Implement crypto worker delegated to:

- computation of argon2 for password hashing
- computation of argon2 for renewed proof of work
- future crypto duties

Author: evilaliv3

backend/globaleaks/handlers/base.py

@@ -135,6 +135,7 @@ def get_session(self):
         if token:
             try:
                 self.token = self.state.tokens.validate(token)
+                print(token)
                 if self.token.session is not None:
                     session = self.token.session
             except:

backend/globaleaks/handlers/staticfile.py

@@ -38,10 +38,24 @@ def get(self, filename):
                                    b"frame-src 'self';"
                                    b"img-src 'self';"
                                    b"media-src 'self';"
-                                   b"script-src 'self' 'sha256-l4srTx31TC+tE2K4jVVCnC9XfHivkiSs/v+DPWccDDM=' 'report-sample' 'wasm-unsafe-eval';"
+                                   b"script-src 'self' 'sha256-l4srTx31TC+tE2K4jVVCnC9XfHivkiSs/v+DPWccDDM=' 'report-sample';"
                                    b"style-src 'self' 'report-sample';"
+                                   b"worker-src 'self';"
                                    b"trusted-types angular angular#bundler dompurify default;"
                                    b"require-trusted-types-for 'script';"
                                    b"report-uri /api/report;")
 
+        elif filename == 'workers/crypto.worker.js':
+            self.request.setHeader(b'Content-Security-Policy',
+                                   b"base-uri 'none';"
+                                   b"default-src 'none' 'report-sample';"
+                                   b"form-action 'none';"
+                                   b"frame-ancestors 'none';"
+                                   b"sandbox;"
+                                   b"script-src 'self' 'wasm-unsafe-eval';"
+                                   b"trusted-types;"
+                                   b"require-trusted-types-for 'script';"
+                                   b"report-uri /api/report;")
+
+
         return self.write_file(filename, abspath)

backend/globaleaks/handlers/user/operation.py

@@ -22,9 +22,6 @@ def change_password(session, tid, user_session, key):
 
     config = models.config.ConfigFactory(session, tid)
 
-    if not GCE.is_base64_key(key):
-        raise errors.InputValidationError
-
     key = Base64Encoder.decode(key.encode())
     hash = sha512(key)
 

backend/globaleaks/tests/handlers/auth/test_auth.py

@@ -310,7 +310,6 @@ class TestSessionHandler(helpers.TestHandlerWithPopulatedDB):
     def test_successful_admin_session_setup_renewal_and_logout(self):
         # since all logins for roles admin, receiver and custodian happen
         # in the same way, the following tests are performed on the admin user.
-
         self._handler = auth.AuthenticationHandler
 
         # Login
@@ -330,6 +329,7 @@ def test_successful_admin_session_setup_renewal_and_logout(self):
         session_id = response['id']
         session = Sessions.get(session_id)
         session.token.id = helpers.TOKEN
+        session.token.salt = helpers.TOKEN_SALT
 
         # Wrong Session Renewal
         handler = self.request({'token': 'wrong_token:666'}, headers={'x-session': session_id})

backend/globaleaks/tests/helpers.py

@@ -73,8 +73,11 @@
 GCE_orig_generate_key = GCE.generate_key
 GCE_orig_generate_keypair = GCE.generate_keypair
 
-TOKEN = b"31b780b6eb6357e324eea7c3a5d2542067c4d537f4f4de77473c93d48dd8a758"
-TOKEN_ANSWER = b"31b780b6eb6357e324eea7c3a5d2542067c4d537f4f4de77473c93d48dd8a758:149619"
+TOKEN = b"61af2d7fb2796730c9fb9e357ed4c0f9c87d8c6f6976c4ca3731238db43e87b0"
+TOKEN_SALT = b"eed1d4c5a8e97f4f953d4bddd62957ac5f9e94af6a025c6b95300d72ba41b57e"
+TOKEN_ANSWER = b"61af2d7fb2796730c9fb9e357ed4c0f9c87d8c6f6976c4ca3731238db43e87b0:142"
+
+
 def mock_nullfunction(*args, **kwargs):
     return
 
@@ -179,6 +182,7 @@ def get_token():
     token = State.tokens.new(1)
     State.tokens.pop(token.id)
     token.id = TOKEN
+    token.salt = TOKEN_SALT
     State.tokens[token.id] = token
     return TOKEN_ANSWER
 

backend/globaleaks/utils/token.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8
 # Implement a proof of work token to prevent resources exhaustion
+from nacl.encoding import Base64Encoder
 
 from globaleaks.rest import errors
-from globaleaks.utils.crypto import sha256, generateRandomKey
+from globaleaks.utils.crypto import GCE, generateRandomKey
 from globaleaks.utils.tempdict import TempDict
 from globaleaks.utils.utility import datetime_now
 
@@ -11,18 +12,20 @@ class Token(object):
     def __init__(self, tid):
         self.tid = tid
         self.id = generateRandomKey().encode()
+        self.salt = generateRandomKey().encode()
         self.session = None
         self.creation_date = datetime_now()
 
     def serialize(self):
         return {
             'id': self.id.decode(),
+            'salt': self.salt.decode(),
             'creation_date': self.creation_date
         }
 
     def validate(self, answer):
         try:
-            if not sha256(self.id + answer).endswith(b'00'):
+            if not Base64Encoder.decode(GCE.argon2id(self.id + answer, self.salt, 1, 1 << 20))[31] == 0:
                 raise errors.InternalServerError("TokenFailure: Invalid Token")
         except:
             raise errors.InternalServerError("TokenFailure: Invalid token")

client/Gruntfile.js

@@ -181,7 +181,27 @@ module.exports = function(grunt) {
     },
 
     webpack: {
-      build: {
+      crypto_worker: {
+        entry: {
+          'crypto.worker.js': './app/workers/crypto.worker.ts',
+        },
+        output: {
+          filename: 'crypto.worker.js',
+          path: path.resolve('build/workers/'),
+          libraryTarget: 'umd',
+          globalObject: 'this',
+        },
+        mode: 'production',
+        resolve: {
+          fallback: {
+            fs: false,
+            crypto: false,
+            path: false,
+            stream: false
+          }
+        }
+      },
+      pdfjs: {
         entry: {
           'pdf.min': './node_modules/pdfjs-dist/legacy/build/pdf.min.mjs',
           'pdf.worker.min': './node_modules/pdfjs-dist/legacy/build/pdf.worker.min.mjs',

client/app/src/models/authentication/token-response.ts

@@ -1,4 +1,5 @@
 export class TokenResponse {
   id: string;
+  salt: string;
   answer: string;
-}
+}

client/app/src/pages/admin/users/user-editor/user-editor.component.ts

@@ -86,7 +86,7 @@ export class UserEditorComponent implements OnInit {
 
   async setPassword(setPasswordArgs: { user_id: string, password: string }) {
     this.appDataService.updateShowLoadingPanel(true);
-    setPasswordArgs.password = await this.cryptoService.hashArgon2(setPasswordArgs.password, this.appDataService.public.node.receipt_salt, this.user.username);
+    setPasswordArgs.password = await this.cryptoService.hashArgon2(setPasswordArgs.password, this.user.salt);
     this.appDataService.updateShowLoadingPanel(false);
 
     this.utilsService.runAdminOperation("set_user_password", setPasswordArgs, false).subscribe();

client/app/src/pages/app/app.component.ts

@@ -144,7 +144,7 @@ export class AppComponent implements AfterViewInit, OnInit, OnDestroy{
     this.keepalive.onPing.subscribe(() => {
       if (this.authenticationService.session) {
         const token = this.authenticationService.session.token;
-        this.cryptoService.proofOfWork(token.id).subscribe((result:any) => {
+        this.cryptoService.proofOfWork(token).subscribe((result:any) => {
 	  const param = {'token': token.id + ":" + result};
           this.httpService.requestRefreshUserSession(param).subscribe(((result:any) => {
             this.authenticationService.session.token = result.token;

client/app/src/pages/recipient/tip/tip.component.ts

@@ -388,7 +388,7 @@ export class TipComponent implements OnInit {
     (
       {
         next: async token => {
-          this.cryptoService.proofOfWork(token.id).subscribe(
+          this.cryptoService.proofOfWork(token).subscribe(
             (result: number) => {
               window.open("api/recipient/rtips/" + tipId + "/export" + "?token=" + token.id + ":" + result);
               this.appDataService.updateShowLoadingPanel(false);

client/app/src/pages/whistleblower/submission/submission.component.ts

@@ -308,6 +308,8 @@ export class SubmissionComponent implements OnInit {
         return;
       }
 
+      clearInterval(intervalId);
+
       this.authenticationService.session.receipt = this.cryptoService.generateReceipt();
 
       const res = await firstValueFrom(this.httpService.requestAuthType(JSON.stringify({'username': "" /* whistleblower */ })));
@@ -326,8 +328,6 @@ export class SubmissionComponent implements OnInit {
           this.titleService.setPage("receiptpage");
         }
       });
-
-      clearInterval(intervalId);
     }, 1000);
   }
 

client/app/src/pages/wizard/wizard/wizard.component.ts

@@ -94,8 +94,10 @@ export class WizardComponent implements OnInit {
     this.completed = true;
     this.wizard.node_language = this.translationService.language;
     this.appDataService.updateShowLoadingPanel(true);
-    this.wizard.admin_password = this.admin_password ? await this.cryptoService.hashArgon2(this.admin_password, this.appDataService.public.node.receipt_salt, this.wizard.admin_username) : "";
-    this.wizard.receiver_password = this.receiver_password ? await this.cryptoService.hashArgon2(this.receiver_password, this.appDataService.public.node.receipt_salt, this.wizard.receiver_username) : "";
+    const admin_salt = await this.cryptoService.generateSalt(this.appDataService.public.node.receipt_salt + ":" + this.wizard.admin_username);
+    const receiver_salt = await this.cryptoService.generateSalt(this.appDataService.public.node.receipt_salt + ":" + this.wizard.receiver_username);
+    this.wizard.admin_password = this.admin_password ? await this.cryptoService.hashArgon2(this.admin_password, admin_salt) : "";
+    this.wizard.receiver_password = this.receiver_password ? await this.cryptoService.hashArgon2(this.receiver_password, receiver_salt) : '';
     this.appDataService.updateShowLoadingPanel(false);
 
     const param = JSON.stringify(this.wizard);

client/app/src/services/helper/trusted-types.service.ts

@@ -17,7 +17,11 @@ export class TrustedTypesService {
           throw new Error('Scripts are not allowed by this policy.');
         },
         createScriptURL: (input: string) => {
-          throw new Error('Script URLs are not allowed by this policy.');
+          if (input === '/workers/crypto.worker.js') {
+            return input;
+	  } else {
+            throw new Error('Script URLs are not allowed by this policy.');
+	  }
         }
       });
     }

client/app/src/services/root/app-interceptor.service.ts

@@ -71,7 +71,7 @@ export class appInterceptor implements HttpInterceptor {
     if (httpRequest.url.includes("api/signup") || httpRequest.url.endsWith("api/auth/receiptauth") && !this.authenticationService.session || protectedUrls.includes(httpRequest.url)) {
       return this.httpClient.post("api/auth/token", {}).pipe(
         switchMap((response) =>
-          from(this.cryptoService.proofOfWork(Object.assign(new TokenResponse(), response).id)).pipe(
+          from(this.cryptoService.proofOfWork(Object.assign(new TokenResponse(), response))).pipe(
             switchMap((ans) => next.handle(httpRequest.clone({
               headers: httpRequest.headers.set("x-token", `${Object.assign(new TokenResponse(), response).id}:${ans}`)
                 .set("Accept-Language", this.getAcceptLanguageHeader() || ""),

client/app/src/shared/partials/tip-files-whistleblower/tip-files-whistleblower.component.ts

@@ -39,7 +39,7 @@ export class TipFilesWhistleblowerComponent {
     (
       {
         next: async token => {
-          this.cryptoService.proofOfWork(token.id).subscribe(
+          this.cryptoService.proofOfWork(token).subscribe(
               (ans) => {
                 window.open("api/whistleblower/wbtip/wbfiles/" + wbFile.id + "?token=" + token.id + ":" + ans);
                 this.appDataService.updateShowLoadingPanel(false);

client/app/src/shared/partials/wbfiles/wb-files.component.ts

@@ -50,7 +50,7 @@ export class WbFilesComponent implements OnInit {
     (
       {
         next: async token => {
-          this.cryptoService.proofOfWork(token.id).subscribe(
+          this.cryptoService.proofOfWork(token).subscribe(
             (ans) => {
               if (this.authenticationService.session.role === "receiver") {
                 window.open("api/recipient/rfiles/" + wbFile.id + "?token=" + token.id + ":" + ans);