From e37aab492b4862abc01e3404f57a759560776d99 Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 10 Apr 2018 15:10:28 +0200
Subject: [PATCH] Validate messages not coming from history-keeper
---
 www/common/outer/async-store.js | 8 ++++++--
 www/common/outer/chainpad-netflux-worker.js | 2 +-
 www/common/sframe-chainpad-netflux-outer.js | 13 +++++++++----
 www/common/sframe-common-outer.js | 4 +++-
 4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/www/common/outer/async-store.js b/www/common/outer/async-store.js
index e7cc7be9f..f3f1e1450 100644
--- a/www/common/outer/async-store.js
+++ b/www/common/outer/async-store.js
@@ -918,8 +918,12 @@ define([
 channel.data = padData || {};
 postMessage("PAD_READY");
 }, // post EV_PAD_READY
- onMessage: function (m) {
- postMessage("PAD_MESSAGE", m);
+ onMessage: function (user, m, validateKey) {
+ postMessage("PAD_MESSAGE", {
+ user: user,
+ msg: m,
+ validateKey: validateKey
+ });
 }, // post EV_PAD_MESSAGE
 onJoin: function (m) {
 postMessage("PAD_JOIN", m);
diff --git a/www/common/outer/chainpad-netflux-worker.js b/www/common/outer/chainpad-netflux-worker.js
index adb6242de..40601a6c5 100644
--- a/www/common/outer/chainpad-netflux-worker.js
+++ b/www/common/outer/chainpad-netflux-worker.js
@@ -130,7 +130,7 @@ define([], function () {
 message = unBencode(message);//.slice(message.indexOf(':[') + 1);
 // pass the message into Chainpad
- onMessage(message);
+ onMessage(peer, message, validateKey);
 //sframeChan.query('Q_RT_MESSAGE', message, function () { });
 };
diff --git a/www/common/sframe-chainpad-netflux-outer.js b/www/common/sframe-chainpad-netflux-outer.js
index 2d592b65d..b6cc29539 100644
--- a/www/common/sframe-chainpad-netflux-outer.js
+++ b/www/common/sframe-chainpad-netflux-outer.js
@@ -39,9 +39,11 @@ define([], function () {
 });
 // shim between chainpad and netflux
- var msgIn = function (msg) {
+ var msgIn = function (peer, msg) {
 try {
- var decryptedMsg = Crypto.decrypt(msg, isNewHash);
+ var isHk = peer.length !== 32;
+ var key = isNewHash ? validateKey : false;
+ var decryptedMsg = Crypto.decrypt(msg, key, isHk);
 return decryptedMsg;
 } catch (err) {
 console.error(err);
@@ -67,8 +69,11 @@ define([], function () {
 padRpc.sendPadMsg(msg, cb);
 });
- var onMessage = function(msg) {
- var message = msgIn(msg);
+ var onMessage = function(msgObj) {
+ if (msgObj.validateKey && !validateKey) {
+ validateKey = msgObj.validateKey;
+ }
+ var message = msgIn(msgObj.user, msgObj.msg);
 verbose(message);
diff --git a/www/common/sframe-common-outer.js b/www/common/sframe-common-outer.js
index a949f8265..c4f18bd09 100644
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@@ -325,7 +325,9 @@ define([
 validateKey: secret.keys.validateKey
 }, function (encryptedMsgs) {
 cb(encryptedMsgs.map(function (msg) {
- return crypto.decrypt(msg, true);
+ // The 3rd parameter "true" means we're going to skip signature validation.
+ // We don't need it since the message is already validated serverside by hk
+ return crypto.decrypt(msg, true, true);
 }));
 });
 });
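Review bot: In `msgIn` (sframe-chainpad-netflux-outer.js, first hunk), `var isHk = peer.length !== 32;` classifies every sender whose id is not exactly 32 characters as the history keeper, so the decision to skip validation fails open. Going by the comment added in sframe-common-outer.js, the third argument to decrypt disables the signature check; a sender id of any other length would therefore be accepted unverified. A missing id would throw into the `catch`, whose return value lies outside the hunk. Deciding by equality with the history keeper's known id, and validating by default when `peer` is not a string, would fail closed. The bare `32` also needs a comment, for example `// sender ids of regular peers are assumed to be 32 chars; anything else is treated as the history keeper`.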
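Review bot: In `onMessage` (sframe-chainpad-netflux-outer.js, second hunk), `validateKey` is only latched from the first `msgObj.validateKey` that arrives, so a peer message handled before that point reaches `msgIn` with whatever `validateKey` held initially; its declaration is outside the hunk. What `Crypto.decrypt` does with an unset key is not visible here, but `msgIn` already passes `false` for old hashes, which suggests a falsy key means "no validation". If so, early messages on a new-hash pad would bypass the check this commit introduces. Consider rejecting or deferring messages from non-history-keeper senders while `isNewHash` is set and the key is still unknown, and add a comment stating that the key is set once and never replaced.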
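Review bot: In sframe-common-outer.js, `crypto.decrypt(msg, true, true)` still passes the literal `true` in the second position, where the `msgIn` call in sframe-chainpad-netflux-outer.js now passes the validate key or `false`. Assuming both go through the same decrypt API, this call is only safe because the third argument disables the check. `secret.keys.validateKey` is already used in the context lines just above, so `return crypto.decrypt(msg, secret.keys.validateKey, true);` would keep the call correct if the skip flag is ever removed. The added comment should also state that the integrity of history messages then rests entirely on the server-side check, since nothing is verified in the client on this path.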