From 46de195bf8640fa77c859165ca4adb7162221659 Mon Sep 17 00:00:00 2001 From: Kevin F Date: Sat, 31 Dec 2022 00:34:03 -0600 Subject: [PATCH] + Started ThreatModel.md * Switched from uuids to the system random device --- .gitignore | 1 + Dependencies.md | 9 --------- Makefile | 10 ++++++++-- ReadMe.md | 4 +++- Server.md | 6 +++--- ThreatModel.md | 1 + security/Authentication.md | 23 ++++++++++++++--------- smartkeyboard/auth/auth_test.go | 9 +++++---- 8 files changed, 35 insertions(+), 28 deletions(-) create mode 100644 ThreatModel.md diff --git a/.gitignore b/.gitignore index 355c880..f888b44 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ docs/* +bin/* *.go !smartkeyboard/auth/*_test.go go.mod diff --git a/Dependencies.md b/Dependencies.md index f9f32a9..5bb9b6e 100644 --- a/Dependencies.md +++ b/Dependencies.md @@ -3,15 +3,6 @@ This project has the following dependencies, excluding the Go standard library: -# uuid - -We use uuidv4s to generate authentication tokens - ---- uuid import string - - "github.com/google/uuid" - ---- # xdg diff --git a/Makefile b/Makefile index 2a35f81..27f89e0 100644 --- a/Makefile +++ b/Makefile 
@@ -1,13 +1,19 @@ weave: - srcweave --formatter srcweave-format --weave docs/ ReadMe.md security/Authentication.md EnvironmentVariables.md Dependencies.md Server.md + srcweave --formatter srcweave-format --weave docs/ ReadMe.md security/Authentication.md EnvironmentVariables.md Dependencies.md Server.md Streaming.md tangle: - srcweave --formatter srcweave-format --tangle smartkeyboard/ ReadMe.md security/Authentication.md EnvironmentVariables.md Dependencies.md Server.md + srcweave --formatter srcweave-format --tangle smartkeyboard/ ReadMe.md security/Authentication.md EnvironmentVariables.md Dependencies.md Server.md Streaming.md clean: rm -rf docs find smartkeyboard/ -type f -not -name "*_test.go" -delete rm go.mod rm go.sum +build: tangle + - cd smartkeyboard && go mod init keyboard.voidnet.tech + - cd smartkeyboard && go mod tidy + - cd smartkeyboard && go build -o ../bin/keyboard + + test: tangle -cd smartkeyboard && go mod init keyboard.voidnet.tech -cd smartkeyboard && go mod tidy diff --git a/ReadMe.md b/ReadMe.md index 9f47095..b0ce13d 100644 --- a/ReadMe.md +++ b/ReadMe.md @@ -60,7 +60,8 @@ Then we can start the web server and listen for websocket connections. --- entrypoint func main(){ - auth.ProvisionToken() + tokenBase64, _ := auth.ProvisionToken() + fmt.Println(tokenBase64) server.StartServer() } @@ -71,6 +72,7 @@ Then we can start the web server and listen for websocket connections. package main import( + "fmt" "keyboard.voidnet.tech/server" "keyboard.voidnet.tech/auth" ) diff --git a/Server.md b/Server.md index 4150eea..bb0fe5d 100644 --- a/Server.md +++ b/Server.md @@ -42,7 +42,7 @@ func StartServer() { @{create listener} http.HandleFunc("/sendkeys", clientConnected) - http.HandleFunc("/activewindow", ) + //http.HandleFunc("/activewindow", ) http.Serve(listener, nil) 
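Review bot: Every recipe line of the new `build` target carries the `-` prefix, including `go build -o ../bin/keyboard`, so make ignores a failed compile and `make build` still exits successfully, possibly leaving an older binary in `bin/`. Drop the prefix on the last line: `cd smartkeyboard && go build -o ../bin/keyboard`. Separately, `go mod init` and `go mod tidy` run on every build while `clean` deletes `go.mod` and `go.sum` and `.gitignore` lists `go.mod`, so dependency versions appear to be resolved afresh each time rather than pinned. Committing `go.mod` and `go.sum` would make the build reproducible and reviewable.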
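Review bot: In the entrypoint hunk, `tokenBase64, _ := auth.ProvisionToken()` discards the error and prints the value unconditionally, so the server starts and a line is written to stdout even when provisioning failed or was skipped. The token-generation block in security/Authentication.md already prints the token with its "only be shown once" message, so this extra `fmt.Println(tokenBase64)` emits the secret a second time, and stdout is often captured in service logs. Handle the error and drop the duplicate print, for example `if _, err := auth.ProvisionToken(); err != nil { panic(err) }`.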
@@ -70,8 +70,8 @@ var listener net.Listener var upgrader = websocket.Upgrader{} // use default options - -@{start http server} @{streaming keyboard input} +@{start http server} + --- ``` \ No newline at end of file diff --git a/ThreatModel.md b/ThreatModel.md new file mode 100644 index 0000000..f8f4102 --- /dev/null +++ b/ThreatModel.md @@ -0,0 +1 @@ +# GoSmartKeyboard Threat Model \ No newline at end of file diff --git a/security/Authentication.md b/security/Authentication.md index 5fe795e..b0caab4 100644 --- a/security/Authentication.md +++ b/security/Authentication.md @@ -12,10 +12,13 @@ KDF. ``` go --- token generation -authToken = uuid.New().String() + uuid.New().String() -hashedID := sha3.Sum256([]byte(authToken)) +authToken := [32]byte{} +rand.Read(authToken[:]) -fmt.Println("This is your authentication token, it will only be shown once: " + authToken) +authTokenString := base64.StdEncoding.EncodeToString(authToken[:]) +hashedID := sha3.Sum256(authToken[:]) + +fmt.Println("This is your authentication token, it will only be shown once: " + authTokenString) --- ``` @@ -53,7 +56,8 @@ We use a constant time comparison to avoid timing attacks. func CheckAuthToken(token string) error { @{define authentication token file} // compare sha3_256 hash to hash in file - hashedToken := sha3.Sum256([]byte(token)) + tokenBytes, err := base64.StdEncoding.DecodeString(token) + hashedToken := sha3.Sum256(tokenBytes) storedToken, err := os.ReadFile(authTokenFile) if err != nil { return err @@ -66,11 +70,11 @@ func CheckAuthToken(token string) error { --- --- provision token function -func ProvisionToken() (error){ +func ProvisionToken() (base64Token string, failed error){ @{define authentication token file} if _, err := os.Stat(authTokenFile); err == nil { - return nil + return "", nil } @{token generation} @@ -83,7 +87,7 @@ func ProvisionToken() (error){ panic(err) } fo.Write(hashedID[:]) - return nil + return base64Token, nil } --- 
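Review bot: In the token-generation hunk the result of `rand.Read(authToken[:])` is not checked, so if the read from the system random source fails the buffer can stay zero-filled and is still hashed, stored and shown to the user as a valid token. Check it before encoding: `if _, err := rand.Read(authToken[:]); err != nil { return "", err }`. The block is tangled into `ProvisionToken`, which after this commit returns `(string, error)`, so the early return fits the new signature.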
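Review bot: In `CheckAuthToken` the error from `base64.StdEncoding.DecodeString(token)` is never inspected. The next statement, `storedToken, err := os.ReadFile(authTokenFile)`, reassigns `err`, so a malformed token is hashed over whatever bytes were decoded before the failure instead of being rejected. Fail closed directly after the decode with `if err != nil { return err }`. The rest of the function, including the constant-time comparison, lies outside this hunk.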
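Review bot: The named result `base64Token` introduced in the `ProvisionToken` signature is never assigned in the visible lines; the tangled token-generation block stores the encoded token in `authTokenString`. As a result, `return base64Token, nil` in the following hunk (@@ -83,7 +87,7) appears to hand the caller an empty string. Return the generated value with `return authTokenString, nil`, or assign `base64Token = authTokenString` after generation. The early `return "", nil` when the token file already exists looks the same to the caller, so a doc comment stating that an empty string means "already provisioned" would help. Part of the function body sits between the two hunks and is not shown.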
@@ -102,13 +106,14 @@ import( "path/filepath" "fmt" "errors" + "encoding/base64" + "crypto/rand" "crypto/subtle" @{sha3 import string} -@{uuid import string} @{xdg import string} ) -var authToken = "" +//var authToken = "" @{provision token function} diff --git a/smartkeyboard/auth/auth_test.go b/smartkeyboard/auth/auth_test.go index 0f3c092..fbaf1d3 100644 --- a/smartkeyboard/auth/auth_test.go +++ b/smartkeyboard/auth/auth_test.go @@ -1,6 +1,7 @@ package auth import ( + "encoding/base64" "golang.org/x/crypto/sha3" "os" "testing" @@ -14,7 +15,7 @@ func TestAuthPasswordHashBad(t *testing.T) { password := "wrong password" - result := checkAuthToken(password) + result := CheckAuthToken(password) if result == nil { t.Errorf("Expected error, got nil") } @@ -29,7 +30,7 @@ func TestAuthPasswordEmpty(t *testing.T) { password := "" - result := checkAuthToken(password) + result := CheckAuthToken(password) if result == nil { t.Errorf("Expected error, got nil") } @@ -48,9 +49,9 @@ func TestAuthPasswordHashGood(t *testing.T) { fo.Write(expectedHash[:]) t.Log("TestAuthPasswordHash") - password := "password" + password := base64.StdEncoding.EncodeToString([]byte("password")) - result := checkAuthToken(password) + result := CheckAuthToken(password) if result != nil { t.Errorf("Expected nil, got error") }
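Review bot: In `TestAuthPasswordHashBad`, `"wrong password"` is not valid base64 because it contains a space, so after this change the test only exercises the malformed-input path of `CheckAuthToken`. No test covers a well-formed token that carries the wrong value. Add a case such as `password := base64.StdEncoding.EncodeToString([]byte("wrong password"))` and keep the raw string as a separate malformed-input case that must also return an error. The test bodies start outside these hunks.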