probably broken
This commit is contained in:
parent
aa3cf130b3
commit
86b3d3ce62
@ -10,7 +10,6 @@ import (
|
||||
"encoding/base32"
|
||||
"fmt"
|
||||
"github.com/majestrate/configparser"
|
||||
"github.com/majestrate/nacl"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net"
|
||||
@ -240,7 +239,7 @@ func GenSRNdConfig() *configparser.Configuration {
|
||||
sect.Add("json-api", "0")
|
||||
sect.Add("json-api-username", "fucking-change-this-value")
|
||||
sect.Add("json-api-password", "seriously-fucking-change-this-value")
|
||||
secret_bytes := nacl.RandBytes(8)
|
||||
secret_bytes := randbytes(8)
|
||||
secret := base32.StdEncoding.EncodeToString(secret_bytes)
|
||||
sect.Add("api-secret", secret)
|
||||
|
||||
|
15
contrib/backends/srndv2/src/srnd/crypto_nacl.go
Normal file
15
contrib/backends/srndv2/src/srnd/crypto_nacl.go
Normal file
@ -0,0 +1,15 @@
|
||||
package srnd
|
||||
|
||||
import "github.com/majestrate/nacl"
|
||||
|
||||
func nacl_cryptoVerifyFucky(hash, sig, pk []byte) bool {
|
||||
return nacl.CryptoVerifyFucky(hash, sig, pk)
|
||||
}
|
||||
|
||||
func nacl_cryptoSignFucky(hash, sk []byte) (sig []byte) {
|
||||
return nacl.CryptoSignFucky(hash, sk)
|
||||
}
|
||||
|
||||
func nacl_cryptoVerifyDetached(hash, sig, pk []byte) bool {
|
||||
return nacl.CryptoVerifyDetached(hash, sig, pk)
|
||||
}
|
@ -7,7 +7,6 @@ import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/majestrate/nacl"
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
@ -166,14 +165,10 @@ func (self *NNTPDaemon) WrapSign(nntp NNTPMessage) {
|
||||
if seed == nil {
|
||||
log.Println("invalid secretkey will not sign")
|
||||
} else {
|
||||
kp := nacl.LoadSignKey(seed)
|
||||
defer kp.Free()
|
||||
sec := kp.Secret()
|
||||
pk, sec := seedToKeyPair(seed)
|
||||
sig := msgidFrontendSign(sec, nntp.MessageID())
|
||||
pk := hexify(kp.Public())
|
||||
nntp.Headers().Add("X-Frontend-Signature", sig)
|
||||
nntp.Headers().Add("X-Frontend-Pubkey", pk)
|
||||
log.Println("signed", nntp.MessageID(), "as from", pk)
|
||||
nntp.Headers().Add("X-Frontend-Pubkey", hexify(pk))
|
||||
}
|
||||
} else {
|
||||
log.Println("sending", nntp.MessageID(), "unsigned")
|
||||
@ -467,8 +462,7 @@ func (self *NNTPDaemon) syncPull(proxy_type, proxy_addr, remote_addr string) {
|
||||
if reader {
|
||||
// we can do it
|
||||
err = nntp.scrapeServer(self, conn)
|
||||
if err == nil {
|
||||
// we succeeded
|
||||
if err == nil { // we succeeded
|
||||
log.Println(nntp.name, "Scrape successful")
|
||||
nntp.Quit(conn)
|
||||
conn.Close()
|
||||
|
@ -16,7 +16,6 @@ import (
|
||||
"github.com/gorilla/mux"
|
||||
"github.com/gorilla/sessions"
|
||||
"github.com/gorilla/websocket"
|
||||
"github.com/majestrate/nacl"
|
||||
"io"
|
||||
"log"
|
||||
"mime"
|
||||
@ -921,14 +920,9 @@ func (self *httpFrontend) handle_postRequest(pr *postRequest, b bannedFunc, e er
|
||||
}
|
||||
// pack it before sending so that the article is well formed
|
||||
// sign if needed
|
||||
if len(tripcode_privkey) == nacl.CryptoSignSeedLen() {
|
||||
kp := nacl.LoadSignKey(tripcode_privkey)
|
||||
if kp == nil {
|
||||
e(errors.New("seed keypair was nil?"))
|
||||
return
|
||||
}
|
||||
defer kp.Free()
|
||||
nntp.headers.Set("X-PubKey-Ed25519", hexify(kp.Public()))
|
||||
if len(tripcode_privkey) == 32 {
|
||||
pk, _ := seedToKeyPair(tripcode_privkey)
|
||||
nntp.headers.Set("X-PubKey-Ed25519", hexify(pk))
|
||||
nntp.Pack()
|
||||
err = self.daemon.store.RegisterPost(nntp)
|
||||
if err != nil {
|
||||
|
@ -10,7 +10,6 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/dchest/blake2b"
|
||||
"github.com/majestrate/nacl"
|
||||
"io"
|
||||
"log"
|
||||
"mime"
|
||||
@ -181,22 +180,15 @@ func signArticle(nntp NNTPMessage, seed []byte) (signed *nntpArticle, err error)
|
||||
mw.Write([]byte{10})
|
||||
if err == nil {
|
||||
// build keypair
|
||||
kp := nacl.LoadSignKey(seed)
|
||||
if kp == nil {
|
||||
log.Println("failed to load seed for signing article")
|
||||
return
|
||||
}
|
||||
defer kp.Free()
|
||||
sk := kp.Secret()
|
||||
pk := getSignPubkey(sk)
|
||||
pk, sk := seedToKeyPair(seed)
|
||||
// sign it nigguh
|
||||
digest := sha.Sum(nil)
|
||||
sig := cryptoSign(digest, sk)
|
||||
sig := cryptoSignFucky(digest, sk)
|
||||
// log that we signed it
|
||||
// log.Printf("signed %s pubkey=%s sig=%s hash=%s", nntp.MessageID(), pk, sig, hexify(digest))
|
||||
signed.headers.Set("X-Signature-Ed25519-SHA512", sig)
|
||||
signed.headers.Set("X-PubKey-Ed25519", pk)
|
||||
sig = cryptoSignNew(blake.Sum(nil), sk)
|
||||
signed.headers.Set("X-PubKey-Ed25519", hexify(pk[:]))
|
||||
sig = cryptoSignProper(blake.Sum(nil), sk)
|
||||
signed.headers.Set("X-Signature-Ed25519-BLAKE2B", sig)
|
||||
}
|
||||
return
|
||||
@ -472,7 +464,7 @@ func verifyMessageSHA512(pk, sig string, body *io.LimitedReader, innerHandler fu
|
||||
hash := h.Sum(nil)
|
||||
log.Printf("hash=%s", hexify(hash))
|
||||
log.Printf("sig=%s", hexify(sig_bytes))
|
||||
if nacl.CryptoVerifyFucky(hash, sig_bytes, pk_bytes) {
|
||||
if nacl_cryptoVerifyFucky(hash, sig_bytes, pk_bytes) {
|
||||
log.Println("signature is valid :^)")
|
||||
} else {
|
||||
err = errors.New("invalid signature")
|
||||
@ -510,7 +502,7 @@ func verifyMessageBLAKE2B(pk, sig string, body *io.LimitedReader, innerHandler f
|
||||
hash := h.Sum(nil)
|
||||
log.Printf("hash=%s", hexify(hash))
|
||||
log.Printf("sig=%s", hexify(sig_bytes))
|
||||
if nacl.CryptoVerifyDetached(hash, sig_bytes, pk_bytes) {
|
||||
if nacl_cryptoVerifyDetached(hash, sig_bytes, pk_bytes) {
|
||||
log.Println("signature is valid :^)")
|
||||
} else {
|
||||
err = errors.New("invalid signature")
|
||||
|
@ -13,7 +13,6 @@ import (
|
||||
"fmt"
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/sessions"
|
||||
"github.com/majestrate/nacl"
|
||||
"io"
|
||||
"log"
|
||||
"net"
|
||||
@ -416,13 +415,10 @@ func (self httpModUI) CheckPubkey(pubkey, scope string) (bool, error) {
|
||||
func (self httpModUI) CheckKey(privkey, scope string) (bool, error) {
|
||||
privkey_bytes, err := hex.DecodeString(privkey)
|
||||
if err == nil {
|
||||
kp := nacl.LoadSignKey(privkey_bytes)
|
||||
if kp != nil {
|
||||
defer kp.Free()
|
||||
pubkey := hex.EncodeToString(kp.Public())
|
||||
pk, _ := seedToKeyPair(privkey_bytes)
|
||||
pubkey := hex.EncodeToString(pk)
|
||||
return self.CheckPubkey(pubkey, scope)
|
||||
}
|
||||
}
|
||||
log.Println("invalid key format for key", privkey)
|
||||
return false, err
|
||||
}
|
||||
|
@ -6,12 +6,12 @@ package srnd
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"crypto/rand"
|
||||
"crypto/sha1"
|
||||
"crypto/sha512"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"github.com/majestrate/nacl"
|
||||
"golang.org/x/crypto/curve25519"
|
||||
"golang.org/x/crypto/ed25519"
|
||||
"io"
|
||||
@ -104,9 +104,15 @@ func OpenFileWriter(fname string) (io.WriteCloser, error) {
|
||||
return os.Create(fname)
|
||||
}
|
||||
|
||||
func randbytes(l int) []byte {
|
||||
b := make([]byte, l)
|
||||
io.ReadFull(rand.Reader, b)
|
||||
return b
|
||||
}
|
||||
|
||||
// make a random string
|
||||
func randStr(length int) string {
|
||||
return hex.EncodeToString(nacl.RandBytes(length))[length:]
|
||||
return hex.EncodeToString(randbytes(length))[length:]
|
||||
}
|
||||
|
||||
// time for right now as int64
|
||||
@ -212,7 +218,7 @@ func i2pDestHashLen() int {
|
||||
// generate a new encryption key for it
|
||||
// return the encryption key and the encrypted address
|
||||
func newAddrEnc(addr string) (string, string) {
|
||||
key_bytes := nacl.RandBytes(encAddrBytes())
|
||||
key_bytes := randbytes(encAddrBytes())
|
||||
key := base64.StdEncoding.EncodeToString(key_bytes)
|
||||
return key, encAddr(addr, key)
|
||||
}
|
||||
@ -291,13 +297,16 @@ func ValidNewsgroup(newsgroup string) bool {
|
||||
return newsgroupValidFormat(newsgroup)
|
||||
}
|
||||
|
||||
func genKeypair() (pk, sk []byte) {
|
||||
sk = randbytes(32)
|
||||
pk, _ = seedToKeyPair(sk)
|
||||
return
|
||||
}
|
||||
|
||||
// generate a new signing keypair
|
||||
// public, secret
|
||||
func newSignKeypair() (string, string) {
|
||||
kp := nacl.GenSignKeypair()
|
||||
defer kp.Free()
|
||||
pk := kp.Public()
|
||||
sk := kp.Seed()
|
||||
pk, sk := genKeypair()
|
||||
return hex.EncodeToString(pk), hex.EncodeToString(sk)
|
||||
}
|
||||
|
||||
@ -387,15 +396,16 @@ func hexify(data []byte) string {
|
||||
// extract pubkey from secret key
|
||||
// return as hex
|
||||
func getSignPubkey(sk []byte) string {
|
||||
k, _ := nacl.GetSignPubkey(sk)
|
||||
return hexify(k)
|
||||
_, pk := seedToKeyPair(sk)
|
||||
return hexify(pk)
|
||||
}
|
||||
|
||||
// sign data with secret key the fucky srnd way
|
||||
// return signature as hex
|
||||
func cryptoSign(h, sk []byte) string {
|
||||
// XXX: DEPRECATED
|
||||
func cryptoSignFucky(h, sk []byte) string {
|
||||
// sign
|
||||
sig := nacl.CryptoSignFucky(h, sk)
|
||||
sig := nacl_cryptoSignFucky(h, sk)
|
||||
if sig == nil {
|
||||
return "[failed to sign]"
|
||||
}
|
||||
@ -403,19 +413,20 @@ func cryptoSign(h, sk []byte) string {
|
||||
}
|
||||
|
||||
// convert seed to secret key
|
||||
func seedToSecretNew(seed []byte) (full ed25519.PrivateKey) {
|
||||
var out [32]byte
|
||||
func seedToKeyPair(seed []byte) (full ed25519.PrivateKey, pub ed25519.PublicKey) {
|
||||
var in [32]byte
|
||||
var out [32]byte
|
||||
copy(in[:], seed[0:32])
|
||||
curve25519.ScalarBaseMult(&out, &in)
|
||||
copy(pub[:], out[:])
|
||||
copy(full[:], in[:])
|
||||
copy(full[:32], out[:])
|
||||
copy(full[:32], pub[:])
|
||||
return
|
||||
}
|
||||
|
||||
func cryptoSignNew(h, sk []byte) string {
|
||||
func cryptoSignProper(h, sk []byte) string {
|
||||
// convert key
|
||||
key := seedToSecretNew(sk)
|
||||
key, _ := seedToKeyPair(sk)
|
||||
// sign
|
||||
sig := ed25519.Sign(key, h)
|
||||
if sig == nil {
|
||||
@ -429,7 +440,7 @@ func cryptoSignNew(h, sk []byte) string {
|
||||
func parseTripcodeSecret(str string) []byte {
|
||||
// try decoding hex
|
||||
raw := unhex(str)
|
||||
keylen := nacl.CryptoSignSeedLen()
|
||||
keylen := 32
|
||||
if raw == nil || len(raw) != keylen {
|
||||
// treat this as a "regular" chan tripcode
|
||||
// decode as bytes then pad the rest with 0s if it doesn't fit
|
||||
@ -670,17 +681,17 @@ func extractRealIP(r *http.Request) (ip string, err error) {
|
||||
|
||||
func serverPubkeyIsValid(pubkey string) bool {
|
||||
b := unhex(pubkey)
|
||||
return b != nil && len(b) == nacl.CryptoSignPubKeySize()
|
||||
return b != nil && len(b) == 32
|
||||
}
|
||||
|
||||
func verifyFrontendSig(pubkey, sig, msgid string) bool {
|
||||
s := unhex(sig)
|
||||
k := unhex(pubkey)
|
||||
h := sha512.Sum512([]byte(msgid))
|
||||
return nacl.CryptoVerifyFucky(h[:], s, k)
|
||||
return nacl_cryptoVerifyFucky(h[:], s, k)
|
||||
}
|
||||
|
||||
func msgidFrontendSign(sk []byte, msgid string) string {
|
||||
h := sha512.Sum512([]byte(msgid))
|
||||
return cryptoSign(h[:], sk)
|
||||
return cryptoSignFucky(h[:], sk)
|
||||
}
|
||||
|
Reference in New Issue
Block a user