Plugins - CAPTCHA

captcha.ini.sample

@@ -0,0 +1,43 @@
+; SOGS CAPTCHA plugin configuration.
+
+[plugin]
+
+; The name of the CAPTCHA plugin. This will be displayed to Session clients when they interact with the plugin.
+;
+name = CAPTCHA Plugin
+
+; Path to the x25519 private key file. This is a 32-byte file containing the raw private key data.
+; A new key is generated by default if a key is not found at this location.
+;
+key_file = captcha_x25519
+
+; This is the total number of unique CAPTCHAs the SOGS will provide to the user if they fail a CAPTCHA or refresh the CAPTCHA.
+; If the user exceeds the retry limit, they will need to contact the SOGS operator to have their permissions manually updated.
+;
+retry_limit = 3
+
+; This is the number of seconds the SOGS will wait after a user successfully solves a CAPTCHA before the user is given write permissions.
+;
+write_timeout = 0
+
+; This is the number of seconds the SOGS will wait before allowing a user to refresh the CAPTCHA.
+;
+refresh_timeout = 60
+
+; This is the number of seconds the SOGS will wait before providing the next CAPTCHA if a user fails the CAPTCHA.
+;
+retry_timeout = 120
+
+[sogs]
+
+; The public key of your SOGS. This can be found in your room URLs.
+; For example, if the URL to join your room was http://xx.xx.xx.xx/roomname?public_key=e6c5c8afb023a02fc2cbb6c6bc34929df5985c87b320b3d9cc360b7d47becf0b
+; your sogs_pubkey_hex would be sogs_pubkey_hex = e6c5c8afb023a02fc2cbb6c6bc34929df5985c87b320b3d9cc360b7d47becf0b
+; Your SOGS public key is shared across all rooms on your server; Your SOGS public key is NOT unique per room.
+;
+sogs_pubkey_hex = 
+
+; Your SOGS OMQ address. This address can be found in sogs.ini under the [net] section with the title omq_listen.
+; Make sure in sogs.ini, omq_listen is uncommented, and ensure the port listed matches.
+;
+sogs_address = tcp://127.0.0.1:22028

conftest.py

@@ -251,17 +251,31 @@ def banned_user(db):
 
 
 @pytest.fixture
-def blind_user(db):
+def blind15_user(db):
     import user
 
-    return user.User(blinded=True)
+    return user.User(blinded15=True)
 
 
 @pytest.fixture
-def blind_user2(db):
+def blind15_user2(db):
     import user
 
-    return user.User(blinded=True)
+    return user.User(blinded15=True)
+
+
+@pytest.fixture
+def blind25_user(db):
+    import user
+
+    return user.User(blinded25=True)
+
+
+@pytest.fixture
+def blind25_user2(db):
+    import user
+
+    return user.User(blinded25=True)
 
 
 @pytest.fixture

contrib/auth-example.py

@@ -71,7 +71,6 @@ def get_signing_headers(
     body,
     blinded: bool = True,
 ):
-
     assert len(server_pk) == 32
     assert len(nonce) == 16
 

contrib/blind.py

@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+
+import sys
+import nacl.bindings as sodium
+import nacl.hash
+import nacl.signing
+from nacl.encoding import RawEncoder
+from pyonionreq import xed25519
+
+if len(sys.argv) < 3:
+    print(
+        f"Usage: {sys.argv[0]} SERVERPUBKEY {{SESSIONID|\"RANDOM\"}} [SESSIONID ...] -- blinds IDs",
+        file=sys.stderr,
+    )
+    sys.exit(1)
+
+server_pk = sys.argv[1]
+sids = sys.argv[2:]
+
+if len(server_pk) != 64 or not all(c in '0123456789ABCDEFabcdef' for c in server_pk):
+    print(f"Invalid argument: expected 64 hex digit server pk as first argument")
+    sys.exit(2)
+
+server_pk = bytes.fromhex(server_pk)
+
+print(nacl.hash.blake2b(server_pk, digest_size=64, encoder=RawEncoder))
+
+k15 = sodium.crypto_core_ed25519_scalar_reduce(
+    nacl.hash.blake2b(server_pk, digest_size=64, encoder=RawEncoder)
+)
+
+
+for i in range(len(sids)):
+    if sids[i] == "RANDOM":
+        sids[i] = (
+            "05"
+            + nacl.signing.SigningKey.generate()
+            .verify_key.to_curve25519_public_key()
+            .encode()
+            .hex()
+        )
+    if (
+        len(sids[i]) != 66
+        or not sids[i].startswith('05')
+        or not all(c in '0123456789ABCDEFabcdef' for c in sids[i])
+    ):
+        print(f"Invalid session id: expected 66 hex digit id as first argument")
+
+print(f"SOGS pubkey: {server_pk.hex()}")
+
+for s in sids:
+    s = bytes.fromhex(s)
+
+    if s[0] == 0x05:
+        k25 = sodium.crypto_core_ed25519_scalar_reduce(
+            nacl.hash.blake2b(s[1:] + server_pk, digest_size=64, encoder=RawEncoder)
+        )
+
+        pk15 = sodium.crypto_scalarmult_ed25519_noclamp(k15, xed25519.pubkey(s[1:]))
+        pk25 = sodium.crypto_scalarmult_ed25519_noclamp(k25, xed25519.pubkey(s[1:]))
+
+        print(
+            f"{s.hex()} blinds to:\n    - 15{pk15.hex()} or …{pk15[31] ^ 0x80:02x}\n    - 25{pk25.hex()} or …{pk25[31] ^ 0x80:02x}"
+        )

contrib/blind25-testing.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+
+import sys
+import nacl.bindings as sodium
+import nacl.hash
+import nacl.signing
+from nacl.encoding import RawEncoder
+from pyonionreq import xed25519
+
+server_pk = bytes.fromhex("0000000000000000000000000000000000000000000000000000000000000001")
+
+to_sign = "hello!"
+
+for i in range(1000):
+    sk = nacl.signing.SigningKey.generate()
+    pk = sk.verify_key
+    xpk = pk.to_curve25519_public_key()
+    sid = "05" + xpk.encode().hex()
+
+    k25 = sodium.crypto_core_ed25519_scalar_reduce(
+        nacl.hash.blake2b(
+            bytes.fromhex(sid) + server_pk, digest_size=64, encoder=RawEncoder, key=b"SOGS_blind_v2"
+        )
+    )
+
+    # Comment notation:
+    # P = server pubkey
+    # a/A = ed25519 keypair
+    # b/B = x25519 keypair, converted from a/A
+    # S = session id = 0x05 || B
+    # T = |A|, that is, A with the sign bit cleared
+    # t = private scalar s.t. tG = T (which is ± the private scalar associated with A)
+    # k = blinding factor = H_64(S || P, key="SOGS_blind_v2")
+
+    # This is simulating what the blinding client (i.e. with full keys) can compute:
+
+    # k * A
+    pk25a = sodium.crypto_scalarmult_ed25519_noclamp(k25, pk.encode())
+    # -k * A
+    neg_k25 = sodium.crypto_core_ed25519_scalar_negate(k25)
+    pk25b = sodium.crypto_scalarmult_ed25519_noclamp(neg_k25, pk.encode())
+
+    #    print(f"k: {k25.hex()}")
+    #    print(f"-k: {neg_k25.hex()}")
+    #
+    #    print(f"a: {pk25a.hex()}")
+    #    print(f"b: {pk25b.hex()}")
+
+    assert pk25a != pk25b
+    assert pk25a[0:31] == pk25b[0:31]
+    assert pk25a[31] ^ 0x80 == pk25b[31]
+
+    # The one we want to use is what we would end up with *if* our Ed25519 had been positive (but of
+    # course there's a 50% chance it's negative).
+    ed_pk_is_positive = pk.encode()[31] & 0x80 == 0
+
+    pk25 = pk25a if ed_pk_is_positive else pk25b
+
+    ###########
+    # Make sure we can get to pk25 from the session id
+    # We know sid and server_pk, so we can compute k25
+    T_pk25 = sodium.crypto_scalarmult_ed25519_noclamp(k25, xed25519.pubkey(xpk.encode()))
+    assert T_pk25 == pk25
+
+    # To sign something that validates with pk25 we have a bit more work
+
+    # First get our blinded, private scalar; we'll call it j
+
+    # We want to pick j such that it is always associated with |A|, that is, our positive pubkey,
+    # even if our pubkey is negative, so that someone with our session id can get our signing pubkey
+    # deterministically.
+
+    t = (
+        sk.to_curve25519_private_key().encode()
+    )  # The value we get here is actually our private scalar, despite the name
+    if pk.encode()[31] & 0x80:
+        # If our actual pubkey is negative then negate j so that it is as if we are working from the
+        # positive version of our pubkey
+        t = sodium.crypto_core_ed25519_scalar_negate(t)
+
+    kt = sodium.crypto_core_ed25519_scalar_mul(k25, t)
+
+    kT = sodium.crypto_scalarmult_ed25519_base_noclamp(kt)
+    assert kT == pk25
+
+    # Now we more or less follow EdDSA, but with our blinded scalar instead of real scalar, and with
+    # a different hash function.  (See comments in libsession-util config/groups/keys.cpp for more
+    # details).
+    hseed = nacl.hash.blake2b(
+        sk.encode()[0:31], key=b"SOGS25Seed", encoder=nacl.encoding.RawEncoder
+    )
+    r = sodium.crypto_core_ed25519_scalar_reduce(
+        nacl.hash.blake2b(
+            hseed + pk25 + to_sign.encode(), 64, key=b"SOGS25Sig", encoder=nacl.encoding.RawEncoder
+        )
+    )
+    R = sodium.crypto_scalarmult_ed25519_base_noclamp(r)
+
+    # S = r + H(R || A || M) a  (with A=kT, a=kt)
+    hram = nacl.hash.sha512(R + kT + to_sign.encode(), encoder=nacl.encoding.RawEncoder)
+    S = sodium.crypto_core_ed25519_scalar_reduce(hram)
+    S = sodium.crypto_core_ed25519_scalar_mul(S, kt)
+    S = sodium.crypto_core_ed25519_scalar_add(S, r)
+
+    sig = R + S
+
+    ###########################################
+    # Test bog standard Ed25519 signature verification:
+
+    vk = nacl.signing.VerifyKey(pk25)
+    vk.verify(to_sign.encode(), sig)

contrib/pg-import.py

@@ -86,7 +86,6 @@
 
 
 with pgsql.transaction():
-
     curin = old.cursor()
     curout = pgsql.cursor()
 
@@ -131,7 +130,6 @@
     curout.execute("ALTER TABLE rooms DROP CONSTRAINT room_image_fk")
 
     def copy(table):
-
         cols = [r['name'] for r in curin.execute(f"PRAGMA table_info({table})")]
         if not cols:
             raise RuntimeError(f"Expected table {table} does not exist in sqlite db")

contrib/upgrade-tests/dump-db.py

@@ -63,13 +63,15 @@ def dump_rows(table, extra=None, where=None, order="id", skip=set()):
     for r in cur:
         table.add_row(
             [
-                'NULL'
-                if r[i] is None
-                else int(r[i])
-                if isinstance(r[i], bool)
-                else f"{r[i]:.3f}"
-                if isinstance(r[i], float)
-                else r[i]
+                (
+                    'NULL'
+                    if r[i] is None
+                    else (
+                        int(r[i])
+                        if isinstance(r[i], bool)
+                        else f"{r[i]:.3f}" if isinstance(r[i], float) else r[i]
+                    )
+                )
                 for i in indices
             ]
         )

contrib/uwsgi-sogs-standalone.ini

@@ -28,6 +28,7 @@ enable-threads = true
 http = :80
 mount = /=sogs.web:app
 mule = sogs.mule:run
+;mule = sogs.mule:run_captcha
 log-4xx = true
 log-5xx = true
 disable-logging = true

install-uwsgi.md

@@ -28,7 +28,7 @@ Python using:
 sudo curl -so /etc/apt/trusted.gpg.d/oxen.gpg https://deb.oxen.io/pub.gpg
 echo "deb https://deb.oxen.io $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/oxen.list
 sudo apt update
-sudo apt install python3-{oxenmq,oxenc,pyonionreq,coloredlogs,uwsgidecorators,flask,cryptography,nacl,pil,protobuf,openssl,qrcode,better-profanity,sqlalchemy,sqlalchemy-utils} uwsgi-plugin-python3
+sudo apt install python3-{oxenmq,oxenc,session-util,coloredlogs,uwsgidecorators,flask,cryptography,nacl,pil,protobuf,openssl,qrcode,better-profanity,sqlalchemy,sqlalchemy-utils} uwsgi-plugin-python3
 ```
 
 If you want to use a postgresql database backend then you will also need the python3-psycopg2
@@ -45,7 +45,7 @@ Copy the `sogs.ini.sample` to `sogs.ini`:
 cp sogs.ini.sample sogs.ini
 ```
 
-and edit it to change settings as desired.  At a minimum you must uncomment and set the `base_url`
+Use a text editor like nano to open the file and edit it to change settings as desired.  At a minimum you must uncomment and set the `base_url`
 setting to your SOGS URL; this can be a domain name or a public ip address.  Using a domain name is
 recommended over a bare IP as it can later be moved to a new host or new ISP, while while a bare IP
 cannot.
@@ -55,7 +55,7 @@ For example:
 base_url = http://sogs.example.com
 ```
 
-### uwsgi.ini
+### uwsgi-sogs.ini
 
 SOGS requires uwsgi to manage processes; sample configurations are available in the contrib/
 directory.  For a simple setup listening directly on a public IP/port you can use the standalone