feat: tunnel支持通信中的关键信息加密

meethigher · meethigher · commit a96a989ad795 · 2025-07-27T12:45:04.000+08:00
diff --git a/src/main/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelClient.java b/src/main/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelClient.java
@@ -42,7 +42,6 @@ public class ReverseTcpProxyTunnelClient extends TunnelClient {
     protected static final long MAX_DELAY_DEFAULT = 64000;// 毫秒
 
 
-    protected final String secret;
     protected final String name;
 
     protected long heartbeatDelay;
@@ -75,8 +74,7 @@ public static String generateName() {
     protected ReverseTcpProxyTunnelClient(Vertx vertx, NetClient netClient,
                                           long minDelay, long maxDelay,
                                           String secret, String name) {
-        super(vertx, netClient, minDelay, maxDelay);
-        this.secret = secret;
+        super(vertx, netClient, minDelay, maxDelay, secret);
         this.name = name;
         addMessageHandler();
     }
@@ -148,7 +146,7 @@ protected void addMessageHandler() {
             protected boolean doHandle(Vertx vertx, NetSocket netSocket, TunnelMessageType type, byte[] bodyBytes) {
                 boolean result = false;
                 try {
-                    TunnelMessage.OpenDataPortAck parsed = TunnelMessage.OpenDataPortAck.parseFrom(bodyBytes);
+                    TunnelMessage.OpenDataPortAck parsed = TunnelMessage.OpenDataPortAck.parseFrom(aesBase64Decode(bodyBytes));
                     if (parsed.getSuccess()) {
                         // 如果认证 + 开通端口成功，那么就需要进行长连接保持，并开启定期心跳。
                         result = true;
diff --git a/src/main/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelServer.java b/src/main/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelServer.java
@@ -53,12 +53,10 @@ public class ReverseTcpProxyTunnelServer extends TunnelServer {
 
 
     protected final Map<NetSocket, DataProxyServer> authedSockets;// 授权成功的控制连接与数据服务的对应关系
-    protected final String secret; // 鉴权密钥
     protected final String name; // 控制服务的名称
 
     protected ReverseTcpProxyTunnelServer(Vertx vertx, NetServer netServer, String secret, Map<NetSocket, DataProxyServer> authedSockets, String name) {
-        super(vertx, netServer);
-        this.secret = secret;
+        super(vertx, netServer, secret);
         this.name = name;
         this.authedSockets = authedSockets;
         addMessageHandler();
@@ -444,7 +442,7 @@ protected boolean doHandle(Vertx vertx, NetSocket netSocket, TunnelMessageType t
                 // 如果授权通过，并且成功开通端口。则返回成功；否则则返回失败，并关闭连接
                 boolean result = false;
                 try {
-                    TunnelMessage.OpenDataPort parsed = TunnelMessage.OpenDataPort.parseFrom(bodyBytes);
+                    TunnelMessage.OpenDataPort parsed = TunnelMessage.OpenDataPort.parseFrom(aesBase64Decode(bodyBytes));
                     TunnelMessage.OpenDataPortAck.Builder builder = TunnelMessage.OpenDataPortAck
                             .newBuilder();
                     builder.setHeartbeatDelay(heartbeatDelay);
@@ -507,7 +505,7 @@ protected boolean doHandle(Vertx vertx, NetSocket netSocket, TunnelMessageType t
             protected boolean doHandle(Vertx vertx, NetSocket netSocket, TunnelMessageType type, byte[] bodyBytes) {
                 boolean result = false;
                 try {
-                    TunnelMessage.OpenDataConnAck openDataConnAck = TunnelMessage.OpenDataConnAck.parseFrom(bodyBytes);
+                    TunnelMessage.OpenDataConnAck openDataConnAck = TunnelMessage.OpenDataConnAck.parseFrom(aesBase64Decode(bodyBytes));
                     result = openDataConnAck.getSuccess();
                 } catch (Exception ignore) {
                 }
diff --git a/src/main/java/top/meethigher/proxy/tcp/tunnel/Tunnel.java b/src/main/java/top/meethigher/proxy/tcp/tunnel/Tunnel.java
@@ -10,9 +10,13 @@
 import top.meethigher.proxy.tcp.tunnel.codec.TunnelMessageType;
 import top.meethigher.proxy.tcp.tunnel.handler.TunnelHandler;
 
+import javax.crypto.SecretKey;
+import java.nio.charset.StandardCharsets;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
+import static top.meethigher.proxy.FastAes.*;
+
 /**
  * 封装通用的 TCP 交互API
  * 参考<a href="https://github.com/socketio/socket.io-client-java/blob/socket.io-client-2.1.0/src/main/java/io/socket/client/Socket.java">socket.io-client-java</a>
@@ -24,18 +28,20 @@ public abstract class Tunnel {
 
     private static final Logger log = LoggerFactory.getLogger(Tunnel.class);
     protected final Vertx vertx;
-    protected static final String SECRET_DEFAULT = "0123456789";
+    protected final String secret;
+    public static final String SECRET_DEFAULT = "hello,meethigher";
 
     // 数据连接建立后立马发送4字节标识符cafebabe
-    protected static final byte[] DATA_CONN_FLAG = new byte[]{
+    public static final byte[] DATA_CONN_FLAG = new byte[]{
             (byte) 0xca,
             (byte) 0xfe,
             (byte) 0xba,
             (byte) 0xbe
     };
 
-    protected Tunnel(Vertx vertx) {
+    protected Tunnel(Vertx vertx, String secret) {
         this.vertx = vertx;
+        this.secret = secret;
     }
 
     /**
@@ -62,6 +68,23 @@ public void on(TunnelMessageType type, TunnelHandler tunnelHandler) {
         tunnelHandlers.put(type, tunnelHandler);
     }
 
+
+    /**
+     * 返回加密base64串(无换行)
+     */
+    public byte[] aesBase64Encode(byte[] bodyBytes) {
+        SecretKey key = restoreKey(secret.getBytes(StandardCharsets.UTF_8));
+        return encrypt(bodyBytes, key);
+    }
+
+    /**
+     * 将加密内容还原
+     */
+    public byte[] aesBase64Decode(byte[] bodyBytes) {
+        SecretKey key = restoreKey(secret.getBytes(StandardCharsets.UTF_8));
+        return decrypt(bodyBytes, key);
+    }
+
     /**
      * 将请求体按照{@code TunnelMessageCodec} 规范进行编码
      *
@@ -70,7 +93,7 @@ public void on(TunnelMessageType type, TunnelHandler tunnelHandler) {
      * @return 编码结果
      */
     public Buffer encode(TunnelMessageType type, byte[] bodyBytes) {
-        return TunnelMessageCodec.encode(type.code(), bodyBytes);
+        return TunnelMessageCodec.encode(type.code(), aesBase64Encode(bodyBytes));
     }
 
     /**
diff --git a/src/main/java/top/meethigher/proxy/tcp/tunnel/TunnelClient.java b/src/main/java/top/meethigher/proxy/tcp/tunnel/TunnelClient.java
@@ -49,8 +49,8 @@ public abstract class TunnelClient extends Tunnel {
     protected NetSocket netSocket;
 
 
-    protected TunnelClient(Vertx vertx, NetClient netClient, long minDelay, long maxDelay) {
-        super(vertx);
+    protected TunnelClient(Vertx vertx, NetClient netClient, long minDelay, long maxDelay, String secret) {
+        super(vertx, secret);
         this.netClient = netClient;
         this.minDelay = minDelay;
         this.maxDelay = maxDelay;
diff --git a/src/main/java/top/meethigher/proxy/tcp/tunnel/TunnelServer.java b/src/main/java/top/meethigher/proxy/tcp/tunnel/TunnelServer.java
@@ -16,8 +16,8 @@ public abstract class TunnelServer extends Tunnel {
 
     protected final NetServer netServer;
 
-    protected TunnelServer(Vertx vertx, NetServer netServer) {
-        super(vertx);
+    protected TunnelServer(Vertx vertx, NetServer netServer, String secret) {
+        super(vertx, secret);
         this.netServer = netServer;
     }
 }
diff --git a/src/test/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelClientTest.java b/src/test/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelClientTest.java
@@ -132,8 +132,8 @@ public void client() {
                 new AddressResolverOptions().setQueryTimeout(2000)
         ));
         // ssh内网穿透
-        ReverseTcpProxyTunnelClient.create(ReverseTcpProxyTunnelClientTest.vertx, vertx.createNetClient(), "helloworld")
-                .backendHost("10.0.0.9")
+        ReverseTcpProxyTunnelClient.create(ReverseTcpProxyTunnelClientTest.vertx, vertx.createNetClient(), Tunnel.SECRET_DEFAULT)
+                .backendHost("10.0.0.30")
                 .backendPort(22)
                 .dataProxyName("ssh-proxy")
                 .dataProxyHost("10.0.0.1")
diff --git a/src/test/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelServerTest.java b/src/test/java/top/meethigher/proxy/tcp/tunnel/ReverseTcpProxyTunnelServerTest.java
@@ -14,8 +14,8 @@ public class ReverseTcpProxyTunnelServerTest {
     public void server() {
         Vertx vertx = Vertx.vertx();
         ReverseTcpProxyTunnelServer server = ReverseTcpProxyTunnelServer.create(vertx, vertx.createNetServer(
-                new NetServerOptions().setTcpNoDelay(true)
-                ), "helloworld", new ConcurrentHashMap<>())
+                        new NetServerOptions().setTcpNoDelay(true)
+                ), Tunnel.SECRET_DEFAULT, new ConcurrentHashMap<>())
                 .port(44444)
                 .judgeDelay(300);
         server.start();
diff --git a/src/test/java/top/meethigher/proxy/tcp/tunnel/codec/ClientCodecTest.java b/src/test/java/top/meethigher/proxy/tcp/tunnel/codec/ClientCodecTest.java
@@ -6,6 +6,7 @@
 import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import top.meethigher.proxy.tcp.tunnel.Tunnel;
 import top.meethigher.proxy.tcp.tunnel.TunnelClient;
 import top.meethigher.proxy.tcp.tunnel.handler.AbstractTunnelHandler;
 
@@ -26,7 +27,7 @@ public class ClientCodecTest {
     @Test
     public void client() {
         Vertx vertx = Vertx.vertx(new VertxOptions().setMaxWorkerExecuteTimeUnit(TimeUnit.DAYS));
-        TunnelClient tunnelClient = new TunnelClient(vertx, vertx.createNetClient(), 1000, 64000) {
+        TunnelClient tunnelClient = new TunnelClient(vertx, vertx.createNetClient(), 1000, 64000, Tunnel.SECRET_DEFAULT) {
 
         };
         tunnelClient.connect("127.0.0.1", 8080);

Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,8 @@ public abstract class TunnelServer extends Tunnel {`
`16`	`16`
`17`	`17`	`protected final NetServer netServer;`
`18`	`18`
`19`		`- protected TunnelServer(Vertx vertx, NetServer netServer) {`
`20`		`- super(vertx);`
	`19`	`+ protected TunnelServer(Vertx vertx, NetServer netServer, String secret) {`
	`20`	`+ super(vertx, secret);`
`21`	`21`	`this.netServer = netServer;`
`22`	`22`	`}`
`23`	`23`	`}`