tor-dam

tor distributed announce mechanism (not a dht)
git clone https://git.parazyd.org/tor-dam
Log | Files | Refs | README | LICENSE

commit 4f05f88997bce535ef0cc782633172330ac16c11
parent dd43f9caef84f6fb5fd7d0d21fb1a95bdeb46a0d
Author: parazyd <parazyd@dyne.org>
Date:   Sat,  9 Dec 2017 20:32:29 +0100

Make the client also sign the decrypted secret.

This gets verified on the directory's end again. If the verification
fails at any point, the client will be deleted from the database. The
server now also replies back with a message if verification fails.

(Possible errors in logic, need fuel.)

Diffstat:
Mcmd/dam-client/main.go | 6++++++
Mcmd/dam-dir/main.go | 37++++++++++++++++++++++++++++++++++---
2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/cmd/dam-client/main.go b/cmd/dam-client/main.go @@ -76,7 +76,13 @@ func announce(dir string, vals map[string]string, privkey *rsa.PrivateKey) (bool decryptedEncode := base64.StdEncoding.EncodeToString(decrypted) + sig, err := lib.SignMsgRsa([]byte(decryptedEncode), privkey) + lib.CheckError(err) + encodedSig := base64.StdEncoding.EncodeToString(sig) + vals["secret"] = decryptedEncode + vals["message"] = decryptedEncode + vals["signature"] = encodedSig msg, err := json.Marshal(vals) if err != nil { return false, err diff --git a/cmd/dam-dir/main.go b/cmd/dam-dir/main.go @@ -155,22 +155,53 @@ func handlePost(rw http.ResponseWriter, request *http.Request) { } } - if len(req["secret"]) == 88 { + if len(req["secret"]) == 88 && len(req["message"]) == 88 { // Client sent a decrypted secret. var correct = false localSec, err := RedisCli.HGet(n.Address, "secret").Result() lib.CheckError(err) - if localSec == req["secret"] { + if localSec == req["secret"] && localSec == req["message"] { log.Println("Secrets match!") correct = true + } else { + log.Println("Secrets don't match!") + correct = false } + + msg := []byte(req["message"]) + sig := []byte(req["signature"]) + pub, err := lib.ParsePubkeyRsa([]byte(n.Pubkey)) + lib.CheckError(err) + val, err := lib.VerifyMsgRsa(msg, sig, pub) + lib.CheckError(err) + if val { + log.Println("Signature valid!") + correct = true + } else { + log.Println("Signature invalid!") + correct = false + } + if correct { log.Printf("Welcoming %s to the network\n", n.Address) ret := map[string]string{ "secret": "Welcome to the DAM network!", } - n.Valid = 0 + jsonVal, err := json.Marshal(ret) + lib.CheckError(err) + + rw.Header().Set("Content-Type", "application/json") + rw.WriteHeader(http.StatusOK) + rw.Write(jsonVal) + return + } else { + // Delete it from redis. + _, err := RedisCli.Del(n.Address).Result() + lib.CheckError(err) + ret := map[string]string{ + "secret": "Verification failed. Bye.", + } jsonVal, err := json.Marshal(ret) lib.CheckError(err)