From dc7d1c0f409c41c48919047075ff4652555c958e Mon Sep 17 00:00:00 2001 From: hotyue <52734432+hotyue@users.noreply.github.com> Date: Thu, 16 Apr 2026 03:14:12 +0000 Subject: [PATCH] =?UTF-8?q?feat:=20[v3.5.2]=20=E7=BB=88=E6=9E=81=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E4=B8=8E=E9=80=BB=E8=BE=91=E9=97=AD=E7=8E=AF=E8=A1=A5?= =?UTF-8?q?=E4=B8=81=201.=20=E5=8D=87=E7=BA=A7=E5=86=9B=E5=B7=A5=E7=BA=A7?= =?UTF-8?q?=20HMAC=20=E7=AD=BE=E5=90=8D=EF=BC=9A=E5=B0=86=E6=95=B0?= =?UTF-8?q?=E6=8D=AE=E8=B4=9F=E8=BD=BD=20(Base64)=20=E5=8D=B7=E5=85=A5?= =?UTF-8?q?=E5=93=88=E5=B8=8C=EF=BC=8C=E5=B0=81=E6=AD=BB=E4=B8=AD=E9=97=B4?= =?UTF-8?q?=E4=BA=BA=E7=AF=A1=E6=94=B9=E8=B7=AF=E5=BE=84=E3=80=82=202.=20?= =?UTF-8?q?=E5=BC=95=E5=85=A5=E9=AB=98=E7=86=B5=E5=A4=8D=E5=90=88=E5=AF=86?= =?UTF-8?q?=E9=92=A5=EF=BC=9A=E7=BB=93=E5=90=88=20CHAT=5FID=20=E4=B8=8E=20?= =?UTF-8?q?TG=5FTOKEN=EF=BC=8C=E5=A4=A7=E5=B9=85=E6=8F=90=E5=8D=87?= =?UTF-8?q?=E6=8A=97=E6=9A=B4=E5=8A=9B=E7=A0=B4=E8=A7=A3=E5=BC=BA=E5=BA=A6?= =?UTF-8?q?=E3=80=82=203.=20=E5=AE=9E=E7=8E=B0=E5=85=A8=E8=87=AA=E5=8A=A8?= =?UTF-8?q?=E6=94=B9=E5=90=8D=E9=97=AD=E7=8E=AF=EF=BC=9AMaster=20=E7=A1=AE?= =?UTF-8?q?=E8=AE=A4=20Agent=20=E4=BF=AE=E6=94=B9=E6=88=90=E5=8A=9F?= =?UTF-8?q?=E5=90=8E=E8=87=AA=E5=8A=A8=E5=90=8C=E6=AD=A5=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E5=BA=93=EF=BC=8C=E5=BD=BB=E5=BA=95=E5=91=8A=E5=88=AB=E6=89=8B?= =?UTF-8?q?=E5=8A=A8=E5=A4=8D=E5=88=B6=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- core/agent_daemon.sh | 37 +++++++++++++++---------------------- master/tg_master.sh | 34 +++++++++++++++++++++++----------- 2 files changed, 38 insertions(+), 33 deletions(-) diff --git a/core/agent_daemon.sh b/core/agent_daemon.sh index d096ad6..c28f64b 100755 --- a/core/agent_daemon.sh +++ b/core/agent_daemon.sh 
@@ -83,15 +83,19 @@ import time PORT = int(sys.argv[1]) -# 🛡️ 提取全局鉴权 Token (利用 CHAT_ID 作为 PSK 预共享密钥) +# 🛡️ [军工级升级] 提取全局复合鉴权 Token AUTH_TOKEN = "" +TG_TOKEN = "" if os.path.exists('/opt/ip_sentinel/config.conf'): with open('/opt/ip_sentinel/config.conf', 'r') as f: for line in f: line = line.strip() if line.startswith('CHAT_ID='): AUTH_TOKEN = line.split('=', 1)[1].strip('"\'') - break + elif line.startswith('TG_TOKEN='): + TG_TOKEN = line.split('=', 1)[1].strip('"\'') +# 构建高熵密钥 +SECRET_KEY = f"{AUTH_TOKEN}:{TG_TOKEN}" class AgentHandler(http.server.BaseHTTPRequestHandler): def do_GET(self): @@ -123,9 +127,14 @@ class AgentHandler(http.server.BaseHTTPRequestHandler): self.end_headers() return - # 校验 3:HMAC 数据完整性与身份合法性校验 - msg = f"{req_path}:{req_t}".encode('utf-8') - expected_sign = hmac.new(AUTH_TOKEN.encode('utf-8'), msg, hashlib.sha256).hexdigest() + # 校验 3:HMAC 数据完整性与身份合法性校验 (全参数卷入) + msg_str = f"{req_path}:{req_t}" + b64_alias = query.get('b64', [''])[0] + if b64_alias: + msg_str += f":{b64_alias}" + + msg = msg_str.encode('utf-8') + expected_sign = hmac.new(SECRET_KEY.encode('utf-8'), msg, hashlib.sha256).hexdigest() # 使用 compare_digest 防御时序攻击 if not hmac.compare_digest(expected_sign, req_sign): 
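Review bot: After the new `elif`, an absent or empty `CHAT_ID`/`TG_TOKEN` no longer stops anything: `SECRET_KEY` becomes `":"` or `"<chat_id>:"` and every signature check below runs against a guessable key, the same fail-open the old empty `AUTH_TOKEN` had. Fail closed immediately after the key is built: `if not AUTH_TOKEN or not TG_TOKEN: sys.exit("config.conf must define CHAT_ID and TG_TOKEN")`. The key's entropy comes entirely from `TG_TOKEN` — `CHAT_ID` is visible to everyone in the chat — so config.conf now guards the bot token and should be readable only by the daemon's user; its file mode is not visible here. A comment on the key line, `# key strength rests on TG_TOKEN alone; CHAT_ID is not secret`, would keep the commit subject's brute-force claim honest.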
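Review bot: The message `path:t[:b64]` built for the HMAC is not injective — `b64` is appended only when non-empty and `:` may also occur in `req_path` or `req_t` — so different (path, t, b64) triples can verify under one signature unless the timestamp check above this hunk already rejects a non-numeric `req_t` (not visible here). Use a fixed number of fields on both sides, `msg_str = f"{req_path}:{req_t}:{b64_alias}"` here and an unconditional `payload="${payload}:${extra_payload}"` in `generate_signed_url`, and check `req_t.isdigit()` before it reaches the HMAC. Everything else in the query string stays unsigned; a comment such as `# only path, t and b64 are covered by the signature — other query fields are untrusted` would keep later handlers from relying on them. `do_GET` starts and ends outside the hunk.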
@@ -276,23 +285,7 @@ class AgentHandler(http.server.BaseHTTPRequestHandler): with open(config_path, 'w', encoding='utf-8') as f: f.writelines(lines) - - # 4. 绕过 WAF:交由系统底层 curl 异步发包 - region = config_dict.get('REGION_CODE', 'UNKNOWN') - node_name = config_dict.get('NODE_NAME', 'UNKNOWN') - agent_ip = config_dict.get('PUBLIC_IP', '127.0.0.1') - agent_port = config_dict.get('AGENT_PORT', '9527') - chat_id = config_dict.get('CHAT_ID', '') - tg_url = config_dict.get('TG_API_URL', '') - - if tg_url and chat_id: - reg_msg = f"#REGISTER#|{region}|{node_name}|{agent_ip}|{agent_port}|{safe_alias}" - subprocess.Popen([ - 'curl', '-s', '-m', '10', '-X', 'POST', tg_url, - '-d', f'chat_id={chat_id}', - '-d', f'text={reg_msg}' - ]) - + self.send_response(200) self.send_header("Content-type", "text/plain") self.end_headers() diff --git a/master/tg_master.sh b/master/tg_master.sh index b2b9bcf..7a3fba2 100755 --- a/master/tg_master.sh +++ b/master/tg_master.sh 
@@ -41,22 +41,32 @@ db_exec() { sqlite3 "$DB_FILE" "$1" } -# ================== [v3.0.4 核心: 动态 HMAC 签名生成器] ================== -# 用法: generate_signed_url +# ================== [v3.5.2 军工级: 全链路 HMAC 签名生成器] ================== +# 用法: generate_signed_url [B64_PAYLOAD] generate_signed_url() { local target_ip=$1 local target_port=$2 local action_path=$3 + local extra_payload=$4 local current_t=$(date +%s) - # 构建加密载荷: "路径:时间戳" + # 构建基础加密载荷: "路径:时间戳" local payload="${action_path}:${current_t}" - # 使用 CHAT_ID 作为密钥,生成 SHA256 HMAC 签名 - local signature=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$CHAT_ID" | awk '{print $NF}') + # [安全升级] 如果存在 B64 数据,将其卷入签名载荷,彻底封死中间人篡改漏洞 + if [ -n "$extra_payload" ]; then + payload="${payload}:${extra_payload}" + fi - # 返回最终带签名的 URL - echo "http://${target_ip}:${target_port}${action_path}?t=${current_t}&sign=${signature}" + # [安全升级] 引入高熵复合密钥 (CHAT_ID + TG_TOKEN),防暴力破解与社工泄露 + local secret_key="${CHAT_ID}:${TG_TOKEN}" + local signature=$(echo -n "$payload" | openssl dgst -sha256 -hmac "$secret_key" | awk '{print $NF}') + + local final_url="http://${target_ip}:${target_port}${action_path}?t=${current_t}&sign=${signature}" + if [ -n "$extra_payload" ]; then + final_url="${final_url}&b64=${extra_payload}" + fi + echo "$final_url" } # ======================================================================== 
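Review bot: `openssl dgst -sha256 -hmac "$secret_key"` now puts the bot token on the openssl command line, where any local user can read it via `ps` or `/proc/*/cmdline` while the process runs; before this change only `CHAT_ID` was exposed that way, and the token grants full control of the bot. openssl has no stdin/file option for an HMAC key, so on a multi-user master compute the MAC with a helper that takes the key from the environment (python3's `hmac` module, if it is present there); otherwise record the trade-off with `# NOTE: the HMAC key is visible in the process list while openssl runs`. The `&b64=${extra_payload}` append is correct only because the caller passes URL-safe base64 (`-_`, `=` padding, never `&`, `#` or `%`); document that with `# extra_payload must be URL-safe base64: it is appended to the query string unencoded`. The URL is plain `http://`, so the signature provides integrity and origin, not confidentiality of the alias.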
@@ -337,18 +347,20 @@ while true; do if [ -n "$AGENT_IP" ] && [ -n "$AGENT_PORT" ]; then send_msg "$CHAT_ID" "⏳ 正在向 \`$TARGET_NODE\` 下发重命名指令,正在建立加密隧道..." - TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_rename") - # [绝密防线: Base64 编码绕过一切传输限制与 WAF 拦截] ALIAS_B64=$(echo -n "$NEW_ALIAS" | base64 | tr -d '\n' | tr '+/' '-_') - TARGET_URL="${TARGET_URL}&b64=${ALIAS_B64}" + + # [安全升级] 将 B64 数据作为第4个参数传入,完美卷入 HMAC 签名引擎 + TARGET_URL=$(generate_signed_url "$AGENT_IP" "$AGENT_PORT" "/trigger_rename" "$ALIAS_B64") RESPONSE=$(curl -s -m 5 "$TARGET_URL" || echo "FAILED") if [ "$RESPONSE" == "FAILED" ]; then send_msg "$CHAT_ID" "❌ 指令下发超时!请检查节点连通性。" elif [[ "$RESPONSE" == *"Action Accepted"* ]]; then - send_msg "$CHAT_ID" "✅ 通讯成功!节点别名已下发: \`$NEW_ALIAS\`\n*(注: 节点随后将自动向中枢报备刷新面板)*" + # [极致丝滑] 确认 Agent 修改成功后,Master 立即自动同步本地 SQLite,终结手动复制! + db_exec "UPDATE nodes SET node_alias='$NEW_ALIAS' WHERE chat_id='$CHAT_ID' AND node_name='$TARGET_NODE';" + send_msg "$CHAT_ID" "✅ 通讯成功!节点别名已下发: \`$NEW_ALIAS\`\n*(司令部档案已自动刷新,雷达面板已同步)*" else # 增加输出 RESPONSE 调试信息,排查任何拦截死因 send_msg "$CHAT_ID" "⚠️ 节点拒绝了请求,请确保 Agent 已更新至 v3.5.2\n(回传信息: \`${RESPONSE}\`)"
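Review bot: The new `db_exec "UPDATE nodes SET node_alias='$NEW_ALIAS' ... node_name='$TARGET_NODE';"` interpolates the alias straight into SQL; `NEW_ALIAS` appears to be taken from the chat command (its origin is outside the hunk), so an alias containing `'` breaks the statement and one such as `x', chat_id='` rewrites other rows. Escape before use: `alias_sql="${NEW_ALIAS//\'/\'\'}"`, `node_sql="${TARGET_NODE//\'/\'\'}"`, then `db_exec "UPDATE nodes SET node_alias='$alias_sql' WHERE chat_id='$CHAT_ID' AND node_name='$node_sql';"`. The update is also gated only on the agent's plaintext, unsigned HTTP reply containing `Action Accepted`, and the agent's removed registration code used a `safe_alias` it derives itself, so the master may now record an alias the agent normalized differently — worth checking against the agent's rename handler. The enclosing `while true` loop starts and ends outside the hunk.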