use constant time comparison (#3452)

fatedier 2023-05-29 00:27:27 +08:00 committed by GitHub
parent 756dd1ad5e
commit 4915852b9c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 45 additions and 35 deletions


@ -48,7 +48,7 @@ func (svr *Service) RunAdminServer(address string) (err error) {
subRouter := router.NewRoute().Subrouter() subRouter := router.NewRoute().Subrouter()
user, passwd := svr.cfg.AdminUser, svr.cfg.AdminPwd user, passwd := svr.cfg.AdminUser, svr.cfg.AdminPwd
subRouter.Use(frpNet.NewHTTPAuthMiddleware(user, passwd).Middleware) subRouter.Use(frpNet.NewHTTPAuthMiddleware(user, passwd).SetAuthFailDelay(200 * time.Millisecond).Middleware)
// api, see admin_api.go // api, see admin_api.go
subRouter.HandleFunc("/api/reload", svr.apiReload).Methods("GET") subRouter.HandleFunc("/api/reload", svr.apiReload).Methods("GET")
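Review bot: The auth-failure delay is passed as the bare literal `200 * time.Millisecond` at the `SetAuthFailDelay` call here, and the same literal is repeated at the static-file plugin's router setup, inside the HTTP proxy plugin's `Auth`, and at the dashboard server's router setup. A single named constant next to `NewHTTPAuthMiddleware` (for example `const DefaultAuthFailDelay = 200 * time.Millisecond`, with a comment saying it is a per-attempt slowdown rather than a rate limit) would keep the four sites in step when the value is tuned. RunAdminServer's body continues outside the hunk.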


@ -73,30 +73,30 @@ func (auth *TokenAuthSetterVerifier) SetNewWorkConn(newWorkConnMsg *msg.NewWorkC
return nil return nil
} }
func (auth *TokenAuthSetterVerifier) VerifyLogin(loginMsg *msg.Login) error { func (auth *TokenAuthSetterVerifier) VerifyLogin(m *msg.Login) error {
if util.GetAuthKey(auth.token, loginMsg.Timestamp) != loginMsg.PrivilegeKey { if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {
return fmt.Errorf("token in login doesn't match token from configuration") return fmt.Errorf("token in login doesn't match token from configuration")
} }
return nil return nil
} }
func (auth *TokenAuthSetterVerifier) VerifyPing(pingMsg *msg.Ping) error { func (auth *TokenAuthSetterVerifier) VerifyPing(m *msg.Ping) error {
if !auth.AuthenticateHeartBeats { if !auth.AuthenticateHeartBeats {
return nil return nil
} }
if util.GetAuthKey(auth.token, pingMsg.Timestamp) != pingMsg.PrivilegeKey { if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {
return fmt.Errorf("token in heartbeat doesn't match token from configuration") return fmt.Errorf("token in heartbeat doesn't match token from configuration")
} }
return nil return nil
} }
func (auth *TokenAuthSetterVerifier) VerifyNewWorkConn(newWorkConnMsg *msg.NewWorkConn) error { func (auth *TokenAuthSetterVerifier) VerifyNewWorkConn(m *msg.NewWorkConn) error {
if !auth.AuthenticateNewWorkConns { if !auth.AuthenticateNewWorkConns {
return nil return nil
} }
if util.GetAuthKey(auth.token, newWorkConnMsg.Timestamp) != newWorkConnMsg.PrivilegeKey { if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {
return fmt.Errorf("token in NewWorkConn doesn't match token from configuration") return fmt.Errorf("token in NewWorkConn doesn't match token from configuration")
} }
return nil return nil
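Review bot: The three Verify methods now repeat the same `!util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey)` test with only the error text varying; folding it into one unexported helper on TokenAuthSetterVerifier that takes the message timestamp and the presented key would keep the compare in a single place, so a later change to the key scheme cannot miss one of them. VerifyNewWorkConn's closing brace is outside the hunk.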


@ -174,7 +174,7 @@ func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.
if !ok { if !ok {
return fmt.Errorf("xtcp server for [%s] doesn't exist", m.ProxyName) return fmt.Errorf("xtcp server for [%s] doesn't exist", m.ProxyName)
} }
if m.SignKey != util.GetAuthKey(clientCfg.sk, m.Timestamp) { if !util.ConstantTimeEqString(m.SignKey, util.GetAuthKey(clientCfg.sk, m.Timestamp)) {
return fmt.Errorf("xtcp connection of [%s] auth failed", m.ProxyName) return fmt.Errorf("xtcp connection of [%s] auth failed", m.ProxyName)
} }
c.sessions[sid] = session c.sessions[sid] = session


@ -21,11 +21,13 @@ import (
"net" "net"
"net/http" "net/http"
"strings" "strings"
"time"
frpIo "github.com/fatedier/golib/io" frpIo "github.com/fatedier/golib/io"
gnet "github.com/fatedier/golib/net" gnet "github.com/fatedier/golib/net"
frpNet "github.com/fatedier/frp/pkg/util/net" frpNet "github.com/fatedier/frp/pkg/util/net"
"github.com/fatedier/frp/pkg/util/util"
) )
const PluginHTTPProxy = "http_proxy" const PluginHTTPProxy = "http_proxy"
@ -179,7 +181,9 @@ func (hp *HTTPProxy) Auth(req *http.Request) bool {
return false return false
} }
if pair[0] != hp.AuthUser || pair[1] != hp.AuthPasswd { if !util.ConstantTimeEqString(pair[0], hp.AuthUser) ||
!util.ConstantTimeEqString(pair[1], hp.AuthPasswd) {
time.Sleep(200 * time.Millisecond)
return false return false
} }
return true return true
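Review bot: The rewritten condition still short-circuits: when `pair[0]` does not match `hp.AuthUser`, the `||` skips the password compare, so a request carrying the right username takes one extra constant-time compare longer than one with a wrong username — small, but the point of switching to `ConstantTimeEqString` was to stop timing from depending on the inputs. Evaluating both first removes it: `userOK := util.ConstantTimeEqString(pair[0], hp.AuthUser)`, `passOK := util.ConstantTimeEqString(pair[1], hp.AuthPasswd)`, `if !userOK || !passOK {`. The `hasAuth && … && …` chain in HTTPAuthMiddleware.Middleware has the same shape. Separately, the `time.Sleep(200 * time.Millisecond)` is hard-coded here while the middleware made the delay configurable via SetAuthFailDelay; a shared constant would keep them aligned. Auth's body begins above the hunk.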


@ -18,6 +18,7 @@ import (
"io" "io"
"net" "net"
"net/http" "net/http"
"time"
"github.com/gorilla/mux" "github.com/gorilla/mux"
@ -64,7 +65,7 @@ func NewStaticFilePlugin(params map[string]string) (Plugin, error) {
} }
router := mux.NewRouter() router := mux.NewRouter()
router.Use(frpNet.NewHTTPAuthMiddleware(httpUser, httpPasswd).Middleware) router.Use(frpNet.NewHTTPAuthMiddleware(httpUser, httpPasswd).SetAuthFailDelay(200 * time.Millisecond).Middleware)
router.PathPrefix(prefix).Handler(frpNet.MakeHTTPGzipHandler(http.StripPrefix(prefix, http.FileServer(http.Dir(localPath))))).Methods("GET") router.PathPrefix(prefix).Handler(frpNet.MakeHTTPGzipHandler(http.StripPrefix(prefix, http.FileServer(http.Dir(localPath))))).Methods("GET")
sp.s = &http.Server{ sp.s = &http.Server{
Handler: router, Handler: router,


@ -19,6 +19,9 @@ import (
"io" "io"
"net/http" "net/http"
"strings" "strings"
"time"
"github.com/fatedier/frp/pkg/util/util"
) )
type HTTPAuthWraper struct { type HTTPAuthWraper struct {
@ -48,6 +51,7 @@ func (aw *HTTPAuthWraper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
type HTTPAuthMiddleware struct { type HTTPAuthMiddleware struct {
user string user string
passwd string passwd string
authFailDelay time.Duration
} }
func NewHTTPAuthMiddleware(user, passwd string) *HTTPAuthMiddleware { func NewHTTPAuthMiddleware(user, passwd string) *HTTPAuthMiddleware {
@ -57,32 +61,28 @@ func NewHTTPAuthMiddleware(user, passwd string) *HTTPAuthMiddleware {
} }
} }
func (authMid *HTTPAuthMiddleware) SetAuthFailDelay(delay time.Duration) *HTTPAuthMiddleware {
authMid.authFailDelay = delay
return authMid
}
func (authMid *HTTPAuthMiddleware) Middleware(next http.Handler) http.Handler { func (authMid *HTTPAuthMiddleware) Middleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
reqUser, reqPasswd, hasAuth := r.BasicAuth() reqUser, reqPasswd, hasAuth := r.BasicAuth()
if (authMid.user == "" && authMid.passwd == "") || if (authMid.user == "" && authMid.passwd == "") ||
(hasAuth && reqUser == authMid.user && reqPasswd == authMid.passwd) { (hasAuth && util.ConstantTimeEqString(reqUser, authMid.user) &&
util.ConstantTimeEqString(reqPasswd, authMid.passwd)) {
next.ServeHTTP(w, r) next.ServeHTTP(w, r)
} else { } else {
if authMid.authFailDelay > 0 {
time.Sleep(authMid.authFailDelay)
}
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
} }
}) })
} }
func HTTPBasicAuth(h http.HandlerFunc, user, passwd string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
reqUser, reqPasswd, hasAuth := r.BasicAuth()
if (user == "" && passwd == "") ||
(hasAuth && reqUser == user && reqPasswd == passwd) {
h.ServeHTTP(w, r)
} else {
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
}
}
}
type HTTPGzipWraper struct { type HTTPGzipWraper struct {
h http.Handler h http.Handler
} }
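Review bot: `SetAuthFailDelay` is exported but has no doc comment, and what the delay buys is easy to misread: the `time.Sleep` in the else branch only lengthens the response to each failed request in its own goroutine, it does not bound how many attempts run at once. Suggested comment above it: `// SetAuthFailDelay makes Middleware wait for delay before rejecting a request that fails basic auth, slowing each failed attempt; it is not a rate limit and does not cap concurrent attempts. A delay of zero or less disables the wait. It returns authMid for chaining.` The new `authFailDelay` field could carry `// pause before the 401 response; zero disables` for the same reason. Middleware is complete in the hunk; NewHTTPAuthMiddleware's body straddles the hunk boundary.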


@ -17,6 +17,7 @@ package util
import ( import (
"crypto/md5" "crypto/md5"
"crypto/rand" "crypto/rand"
"crypto/subtle"
"encoding/hex" "encoding/hex"
"fmt" "fmt"
mathrand "math/rand" mathrand "math/rand"
@ -139,3 +140,7 @@ func RandomSleep(duration time.Duration, minRatio, maxRatio float64) time.Durati
time.Sleep(d) time.Sleep(d)
return d return d
} }
func ConstantTimeEqString(a, b string) bool {
return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}
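Review bot: `ConstantTimeEqString` is exported without a doc comment, and its one caveat belongs there: `subtle.ConstantTimeCompare` returns 0 as soon as the two lengths differ, so the call runs in time independent of the contents but not of the lengths. Suggested comment: `// ConstantTimeEqString reports whether a == b without letting the time taken depend on where the strings differ. The comparison still returns early when the lengths differ, so the length of a secret is not hidden; callers comparing fixed-length digests are unaffected.` That is harmless for callers comparing fixed-length keys (presumably what GetAuthKey produces, given the md5 and hex imports in this file, though its body is outside the hunk), but worth knowing for the basic-auth user and password comparisons that now use it.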


@ -50,7 +50,7 @@ func (svr *Service) RunDashboardServer(address string) (err error) {
subRouter := router.NewRoute().Subrouter() subRouter := router.NewRoute().Subrouter()
user, passwd := svr.cfg.DashboardUser, svr.cfg.DashboardPwd user, passwd := svr.cfg.DashboardUser, svr.cfg.DashboardPwd
subRouter.Use(frpNet.NewHTTPAuthMiddleware(user, passwd).Middleware) subRouter.Use(frpNet.NewHTTPAuthMiddleware(user, passwd).SetAuthFailDelay(200 * time.Millisecond).Middleware)
// metrics // metrics
if svr.cfg.EnablePrometheus { if svr.cfg.EnablePrometheus {


@ -66,8 +66,8 @@ func NewDefaultFramework() *Framework {
options := Options{ options := Options{
TotalParallelNode: suiteConfig.ParallelTotal, TotalParallelNode: suiteConfig.ParallelTotal,
CurrentNodeIndex: suiteConfig.ParallelProcess, CurrentNodeIndex: suiteConfig.ParallelProcess,
FromPortIndex: 20000, FromPortIndex: 10000,
ToPortIndex: 50000, ToPortIndex: 60000,
} }
return NewFramework(options) return NewFramework(options)
} }
@ -118,14 +118,14 @@ func (f *Framework) AfterEach() {
// stop processor // stop processor
for _, p := range f.serverProcesses { for _, p := range f.serverProcesses {
_ = p.Stop() _ = p.Stop()
if TestContext.Debug { if TestContext.Debug || ginkgo.CurrentSpecReport().Failed() {
fmt.Println(p.ErrorOutput()) fmt.Println(p.ErrorOutput())
fmt.Println(p.StdOutput()) fmt.Println(p.StdOutput())
} }
} }
for _, p := range f.clientProcesses { for _, p := range f.clientProcesses {
_ = p.Stop() _ = p.Stop()
if TestContext.Debug { if TestContext.Debug || ginkgo.CurrentSpecReport().Failed() {
fmt.Println(p.ErrorOutput()) fmt.Println(p.ErrorOutput())
fmt.Println(p.StdOutput()) fmt.Println(p.StdOutput())
} }


@ -38,7 +38,7 @@ func (f *Framework) RunProcesses(serverTemplates []string, clientTemplates []str
err = p.Start() err = p.Start()
ExpectNoError(err) ExpectNoError(err)
} }
time.Sleep(2 * time.Second) time.Sleep(1 * time.Second)
currentClientProcesses := make([]*process.Process, 0, len(clientTemplates)) currentClientProcesses := make([]*process.Process, 0, len(clientTemplates))
for i := range clientTemplates { for i := range clientTemplates {
@ -56,7 +56,7 @@ func (f *Framework) RunProcesses(serverTemplates []string, clientTemplates []str
ExpectNoError(err) ExpectNoError(err)
time.Sleep(500 * time.Millisecond) time.Sleep(500 * time.Millisecond)
} }
time.Sleep(5 * time.Second) time.Sleep(2 * time.Second)
return currentServerProcesses, currentClientProcesses return currentServerProcesses, currentClientProcesses
} }


@ -58,7 +58,7 @@ func (pa *Allocator) GetByName(portName string) int {
return 0 return 0
} }
l, err := net.Listen("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(port))) l, err := net.Listen("tcp", net.JoinHostPort("0.0.0.0", strconv.Itoa(port)))
if err != nil { if err != nil {
// Maybe not controlled by us, mark it used. // Maybe not controlled by us, mark it used.
pa.used.Insert(port) pa.used.Insert(port)
@ -66,7 +66,7 @@ func (pa *Allocator) GetByName(portName string) int {
} }
l.Close() l.Close()
udpAddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort("127.0.0.1", strconv.Itoa(port))) udpAddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort("0.0.0.0", strconv.Itoa(port)))
if err != nil { if err != nil {
continue continue
} }
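Review bot: The switch from `127.0.0.1` to `0.0.0.0` in both `net.JoinHostPort` calls changes what the probe means — the TCP listen now briefly binds the port on every interface rather than loopback only — and nothing in the hunk records why. A comment at the TCP listen such as `// probe on all interfaces so a port taken by a process bound to a specific address is also reported as used` (if that is the intent) would stop the next reader from reverting it, and an all-interface bind can trigger host firewall prompts on desktop machines during test runs, which is worth noting in the same place. The UDP branch here only resolves the address; the corresponding listen is below the hunk, so whether it also binds all interfaces cannot be confirmed from this view.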