)

  58.             : base(method, password)

  59.         {

  60.             InitEncryptorInfo(method);

  61.             InitKey(password);

  62.             // Initialize all-zero nonce for each connection

  63.             _encNonce = new byte[nonceLen];

  64.             _decNonce = new byte[nonceLen];

  65.         }

  66. 

  67.         protected abstract Dictionary<string, EncryptorInfo> getCiphers();

  68. 

  69.         protected void InitEncryptorInfo(string method)

  70.         {

  71.             method = method.ToLower();

  72.             _method = method;

  73.             ciphers = getCiphers();

  74.             CipherInfo = ciphers[_method];

  75.             _innerLibName = CipherInfo.InnerLibName;

  76.             _cipher = CipherInfo.Type;

  77.             if (_cipher == 0) {

  78.                 throw new System.Exception("method not found");

  79.             }

  80.             keyLen = CipherInfo.KeySize;

  81.             saltLen = CipherInfo.SaltSize;

  82.             tagLen = CipherInfo.TagSize;

  83.             nonceLen = CipherInfo.NonceSize;

  84.         }

  85. 

  86.         protected void InitKey(string password)

  87.         {

  88.             byte[] passbuf = Encoding.UTF8.GetBytes(password);

  89.             // init master key

  90.             if (_Masterkey == null) _Masterkey = new byte[keyLen];

  91.             if (_Masterkey.Length != keyLen) Array.Resize(ref _Masterkey, keyLen);

  92.             DeriveKey(passbuf, _Masterkey, keyLen);

  93.             // init session key

  94.             if (_sessionKey == null) _sessionKey = new byte[keyLen];

  95.         }

  96. 

  97.         public void DeriveKey(byte[] password, byte[] key, int keylen)

  98.         {

  99.             StreamEncryptor.LegacyDeriveKey(password, key, keylen);

  100.         }

  101. 

  102.         public void DeriveSessionKey(byte[] salt, byte[] masterKey, byte[] sessionKey)

  103.         {

  104.             int ret = MbedTLS.hkdf(salt, saltLen, masterKey, keyLen, InfoBytes, InfoBytes.Length, sessionKey,

  105.                 keyLen);

  106.             if (ret != 0) throw new System.Exception("failed to generate session key");

  107.         }

  108. 

  109.         protected void IncrementNonce(bool isEncrypt)

  110.         {

  111.             lock (_nonceIncrementLock) {

  112.                 Sodium.sodium_increment(isEncrypt ? _encNonce : _decNonce, nonceLen);

  113.             }

  114.         }

  115. 

  116.         public virtual void InitCipher(byte[] salt, bool isEncrypt, bool isUdp)

  117.         {

  118.             if (isEncrypt) {

  119.                 _encryptSalt = new byte[saltLen];

  120.                 Array.Copy(salt, _encryptSalt, saltLen);

  121.             } else {

  122.                 _decryptSalt = new byte[saltLen];

  123.                 Array.Copy(salt, _decryptSalt, saltLen);

  124.             }

  125.             Logging.Dump("Salt", salt, saltLen);

  126.         }

  127. 

  128.         public static void randBytes(byte[] buf, int length) { RNG.GetBytes(buf, length); }

  129. 

  130.         public abstract void cipherEncrypt(byte[] plaintext, uint plen, byte[] ciphertext, ref uint clen);

  131. 

  132.         public abstract void cipherDecrypt(byte[] ciphertext, uint clen, byte[] plaintext, ref uint plen);

  133. 

  134.         #region TCP

  135. 

  136.         public override void Encrypt(byte[] buf, int length, byte[] outbuf, out int outlength)

  137.         {

  138.             Debug.Assert(_encCircularBuffer != null, "_encCircularBuffer != null");

  139. 

  140.             _encCircularBuffer.Put(buf, 0, length);

  141.             outlength = 0;

  142.             Logging.Debug("---Start Encryption");

  143.             if (! _encryptSaltSent) {

  144.                 _encryptSaltSent = true;

  145.                 // Generate salt

  146.                 byte[] saltBytes = new byte[saltLen];

  147.                 randBytes(saltBytes, saltLen);

  148.                 InitCipher(saltBytes, true, false);

  149.                 Array.Copy(saltBytes, 0, outbuf, 0, saltLen);

  150.                 outlength = saltLen;

  151.                 Logging.Debug($"_encryptSaltSent outlength {outlength}");

  152.             }

  153. 

  154.             if (! _tcpRequestSent) {

  155.                 _tcpRequestSent = true;

  156.                 // The first TCP request

  157.                 int encAddrBufLength;

  158.                 byte[] encAddrBufBytes = new byte[AddrBufLength + tagLen * 2 + CHUNK_LEN_BYTES];

  159.                 byte[] addrBytes = _encCircularBuffer.Get(AddrBufLength);

  160.                 ChunkEncrypt(addrBytes, AddrBufLength, encAddrBufBytes, out encAddrBufLength);

  161.                 Debug.Assert(encAddrBufLength == AddrBufLength + tagLen * 2 + CHUNK_LEN_BYTES);

  162.                 Array.Copy(encAddrBufBytes, 0, outbuf, outlength, encAddrBufLength);

  163.                 outlength += encAddrBufLength;

  164.                 Logging.Debug($"_tcpRequestSent outlength {outlength}");

  165.             }

  166. 

  167.             // handle other chunks

  168.             while (true) {

  169.                 uint bufSize = (uint)_encCircularBuffer.Size;

  170.                 if (bufSize <= 0) return;

  171.                 var chunklength = (int)Math.Min(bufSize, CHUNK_LEN_MASK);

  172.                 byte[] chunkBytes = _encCircularBuffer.Get(chunklength);

  173.                 int encChunkLength;

  174.                 byte[] encChunkBytes = new byte[chunklength + tagLen * 2 + CHUNK_LEN_BYTES];

  175.                 ChunkEncrypt(chunkBytes, chunklength, encChunkBytes, out encChunkLength);

  176.                 Debug.Assert(encChunkLength == chunklength + tagLen * 2 + CHUNK_LEN_BYTES);

  177.                 Buffer.BlockCopy(encChunkBytes, 0, outbuf, outlength, encChunkLength);

  178.                 outlength += encChunkLength;

  179.                 Logging.Debug("chunks enc outlength " + outlength);

  180.                 // check if we have enough space for outbuf

  181.                 if (outlength + TCPHandler.ChunkOverheadSize > TCPHandler.BufferSize) {

  182.                     Logging.Debug("enc outbuf almost full, giving up");

  183.                     return;

  184.                 }

  185.                 bufSize = (uint)_encCircularBuffer.Size;

  186.                 if (bufSize <= 0) {

  187.                     Logging.Debug("No more data to encrypt, leaving");

  188.                     return;

  189.                 }

  190.             }

  191.         }

  192. 

  193. 

  194.         public override void Decrypt(byte[] buf, int length, byte[] outbuf, out int outlength)

  195.         {

  196.             Debug.Assert(_decCircularBuffer != null, "_decCircularBuffer != null");

  197.             int bufSize;

  198.             outlength = 0;

  199.             // drop all into buffer

  200.             _decCircularBuffer.Put(buf, 0, length);

  201. 

  202.             Logging.Debug("---Start Decryption");

  203.             if (! _decryptSaltReceived) {

  204.                 bufSize = _decCircularBuffer.Size;

  205.                 // check if we get the leading salt

  206.                 if (bufSize <= saltLen) {

  207.                     // need more

  208.                     return;

  209.                 }

  210.                 _decryptSaltReceived = true;

  211.                 byte[] salt = _decCircularBuffer.Get(saltLen);

  212.                 InitCipher(salt, false, false);

  213.                 Logging.Debug("get salt len " + saltLen);

  214.             }

  215. 

  216.             // handle chunks

  217.             while (true) {

  218.                 bufSize = _decCircularBuffer.Size;

  219.                 // check if we have any data

  220.                 if (bufSize <= 0) {

  221.                     Logging.Debug("No data in _decCircularBuffer");

  222.                     return;

  223.                 }

  224. 

  225.                 // first get chunk length

  226.                 if (bufSize <= CHUNK_LEN_BYTES + tagLen) {

  227.                     // so we only have chunk length and its tag?

  228.                     return;

  229.                 }

  230. 

  231.                 #region Chunk Decryption

  232. 

  233.                 byte[] encLenBytes = _decCircularBuffer.Peek(CHUNK_LEN_BYTES + tagLen);

  234.                 uint decChunkLenLength = 0;

  235.                 byte[] decChunkLenBytes = new byte[CHUNK_LEN_BYTES];

  236.                 // try to dec chunk len

  237.                 cipherDecrypt(encLenBytes, CHUNK_LEN_BYTES + (uint)tagLen, decChunkLenBytes, ref decChunkLenLength);

  238.                 Debug.Assert(decChunkLenLength == CHUNK_LEN_BYTES);

  239.                 // finally we get the real chunk len

  240.                 ushort chunkLen = (ushort) IPAddress.NetworkToHostOrder((short)BitConverter.ToUInt16(decChunkLenBytes, 0));

  241.                 if (chunkLen > CHUNK_LEN_MASK)

  242.                 {

  243.                     // we get invalid chunk

  244.                     Logging.Error($"Invalid chunk length: {chunkLen}");

  245.                     throw new CryptoErrorException();

  246.                 }

  247.                 Logging.Debug("Get the real chunk len:" + chunkLen);

  248.                 bufSize = _decCircularBuffer.Size;

  249.                 if (bufSize < CHUNK_LEN_BYTES + tagLen /* we haven't remove them */+ chunkLen + tagLen) {

  250.                     Logging.Debug("No more data to decrypt one chunk");

  251.                     return;

  252.                 }

  253.                 IncrementNonce(false);

  254. 

  255.                 // we have enough data to decrypt one chunk

  256.                 // drop chunk len and its tag from buffer

  257.                 _decCircularBuffer.Skip(CHUNK_LEN_BYTES + tagLen);

  258.                 byte[] encChunkBytes = _decCircularBuffer.Get(chunkLen + tagLen);

  259.                 byte[] decChunkBytes = new byte[chunkLen];

  260.                 uint decChunkLen = 0;

  261.                 cipherDecrypt(encChunkBytes, chunkLen + (uint)tagLen, decChunkBytes, ref decChunkLen);

  262.                 Debug.Assert(decChunkLen == chunkLen);

  263.                 IncrementNonce(false);

  264. 

  265.                 #endregion

  266. 

  267.                 // output to outbuf

  268.                 Buffer.BlockCopy(decChunkBytes, 0, outbuf, outlength, (int) decChunkLen);

  269.                 outlength += (int)decChunkLen;

  270.                 Logging.Debug("aead dec outlength " + outlength);

  271.                 if (outlength + 100 > TCPHandler.BufferSize)

  272.                 {

  273.                     Logging.Debug("dec outbuf almost full, giving up");

  274.                     return;

  275.                 }

  276.                 bufSize = _decCircularBuffer.Size;

  277.                 // check if we already done all of them

  278.                 if (bufSize <= 0) {

  279.                     Logging.Debug("No data in _decCircularBuffer, already all done");

  280.                     return;

  281.                 }

  282.             }

  283.         }

  284. 

  285.         #endregion

  286. 

  287.         #region UDP

  288. 

  289.         public override void EncryptUDP(byte[] buf, int length, byte[] outbuf, out int outlength)

  290.         {

  291.             // Generate salt

  292.             randBytes(outbuf, saltLen);

  293.             InitCipher(outbuf, true, true);

  294.             uint olen = 0;

  295.             lock (_udpTmpBuf) {

  296.                 cipherEncrypt(buf, (uint) length, _udpTmpBuf, ref olen);

  297.                 Debug.Assert(olen == length + tagLen);

  298.                 Buffer.BlockCopy(_udpTmpBuf, 0, outbuf, saltLen, (int) olen);

  299.                 outlength = (int) (saltLen + olen);

  300.             }

  301.         }

  302. 

  303.         public override void DecryptUDP(byte[] buf, int length, byte[] outbuf, out int outlength)

  304.         {

  305.             InitCipher(buf, false, true);

  306.             uint olen = 0;

  307.             lock (_udpTmpBuf) {

  308.                 // copy remaining data to first pos

  309.                 Buffer.BlockCopy(buf, saltLen, buf, 0, length - saltLen);

  310.                 cipherDecrypt(buf, (uint) (length - saltLen), _udpTmpBuf, ref olen);

  311.                 Buffer.BlockCopy(_udpTmpBuf, 0, outbuf, 0, (int) olen);

  312.                 outlength = (int) olen;

  313.             }

  314.         }

  315. 

  316.         #endregion

  317. 

  318.         // we know the plaintext length before encryption, so we can do it in one operation

  319.         private void ChunkEncrypt(byte[] plaintext, int plainLen, byte[] ciphertext, out int cipherLen)

  320.         {

  321.             if (plainLen > CHUNK_LEN_MASK) {

  322.                 Logging.Error("enc chunk too big");

  323.                 throw new CryptoErrorException();

  324.             }

  325. 

  326.             // encrypt len

  327.             byte[] encLenBytes = new byte[CHUNK_LEN_BYTES + tagLen];

  328.             uint encChunkLenLength = 0;

  329.             byte[] lenbuf = BitConverter.GetBytes((ushort) IPAddress.HostToNetworkOrder((short)plainLen));

  330.             cipherEncrypt(lenbuf, CHUNK_LEN_BYTES, encLenBytes, ref encChunkLenLength);

  331.             Debug.Assert(encChunkLenLength == CHUNK_LEN_BYTES + tagLen);

  332.             IncrementNonce(true);

  333. 

  334.             // encrypt corresponding data

  335.             byte[] encBytes = new byte[plainLen + tagLen];

  336.             uint encBufLength = 0;

  337.             cipherEncrypt(plaintext, (uint) plainLen, encBytes, ref encBufLength);

  338.             Debug.Assert(encBufLength == plainLen + tagLen);

  339.             IncrementNonce(true);

  340. 

  341.             // construct outbuf

  342.             Array.Copy(encLenBytes, 0, ciphertext, 0, (int) encChunkLenLength);

  343.             Buffer.BlockCopy(encBytes, 0, ciphertext, (int) encChunkLenLength, (int) encBufLength);

  344.             cipherLen = (int) (encChunkLenLength + encBufLength);

  345.         }

  346.     }

  347. }

No Description