shadowsocks-rust cannot communicate with python or libev versions

[dnomd343]

When using table encrypt method, a handshake with shadowsock (python) or shadowsocks-libev will fail, whether shadowsocks-rust is a server or a client, but the python version communicates with libev version normally. This problem is observable under both x86_64 and aarch64, and shadowsocks-rust enables stream-cipher feature, compiled using cargo 1.62.0. Below are the results of my test.

Server mode in landscape and client mode in portrait orientation (they are symmetrical)

	shadowsocks-rust (1.15.0-alpha.5)	shadowsocks (latest)	shadowsocks (2.6.2)	shadowsocks-libev (2.6.3)
shadowsocks-rust (1.15.0-alpha.5)	YES	NO	NO	NO
shadowsocks (latest)	NO	YES	YES	YES
shadowsocks (2.6.2)	NO	YES	YES	YES
shadowsocks-libev (2.6.3)	NO	YES	YES	YES

As the table shows, the rust version can only communicate with itself, and other versions can shake hands normally, but none of them can connect with the rust version. But other encryption methods do not exist this problem, such as rc4-md5, aes-128-ctr, etc., all versions including rust connections are available.

shadowsocks-rust as server and shadowsocks as client

We start a shadowsocks-rust server locally, use shadowsocks as a client connection and expose the socks5 port, and then use curl to test it.

shell> ss-rust-server -v -s 127.0.0.1:12345 -k dnomd343 -m table
2022-07-06T02:55:07.041733600+00:00 INFO  [16168:139956110697200] [shadowsocks_rust::service::server] shadowsocks server 1.15.0-alpha.5 build 2022-07-04T14:13:56.247059100+00:00
2022-07-06T02:55:07.092846900+00:00 WARN  [16168:139956110697200] [shadowsocks_service::server] stream cipher table for server 127.0.0.1:12345 have inherent weaknesses (see discussion in https://github.com/shadowsocks/shadowsocks-org/issues/36). DO NOT USE. It will be removed in the future.
2022-07-06T02:55:07.114177900+00:00 INFO  [16168:139956110697200] [shadowsocks_service::server::tcprelay] shadowsocks tcp server listening on 127.0.0.1:12345, inbound address 127.0.0.1:12345
2022-07-06T02:55:16.283500+00:00 WARN  [16168:139956091091744] [shadowsocks_service::server::tcprelay] handshake failed, maybe wrong method or key, or under replay attacks. peer: 127.0.0.1:39696, error: address type 0xb8 not supported

shell> ss-python-local -vv -s 127.0.0.1 -p 12345 -l 1080 -k dnomd343 -m table
2022-07-06 02:55:14 WARNING  warning: server set to listen on 127.0.0.1:12345, are you sure?
2022-07-06 02:55:14 WARNING  warning: table is not safe; please use a safer cipher, like AES-256-CFB
2022-07-06 02:55:14 INFO     starting local at 127.0.0.1:1080
2022-07-06 02:55:14 DEBUG    using event model: epoll
2022-07-06 02:55:16 VERBOSE  fd 3 POLL_IN
2022-07-06 02:55:16 DEBUG    accept
2022-07-06 02:55:16 DEBUG    chosen server: 127.0.0.1:12345
2022-07-06 02:55:16 VERBOSE  fd 7 POLL_IN
2022-07-06 02:55:16 VERBOSE  fd 7 POLL_IN
2022-07-06 02:55:16 INFO     connecting 220.181.38.148:80 from 127.0.0.1:56646
2022-07-06 02:55:16 VERBOSE  fd 7 POLL_IN
2022-07-06 02:55:16 VERBOSE  fd 8 POLL_OUT
2022-07-06 02:55:26 VERBOSE  sweeping timeouts
2022-07-06 02:55:30 VERBOSE  fd 7 POLL_IN
2022-07-06 02:55:30 DEBUG    destroy: 220.181.38.148:80
2022-07-06 02:55:30 DEBUG    destroying remote
2022-07-06 02:55:30 DEBUG    destroying local

shell> curl baidu.com --socks5 127.0.0.1:1080
# no output until the timeout

shadowsocks-rust as client and shadowsocks as server

We start a shadowsocks server locally, use shadowsocks-rust as a client connection and expose the socks5 port, and then use curl to test it.

shell> ss-rust-local -v -s 127.0.0.1:12345 -b 0.0.0.0:1080 -k dnomd343 -m table
2022-07-06T03:03:01.286877300+00:00 INFO  [16221:139902263984960] [shadowsocks_rust::service::local] shadowsocks local 1.15.0-alpha.5 build 2022-07-04T14:13:56.247059100+00:00
2022-07-06T03:03:01.290595900+00:00 WARN  [16221:139902263984960] [shadowsocks_service::local] stream cipher table for server 127.0.0.1:12345 have inherent weaknesses (see discussion in https://github.com/shadowsocks/shadowsocks-org/issues/36). DO NOT USE. It will be removed in the future.
2022-07-06T03:03:01.291486+00:00 INFO  [16221:139902253194016] [shadowsocks_service::local::socks::server] shadowsocks socks TCP listening on 0.0.0.0:1080
2022-07-06T03:03:04.255113100+00:00 DEBUG [16221:139902253194016] [shadowsocks_service::local::socks::server::socks5::tcprelay] CONNECT 220.181.38.148:80
2022-07-06T03:03:04.350905900+00:00 DEBUG [16221:139902253194016] [shadowsocks_service::local::utils] established tcp tunnel 127.0.0.1:56656 <-> 220.181.38.148:80 through sever 127.0.0.1:12345 (outbound: 127.0.0.1:12345)

shell> ss-python-server -vv -s 127.0.0.1 -p 12345 -k dnomd343 -m table
2022-07-06 03:02:56 WARNING  warning: server set to listen on 127.0.0.1:12345, are you sure?
2022-07-06 03:02:56 WARNING  warning: table is not safe; please use a safer cipher, like AES-256-CFB
2022-07-06 03:02:56 INFO     starting server at 127.0.0.1:12345
2022-07-06 03:02:56 DEBUG    using event model: epoll
2022-07-06 03:03:04 VERBOSE  fd 3 POLL_IN
2022-07-06 03:03:04 DEBUG    accept
2022-07-06 03:03:04 VERBOSE  fd 7 POLL_IN
2022-07-06 03:03:04 WARNING  unsupported addrtype 171, maybe wrong password or encryption method
2022-07-06 03:03:04 ERROR    can not parse header
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/ss-python/shadowsocks/shell.py", line 88, in wrapper
    func(self, *args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/ss-python/shadowsocks/tcprelay.py", line 335, in _handle_stage_addr
    raise Exception('can not parse header')
Exception: can not parse header
2022-07-06 03:03:04 ERROR    can not parse header when handling connection from 127.0.0.1:39706
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/ss-python/shadowsocks/shell.py", line 88, in wrapper
    func(self, *args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/ss-python/shadowsocks/tcprelay.py", line 335, in _handle_stage_addr
    raise Exception('can not parse header')
Exception: can not parse header
2022-07-06 03:03:04 DEBUG    destroy
2022-07-06 03:03:04 DEBUG    destroying local
2022-07-06 03:03:14 VERBOSE  sweeping timeouts

shell> curl baidu.com --socks5 127.0.0.1:1080
curl: (52) Empty reply from server

[zonyitoo]

Does the problem still exist in the latest version? It was quite a long time since the issue was created.

Some tests:

1. shadowsocks-rust sslocal v1.19.4 -> shadowsocks-libev (latest)

$ sslocal -b 127.0.0.1:1080 -s 127.0.0.1:8388 -k abc -m aes-256-gcm
$ ss-server -s 127.0.0.1 -p 8388 -k abc -m aes-256-gcm

# Test with curl
$ curl 'https://www.baidu.com' --socks5-hostname 127.0.0.1:1080 -v
*   Trying 127.0.0.1:1080...
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* SOCKS5 connect to www.baidu.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  6 01:51:06 2023 GMT
*  expire date: Aug  6 01:51:05 2024 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Fri, 14 Jun 2024 07:35:24 GMT
< Etag: "58860401-98b"
< Last-Modified: Mon, 23 Jan 2017 13:24:17 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
<
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=https://ss1.bdstatic.com/5eN1bjq8AAUYm2zgoY3K/r/www/cache/bdorz/baidu.min.css><title>百度一下，你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus=autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn" autofocus></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=https://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');
                </script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
* Connection #0 to host 127.0.0.1 left intact

2. shadowsocks-libev (latest) -> shadowsocks-rust (v1.19.4)

$ ss-local -l 1080 -s 127.0.0.1 -p 8388 -k abc -m aes-256-gcm
$ ssserver -s 127.0.0.1:8388 -k abc -m aes-256-gcm
$ curl 'https://www.baidu.com' --socks5-hostname 127.0.0.1:1080 -v
*   Trying 127.0.0.1:1080...
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* SOCKS5 connect to www.baidu.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  6 01:51:06 2023 GMT
*  expire date: Aug  6 01:51:05 2024 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Fri, 14 Jun 2024 07:39:23 GMT
< Etag: "58860401-98b"
< Last-Modified: Mon, 23 Jan 2017 13:24:17 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
<
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=https://ss1.bdstatic.com/5eN1bjq8AAUYm2zgoY3K/r/www/cache/bdorz/baidu.min.css><title>百度一下，你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus=autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn" autofocus></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=https://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');
                </script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
* Connection #0 to host 127.0.0.1 left intact

[zonyitoo]

Stream ciphers also works correctly. Test case was aes-128-cfb.

[dnomd343]

@zonyitoo I tried the latest version v1.19.4 and the problem still exists.

Normal cipher suites, such as aes-128-cfb

> ss-rust-server -v -s 127.0.0.1:12345 -k passwd -m aes-128-cfb &
> ss-python-local -vv -s 127.0.0.1 -p 12345 -l 1080 -k passwd -m aes-128-cfb &
> curl baidu.com --socks5 127.0.0.1:1080

In this case it works fine.

Abnormal cipher suites, such as table

> ss-rust-server -v -s 127.0.0.1:12345 -k passwd -m table &
> ss-python-local -vv -s 127.0.0.1 -p 12345 -l 1080 -k passwd -m table &
> curl baidu.com --socks5 127.0.0.1:1080

This time the proxy fails and the server gives the following error message:

2024-06-14T16:30:17.995868334+08:00  WARN tokio-runtime-worker ThreadId(04) shadowsocks_service::server::tcprelay: tcp handshake failed. peer: 127.0.0.1:56510, address type 0xb8 not supported
2024-06-14T16:30:17.995963625+08:00 DEBUG tokio-runtime-worker ThreadId(04) shadowsocks_service::server::tcprelay: tcp silent-drop peer: 127.0.0.1:56510

[zonyitoo]

So the only problem is the "table" cipher, right?

The latest version of shadowsocks-libev couldn't start with "table" cipher.

[zonyitoo]

Just made 2 test cases, which expected data are from shadowsocks-libev's TABLE implementation:

#[test]
fn test_table_box() {
    let key: &[u8] = b"password";
    let ebox: [u8; 256] = [
        157, 219, 245, 15, 85, 7, 195, 211, 55, 126, 37, 117, 249, 229, 98, 205, 254, 61, 137, 77, 253, 135, 138, 185,
        45, 100, 75, 97, 46, 22, 28, 84, 143, 160, 175, 136, 194, 2, 201, 173, 132, 155, 23, 174, 95, 54, 0, 239, 6,
        153, 180, 34, 149, 26, 19, 101, 203, 247, 214, 111, 127, 119, 81, 177, 53, 142, 13, 216, 115, 241, 202, 73, 48,
        86, 1, 11, 43, 125, 41, 121, 209, 193, 199, 51, 47, 32, 36, 90, 255, 156, 38, 108, 3, 99, 238, 179, 50, 237,
        158, 186, 110, 217, 76, 223, 118, 196, 107, 83, 39, 63, 9, 129, 72, 5, 56, 234, 91, 250, 224, 228, 251, 146,
        170, 151, 21, 10, 171, 114, 154, 172, 58, 78, 140, 197, 67, 35, 130, 92, 12, 31, 189, 166, 122, 29, 123, 113,
        215, 94, 165, 89, 221, 240, 93, 178, 150, 218, 220, 232, 144, 188, 65, 88, 52, 59, 139, 242, 71, 62, 182, 57,
        225, 147, 30, 17, 68, 243, 80, 44, 141, 4, 200, 42, 16, 102, 134, 246, 70, 244, 145, 124, 213, 8, 187, 66, 183,
        191, 40, 103, 162, 74, 87, 148, 230, 25, 120, 60, 233, 18, 176, 227, 184, 112, 20, 131, 109, 152, 14, 163, 49,
        24, 222, 181, 164, 133, 207, 104, 210, 236, 27, 106, 96, 64, 33, 116, 79, 206, 69, 212, 82, 169, 105, 235, 190,
        128, 226, 208, 168, 192, 167, 159, 161, 231, 204, 198, 248, 252,
    ];
    let dbox: [u8; 256] = [
        46, 74, 37, 92, 179, 113, 48, 5, 191, 110, 125, 75, 138, 66, 216, 3, 182, 173, 207, 54, 212, 124, 29, 42, 219,
        203, 53, 228, 30, 143, 172, 139, 85, 232, 51, 135, 86, 10, 90, 108, 196, 78, 181, 76, 177, 24, 28, 84, 72, 218,
        96, 83, 162, 64, 45, 8, 114, 169, 130, 163, 205, 17, 167, 109, 231, 160, 193, 134, 174, 236, 186, 166, 112, 71,
        199, 26, 102, 19, 131, 234, 176, 62, 238, 107, 31, 4, 73, 200, 161, 149, 87, 116, 137, 152, 147, 44, 230, 27,
        14, 93, 25, 55, 183, 197, 225, 240, 229, 106, 91, 214, 100, 59, 211, 145, 127, 68, 233, 11, 104, 61, 204, 79,
        142, 144, 189, 77, 9, 60, 243, 111, 136, 213, 40, 223, 184, 21, 35, 18, 22, 164, 132, 178, 65, 32, 158, 188,
        121, 171, 201, 52, 154, 123, 215, 49, 128, 41, 89, 0, 98, 249, 33, 250, 198, 217, 222, 148, 141, 248, 246, 239,
        122, 126, 129, 39, 43, 34, 208, 63, 153, 95, 50, 221, 168, 194, 210, 23, 99, 192, 159, 140, 242, 195, 247, 81,
        36, 6, 105, 133, 253, 82, 180, 38, 70, 56, 252, 15, 235, 224, 245, 80, 226, 7, 237, 190, 58, 146, 67, 101, 155,
        1, 156, 150, 220, 103, 118, 170, 244, 209, 119, 13, 202, 251, 157, 206, 115, 241, 227, 97, 94, 47, 151, 69,
        165, 175, 187, 2, 185, 57, 254, 12, 117, 120, 255, 20, 16, 88,
    ];

    let cipher = Table::new(key, b"");
    assert_eq!(cipher.ebox, ebox);
    assert_eq!(cipher.dbox, dbox);
}

#[test]
fn test_table_encrypt() {
    let key: &[u8] = b"password";
    let plain_text: &[u8] = b"hello world";
    let cipher_text: &[u8] = &[118, 217, 39, 39, 129, 143, 228, 129, 56, 39, 110];

    let mut cipher = Table::new(key, b"");

    let mut text_buffer = plain_text.to_vec();
    cipher.encrypt_slice(&mut text_buffer);

    assert_eq!(cipher_text, text_buffer);
}

And tests are running very well. So, why?

[zonyitoo]

Well I see. This is because in the original shadowsocks-libev implementation, the pass was the original password from user without calling bytes_to_key (the key derivation process).

[zonyitoo]

This commit should fix this issue. Please help testing it in your environment.

[dnomd343]

So the only problem is the "table" cipher, right?

The latest version of shadowsocks-libev couldn't start with "table" cipher.

Yes, so I used shadowsocks-python for testing. I also tested the 2.6.3 version of shadowsocks-libev. As described in the issue, they are incompatible with the rust version.

C/S	ss-rust (latest)	ss-python (latest)	ss-libev (2.6.3)
ss-rust (latest)	YES	NO	NO
ss-python (latest)	NO	YES	YES
ss-libev (2.6.3)	NO	YES	YES

[zonyitoo]

Is that Ok in your environment? @dnomd343

[dnomd343]

I tried ss-rust and ss-python as the server and client respectively, using the table cipher suite for communication, and the compiled products on the latest master branch worked well.

Thank you very much, this problem has been solved.