feat: swap xor for sha512

Otherwise the server can make the client decrypt arbitrary things with it's privKey as XOR is reversible. SHA5 is not, so using that instead
libp2p · Jan 6, 2019 · b100396 · b100396
1 parent 3bbbfa2
commit b100396
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 27 deletions.
diff --git a/src/client/index.js b/src/client/index.js
@@ -8,15 +8,7 @@ const {JoinInit, JoinChallenge, JoinChallengeSolution, JoinVerify, DialRequest,
 
 const prom = (f) => new Promise((resolve, reject) => f((err, res) => err ? reject(err) : resolve(res)))
 
-const xor = (a, b) => {
-  const r = Buffer.allocUnsafe(a.length)
-
-  for (var i = 0; i < a.length; i++) {
-    r[i] = a[i] ^ b[i]
-  }
-
-  return r
-}
+const sha5 = (data) => crypto.createHash('sha512').update(data).digest()
 
 const crypto = require('crypto')
 const ID = require('peer-id')
@@ -66,11 +58,11 @@ class Connection {
 
     log('sent rand')
 
-    const {error, xorEncrypted} = await rpc.readProto(JoinChallenge)
+    const {error, saltEncrypted} = await rpc.readProto(JoinChallenge)
     if (error) { translateAndThrow(error) }
-    const xorSecret = await prom(cb => this.client.id.privKey.decrypt(xorEncrypted, cb))
+    const saltSecret = await prom(cb => this.client.id.privKey.decrypt(saltEncrypted, cb))
 
-    const solution = xor(random, xorSecret)
+    const solution = sha5(random, saltSecret)
     rpc.writeProto(JoinChallengeSolution, {solution})
 
     const {error: error2} = await rpc.readProto(JoinVerify)

diff --git a/src/rpc/proto.js b/src/rpc/proto.js
@@ -23,11 +23,11 @@ message JoinInit {
 
 message JoinChallenge {
   Error error = 1;
-  bytes xorEncrypted = 2;
+  bytes saltEncrypted = 2;
 }
 
 message JoinChallengeSolution {
-  bytes solution = 1; // xor(random128, decrypt(xorEncrypted, id.priv))
+  bytes solution = 1; // sha5(random128, decrypt(saltEncrypted, id.priv))
 }
 
 message JoinVerify {

diff --git a/src/server/index.js b/src/server/index.js
@@ -8,15 +8,7 @@ const {JoinInit, JoinChallenge, JoinChallengeSolution, JoinVerify, DialRequest,
 
 const prom = (f) => new Promise((resolve, reject) => f((err, res) => err ? reject(err) : resolve(res)))
 
-const xor = (a, b) => {
-  const r = Buffer.allocUnsafe(a.length)
-
-  for (var i = 0; i < a.length; i++) {
-    r[i] = a[i] ^ b[i]
-  }
-
-  return r
-}
+const sha5 = (data) => crypto.createHash('sha512').update(data).digest()
 
 const crypto = require('crypto')
 const ID = require('peer-id')
@@ -95,12 +87,12 @@ class Server {
 
         log('got rand')
 
-        const xorSecret = crypto.randomBytes(128)
-        const xorEncrypted = await prom(cb => id.pubKey.encrypt(xorSecret, cb))
+        const saltSecret = crypto.randomBytes(128)
+        const saltEncrypted = await prom(cb => id.pubKey.encrypt(saltSecret, cb))
 
-        rpc.writeProto(JoinChallenge, {xorEncrypted})
+        rpc.writeProto(JoinChallenge, {saltEncrypted})
 
-        const solution = xor(random, xorSecret)
+        const solution = sha5(random, saltSecret)
 
         const {solution: solutionClient} = await rpc.readProto(JoinChallengeSolution)