From 2952429610626e5673431652ccfba06bf9009d6e Mon Sep 17 00:00:00 2001
From: Vladimir Kochnev
Date: Fri, 22 Jul 2022 00:27:18 +0300
Subject: [PATCH 1/2] Remove unused core/packet.go and core/stream.go
---
 core/packet.go | 8 --------
 core/stream.go | 23 -----------------------
 2 files changed, 31 deletions(-)
 delete mode 100644 core/packet.go
 delete mode 100644 core/stream.go
diff --git a/core/packet.go b/core/packet.go
deleted file mode 100644
index 641aa134..00000000
--- a/core/packet.go
+++ /dev/null
@@ -1,8 +0,0 @@
-package core
-
-import "net"
-
-func ListenPacket(network, address string, ciph PacketConnCipher) (net.PacketConn, error) {
- c, err := net.ListenPacket(network, address)
- return ciph.PacketConn(c), err
-}
diff --git a/core/stream.go b/core/stream.go
deleted file mode 100644
index 5c773cd2..00000000
--- a/core/stream.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package core
-
-import "net"
-
-type listener struct {
- net.Listener
- StreamConnCipher
-}
-
-func Listen(network, address string, ciph StreamConnCipher) (net.Listener, error) {
- l, err := net.Listen(network, address)
- return &listener{l, ciph}, err
-}
-
-func (l *listener) Accept() (net.Conn, error) {
- c, err := l.Listener.Accept()
- return l.StreamConn(c), err
-}
-
-func Dial(network, address string, ciph StreamConnCipher) (net.Conn, error) {
- c, err := net.Dial(network, address)
- return ciph.StreamConn(c), err
-}
From 35743800b861b724c942aaa48bb7160e921ca648 Mon Sep 17 00:00:00 2001
From: Vladimir Kochnev
Date: Fri, 22 Jul 2022 00:56:04 +0300
Subject: [PATCH 2/2] Support -key-file flag
Passing keys/passwords in command line is not very good from security standpoint. One could examine password in runner script/process list/etc. So I propose to add an option flag to load base64-encoded key from file. It's also more convenient when running shadowsocks in Kubernetes where one usually mounts secrets as files.
---
 main.go | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/main.go b/main.go
index ee90b773..c35eb55f 100644
--- a/main.go
+++ b/main.go
@@ -6,6 +6,7 @@ import (
 "flag"
 "fmt"
 "io"
+ "io/ioutil"
 "log"
 "net/url"
 "os"
@@ -30,6 +31,7 @@ func main() {
 Client string
 Server string
 Cipher string
+ KeyFile string
 Key string
 Password string
 Keygen int
@@ -47,7 +49,8 @@ func main() {
 
 flag.BoolVar(&config.Verbose, "verbose", false, "verbose mode")
 flag.StringVar(&flags.Cipher, "cipher", "AEAD_CHACHA20_POLY1305", "available ciphers: "+strings.Join(core.ListCipher(), " "))
- flag.StringVar(&flags.Key, "key", "", "base64url-encoded key (derive from password if empty)")
+ flag.StringVar(&flags.KeyFile, "key-file", "", "path of base64url-encoded key file")
+ flag.StringVar(&flags.Key, "key", "", "base64url-encoded key (derive from password if both key-file and key are empty)")
 flag.IntVar(&flags.Keygen, "keygen", 0, "generate a base64url-encoded random key of given length in byte")
 flag.StringVar(&flags.Password, "password", "", "password")
 flag.StringVar(&flags.Server, "s", "", "server listen address or url")
@@ -68,7 +71,10 @@ func main() {
 
 if flags.Keygen > 0 {
 key := make([]byte, flags.Keygen)
- io.ReadFull(rand.Reader, key)
+ _, err := io.ReadFull(rand.Reader, key)
+ if err != nil {
+ log.Fatal(err)
+ }
 fmt.Println(base64.URLEncoding.EncodeToString(key))
 return
 }
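Review bot: The added `"io/ioutil"` import brings in a package that has been deprecated since Go 1.16, and its only use is the `ioutil.ReadFile` call in the `-key-file` hunk further down this patch. `os` is already in the import list, so `os.ReadFile(flags.KeyFile)` does the same job and this import line can be dropped, which also keeps `staticcheck` quiet about the deprecated package. The import block continues outside the hunk.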
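Review bot: The new error check in the `-keygen` branch reads better in Go's scoped-initializer form, `if _, err := io.ReadFull(rand.Reader, key); err != nil {` / `log.Fatal(err)` / `}`, which keeps `err` from outliving the one statement that needs it. The check itself is worth having: the old line discarded the error, so a short read from `rand.Reader` would have printed a partly zero-filled buffer as if it were a full random key. main() continues beyond this hunk.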
@@ -78,9 +84,21 @@ func main() {
 return
 }
 
- var key []byte
+ var encodedKey string
+ if flags.KeyFile != "" {
+ e, err := ioutil.ReadFile(flags.KeyFile)
+ if err != nil {
+ log.Fatal(err)
+ }
+ encodedKey = string(e)
+ }
 if flags.Key != "" {
- k, err := base64.URLEncoding.DecodeString(flags.Key)
+ encodedKey = flags.Key
+ }
+
+ var key []byte
+ if encodedKey != "" {
+ k, err := base64.URLEncoding.DecodeString(encodedKey)
 if err != nil {
 log.Fatal(err)
 }
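Review bot: `encodedKey = string(e)` hands the raw file contents to `base64.URLEncoding.DecodeString`, so a key file that ends in a newline — which is what a shell redirect of the `-keygen` output or any editor produces — fails to decode with an "illegal base64 data" error instead of loading; trimming surrounding whitespace with `strings.TrimSpace` (the `strings` package is already imported for `strings.Join`) fixes that. The second point is precedence: when both `-key-file` and `-key` are given, the later `if flags.Key != ""` assignment silently overwrites the key read from the file, and neither the help text nor the code says so; rejecting the combination up front is clearer than letting the command-line value win, since the stated goal of the flag is to keep keys off the command line. The rewritten loading block is below; main() continues past the end of this hunk.

```go
	// … unchanged: -keygen and usage handling …
	if flags.KeyFile != "" && flags.Key != "" {
		log.Fatal("-key and -key-file are mutually exclusive")
	}

	var encodedKey string
	if flags.KeyFile != "" {
		e, err := ioutil.ReadFile(flags.KeyFile)
		if err != nil {
			log.Fatal(err)
		}
		// Tolerate the trailing newline that editors and shell redirects leave behind.
		encodedKey = strings.TrimSpace(string(e))
	}
	// … unchanged: -key fallback and base64 decode …
```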