-- Leo's gemini proxy
-- Connecting to git.thebackupbox.net:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini
repo: urcd action: commit revision: path_from: revision_from: 2b36a1ddacbb6d8f8fa1a1b4a8c99e376afcc937: path_to: revision_to:
commit 2b36a1ddacbb6d8f8fa1a1b4a8c99e376afcc937
Author: root <root@ip-10-56-75-16.(none)>
Date: Wed Aug 28 05:08:51 2013 +0000
[urcd.pyx, urc2sd.pyx][security] randombytes upgraded to use /dev/urandom
diff --git a/src/urc2sd.pyx b/src/urc2sd.pyx
--- a/src/urc2sd.pyx
+++ b/src/urc2sd.pyx
@@ -1,5 +1,4 @@
#!/usr/bin/env python
-from random import randrange
import unicodedata
import collections
import subprocess
@@ -40,6 +39,7 @@ EXCEPT = dict()
seen = time.time()
ping = time.time()
user = str(os.getpid())
+bytes = [(chr(i),i) for i in xrange(0,256)]
nick = open('nick','rb').read().split('\n')[0]
channels = collections.deque([],CHANLIMIT)
@@ -72,6 +72,10 @@ if os.access('stdout',1):
del p
else: pipefd = os.pipe()
+### nacl-20110221's randombytes() not compatible with chroot ###
+devurandomfd = os.open("/dev/urandom",os.O_RDONLY)
+def randombytes(n): return try_read(devurandomfd,n)
+
uid, gid = pwd.getpwnam('urcd')[2:4]
os.chdir(os.path.dirname(URCHUB)) if URCHUB else os.chdir(sys.argv[1])
os.chroot(os.getcwd())
@@ -113,13 +117,18 @@ def try_write(fd,buffer):
except: sock_close(15,0)
if URCHUB:
- def randombytes(n): return ''.join(chr(randrange(0,256)) for i in xrange(0,n))
- def taia_now(): return { 'sec':4611686018427387914L+long(now),'nano':long(1000000000*(now%1)+500),'atto':0 }
+ ### version of taia_now is randomized by +/- 4 seconds ###
+ def taia_now(): return {
+ 'sec':4611686018427387914L+long(now+[-1,-2,-3,-4,1,2,3,4][ord(randombytes(1))%8]),
+ 'nano':long(1000000000*(now%1)+500),
+ 'atto':0
+ }
def tai_pack(s): return chr(s['sec']>>56&255)+chr(s['sec']>>48&255)+chr(s['sec']>>40&255)+chr(s['sec']>>32&255)+chr(s['sec']>>24&255)+chr(s['sec']>>16&255)+chr(s['sec']>>8&255)+chr(s['sec']&255)
def taia_pack(s): return tai_pack(s)+chr(s['nano']>>24&255)+chr(s['nano']>>16&255)+chr(s['nano']>>8&255)+chr(s['nano']&255)+chr(s['atto']>>24&255)+chr(s['atto']>>16&255)+chr(s['atto']>>8&255)+chr(s['atto']&255)
def sock_write(buffer):
buflen = len(buffer)
- try: sock.sendto(chr(buflen>>8)+chr(buflen%256)+taia_pack(taia_now())+randombytes(8)+buffer,'hub')
+ buffer = chr(buflen>>8)+chr(buflen%256)+taia_pack(taia_now())+randombytes(8)+buffer
+ try: sock.sendto(buffer,'hub')
except: pass
else:
def sock_write(buffer):
diff --git a/src/urcd.pyx b/src/urcd.pyx
--- a/src/urcd.pyx
+++ b/src/urcd.pyx
@@ -1,5 +1,4 @@
#!/usr/bin/env python
-from random import choice
from errno import EAGAIN
import unicodedata
import collections
@@ -124,6 +123,10 @@ if os.access('stdout',os.X_OK):
del p
else: wr = 1
+### nacl-20110221's randombytes() not compatible with chroot ###
+devurandomfd = os.open("/dev/urandom",os.O_RDONLY)
+def randombytes(n): return try_read(devurandomfd,n)
+
uid, gid = pwd.getpwnam('urcd')[2:4]
os.chdir(os.path.dirname(URCHUB)) if URCHUB else os.chdir(sys.argv[1])
os.chroot(os.getcwd())
@@ -168,9 +171,12 @@ def try_write(fd,buffer):
time.sleep(1)
if URCHUB:
- def randombytes(n): return ''.join(choice(bytes)[0] for i in xrange(0,n))
### version of taia_now is randomized by +/- 4 seconds ###
- def taia_now(): return { 'sec':4611686018427387914L+long(now+choice([-1,-2,-3,-4,1,2,3,4])),'nano':long(1000000000*(now%1)+500),'atto':0 }
+ def taia_now(): return {
+ 'sec':4611686018427387914L+long(now+[-1,-2,-3,-4,1,2,3,4][ord(randombytes(1))%8]),
+ 'nano':long(1000000000*(now%1)+500),
+ 'atto':0
+ }
def tai_pack(s): return chr(s['sec']>>56&255)+chr(s['sec']>>48&255)+chr(s['sec']>>40&255)+chr(s['sec']>>32&255)+chr(s['sec']>>24&255)+chr(s['sec']>>16&255)+chr(s['sec']>>8&255)+chr(s['sec']&255)
def taia_pack(s): return tai_pack(s)+chr(s['nano']>>24&255)+chr(s['nano']>>16&255)+chr(s['nano']>>8&255)+chr(s['nano']&255)+chr(s['atto']>>24&255)+chr(s['atto']>>16&255)+chr(s['atto']>>8&255)+chr(s['atto']&255)
def sock_write(buffer):
@@ -410,13 +416,13 @@ while 1:
if URCSIGNDB and buffer[2+12:][:4] == '\x01\x00\x00\x00':
buflen = len(buffer)
try:
- if crypto_hash_sha256(buffer[:buflen-96]) == crypto_sign_open(buffer[buflen-96:],urcsigndb[buffer[2+12+4+8+1:].split('!',1)[0].lower()][:32]): buffer = re_USER('!VERIFIED@',buffer[2+12+4+8:].split('\n',1)[0],1)
+ if crypto_sign_open(buffer[buflen-96:],urcsigndb[buffer[2+12+4+8+1:].split('!',1)[0].lower()][:32]) == crypto_hash_sha256(buffer[:buflen-96]): buffer = re_USER('!VERIFIED@',buffer[2+12+4+8:].split('\n',1)[0],1)
else: buffer = re_USER('!URCD@',buffer[2+12+4+8:].split('\n',1)[0],1)
except: buffer = re_USER('!URCD@',buffer[2+12+4+8:].split('\n',1)[0],1)
else: buffer = re_USER('!URCD@',buffer[2+12+4+8:].split('\n',1)[0],1)
else: buffer = re_USER('!URCD@',try_read(sd,1024).split('\n',1)[0],1)
- server_revents(choice(bytes)[1]<<4) ### may reduce some side channels ###
+ server_revents(ord(randombytes(1))<<4) ### may reduce some side channels ###
buffer = re_BUFFER_CTCP_DCC('',buffer) + '\x01' if '\x01ACTION ' in buffer.upper() else buffer.replace('\x01','')
if not COLOUR: buffer = re_BUFFER_COLOUR('',buffer)
-----END OF PAGE-----
-- Response ended
-- Page fetched on Sun Jun 2 19:05:56 2024