Disable deprecated stream ciphers by default

- Enable stream ciphers explicitly with stream-cipher feature - Upgraded shadowsocks-crypto to v0.1.2 fixes #373
shadowsocks · Jan 4, 2021 · 9000b31 · 9000b31
1 parent 47169d6
commit 9000b31
Show file tree

Hide file tree

Showing 14 changed files with 67 additions and 27 deletions.
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -33,7 +33,7 @@ jobs:
       - name: Build & Test (--no-default-features)
         run: cargo test --verbose --no-default-features --no-fail-fast
       - name: Build with All Features Enabled
-        run: cargo build --verbose --features "local-redir local-dns dns-over-tls"
+        run: cargo build --verbose --features "local-redir local-dns dns-over-tls dns-over-https stream-cipher"
 
   build-windows:
     runs-on: windows-latest
@@ -56,7 +56,7 @@ jobs:
       - name: Build & Test (--no-default-features)
         run: cargo test --verbose --no-default-features --no-fail-fast
       - name: Build with All Features Enabled
-        run: cargo build --verbose --features "local-dns dns-over-tls"
+        run: cargo build --verbose --features "local-dns dns-over-tls dns-over-https stream-cipher"
 
   build-macos:
     runs-on: macos-latest
@@ -84,4 +84,4 @@ jobs:
       - name: Build & Test (--no-default-features)
         run: cargo test --verbose --no-default-features --no-fail-fast
       - name: Build with All Features Enabled
-        run: cargo build --verbose --features "local-redir local-dns dns-over-tls"
+        run: cargo build --verbose --features "local-redir local-dns dns-over-tls dns-over-https stream-cipher"
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -101,6 +101,12 @@ tcmalloc-vendored = ["tcmalloc/bundled"]
 # Enable tokio's multi-threaded runtime
 multi-threaded = ["tokio/rt-multi-thread"]
 
+# Enable Stream Cipher Protocol
+# WARN: Stream Cipher Protocol is proved to be insecured
+# https://github.com/shadowsocks/shadowsocks-rust/issues/373
+# Users should always avoid using these ciphers in practice
+stream-cipher = ["shadowsocks-service/stream-cipher"]
+
 [dependencies]
 log = "0.4"
 log4rs = { version = "1.0", optional = true }

diff --git a/crates/shadowsocks-service/Cargo.toml b/crates/shadowsocks-service/Cargo.toml
@@ -56,6 +56,12 @@ local-tunnel = ["local"]
 # Enable socks4 protocol for sslocal
 local-socks4 = ["local"]
 
+# Enable Stream Cipher Protocol
+# WARN: Stream Cipher Protocol is proved to be insecured
+# https://github.com/shadowsocks/shadowsocks-rust/issues/373
+# Users should always avoid using these ciphers in practice
+stream-cipher = ["shadowsocks/stream-cipher"]
+
 [dependencies]
 log = "0.4"
 log4rs = "1.0"

diff --git a/crates/shadowsocks-service/src/local/mod.rs b/crates/shadowsocks-service/src/local/mod.rs
@@ -44,6 +44,7 @@ pub async fn run(mut config: Config) -> io::Result<()> {
     trace!("{:?}", config);
 
     // Warning for Stream Ciphers
+    #[cfg(feature = "stream-cipher")]
     for server in config.server.iter() {
         if server.method().is_stream() {
             warn!("stream cipher {} for server {} have inherent weaknesses (see discussion in https://github.com/shadowsocks/shadowsocks-org/issues/36). \

diff --git a/crates/shadowsocks-service/src/server/mod.rs b/crates/shadowsocks-service/src/server/mod.rs
@@ -31,6 +31,7 @@ pub async fn run(config: Config) -> io::Result<()> {
     trace!("{:?}", config);
 
     // Warning for Stream Ciphers
+    #[cfg(feature = "stream-cipher")]
     for server in config.server.iter() {
         if server.method().is_stream() {
             warn!("stream cipher {} for server {} have inherent weaknesses (see discussion in https://github.com/shadowsocks/shadowsocks-org/issues/36). \

diff --git a/crates/shadowsocks/Cargo.toml b/crates/shadowsocks/Cargo.toml
@@ -21,6 +21,12 @@ default = [
 # Uses trust-dns instead of tokio's builtin DNS resolver
 trust-dns = ["trust-dns-resolver"]
 
+# Enable Stream Cipher Protocol
+# WARN: Stream Cipher Protocol is proved to be insecured
+# https://github.com/shadowsocks/shadowsocks-rust/issues/373
+# Users should always avoid using these ciphers in practice
+stream-cipher = ["shadowsocks-crypto/v1-stream"]
+
 [dependencies]
 log = "0.4"
 
@@ -50,10 +56,10 @@ tokio = { version = "1.0", features = ["io-util", "macros", "net", "parking_lot"
 trust-dns-resolver = { version = "0.20", optional = true }
 
 [target.'cfg(any(target_arch = "x86_64", target_arch = "aarch64"))'.dependencies]
-shadowsocks-crypto = { version = "0.1", features = ["ring"] }
+shadowsocks-crypto = { version = "0.1.2", features = ["ring"] }
 
 [target.'cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))'.dependencies]
-shadowsocks-crypto = { version = "0.1", features = [] }
+shadowsocks-crypto = { version = "0.1.2", features = [] }
 
 
 [target.'cfg(windows)'.dependencies]

diff --git a/crates/shadowsocks/src/relay/tcprelay/crypto_io.rs b/crates/shadowsocks/src/relay/tcprelay/crypto_io.rs
@@ -16,22 +16,23 @@ use crate::{
     crypto::v1::{random_iv_or_salt, CipherCategory, CipherKind},
 };
 
-use super::{
-    aead::{DecryptedReader as AeadDecryptedReader, EncryptedWriter as AeadEncryptedWriter},
-    stream::{DecryptedReader as StreamDecryptedReader, EncryptedWriter as StreamEncryptedWriter},
-};
+use super::aead::{DecryptedReader as AeadDecryptedReader, EncryptedWriter as AeadEncryptedWriter};
+#[cfg(feature = "stream-cipher")]
+use super::stream::{DecryptedReader as StreamDecryptedReader, EncryptedWriter as StreamEncryptedWriter};
 
 /// Reader for reading encrypted data stream from shadowsocks' tunnel
 pub enum DecryptedReader {
     None,
     Aead(AeadDecryptedReader),
+    #[cfg(feature = "stream-cipher")]
     Stream(StreamDecryptedReader),
 }
 
 impl DecryptedReader {
     /// Create a new reader for reading encrypted data
     pub fn new(method: CipherKind, key: &[u8]) -> DecryptedReader {
         match method.category() {
+            #[cfg(feature = "stream-cipher")]
             CipherCategory::Stream => DecryptedReader::Stream(StreamDecryptedReader::new(method, key)),
             CipherCategory::Aead => DecryptedReader::Aead(AeadDecryptedReader::new(method, key)),
             CipherCategory::None => DecryptedReader::None,
@@ -51,6 +52,7 @@ impl DecryptedReader {
         S: AsyncRead + Unpin + ?Sized,
     {
         match *self {
+            #[cfg(feature = "stream-cipher")]
             DecryptedReader::Stream(ref mut reader) => reader.poll_read_decrypted(cx, context, stream, buf),
             DecryptedReader::Aead(ref mut reader) => reader.poll_read_decrypted(cx, context, stream, buf),
             DecryptedReader::None => Pin::new(stream).poll_read(cx, buf),
@@ -62,13 +64,15 @@ impl DecryptedReader {
 pub enum EncryptedWriter {
     None,
     Aead(AeadEncryptedWriter),
+    #[cfg(feature = "stream-cipher")]
     Stream(StreamEncryptedWriter),
 }
 
 impl EncryptedWriter {
     /// Create a new writer for writing encrypted data
     pub fn new(method: CipherKind, key: &[u8], nonce: &[u8]) -> EncryptedWriter {
         match method.category() {
+            #[cfg(feature = "stream-cipher")]
             CipherCategory::Stream => EncryptedWriter::Stream(StreamEncryptedWriter::new(method, key, nonce)),
             CipherCategory::Aead => EncryptedWriter::Aead(AeadEncryptedWriter::new(method, key, nonce)),
             CipherCategory::None => EncryptedWriter::None,
@@ -87,6 +91,7 @@ impl EncryptedWriter {
         S: AsyncWrite + Unpin + ?Sized,
     {
         match *self {
+            #[cfg(feature = "stream-cipher")]
             EncryptedWriter::Stream(ref mut writer) => writer.poll_write_encrypted(cx, stream, buf),
             EncryptedWriter::Aead(ref mut writer) => writer.poll_write_encrypted(cx, stream, buf),
             EncryptedWriter::None => Pin::new(stream).poll_write(cx, buf),
@@ -113,12 +118,14 @@ impl<S> CryptoStream<S> {
         }
 
         let prev_len = match category {
+            #[cfg(feature = "stream-cipher")]
             CipherCategory::Stream => method.iv_len(),
             CipherCategory::Aead => method.salt_len(),
             CipherCategory::None => 0,
         };
 
         let iv = match category {
+            #[cfg(feature = "stream-cipher")]
             CipherCategory::Stream => {
                 let local_iv = loop {
                     let mut iv = vec![0u8; prev_len];

diff --git a/crates/shadowsocks/src/relay/tcprelay/mod.rs b/crates/shadowsocks/src/relay/tcprelay/mod.rs
@@ -9,5 +9,6 @@ mod aead;
 pub mod crypto_io;
 pub mod proxy_listener;
 pub mod proxy_stream;
+#[cfg(feature = "stream-cipher")]
 mod stream;
 pub mod utils;
diff --git a/crates/shadowsocks/src/relay/tcprelay/utils.rs b/crates/shadowsocks/src/relay/tcprelay/utils.rs
@@ -116,14 +116,18 @@ where
 pub fn alloc_encrypted_read_buffer(method: CipherKind) -> Box<[u8]> {
     match method.category() {
         CipherCategory::Aead => vec![0u8; super::aead::MAX_PACKET_SIZE + method.tag_len()].into_boxed_slice(),
-        CipherCategory::Stream | CipherCategory::None => vec![0u8; 1 << 14].into_boxed_slice(),
+        #[cfg(feature = "stream-cipher")]
+        CipherCategory::Stream => vec![0u8; 1 << 14].into_boxed_slice(),
+        CipherCategory::None => vec![0u8; 1 << 14].into_boxed_slice(),
     }
 }
 
 /// Create a buffer for reading from plain channel (not encrypted), for copying data into encrypted channel
 pub fn alloc_plain_read_buffer(method: CipherKind) -> Box<[u8]> {
     match method.category() {
         CipherCategory::Aead => vec![0u8; super::aead::MAX_PACKET_SIZE].into_boxed_slice(),
-        CipherCategory::Stream | CipherCategory::None => vec![0u8; 1 << 14].into_boxed_slice(),
+        #[cfg(feature = "stream-cipher")]
+        CipherCategory::Stream => vec![0u8; 1 << 14].into_boxed_slice(),
+        CipherCategory::None => vec![0u8; 1 << 14].into_boxed_slice(),
     }
 }
diff --git a/crates/shadowsocks/src/relay/udprelay/crypto_io.rs b/crates/shadowsocks/src/relay/udprelay/crypto_io.rs
@@ -46,11 +46,13 @@ pub fn encrypt_payload(
             addr.write_to_buf(dst);
             dst.put_slice(payload);
         }
+        #[cfg(feature = "stream-cipher")]
         CipherCategory::Stream => encrypt_payload_stream(context, method, key, addr, payload, dst),
         CipherCategory::Aead => encrypt_payload_aead(context, method, key, addr, payload, dst),
     }
 }
 
+#[cfg(feature = "stream-cipher")]
 fn encrypt_payload_stream(
     context: &Context,
     method: CipherKind,
@@ -157,10 +159,13 @@ pub async fn decrypt_payload(
                 }
             }
         }
+        #[cfg(feature = "stream-cipher")]
         CipherCategory::Stream => decrypt_payload_stream(context, method, key, payload).await,
         CipherCategory::Aead => decrypt_payload_aead(context, method, key, payload).await,
     }
 }
+
+#[cfg(feature = "stream-cipher")]
 async fn decrypt_payload_stream(
     context: &Context,
     method: CipherKind,

diff --git a/crates/shadowsocks/tests/tcp.rs b/crates/shadowsocks/tests/tcp.rs
@@ -163,6 +163,7 @@ async fn tcp_tunnel_aead() {
         .unwrap();
 }
 
+#[cfg(feature = "stream-cipher")]
 #[tokio::test]
 async fn tcp_tunnel_stream() {
     let _ = env_logger::try_init();

diff --git a/crates/shadowsocks/tests/udp.rs b/crates/shadowsocks/tests/udp.rs
@@ -148,6 +148,7 @@ async fn udp_tunnel_aead() {
         .unwrap();
 }
 
+#[cfg(feature = "stream-cipher")]
 #[tokio::test]
 async fn udp_tunnel_stream() {
     let _ = env_logger::try_init();

diff --git a/tests/socks5.rs b/tests/socks5.rs
@@ -71,6 +71,7 @@ impl Socks5TestServer {
     }
 }
 
+#[cfg(feature = "stream-cipher")]
 #[tokio::test]
 async fn socks5_relay_stream() {
     let _ = env_logger::try_init();