fix: TABLE cipher doesn't need to make a derived key

- fix #887 - Reference Implemetation: shadowsocks-libev, shadowsocks (Python) https://github.com/shadowsocks/shadowsocks-libev/blob/5ff4f27b74be9f390e639b960a6ec8baafc1e850/src/encrypt.c#L1395-L1399
shadowsocks · Jun 14, 2024 · b5f3065 · b5f3065
1 parent fd72325
commit b5f3065
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 22 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "shadowsocks-rust"
-version = "1.19.4"
+version = "1.20.0"
 authors = ["Shadowsocks Contributors"]
 description = "shadowsocks is a fast tunnel proxy that helps you bypass firewalls."
 repository = "https://github.com/shadowsocks/shadowsocks-rust"
@@ -248,7 +248,7 @@ jemallocator = { version = "0.5", optional = true }
 snmalloc-rs = { version = "0.3", optional = true }
 rpmalloc = { version = "0.2", optional = true }
 
-shadowsocks-service = { version = "1.19.4", path = "./crates/shadowsocks-service" }
+shadowsocks-service = { version = "1.20.0", path = "./crates/shadowsocks-service" }
 
 windows-service = { version = "0.7", optional = true }
 

diff --git a/crates/shadowsocks-service/Cargo.toml b/crates/shadowsocks-service/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "shadowsocks-service"
-version = "1.19.4"
+version = "1.20.0"
 authors = ["Shadowsocks Contributors"]
 description = "shadowsocks is a fast tunnel proxy that helps you bypass firewalls."
 repository = "https://github.com/shadowsocks/shadowsocks-rust"
@@ -181,7 +181,7 @@ flate2 = { version = "1.0", optional = true }
 brotli = { version = "6.0", optional = true }
 zstd = { version = "0.13", optional = true }
 
-tun2 = { version = "1", optional = true, features = ["async"] }
+tun2 = { version = "2", optional = true, features = ["async"] }
 etherparse = { version = "0.15", optional = true }
 smoltcp = { version = "0.11", optional = true, default-features = false, features = [
  "std",
@@ -198,7 +198,7 @@ serde = { version = "1.0", features = ["derive"] }
 json5 = "0.4"
 bson = { version = "2.10.0", optional = true }
 
-shadowsocks = { version = "1.19.0", path = "../shadowsocks", default-features = false }
+shadowsocks = { version = "1.20.0", path = "../shadowsocks", default-features = false }
 
 # Just for the ioctl call macro
 [target.'cfg(any(target_os = "macos", target_os = "ios", target_os = "freebsd"))'.dependencies]

diff --git a/crates/shadowsocks/Cargo.toml b/crates/shadowsocks/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "shadowsocks"
-version = "1.19.1"
+version = "1.20.0"
 authors = ["Shadowsocks Contributors"]
 description = "shadowsocks is a fast tunnel proxy that helps you bypass firewalls."
 repository = "https://github.com/shadowsocks/shadowsocks-rust"

diff --git a/crates/shadowsocks/src/config.rs b/crates/shadowsocks/src/config.rs
@@ -405,6 +405,13 @@ where
 {
  let password = password.into();
 
+ if method == CipherKind::SS_TABLE {
+ // TABLE cipher doesn't need key derivation.
+ // Reference implemenation: shadowsocks-libev, shadowsocks (Python)
+ let enc_key = password.clone().into_bytes().into_boxed_slice();
+ return (password, enc_key, Vec::new());
+ }
+
  #[cfg(feature = "aead-cipher-2022")]
  if method_support_eih(method) {
  // Extensible Identity Headers

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+shadowsocks-rust (1.20.0) unstable; urgency=medium
+
+ ## Breaking Changes
+
+ - #887 shadowsocks stream cipher (`TABLE`) doesn't need to make a derived key instead of using user's predefined key directly. This change will make shadowsocks-rust not going to be compatible with its older version. Users who are using `TABLE` cipher should upgrade all your local and server instances to the latest version of shadowsocks-rust. On the other hand, `TABLE` cipher is marked deprecated because it is vulnerable, users **must** migrate to other more secured methods immediately.
+
 shadowsocks-rust (1.19.4) unstable; urgency=medium
 
  ## Features