luci-app-ssr-plus: drop ss stream-cipher support

They're totally unsafe, and deprecated in new designs. All of your data encrypted in these way could be replayed and decrypted. For details, see: https://shadowsocks.org/assets/whitepaper.pdf https://phuker.github.io/shadowsocks-active-probing.html https://github.com/edwardz246003/shadowsocks Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2021-05-03 03:02:05 +08:00 · 2021-05-03 03:02:05 +08:00 · 9433ca3567
commit 9433ca3567
parent 795397e7dd
3 changed files with 48 additions and 8 deletions
--- a/package/lean/luci-app-ssr-plus/Makefile
+++ b/package/lean/luci-app-ssr-plus/Makefile
@ -1,8 +1,8 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-ssr-plus
-PKG_VERSION:=183
-PKG_RELEASE:=11
+PKG_VERSION:=184
+PKG_RELEASE:=1

 PKG_CONFIG_DEPENDS:= \
 	CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Kcptun \
--- a/package/lean/luci-app-ssr-plus/luasrc/model/cbi/shadowsocksr/client-config.lua
+++ b/package/lean/luci-app-ssr-plus/luasrc/model/cbi/shadowsocksr/client-config.lua
@ -45,8 +45,8 @@ local encrypt_methods_ss = {
 	"aes-192-gcm",
 	"aes-256-gcm",
 	"chacha20-ietf-poly1305",
-	"xchacha20-ietf-poly1305",
-	-- stream
+	"xchacha20-ietf-poly1305"
+	--[[ stream
 	"table",
 	"rc4",
 	"rc4-md5",
@ -62,17 +62,18 @@ local encrypt_methods_ss = {
 	"camellia-256-cfb",
 	"salsa20",
 	"chacha20",
-	"chacha20-ietf"
+	"chacha20-ietf" ]]
 }

 local encrypt_methods_v2ray_ss = {
 	-- xray_ss
 	"none",
 	"plain",
+	--[[ stream
 	"aes-128-cfb",
 	"aes-256-cfb",
 	"chacha20",
-	"chacha20-ietf",
+	"chacha20-ietf", ]]
 	-- aead
 	"aes-128-gcm",
 	"aes-256-gcm",
--- a/package/lean/luci-app-ssr-plus/root/usr/share/shadowsocksr/subscribe.lua
+++ b/package/lean/luci-app-ssr-plus/root/usr/share/shadowsocksr/subscribe.lua
@ -28,6 +28,31 @@ local v2_tj = luci.sys.exec('type -t -p trojan') ~= "" and "trojan" or "v2ray"
 local log = function(...)
 	print(os.date("%Y-%m-%d %H:%M:%S ") .. table.concat({...}, " "))
 end
+local encrypt_methods_ss = {
+	-- aead
+	"aes-128-gcm",
+	"aes-192-gcm",
+	"aes-256-gcm",
+	"chacha20-ietf-poly1305",
+	"xchacha20-ietf-poly1305"
+	--[[ stream
+	"table",
+	"rc4",
+	"rc4-md5",
+	"aes-128-cfb",
+	"aes-192-cfb",
+	"aes-256-cfb",
+	"aes-128-ctr",
+	"aes-192-ctr",
+	"aes-256-ctr",
+	"bf-cfb",
+	"camellia-128-cfb",
+	"camellia-192-cfb",
+	"camellia-256-cfb",
+	"salsa20",
+	"chacha20",
+	"chacha20-ietf" ]]
+}
 -- 分割字符串
 local function split(full, sep)
 	full = full:gsub("%z", "") -- 这里不是很清楚 有时候结尾带个\0
@ -96,6 +121,15 @@ local function base64Decode(text)
 		return raw
 	end
 end
+-- 检查数组(table)中是否存在某个字符值
+-- https://www.04007.cn/article/135.html
+local function checkTabValue(tab)
+	local revtab = {}
+	for k,v in pairs(tab) do
+		revtab[v] = true
+	end
+	return revtab
+end
 -- 处理数据
 local function processData(szType, content)
 	local result = {type = szType, local_port = 1234, kcp_param = '--nocomp'}
@ -209,8 +243,13 @@ local function processData(szType, content)
 		else
 			result.server_port = host[2]
 		end
-		result.encrypt_method_ss = method
-		result.password = password
+		if checkTabValue(encrypt_methods_ss)[method] then
+			result.encrypt_method_ss = method
+			result.password = password
+		else
+			-- 1202 年了还不支持 SS AEAD 的屑机场
+			result = nil
+		end
 	elseif szType == "ssd" then
 		result.type = "ss"
 		result.server = content.server