security start

2025-01-23 21:56:53 +00:00 · 2017-05-05 07:34:20 -04:00 · 2017-05-05 07:34:20 -04:00 · cc4f8a0afc
commit cc4f8a0afc
parent 2e5267896e
5 changed files with 148 additions and 8 deletions
--- a/apps/password.lua
+++ b/apps/password.lua
@ -0,0 +1,18 @@
+require = requireInjector(getfenv(1))
+local Config = require('config')
+local SHA1 = require('sha1')
+
+local config = {
+  enable = false,
+  pocketId = 10,
+  distance = 8,
+}
+
+Config.load('os', config)
+
+print('Enter new password')
+local password = read()
+
+config.password = SHA1.sha1(password)
+
+Config.update('os', config)
--- a/apps/trust.lua
+++ b/apps/trust.lua
@ -0,0 +1,56 @@
+require = requireInjector(getfenv(1))
+local Socket = require('socket')
+local SHA1 = require('sha1')
+
+local remoteId
+local args = { ... }
+local exchange = {
+  base = 11,
+  primeMod = 625210769
+}
+
+if #args == 1 then
+  remoteId = tonumber(args[1])
+else
+  print('Enter host ID')
+  remoteId = tonumber(read())
+end
+
+if not remoteId then
+  error('Syntax: trust <host ID>')
+end
+
+print('Password')
+local password = read()
+
+print('connecting...')
+local socket = Socket.connect(remoteId, 19)
+
+if not socket then
+  error('Unable to connect to ' .. remoteId .. ' on port 19')
+end
+
+local function modexp(base, exponent, modulo)
+  local remainder = base
+
+  for i = 1, exponent-1 do
+    remainder = remainder * remainder
+    if remainder >= modulo then
+      remainder = remainder % modulo
+    end
+  end
+
+  return remainder
+end
+
+local secretKey = os.getSecretKey()
+local publicKey = modexp(exchange.base, secretKey, exchange.primeMod)
+
+socket:write({
+  password = SHA1.sha1(password),
+  publicKey = publicKey,
+})
+
+print(socket:read(2) or 'No response')
+
+socket:close()
--- a/sys/apis/socket.lua
+++ b/sys/apis/socket.lua
@ -1,7 +1,28 @@
 local Logger = require('logger')

 local socketClass = { }
-local trustList = Util.readTable('.known_hosts')
+local trustList = Util.readTable('.known_hosts') or { }
+
+local exchange = {
+  base = 11,
+  primeMod = 625210769
+}
+
+local function modexp(base, exponent, modulo)
+  local remainder = base
+
+  for i = 1, exponent-1 do
+    remainder = remainder * remainder
+    if remainder >= modulo then
+      remainder = remainder % modulo
+    end
+  end
+
+  return remainder
+end
+
+exchange.secretKey = os.getSecretKey()
+exchange.publicKey = modexp(exchange.base, exchange.secretKey, exchange.primeMod)

 function socketClass:read(timeout)

@ -148,6 +169,7 @@ function Socket.connect(host, port)
    type = 'OPEN',
    shost = socket.shost,
    dhost = socket.dhost,
+    sharedKey = exchange.publicKey,
  })

  local timerId = os.startTimer(3)
@ -175,11 +197,18 @@ function Socket.connect(host, port)
  socket:close()
 end

-function trusted(msg)
-  if trustList then
-    return trustList[msg.shost]
+function trusted(msg, port)
+
+  if port == 19 then -- no auth for trust server
+    return true
+  end
+
+  local pubKey = trustList[msg.shost]
+
+  if pubKey then
+    --local sharedKey = modexp(pubKey, exchange.secretKey, public.primeMod)
+    return pubKey == msg.sharedKey
  end
-  return true
 end

 function Socket.server(port, keepAlive)
@ -195,7 +224,7 @@ function Socket.server(port, keepAlive)
       msg.dhost == os.getComputerID() and
       msg.type == 'OPEN' then

-      if trusted(msg) then
+      if trusted(msg, port) then
        local socket = newSocket(msg.shost == os.getComputerID())
        socket.dport = dport
        socket.dhost = msg.shost
--- a/sys/extensions/os.lua
+++ b/sys/extensions/os.lua
@ -7,8 +7,6 @@ local config = {
  distance = 8,
 }

-Config.load('lock', config)
-
 local lockId

 function lockScreen()
@ -40,6 +38,7 @@ function lockScreen()

  function page:eventHandler(event)
    if event.type == 'key' and event.key == 'enter' then
+      Config.load('os', config)
      if SHA1.sha1(self.password.value) == config.password then
        os.locked = false
        Event.exitPullEvents()
@ -56,6 +55,18 @@ function lockScreen()
  Event.pullEvents()
 end

+function os.verifyPassword(password)
+  Config.load('os', config)
+  return config.password and password == config.password
+end
+
+function os.getSecretKey()
+  if not fs.exists('.secret') then
+    Util.writeFile('.secret', math.random(100000, 999999))
+  end
+  return Util.readFile('.secret')
+end
+
 os.lock = function()
  --os.locked = true

--- a/sys/network/trust.lua
+++ b/sys/network/trust.lua
@ -0,0 +1,26 @@
+local Socket = require('socket')
+local process = require('process')
+
+process:newThread('trust_server', function()
+
+  print('trust: listening on port 19')
+  while true do
+    local socket = Socket.server(19)
+
+    print('trust: connection from ' .. socket.dhost)
+
+    local data = socket:read(2)
+    if data then
+      if os.verifyPassword(data.password) then
+        local trustList = Util.readTable('.known_hosts') or { }
+        trustList[socket.dhost] = data.publicKey
+        Util.writeTable('.known_hosts', trustList)
+
+        socket:write('Trust accepted')
+      else
+        socket:write('Invalid password or password is not set')
+      end
+    end
+    socket:close()
+  end
+end)