Fix #413 by always generating public keys from private ones instead of trusting public keys supplied by config

2025-11-04 03:05:07 +03:00 · 2019-07-16 09:49:28 +01:00 · 2019-07-16 09:49:28 +01:00 · 145a43e5f0
commit 145a43e5f0
parent a5152f1d44
2 changed files with 37 additions and 9 deletions
--- a/src/crypto/crypto.go
+++ b/src/crypto/crypto.go
@ -15,6 +15,7 @@ import (
 	"crypto/sha512"
 	"encoding/hex"

+	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/ed25519"
 	"golang.org/x/crypto/nacl/box"

@ -124,6 +125,15 @@ func Verify(pub *SigPubKey, msg []byte, sig *SigBytes) bool {
 	return ed25519.Verify(pub[:], msg, sig[:])
 }

+func (p SigPrivKey) Public() SigPubKey {
+	priv := make(ed25519.PrivateKey, ed25519.PrivateKeySize)
+	copy(priv[:], p[:])
+	pub := priv.Public().(ed25519.PublicKey)
+	var sigPub SigPubKey
+	copy(sigPub[:], pub[:])
+	return sigPub
+}
+
 ////////////////////////////////////////////////////////////////////////////////

 // NaCl-like crypto "box" (curve25519+xsalsa20+poly1305)
@ -204,6 +214,14 @@ func (n *BoxNonce) Increment() {
 	}
 }

+func (p BoxPrivKey) Public() BoxPubKey {
+	var boxPub [BoxPubKeyLen]byte
+	var boxPriv [BoxPrivKeyLen]byte
+	copy(boxPriv[:BoxPrivKeyLen], p[:BoxPrivKeyLen])
+	curve25519.ScalarBaseMult(&boxPub, &boxPriv)
+	return boxPub
+}
+
 // Used to subtract one nonce from another, staying in the range +- 64.
 // This is used by the nonce progression machinery to advance the bitmask of recently received packets (indexed by nonce), or to check the appropriate bit of the bitmask.
 // It's basically part of the machinery that prevents replays and duplicate packets.
--- a/src/yggdrasil/core.go
+++ b/src/yggdrasil/core.go
@ -2,6 +2,7 @@ package yggdrasil

 import (
 	"encoding/hex"
+	"errors"
 	"io/ioutil"
 	"time"

@ -46,28 +47,37 @@ func (c *Core) init() error {

 	current, _ := c.config.Get()

-	boxPubHex, err := hex.DecodeString(current.EncryptionPublicKey)
-	if err != nil {
-		return err
-	}
 	boxPrivHex, err := hex.DecodeString(current.EncryptionPrivateKey)
 	if err != nil {
 		return err
 	}
-	sigPubHex, err := hex.DecodeString(current.SigningPublicKey)
-	if err != nil {
-		return err
+	if len(boxPrivHex) < crypto.BoxPrivKeyLen {
+		return errors.New("EncryptionPrivateKey is incorrect length")
 	}
+
 	sigPrivHex, err := hex.DecodeString(current.SigningPrivateKey)
 	if err != nil {
 		return err
 	}
+	if len(sigPrivHex) < crypto.SigPrivKeyLen {
+		return errors.New("SigningPrivateKey is incorrect length")
+	}

-	copy(c.boxPub[:], boxPubHex)
 	copy(c.boxPriv[:], boxPrivHex)
-	copy(c.sigPub[:], sigPubHex)
 	copy(c.sigPriv[:], sigPrivHex)

+	boxPub, sigPub := c.boxPriv.Public(), c.sigPriv.Public()
+
+	copy(c.boxPub[:], boxPub[:])
+	copy(c.sigPub[:], sigPub[:])
+
+	if bp := hex.EncodeToString(c.boxPub[:]); current.EncryptionPublicKey != bp {
+		c.log.Warnln("EncryptionPublicKey in config is incorrect, should be", bp)
+	}
+	if sp := hex.EncodeToString(c.sigPub[:]); current.SigningPublicKey != sp {
+		c.log.Warnln("SigningPublicKey in config is incorrect, should be", sp)
+	}
+
 	c.searches.init(c)
 	c.dht.init(c)
 	c.sessions.init(c)