Merge pull request #84 from jagerman/perm-blinding-migration

User permission blinding migration

Author: jagerman

contrib/auth-example.py

@@ -1,6 +1,6 @@
 # Example script for demonstrating X-SOGS-* authentication calculation.
 
-import nacl.bindings as salt
+import nacl.bindings as sodium
 from nacl.signing import SigningKey
 from hashlib import blake2b, sha512
 from base64 import b64encode
@@ -29,10 +29,12 @@ def blinded_ed25519_signature(message_parts, s: SigningKey, ka: bytes, kA: bytes
     domain separation for different blinded pubkeys.  (This doesn't affect verification at all).
     """
     H_rh = sha512(s.encode()).digest()[32:]
-    r = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(H_rh, kA, message_parts))
-    sig_R = salt.crypto_scalarmult_ed25519_base_noclamp(r)
-    HRAM = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(sig_R, kA, message_parts))
-    sig_s = salt.crypto_core_ed25519_scalar_add(r, salt.crypto_core_ed25519_scalar_mul(HRAM, ka))
+    r = sodium.crypto_core_ed25519_scalar_reduce(sha512_multipart(H_rh, kA, message_parts))
+    sig_R = sodium.crypto_scalarmult_ed25519_base_noclamp(r)
+    HRAM = sodium.crypto_core_ed25519_scalar_reduce(sha512_multipart(sig_R, kA, message_parts))
+    sig_s = sodium.crypto_core_ed25519_scalar_add(
+        r, sodium.crypto_core_ed25519_scalar_mul(HRAM, ka)
+    )
     return sig_R + sig_s
 
 
@@ -52,7 +54,7 @@ def get_signing_headers(
 
     if blinded:
         # 64-byte blake2b hash then reduce to get the blinding factor:
-        k = salt.crypto_core_ed25519_scalar_reduce(blake2b(server_pk, digest_size=64).digest())
+        k = sodium.crypto_core_ed25519_scalar_reduce(blake2b(server_pk, digest_size=64).digest())
 
         # Calculate k*a.  To get 'a' (the Ed25519 private key scalar) we call the sodium function to
         # convert to an *x* secret key, which seems wrong--but isn't because converted keys use the
@@ -61,8 +63,8 @@ def get_signing_headers(
         a = s.to_curve25519_private_key().encode()
 
         # Our blinded keypair:
-        ka = salt.crypto_core_ed25519_scalar_mul(k, a)
-        kA = salt.crypto_scalarmult_ed25519_base_noclamp(ka)
+        ka = sodium.crypto_core_ed25519_scalar_mul(k, a)
+        kA = sodium.crypto_scalarmult_ed25519_base_noclamp(ka)
 
         # Blinded session id:
         pubkey = '15' + kA.hex()

contrib/blinding.py

@@ -1,5 +1,5 @@
 from nacl.signing import SigningKey, VerifyKey
-import nacl.bindings as salt
+import nacl.bindings as sodium
 from nacl.utils import random
 import nacl.hash
 from hashlib import blake2b
@@ -16,24 +16,26 @@
 
     # This seems a bit weird, but: sodium's sk-to-curve uses the same private key scalar (a) for
     # both curves, so getting `a` for the curve25519 implicitly gives us the ed25519 `a` as well.
-    a = salt.crypto_sign_ed25519_sk_to_curve25519(s.encode() + A)
+    a = sodium.crypto_sign_ed25519_sk_to_curve25519(s.encode() + A)
 
     A_xpk = s.to_curve25519_private_key().public_key.encode()  # session id is 05 + this
 
-    assert salt.crypto_scalarmult_ed25519_base_noclamp(a) == A
-    assert salt.crypto_scalarmult_base(a) == A_xpk
-    assert salt.crypto_core_ed25519_is_valid_point(A)
+    assert sodium.crypto_scalarmult_ed25519_base_noclamp(a) == A
+    assert sodium.crypto_scalarmult_base(a) == A_xpk
+    assert sodium.crypto_core_ed25519_is_valid_point(A)
 
     server_pubkey = random(32)
-    k = salt.crypto_core_ed25519_scalar_reduce(nacl.hash.generichash(server_pubkey, digest_size=64))
+    k = sodium.crypto_core_ed25519_scalar_reduce(
+        nacl.hash.generichash(server_pubkey, digest_size=64)
+    )
 
-    ka = salt.crypto_core_ed25519_scalar_mul(k, a)
+    ka = sodium.crypto_core_ed25519_scalar_mul(k, a)
     # kA will be my blinded pubkey visible from my posts, with '15' prepended, and is an *Ed*
     # pubkey, not an X pubkey.
-    kA = salt.crypto_scalarmult_ed25519_noclamp(k, A)
+    kA = sodium.crypto_scalarmult_ed25519_noclamp(k, A)
 
-    assert salt.crypto_scalarmult_ed25519_base_noclamp(ka) == kA
-    assert salt.crypto_core_ed25519_is_valid_point(kA)
+    assert sodium.crypto_scalarmult_ed25519_base_noclamp(ka) == kA
+    assert sodium.crypto_core_ed25519_is_valid_point(kA)
 
     #############################
     # Signing (e.g. for X-SOGS-*) with a blinded keypair ka/kA
@@ -45,13 +47,17 @@
     # which gives us a bog standard Ed25519 that can be verified using the kA pubkey with standard
     # verification code.
     message_to_sign = b'omg happy days'
-    H_rh = salt.crypto_hash_sha512(s.encode())[32:]
-    r = salt.crypto_core_ed25519_scalar_reduce(salt.crypto_hash_sha512(H_rh + kA + message_to_sign))
-    sig_R = salt.crypto_scalarmult_ed25519_base_noclamp(r)
-    HRAM = salt.crypto_core_ed25519_scalar_reduce(
-        salt.crypto_hash_sha512(sig_R + kA + message_to_sign)
+    H_rh = sodium.crypto_hash_sha512(s.encode())[32:]
+    r = sodium.crypto_core_ed25519_scalar_reduce(
+        sodium.crypto_hash_sha512(H_rh + kA + message_to_sign)
+    )
+    sig_R = sodium.crypto_scalarmult_ed25519_base_noclamp(r)
+    HRAM = sodium.crypto_core_ed25519_scalar_reduce(
+        sodium.crypto_hash_sha512(sig_R + kA + message_to_sign)
+    )
+    sig_s = sodium.crypto_core_ed25519_scalar_add(
+        r, sodium.crypto_core_ed25519_scalar_mul(HRAM, ka)
     )
-    sig_s = salt.crypto_core_ed25519_scalar_add(r, salt.crypto_core_ed25519_scalar_mul(HRAM, ka))
     full_sig = sig_R + sig_s
 
     assert VerifyKey(kA).verify(message_to_sign, full_sig)
@@ -62,29 +68,29 @@
     # Our user A above wants to send a SOGS DM to another user B:
     s2 = SigningKey.generate()
     B = s2.verify_key.encode()
-    b = salt.crypto_sign_ed25519_sk_to_curve25519(s2.encode() + B)
+    b = sodium.crypto_sign_ed25519_sk_to_curve25519(s2.encode() + B)
 
     # with blinded keys:
-    kb = salt.crypto_core_ed25519_scalar_mul(k, b)
-    kB = salt.crypto_scalarmult_ed25519_noclamp(k, B)
+    kb = sodium.crypto_core_ed25519_scalar_mul(k, b)
+    kB = sodium.crypto_scalarmult_ed25519_noclamp(k, B)
 
     B_xpk = s2.to_curve25519_private_key().public_key.encode()
 
-    assert salt.crypto_scalarmult_ed25519_base_noclamp(kb) == kB
-    assert salt.crypto_core_ed25519_is_valid_point(kB)
+    assert sodium.crypto_scalarmult_ed25519_base_noclamp(kb) == kB
+    assert sodium.crypto_core_ed25519_is_valid_point(kB)
 
     #############################
     # Finding friends:
 
     # For example (in reality this would come directly from the known session id):
-    friend_xpk = salt.crypto_sign_ed25519_pk_to_curve25519(A)
+    friend_xpk = sodium.crypto_sign_ed25519_pk_to_curve25519(A)
 
     # From the session id (ignoring 05 prefix) we have two possible ed25519 pubkeys; the first is
     # the positive (which is what Signal's XEd25519 conversion always uses):
     pk1 = xed25519.pubkey(friend_xpk)
 
     # Blind it:
-    pk1 = salt.crypto_scalarmult_ed25519_noclamp(k, pk1)
+    pk1 = sodium.crypto_scalarmult_ed25519_noclamp(k, pk1)
 
     # For the negative, what we're going to get out of the above is simply the negative of pk1, so
     # flip the sign bit to get pk2:
@@ -102,7 +108,7 @@
     # around gives the same result as the shortcut:
     pk2_alt = xed25519.pubkey(friend_xpk)
     pk2_alt = pk2_alt[0:31] + bytes([pk2_alt[31] | 0b1000_0000])
-    pk2_alt = salt.crypto_scalarmult_ed25519_noclamp(k, pk2_alt)
+    pk2_alt = sodium.crypto_scalarmult_ed25519_noclamp(k, pk2_alt)
     assert pk2 == pk2_alt
 
     # Now, if this is really my friend, his blinded key will equal one of these blinded keys:
@@ -128,15 +134,15 @@
     # BLAKE2b(b kA || kA || kB)
     #
     enc_key = blake2b(
-        salt.crypto_scalarmult_ed25519_noclamp(a, kB) + kA + kB, digest_size=32
+        sodium.crypto_scalarmult_ed25519_noclamp(a, kB) + kA + kB, digest_size=32
     ).digest()
 
     # Inner data: msg || A   (i.e. the sender's ed25519 master pubkey, *not* kA blinded pubkey)
     plaintext = msg.encode() + A
 
     # Encrypt using xchacha20-poly1305
     nonce = random(24)
-    ciphertext = salt.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(
         plaintext, aad=None, nonce=nonce, key=enc_key
     )
 
@@ -151,7 +157,7 @@
 
     # Calculate the shared encryption key (see above)
     dec_key = blake2b(
-        salt.crypto_scalarmult_ed25519_noclamp(b, kA) + kA + kB, digest_size=32
+        sodium.crypto_scalarmult_ed25519_noclamp(b, kA) + kA + kB, digest_size=32
     ).digest()
 
     assert enc_key == dec_key
@@ -162,19 +168,21 @@
     assert v == 0x00  # Make sure our encryption version is okay
 
     # Decrypt
-    plaintext = salt.crypto_aead_xchacha20poly1305_ietf_decrypt(ct, aad=None, nonce=nc, key=dec_key)
+    plaintext = sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(
+        ct, aad=None, nonce=nc, key=dec_key
+    )
 
     assert len(plaintext) > 32
 
     # Split up: the last 32 bytes are the sender's *unblinded* ed25519 key
     message, sender_edpk = plaintext[:-32], plaintext[-32:]
 
     # Verify that the inner sender_edpk (A) yields the same outer kA we got with the message
-    assert kA == salt.crypto_scalarmult_ed25519_noclamp(k, sender_edpk)
+    assert kA == sodium.crypto_scalarmult_ed25519_noclamp(k, sender_edpk)
 
     message = message.decode()  # utf-8 bytes back to str
 
-    sender_session_id = '05' + salt.crypto_sign_ed25519_pk_to_curve25519(sender_edpk).hex()
+    sender_session_id = '05' + sodium.crypto_sign_ed25519_pk_to_curve25519(sender_edpk).hex()
 
     assert message == msg
     assert sender_edpk == A

contrib/pg-import.py

@@ -65,6 +65,7 @@
     "user_ban_futures",
     "user_request_nonces",
     "inbox",
+    "needs_blinding",
 ]
 
 with pgsql.transaction():

sogs/__main__.py

@@ -265,7 +265,7 @@ def print_room(room: Room):
 
     if args.rooms == ['+']:
         for sid in args.add_moderators:
-            u = User(session_id=sid)
+            u = User(session_id=sid, try_blinding=True)
             u.set_moderator(admin=args.admin, visible=args.visible, added_by=sysadmin)
             print(
                 "Added {} as {} global {}".format(
@@ -284,7 +284,7 @@ def print_room(room: Room):
                 print(f"No such room: '{nsr.token}'", file=sys.stderr)
 
         for sid in args.add_moderators:
-            u = User(session_id=sid)
+            u = User(session_id=sid, try_blinding=True)
             for room in rooms:
                 room.set_moderator(u, admin=args.admin, visible=not args.hidden, added_by=sysadmin)
                 print(
@@ -315,7 +315,7 @@ def print_room(room: Room):
 
     if args.rooms == ['+']:
         for sid in args.delete_moderators:
-            u = User(session_id=sid)
+            u = User(session_id=sid, try_blinding=True)
             was_admin = u.global_admin
             if not u.global_admin and not u.global_moderator:
                 print(f"{u.session_id} was not a global moderator")
@@ -332,7 +332,7 @@ def print_room(room: Room):
                 print(f"No such room: '{nsr.token}'", file=sys.stderr)
 
         for sid in args.delete_moderators:
-            u = User(session_id=sid)
+            u = User(session_id=sid, try_blinding=True)
             for room in rooms:
                 room.remove_moderator(u, removed_by=sysadmin)
                 print(f"Removed {u.session_id} as moderator/admin of {room.name} ({room.token})")

sogs/crypto.py

@@ -6,16 +6,14 @@
 from nacl.public import PrivateKey
 from nacl.signing import SigningKey, VerifyKey
 from nacl.encoding import Base64Encoder, HexEncoder
-from nacl.bindings import crypto_scalarmult
+import nacl.bindings as sodium
 
 
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
 
-from .utils import decode_hex_or_b64
 from .hashing import blake2b
 
-import binascii
 import secrets
 import hmac
 import functools
@@ -93,15 +91,63 @@ def server_encrypt(pk, data):
 xed25519_verify = pyonionreq.xed25519.verify
 xed25519_pubkey = pyonionreq.xed25519.pubkey
 
+# AKA "k" for blinding crypto:
+blinding_factor = sodium.crypto_core_ed25519_scalar_reduce(
+    blake2b(server_pubkey_bytes, digest_size=64)
+)
+
 
 @functools.lru_cache(maxsize=1024)
-def compute_derived_key_bytes(pk_bytes):
-    """compute derived key as bytes with no prefix"""
-    return crypto_scalarmult(server_pubkey_hash_bytes, pk_bytes)
+def compute_blinded_abs_key(x_pk: bytes, *, k: bytes = blinding_factor):
+    """
+    Computes the *positive* blinded Ed25519 pubkey from an unprefixed session X25519 pubkey (i.e. 32
+    bytes).  The returned value will always have the sign bit (i.e. the most significant bit of the
+    last byte) set to 0; the actual derived key associated with this session id could have either
+    sign.
+
+    Input and result are in bytes, without the 0x05 or 0x15 prefix.
+
+    k allows you to compute for an alternative blinding factor, but should normally be omitted.
+    """
+    A = xed25519_pubkey(x_pk)
+    kA = sodium.crypto_scalarmult_ed25519_noclamp(k, A)
 
+    if kA[31] & 0x80:
+        return kA[0:31] + bytes([kA[31] & 0x7F])
+    return kA
+
+
+def compute_blinded_abs_id(session_id: str, *, k: bytes = blinding_factor):
+    """
+    Computes the *positive* blinded id, as hex, from a prefixed, hex session id.  This function is a
+    wrapper around compute_derived_key_bytes that handles prefixes and hex conversions.
+
+    k allows you to compute for an alternative blinding factor, but should normally be omitted.
+    """
+    return '15' + compute_blinded_abs_key(bytes.fromhex(session_id[2:]), k=k).hex()
+
+
+def blinded_abs(blinded_id: str):
+    """
+    Takes a blinded hex pubkey (i.e. length 66, prefixed with 15) and returns the positive pubkey
+    alternative: that is, if the pubkey is already positive, it is returned as-is; otherwise the
+    returned value is a copy with the sign bit cleared.
+    """
+
+    # Sign bit is the MSB of the last byte, which will be at [31] of the private key, hence 64 is
+    # the most significant nibble once we convert to hex and add 2 for the prefix:
+    msn = int(blinded_id[64], 16)
+    if msn & 0x8:
+        return blinded_id[0:64] + str(msn & 0x7) + blinded_id[65:]
+    return blinded_id
+
+
+def blinded_neg(blinded_id: str):
+    """
+    Counterpart to blinded_abs that always returns the *negative* pubkey alternative.
+    """
 
-def compute_derived_id(session_id, prefix='15'):
-    """compute derived session"""
-    return prefix + binascii.hexlify(
-        compute_derived_key_bytes(decode_hex_or_b64(session_id[2:], 32))
-    ).decode('ascii')
+    msn = int(blinded_id[64], 16)
+    if msn & 0x8:
+        return blinded_id
+    return blinded_id[0:64] + f"{msn | 0x8:x}" + blinded_id[65:]

sogs/db.py

@@ -174,6 +174,8 @@ def database_init(create=None, upgrade=True):
     # Make sure the system admin users exists
     create_admin_user(conn)
 
+    check_needs_blinding(conn)
+
     return created or migrated
 
 
@@ -195,6 +197,36 @@ def create_admin_user(dbconn):
     )
 
 
+def check_needs_blinding(dbconn):
+    if not config.REQUIRE_BLIND_KEYS:
+        return
+
+    with transaction(dbconn):
+        for uid, sid in query(
+            """
+            SELECT id, session_id FROM users WHERE id IN (
+                SELECT "user" FROM user_permission_overrides
+                UNION
+                SELECT "user" FROM user_permission_futures
+                UNION
+                SELECT "user" FROM user_ban_futures
+                UNION
+                SELECT id FROM users WHERE session_id LIKE '05%' AND (admin OR moderator OR banned)
+                EXCEPT
+                SELECT "user" FROM needs_blinding
+            )
+            """,
+            dbconn=dbconn,
+        ):
+            pos_derived = crypto.compute_blinded_abs_id(sid)
+            query(
+                'INSERT INTO needs_blinding (blinded_abs, "user") VALUES (:blinded, :uid)',
+                blinded=pos_derived,
+                uid=uid,
+                dbconn=dbconn,
+            )
+
+
 engine, engine_initial_pid, metadata = None, None, None