v1.5

add aead ciphers

Author: qwj

pproxy/__init__.py

@@ -2,7 +2,7 @@
 from pproxy import proto
 
 __title__ = 'pproxy'
-__version__ = "1.4.2"
+__version__ = "1.5"
 __description__ = "Proxy server that can tunnel among remote servers by regex rules."
 __author__ = "Qian Wenjie"
 __license__ = "MIT License"
@@ -152,7 +152,7 @@ def uri_compile(uri):
     return types.SimpleNamespace(protos=protos, rproto=protos[0], cipher=cipher, auth=url.fragment.encode(), match=match, server=server, connect=connect, bind=loc or urlpath, unix=not loc, lbind=lbind, sslclient=sslclient, sslserver=sslserver, alive=True)
 
 def main():
-    parser = argparse.ArgumentParser(description=__description__+'\nSupported protocols: http,socks,shadowsocks,redirect', epilog='Online help: <https://github.com/qwj/python-proxy>')
+    parser = argparse.ArgumentParser(description=__description__+'\nSupported protocols: http,socks,shadowsocks,shadowsocksr,redirect', epilog='Online help: <https://github.com/qwj/python-proxy>')
     parser.add_argument('-i', dest='listen', default=[], action='append', type=uri_compile, help='proxy server setting uri (default: http+socks://:8080/)')
     parser.add_argument('-r', dest='rserver', default=[], action='append', type=uri_compile, help='remote server setting uri (default: direct)')
     parser.add_argument('-b', dest='block', type=pattern_compile, help='block regex rules')

pproxy/cipher.py

@@ -1,10 +1,10 @@
-import os, hashlib
+import os, hashlib, hmac
 
 class BaseCipher(object):
     PYTHON = False
     CACHE = {}
-    def __init__(self, key, ota=False):
-        if self.KEY_LENGTH > 0:
+    def __init__(self, key, ota=False, setup_key=True):
+        if self.KEY_LENGTH > 0 and setup_key:
             self.key = self.CACHE.get(b'key'+key)
             if self.key is None:
                 keybuf = []
@@ -18,6 +18,7 @@ def __init__(self, key, ota=False):
     def setup_iv(self, iv=None):
         self.iv = os.urandom(self.IV_LENGTH) if iv is None else iv
         self.setup()
+        return self
     def decrypt(self, s):
         return self.cipher.decrypt(s)
     def encrypt(self, s):
@@ -26,6 +27,52 @@ def encrypt(self, s):
     def name(cls):
         return cls.__name__.replace('_Cipher', '').replace('_', '-').lower()
 
+class AEADCipher(BaseCipher):
+    def setup_iv(self, iv=None):
+        self.iv = os.urandom(self.IV_LENGTH) if iv is None else iv
+        randkey = hmac.new(self.iv, self.key, hashlib.sha1).digest()
+        blocks_needed = (self.KEY_LENGTH + len(randkey) - 1) // len(randkey)
+        okm = bytearray()
+        output_block = b''
+        for counter in range(blocks_needed):
+            output_block = hmac.new(randkey, output_block + b'ss-subkey' + bytes([counter+1]), hashlib.sha1).digest()
+            okm.extend(output_block)
+        self.key = bytes(okm[:self.KEY_LENGTH])
+        self._nonce = 0
+        self._buffer = bytearray()
+        self._declen = None
+        self.setup()
+    @property
+    def nonce(self):
+        ret = self._nonce.to_bytes(self.NONCE_LENGTH, 'little')
+        self._nonce = (self._nonce+1) & ((1<<self.NONCE_LENGTH)-1)
+        return ret
+    def decrypt(self, s):
+        self._buffer.extend(s)
+        ret = bytearray()
+        while 1:
+            if self._declen is None:
+                if len(self._buffer) < 2+self.TAG_LENGTH:
+                    break
+                self._declen = int.from_bytes(self.decrypt_and_verify(self._buffer[:2], self._buffer[2:2+self.TAG_LENGTH]), 'big')
+                assert self._declen <= 16*1024-1
+                del self._buffer[:2+self.TAG_LENGTH]
+            else:
+                if len(self._buffer) < self._declen+self.TAG_LENGTH:
+                    break
+                ret.extend(self.decrypt_and_verify(self._buffer[:self._declen], self._buffer[self._declen:self._declen+self.TAG_LENGTH]))
+                del self._buffer[:self._declen+self.TAG_LENGTH]
+                self._declen = None
+        return bytes(ret)
+    def encrypt(self, s):
+        ret = bytearray()
+        for i in range(0, len(s), 16*1024-1):
+            buf = s[i:i+16*1024-1]
+            len_chunk, len_tag = self.encrypt_and_digest(len(buf).to_bytes(2, 'big'))
+            body_chunk, body_tag = self.encrypt_and_digest(buf)
+            ret.extend(len_chunk+len_tag+body_chunk+body_tag)
+        return bytes(ret)
+
 class RC4_Cipher(BaseCipher):
     KEY_LENGTH = 16
     IV_LENGTH = 0
@@ -45,6 +92,8 @@ class ChaCha20_Cipher(BaseCipher):
     def setup(self):
         from Crypto.Cipher import ChaCha20
         self.cipher = ChaCha20.new(key=self.key, nonce=self.iv)
+class ChaCha20_IETF_Cipher(ChaCha20_Cipher):
+    IV_LENGTH = 12
 
 class Salsa20_Cipher(BaseCipher):
     KEY_LENGTH = 32
@@ -60,19 +109,15 @@ class AES_256_CFB_Cipher(BaseCipher):
     def setup(self):
         from Crypto.Cipher import AES
         self.cipher = AES.new(self.key, AES.MODE_CFB, iv=self.iv, segment_size=self.SEGMENT_SIZE)
-
 class AES_128_CFB_Cipher(AES_256_CFB_Cipher):
     KEY_LENGTH = 16
-
 class AES_192_CFB_Cipher(AES_256_CFB_Cipher):
     KEY_LENGTH = 24
 
 class AES_256_CFB8_Cipher(AES_256_CFB_Cipher):
     SEGMENT_SIZE = 8
-
 class AES_192_CFB8_Cipher(AES_256_CFB8_Cipher):
     KEY_LENGTH = 24
-
 class AES_128_CFB8_Cipher(AES_256_CFB8_Cipher):
     KEY_LENGTH = 16
 
@@ -82,13 +127,39 @@ class AES_256_OFB_Cipher(BaseCipher):
     def setup(self):
         from Crypto.Cipher import AES
         self.cipher = AES.new(self.key, AES.MODE_OFB, iv=self.iv)
-
 class AES_192_OFB_Cipher(AES_256_OFB_Cipher):
     KEY_LENGTH = 24
-
 class AES_128_OFB_Cipher(AES_256_OFB_Cipher):
     KEY_LENGTH = 16
 
+class AES_256_CTR_Cipher(BaseCipher):
+    KEY_LENGTH = 32
+    IV_LENGTH = 16
+    def setup(self):
+        from Crypto.Cipher import AES
+        self.cipher = AES.new(self.key, AES.MODE_CTR, nonce=b'', initial_value=self.iv)
+class AES_192_CTR_Cipher(AES_256_CTR_Cipher):
+    KEY_LENGTH = 24
+class AES_128_CTR_Cipher(AES_256_CTR_Cipher):
+    KEY_LENGTH = 16
+
+class AES_256_GCM_Cipher(AEADCipher):
+    KEY_LENGTH = 32
+    IV_LENGTH = 32
+    NONCE_LENGTH = 12
+    TAG_LENGTH = 16
+    def decrypt_and_verify(self, buffer, tag):
+        return self.cipher_new(self.nonce).decrypt_and_verify(buffer, tag)
+    def encrypt_and_digest(self, buffer):
+        return self.cipher_new(self.nonce).encrypt_and_digest(buffer)
+    def setup(self):
+        from Crypto.Cipher import AES
+        self.cipher_new = lambda nonce: AES.new(self.key, AES.MODE_GCM, nonce=nonce, mac_len=self.TAG_LENGTH)
+class AES_192_GCM_Cipher(AES_256_GCM_Cipher):
+    KEY_LENGTH = IV_LENGTH = 24
+class AES_128_GCM_Cipher(AES_256_GCM_Cipher):
+    KEY_LENGTH = IV_LENGTH = 16
+
 class BF_CFB_Cipher(BaseCipher):
     KEY_LENGTH = 16
     IV_LENGTH = 8
@@ -118,7 +189,7 @@ def get_cipher(cipher_key):
     cipher_name, ota, _ = cipher.partition('!')
     if not key:
         return 'empty key', None
-    if cipher_name not in MAP and cipher_name not in MAP_PY:
+    if cipher_name not in MAP and cipher_name not in MAP_PY and not (cipher_name.endswith('-py') and cipher_name[:-3] in MAP_PY):
         return f'existing ciphers: {sorted(set(MAP)|set(MAP_PY))}', None
     key, ota = key.encode(), bool(ota) if ota else False
     cipher = MAP.get(cipher_name)
@@ -129,6 +200,9 @@ def get_cipher(cipher_key):
             cipher = None
     if cipher is None:
         cipher = MAP_PY.get(cipher_name)
+        if cipher is None and cipher_name.endswith('-py'):
+            cipher_name = cipher_name[:-3]
+            cipher = MAP_PY.get(cipher_name)
     if cipher is None:
         return 'this cipher needs library: "pip3 install pycryptodome"', None
     def apply_cipher(reader, writer):

pproxy/cipherpy.py

@@ -1,6 +1,6 @@
 import hashlib, struct, base64
 
-from pproxy.cipher import BaseCipher
+from pproxy.cipher import BaseCipher, AEADCipher
 
 # Pure Python Ciphers
 
@@ -62,8 +62,11 @@ def setup(self):
 class ChaCha20_Cipher(StreamCipher):
     KEY_LENGTH = 32
     IV_LENGTH = 8
+    def __init__(self, key, ota=False, setup_key=True, *, counter=0):
+        super().__init__(key, ota, setup_key)
+        self.counter = counter
     def core(self):
-        data = list(struct.unpack('<16I', b'expand 32-byte k' + self.key + self.iv.rjust(16, b'\x00')))
+        data = list(struct.unpack('<16I', b'expand 32-byte k' + self.key + self.counter.to_bytes(4, 'little') + self.iv.rjust(12, b'\x00')))
         ORDERS = ((0,4,8,12),(1,5,9,13),(2,6,10,14),(3,7,11,15),(0,5,10,15),(1,6,11,12),(2,7,8,13),(3,4,9,14)) * 10
         while 1:
             H = data[:]
@@ -82,6 +85,33 @@ def core(self):
 class ChaCha20_IETF_Cipher(ChaCha20_Cipher):
     IV_LENGTH = 12
 
+def poly1305(cipher_new, nonce, ciphertext):
+    otk = cipher_new(nonce).encrypt(bytes(32))
+    mac_data = ciphertext + bytes((-len(ciphertext))%16 + 8) + len(ciphertext).to_bytes(8, 'little')
+    acc, r, s = 0, int.from_bytes(otk[:16], 'little') & 0x0ffffffc0ffffffc0ffffffc0fffffff, int.from_bytes(otk[16:], 'little')
+    for i in range(0, len(mac_data), 16):
+        acc = (r * (acc+int.from_bytes(mac_data[i:i+16]+b'\x01', 'little'))) % ((1<<130)-5)
+    return ((acc + s) & ((1<<128)-1)).to_bytes(16, 'little')
+
+class ChaCha20_IETF_POLY1305_Cipher(AEADCipher):
+    PYTHON = True
+    KEY_LENGTH = 32
+    IV_LENGTH = 32
+    NONCE_LENGTH = 12
+    TAG_LENGTH = 16
+    def process(self, s, tag=None):
+        nonce = self.nonce
+        if tag is not None:
+            assert tag == poly1305(self.cipher_new, nonce, s)
+        data = self.cipher_new(nonce, counter=1).encrypt(s)
+        if tag is None:
+            return data, poly1305(self.cipher_new, nonce, data)
+        else:
+            return data
+    encrypt_and_digest = decrypt_and_verify = process
+    def setup(self):
+        self.cipher_new = lambda nonce, counter=0: ChaCha20_IETF_Cipher(self.key, setup_key=False, counter=counter).setup_iv(nonce)
+
 class Salsa20_Cipher(StreamCipher):
     KEY_LENGTH = 32
     IV_LENGTH = 8
@@ -135,7 +165,7 @@ def core_bit(self, segment_bit):
         next_iv = int.from_bytes(self.iv, 'big')
         mask = (1 << self.IV_LENGTH*8) - 1
         while 1:
-            data = self.cipher.encrypt(next_iv.to_bytes(self.IV_LENGTH, 'big'))
+            data = self.cipher.encrypt(next_iv)
             next_iv = next_iv<<segment_bit & mask
             for i in range(segment_bit):
                 next_iv |= (yield data[i//8]>>(7-i%8)&1)<<(segment_bit-1-i)
@@ -153,7 +183,7 @@ def setup(self):
     def core(self):
         next_iv = int.from_bytes(self.iv, 'big')
         while 1:
-            yield from self.cipher.encrypt(next_iv.to_bytes(self.IV_LENGTH, 'big'))
+            yield from self.cipher.encrypt(next_iv)
             next_iv = 0 if next_iv >= (1<<(self.IV_LENGTH*8))-1 else next_iv+1
 
 class OFBCipher(CTRCipher):
@@ -163,6 +193,41 @@ def core(self):
             data = self.cipher.encrypt(data)
             yield from data
 
+class GCMCipher(AEADCipher):
+    PYTHON = True
+    NONCE_LENGTH = 12
+    TAG_LENGTH = 16
+    def setup(self):
+        self.cipher = self.CIPHER.new(self.key)
+        self.hkey = []
+        x = int.from_bytes(self.cipher.encrypt(0), 'big')
+        for i in range(128):
+            self.hkey.insert(0, x)
+            x = (x>>1)^(0xe1<<120) if x&1 else x>>1
+    def process(self, s, tag=None):
+        def multh(y):
+            z = 0
+            for i in range(128):
+                if y & (1<<i):
+                    z ^= self.hkey[i]
+            return z
+        def ghash(d):
+            dt = d + bytes((-len(d))%16)
+            z = 0
+            for i in range(0, len(dt), 16):
+                z = multh(z^int.from_bytes(dt[i:i+16], 'big'))
+            return multh(z^(len(d)*8))
+        z = int.from_bytes(self.nonce, 'big')<<32
+        h = int.from_bytes(self.cipher.encrypt(z|1), 'big')
+        if tag is not None:
+            assert (ghash(s)^h).to_bytes(self.TAG_LENGTH, 'big') == tag
+        ret = bytes(s[i*16+j]^o for i in range((len(s)+15)//16) for j, o in enumerate(self.cipher.encrypt(z|(i+2)&((1<<32)-1))) if i*16+j < len(s))
+        if tag is None:
+            return ret, (ghash(ret)^h).to_bytes(self.TAG_LENGTH, 'big')
+        else:
+            return ret
+    encrypt_and_digest = decrypt_and_verify = process
+
 class RAW:
     CACHE = {}
     @classmethod
@@ -191,15 +256,16 @@ def __init__(self, key):
             ekey.extend(m^ekey[i-size] for i, m in enumerate(t))
         self.ekey = tuple(ekey[i*16:i*16+16] for i in range(nbr+1))
     def encrypt(self, data):
+        data = data.to_bytes(16, 'big') if isinstance(data, int) else data
         s = [data[j]^self.ekey[0][j] for j in range(16)]
         for key in self.ekey[1:-1]:
             s = [self.g2[s[a]]^self.g1[s[b]]^self.g1[s[c]]^self.g3[s[d]]^key[j] for j,a,b,c,d in self.shifts]
         return bytes([self.g1[s[self.shifts[j][1]]]^self.ekey[-1][j] for j in range(16)])
 
-for method in (CFBCipher, CFB8Cipher, CFB1Cipher, CTRCipher, OFBCipher):
+for method in (CFBCipher, CFB8Cipher, CFB1Cipher, CTRCipher, OFBCipher, GCMCipher):
     for key in (32, 24, 16):
         name = 'AES_{}_{}_Cipher'.format(key*8, method.__name__[:-6])
-        globals()[name] = type(name, (method,), dict(KEY_LENGTH=key, IV_LENGTH=16, CIPHER=AES))
+        globals()[name] = type(name, (method,), dict(KEY_LENGTH=key, IV_LENGTH=key if method is GCMCipher else 16, CIPHER=AES))
 
 class Blowfish(RAW):
     P = None
@@ -220,6 +286,7 @@ def __init__(self, key):
             buf = self.encrypt(buf)
             self.p[i:i+2] = struct.unpack('>II', buf)
     def encrypt(self, s):
+        s = data.to_bytes(8, 'big') if isinstance(s, int) else s
         sl, sr = struct.unpack('>II', s)
         sl ^= self.p[0]
         for i in self.p[1:17]:
@@ -250,7 +317,7 @@ def __init__(self, key):
         e = [(q[n]<<m>>o|q[n]>>128-m+o)&(1<<64)-1 for n, m, o in ks]
         self.e = [e[i+i//7]<<64|e[i+i//7+1] if i%7==0 else e[i+i//7+1] for i in range(nr)]
     def encrypt(self, s):
-        s = int.from_bytes(s, 'big')^self.e[0]
+        s = (s if isinstance(s, int) else int.from_bytes(s, 'big'))^self.e[0]
         for idx, k in enumerate(self.e[1:-1]):
             s = s^((s&k)>>95&0xfffffffe|(s&k)>>127)<<64^((s&k)<<1&~1<<96^(s&k)>>31^s<<32|k<<32)&0xffffffff<<96 ^ ((s|k)&0xffffffff)<<32^((s|k)<<1^s>>31)&k>>31&0xfffffffe^((s|k)>>31^s>>63)&k>>63&1 if (idx+1)%7==0 else self.R(s, k)
         return (s>>64^(s&(1<<64)-1)<<64^self.e[-1]).to_bytes(16, 'big')
@@ -273,6 +340,7 @@ def __init__(self, key):
             e.append((e[i-8&0xf8|i+1&0x7]&0x7f)<<9|e[i-8&0xf8|i+2&0x7]>>7)
         self.e = [e[i*6:i*6+6] for i in range(9)]
     def encrypt(self, s):
+        s = data.to_bytes(8, 'big') if isinstance(s, int) else s
         M = lambda a,b: (a*b-(a*b>>16)+(a*b&0xffff<a*b>>16) if a else 1-b if b else 1-a)&0xffff
         s0, s1, s2, s3 = struct.unpack('>4H', s)
         for e in self.e[:-1]:
@@ -299,6 +367,7 @@ def __init__(self, key):
             self.e.append((self.G((key0>>32)+(key1>>32)-kc), self.G(key0-key1+kc)))
             key0, key1 = (key0, (key1<<8|key1>>56)&(1<<64)-1) if i&1 else ((key0<<56|key0>>8)&(1<<64)-1, key1)
     def encrypt(self, s):
+        s = data.to_bytes(16, 'big') if isinstance(s, int) else s
         s0, s1, s2, s3 = struct.unpack('>4I', s)
         for k0, k1 in self.e:
             t0 = self.G(s2^k0^s3^k1)
@@ -324,6 +393,7 @@ def __init__(self, key):
             e[i] = self.S[e[i+1]^e[i+len(key)]]
         self.e = struct.unpack('<64H', e)
     def encrypt(self, s):
+        s = data.to_bytes(8, 'big') if isinstance(s, int) else s
         s = list(struct.unpack('<4H', s))
         for j in self.B:
             s[j&3] = s[j&3]+self.e[j]+(s[j+3&3]&s[j+2&3])+(~s[j+3&3]&s[j+1&3])<<j%4*4//3+1&0xffff|(s[j&3]+self.e[j]+(s[j+3&3]&s[j+2&3])+(~s[j+3&3]&s[j+1&3])&0xffff)>>15-j%4*4//3 if j>=0 else s[j]+self.e[s[j+3]&0x3f]