tMake the client also sign the decrypted secret. - tordam - A library for peer discovery inside the Tor network
HTML git clone https://git.parazyd.org/tordam
DIR Log
DIR Files
DIR Refs
DIR README
DIR LICENSE
---
DIR commit 4f05f88997bce535ef0cc782633172330ac16c11
DIR parent dd43f9caef84f6fb5fd7d0d21fb1a95bdeb46a0d
HTML Author: parazyd <parazyd@dyne.org>
Date: Sat, 9 Dec 2017 20:32:29 +0100
Make the client also sign the decrypted secret.
This gets verified on the directory's end again. If the verification
fails at any point, the client will be deleted from the database. The
server now also replies back with a message if verification fails.
(Possible errors in logic, need fuel.)
Diffstat:
M cmd/dam-client/main.go | 6 ++++++
M cmd/dam-dir/main.go | 37 ++++++++++++++++++++++++++++---
2 files changed, 40 insertions(+), 3 deletions(-)
---
DIR diff --git a/cmd/dam-client/main.go b/cmd/dam-client/main.go
t@@ -76,7 +76,13 @@ func announce(dir string, vals map[string]string, privkey *rsa.PrivateKey) (bool
decryptedEncode := base64.StdEncoding.EncodeToString(decrypted)
+ sig, err := lib.SignMsgRsa([]byte(decryptedEncode), privkey)
+ lib.CheckError(err)
+ encodedSig := base64.StdEncoding.EncodeToString(sig)
+
vals["secret"] = decryptedEncode
+ vals["message"] = decryptedEncode
+ vals["signature"] = encodedSig
msg, err := json.Marshal(vals)
if err != nil {
return false, err
DIR diff --git a/cmd/dam-dir/main.go b/cmd/dam-dir/main.go
t@@ -155,22 +155,53 @@ func handlePost(rw http.ResponseWriter, request *http.Request) {
}
}
- if len(req["secret"]) == 88 {
+ if len(req["secret"]) == 88 && len(req["message"]) == 88 {
// Client sent a decrypted secret.
var correct = false
localSec, err := RedisCli.HGet(n.Address, "secret").Result()
lib.CheckError(err)
- if localSec == req["secret"] {
+ if localSec == req["secret"] && localSec == req["message"] {
log.Println("Secrets match!")
correct = true
+ } else {
+ log.Println("Secrets don't match!")
+ correct = false
}
+
+ msg := []byte(req["message"])
+ sig := []byte(req["signature"])
+ pub, err := lib.ParsePubkeyRsa([]byte(n.Pubkey))
+ lib.CheckError(err)
+ val, err := lib.VerifyMsgRsa(msg, sig, pub)
+ lib.CheckError(err)
+ if val {
+ log.Println("Signature valid!")
+ correct = true
+ } else {
+ log.Println("Signature invalid!")
+ correct = false
+ }
+
if correct {
log.Printf("Welcoming %s to the network\n", n.Address)
ret := map[string]string{
"secret": "Welcome to the DAM network!",
}
- n.Valid = 0
+ jsonVal, err := json.Marshal(ret)
+ lib.CheckError(err)
+
+ rw.Header().Set("Content-Type", "application/json")
+ rw.WriteHeader(http.StatusOK)
+ rw.Write(jsonVal)
+ return
+ } else {
+ // Delete it from redis.
+ _, err := RedisCli.Del(n.Address).Result()
+ lib.CheckError(err)
+ ret := map[string]string{
+ "secret": "Verification failed. Bye.",
+ }
jsonVal, err := json.Marshal(ret)
lib.CheckError(err)