mirror of
https://github.com/fatedier/frp.git
synced 2024-12-14 02:31:21 +01:00
utils/pcrypto: fix the bug of using aes
1. The aes IV needs to be unique, but not secure. 2. The key should be 16, 24 or 32 bytes. Fixes #85.
This commit is contained in:
parent
2b1c39e03d
commit
c8e5096f48
@ -229,6 +229,7 @@ func doLogin(req *msg.ControlReq, c *conn.Conn) (ret int64, info string) {
|
|||||||
} else if req.PrivilegeKey != privilegeKey {
|
} else if req.PrivilegeKey != privilegeKey {
|
||||||
info = fmt.Sprintf("ProxyName [%s], privilege mode authorization failed", req.ProxyName)
|
info = fmt.Sprintf("ProxyName [%s], privilege mode authorization failed", req.ProxyName)
|
||||||
log.Warn(info)
|
log.Warn(info)
|
||||||
|
log.Debug("PrivilegeKey [%s] and get [%s]", privilegeKey, req.PrivilegeKey)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -241,6 +242,7 @@ func doLogin(req *msg.ControlReq, c *conn.Conn) (ret int64, info string) {
|
|||||||
} else if req.AuthKey != authKey {
|
} else if req.AuthKey != authKey {
|
||||||
info = fmt.Sprintf("ProxyName [%s], authorization failed", req.ProxyName)
|
info = fmt.Sprintf("ProxyName [%s], authorization failed", req.ProxyName)
|
||||||
log.Warn(info)
|
log.Warn(info)
|
||||||
|
log.Debug("AuthKey [%s] and get [%s]", authKey, req.AuthKey)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -20,9 +20,10 @@ import (
|
|||||||
"crypto/aes"
|
"crypto/aes"
|
||||||
"crypto/cipher"
|
"crypto/cipher"
|
||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
|
"crypto/rand"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"errors"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -33,35 +34,47 @@ type Pcrypto struct {
|
|||||||
|
|
||||||
func (pc *Pcrypto) Init(key []byte) error {
|
func (pc *Pcrypto) Init(key []byte) error {
|
||||||
var err error
|
var err error
|
||||||
pc.pkey = pKCS7Padding(key, aes.BlockSize)
|
pc.pkey = pkKeyPadding(key)
|
||||||
pc.paes, err = aes.NewCipher(pc.pkey)
|
pc.paes, err = aes.NewCipher(pc.pkey)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func (pc *Pcrypto) Encrypt(src []byte) ([]byte, error) {
|
func (pc *Pcrypto) Encrypt(src []byte) ([]byte, error) {
|
||||||
// aes
|
// aes
|
||||||
src = pKCS7Padding(src, aes.BlockSize)
|
src = pKCS5Padding(src, aes.BlockSize)
|
||||||
blockMode := cipher.NewCBCEncrypter(pc.paes, pc.pkey)
|
ciphertext := make([]byte, aes.BlockSize+len(src))
|
||||||
crypted := make([]byte, len(src))
|
|
||||||
blockMode.CryptBlocks(crypted, src)
|
// The IV needs to be unique, but not secure. Therefore it's common to
|
||||||
return crypted, nil
|
// include it at the beginning of the ciphertext.
|
||||||
|
iv := ciphertext[:aes.BlockSize]
|
||||||
|
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
blockMode := cipher.NewCBCEncrypter(pc.paes, iv)
|
||||||
|
blockMode.CryptBlocks(ciphertext[aes.BlockSize:], src)
|
||||||
|
return ciphertext, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (pc *Pcrypto) Decrypt(str []byte) ([]byte, error) {
|
func (pc *Pcrypto) Decrypt(str []byte) ([]byte, error) {
|
||||||
// aes
|
// aes
|
||||||
decryptText, err := hex.DecodeString(fmt.Sprintf("%x", str))
|
ciphertext, err := hex.DecodeString(fmt.Sprintf("%x", str))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(decryptText)%aes.BlockSize != 0 {
|
if len(ciphertext) < aes.BlockSize {
|
||||||
return nil, errors.New("crypto/cipher: ciphertext is not a multiple of the block size")
|
return nil, fmt.Errorf("ciphertext too short")
|
||||||
|
}
|
||||||
|
iv := ciphertext[:aes.BlockSize]
|
||||||
|
ciphertext = ciphertext[aes.BlockSize:]
|
||||||
|
|
||||||
|
if len(ciphertext)%aes.BlockSize != 0 {
|
||||||
|
return nil, fmt.Errorf("crypto/cipher: ciphertext is not a multiple of the block size")
|
||||||
}
|
}
|
||||||
|
|
||||||
blockMode := cipher.NewCBCDecrypter(pc.paes, pc.pkey)
|
blockMode := cipher.NewCBCDecrypter(pc.paes, iv)
|
||||||
|
blockMode.CryptBlocks(ciphertext, ciphertext)
|
||||||
blockMode.CryptBlocks(decryptText, decryptText)
|
return pKCS5UnPadding(ciphertext), nil
|
||||||
return pKCS7UnPadding(decryptText), nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (pc *Pcrypto) Compression(src []byte) ([]byte, error) {
|
func (pc *Pcrypto) Compression(src []byte) ([]byte, error) {
|
||||||
@ -87,13 +100,32 @@ func (pc *Pcrypto) Decompression(src []byte) ([]byte, error) {
|
|||||||
return str, nil
|
return str, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func pKCS7Padding(ciphertext []byte, blockSize int) []byte {
|
func pkKeyPadding(key []byte) []byte {
|
||||||
|
l := len(key)
|
||||||
|
if l == 16 || l == 24 || l == 32 {
|
||||||
|
return key
|
||||||
|
}
|
||||||
|
if l < 16 {
|
||||||
|
return append(key, bytes.Repeat([]byte{byte(0)}, 16-l)...)
|
||||||
|
} else if l < 24 {
|
||||||
|
return append(key, bytes.Repeat([]byte{byte(0)}, 24-l)...)
|
||||||
|
} else if l < 32 {
|
||||||
|
return append(key, bytes.Repeat([]byte{byte(0)}, 32-l)...)
|
||||||
|
} else {
|
||||||
|
md5Ctx := md5.New()
|
||||||
|
md5Ctx.Write(key)
|
||||||
|
md5Str := md5Ctx.Sum(nil)
|
||||||
|
return []byte(hex.EncodeToString(md5Str))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func pKCS5Padding(ciphertext []byte, blockSize int) []byte {
|
||||||
padding := blockSize - len(ciphertext)%blockSize
|
padding := blockSize - len(ciphertext)%blockSize
|
||||||
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
|
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
|
||||||
return append(ciphertext, padtext...)
|
return append(ciphertext, padtext...)
|
||||||
}
|
}
|
||||||
|
|
||||||
func pKCS7UnPadding(origData []byte) []byte {
|
func pKCS5UnPadding(origData []byte) []byte {
|
||||||
length := len(origData)
|
length := len(origData)
|
||||||
unpadding := int(origData[length-1])
|
unpadding := int(origData[length-1])
|
||||||
return origData[:(length - unpadding)]
|
return origData[:(length - unpadding)]
|
||||||
|
@ -24,7 +24,7 @@ var (
|
|||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
pp = &Pcrypto{}
|
pp = &Pcrypto{}
|
||||||
pp.Init([]byte("Hana"))
|
pp.Init([]byte("12234567890123451223456789012345321:wq"))
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestEncrypt(t *testing.T) {
|
func TestEncrypt(t *testing.T) {
|
||||||
@ -60,3 +60,18 @@ func TestCompression(t *testing.T) {
|
|||||||
t.Fatalf("test compression error, from [%s] to [%s]", testStr, string(res))
|
t.Fatalf("test compression error, from [%s] to [%s]", testStr, string(res))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func BenchmarkEncrypt(b *testing.B) {
|
||||||
|
testStr := "Test Encrypt!"
|
||||||
|
for i := 0; i < b.N; i++ {
|
||||||
|
pp.Encrypt([]byte(testStr))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func BenchmarkDecrypt(b *testing.B) {
|
||||||
|
testStr := "Test Encrypt!"
|
||||||
|
res, _ := pp.Encrypt([]byte(testStr))
|
||||||
|
for i := 0; i < b.N; i++ {
|
||||||
|
pp.Decrypt([]byte(res))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user