| -rw-r--r-- | pkg/server/hook/aes.go | 22 | ||||
| -rw-r--r-- | pkg/server/hook/auth.go | 20 | ||||
| -rw-r--r-- | pkg/test/auth_test.go | 44 | ||||
| -rw-r--r-- | pkg/test/test.go | 11 | ||||
| -rwxr-xr-x | test/auth.sh | 12 |
5 files changed, 59 insertions, 50 deletions
diff --git a/pkg/server/hook/aes.go b/pkg/server/hook/aes.go
index 184d18d..6bb43fa 100644
--- a/pkg/server/hook/aes.go
+++ b/pkg/server/hook/aes.go
@@ -5,7 +5,11 @@ import (
 "crypto/cipher"
 "crypto/md5"
 "crypto/rand"
+ "errors"
+ "fmt"
 "io"
+ "os"
+ "strings"
 "tunnel/pkg/server/env"
 "tunnel/pkg/server/queue"
@@ -65,11 +69,23 @@ func (a *aesPipe) Recv(rq, wq queue.Q) error {
 }
 func (aesHook) New(env env.Env) (interface{}, error) {
- s := env.Value("secret")
- h := md5.Sum([]byte(s))
+ file := env.Value("aesfile")
+ if file == "" {
+ return nil, errors.New("no aesfile configured")
+ }
+ b, err := os.ReadFile(file)
+ if err != nil {
+ return nil, fmt.Errorf("aesfile: %w", err)
+ }
+ s := strings.TrimSpace(string(b))
+ if s == "" {
+ return nil, errors.New("aesfile: no secret")
+ }
+
+ key := md5.Sum([]byte(s))
 a := &aesPipe{key: make([]byte, 16)}
- copy(a.key, h[:])
+ copy(a.key, key[:])
 return a, nil
 }
diff --git a/pkg/server/hook/auth.go b/pkg/server/hook/auth.go
index 0f70d88..9c8ca35 100644
--- a/pkg/server/hook/auth.go
+++ b/pkg/server/hook/auth.go
@@ -68,19 +68,18 @@ func hashsum(args ...string) string {
 func getpass(f *os.File, salt string, user string) string {
 f.Seek(0, 0)
+ match := func(s, t string) bool {
+ if salt == "" {
+ return s == t
+ }
+ return hashsum(salt, s) == t
+ }
+
 for scanner := bufio.NewScanner(f); scanner.Scan(); {
 splitted := strings.SplitN(scanner.Text(), "#", 2)
 tokens := strings.Fields(splitted[0])
- if len(tokens) > 1 {
- if salt == "" {
- if tokens[0] == user {
- return tokens[1]
- }
- } else {
- if hashsum(salt, tokens[0]) == user {
- return tokens[1]
- }
- }
+ if len(tokens) > 1 && match(tokens[0], user) {
+ return tokens[1]
 }
 }
@@ -226,7 +225,6 @@ func (a *auth) Close() {
 func (h *authHook) New(env env.Env) (interface{}, error) {
 file := env.Value("authfile")
-
 if file == "" {
 return nil, errors.New("no authfile configured")
 }
diff --git a/pkg/test/auth_test.go b/pkg/test/auth_test.go
index 1741d68..ece17d3 100644
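Review bot: `key := md5.Sum([]byte(s))` is still the only key derivation, so the 16-byte AES key is exactly as strong as the text in `aesfile`; a short, human-chosen passphrase gives a key that is cheap to recover offline, because a single unsalted MD5 has no work factor. This commit already breaks compatibility with the old `secret` value, so it is the natural point to switch to a proper KDF (or to read a raw random key from the file); at minimum the option deserves a comment such as `// aesfile must hold a high-entropy secret: the key is md5(secret) with no stretching`. Separately, `os.ReadFile(file)` accepts a world-readable secret file without comment; an `os.Stat` check that refuses (or logs) when `fi.Mode().Perm()&0o077 != 0` would catch the most common deployment mistake. `strings.TrimSpace` also silently alters a secret that intentionally starts or ends with whitespace, which is worth a one-line note on the option.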
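Review bot: The new `match` closure in getpass carries no comment explaining its two modes, and the lookup loop still discards the errors that bound it: `f.Seek(0, 0)` on the first line of the hunk ignores its result, and `scanner.Err()` is never consulted after the `for` loop, so a read error silently ends the scan and reads as "no such user". That is the safe direction for an authentication lookup, but it hides an unreadable authfile behind an auth failure; checking `scanner.Err()` after the loop and recording or returning it (the hunk does not show which logger the package has available) would surface it. A comment such as `// match compares a file entry against the presented user: plain equality when no salt is configured, otherwise the salted hash of the entry` would document the closure. getpass's tail after the loop is outside the hunk.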
--- a/pkg/test/auth_test.go
+++ b/pkg/test/auth_test.go
@@ -1,9 +1,8 @@
 package test
 import (
- "testing"
- "fmt"
 "os"
+ "testing"
 )
 func TestAuthHook(t *testing.T) {
@@ -12,25 +11,17 @@ func TestAuthHook(t *testing.T) {
 c := e.newInstance()
- var secrets string
-
- f, err := os.CreateTemp("", "test-auth-")
- if err != nil {
- e.Fatalf("create temp: %v", err)
- }
-
- secrets = f.Name()
-
- fmt.Fprintln(f, "T t")
- fmt.Fprintln(f, "X x")
- f.Close()
+ authfile := e.NewTempFile("test-auth-", "T t\nX x\n")
+ defer os.Remove(authfile)
- defer os.Remove(secrets)
+ aesfile := e.NewTempFile("test-aes-", "secret")
+ defer os.Remove(aesfile)
 c.Exec("add name T listen,addr=%%0 auth aes dial,addr=@[tunnel.X.listen]")
 c.Exec("add name X listen,addr=%%0 /aes /auth dial,addr=@[addr]")
- c.Exec("set authfile %s", secrets)
+ c.Exec("set aesfile %s", aesfile)
+ c.Exec("set authfile %s", authfile)
 c.Exec("set tunnel.T.authuser T")
 c.Exec("set tunnel.X.authuser X")
@@ -56,24 +47,13 @@ func TestAuthPassiveHook(t *testing.T) {
 c := e.newInstance()
- var secrets string
+ authfile := e.NewTempFile("test-auth-", "T t\n")
+ defer os.Remove(authfile)
- f, err := os.CreateTemp("", "test-auth-passive-")
- if err != nil {
- e.Fatalf("create temp: %v", err)
- }
-
- secrets = f.Name()
-
- fmt.Fprintln(f, "T t")
- f.Close()
-
- defer os.Remove(secrets)
-
- c.Exec("add name T listen,addr=%%0 auth aes dial,addr=@[tunnel.X.listen]")
- c.Exec("add name X listen,addr=%%0 /aes /auth,passive dial,addr=@[addr]")
+ c.Exec("add name T listen,addr=%%0 auth dial,addr=@[tunnel.X.listen]")
+ c.Exec("add name X listen,addr=%%0 /auth,passive dial,addr=@[addr]")
- c.Exec("set authfile %s", secrets)
+ c.Exec("set authfile %s", authfile)
 c.Exec("set tunnel.T.authuser T")
 listen := e.Listen("tcp", "127.0.0.1:0")
diff --git a/pkg/test/test.go b/pkg/test/test.go
index 1237fe7..16860b1 100644
--- a/pkg/test/test.go
+++ b/pkg/test/test.go
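Review bot: TestAuthPassiveHook now builds T with `auth` and X with `/auth,passive` alone, where the removed lines had `auth aes` and `/aes /auth,passive`, so the passive path is no longer exercised underneath the aes pipe and TestAuthHook is the only remaining aes coverage. If dropping the hop was deliberate (this test configures no `aesfile`), a line such as `// passive auth is exercised without the aes hop; TestAuthHook covers aes+auth` would keep the next reader from taking it for an accident. Otherwise adding `aesfile := e.NewTempFile("test-aes-", "secret")` with its `defer os.Remove(aesfile)` and the matching `set aesfile` line, as in TestAuthHook, restores the previous configuration.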
@@ -178,3 +178,14 @@ func (e *env) ReadFull(conn net.Conn, buf []byte) {
 }
 conn.SetDeadline(time.Time{})
 }
+
+func (e *env) NewTempFile(pattern string, data string) string {
+ f, err := os.CreateTemp("", pattern)
+ if err != nil {
+ e.Fatalf("create temp: %v", err)
+ }
+ defer f.Close()
+
+ io.WriteString(f, data)
+ return f.Name()
+}
diff --git a/test/auth.sh b/test/auth.sh
index 608b4fd..1baf2bb 100755
--- a/test/auth.sh
+++ b/test/auth.sh
@@ -1,20 +1,24 @@
 #!/bin/bash
-FILE=`mktemp`
+AESFILE=`mktemp`
+AUTHFILE=`mktemp`
-cat > $FILE <<EOF
+echo secret > $AESFILE
+
+cat > $AUTHFILE <<EOF
 T t
 X x
 EOF
-trap 'unlink $FILE' EXIT
+trap 'rm -f $AESFILE $AUTHFILE' EXIT
 ROOT=$(dirname $0)/..
 PATH=$ROOT/bin:$PATH
 tunnel add name T listen,addr=%2000 auth dump aes dial,addr=%3000
 tunnel add name X listen,addr=%3000 /aes /auth dial,addr=%4000
-tunnel set authfile $FILE
+tunnel set aesfile $AESFILE
+tunnel set authfile $AUTHFILE
 tunnel set tunnel.T.authuser T
 tunnel set tunnel.X.authuser X
 nc -l 4000 & |
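Review bot: `io.WriteString(f, data)` in NewTempFile drops both return values, so a short write or write error produces a truncated fixture and the test then fails somewhere downstream (for an aesfile, with "aesfile: no secret") instead of at the helper that caused it. Check it the same way the `os.CreateTemp` error already is: `if _, err := io.WriteString(f, data); err != nil {` / `e.Fatalf("write temp: %v", err)` / `}`. The deferred `f.Close()` error is likewise discarded; for a fixture writer an explicit `Close` before `return f.Name()` with its error checked is the stricter form. A doc comment, `// NewTempFile writes data to a fresh temp file and returns its path; the caller is responsible for removing it.`, would also help since this is an exported method on the test env helper.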
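Review bot: The new assignments keep the backtick `mktemp` substitution and their expansions are unquoted, e.g. `echo secret > $AESFILE` and the `tunnel set` lines; the modern, shellcheck-clean spelling is `AESFILE=$(mktemp)` and `echo secret > "$AESFILE"`, likewise for `$AUTHFILE`. mktemp paths normally contain no whitespace, so this is hygiene rather than a bug. The single-quoted `trap 'rm -f $AESFILE $AUTHFILE' EXIT` is correct as written: it expands at exit, after both variables are set.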
