Server: remove encryption when seending requests to other pods

We don't need it anymore since HTTPS is mandatory now
author: Chocobozzz <florian.bigard@gmail.com> 2016-11-27 18:25:35 +0100
committer: Chocobozzz <florian.bigard@gmail.com> 2016-11-27 18:25:35 +0100
commit: 38d78e5b82a30d1318e3cc2532b7ea22b8e163fa (patch)
tree: 3c4cdab683caf1e30c6e76ba78efeb0431fec932 /server
parent: bf57d5eebf8b0fa2361b7973ce9772abd1bb4828 (diff)
download: PeerTube-38d78e5b82a30d1318e3cc2532b7ea22b8e163fa.tar.gz
PeerTube-38d78e5b82a30d1318e3cc2532b7ea22b8e163fa.tar.zst
PeerTube-38d78e5b82a30d1318e3cc2532b7ea22b8e163fa.zip
6 files changed, 7 insertions, 101 deletions
diff --git a/server/controllers/api/remote.js b/server/controllers/api/remote.js
index 35f386ba6..f1046c534 100644
--- a/server/controllers/api/remote.js
+++ b/server/controllers/api/remote.js
@@ -15,9 +15,7 @@ const Video = mongoose.model('Video')
 router.post('/videos',
  validators.signature,
-  validators.dataToDecrypt,
  secureMiddleware.checkSignature,
-  secureMiddleware.decryptBody,
  validators.remoteVideos,
  remoteVideos
 )
diff --git a/server/helpers/peertube-crypto.js b/server/helpers/peertube-crypto.js
index 1ff638b04..2e07df00e 100644
--- a/server/helpers/peertube-crypto.js
+++ b/server/helpers/peertube-crypto.js
@@ -16,8 +16,6 @@ const peertubeCrypto = {
  comparePassword,
  createCertsIfNotExist,
  cryptPassword,
-  decrypt,
-  encrypt,
  sign
 }
@@ -57,34 +55,6 @@ function cryptPassword (password, callback) {
  })
 }
-function decrypt (key, data, callback) {
-  fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) {
-    if (err) return callback(err)
-    const myPrivateKey = ursa.createPrivateKey(file)
-    const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8')
-    const decryptedData = symetricDecrypt(data, decryptedKey)
-    return callback(null, decryptedData)
-  })
-}
-function encrypt (publicKey, data, callback) {
-  const crt = ursa.createPublicKey(publicKey)
-  symetricEncrypt(data, function (err, dataEncrypted) {
-    if (err) return callback(err)
-    const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex')
-    const encrypted = {
-      data: dataEncrypted.crypted,
-      key: key
-    }
-    callback(null, encrypted)
-  })
-}
 function sign (data) {
  const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))
  const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')
@@ -151,21 +121,3 @@ function generatePassword (callback) {
    callback(null, buf.toString('utf8'))
  })
 }
-function symetricDecrypt (text, password) {
-  const decipher = crypto.createDecipher(algorithm, password)
-  let dec = decipher.update(text, 'hex', 'utf8')
-  dec += decipher.final('utf8')
-  return dec
-}
-function symetricEncrypt (text, callback) {
-  generatePassword(function (err, password) {
-    if (err) return callback(err)
-    const cipher = crypto.createCipher(algorithm, password)
-    let crypted = cipher.update(text, 'utf8', 'hex')
-    crypted += cipher.final('hex')
-    callback(null, { crypted: crypted, password: password })
-  })
-}
diff --git a/server/helpers/requests.js b/server/helpers/requests.js
index 06109ce16..b0cda09fe 100644
--- a/server/helpers/requests.js
+++ b/server/helpers/requests.js
@@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) {
    // If there are data informations
    if (params.data) {
-      // Encrypt data
+      requestParams.json.data = params.data
-      if (params.encrypt === true) {
+      request.post(requestParams, callback)
-        peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) {
-          if (err) return callback(err)
-          requestParams.json.data = encrypted.data
-          requestParams.json.key = encrypted.key
-          request.post(requestParams, callback)
-        })
-      } else {
-        // No encryption
-        requestParams.json.data = params.data
-        request.post(requestParams, callback)
-      }
    } else {
      // No data
      request.post(requestParams, callback)
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js
index fd5bc51d6..ee836beed 100644
--- a/server/middlewares/secure.js
+++ b/server/middlewares/secure.js
@@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
 const Pod = mongoose.model('Pod')
 const secureMiddleware = {
-  checkSignature,
+  checkSignature
-  decryptBody
 }
 function checkSignature (req, res, next) {
  const host = req.body.signature.host
  Pod.loadByHost(host, function (err, pod) {
    if (err) {
-      logger.error('Cannot get signed host in decryptBody.', { error: err })
+      logger.error('Cannot get signed host in body.', { error: err })
      return res.sendStatus(500)
    }
@@ -24,7 +23,7 @@ function checkSignature (req, res, next) {
      return res.sendStatus(403)
    }
-    logger.debug('Decrypting body from %s.', host)
+    logger.debug('Checking signature from %s.', host)
    const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)
@@ -32,30 +31,11 @@ function checkSignature (req, res, next) {
      return next()
    }
-    logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host)
+    logger.error('Signature is not okay in body for %s.', req.body.signature.host)
    return res.sendStatus(403)
  })
 }
-function decryptBody (req, res, next) {
-  peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
-    if (err) {
-      logger.error('Cannot decrypt data.', { error: err })
-      return res.sendStatus(500)
-    }
-    try {
-      req.body.data = JSON.parse(decrypted)
-      delete req.body.key
-    } catch (err) {
-      logger.error('Error in JSON.parse', { error: err })
-      return res.sendStatus(500)
-    }
-    next()
-  })
-}
 // ---------------------------------------------------------------------------
 module.exports = secureMiddleware
diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js
index c6455e678..858d193cc 100644
--- a/server/middlewares/validators/remote.js
+++ b/server/middlewares/validators/remote.js
@@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors
 const logger = require('../../helpers/logger')
 const validatorsRemote = {
-  dataToDecrypt,
  remoteVideos,
  signature
 }
-function dataToDecrypt (req, res, next) {
-  req.checkBody('key', 'Should have a key').notEmpty()
-  req.checkBody('data', 'Should have data').notEmpty()
-  logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } })
-  checkErrors(req, res, next)
-}
 function remoteVideos (req, res, next) {
  req.checkBody('data').isEachRemoteVideosValid()
diff --git a/server/models/request.js b/server/models/request.js
index 59bf440fe..c2cfe83ce 100644
--- a/server/models/request.js
+++ b/server/models/request.js
@@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) {
  const params = {
    toPod: toPod,
-    encrypt: true, // Security
+    sign: true, // Prove our identity
-    sign: true, // To prove our identity
    method: 'POST',
    path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,
    data: requestsToMake // Requests we need to make
author	Chocobozzz <florian.bigard@gmail.com>	2016-11-27 18:25:35 +0100
committer	Chocobozzz <florian.bigard@gmail.com>	2016-11-27 18:25:35 +0100
commit	38d78e5b82a30d1318e3cc2532b7ea22b8e163fa (patch)
tree	3c4cdab683caf1e30c6e76ba78efeb0431fec932 /server
parent	bf57d5eebf8b0fa2361b7973ce9772abd1bb4828 (diff)
download	PeerTube-38d78e5b82a30d1318e3cc2532b7ea22b8e163fa.tar.gz PeerTube-38d78e5b82a30d1318e3cc2532b7ea22b8e163fa.tar.zst PeerTube-38d78e5b82a30d1318e3cc2532b7ea22b8e163fa.zip

diff --git a/server/controllers/api/remote.js b/server/controllers/api/remote.js index 35f386ba6..f1046c534 100644 --- a/server/controllers/api/remote.js +++ b/server/controllers/api/remote.js
@@ -15,9 +15,7 @@ const Video = mongoose.model('Video')
15		15
16	router.post('/videos',	16	router.post('/videos',
17	validators.signature,	17	validators.signature,
18	validators.dataToDecrypt,
19	secureMiddleware.checkSignature,	18	secureMiddleware.checkSignature,
20	secureMiddleware.decryptBody,
21	validators.remoteVideos,	19	validators.remoteVideos,
22	remoteVideos	20	remoteVideos
23	)	21	)


diff --git a/server/helpers/peertube-crypto.js b/server/helpers/peertube-crypto.js index 1ff638b04..2e07df00e 100644 --- a/server/helpers/peertube-crypto.js +++ b/server/helpers/peertube-crypto.js
@@ -16,8 +16,6 @@ const peertubeCrypto = {
16	comparePassword,	16	comparePassword,
17	createCertsIfNotExist,	17	createCertsIfNotExist,
18	cryptPassword,	18	cryptPassword,
19	decrypt,
20	encrypt,
21	sign	19	sign
22	}	20	}
23		21
@@ -57,34 +55,6 @@ function cryptPassword (password, callback) {
57	})	55	})
58	}	56	}
59		57
60	function decrypt (key, data, callback) {
61	fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) {
62	if (err) return callback(err)
63
64	const myPrivateKey = ursa.createPrivateKey(file)
65	const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8')
66	const decryptedData = symetricDecrypt(data, decryptedKey)
67
68	return callback(null, decryptedData)
69	})
70	}
71
72	function encrypt (publicKey, data, callback) {
73	const crt = ursa.createPublicKey(publicKey)
74
75	symetricEncrypt(data, function (err, dataEncrypted) {
76	if (err) return callback(err)
77
78	const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex')
79	const encrypted = {
80	data: dataEncrypted.crypted,
81	key: key
82	}
83
84	callback(null, encrypted)
85	})
86	}
87
88	function sign (data) {	58	function sign (data) {
89	const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))	59	const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))
90	const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')	60	const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')
@@ -151,21 +121,3 @@ function generatePassword (callback) {
151	callback(null, buf.toString('utf8'))	121	callback(null, buf.toString('utf8'))
152	})	122	})
153	}	123	}
154
155	function symetricDecrypt (text, password) {
156	const decipher = crypto.createDecipher(algorithm, password)
157	let dec = decipher.update(text, 'hex', 'utf8')
158	dec += decipher.final('utf8')
159	return dec
160	}
161
162	function symetricEncrypt (text, callback) {
163	generatePassword(function (err, password) {
164	if (err) return callback(err)
165
166	const cipher = crypto.createCipher(algorithm, password)
167	let crypted = cipher.update(text, 'utf8', 'hex')
168	crypted += cipher.final('hex')
169	callback(null, { crypted: crypted, password: password })
170	})
171	}


diff --git a/server/helpers/requests.js b/server/helpers/requests.js index 06109ce16..b0cda09fe 100644 --- a/server/helpers/requests.js +++ b/server/helpers/requests.js
@@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) {
44		44
45	// If there are data informations	45	// If there are data informations
46	if (params.data) {	46	if (params.data) {
47	// Encrypt data	47	requestParams.json.data = params.data
48	if (params.encrypt === true) {	48	request.post(requestParams, callback)
49	peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) {
50	if (err) return callback(err)
51
52	requestParams.json.data = encrypted.data
53	requestParams.json.key = encrypted.key
54
55	request.post(requestParams, callback)
56	})
57	} else {
58	// No encryption
59	requestParams.json.data = params.data
60	request.post(requestParams, callback)
61	}
62	} else {	49	} else {
63	// No data	50	// No data
64	request.post(requestParams, callback)	51	request.post(requestParams, callback)


diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js index fd5bc51d6..ee836beed 100644 --- a/server/middlewares/secure.js +++ b/server/middlewares/secure.js
@@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
7	const Pod = mongoose.model('Pod')	7	const Pod = mongoose.model('Pod')
8		8
9	const secureMiddleware = {	9	const secureMiddleware = {
10	checkSignature,	10	checkSignature
11	decryptBody
12	}	11	}
13		12
14	function checkSignature (req, res, next) {	13	function checkSignature (req, res, next) {
15	const host = req.body.signature.host	14	const host = req.body.signature.host
16	Pod.loadByHost(host, function (err, pod) {	15	Pod.loadByHost(host, function (err, pod) {
17	if (err) {	16	if (err) {
18	logger.error('Cannot get signed host in decryptBody.', { error: err })	17	logger.error('Cannot get signed host in body.', { error: err })
19	return res.sendStatus(500)	18	return res.sendStatus(500)
20	}	19	}
21		20
@@ -24,7 +23,7 @@ function checkSignature (req, res, next) {
24	return res.sendStatus(403)	23	return res.sendStatus(403)
25	}	24	}
26		25
27	logger.debug('Decrypting body from %s.', host)	26	logger.debug('Checking signature from %s.', host)
28		27
29	const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)	28	const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)
30		29
@@ -32,30 +31,11 @@ function checkSignature (req, res, next) {
32	return next()	31	return next()
33	}	32	}
34		33
35	logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host)	34	logger.error('Signature is not okay in body for %s.', req.body.signature.host)
36	return res.sendStatus(403)	35	return res.sendStatus(403)
37	})	36	})
38	}	37	}
39		38
40	function decryptBody (req, res, next) {
41	peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
42	if (err) {
43	logger.error('Cannot decrypt data.', { error: err })
44	return res.sendStatus(500)
45	}
46
47	try {
48	req.body.data = JSON.parse(decrypted)
49	delete req.body.key
50	} catch (err) {
51	logger.error('Error in JSON.parse', { error: err })
52	return res.sendStatus(500)
53	}
54
55	next()
56	})
57	}
58
59	// ---------------------------------------------------------------------------	39	// ---------------------------------------------------------------------------
60		40
61	module.exports = secureMiddleware	41	module.exports = secureMiddleware


diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js index c6455e678..858d193cc 100644 --- a/server/middlewares/validators/remote.js +++ b/server/middlewares/validators/remote.js
@@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors
4	const logger = require('../../helpers/logger')	4	const logger = require('../../helpers/logger')
5		5
6	const validatorsRemote = {	6	const validatorsRemote = {
7	dataToDecrypt,
8	remoteVideos,	7	remoteVideos,
9	signature	8	signature
10	}	9	}
11		10
12	function dataToDecrypt (req, res, next) {
13	req.checkBody('key', 'Should have a key').notEmpty()
14	req.checkBody('data', 'Should have data').notEmpty()
15
16	logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } })
17
18	checkErrors(req, res, next)
19	}
20
21	function remoteVideos (req, res, next) {	11	function remoteVideos (req, res, next) {
22	req.checkBody('data').isEachRemoteVideosValid()	12	req.checkBody('data').isEachRemoteVideosValid()
23		13


diff --git a/server/models/request.js b/server/models/request.js index 59bf440fe..c2cfe83ce 100644 --- a/server/models/request.js +++ b/server/models/request.js
@@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) {
108		108
109	const params = {	109	const params = {
110	toPod: toPod,	110	toPod: toPod,
111	encrypt: true, // Security	111	sign: true, // Prove our identity
112	sign: true, // To prove our identity
113	method: 'POST',	112	method: 'POST',
114	path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,	113	path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,
115	data: requestsToMake // Requests we need to make	114	data: requestsToMake // Requests we need to make