Archived
1
0

probably broken

This commit is contained in:
Jeff Becker 2017-08-25 09:30:34 -04:00
parent aa3cf130b3
commit 86b3d3ce62
No known key found for this signature in database
GPG Key ID: F357B3B42F6F9B05
7 changed files with 62 additions and 61 deletions

View File

@ -10,7 +10,6 @@ import (
"encoding/base32"
"fmt"
"github.com/majestrate/configparser"
"github.com/majestrate/nacl"
"io/ioutil"
"log"
"net"
@ -240,7 +239,7 @@ func GenSRNdConfig() *configparser.Configuration {
sect.Add("json-api", "0")
sect.Add("json-api-username", "fucking-change-this-value")
sect.Add("json-api-password", "seriously-fucking-change-this-value")
secret_bytes := nacl.RandBytes(8)
secret_bytes := randbytes(8)
secret := base32.StdEncoding.EncodeToString(secret_bytes)
sect.Add("api-secret", secret)

View File

@ -0,0 +1,15 @@
package srnd
import "github.com/majestrate/nacl"
func nacl_cryptoVerifyFucky(hash, sig, pk []byte) bool {
return nacl.CryptoVerifyFucky(hash, sig, pk)
}
func nacl_cryptoSignFucky(hash, sk []byte) (sig []byte) {
return nacl.CryptoSignFucky(hash, sk)
}
func nacl_cryptoVerifyDetached(hash, sig, pk []byte) bool {
return nacl.CryptoVerifyDetached(hash, sig, pk)
}

View File

@ -7,7 +7,6 @@ import (
"crypto/tls"
"errors"
"fmt"
"github.com/majestrate/nacl"
"log"
"net"
"net/http"
@ -166,14 +165,10 @@ func (self *NNTPDaemon) WrapSign(nntp NNTPMessage) {
if seed == nil {
log.Println("invalid secretkey will not sign")
} else {
kp := nacl.LoadSignKey(seed)
defer kp.Free()
sec := kp.Secret()
pk, sec := seedToKeyPair(seed)
sig := msgidFrontendSign(sec, nntp.MessageID())
pk := hexify(kp.Public())
nntp.Headers().Add("X-Frontend-Signature", sig)
nntp.Headers().Add("X-Frontend-Pubkey", pk)
log.Println("signed", nntp.MessageID(), "as from", pk)
nntp.Headers().Add("X-Frontend-Pubkey", hexify(pk))
}
} else {
log.Println("sending", nntp.MessageID(), "unsigned")
@ -467,8 +462,7 @@ func (self *NNTPDaemon) syncPull(proxy_type, proxy_addr, remote_addr string) {
if reader {
// we can do it
err = nntp.scrapeServer(self, conn)
if err == nil {
// we succeeded
if err == nil { // we succeeded
log.Println(nntp.name, "Scrape successful")
nntp.Quit(conn)
conn.Close()

View File

@ -16,7 +16,6 @@ import (
"github.com/gorilla/mux"
"github.com/gorilla/sessions"
"github.com/gorilla/websocket"
"github.com/majestrate/nacl"
"io"
"log"
"mime"
@ -921,14 +920,9 @@ func (self *httpFrontend) handle_postRequest(pr *postRequest, b bannedFunc, e er
}
// pack it before sending so that the article is well formed
// sign if needed
if len(tripcode_privkey) == nacl.CryptoSignSeedLen() {
kp := nacl.LoadSignKey(tripcode_privkey)
if kp == nil {
e(errors.New("seed keypair was nil?"))
return
}
defer kp.Free()
nntp.headers.Set("X-PubKey-Ed25519", hexify(kp.Public()))
if len(tripcode_privkey) == 32 {
pk, _ := seedToKeyPair(tripcode_privkey)
nntp.headers.Set("X-PubKey-Ed25519", hexify(pk))
nntp.Pack()
err = self.daemon.store.RegisterPost(nntp)
if err != nil {

View File

@ -10,7 +10,6 @@ import (
"errors"
"fmt"
"github.com/dchest/blake2b"
"github.com/majestrate/nacl"
"io"
"log"
"mime"
@ -181,22 +180,15 @@ func signArticle(nntp NNTPMessage, seed []byte) (signed *nntpArticle, err error)
mw.Write([]byte{10})
if err == nil {
// build keypair
kp := nacl.LoadSignKey(seed)
if kp == nil {
log.Println("failed to load seed for signing article")
return
}
defer kp.Free()
sk := kp.Secret()
pk := getSignPubkey(sk)
pk, sk := seedToKeyPair(seed)
// sign it nigguh
digest := sha.Sum(nil)
sig := cryptoSign(digest, sk)
sig := cryptoSignFucky(digest, sk)
// log that we signed it
// log.Printf("signed %s pubkey=%s sig=%s hash=%s", nntp.MessageID(), pk, sig, hexify(digest))
signed.headers.Set("X-Signature-Ed25519-SHA512", sig)
signed.headers.Set("X-PubKey-Ed25519", pk)
sig = cryptoSignNew(blake.Sum(nil), sk)
signed.headers.Set("X-PubKey-Ed25519", hexify(pk[:]))
sig = cryptoSignProper(blake.Sum(nil), sk)
signed.headers.Set("X-Signature-Ed25519-BLAKE2B", sig)
}
return
@ -472,7 +464,7 @@ func verifyMessageSHA512(pk, sig string, body *io.LimitedReader, innerHandler fu
hash := h.Sum(nil)
log.Printf("hash=%s", hexify(hash))
log.Printf("sig=%s", hexify(sig_bytes))
if nacl.CryptoVerifyFucky(hash, sig_bytes, pk_bytes) {
if nacl_cryptoVerifyFucky(hash, sig_bytes, pk_bytes) {
log.Println("signature is valid :^)")
} else {
err = errors.New("invalid signature")
@ -510,7 +502,7 @@ func verifyMessageBLAKE2B(pk, sig string, body *io.LimitedReader, innerHandler f
hash := h.Sum(nil)
log.Printf("hash=%s", hexify(hash))
log.Printf("sig=%s", hexify(sig_bytes))
if nacl.CryptoVerifyDetached(hash, sig_bytes, pk_bytes) {
if nacl_cryptoVerifyDetached(hash, sig_bytes, pk_bytes) {
log.Println("signature is valid :^)")
} else {
err = errors.New("invalid signature")

View File

@ -13,7 +13,6 @@ import (
"fmt"
"github.com/gorilla/csrf"
"github.com/gorilla/sessions"
"github.com/majestrate/nacl"
"io"
"log"
"net"
@ -416,13 +415,10 @@ func (self httpModUI) CheckPubkey(pubkey, scope string) (bool, error) {
func (self httpModUI) CheckKey(privkey, scope string) (bool, error) {
privkey_bytes, err := hex.DecodeString(privkey)
if err == nil {
kp := nacl.LoadSignKey(privkey_bytes)
if kp != nil {
defer kp.Free()
pubkey := hex.EncodeToString(kp.Public())
pk, _ := seedToKeyPair(privkey_bytes)
pubkey := hex.EncodeToString(pk)
return self.CheckPubkey(pubkey, scope)
}
}
log.Println("invalid key format for key", privkey)
return false, err
}

View File

@ -6,12 +6,12 @@ package srnd
import (
"bufio"
"crypto/rand"
"crypto/sha1"
"crypto/sha512"
"encoding/base64"
"encoding/hex"
"fmt"
"github.com/majestrate/nacl"
"golang.org/x/crypto/curve25519"
"golang.org/x/crypto/ed25519"
"io"
@ -104,9 +104,15 @@ func OpenFileWriter(fname string) (io.WriteCloser, error) {
return os.Create(fname)
}
func randbytes(l int) []byte {
b := make([]byte, l)
io.ReadFull(rand.Reader, b)
return b
}
// make a random string
func randStr(length int) string {
return hex.EncodeToString(nacl.RandBytes(length))[length:]
return hex.EncodeToString(randbytes(length))[length:]
}
// time for right now as int64
@ -212,7 +218,7 @@ func i2pDestHashLen() int {
// generate a new encryption key for it
// return the encryption key and the encrypted address
func newAddrEnc(addr string) (string, string) {
key_bytes := nacl.RandBytes(encAddrBytes())
key_bytes := randbytes(encAddrBytes())
key := base64.StdEncoding.EncodeToString(key_bytes)
return key, encAddr(addr, key)
}
@ -291,13 +297,16 @@ func ValidNewsgroup(newsgroup string) bool {
return newsgroupValidFormat(newsgroup)
}
func genKeypair() (pk, sk []byte) {
sk = randbytes(32)
pk, _ = seedToKeyPair(sk)
return
}
// generate a new signing keypair
// public, secret
func newSignKeypair() (string, string) {
kp := nacl.GenSignKeypair()
defer kp.Free()
pk := kp.Public()
sk := kp.Seed()
pk, sk := genKeypair()
return hex.EncodeToString(pk), hex.EncodeToString(sk)
}
@ -387,15 +396,16 @@ func hexify(data []byte) string {
// extract pubkey from secret key
// return as hex
func getSignPubkey(sk []byte) string {
k, _ := nacl.GetSignPubkey(sk)
return hexify(k)
_, pk := seedToKeyPair(sk)
return hexify(pk)
}
// sign data with secret key the fucky srnd way
// return signature as hex
func cryptoSign(h, sk []byte) string {
// XXX: DEPRECATED
func cryptoSignFucky(h, sk []byte) string {
// sign
sig := nacl.CryptoSignFucky(h, sk)
sig := nacl_cryptoSignFucky(h, sk)
if sig == nil {
return "[failed to sign]"
}
@ -403,19 +413,20 @@ func cryptoSign(h, sk []byte) string {
}
// convert seed to secret key
func seedToSecretNew(seed []byte) (full ed25519.PrivateKey) {
var out [32]byte
func seedToKeyPair(seed []byte) (full ed25519.PrivateKey, pub ed25519.PublicKey) {
var in [32]byte
var out [32]byte
copy(in[:], seed[0:32])
curve25519.ScalarBaseMult(&out, &in)
copy(pub[:], out[:])
copy(full[:], in[:])
copy(full[:32], out[:])
copy(full[:32], pub[:])
return
}
func cryptoSignNew(h, sk []byte) string {
func cryptoSignProper(h, sk []byte) string {
// convert key
key := seedToSecretNew(sk)
key, _ := seedToKeyPair(sk)
// sign
sig := ed25519.Sign(key, h)
if sig == nil {
@ -429,7 +440,7 @@ func cryptoSignNew(h, sk []byte) string {
func parseTripcodeSecret(str string) []byte {
// try decoding hex
raw := unhex(str)
keylen := nacl.CryptoSignSeedLen()
keylen := 32
if raw == nil || len(raw) != keylen {
// treat this as a "regular" chan tripcode
// decode as bytes then pad the rest with 0s if it doesn't fit
@ -670,17 +681,17 @@ func extractRealIP(r *http.Request) (ip string, err error) {
func serverPubkeyIsValid(pubkey string) bool {
b := unhex(pubkey)
return b != nil && len(b) == nacl.CryptoSignPubKeySize()
return b != nil && len(b) == 32
}
func verifyFrontendSig(pubkey, sig, msgid string) bool {
s := unhex(sig)
k := unhex(pubkey)
h := sha512.Sum512([]byte(msgid))
return nacl.CryptoVerifyFucky(h[:], s, k)
return nacl_cryptoVerifyFucky(h[:], s, k)
}
func msgidFrontendSign(sk []byte, msgid string) string {
h := sha512.Sum512([]byte(msgid))
return cryptoSign(h[:], sk)
return cryptoSignFucky(h[:], sk)
}