feat: 1. 封装tcpmux的通用aes对称加解密代码 2. 初步实现tcpmuxclient

Author: meethigher

src/main/java/top/meethigher/proxy/FastAes.java

@@ -0,0 +1,117 @@
+package top.meethigher.proxy;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.ByteBuffer;
+import java.security.SecureRandom;
+import java.util.Base64;
+
+/**
+ * 高性能 AES/GCM 对称加解密工具类（仅依赖 JDK 标准库）
+ */
+public final class FastAes {
+
+    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
+    private static final int    AES_KEY_LEN    = 128;          // bit
+    private static final int    GCM_TAG_LEN    = 128;          // bit
+    private static final int    GCM_IV_LEN     = 12;           // byte
+
+    private static final SecureRandom RAND = new SecureRandom();
+
+    /* 每个线程复用自己的 Cipher 实例 */
+    private static final ThreadLocal<Cipher> CIPHER_HOLDER = ThreadLocal.withInitial(() -> {
+        try {
+            return Cipher.getInstance(TRANSFORMATION);
+        } catch (Exception e) {
+            throw new RuntimeException("AES/GCM not available", e);
+        }
+    });
+
+    private FastAes() {}   // utility class
+
+    /* ---------------------------------- 对外 API ---------------------------------- */
+
+    /**
+     * 随机生成 AES-128 密钥
+     */
+    public static SecretKey generateKey() {
+        try {
+            KeyGenerator kg = KeyGenerator.getInstance("AES");
+            kg.init(AES_KEY_LEN);
+            return kg.generateKey();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * 将原始密钥字节数组包装成 SecretKey
+     */
+    public static SecretKey restoreKey(byte[] rawKey) {
+        if (rawKey.length != AES_KEY_LEN / 8) {
+            throw new IllegalArgumentException("Key length != 16 byte");
+        }
+        return new SecretKeySpec(rawKey, "AES");
+    }
+
+    /**
+     * 加密：返回 byte[]，格式为 IV(12B) + CipherText + Tag(16B)
+     */
+    public static byte[] encrypt(byte[] plain, SecretKey key) {
+        try {
+            byte[] iv = new byte[GCM_IV_LEN];
+            RAND.nextBytes(iv);
+
+            Cipher cipher = CIPHER_HOLDER.get();
+            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_LEN, iv));
+
+            byte[] cipherText = cipher.doFinal(plain);
+
+            return ByteBuffer.allocate(iv.length + cipherText.length)
+                             .put(iv)
+                             .put(cipherText)
+                             .array();
+        } catch (Exception e) {
+            throw new RuntimeException("Encrypt error", e);
+        }
+    }
+
+    /**
+     * 解密：输入格式须为 IV(12B) + CipherText + Tag(16B)
+     */
+    public static byte[] decrypt(byte[] ivPlusCipherText, SecretKey key) {
+        try {
+            if (ivPlusCipherText.length < GCM_IV_LEN) {
+                throw new IllegalArgumentException("Bad input length");
+            }
+            ByteBuffer buf = ByteBuffer.wrap(ivPlusCipherText);
+
+            byte[] iv = new byte[GCM_IV_LEN];
+            buf.get(iv);
+
+            byte[] cipherAndTag = new byte[buf.remaining()];
+            buf.get(cipherAndTag);
+
+            Cipher cipher = CIPHER_HOLDER.get();
+            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_LEN, iv));
+
+            return cipher.doFinal(cipherAndTag);
+        } catch (Exception e) {
+            throw new RuntimeException("Decrypt error", e);
+        }
+    }
+
+    /* ----------------------------- 简易 Base64 封装 ----------------------------- */
+
+    public static String encryptToBase64(byte[] plain, SecretKey key) {
+        return Base64.getEncoder().encodeToString(encrypt(plain, key));
+    }
+
+    public static byte[] decryptFromBase64(String base64, SecretKey key) {
+        return decrypt(Base64.getDecoder().decode(base64), key);
+    }
+
+}

src/main/java/top/meethigher/proxy/NetAddress.java

@@ -38,4 +38,13 @@ public boolean equals(Object o) {
     public int hashCode() {
         return Objects.hashCode(this.toString());
     }
+
+    public static NetAddress parse(String addr) {
+        try {
+            String[] addrArr = addr.split(":");
+            return new NetAddress(addrArr[0], Integer.parseInt(addrArr[1]));
+        } catch (Exception e) {
+            return null;
+        }
+    }
 }

src/main/java/top/meethigher/proxy/tcp/mux/Mux.java

@@ -0,0 +1,88 @@
+package top.meethigher.proxy.tcp.mux;
+
+import io.vertx.core.Vertx;
+import io.vertx.core.buffer.Buffer;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import top.meethigher.proxy.NetAddress;
+import top.meethigher.proxy.tcp.tunnel.codec.TunnelMessageCodec;
+
+import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.List;
+
+import static top.meethigher.proxy.FastAes.*;
+
+/**
+ * TCP Port Service Multiplexer (TCPMUX)
+ * <p>
+ * 单端口多路复用
+ *
+ * @author <a href="https://meethigher.top">chenchuancheng</a>
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc1078">RFC 1078 - TCP port service Multiplexer (TCPMUX)</a>
+ * @since 2025/07/26 16:18
+ */
+public abstract class Mux {
+
+    private static final Logger log = LoggerFactory.getLogger(Mux.class);
+    /**
+     * 默认对称加密密钥
+     */
+    protected static final String SECRET_DEFAULT = "1234567890abcdef";
+
+    protected static final char[] ID_CHARACTERS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ".toCharArray();
+
+
+    protected final Vertx vertx;
+
+    protected final String secret;
+
+
+    public Mux(Vertx vertx, String secret) {
+        this.vertx = vertx;
+        this.secret = secret;
+    }
+
+    /**
+     * 将host与port通过英文冒号连接，返回加密base64串(无换行)
+     */
+    public Buffer encode(List<NetAddress> netAddresses) {
+        String[] array = new String[netAddresses.size()];
+        for (int i = 0; i < array.length; i++) {
+            array[i] = netAddresses.get(i).toString();
+        }
+        String addr = String.join(",", array);
+        SecretKey key = restoreKey(secret.getBytes(StandardCharsets.UTF_8));
+        String encryptedAddr = encryptToBase64(addr.getBytes(StandardCharsets.UTF_8), key);
+        return TunnelMessageCodec.encode((short) 0, encryptedAddr.getBytes(StandardCharsets.UTF_8));
+    }
+
+    /**
+     * 将加密内容还原
+     */
+    public List<NetAddress> decode(Buffer buffer) {
+        TunnelMessageCodec.DecodedMessage decode = TunnelMessageCodec.decode(buffer);
+        String encryptedAddr = new String(decode.body, StandardCharsets.UTF_8);
+        SecretKey key = restoreKey(secret.getBytes(StandardCharsets.UTF_8));
+        String addr = new String(decryptFromBase64(encryptedAddr, key),
+                StandardCharsets.UTF_8);
+        List<NetAddress> list = new ArrayList<>();
+        if (addr.contains(",")) {
+            String[] split = addr.split(",");
+            for (String s : split) {
+                add(s, list);
+            }
+        } else {
+            add(addr, list);
+        }
+        return list;
+    }
+
+    private void add(String addr, List<NetAddress> list) {
+        NetAddress parse = NetAddress.parse(addr);
+        if (parse != null) {
+            list.add(parse);
+        }
+    }
+}

src/main/java/top/meethigher/proxy/tcp/mux/ReverseTcpProxyMuxClient.java

@@ -0,0 +1,172 @@
+package top.meethigher.proxy.tcp.mux;
+
+import io.vertx.core.Handler;
+import io.vertx.core.Vertx;
+import io.vertx.core.net.NetClient;
+import io.vertx.core.net.NetServer;
+import io.vertx.core.net.NetServerOptions;
+import io.vertx.core.net.NetSocket;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import top.meethigher.proxy.NetAddress;
+import top.meethigher.proxy.tcp.mux.model.MuxNetAddress;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ThreadLocalRandom;
+
+/**
+ * ReverseTcpProxyMuxClient
+ * <p>
+ * 本地启动多个端口，以{@code top.meethigher.proxy.tcp.mux.ReverseTcpProxyMuxServer }一个固定端口为内网的流量出入口，进而实现本地不通端口转发不同的内网服务功能
+ *
+ * @author <a href="https://meethigher.top">chenchuancheng</a>
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc1078">RFC 1078 - TCP port service Multiplexer (TCPMUX)</a>
+ * @since 2025/07/26 20:43
+ */
+public class ReverseTcpProxyMuxClient extends Mux {
+
+    private static final Logger log = LoggerFactory.getLogger(ReverseTcpProxyMuxClient.class);
+    /**
+     * 端口映射关系
+     * key: 本地监听的TCP服务
+     * value: 经过 {@code top.meethigher.proxy.tcp.mux.ReverseTcpProxyMuxServer }转发的内网服务
+     */
+    protected final Map<MuxNetAddress, List<NetAddress>> mapper;
+
+    protected final NetServerOptions netServerOptions;
+
+    protected final NetClient netClient;
+
+    protected final NetAddress muxServer;
+
+    protected final String name;
+
+    protected final List<NetServer> netServers = new ArrayList<>();
+
+    protected ReverseTcpProxyMuxClient(Vertx vertx, String secret, Map<MuxNetAddress, List<NetAddress>> mapper, NetServerOptions netServerOptions, NetClient netClient, NetAddress muxServer, String name) {
+        super(vertx, secret);
+        this.mapper = mapper;
+        this.netServerOptions = netServerOptions;
+        this.netClient = netClient;
+        this.muxServer = muxServer;
+        this.name = name;
+    }
+
+
+    protected void handleConnect(NetSocket src, MuxNetAddress local, List<NetAddress> backendServers) {
+        src.pause();
+        log.debug("{}: source {} -- {} connected", local.getName(), src.localAddress(), src.remoteAddress());
+        src.closeHandler(v -> log.debug("{}: source {} -- {} closed", local.getName(), src.localAddress(), src.remoteAddress()));
+        netClient.connect(muxServer.getPort(), muxServer.getHost())
+                .onFailure(e -> {
+                    log.error("{}: failed to connect to {}", local.getName(), muxServer, e);
+                    src.close();
+                })
+                .onSuccess(dst -> {
+                    dst.pause();
+                    log.debug("{}: target {} -- {} connected", local.getName(), dst.localAddress(), dst.remoteAddress());
+                    dst.closeHandler(v -> log.debug("{}: target {} -- {} closed", local.getName(), dst.localAddress(), dst.remoteAddress()));
+                    Handler<Void> writeSuccessHandler = t -> {
+                        // https://github.com/meethigher/tcp-reverse-proxy/issues/12
+                        // 将日志记录详细，便于排查问题
+                        src.pipeTo(dst)
+                                .onSuccess(v -> log.debug("{}: source {} -- {} pipe to target {} -- {} succeeded",
+                                        local.getName(), src.localAddress(), src.remoteAddress(), dst.localAddress(), dst.remoteAddress()))
+                                .onFailure(e -> log.error("{}: source {} -- {} pipe to target {} -- {} failed",
+                                        local.getName(), src.localAddress(), src.remoteAddress(), dst.localAddress(), dst.remoteAddress(), e));
+                        dst.pipeTo(src)
+                                .onSuccess(v -> log.debug("{}: target {} -- {} pipe to source {} -- {} succeeded",
+                                        local.getName(), dst.localAddress(), dst.remoteAddress(), src.localAddress(), src.remoteAddress()))
+                                .onFailure(e -> log.error("{}: target {} -- {} pipe to source {} -- {} failed",
+                                        local.getName(), dst.localAddress(), dst.remoteAddress(), src.localAddress(), src.remoteAddress(), e));
+                        log.debug("{}: source {} -- {} bound to target {} -- {} with backend server {}",
+                                local.getName(),
+                                src.localAddress(), src.remoteAddress(),
+                                dst.localAddress(), dst.remoteAddress(),
+                                backendServers);
+                        src.resume();
+                        dst.resume();
+                    };
+                    dst.write(this.encode(backendServers))
+                            .onSuccess(writeSuccessHandler)
+                            .onFailure(e -> {
+                                dst.close();
+                                src.close();
+                            });
+                });
+    }
+
+    public void start() {
+        for (MuxNetAddress local : mapper.keySet()) {
+            vertx.createNetServer(netServerOptions)
+                    .connectHandler(src ->
+                            this.handleConnect(src, local, mapper.get(local)))
+                    .exceptionHandler(e -> log.error("{} {} socket errors happening before the connection is passed to the connectHandler", name, local.getName(), e))
+                    .listen(local.getPort(), local.getHost())
+                    .onFailure(e -> log.error("{} {} start failed on {}", name, local.getName(), local, e))
+                    .onSuccess(v -> {
+                        log.info("{} {} started on {}. mux server {}, backend server {}",
+                                name,
+                                local.getName(),
+                                local,
+                                muxServer,
+                                mapper.get(local)
+                        );
+                        netServers.add(v);
+                    });
+        }
+    }
+
+    public void stop() {
+        for (NetServer netServer : netServers) {
+            netServer.close()
+                    .onSuccess(v -> log.info("{} port {} closed", name, netServer.actualPort()))
+                    .onFailure(e -> log.error("{} port {} close failed", name, netServer.actualPort(), e));
+        }
+        netServers.clear();
+    }
+
+    public static String generateName() {
+        final String prefix = ReverseTcpProxyMuxClient.class.getSimpleName() + "-";
+        try {
+            // 池号对于虚拟机来说是全局的，以避免在类加载器范围的环境中池号重叠
+            synchronized (System.getProperties()) {
+                final String next = String.valueOf(Integer.getInteger(ReverseTcpProxyMuxClient.class.getName() + ".name", 0) + 1);
+                System.setProperty(ReverseTcpProxyMuxClient.class.getName() + ".name", next);
+                return prefix + next;
+            }
+        } catch (Exception e) {
+            final ThreadLocalRandom random = ThreadLocalRandom.current();
+            final StringBuilder sb = new StringBuilder(prefix);
+            for (int i = 0; i < 4; i++) {
+                sb.append(ID_CHARACTERS[random.nextInt(62)]);
+            }
+            return sb.toString();
+        }
+    }
+
+    public static ReverseTcpProxyMuxClient create() {
+        Vertx vertx = Vertx.vertx();
+        return new ReverseTcpProxyMuxClient(vertx, Mux.SECRET_DEFAULT,
+                new HashMap<MuxNetAddress, List<NetAddress>>() {{
+                    put(new MuxNetAddress("0.0.0.0", 6666, "ssh1"),
+                            new ArrayList<NetAddress>() {{
+                                add(new NetAddress("127.0.0.1", 22));
+                                add(new NetAddress("127.0.0.1", 23));
+                            }});
+                    put(new MuxNetAddress("0.0.0.0", 6667, "ssh2"),
+                            new ArrayList<NetAddress>() {{
+                                add(new NetAddress("127.0.0.1", 22));
+                                add(new NetAddress("127.0.0.1", 23));
+                            }});
+
+                }}, new NetServerOptions(), vertx.createNetClient(),
+                new NetAddress("10.0.0.30", 22),
+                generateName());
+    }
+
+
+}