update crypto

WMMJC · Feb 24, 2023 · 805cd9f · 805cd9f
1 parent 71857c3
commit 805cd9f
Show file tree

Hide file tree

Showing 21 changed files with 1,392 additions and 1,333 deletions.
diff --git a/app/conn/internal/config/config.go b/app/conn/internal/config/config.go
@@ -21,5 +21,4 @@ type Config struct {
 	NoticeRpc     zrpc.RpcClientConf
 	RsaPublicKey  string // 客户端使用公钥来加密
 	RsaPrivateKey string // 服务端使用私钥来解密
-	AesIv         string // 客户端使用iv来加密
 }
diff --git a/app/conn/internal/logic/connLogic.go b/app/conn/internal/logic/connLogic.go
@@ -55,6 +55,7 @@ func (l *ConnLogic) BeforeConnect(ctx context.Context, param types.ConnParam) (i
 			NetworkUsed: param.NetworkUsed,
 			Headers:     param.Headers,
 			AesKey:      param.AesKey,
+			AesIv:       param.AesIv,
 		},
 	})
 	if err != nil {
@@ -114,6 +115,7 @@ func (l *ConnLogic) AddSubscriber(c *types.UserConn) {
 					Headers:     param.Headers,
 					PodIp:       l.svcCtx.PodIp,
 					AesKey:      param.AesKey,
+					AesIv:       param.AesIv,
 				},
 				ConnectedAt: utils.AnyToString(c.ConnectedAt.UnixMilli()),
 			})
@@ -157,6 +159,7 @@ func (l *ConnLogic) DeleteSubscriber(c *types.UserConn) {
 					Headers:     c.ConnParam.Headers,
 					PodIp:       l.svcCtx.PodIp,
 					AesKey:      c.ConnParam.AesKey,
+					AesIv:       c.ConnParam.AesIv,
 				},
 				ConnectedAt:    utils.AnyToString(c.ConnectedAt.UnixMilli()),
 				DisconnectedAt: utils.AnyToString(time.Now().UnixMilli()),
@@ -286,9 +289,9 @@ func (l *ConnLogic) GetConnsByFilter(filter func(c *types.UserConn) bool) []*typ
 func (l *ConnLogic) SendMsgToConn(c *types.UserConn, data []byte) error {
 	// 加密
 	{
-		if c.ConnParam.AesKey != nil {
+		if c.ConnParam.AesKey != nil && c.ConnParam.AesIv != nil {
 			// aes加密
-			data = xaes.Encrypt([]byte(l.svcCtx.Config.AesIv), []byte(*c.ConnParam.AesKey), data)
+			data = xaes.Encrypt([]byte(*c.ConnParam.AesIv), []byte(*c.ConnParam.AesKey), data)
 		}
 	}
 	return c.Conn.Write(c.Ctx, int(websocket.MessageBinary), data)

diff --git a/app/conn/internal/logic/connReceiveLogic.go b/app/conn/internal/logic/connReceiveLogic.go
@@ -36,10 +36,10 @@ func (l *ConnLogic) OnReceive(ctx context.Context, c *types.UserConn, typ int, m
 		// 接收到消息
 		{
 			// 解密
-			if c.ConnParam.AesKey != nil {
+			if c.ConnParam.AesKey != nil && c.ConnParam.AesIv != nil {
 				// aes解密
 				var err error
-				msg, err = xaes.Decrypt([]byte(l.svcCtx.Config.AesIv), []byte(*c.ConnParam.AesKey), msg)
+				msg, err = xaes.Decrypt([]byte(*c.ConnParam.AesIv), []byte(*c.ConnParam.AesKey), msg)
 				if err != nil {
 					l.Errorf("【疑似攻击】userId: %s, ip: %s, ip2region: %s", c.ConnParam.UserId, c.ConnParam.Ips, ip2region.Ip2Region(c.ConnParam.Ips).String())
 					c.Conn.Close(int(websocket.StatusPolicyViolation), "protocol error")

diff --git a/app/conn/internal/logic/getUserConnLogic.go b/app/conn/internal/logic/getUserConnLogic.go
@@ -36,6 +36,7 @@ func (l *GetUserConnLogic) GetUserConn(in *pb.GetUserConnReq) (*pb.GetUserConnRe
 			PodIp:       l.svcCtx.PodIp,
 			Timestamp:   conn.ConnParam.Timestamp,
 			AesKey:      conn.ConnParam.AesKey,
+			AesIv:       conn.ConnParam.AesIv,
 		})
 	}
 	return &pb.GetUserConnResp{ConnParams: resp}, nil

diff --git a/app/conn/internal/logic/sendMsgLogic.go b/app/conn/internal/logic/sendMsgLogic.go
@@ -61,6 +61,7 @@ func (l *SendMsgLogic) SendMsg(in *pb.SendMsgReq) (*pb.SendMsgResp, error) {
 			Headers:     c.ConnParam.Headers,
 			PodIp:       l.svcCtx.PodIp,
 			AesKey:      c.ConnParam.AesKey,
+			AesIv:       c.ConnParam.AesIv,
 		}
 		if err != nil {
 			l.Infof("SendMsg error: %v, uid: %s, platform: %s", err, c.ConnParam.UserId, c.ConnParam.Platform)

diff --git a/app/conn/internal/logic/setConnParamsLogic.go b/app/conn/internal/logic/setConnParamsLogic.go
@@ -37,6 +37,7 @@ func (l *SetConnParamsLogic) SetConnParams(ctx context.Context, req *pb.SetCxnPa
 		NetworkUsed: req.GetNetworkUsed(),
 		Ext:         req.GetExt(),
 		AesKey:      req.GetAesKey(),
+		AesIv:       req.GetAesIv(),
 	}, nil
 }
 
@@ -56,6 +57,20 @@ func (l *SetConnParamsLogic) Callback(ctx context.Context, resp *pb.SetCxnParams
 		// 设置 aesKey
 		aesKey = utils.AnyPtr(utils.Md5Bytes(decrypt))
 	}
+	// rsa加密后的 aesIv
+	aesIvEncrypted := resp.GetAesIv()
+	var aesIv *string
+	// 是否不为空
+	if len(aesIvEncrypted) > 0 {
+		decrypt, err := xrsa.Decrypt(aesIvEncrypted, []byte(l.svcCtx.Config.RsaPrivateKey))
+		if err != nil {
+			// 断开连接
+			c.Conn.Close(types.WebsocketStatusCodeRsaFailed(), "rsa decrypt failed")
+			return
+		}
+		// 设置 aesIv
+		aesIv = utils.AnyPtr(utils.Md5Bytes16(decrypt))
+	}
 	c.SetConnParams(&pb.ConnParam{
 		UserId:      c.ConnParam.UserId,
 		Token:       c.ConnParam.Token,
@@ -70,5 +85,6 @@ func (l *SetConnParamsLogic) Callback(ctx context.Context, resp *pb.SetCxnParams
 		AppVersion:  resp.AppVersion,
 		Language:    resp.Language,
 		AesKey:      aesKey,
+		AesIv:       aesIv,
 	})
 }
diff --git a/app/conn/internal/logic/setUserParamsLogic.go b/app/conn/internal/logic/setUserParamsLogic.go
@@ -86,6 +86,7 @@ func (l *SetUserParamsLogic) Callback(ctx context.Context, resp *pb.SetUserParam
 		AppVersion:  c.ConnParam.AppVersion,
 		Language:    c.ConnParam.Language,
 		AesKey:      c.ConnParam.AesKey,
+		AesIv:       c.ConnParam.AesIv,
 	})
 	GetConnLogic().AddSubscriber(c)
 }
diff --git a/app/conn/internal/types/types.go b/app/conn/internal/types/types.go
@@ -44,6 +44,7 @@ type (
 		Headers     map[string]string // 其他参数
 		Timestamp   int64             // 时间戳
 		AesKey      *string           // aes key
+		AesIv       *string           // aes iv
 	}
 )
 
@@ -60,6 +61,7 @@ func (c *UserConn) SetConnParams(connParam *pb.ConnParam) {
 	c.ConnParam.NetworkUsed = connParam.NetworkUsed
 	c.ConnParam.Headers = connParam.Headers
 	c.ConnParam.AesKey = connParam.AesKey
+	c.ConnParam.AesIv = connParam.AesIv
 }
 
 func WebsocketStatusCodeAuthFailed(code int) int {

diff --git a/app/mgmt/internal/logic/getServerAllConfigLogic.go b/app/mgmt/internal/logic/getServerAllConfigLogic.go
@@ -59,7 +59,6 @@ func (l *GetServerAllConfigLogic) GetServerAllConfig(in *pb.GetServerAllConfigRe
 			WebsocketPort: config.ConnRpc.WebsocketPort,
 			RsaPublicKey:  config.ConnRpc.RsaPublicKey,
 			RsaPrivateKey: config.ConnRpc.RsaPrivateKey,
-			AesIv:         config.ConnRpc.AesIv,
 		},
 		ImRpc: &pb.GetServerAllConfigResp_ImRpcConfig{Port: config.ImRpc.Port},
 		MsgRpc: &pb.GetServerAllConfigResp_MsgRpcConfig{

diff --git a/app/mgmt/internal/logic/getServerConfigLogic.go b/app/mgmt/internal/logic/getServerConfigLogic.go
@@ -194,7 +194,6 @@ func GetConfig(serverConfig *mgmtmodel.ServerConfig, name string) map[string]any
 		c["ListenOn"] = fmt.Sprintf("%s:%d", serverConfig.Common.Host, serverConfig.ConnRpc.Port)
 		c["RsaPublicKey"] = serverConfig.ConnRpc.RsaPublicKey
 		c["RsaPrivateKey"] = serverConfig.ConnRpc.RsaPrivateKey
-		c["AesIv"] = serverConfig.ConnRpc.AesIv
 	case "im":
 		c["ListenOn"] = fmt.Sprintf("%s:%d", serverConfig.Common.Host, serverConfig.ImRpc.Port)
 	case "appmgmt":

diff --git a/app/mgmt/internal/logic/updateServerConfigLogic.go b/app/mgmt/internal/logic/updateServerConfigLogic.go
@@ -61,7 +61,6 @@ func (l *UpdateServerConfigLogic) UpdateServerConfig(in *pb.UpdateServerConfigRe
 			Port:          in.Config.ConnRpc.Port,
 			WebsocketPort: in.Config.ConnRpc.WebsocketPort,
 			RsaPublicKey:  in.Config.ConnRpc.RsaPublicKey,
-			AesIv:         in.Config.ConnRpc.AesIv,
 			RsaPrivateKey: in.Config.ConnRpc.RsaPrivateKey,
 		},
 		ImRpc: mgmtmodel.ImRpcConfig{Port: in.Config.ImRpc.Port},

diff --git a/app/mgmt/mgmtmodel/serverconfig.go b/app/mgmt/mgmtmodel/serverconfig.go
@@ -95,7 +95,6 @@ type (
 		WebsocketPort int64  // default: 6701
 		RsaPublicKey  string // 客户端使用公钥来加密
 		RsaPrivateKey string // 服务端使用私钥来解密
-		AesIv         string
 	}
 	ImRpcConfig struct {
 		Port int64 // default: 6702
@@ -191,7 +190,6 @@ func defaultServerConfig(redisConfig redis.RedisConf) *ServerConfig {
 			WebsocketPort: 6701,
 			RsaPublicKey:  "",
 			RsaPrivateKey: "",
-			AesIv:         "",
 		},
 		ImRpc: ImRpcConfig{
 			Port: 6702,