commit 2b36a1ddacbb6d8f8fa1a1b4a8c99e376afcc937
Author: root <root@ip-10-56-75-16.(none)>
Date: Wed Aug 28 05:08:51 2013 +0000
[urcd.pyx, urc2sd.pyx][security] randombytes upgraded to use /dev/urandom
diff --git a/src/urc2sd.pyx b/src/urc2sd.pyx
--- a/src/urc2sd.pyx
+++ b/src/urc2sd.pyx
@@ -1,5 +1,4 @@
 #!/usr/bin/env python
-from random import randrange
 import unicodedata
 import collections
 import subprocess
@@ -40,6 +39,7 @@ EXCEPT = dict()
 seen = time.time()
 ping = time.time()
 user = str(os.getpid())
+bytes = [(chr(i),i) for i in xrange(0,256)]
 nick = open('nick','rb').read().split('\n')[0]
 channels = collections.deque([],CHANLIMIT)
@@ -72,6 +72,10 @@ if os.access('stdout',1):
 del p
 else: pipefd = os.pipe()
+### nacl-20110221's randombytes() not compatible with chroot ###
+devurandomfd = os.open("/dev/urandom",os.O_RDONLY)
+def randombytes(n): return try_read(devurandomfd,n)
+
 uid, gid = pwd.getpwnam('urcd')[2:4]
 os.chdir(os.path.dirname(URCHUB)) if URCHUB else os.chdir(sys.argv[1])
 os.chroot(os.getcwd())
@@ -113,13 +117,18 @@ def try_write(fd,buffer):
 except: sock_close(15,0)
 if URCHUB:
- def randombytes(n): return ''.join(chr(randrange(0,256)) for i in xrange(0,n))
- def taia_now(): return { 'sec':4611686018427387914L+long(now),'nano':long(1000000000*(now%1)+500),'atto':0 }
+ ### version of taia_now is randomized by +/- 4 seconds ###
+ def taia_now(): return {
+ 'sec':4611686018427387914L+long(now+[-1,-2,-3,-4,1,2,3,4][ord(randombytes(1))%8]),
+ 'nano':long(1000000000*(now%1)+500),
+ 'atto':0
+ }
 def tai_pack(s): return chr(s['sec']>>56&255)+chr(s['sec']>>48&255)+chr(s['sec']>>40&255)+chr(s['sec']>>32&255)+chr(s['sec']>>24&255)+chr(s['sec']>>16&255)+chr(s['sec']>>8&255)+chr(s['sec']&255)
 def taia_pack(s): return tai_pack(s)+chr(s['nano']>>24&255)+chr(s['nano']>>16&255)+chr(s['nano']>>8&255)+chr(s['nano']&255)+chr(s['atto']>>24&255)+chr(s['atto']>>16&255)+chr(s['atto']>>8&255)+chr(s['atto']&255)
 def sock_write(buffer):
 buflen = len(buffer)
- try: sock.sendto(chr(buflen>>8)+chr(buflen%256)+taia_pack(taia_now())+randombytes(8)+buffer,'hub')
+ buffer = chr(buflen>>8)+chr(buflen%256)+taia_pack(taia_now())+randombytes(8)+buffer
+ try: sock.sendto(buffer,'hub')
 except: pass
 else:
 def sock_write(buffer):
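Review bot: The line `+bytes = [(chr(i),i) for i in xrange(0,256)]` in the second hunk shadows the builtin `bytes` for the rest of urc2sd.pyx, and nothing in this commit reads it — the new `randombytes` reads the descriptor directly, and the `randrange`-based definition that such a table would have served is removed in the fourth hunk. Unless another part of the file (outside this diff) uses the table, it can be dropped; if it is needed, a name such as `BYTE_TABLE` avoids masking the builtin.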
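Review bot: `def randombytes(n): return try_read(devurandomfd,n)` in the third hunk passes the result of a single read straight through, so a short read from /dev/urandom (a read interrupted by a signal, or whatever `try_read` returns on error — its body is outside this diff) yields fewer than `n` bytes, and every caller then silently builds a shorter random field: `randombytes(8)` in `sock_write`, and `ord(randombytes(1))` in `taia_now`, which raises `TypeError` on an empty string. The function should keep reading until `n` bytes have been collected and fail explicitly otherwise, as sketched below. The identical definition is added to urcd.pyx in the next file section and has the same issue. Opening the descriptor before `os.chroot` is the right ordering; a comment such as `### must stay above os.chroot: /dev/urandom is not reachable afterwards ###` would keep a later reorder from breaking it.
```python
### nacl-20110221's randombytes() not compatible with chroot ###
devurandomfd = os.open("/dev/urandom",os.O_RDONLY)
def randombytes(n):
 ### a single read may return fewer than n bytes; collect until n are available ###
 buffer = ''
 while len(buffer) < n:
  chunk = try_read(devurandomfd,n-len(buffer))
  if not chunk: raise IOError('short read on /dev/urandom')
  buffer += chunk
 return buffer
```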
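Review bot: The new `buffer = chr(buflen>>8)+chr(buflen%256)+taia_pack(taia_now())+randombytes(8)+buffer` line in the fourth hunk moves `taia_now()` and `randombytes(8)` out of the `try`, so an exception from either now propagates out of `sock_write` instead of being silenced by `except: pass`. That looks intentional — a frame should not be sent without its timestamp and random field — but it is a behavior change that deserves a comment, e.g. `### assembled outside the try so a failed randombytes() is not silently dropped ###`. The same `taia_now` rewrite is made in urcd.pyx in the next file section; `sock_write`'s `else:` branch continues past the end of this hunk.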
diff --git a/src/urcd.pyx b/src/urcd.pyx
--- a/src/urcd.pyx
+++ b/src/urcd.pyx
@@ -1,5 +1,4 @@
 #!/usr/bin/env python
-from random import choice
 from errno import EAGAIN
 import unicodedata
 import collections
@@ -124,6 +123,10 @@ if os.access('stdout',os.X_OK):
 del p
 else: wr = 1
+### nacl-20110221's randombytes() not compatible with chroot ###
+devurandomfd = os.open("/dev/urandom",os.O_RDONLY)
+def randombytes(n): return try_read(devurandomfd,n)
+
 uid, gid = pwd.getpwnam('urcd')[2:4]
 os.chdir(os.path.dirname(URCHUB)) if URCHUB else os.chdir(sys.argv[1])
 os.chroot(os.getcwd())
@@ -168,9 +171,12 @@ def try_write(fd,buffer):
 time.sleep(1)
 if URCHUB:
- def randombytes(n): return ''.join(choice(bytes)[0] for i in xrange(0,n))
 ### version of taia_now is randomized by +/- 4 seconds ###
- def taia_now(): return { 'sec':4611686018427387914L+long(now+choice([-1,-2,-3,-4,1,2,3,4])),'nano':long(1000000000*(now%1)+500),'atto':0 }
+ def taia_now(): return {
+ 'sec':4611686018427387914L+long(now+[-1,-2,-3,-4,1,2,3,4][ord(randombytes(1))%8]),
+ 'nano':long(1000000000*(now%1)+500),
+ 'atto':0
+ }
 def tai_pack(s): return chr(s['sec']>>56&255)+chr(s['sec']>>48&255)+chr(s['sec']>>40&255)+chr(s['sec']>>32&255)+chr(s['sec']>>24&255)+chr(s['sec']>>16&255)+chr(s['sec']>>8&255)+chr(s['sec']&255)
 def taia_pack(s): return tai_pack(s)+chr(s['nano']>>24&255)+chr(s['nano']>>16&255)+chr(s['nano']>>8&255)+chr(s['nano']&255)+chr(s['atto']>>24&255)+chr(s['atto']>>16&255)+chr(s['atto']>>8&255)+chr(s['atto']&255)
 def sock_write(buffer):
@@ -410,13 +416,13 @@ while 1:
 if URCSIGNDB and buffer[2+12:][:4] == '\x01\x00\x00\x00':
 buflen = len(buffer)
 try:
- if crypto_hash_sha256(buffer[:buflen-96]) == crypto_sign_open(buffer[buflen-96:],urcsigndb[buffer[2+12+4+8+1:].split('!',1)[0].lower()][:32]): buffer = re_USER('!VERIFIED@',buffer[2+12+4+8:].split('\n',1)[0],1)
+ if crypto_sign_open(buffer[buflen-96:],urcsigndb[buffer[2+12+4+8+1:].split('!',1)[0].lower()][:32]) == crypto_hash_sha256(buffer[:buflen-96]): buffer = re_USER('!VERIFIED@',buffer[2+12+4+8:].split('\n',1)[0],1)
 else: buffer = re_USER('!URCD@',buffer[2+12+4+8:].split('\n',1)[0],1)
 except: buffer = re_USER('!URCD@',buffer[2+12+4+8:].split('\n',1)[0],1)
 else: buffer = re_USER('!URCD@',buffer[2+12+4+8:].split('\n',1)[0],1)
 else: buffer = re_USER('!URCD@',try_read(sd,1024).split('\n',1)[0],1)
- server_revents(choice(bytes)[1]<<4) ### may reduce some side channels ###
+ server_revents(ord(randombytes(1))<<4) ### may reduce some side channels ###
 buffer = re_BUFFER_CTCP_DCC('',buffer) + '\x01' if '\x01ACTION ' in buffer.upper() else buffer.replace('\x01','')
 if not COLOUR: buffer = re_BUFFER_COLOUR('',buffer)
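Review bot: The rewritten `if crypto_sign_open(buffer[buflen-96:],...) == crypto_hash_sha256(buffer[:buflen-96])` line still slices with `buflen-96` without checking that `buflen >= 96` (96 appears to be the trailing hash-plus-signature length); for a shorter frame the negative index silently selects the wrong bytes, and the path is only rejected because `crypto_sign_open` raises into the bare `except`, which also folds unknown nicks (`KeyError` from `urcsigndb[...]`) and any programming error into the same `!URCD@` fallback. Making the length test part of the guard, `if URCSIGNDB and len(buffer) >= 96 and buffer[2+12:][:4] == '\x01\x00\x00\x00':`, rejects short frames deliberately through the existing `else:` branch rather than through the exception handler. The operand swap itself changes nothing, and `==` is adequate here because both sides are public values, not secrets. The enclosing `while 1:` loop starts before this hunk.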