mirror
/
oragono
spogulis no https://github.com/oragono/oragono
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Laidieni 69 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
2904 Revīzijas
21 Atzars
Koks: 0fa067e806
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '0fa067e806'
${ noResults }
oragono/irc/utils/crypto.go

crypto.go 2.5KB
Vēsture Neapstrādāts

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. // Copyright (c) 2018 Shivaram Lingamneni <slingamn@cs.stanford.edu>

  2. // released under the MIT license

  3. 

  4. package utils

  5. 

  6. import (

  7. 	"crypto/rand"

  8. 	"crypto/subtle"

  9. 	"encoding/base32"

  10. 	"encoding/base64"

  11. 	"encoding/hex"

  12. 	"errors"

  13. 	"strings"

  14. )

  15. 

  16. var (

  17. 	// slingamn's own private b32 alphabet, removing 1, l, o, and 0

  18. 	B32Encoder = base32.NewEncoding("abcdefghijkmnpqrstuvwxyz23456789").WithPadding(base32.NoPadding)

  19. 

  20. 	ErrInvalidCertfp = errors.New("Invalid certfp")

  21. )

  22. 

  23. const (

  24. 	SecretTokenLength = 26

  25. )

  26. 

  27. // generate a secret token that cannot be brute-forced via online attacks

  28. func GenerateSecretToken() string {

  29. 	// 128 bits of entropy are enough to resist any online attack:

  30. 	var buf [16]byte

  31. 	rand.Read(buf[:])

  32. 	// 26 ASCII characters, should be fine for most purposes

  33. 	return B32Encoder.EncodeToString(buf[:])

  34. }

  35. 

  36. // "munge" a secret token to a new value. requirements:

  37. // 1. MUST be roughly as unlikely to collide with `GenerateSecretToken` outputs

  38. // as those outputs are with each other

  39. // 2. SHOULD be deterministic (motivation: if a JOIN line has msgid x,

  40. // create a deterministic msgid y for the fake HistServ PRIVMSG that "replays" it)

  41. // 3. SHOULD be in the same "namespace" as `GenerateSecretToken` outputs

  42. // (same length and character set)

  43. func MungeSecretToken(token string) (result string) {

  44. 	bytes, err := B32Encoder.DecodeString(token)

  45. 	if err != nil {

  46. 		// this should never happen

  47. 		return GenerateSecretToken()

  48. 	}

  49. 	// add 1 with carrying

  50. 	for i := len(bytes) - 1; 0 <= i; i -= 1 {

  51. 		bytes[i] += 1

  52. 		if bytes[i] != 0 {

  53. 			break

  54. 		} // else: overflow, carry to the next place

  55. 	}

  56. 	return B32Encoder.EncodeToString(bytes)

  57. }

  58. 

  59. // securely check if a supplied token matches a stored token

  60. func SecretTokensMatch(storedToken string, suppliedToken string) bool {

  61. 	// XXX fix a potential gotcha: if the stored token is uninitialized,

  62. 	// then nothing should match it, not even supplying an empty token.

  63. 	if len(storedToken) == 0 {

  64. 		return false

  65. 	}

  66. 

  67. 	return subtle.ConstantTimeCompare([]byte(storedToken), []byte(suppliedToken)) == 1

  68. }

  69. 

  70. // generate a 256-bit secret key that can be written into a config file

  71. func GenerateSecretKey() string {

  72. 	var buf [32]byte

  73. 	rand.Read(buf[:])

  74. 	return base64.RawURLEncoding.EncodeToString(buf[:])

  75. }

  76. 

  77. // Normalize openssl-formatted certfp's to oragono's format

  78. func NormalizeCertfp(certfp string) (result string, err error) {

  79. 	result = strings.ToLower(strings.Replace(certfp, ":", "", -1))

  80. 	decoded, err := hex.DecodeString(result)

  81. 	if err != nil || len(decoded) != 32 {

  82. 		return "", ErrInvalidCertfp

  83. 	}

  84. 	return

  85. }