mirror of https://github.com/Chocobozzz/PeerTube
Server: remove encryption when seending requests to other pods
We don't need it anymore since HTTPS is mandatory nowpull/24/head
parent
bf57d5eebf
commit
38d78e5b82
|
@ -15,9 +15,7 @@ const Video = mongoose.model('Video')
|
|||
|
||||
router.post('/videos',
|
||||
validators.signature,
|
||||
validators.dataToDecrypt,
|
||||
secureMiddleware.checkSignature,
|
||||
secureMiddleware.decryptBody,
|
||||
validators.remoteVideos,
|
||||
remoteVideos
|
||||
)
|
||||
|
|
|
@ -16,8 +16,6 @@ const peertubeCrypto = {
|
|||
comparePassword,
|
||||
createCertsIfNotExist,
|
||||
cryptPassword,
|
||||
decrypt,
|
||||
encrypt,
|
||||
sign
|
||||
}
|
||||
|
||||
|
@ -57,34 +55,6 @@ function cryptPassword (password, callback) {
|
|||
})
|
||||
}
|
||||
|
||||
function decrypt (key, data, callback) {
|
||||
fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) {
|
||||
if (err) return callback(err)
|
||||
|
||||
const myPrivateKey = ursa.createPrivateKey(file)
|
||||
const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8')
|
||||
const decryptedData = symetricDecrypt(data, decryptedKey)
|
||||
|
||||
return callback(null, decryptedData)
|
||||
})
|
||||
}
|
||||
|
||||
function encrypt (publicKey, data, callback) {
|
||||
const crt = ursa.createPublicKey(publicKey)
|
||||
|
||||
symetricEncrypt(data, function (err, dataEncrypted) {
|
||||
if (err) return callback(err)
|
||||
|
||||
const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex')
|
||||
const encrypted = {
|
||||
data: dataEncrypted.crypted,
|
||||
key: key
|
||||
}
|
||||
|
||||
callback(null, encrypted)
|
||||
})
|
||||
}
|
||||
|
||||
function sign (data) {
|
||||
const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))
|
||||
const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')
|
||||
|
@ -151,21 +121,3 @@ function generatePassword (callback) {
|
|||
callback(null, buf.toString('utf8'))
|
||||
})
|
||||
}
|
||||
|
||||
function symetricDecrypt (text, password) {
|
||||
const decipher = crypto.createDecipher(algorithm, password)
|
||||
let dec = decipher.update(text, 'hex', 'utf8')
|
||||
dec += decipher.final('utf8')
|
||||
return dec
|
||||
}
|
||||
|
||||
function symetricEncrypt (text, callback) {
|
||||
generatePassword(function (err, password) {
|
||||
if (err) return callback(err)
|
||||
|
||||
const cipher = crypto.createCipher(algorithm, password)
|
||||
let crypted = cipher.update(text, 'utf8', 'hex')
|
||||
crypted += cipher.final('hex')
|
||||
callback(null, { crypted: crypted, password: password })
|
||||
})
|
||||
}
|
||||
|
|
|
@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) {
|
|||
|
||||
// If there are data informations
|
||||
if (params.data) {
|
||||
// Encrypt data
|
||||
if (params.encrypt === true) {
|
||||
peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) {
|
||||
if (err) return callback(err)
|
||||
|
||||
requestParams.json.data = encrypted.data
|
||||
requestParams.json.key = encrypted.key
|
||||
|
||||
request.post(requestParams, callback)
|
||||
})
|
||||
} else {
|
||||
// No encryption
|
||||
requestParams.json.data = params.data
|
||||
request.post(requestParams, callback)
|
||||
}
|
||||
requestParams.json.data = params.data
|
||||
request.post(requestParams, callback)
|
||||
} else {
|
||||
// No data
|
||||
request.post(requestParams, callback)
|
||||
|
|
|
@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
|
|||
const Pod = mongoose.model('Pod')
|
||||
|
||||
const secureMiddleware = {
|
||||
checkSignature,
|
||||
decryptBody
|
||||
checkSignature
|
||||
}
|
||||
|
||||
function checkSignature (req, res, next) {
|
||||
const host = req.body.signature.host
|
||||
Pod.loadByHost(host, function (err, pod) {
|
||||
if (err) {
|
||||
logger.error('Cannot get signed host in decryptBody.', { error: err })
|
||||
logger.error('Cannot get signed host in body.', { error: err })
|
||||
return res.sendStatus(500)
|
||||
}
|
||||
|
||||
|
@ -24,7 +23,7 @@ function checkSignature (req, res, next) {
|
|||
return res.sendStatus(403)
|
||||
}
|
||||
|
||||
logger.debug('Decrypting body from %s.', host)
|
||||
logger.debug('Checking signature from %s.', host)
|
||||
|
||||
const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)
|
||||
|
||||
|
@ -32,30 +31,11 @@ function checkSignature (req, res, next) {
|
|||
return next()
|
||||
}
|
||||
|
||||
logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host)
|
||||
logger.error('Signature is not okay in body for %s.', req.body.signature.host)
|
||||
return res.sendStatus(403)
|
||||
})
|
||||
}
|
||||
|
||||
function decryptBody (req, res, next) {
|
||||
peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
|
||||
if (err) {
|
||||
logger.error('Cannot decrypt data.', { error: err })
|
||||
return res.sendStatus(500)
|
||||
}
|
||||
|
||||
try {
|
||||
req.body.data = JSON.parse(decrypted)
|
||||
delete req.body.key
|
||||
} catch (err) {
|
||||
logger.error('Error in JSON.parse', { error: err })
|
||||
return res.sendStatus(500)
|
||||
}
|
||||
|
||||
next()
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
module.exports = secureMiddleware
|
||||
|
|
|
@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors
|
|||
const logger = require('../../helpers/logger')
|
||||
|
||||
const validatorsRemote = {
|
||||
dataToDecrypt,
|
||||
remoteVideos,
|
||||
signature
|
||||
}
|
||||
|
||||
function dataToDecrypt (req, res, next) {
|
||||
req.checkBody('key', 'Should have a key').notEmpty()
|
||||
req.checkBody('data', 'Should have data').notEmpty()
|
||||
|
||||
logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } })
|
||||
|
||||
checkErrors(req, res, next)
|
||||
}
|
||||
|
||||
function remoteVideos (req, res, next) {
|
||||
req.checkBody('data').isEachRemoteVideosValid()
|
||||
|
||||
|
|
|
@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) {
|
|||
|
||||
const params = {
|
||||
toPod: toPod,
|
||||
encrypt: true, // Security
|
||||
sign: true, // To prove our identity
|
||||
sign: true, // Prove our identity
|
||||
method: 'POST',
|
||||
path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,
|
||||
data: requestsToMake // Requests we need to make
|
||||
|
|
Loading…
Reference in New Issue