From 8de7bd16c6170a373496783831b1444a141d2119 Mon Sep 17 00:00:00 2001
From: Kevin Froman <beardog@firemail.cc>
Date: Sat, 6 Oct 2018 13:06:46 -0500
Subject: [PATCH] work on foward secrecy

---
 onionr/core.py        | 10 +++++++++-
 onionr/onionrusers.py | 17 +++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/onionr/core.py b/onionr/core.py
index 8a6f5b15..691f1739 100644
--- a/onionr/core.py
+++ b/onionr/core.py
@@ -21,7 +21,7 @@ import sqlite3, os, sys, time, math, base64, tarfile, getpass, simplecrypt, hash
 from onionrblockapi import Block
 
 import onionrutils, onionrcrypto, onionrproofs, onionrevents as events, onionrexceptions, onionrvalues
-import onionrblacklist, onionrchat
+import onionrblacklist, onionrchat, onionrusers
 import dbcreator
 if sys.version_info < (3, 6):
     try:
@@ -731,8 +731,16 @@ class Core:
         if len(jsonMeta) > 1000:
             raise onionrexceptions.InvalidMetadata('meta in json encoded form must not exceed 1000 bytes')
 
+        user = onionrusers.OnionrUser(self, symKey)
+
         # encrypt block metadata/sig/content
         if encryptType == 'sym':
+
+            # Encrypt block data with forward secrecy key first, but not meta
+            forwardEncrypted = onionrusers.OnionrUser(self, key=symKey).forwardEncrypt(data)
+            data = forwardEncrypted[0]
+            jsonMeta['newFSKey'] = forwardEncrypted[1]
+
             if len(symKey) < self.requirements.passwordLength:
                 raise onionrexceptions.SecurityError('Weak encryption key')
             jsonMeta = self._crypto.symmetricEncrypt(jsonMeta, key=symKey, returnEncoded=True).decode()
diff --git a/onionr/onionrusers.py b/onionr/onionrusers.py
index d950ec33..ea664839 100644
--- a/onionr/onionrusers.py
+++ b/onionr/onionrusers.py
@@ -55,20 +55,23 @@ class OnionrUser:
         return decrypted
     
     def forwardEncrypt(self, data):
+        self.generateForwardKey()
         retData = ''
         forwardKey = self._getLatestForwardKey()
         if self._core._utils.validatePubKey(forwardKey):
             encrypted = self._core._crypto.pubKeyEncrypt(data, forwardKey, encodedData=True)
         else:
-            raise Exception("No valid forward key available for this user")
-        return
+            raise onionrexceptions.InvalidPubkey("No valid forward key available for this user")
+        return (data, forwardKey)
     
     def forwardDecrypt(self, encrypted):
         retData = ''
+        for key in self
         return
 
     def _getLatestForwardKey(self):
         # Get the latest forward secrecy key for a peer
+        key = ""
         conn = sqlite3.connect(self._core.peerDB, timeout=10)
         c = conn.cursor()
 
@@ -111,7 +114,17 @@ class OnionrUser:
 
         conn.commit()
         conn.close()
+        return newPub
 
+    def getGeneratedForwardKeys(self, peer):
+        # Fetch the keys we generated for the peer, that are still around
+        conn = sqlite3.connect(self._core.peerDB, timeout=10)
+        c = conn.cursor()
+        command = (peer,)
+        keyList = [] # list of tuples containing pub, private for peer
+        for result in c.execute("SELECT * FROM myForwardKeys where peer=?", command):
+            keyList.append((result[1], result[2]))
+        return keyList
 
     def addForwardKey(self, newKey):
         if not self._core._utils.validatePubKey(newKey):