khcloud-python
diff --git a/‎pproxy/__init__.py‎
Lines changed: 154 additions & 0 deletions b/‎pproxy/__init__.py‎
Lines changed: 154 additions & 0 deletions
diff --git a/‎pproxy/__main__.py‎
Lines changed: 8 additions & 0 deletions b/‎pproxy/__main__.py‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎pproxy/ciphers.py‎
Lines changed: 156 additions & 0 deletions b/‎pproxy/ciphers.py‎
Lines changed: 156 additions & 0 deletions
@@ -0,0 +1,154 @@
+import argparse, time, re, pickle, asyncio, functools, types, os, urllib.parse
+from pproxy import proto
+
+__title__ = 'pproxy'
+__version__ = "0.9.2"
+__description__ = "Proxy server that can tunnel among remote servers by regex rules."
+__author__ = "Qian Wenjie"
+__license__ = "MIT License"
+
+SOCKET_TIMEOUT = 300
+PACKET_SIZE = 65536
+DUMMY = lambda s: None
+
+asyncio.StreamReader.read_ = lambda self: self.read(PACKET_SIZE)
+asyncio.StreamReader.read_n = lambda self, n: asyncio.wait_for(self.readexactly(n), timeout=SOCKET_TIMEOUT)
+asyncio.StreamReader.read_until = lambda self, s: asyncio.wait_for(self.readuntil(s), timeout=SOCKET_TIMEOUT)
+
+async def proxy_handler(reader, writer, protos, auth, rserver, block, auth_tables, cipher, pac, pactext, unix_path, verbose=DUMMY, modstat=lambda r,h:lambda i:DUMMY, **kwargs):
+    try:
+        remote_ip = writer.get_extra_info('peername')[0] if not unix_path else None
+        reader_cipher = (await cipher(reader, writer))[0] if cipher else None
+        header = await reader.read_n(1)
+        lproto, host_name, port, initbuf = await proto.parse(protos, reader=reader, writer=writer, header=header, auth=auth, auth_tables=auth_tables, remote_ip=remote_ip, pac=pac, pactext=pactext, reader_cipher=reader_cipher)
+        if host_name is None:
+            writer.close()
+            return
+        if block and block(host_name):
+            raise Exception('BLOCK ' + host_name)
+        roption = None
+        for option in rserver:
+            if not option.match or option.match(host_name):
+                roption = option
+                break
+        viaproxy = bool(roption)
+        if viaproxy:
+            verbose(f'{lproto.__name__} {host_name}:{port} -> {roption.protos[0].__name__} {roption.bind}')
+            connect = roption.connect
+        else:
+            verbose(f'{lproto.__name__} {host_name}:{port}')
+            connect = functools.partial(asyncio.open_connection, host=host_name, port=port)
+        try:
+            reader_remote, writer_remote = await asyncio.wait_for(connect(), timeout=SOCKET_TIMEOUT)
+        except asyncio.TimeoutError:
+            raise Exception(f'Connection timeout {rserver}')
+        try:
+            if viaproxy:
+                writer_cipher_r = (await roption.cipher(reader_remote, writer_remote))[1] if roption.cipher else None
+                await roption.protos[0].connect(reader_remote=reader_remote, writer_remote=writer_remote, rauth=roption.auth, host_name=host_name, port=port, initbuf=initbuf, writer_cipher_r=writer_cipher_r)
+            else:
+                writer_remote.write(initbuf)
+        except Exception:
+            writer_remote.close()
+            raise Exception('Unknown remote protocol')
+        m = modstat(remote_ip, host_name)
+        asyncio.ensure_future(proto.base.channel(reader_remote, writer, m(2+viaproxy), m(4+viaproxy)))
+        asyncio.ensure_future(lproto.channel(reader, writer_remote, m(viaproxy), DUMMY))
+    except Exception as ex:
+        if not isinstance(ex, asyncio.TimeoutError):
+            verbose(f'{str(ex) or "Unsupported protocol"} from {remote_ip}')
+        try: writer.close()
+        except Exception: pass
+        raise
+
+def pattern_compile(file_name):
+    with open(file_name) as f:
+        return re.compile('|'.join(i.strip() for i in f if i.strip() and not i.startswith('#'))).fullmatch
+
+def uri_compile(uri):
+    url = urllib.parse.urlparse(uri)
+    rawprotos = url.scheme.split('+')
+    protos = list(set(filter(None, (proto.find(i) for i in rawprotos))))
+    if 'ssl' in rawprotos or 'secure' in rawprotos:
+        import ssl
+        sslserver = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        sslclient = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        if 'ssl' in rawprotos:
+            sslclient.check_hostname = False
+            sslclient.verify_mode = ssl.CERT_NONE
+    else:
+        sslserver = None
+        sslclient = None
+    cipher, _, loc = url.netloc.rpartition('@')
+    if cipher:
+        from pproxy import ciphers
+        cipher = ciphers.get_cipher(cipher)
+    match = pattern_compile(url.query) if url.query else None
+    if loc:
+        host, _, port = loc.partition(':')
+        port = int(port) if port else 8080
+        connect = functools.partial(asyncio.open_connection, host=host, port=port, ssl=sslclient)
+        server = functools.partial(asyncio.start_server, host=host, port=port, ssl=sslserver)
+    else:
+        connect = functools.partial(asyncio.open_unix_connection, path=url.path, ssl=sslclient, server_hostname='' if sslclient else None)
+        server = functools.partial(asyncio.start_unix_server, path=url.path, ssl=sslserver)
+    return types.SimpleNamespace(sslclient=sslclient, protos=protos, cipher=cipher, auth=url.fragment.encode(), match=match, server=server, connect=connect, bind=loc or url.path, unix_path=not loc, sslserver=sslserver)
+
+def main():
+    parser = argparse.ArgumentParser(description=__description__+'\nSupported protocols: http,socks,shadowsocks', epilog='Online help: <https://github.com/qwj/python-proxy>')
+    parser.add_argument('-i', dest='listen', default=[], action='append', type=uri_compile, help='proxy server setting uri (default: http+socks://:8080/)')
+    parser.add_argument('-r', dest='rserver', default=[], action='append', type=uri_compile, help='remote server setting uri (default: direct)')
+    parser.add_argument('-b', dest='block', type=pattern_compile, help='block regex rules')
+    parser.add_argument('-v', dest='v', action='store_true', help='print verbose output')
+    parser.add_argument('--ssl', dest='sslfile', help='certfile[,keyfile] if server listen in ssl mode')
+    parser.add_argument('--pac', dest='pac', help='http pac file path')
+    parser.add_argument('--version', action='version', version=f'%(prog)s {__version__}')
+    args = parser.parse_args()
+    if not args.listen:
+        args.listen.append(uri_compile('http+socks://:/'))
+    if os.path.exists('.auth_tables'):
+        with open('.auth_tables', 'rb') as f:
+            args.auth_tables = pickle.load(f)
+    else:
+        args.auth_tables = {}
+    if args.pac:
+        pactext = 'function FindProxyForURL(u,h){' + (f'var b=/^(:?{args.block.__self__.pattern})$/i;if(b.test(h))return "";' if args.block else '')
+        for i, option in enumerate(args.rserver):
+            pactext += (f'var m{i}=/^(:?{option.match.__self__.pattern})$/i;if(m{i}.test(h))' if option.match else '') + f'return "PROXY %(host)s";'
+        args.pactext = (pactext+'return "DIRECT";}', 'function FindProxyForURL(u,h){{return "PROXY %(host)s";}}', 'function FindProxyForURL(u,h){return "DIRECT";}')
+    else:
+        args.pactext = None
+    if args.sslfile:
+        sslfile = args.sslfile.split(',')
+        for option in args.listen:
+            if option.sslclient:
+                option.sslclient.load_cert_chain(*sslfile)
+                option.sslserver.load_cert_chain(*sslfile)
+    elif any(map(lambda o: o.sslclient, args.listen)):
+        print(f'You must specify --ssl when open ssl server mode')
+        return
+    loop = asyncio.get_event_loop()
+    if args.v:
+        from pproxy import verbose
+        verbose.setup(loop, args)
+    servers = []
+    for option in args.listen:
+        print(f'Serving on {option.bind} by {",".join(i.__name__ for i in option.protos)}', '(SSL)' if option.sslclient else '')
+        handler = functools.partial(proxy_handler, **vars(args), **vars(option))
+        server = loop.run_until_complete(option.server(handler))
+        servers.append(server)
+    try:
+        loop.run_forever()
+    except KeyboardInterrupt:
+        print('exit')
+    if args.auth_tables:
+        with open('.auth_tables', 'wb') as f:
+            pickle.dump(args.auth_tables, f, pickle.HIGHEST_PROTOCOL)
+    for task in asyncio.Task.all_tasks():
+        task.cancel()
+    for server in servers:
+        server.close()
+    for server in servers:
+        loop.run_until_complete(server.wait_closed())
+    loop.close()
+
@@ -0,0 +1,8 @@
+if __package__ == '':
+    import os, sys
+    path = os.path.dirname(os.path.dirname(__file__))
+    sys.path.insert(0, path)
+
+if __name__ == '__main__':
+    import pproxy
+    pproxy.main()
@@ -0,0 +1,156 @@
+import os, hashlib, struct, functools, argparse, hmac
+
+#pip install pycryptodome
+from Crypto.Cipher import ARC4, ChaCha20, Salsa20, AES, DES, CAST, Blowfish, ARC2
+
+class BaseCipher(object):
+    CACHE = {}
+    def __init__(self, key, iv=None, ota=False):
+        if self.KEY_LENGTH > 0:
+            self.key = self.CACHE.get(b'key'+key)
+            if self.key is None:
+                keybuf = []
+                while len(b''.join(keybuf)) < self.KEY_LENGTH:
+                    keybuf.append(hashlib.md5((keybuf[-1] if keybuf else b'') + key).digest())
+                self.key = self.CACHE[b'key'+key] = b''.join(keybuf)[:self.KEY_LENGTH]
+        else:
+            self.key = key
+        self.iv = os.urandom(self.IV_LENGTH) if iv is None else iv
+        self.ota = ota
+        self.setup()
+    def decrypt(self, s):
+        return self.cipher.decrypt(s)
+    def encrypt(self, s):
+        return self.cipher.encrypt(s)
+    def patch_ota_reader(self, reader):
+        chunk_id = 0
+        async def patched_read():
+            nonlocal chunk_id
+            try:
+                data_len = int.from_bytes(await reader.readexactly(2), 'big')
+            except Exception:
+                return None
+            checksum = await reader.readexactly(10)
+            data = await reader.readexactly(data_len)
+            checksum_server = hmac.new(self.iv+chunk_id.to_bytes(4, 'big'), data, 'sha1').digest()
+            assert checksum_server[:10] == checksum
+            chunk_id += 1
+            return data
+        reader.read_ = patched_read
+    def patch_ota_writer(self, writer):
+        chunk_id = 0
+        write = writer.write
+        def patched_write(data):
+            nonlocal chunk_id
+            if not data: return
+            checksum = hmac.new(self.iv+chunk_id.to_bytes(4, 'big'), data, 'sha1').digest()
+            chunk_id += 1
+            return write(len(data).to_bytes(2, 'big') + checksum[:10] + data)
+        writer.write = patched_write
+
+class TableCipher(BaseCipher):
+    KEY_LENGTH = 0
+    IV_LENGTH = 0
+    def setup(self):
+        if self.key in self.CACHE:
+            self.encrypt_table, self.decrypt_table = self.CACHE[self.key]
+        else:
+            a, _ = struct.unpack('<QQ', hashlib.md5(self.key).digest())
+            table = list(range(256))
+            for i in range(1, 1024):
+                table.sort(key = lambda x: a % (x + i))
+            self.encrypt_table = bytes(table)
+            self.decrypt_table = bytes.maketrans(self.encrypt_table, bytes(range(256)))
+            self.CACHE[self.key] = self.encrypt_table, self.decrypt_table
+    def decrypt(self, s):
+        return bytes.translate(s, self.decrypt_table)
+    def encrypt(self, s):
+        return bytes.translate(s, self.encrypt_table)
+
+class RC4Cipher(BaseCipher):
+    KEY_LENGTH = 16
+    IV_LENGTH = 0
+    def setup(self):
+        self.cipher = ARC4.new(self.key)
+
+class RC4MD5Cipher(BaseCipher):
+    KEY_LENGTH = 16
+    IV_LENGTH = 16
+    def setup(self):
+        self.cipher = ARC4.new(hashlib.md5(self.key + self.iv).digest())
+
+class ChaCha20Cipher(BaseCipher):
+    KEY_LENGTH = 32
+    IV_LENGTH = 8
+    def setup(self):
+        self.cipher = ChaCha20.new(key=self.key, nonce=self.iv)
+
+class Salsa20Cipher(BaseCipher):
+    KEY_LENGTH = 32
+    IV_LENGTH = 8
+    def setup(self):
+        self.cipher = Salsa20.new(key=self.key, nonce=self.iv)
+
+class AES256CFBCipher(BaseCipher):
+    KEY_LENGTH = 32
+    IV_LENGTH = 16
+    def setup(self):
+        self.cipher = AES.new(self.key, AES.MODE_CFB, iv=self.iv, segment_size=128)
+
+class AES128CFBCipher(AES256CFBCipher):
+    KEY_LENGTH = 16
+
+class AES192CFBCipher(AES256CFBCipher):
+    KEY_LENGTH = 24
+
+class BFCFBCipher(BaseCipher):
+    KEY_LENGTH = 16
+    IV_LENGTH = 8
+    def setup(self):
+        self.cipher = Blowfish.new(self.key, Blowfish.MODE_CFB, iv=self.iv, segment_size=64)
+
+class CAST5CFBCipher(BaseCipher):
+    KEY_LENGTH = 16
+    IV_LENGTH = 8
+    def setup(self):
+        self.cipher = CAST.new(self.key, CAST.MODE_CFB, iv=self.iv, segment_size=64)
+
+class DESCFBCipher(BaseCipher):
+    KEY_LENGTH = 8
+    IV_LENGTH = 8
+    def setup(self):
+        self.cipher = DES.new(self.key, DES.MODE_CFB, iv=self.iv, segment_size=64)
+
+MAPPINGS = {\
+    'table': TableCipher,
+    'rc4': RC4Cipher,
+    'rc4-md5': RC4MD5Cipher,
+    'chacha20': ChaCha20Cipher,
+    'salsa20': Salsa20Cipher,
+    'aes-128-cfb': AES128CFBCipher,
+    'aes-192-cfb': AES192CFBCipher,
+    'aes-256-cfb': AES256CFBCipher,
+    'bf-cfb': BFCFBCipher,
+    'cast5-cfb': CAST5CFBCipher,
+    'des-cfb': DESCFBCipher,
+}
+
+def get_cipher(cipher_key):
+    cipher, _, key = cipher_key.partition(':')
+    cipher, ota, _ = cipher.partition('!')
+    if not key:
+        raise argparse.ArgumentTypeError('empty key')
+    if cipher not in MAPPINGS:
+        raise argparse.ArgumentTypeError(f'existing ciphers: {list(MAPPINGS.keys())}')
+    cipher, key, ota = MAPPINGS[cipher], key.encode(), bool(ota) if ota else False
+    async def apply_cipher(reader, writer):
+        writer_cipher = cipher(key, ota=ota)
+        writer.write(writer_cipher.iv)
+        writer.write = lambda s, o=writer.write, p=writer_cipher.encrypt: o(p(s))
+        reader_cipher = cipher(key, await reader.read_n(len(writer_cipher.iv)), ota=ota)
+        reader._buffer = bytearray(reader_cipher.decrypt(bytes(reader._buffer)))
+        reader.feed_data = lambda s, o=reader.feed_data, p=reader_cipher.decrypt: o(p(s))
+        return reader_cipher, writer_cipher
+    apply_cipher.ota = ota
+    return apply_cipher
+