syncthing/lib/protocol/deviceid.go
Jakob Borg 439c6c5b7c
lib/api: Add cache busting for basic auth (ref #9208) (#9215)
This adds our short device ID to the basic auth realm. This has at least
two consequences:

- It is different from what's presented by another device on the same
address (e.g., if I use SSH forwards to different devices on the same
local address), preventing credentials for one from being sent to
another.

- It is different from what we did previously, meaning we avoid cached
credentials from old versions interfering with the new login flow.

I don't *think* there should be things that depend on our precise realm
string, so this shouldn't break any existing setups...

Sneakily this also changes the session cookie and CSRF name, because I
think `id.Short().String()` is nicer than `id.String()[:5]` and the
short ID is two characters longer. That's also not a problem...
2023-11-14 11:57:39 +01:00


// Copyright (C) 2014 The Protocol Authors.
package protocol
import (
"bytes"
"encoding/base32"
"encoding/binary"
"errors"
"fmt"
"strings"
"github.com/syncthing/syncthing/lib/sha256"
)
const (
	// DeviceIDLength is the size in bytes of a DeviceID (the length of a
	// SHA-256 digest, see NewDeviceID).
	DeviceIDLength = 32
	// ShortIDStringLength is the number of base32 characters kept by
	// ShortID.String.
	ShortIDStringLength = 7
)

type (
	// DeviceID is the full 32-byte identity of a device.
	DeviceID [DeviceIDLength]byte
	// ShortID holds the first 64 bits of a DeviceID (see DeviceID.Short).
	ShortID uint64
)

var (
	// LocalDeviceID is a sentinel ID with every byte set to 0xff.
	LocalDeviceID = repeatedDeviceID(0xff)
	// GlobalDeviceID is a sentinel ID with every byte set to 0xf8.
	GlobalDeviceID = repeatedDeviceID(0xf8)
	// EmptyDeviceID is the all-zero ID; DeviceID.String renders it as "".
	EmptyDeviceID = DeviceID{ /* all zeroes */ }
)
// repeatedDeviceID builds a DeviceID whose every byte equals v. It backs the
// LocalDeviceID and GlobalDeviceID sentinels.
func repeatedDeviceID(v byte) DeviceID {
	var id DeviceID
	for i := 0; i < len(id); i++ {
		id[i] = v
	}
	return id
}
// NewDeviceID derives a device ID from the raw bytes of a certificate: the
// ID is the SHA-256 digest of rawCert.
func NewDeviceID(rawCert []byte) DeviceID {
	digest := sha256.Sum256(rawCert)
	return DeviceID(digest)
}
// DeviceIDFromString parses the textual form of a device ID (the forms
// accepted by UnmarshalText). On error the returned DeviceID is whatever
// UnmarshalText left behind and must not be used.
func DeviceIDFromString(s string) (DeviceID, error) {
	var id DeviceID
	if err := id.UnmarshalText([]byte(s)); err != nil {
		return id, err
	}
	return id, nil
}
// DeviceIDFromBytes copies a raw DeviceIDLength-byte device ID out of bs.
// Any other length is rejected with an error and a zero DeviceID.
func DeviceIDFromBytes(bs []byte) (DeviceID, error) {
	var id DeviceID
	if len(bs) == DeviceIDLength {
		copy(id[:], bs)
		return id, nil
	}
	return id, errors.New("incorrect length of byte slice representing device ID")
}
// String returns the canonical string representation of the device ID: the
// unpadded base32 encoding of the 32 bytes, extended with one check
// character per 13-character group (luhnify) and split into dash-separated
// 7-character chunks (chunkify). EmptyDeviceID renders as "".
func (n DeviceID) String() string {
	if n == EmptyDeviceID {
		return ""
	}
	encoded := strings.TrimRight(base32.StdEncoding.EncodeToString(n[:]), "=")
	withCheck, err := luhnify(encoded)
	if err != nil {
		// luhnify is fed fixed-length base32 output here, so a failure
		// would be a programming error rather than bad input.
		panic(err)
	}
	return chunkify(withCheck)
}
// GoString makes %#v print the device ID in the same canonical form as %v.
func (n DeviceID) GoString() string {
	canonical := n.String()
	return canonical
}
// Compare orders two device IDs bytewise, returning -1, 0 or +1 as n is
// less than, equal to or greater than other.
func (n DeviceID) Compare(other DeviceID) int {
	for i := range n {
		if n[i] == other[i] {
			continue
		}
		if n[i] < other[i] {
			return -1
		}
		return 1
	}
	return 0
}
// Equals reports whether the two device IDs hold identical bytes.
func (n DeviceID) Equals(other DeviceID) bool {
	// Fixed-size byte arrays are comparable, so this is a bytewise compare.
	return n == other
}
// Short returns the first 64 bits of the device ID, read big-endian, as a
// ShortID.
func (n DeviceID) Short() ShortID {
	head := n[:8]
	return ShortID(binary.BigEndian.Uint64(head))
}
// MarshalText implements encoding.TextMarshaler using the canonical String
// form; it never returns an error.
func (n DeviceID) MarshalText() ([]byte, error) {
	text := n.String()
	return []byte(text), nil
}
// String renders the short ID as the first ShortIDStringLength characters of
// the base32 encoding of its big-endian bytes; the zero ShortID renders as "".
func (s ShortID) String() string {
	if s == 0 {
		return ""
	}
	raw := make([]byte, 8)
	binary.BigEndian.PutUint64(raw, uint64(s))
	encoded := base32.StdEncoding.EncodeToString(raw)
	return encoded[:ShortIDStringLength]
}
// UnmarshalText parses a device ID from its textual form. The input is
// normalised first: surrounding '=' padding is trimmed, the text is
// upper-cased, the common typos 0/1/8 are mapped to O/I/B (untypeoify) and
// dashes and spaces are removed (unchunkify). After that, an empty string
// yields EmptyDeviceID, 56 characters are treated as the new style with check
// characters (verified and stripped by unluhnify), and 52 characters as the
// old style without them; any other length is an error. The check characters
// only catch transcription mistakes; they are not an integrity or
// authentication mechanism.
func (n *DeviceID) UnmarshalText(bs []byte) error {
	// Normalisation order matters: '=' is trimmed before dashes/spaces are
	// removed, so the steps must stay in this sequence.
	id := unchunkify(untypeoify(strings.ToUpper(strings.Trim(string(bs), "="))))
	if id == "" {
		*n = EmptyDeviceID
		return nil
	}
	switch len(id) {
	case 56:
		// New style, with check digits: verify and strip them, leaving the
		// 52-character old-style form.
		stripped, err := unluhnify(id)
		if err != nil {
			return err
		}
		id = stripped
	case 52:
		// Old style, no check digits
	default:
		return fmt.Errorf("%q: device ID invalid: incorrect length", bs)
	}
	// 52 base32 characters plus four padding characters decode to exactly
	// DeviceIDLength bytes.
	dec, err := base32.StdEncoding.DecodeString(id + "====")
	if err != nil {
		return err
	}
	copy(n[:], dec)
	return nil
}
// ProtoSize reports the wire size of a device ID for the protobuf marshaller,
// which is always DeviceIDLength.
func (*DeviceID) ProtoSize() int {
	const size = DeviceIDLength
	return size
}
// MarshalTo writes the raw device ID into bs for the protobuf marshaller and
// returns the number of bytes written (DeviceIDLength). It fails if bs is
// shorter than DeviceIDLength.
func (n *DeviceID) MarshalTo(bs []byte) (int, error) {
	if len(bs) >= DeviceIDLength {
		return copy(bs, n[:]), nil
	}
	return 0, errors.New("destination too short")
}
// Unmarshal reads the raw device ID from bs for the protobuf marshaller. It
// fails if bs holds fewer than DeviceIDLength bytes; only the first
// DeviceIDLength bytes are consumed and any excess is ignored.
func (n *DeviceID) Unmarshal(bs []byte) error {
	if len(bs) < DeviceIDLength {
		return fmt.Errorf("%q: not enough data", bs)
	}
	copy(n[:], bs[:DeviceIDLength])
	return nil
}
// luhnify appends a check character (from luhn32) to each of the four
// 13-character groups of a 52-character base32 string, producing 56
// characters. It panics on any other input length — callers always pass the
// base32 encoding of a DeviceID — and returns luhn32's error unchanged if a
// group cannot be checksummed.
func luhnify(s string) (string, error) {
	if len(s) != 52 {
		panic("unsupported string length")
	}
	var out strings.Builder
	out.Grow(56)
	for start := 0; start < 52; start += 13 {
		group := s[start : start+13]
		check, err := luhn32(group)
		if err != nil {
			return "", err
		}
		out.WriteString(group)
		out.WriteByte(byte(check))
	}
	return out.String(), nil
}
// unluhnify verifies and strips the check character that follows each
// 13-character group of a 56-character device ID string, returning the
// 52-character form. It returns an error for any other length, for a group
// luhn32 cannot checksum, or when a check character does not match.
func unluhnify(s string) (string, error) {
	if len(s) != 56 {
		return "", fmt.Errorf("%q: unsupported string length %d", s, len(s))
	}
	var out strings.Builder
	out.Grow(52)
	for start := 0; start < 56; start += 14 {
		group := s[start : start+13]
		check, err := luhn32(group)
		if err != nil {
			return "", err
		}
		// The check character sits right after its group.
		if s[start+13] != byte(check) {
			return "", fmt.Errorf("%q: check digit incorrect", s)
		}
		out.WriteString(group)
	}
	return out.String(), nil
}
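// chunkify splits s into dash-separated groups of seven characters, e.g.
// "ABCDEFGHIJKLMN" -> "ABCDEFG-HIJKLMN". Callers pass exact multiples of
// seven; any shorter tail is dropped, as before. A string with fewer than
// seven characters (including "") now yields "" instead of panicking on a
// negative buffer length.
func chunkify(s string) string {
	chunks := len(s) / 7
	if chunks == 0 {
		return ""
	}
	var out strings.Builder
	out.Grow(chunks*8 - 1) // 7 chars per chunk plus one dash between chunks
	for i := 0; i < chunks; i++ {
		if i > 0 {
			out.WriteByte('-')
		}
		out.WriteString(s[i*7 : (i+1)*7])
	}
	return out.String()
}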
// unchunkify removes every dash and space from s, undoing the grouping that
// chunkify (or a human typing the ID) introduced.
func unchunkify(s string) string {
	// Single-byte patterns keep this a byte-level replacement, so arbitrary
	// input bytes other than '-' and ' ' pass through untouched.
	separators := strings.NewReplacer("-", "", " ", "")
	return separators.Replace(s)
}
// untypeoify maps the digits 0, 1 and 8 — which are not in the base32
// alphabet but are easily mistaken for O, I and B — to those letters.
func untypeoify(s string) string {
	typos := strings.NewReplacer(
		"0", "O",
		"1", "I",
		"8", "B",
	)
	return typos.Replace(s)
}