merge

missing pgp part

door/addtoken.lua

@@ -49,6 +49,18 @@ if name == "" then
     end
     token = set_prefix(prefix,token)
 
+    while true do
+        io.stdout:write("enter gpg id: [] ")
+        gpg_id = io.stdin:read()
+        if prefix == "" then
+            break
+        end
+        if os.execute("gpg --batch --recv-keys "..gpg_id) == 0 then
+            break
+        end
+    end
+
+
     if 0 ~= con:execute("select ttl from tokens where token='"..token.."';"):numrows() then
       print(token)
       print "ERROR - token already exists .. please try again."
@@ -66,6 +78,16 @@ if name == "" then
     print "* add token:"
     print(token)
     print("* prefix to remember: "..prefix)
+        while true do
+        io.stdout:write("enter gpg id: [] ")
+        gpg_id = io.stdin:read()
+        if prefix == "" then
+            break
+        end
+        if os.execute("gpg --batch --recv-keys "..gpg_id) == 0 then
+            break
+        end
+    end
 end
 
 exit(env,con)

door/config.lua

@@ -3,6 +3,7 @@
 config = {
   ['db'] = "cricket",
   ['prefix_len'] = 4,
+  ['check_len'] = 8,                -- size of bytes to use as unique identifier
   ['open_cmd'] = "ssh root@fe80::218:84ff:fe1d:3fbc%eth0 door &",
   ['key_len'] = 164,				-- key_len/8*6 must be an integer!!!1!
   ['ttl'] = 60 * 60 * 24 * 7 * 8,	-- s m h d w factor Time To Life (while alive)

door/createdb.lua

@@ -10,9 +10,9 @@ len = config.key_len
 env = luasql.postgres()
 con = env:connect(config.db)
 
-assert(con:execute("create table tokens ( prefix char("..pl..") primary key, token char("..len..") unique not null, ttl int );")) -- ttl - time to live
-assert(con:execute("create table graveyard ( prefix char("..pl..") primary key, token char("..len..") unique not null, ttrd int );")) -- ttrd - time to real death
-assert(con:execute("create table users ( name text primary key, ntc int );")) -- ntc - new token count
+assert(con:execute("create table tokens ( prefix char("..pl..") primary key, token char("..len..") unique not null, ttl int, gpg_id char(15) null);")) -- ttl - time to live
+assert(con:execute("create table graveyard ( prefix char("..pl..") primary key, token char("..len..") unique not null, ttrd int, gpg_id char(15) null);")) -- ttrd - time to real death
+assert(con:execute("create table users ( name text primary key, ntc int);")) -- ntc - new token count
 assert(con:execute("create table lock (death int, host text);"))
 
 con:close()

door/helper.lua

@@ -17,3 +17,21 @@ function rows(con, stmt)
   end
 end
 
+function is_bruteforce(con)
+  if not os.getenv('REMOTE_ADDR') then
+     return false
+  end
+  now = os.time()
+  host = md5.sumhexa(os.getenv('REMOTE_ADDR'))
+  clean = "delete from lock where death<" .. now .. ";"
+  check = "select count(*) from lock where host='" .. host .. "';"
+  rn = tonumber(con:execute(clean .. check):fetch())
+
+  if rn < config.lock then
+    con:execute("insert into lock (death, host) values(" .. (now + config.lock_time) .. ", '".. host .."');")
+    return false
+  else
+    return true
+  end
+end
+

door/open.lua

@@ -13,21 +13,6 @@ function fail(msg)
     print("Error: " .. msg)
 end
 
-function is_bruteforce(con)
-  now = os.time()
-  host = md5.sumhexa(os.getenv('REMOTE_ADDR'))
-  clean = "delete from lock where death<" .. now .. ";"
-  check = "select count(*) from lock where host='" .. host .. "';"
-  rn = tonumber(con:execute(clean .. check):fetch())
-
-  if rn < config.lock then
-    con:execute("insert into lock (death, host) values(" .. (now + config.lock_time) .. ", '".. host .."');")
-    return false
-  else
-    return true
-  end
-end
-
 print "Content-Type: text/plain"
 
 token = os.getenv("QUERY_STRING")

door/token.lua

@@ -5,21 +5,35 @@ require 'config'
 require 'base64'
 local base64 = enc
 
-function generate_token() -- generates a new token (the next)
+function generate_token(old) -- generates a new token (the next)
   local len = config.key_len / 8 * 6
   local f = io.open("/dev/urandom","r")
-  local r = f:read(len)
-  return base64(r)
+  while true do
+    local r = f:read(len)
+    new = base64(r)
+    if old then
+      if string.sub(new, 0, config.check_len) ~= string.sub(old, 0, config.check_len) then
+        break
+      end
+    else
+      break
+    end
+  end
+  return new
 end
 
-function add_token(con, token) -- add token to the database
+function add_token(con, token, gpg_id) -- add token to the database
   local now = os.time()
   math.randomseed(now)
   local prefix = token:sub(1, config.prefix_len)
+  if not gpg_id then
+    gpg_id = con:execute("select trim(gpg_id) from tokens where prefix='"..prefix.."';"):fetch() 
+  end
+
   local ttl = now + config.ttl + math.floor(math.random() * config.ruttl)
   local update = "delete from tokens where prefix='"..prefix.."';"
-  local insert = "insert into tokens (prefix, token, ttl) values ('"..prefix.."', '"..token.."', "..ttl..");"
-  local gravedigger = "insert into graveyard (prefix, token, ttrd) select prefix, token, ttl+"..config.ttrd.." from tokens where ttl<"..now..";"
+  local insert = "insert into tokens (prefix, token, ttl, gpg_id) values ('"..prefix.."', '"..token.."', "..ttl..", '"..gpg_id.."');"
+  local gravedigger = "insert into graveyard (prefix, token, ttrd, gpg_id) select prefix, token, ttl+"..config.ttrd..",gpg_id from tokens where ttl<"..now..";"
   local clean = "delete from tokens where ttl<"..now..";"
   local dig = "delete from graveyard where ttrd<"..now..";"
   con:execute(gravedigger .. clean .. dig .. update .. insert .. update .. insert)
@@ -34,8 +48,108 @@ function check_token(con, token) -- checks if the token is valid
   return result
 end
 
-function set_prefix(old, new) -- sets the prefix from the old token on the new token
+function set_prefix(old, new) -- sets the prefix from the old token to the new token
   local prefix = old:sub(1, config.prefix_len)
   return prefix .. new:sub(config.prefix_len+1)
 end
 
+function get_pgp_key(prefix)
+  local pgp_id = con:execute("select gpg_id from tokens where prefix='"..prefix.."';"):fetch() 
+  return pgp_id
+end
+
+function encrypt_key(prefix)
+  if prefix:len() ~= config.prefix_len then
+    return false
+  end
+  local token, pgp_id = con:execute("select token, gpg_id from tokens where prefix='"..prefix.."';"):fetch() 
+
+  if not pgp_id or not token then
+    return false, "No pgp key"
+  end
+
+  local out = ""
+  local fp = io.popen("echo -n "..token.." | gpg --batch --logger-file /dev/null -a -e --recipient "..pgp_id.."", "r")
+  while true do
+    msg = fp:read()
+    if not msg then
+      break
+    end
+    out = out.."\n"..msg
+  end
+  if out == "" then
+    return false, "Could not build pgp msg"
+  end
+  return string.sub(token, 0, config.check_len).."\n"..out
+end
+
+function set_pgp(prefix, gpg_id) -- add token to the database
+  if not gpg_id then
+    gpg_id = ""
+  end
+  local update = "update tokens set gpg_id='"..gpg_id.."' where prefix='"..prefix.."';"
+  con:execute(update)
+end
+
+function ask_pgp(prefix, gpg_id) -- add token to the database
+    if prefix == "" then
+        return
+    end
+
+    local buffer = ""
+    while true do
+        if string.len(buffer) == 0 then
+            io.stdout:write("enter gpg id or key: [] ")
+        end
+        gpg_id = io.stdin:read()
+        if string.len(gpg_id) == 0 and string.len(buffer) == 0 then
+            return false
+        end
+        if string.len(gpg_id) == 8 then
+            if os.execute("gpg --batch --recv-keys "..gpg_id) == 0 then
+                return gpg_id
+            -- test if already in db
+            elseif os.execute("gpg --batch --list-sigs "..gpg_id) == 0 then
+                return gpg_id
+            end
+        else
+            buffer = buffer.."\n"..gpg_id
+            if gpg_id == "-----END PGP PUBLIC KEY BLOCK-----" then
+                local tmp_name = os.tmpname()
+                fp = io.open(tmp_name, "w")
+                fp:write(buffer)
+                io.close(fp)
+                local fp, err = io.popen("gpg --import "..tmp_name.." 2>&1")
+                local out = fp:read()
+                for x in string.gmatch(out, "gpg: key (%w+): ") do
+                    print("Found key: "..x)
+                    gpg_id = x
+                    os.remove(tmp_name)
+                    return gpg_id
+                end
+                os.remove(tmp_name)
+            end
+        end
+    end
+end
+
+function display_pgp(pgp_id)
+    os.execute("gpg --list-sigs "..pgp_id)
+end
+
+function trust_pgp(pgp_id)
+    os.execute("gpg --edit-key "..pgp_id.." trust save")
+end
+
+function edit_pgp(prefix)
+    new_id = ask_pgp()
+    if new_id then
+        set_pgp(prefix, new_id)
+        print("set to new id: "..new_id)
+    else
+        new_id = get_pgp_key(prefix)
+    end
+    display_pgp(new_id)
+    trust_pgp(new_id)
+end
+

www/index.html

@@ -7,6 +7,7 @@
 		<form action="open" method="get"><textarea name="t" cols="41" rows="4" wrap="soft"></textarea><br/>
 		<input type="submit" value="Open Door Please!"></form><br/>
 		Or use the <a href="opendoor">script</a>!<br/><br/>
+        <a href="recover.html">Recover your key</a><br/><br/>
 		<small>Powered by<br/><img width="80" height="121" src="./mole_people.jpg" alt="Mole People" border="0"/>
 	</body>
 </html>

www/opendoor

@@ -4,11 +4,23 @@ echo "* try to open tronlab's moleflap"
 HOST='moleflap.hq.c3d2.de'
 STORE=~/.moletoken.c3d2
 WLAN_NAME="<<</>>"
+PREFIX_LEN=4
+
+# END CONFIG
+PORT=8888
+STORE_ENC="$STORE.enc"
+STORE_TMP="$STORE.tmp"
+
+FORCE_PGP=0
+WGET="wget"
 
 checkhost() {
 	# checks if host is reachable. returns 0 on success
 	ping6 -c 1 $HOST >/dev/null 2>/dev/null
-	if [ $? -eq 0 ]; then return 0; fi
+	if [ $? -eq 0 ]; then 
+        WGET="wget --prefer-family=IPv6"
+        return 0; 
+    fi
 	ping -c 1 $HOST >/dev/null 2>/dev/null
 	if [ $? -eq 0 ]; then return 0; fi
 	return 1;
@@ -33,6 +45,49 @@ n800() {
         done;
 }
 
+PREFIX=""
+prefix() {
+    if [ -e $STORE ]; then
+        PREFIX=`cat $STORE | cut -c1-$PREFIX_LEN`
+    fi
+    if [ "$PREFIX" = "" ]; then
+    	echo "Please enter your prefix:"
+    	read PREFIX
+    fi
+}
+
+do_pgp() {
+	# do pgp handling
+
+    prefix
+
+    if [ "$PREFIX" = "" ]; then
+        return 1
+    else
+        $WGET -qO $STORE_ENC http://$HOST:$PORT/recover?$PREFIX
+        # download failed
+        if [ $? != 0 ]; then
+            return 2
+        fi
+        CSUM=`head -n 1 $STORE_ENC`
+        OSUM=`cat $STORE | cut -c1-${#CSUM}`
+        if [ "x$CSUM" != "x$OSUM" ] || [ $FORCE_PGP != 0 ]; then
+            rm -f $STORE_TMP
+            tail -n +3 $STORE_ENC | gpg --decrypt --output $STORE_TMP
+            if [ $? = 0 ]; then
+                mv $STORE_TMP $STORE
+                NSUM=`cat $STORE | cut -c1-${#CSUM}`
+                return 0
+            else
+                return 3
+            fi
+        fi
+        return 0
+    fi
+
+}
+
+
 usage()
 {
 cat << EOF
@@ -40,6 +95,7 @@ usage: $0 options
 
 try to open tronlab's moleflap
 
+   --force-pgp force pgp decrypt
    --n800      nokia n8xx/n9xx connect mode
    --help      help
 EOF
@@ -49,23 +105,13 @@ exit
 # Process command line arguments
 for i in $@; do
         case "$i" in
+                "--force-pgp") FORCE_PGP=1;;
                 "--n800" ) CONNECT=n800;;
                 "--help" ) usage;;
                 * ) echo "Error!"; usage;;
         esac
 done
 
-
-if [ -e $STORE ]
-then
-	token=`cat $STORE`
-else
-	echo "Please enter your valid token:"
-	read token
-	# save new token first
-        echo "$token" > $STORE
-fi
-
 # test for connection
 checkhost
 if [ "$?" -eq "1" ]
@@ -78,7 +124,24 @@ then
 	fi
 fi
 
-newtoken=`wget -qO - http://$HOST/open?$token`
+
+do_pgp
+if [[ $? -gt 2 ]]; then
+    echo "fatal error"
+    exit
+fi 
+
+if [ -e $STORE ]
+then
+	token=`cat $STORE`
+else
+	echo "Please enter your valid token:"
+	read token
+	# save new token first
+    echo "$token" > $STORE
+fi
+
+newtoken=`$WGET -qO - http://$HOST:$PORT/open?$token`
 
 if [ "$?" -eq "0" ]
 then