authorMikhail Osipov <mike.osipov@gmail.com>2021-09-22 14:08:50 +0300
committerMikhail Osipov <mike.osipov@gmail.com>2021-09-22 14:10:24 +0300
commitbb5930cfc1852de96296c3a8b19b1e202e5c504c (patch)
treee66aad2b93762e88889ce7052cb2e9b1a50e32e6
parent8f869ec31d249732e22c609e8dff0a492a47af5a (diff)
aes: get secret from file
-rw-r--r--pkg/server/hook/aes.go22
-rw-r--r--pkg/server/hook/auth.go20
-rw-r--r--pkg/test/auth_test.go44
-rw-r--r--pkg/test/test.go11
-rwxr-xr-xtest/auth.sh12
5 files changed, 59 insertions, 50 deletions
diff --git a/pkg/server/hook/aes.go b/pkg/server/hook/aes.go
index 184d18d..6bb43fa 100644
--- a/pkg/server/hook/aes.go
+++ b/pkg/server/hook/aes.go
@@ -5,7 +5,11 @@ import (
"crypto/cipher"
"crypto/md5"
"crypto/rand"
+ "errors"
+ "fmt"
"io"
+ "os"
+ "strings"
"tunnel/pkg/server/env"
"tunnel/pkg/server/queue"
@@ -65,11 +69,23 @@ func (a *aesPipe) Recv(rq, wq queue.Q) error {
}
func (aesHook) New(env env.Env) (interface{}, error) {
- s := env.Value("secret")
- h := md5.Sum([]byte(s))
+ file := env.Value("aesfile")
+ if file == "" {
+ return nil, errors.New("no aesfile configured")
+ }
+ b, err := os.ReadFile(file)
+ if err != nil {
+ return nil, fmt.Errorf("aesfile: %w", err)
+ }
+ s := strings.TrimSpace(string(b))
+ if s == "" {
+ return nil, errors.New("aesfile: no secret")
+ }
+
+ key := md5.Sum([]byte(s))
a := &aesPipe{key: make([]byte, 16)}
- copy(a.key, h[:])
+ copy(a.key, key[:])
return a, nil
}
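Review bot: The AES-128 key on the new `key := md5.Sum([]byte(s))` line is still a single unsalted MD5 of whatever string the file holds, so its strength is bounded by that string and the MD5 step adds nothing over using the bytes directly. Now that the secret comes from a file rather than a config value, the file can carry a full 16-byte random key (hex-encoded and decoded with `hex.DecodeString`), or a passphrase can go through a real KDF such as `pbkdf2`/`scrypt` from golang.org/x/crypto; at minimum record the scheme next to that line: `// key = MD5(secret): the key is only as strong as the secret in aesfile`. The file's permissions are also not checked before the read, so a world-readable key file is accepted silently; a guard such as `if fi, err := os.Stat(file); err == nil && fi.Mode().Perm()&0077 != 0 { return nil, fmt.Errorf("aesfile %q: mode %#o is readable by others", file, fi.Mode().Perm()) }` rejects that on Unix (the Perm bits are not meaningful on Windows). The `strings.TrimSpace` on the contents is a sensible choice since `echo secret > file` in test/auth.sh produces a trailing newline.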
diff --git a/pkg/server/hook/auth.go b/pkg/server/hook/auth.go
index 0f70d88..9c8ca35 100644
--- a/pkg/server/hook/auth.go
+++ b/pkg/server/hook/auth.go
@@ -68,19 +68,18 @@ func hashsum(args ...string) string {
func getpass(f *os.File, salt string, user string) string {
f.Seek(0, 0)
+ match := func(s, t string) bool {
+ if salt == "" {
+ return s == t
+ }
+ return hashsum(salt, s) == t
+ }
+
for scanner := bufio.NewScanner(f); scanner.Scan(); {
splitted := strings.SplitN(scanner.Text(), "#", 2)
tokens := strings.Fields(splitted[0])
- if len(tokens) > 1 {
- if salt == "" {
- if tokens[0] == user {
- return tokens[1]
- }
- } else {
- if hashsum(salt, tokens[0]) == user {
- return tokens[1]
- }
- }
+ if len(tokens) > 1 && match(tokens[0], user) {
+ return tokens[1]
}
}
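Review bot: The new `match` closure compares a salted hash with a caller-supplied string using `==` on the `return hashsum(salt, s) == t` line; if `user` is the value presented by the remote peer, `==` stops at the first differing byte, and `subtle.ConstantTimeCompare([]byte(hashsum(salt, s)), []byte(t)) == 1` (import `crypto/subtle`) removes that timing dependence at no real cost. Where `user` is trusted local configuration this is only a matter of style. Separately, the loop exits when `scanner.Scan()` returns false without consulting `scanner.Err()`, so an I/O error while reading the auth file is indistinguishable from "user not found"; this predates the commit, but the loop body is touched here and a `if err := scanner.Err(); err != nil { ... }` after the loop would make the failure visible. getpass's body continues past the hunk (its fall-through return is outside it).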
@@ -226,7 +225,6 @@ func (a *auth) Close() {
func (h *authHook) New(env env.Env) (interface{}, error) {
file := env.Value("authfile")
-
if file == "" {
return nil, errors.New("no authfile configured")
}
diff --git a/pkg/test/auth_test.go b/pkg/test/auth_test.go
index 1741d68..ece17d3 100644
--- a/pkg/test/auth_test.go
+++ b/pkg/test/auth_test.go
@@ -1,9 +1,8 @@
package test
import (
- "testing"
- "fmt"
"os"
+ "testing"
)
func TestAuthHook(t *testing.T) {
@@ -12,25 +11,17 @@ func TestAuthHook(t *testing.T) {
c := e.newInstance()
- var secrets string
-
- f, err := os.CreateTemp("", "test-auth-")
- if err != nil {
- e.Fatalf("create temp: %v", err)
- }
-
- secrets = f.Name()
-
- fmt.Fprintln(f, "T t")
- fmt.Fprintln(f, "X x")
- f.Close()
+ authfile := e.NewTempFile("test-auth-", "T t\nX x\n")
+ defer os.Remove(authfile)
- defer os.Remove(secrets)
+ aesfile := e.NewTempFile("test-aes-", "secret")
+ defer os.Remove(aesfile)
c.Exec("add name T listen,addr=%%0 auth aes dial,addr=@[tunnel.X.listen]")
c.Exec("add name X listen,addr=%%0 /aes /auth dial,addr=@[addr]")
- c.Exec("set authfile %s", secrets)
+ c.Exec("set aesfile %s", aesfile)
+ c.Exec("set authfile %s", authfile)
c.Exec("set tunnel.T.authuser T")
c.Exec("set tunnel.X.authuser X")
@@ -56,24 +47,13 @@ func TestAuthPassiveHook(t *testing.T) {
c := e.newInstance()
- var secrets string
+ authfile := e.NewTempFile("test-auth-", "T t\n")
+ defer os.Remove(authfile)
- f, err := os.CreateTemp("", "test-auth-passive-")
- if err != nil {
- e.Fatalf("create temp: %v", err)
- }
-
- secrets = f.Name()
-
- fmt.Fprintln(f, "T t")
- f.Close()
-
- defer os.Remove(secrets)
-
- c.Exec("add name T listen,addr=%%0 auth aes dial,addr=@[tunnel.X.listen]")
- c.Exec("add name X listen,addr=%%0 /aes /auth,passive dial,addr=@[addr]")
+ c.Exec("add name T listen,addr=%%0 auth dial,addr=@[tunnel.X.listen]")
+ c.Exec("add name X listen,addr=%%0 /auth,passive dial,addr=@[addr]")
- c.Exec("set authfile %s", secrets)
+ c.Exec("set authfile %s", authfile)
c.Exec("set tunnel.T.authuser T")
listen := e.Listen("tcp", "127.0.0.1:0")
diff --git a/pkg/test/test.go b/pkg/test/test.go
index 1237fe7..16860b1 100644
--- a/pkg/test/test.go
+++ b/pkg/test/test.go
@@ -178,3 +178,14 @@ func (e *env) ReadFull(conn net.Conn, buf []byte) {
}
conn.SetDeadline(time.Time{})
}
+
+func (e *env) NewTempFile(pattern string, data string) string {
+ f, err := os.CreateTemp("", pattern)
+ if err != nil {
+ e.Fatalf("create temp: %v", err)
+ }
+ defer f.Close()
+
+ io.WriteString(f, data)
+ return f.Name()
+}
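Review bot: `io.WriteString(f, data)` in the new NewTempFile discards both return values, so a short write or write error leaves a truncated fixture and the failure only surfaces later as an unrelated auth or aes error; check it with `if _, err := io.WriteString(f, data); err != nil { e.Fatalf("write temp: %v", err) }`. The deferred `f.Close()` error is likewise dropped; for a file that was just written, closing explicitly and checking the error before returning `f.Name()` is cheaper to debug. Since the method is exported it should also carry a doc comment, e.g. `// NewTempFile creates a temporary file from pattern containing data and returns its path; the caller is responsible for removing it.`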
diff --git a/test/auth.sh b/test/auth.sh
index 608b4fd..1baf2bb 100755
--- a/test/auth.sh
+++ b/test/auth.sh
@@ -1,20 +1,24 @@
#!/bin/bash
-FILE=`mktemp`
+AESFILE=`mktemp`
+AUTHFILE=`mktemp`
-cat > $FILE <<EOF
+echo secret > $AESFILE
+
+cat > $AUTHFILE <<EOF
T t
X x
EOF
-trap 'unlink $FILE' EXIT
+trap 'rm -f $AESFILE $AUTHFILE' EXIT
ROOT=$(dirname $0)/..
PATH=$ROOT/bin:$PATH
tunnel add name T listen,addr=%2000 auth dump aes dial,addr=%3000
tunnel add name X listen,addr=%3000 /aes /auth dial,addr=%4000
-tunnel set authfile $FILE
+tunnel set aesfile $AESFILE
+tunnel set authfile $AUTHFILE
tunnel set tunnel.T.authuser T
tunnel set tunnel.X.authuser X
nc -l 4000 &