From 9433ca3567f8728def78ca7044ec1b339efbd7c8 Mon Sep 17 00:00:00 2001
From: Tianling Shen
Date: Mon, 3 May 2021 03:02:05 +0800
Subject: [PATCH] luci-app-ssr-plus: drop ss stream-cipher support
They're totally unsafe, and deprecated in new designs. All of your data encrypted in these way could be replayed and decrypted. For details, see:
https://shadowsocks.org/assets/whitepaper.pdf
https://phuker.github.io/shadowsocks-active-probing.html
https://github.com/edwardz246003/shadowsocks
Signed-off-by: Tianling Shen
---
 package/lean/luci-app-ssr-plus/Makefile | 4 +-
 .../model/cbi/shadowsocksr/client-config.lua | 9 ++--
 .../root/usr/share/shadowsocksr/subscribe.lua | 43 ++++++++++++++++++-
 3 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/package/lean/luci-app-ssr-plus/Makefile b/package/lean/luci-app-ssr-plus/Makefile
index 6d9a21fba1..8336036b93 100644
--- a/package/lean/luci-app-ssr-plus/Makefile
+++ b/package/lean/luci-app-ssr-plus/Makefile
@@ -1,8 +1,8 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=luci-app-ssr-plus
-PKG_VERSION:=183
-PKG_RELEASE:=11
+PKG_VERSION:=184
+PKG_RELEASE:=1
 PKG_CONFIG_DEPENDS:= \
 CONFIG_PACKAGE_$(PKG_NAME)_INCLUDE_Kcptun \
diff --git a/package/lean/luci-app-ssr-plus/luasrc/model/cbi/shadowsocksr/client-config.lua b/package/lean/luci-app-ssr-plus/luasrc/model/cbi/shadowsocksr/client-config.lua
index 36ce13a50c..0c2eae5457 100644
--- a/package/lean/luci-app-ssr-plus/luasrc/model/cbi/shadowsocksr/client-config.lua
+++ b/package/lean/luci-app-ssr-plus/luasrc/model/cbi/shadowsocksr/client-config.lua
@@ -45,8 +45,8 @@ local encrypt_methods_ss = {
 "aes-192-gcm",
 "aes-256-gcm",
 "chacha20-ietf-poly1305",
- "xchacha20-ietf-poly1305",
- -- stream
+ "xchacha20-ietf-poly1305"
+ --[[ stream
 "table",
 "rc4",
 "rc4-md5",
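Review bot: Nodes that were saved with a stream cipher before this change are not handled: the edit to `encrypt_methods_ss` in client-config.lua (hunk at -45) only removes those methods from the list the form is built from. What the form does with a stored value that is no longer in the list, and whether the generated client config still carries it, is not visible in this diff, so that path is worth checking. If the intent is that stream ciphers can no longer be used at all, the allowlist should also be applied where the node config is consumed, and a comment such as `-- stream ciphers are no longer offered; previously saved nodes may still reference them` would record the gap until then. The table literal starts above this hunk and ends below it.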
@@ -62,17 +62,18 @@ local encrypt_methods_ss = {
 "camellia-256-cfb",
 "salsa20",
 "chacha20",
- "chacha20-ietf"
+ "chacha20-ietf" ]]
 }
 local encrypt_methods_v2ray_ss = {
 -- xray_ss
 "none",
 "plain",
+ --[[ stream
 "aes-128-cfb",
 "aes-256-cfb",
 "chacha20",
- "chacha20-ietf",
+ "chacha20-ietf", ]]
 -- aead
 "aes-128-gcm",
 "aes-256-gcm",
diff --git a/package/lean/luci-app-ssr-plus/root/usr/share/shadowsocksr/subscribe.lua b/package/lean/luci-app-ssr-plus/root/usr/share/shadowsocksr/subscribe.lua
index bdafd05d36..f4a431c662 100755
--- a/package/lean/luci-app-ssr-plus/root/usr/share/shadowsocksr/subscribe.lua
+++ b/package/lean/luci-app-ssr-plus/root/usr/share/shadowsocksr/subscribe.lua
@@ -28,6 +28,31 @@ local v2_tj = luci.sys.exec('type -t -p trojan') ~= "" and "trojan" or "v2ray"
 local log = function(...)
 print(os.date("%Y-%m-%d %H:%M:%S ") .. table.concat({...}, " "))
 end
+local encrypt_methods_ss = {
+ -- aead
+ "aes-128-gcm",
+ "aes-192-gcm",
+ "aes-256-gcm",
+ "chacha20-ietf-poly1305",
+ "xchacha20-ietf-poly1305"
+ --[[ stream
+ "table",
+ "rc4",
+ "rc4-md5",
+ "aes-128-cfb",
+ "aes-192-cfb",
+ "aes-256-cfb",
+ "aes-128-ctr",
+ "aes-192-ctr",
+ "aes-256-ctr",
+ "bf-cfb",
+ "camellia-128-cfb",
+ "camellia-192-cfb",
+ "camellia-256-cfb",
+ "salsa20",
+ "chacha20",
+ "chacha20-ietf" ]]
+}
 -- 分割字符串
 local function split(full, sep)
 full = full:gsub("%z", "") -- 这里不是很清楚 有时候结尾带个\0
@@ -96,6 +121,15 @@ local function base64Decode(text)
 return raw
 end
 end
+-- 检查数组(table)中是否存在某个字符值
+-- https://www.04007.cn/article/135.html
+local function checkTabValue(tab)
+ local revtab = {}
+ for k,v in pairs(tab) do
+ revtab[v] = true
+ end
+ return revtab
+end
 -- 处理数据
 local function processData(szType, content)
 local result = {type = szType, local_port = 1234, kcp_param = '--nocomp'}
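Review bot: In `encrypt_methods_v2ray_ss` (client-config.lua, hunk at -62) the entries `"none"` and `"plain"` stay selectable above the new `--[[ stream` block, although they apply no encryption at the Shadowsocks layer, which sits oddly with a commit that removes stream ciphers for being unsafe. If they are kept on purpose for setups where an outer transport such as TLS provides the protection (not visible in this hunk), say so next to them, for example `-- "none"/"plain": no Shadowsocks-layer encryption, relies on transport security`. The table continues past the end of the hunk.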
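Review bot: The `encrypt_methods_ss` table added to subscribe.lua (hunk at -28) is a second copy of the list in client-config.lua, so the subscription filter and the form can drift apart when a method is added or removed in only one place. The list now acts as a security allowlist, so a single definition is preferable; if sharing it between the two files is not practical, record the coupling with `-- keep in sync with encrypt_methods_ss in client-config.lua`. The commented-out stream names have no function in this copy and could be left out of it.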
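Review bot: `checkTabValue` (subscribe.lua, hunk at -96) does not check anything; it returns a fresh lookup table, and the call site in the -209 hunk rebuilds that table for every parsed node. Building it once at load time, `local ss_aead_methods = checkTabValue(encrypt_methods_ss)`, and testing `ss_aead_methods[method]` keeps the allowlist check cheap and makes the call site read as a membership test. The loop key is unused, so `for _, v in ipairs(tab) do` states the intent better for an array, and the comment above the function should say that it returns a set rather than a boolean.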
@@ -209,8 +243,13 @@ local function processData(szType, content)
 else
 result.server_port = host[2]
 end
- result.encrypt_method_ss = method
- result.password = password
+ if checkTabValue(encrypt_methods_ss)[method] then
+ result.encrypt_method_ss = method
+ result.password = password
+ else
+ -- 1202 年了还不支持 SS AEAD 的屑机场
+ result = nil
+ end
 elseif szType == "ssd" then
 result.type = "ss"
 result.server = content.server
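Review bot: SSD subscriptions may bypass the new AEAD allowlist: the check is added only to the `ss` branch, while the `ssd` branch that begins at the end of this hunk also produces `type = "ss"` nodes and its body lies outside the hunk, so confirm that it passes its cipher through the same test. In the rejected path `result = nil` is assigned in the middle of `processData`, which continues below the hunk; any later `result.` access there would raise on nil, so the remaining code should be guarded or the function should return at that point. The node is also dropped silently, and a line such as `log('skipping SS node with non-AEAD method:', tostring(method))` before it would tell the user why a subscribed server is missing. The comparison is on the raw `method` string, so a provider that sends the name in upper case would be rejected unless it is normalised with `method:lower()` first.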