Encrypt session communication
This commit is contained in:
Milos Gajdos
@@ -8,7 +8,7 @@ import (
|
|||||||
"io"
|
"io"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Encrypt encrypts data and returns encrypted payload
|
// Encrypt encrypts data and returns the encrypted data
|
||||||
func Encrypt(data []byte, key string) ([]byte, error) {
|
func Encrypt(data []byte, key string) ([]byte, error) {
|
||||||
// generate a new AES cipher using our 32 byte key
|
// generate a new AES cipher using our 32 byte key
|
||||||
c, err := aes.NewCipher(hash(key))
|
c, err := aes.NewCipher(hash(key))
|
||||||
@@ -37,7 +37,7 @@ func Encrypt(data []byte, key string) ([]byte, error) {
|
|||||||
return gcm.Seal(nonce, nonce, data, nil), nil
|
return gcm.Seal(nonce, nonce, data, nil), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Decrypt decrypts the payload and returns decrypted data
|
// Decrypt decrypts the payload and returns the decrypted data
|
||||||
func Decrypt(data []byte, key string) ([]byte, error) {
|
func Decrypt(data []byte, key string) ([]byte, error) {
|
||||||
// generate AES cipher for decrypting the message
|
// generate AES cipher for decrypting the message
|
||||||
c, err := aes.NewCipher(hash(key))
|
c, err := aes.NewCipher(hash(key))
|
||||||
@@ -64,7 +64,7 @@ func Decrypt(data []byte, key string) ([]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// hash hahes the data into 32 bytes key and returns it
|
// hash hahes the data into 32 bytes key and returns it
|
||||||
// hash uses sha256 to hash the passed in string.
|
// hash uses sha256 underneath to hash the supplied key
|
||||||
func hash(key string) []byte {
|
func hash(key string) []byte {
|
||||||
hasher := sha256.New()
|
hasher := sha256.New()
|
||||||
hasher.Write([]byte(key))
|
hasher.Write([]byte(key))
|
||||||
|
|||||||
@@ -301,13 +301,27 @@ func (s *session) Send(m *transport.Message) error {
|
|||||||
// no op
|
// no op
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// get the token
|
||||||
|
token, ok := m.Header["Micro-Tunnel-Token"]
|
||||||
|
if !ok {
|
||||||
|
// TODO: should we continue or return error
|
||||||
|
log.Debugf("no token found, insecure channel")
|
||||||
|
}
|
||||||
|
|
||||||
|
// encrypt the transport message payload
|
||||||
|
body, err := Encrypt(m.Body, token+s.channel+s.session)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
// make copy
|
// make copy
|
||||||
data := &transport.Message{
|
data := &transport.Message{
|
||||||
Header: make(map[string]string),
|
Header: make(map[string]string),
|
||||||
Body: m.Body,
|
Body: body,
|
||||||
}
|
}
|
||||||
|
|
||||||
for k, v := range m.Header {
|
for k, v := range m.Header {
|
||||||
|
// TODO: should we also encrypt headers?
|
||||||
data.Header[k] = v
|
data.Header[k] = v
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -352,7 +366,22 @@ func (s *session) Recv(m *transport.Message) error {
|
|||||||
default:
|
default:
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: if we encrypt headers we will have to decrypt them here
|
||||||
|
token, ok := msg.data.Header["Micro-Tunnel-Token"]
|
||||||
|
if !ok {
|
||||||
|
// TODO: should we continue or return error
|
||||||
|
log.Debugf("no token found, insecure channel")
|
||||||
|
}
|
||||||
|
|
||||||
log.Tracef("Received %+v from recv backlog", msg)
|
log.Tracef("Received %+v from recv backlog", msg)
|
||||||
|
|
||||||
|
// decrypt the received payload using the token
|
||||||
|
body, err := Decrypt(msg.data.Body, token+s.channel+s.session)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
msg.data.Body = body
|
||||||
|
|
||||||
// set message
|
// set message
|
||||||
*m = *msg.data
|
*m = *msg.data
|
||||||
// return nil
|
// return nil
|
||||||
|
|||||||
Reference in New Issue
Block a user