secure telnet

sys/modules/opus/crypto/chacha20.lua

@@ -166,10 +166,10 @@ local function decrypt(data, key)
 end
 
 local obj = {}
-local mt = {['__index'] = obj}
+local rng_mt = {['__index'] = obj}
 
 function obj:nextInt(byte)
-	if byte < 1 or byte > 6 then error("Can only return 1-6 bytes", 2) end
+	if not byte or byte < 1 or byte > 6 then error("Can only return 1-6 bytes", 2) end
 	local output = 0
 	for i = 0, byte-1 do
 		if #self.block == 0 then
@@ -189,7 +189,7 @@ local function newRNG(seed)
 	o.cnt = 0
 	o.block = {}
 
-	return setmetatable(o, mt)
+	return setmetatable(o, rng_mt)
 end
 
 return {

sys/modules/opus/security.lua

@@ -1,6 +1,4 @@
 local Config = require('opus.config')
-local ECC    = require('opus.crypto.ecc')
-local Util   = require('opus.util')
 
 local Security = { }
 
@@ -13,32 +11,18 @@ function Security.hasPassword()
 	return not not Security.getPassword()
 end
 
-local function genKey()
-	local key = { }
-	for _ = 1, 32 do
-		table.insert(key, ("%02x"):format(math.random(0, 0xFF)))
-	end
-	return table.concat(key)
-end
-
-function Security.getSecretKey()
-	local config = Config.load('os')
-	if not config.secretKey then
-		config.secretKey = genKey()
-		Config.update('os', config)
-	end
-	return Util.hexToByteArray(config.secretKey)
-end
-
 function Security.getIdentifier()
 	local config = Config.load('os')
-	if config.identifier then
-		return config.identifier
+
+	if not config.identifier then
+		local key = { }
+		for _ = 1, 32 do
+			table.insert(key, ("%02x"):format(math.random(0, 0xFF)))
+		end
+		config.identifier = table.concat(key)
+
+		Config.update('os', config)
 	end
-	-- preserve the hash the user generated
-	local identifier = ECC.publicKey(Security.getSecretKey())
-	config.identifier = Util.byteArrayToHex(identifier)
-	Config.update('os', config)
 
 	return config.identifier
 end

sys/modules/opus/socket.lua

@@ -47,6 +47,9 @@ end
 
 function socketClass:write(data)
 	if self.connected then
+		if self.options.ENCRYPT then
+			data = Crypto.encrypt({ data }, self.enckey)
+		end
 		network.getTransport().write(self, {
 			type = 'DATA',
 			seq = self.wseq,
@@ -70,7 +73,7 @@ function socketClass:setupEncryption(x)
 		SHA.pbkdf2(self.sharedKey, x and "4sseed" or "3rseed", 1))
 
 	self.sharedKey = ECC.exchange(self.privKey, self.remotePubKey)
-	--self.enckey  = SHA.pbkdf2(self.sharedKey, "1enc", 1)
+	self.enckey  = SHA.pbkdf2(self.sharedKey, "1enc", 1)
 	--self.hmackey  = SHA.pbkdf2(self.sharedKey, "2hmac", 1)
 	self.rseq  = self.rrng:nextInt(5)
 	self.wseq  = self.wrng:nextInt(5)
@@ -144,15 +147,15 @@ function Socket.connect(host, port, options)
 		if e == 'modem_message' and
 			 sport == socket.sport and
 			 type(msg) == 'table' and
-			 msg.dhost == socket.shost and
-			 type(msg.pk) == 'string' then
+			 msg.dhost == socket.shost then
 
 			os.cancelTimer(timerId)
 
-			if msg.type == 'CONN' then
+			if msg.type == 'CONN' and type(msg.pk) == 'string' then
 				socket.dport = dport
 				socket.connected = true
 				socket.remotePubKey = Util.hexToByteArray(msg.pk)
+				socket.options = msg.options or { }
 				socket:setupEncryption(true)
 				network.getTransport().open(socket)
 				return socket
@@ -210,7 +213,7 @@ function Socket.server(port, options)
 			local socket = newSocket(msg.shost == os.getComputerID())
 			socket.dport = dport
 			socket.dhost = msg.shost
-			socket.options = options
+			socket.options = options or { }
 
 			if not Security.hasPassword() then
 				socket.transmit(socket.dport, socket.sport, {
@@ -227,6 +230,7 @@ function Socket.server(port, options)
 					dhost = socket.dhost,
 					shost = socket.shost,
 					pk = Util.byteArrayToHex(socket.pubKey),
+					options = socket.options.ENCRYPT and { ENCRYPT = true },
 				})
 
 				network.getTransport().open(socket)