guoswork/frp
1
0
Fork 0
mirror of https://gitee.com/IrisVega/frp.git synced 2024-11-01 22:31:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

utils/pcrypto: fix the bug of using aes

Browse Source 
1. The aes IV needs to be unique, but not secure.
2. The key should be 16, 24 or 32 bytes.

Fixes #85.
This commit is contained in:
fatedier 2016-08-21 23:28:01 +08:00
parent 2b1c39e03d
commit c8e5096f48
3 changed files with 66 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/cmd/frps/control.go
View File

@ -229,6 +229,7 @@ func doLogin(req *msg.ControlReq, c *conn.Conn) (ret int64, info string) {
} else if req.PrivilegeKey != privilegeKey { } else if req.PrivilegeKey != privilegeKey {
info = fmt.Sprintf("ProxyName [%s], privilege mode authorization failed", req.ProxyName) info = fmt.Sprintf("ProxyName [%s], privilege mode authorization failed", req.ProxyName)
log.Warn(info) log.Warn(info)
log.Debug("PrivilegeKey [%s] and get [%s]", privilegeKey, req.PrivilegeKey)
return return
} }
} else { } else {
@ -241,6 +242,7 @@ func doLogin(req *msg.ControlReq, c *conn.Conn) (ret int64, info string) {
} else if req.AuthKey != authKey { } else if req.AuthKey != authKey {
info = fmt.Sprintf("ProxyName [%s], authorization failed", req.ProxyName) info = fmt.Sprintf("ProxyName [%s], authorization failed", req.ProxyName)
log.Warn(info) log.Warn(info)
log.Debug("AuthKey [%s] and get [%s]", authKey, req.AuthKey)
return return
} }
} }

64
src/utils/pcrypto/pcrypto.go
View File

@ -20,9 +20,10 @@ import (
"crypto/aes" "crypto/aes"
"crypto/cipher" "crypto/cipher"
"crypto/md5" "crypto/md5"
"crypto/rand"
"encoding/hex" "encoding/hex"
"errors"
"fmt" "fmt"
"io"
"io/ioutil" "io/ioutil"
) )
@ -33,35 +34,47 @@ type Pcrypto struct {
func (pc *Pcrypto) Init(key []byte) error { func (pc *Pcrypto) Init(key []byte) error {
var err error var err error
pc.pkey = pKCS7Padding(key, aes.BlockSize) pc.pkey = pkKeyPadding(key)
pc.paes, err = aes.NewCipher(pc.pkey) pc.paes, err = aes.NewCipher(pc.pkey)
return err return err
} }
func (pc *Pcrypto) Encrypt(src []byte) ([]byte, error) { func (pc *Pcrypto) Encrypt(src []byte) ([]byte, error) {
// aes // aes
src = pKCS7Padding(src, aes.BlockSize) src = pKCS5Padding(src, aes.BlockSize)
blockMode := cipher.NewCBCEncrypter(pc.paes, pc.pkey) ciphertext := make([]byte, aes.BlockSize+len(src))
crypted := make([]byte, len(src))
blockMode.CryptBlocks(crypted, src) // The IV needs to be unique, but not secure. Therefore it's common to
return crypted, nil // include it at the beginning of the ciphertext.
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, err
}
blockMode := cipher.NewCBCEncrypter(pc.paes, iv)
blockMode.CryptBlocks(ciphertext[aes.BlockSize:], src)
return ciphertext, nil
} }
func (pc *Pcrypto) Decrypt(str []byte) ([]byte, error) { func (pc *Pcrypto) Decrypt(str []byte) ([]byte, error) {
// aes // aes
decryptText, err := hex.DecodeString(fmt.Sprintf("%x", str)) ciphertext, err := hex.DecodeString(fmt.Sprintf("%x", str))
if err != nil { if err != nil {
return nil, err return nil, err
} }
if len(decryptText)%aes.BlockSize != 0 { if len(ciphertext) < aes.BlockSize {
return nil, errors.New("crypto/cipher: ciphertext is not a multiple of the block size") return nil, fmt.Errorf("ciphertext too short")
}
iv := ciphertext[:aes.BlockSize]
ciphertext = ciphertext[aes.BlockSize:]
if len(ciphertext)%aes.BlockSize != 0 {
return nil, fmt.Errorf("crypto/cipher: ciphertext is not a multiple of the block size")
} }
blockMode := cipher.NewCBCDecrypter(pc.paes, pc.pkey) blockMode := cipher.NewCBCDecrypter(pc.paes, iv)
blockMode.CryptBlocks(ciphertext, ciphertext)
blockMode.CryptBlocks(decryptText, decryptText) return pKCS5UnPadding(ciphertext), nil
return pKCS7UnPadding(decryptText), nil
} }
func (pc *Pcrypto) Compression(src []byte) ([]byte, error) { func (pc *Pcrypto) Compression(src []byte) ([]byte, error) {
@ -87,13 +100,32 @@ func (pc *Pcrypto) Decompression(src []byte) ([]byte, error) {
return str, nil return str, nil
} }
func pKCS7Padding(ciphertext []byte, blockSize int) []byte { func pkKeyPadding(key []byte) []byte {
l := len(key)
if l == 16 || l == 24 || l == 32 {
return key
}
if l < 16 {
return append(key, bytes.Repeat([]byte{byte(0)}, 16-l)...)
} else if l < 24 {
return append(key, bytes.Repeat([]byte{byte(0)}, 24-l)...)
} else if l < 32 {
return append(key, bytes.Repeat([]byte{byte(0)}, 32-l)...)
} else {
md5Ctx := md5.New()
md5Ctx.Write(key)
md5Str := md5Ctx.Sum(nil)
return []byte(hex.EncodeToString(md5Str))
}
}
func pKCS5Padding(ciphertext []byte, blockSize int) []byte {
padding := blockSize - len(ciphertext)%blockSize padding := blockSize - len(ciphertext)%blockSize
padtext := bytes.Repeat([]byte{byte(padding)}, padding) padtext := bytes.Repeat([]byte{byte(padding)}, padding)
return append(ciphertext, padtext...) return append(ciphertext, padtext...)
} }
func pKCS7UnPadding(origData []byte) []byte { func pKCS5UnPadding(origData []byte) []byte {
length := len(origData) length := len(origData)
unpadding := int(origData[length-1]) unpadding := int(origData[length-1])
return origData[:(length - unpadding)] return origData[:(length - unpadding)]

17
src/utils/pcrypto/pcrypto_test.go
View File

@ -24,7 +24,7 @@ var (
func init() { func init() {
pp = &Pcrypto{} pp = &Pcrypto{}
pp.Init([]byte("Hana")) pp.Init([]byte("12234567890123451223456789012345321:wq"))
} }
func TestEncrypt(t *testing.T) { func TestEncrypt(t *testing.T) {
@ -60,3 +60,18 @@ func TestCompression(t *testing.T) {
t.Fatalf("test compression error, from [%s] to [%s]", testStr, string(res)) t.Fatalf("test compression error, from [%s] to [%s]", testStr, string(res))
} }
} }
func BenchmarkEncrypt(b *testing.B) {
testStr := "Test Encrypt!"
for i := 0; i < b.N; i++ {
pp.Encrypt([]byte(testStr))
}
}
func BenchmarkDecrypt(b *testing.B) {
testStr := "Test Encrypt!"
res, _ := pp.Encrypt([]byte(testStr))
for i := 0; i < b.N; i++ {
pp.Decrypt([]byte(res))
}
}