From 38d78e5b82a30d1318e3cc2532b7ea22b8e163fa Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Sun, 27 Nov 2016 18:25:35 +0100 Subject: [PATCH] Server: remove encryption when seending requests to other pods We don't need it anymore since HTTPS is mandatory now --- server/controllers/api/remote.js | 2 -- server/helpers/peertube-crypto.js | 48 ------------------------- server/helpers/requests.js | 17 ++------- server/middlewares/secure.js | 28 +++------------ server/middlewares/validators/remote.js | 10 ------ server/models/request.js | 3 +- 6 files changed, 7 insertions(+), 101 deletions(-) diff --git a/server/controllers/api/remote.js b/server/controllers/api/remote.js index 35f386ba6..f1046c534 100644 --- a/server/controllers/api/remote.js +++ b/server/controllers/api/remote.js @@ -15,9 +15,7 @@ const Video = mongoose.model('Video') router.post('/videos', validators.signature, - validators.dataToDecrypt, secureMiddleware.checkSignature, - secureMiddleware.decryptBody, validators.remoteVideos, remoteVideos ) diff --git a/server/helpers/peertube-crypto.js b/server/helpers/peertube-crypto.js index 1ff638b04..2e07df00e 100644 --- a/server/helpers/peertube-crypto.js +++ b/server/helpers/peertube-crypto.js @@ -16,8 +16,6 @@ const peertubeCrypto = { comparePassword, createCertsIfNotExist, cryptPassword, - decrypt, - encrypt, sign } @@ -57,34 +55,6 @@ function cryptPassword (password, callback) { }) } -function decrypt (key, data, callback) { - fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) { - if (err) return callback(err) - - const myPrivateKey = ursa.createPrivateKey(file) - const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8') - const decryptedData = symetricDecrypt(data, decryptedKey) - - return callback(null, decryptedData) - }) -} - -function encrypt (publicKey, data, callback) { - const crt = ursa.createPublicKey(publicKey) - - symetricEncrypt(data, function (err, dataEncrypted) { - if (err) return callback(err) - - const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex') - const encrypted = { - data: dataEncrypted.crypted, - key: key - } - - callback(null, encrypted) - }) -} - function sign (data) { const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem')) const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex') @@ -151,21 +121,3 @@ function generatePassword (callback) { callback(null, buf.toString('utf8')) }) } - -function symetricDecrypt (text, password) { - const decipher = crypto.createDecipher(algorithm, password) - let dec = decipher.update(text, 'hex', 'utf8') - dec += decipher.final('utf8') - return dec -} - -function symetricEncrypt (text, callback) { - generatePassword(function (err, password) { - if (err) return callback(err) - - const cipher = crypto.createCipher(algorithm, password) - let crypted = cipher.update(text, 'utf8', 'hex') - crypted += cipher.final('hex') - callback(null, { crypted: crypted, password: password }) - }) -} diff --git a/server/helpers/requests.js b/server/helpers/requests.js index 06109ce16..b0cda09fe 100644 --- a/server/helpers/requests.js +++ b/server/helpers/requests.js @@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) { // If there are data informations if (params.data) { - // Encrypt data - if (params.encrypt === true) { - peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) { - if (err) return callback(err) - - requestParams.json.data = encrypted.data - requestParams.json.key = encrypted.key - - request.post(requestParams, callback) - }) - } else { - // No encryption - requestParams.json.data = params.data - request.post(requestParams, callback) - } + requestParams.json.data = params.data + request.post(requestParams, callback) } else { // No data request.post(requestParams, callback) diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js index fd5bc51d6..ee836beed 100644 --- a/server/middlewares/secure.js +++ b/server/middlewares/secure.js @@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto') const Pod = mongoose.model('Pod') const secureMiddleware = { - checkSignature, - decryptBody + checkSignature } function checkSignature (req, res, next) { const host = req.body.signature.host Pod.loadByHost(host, function (err, pod) { if (err) { - logger.error('Cannot get signed host in decryptBody.', { error: err }) + logger.error('Cannot get signed host in body.', { error: err }) return res.sendStatus(500) } @@ -24,7 +23,7 @@ function checkSignature (req, res, next) { return res.sendStatus(403) } - logger.debug('Decrypting body from %s.', host) + logger.debug('Checking signature from %s.', host) const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature) @@ -32,30 +31,11 @@ function checkSignature (req, res, next) { return next() } - logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host) + logger.error('Signature is not okay in body for %s.', req.body.signature.host) return res.sendStatus(403) }) } -function decryptBody (req, res, next) { - peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) { - if (err) { - logger.error('Cannot decrypt data.', { error: err }) - return res.sendStatus(500) - } - - try { - req.body.data = JSON.parse(decrypted) - delete req.body.key - } catch (err) { - logger.error('Error in JSON.parse', { error: err }) - return res.sendStatus(500) - } - - next() - }) -} - // --------------------------------------------------------------------------- module.exports = secureMiddleware diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js index c6455e678..858d193cc 100644 --- a/server/middlewares/validators/remote.js +++ b/server/middlewares/validators/remote.js @@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors const logger = require('../../helpers/logger') const validatorsRemote = { - dataToDecrypt, remoteVideos, signature } -function dataToDecrypt (req, res, next) { - req.checkBody('key', 'Should have a key').notEmpty() - req.checkBody('data', 'Should have data').notEmpty() - - logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } }) - - checkErrors(req, res, next) -} - function remoteVideos (req, res, next) { req.checkBody('data').isEachRemoteVideosValid() diff --git a/server/models/request.js b/server/models/request.js index 59bf440fe..c2cfe83ce 100644 --- a/server/models/request.js +++ b/server/models/request.js @@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) { const params = { toPod: toPod, - encrypt: true, // Security - sign: true, // To prove our identity + sign: true, // Prove our identity method: 'POST', path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint, data: requestsToMake // Requests we need to make -- 2.41.0