Merge different places of keyboard input to keyboardCreatePassword() and keyboardGetPassword().

Fix Windows problem with english words array.
Add checksum for english words array verification.
This commit is contained in:
cheatfate 2020-09-29 19:49:09 +03:00 committed by zah
parent d2f8cf9386
commit 9441e912cb
2 changed files with 170 additions and 157 deletions

View File

@ -1,5 +1,5 @@
import
std/[os, strutils, terminal, wordwrap],
std/[os, strutils, terminal, wordwrap, unicode],
chronicles, chronos, web3, stint, json_serialization,
serialization, blscurve, eth/common/eth_types, eth/keys, confutils, bearssl,
spec/[datatypes, digest, crypto, keystore],
@ -116,6 +116,64 @@ proc checkFilePermissions*(filePath: string): bool =
else:
true
proc keyboardCreatePassword(prompt: string, confirm: string): KsResult[string] =
while true:
let password =
try:
readPasswordFromStdin(prompt)
except IOError:
error "Could not read password from stdin"
return err("Could not read password from stdin")
# We treat `password` as UTF-8 encoded string.
if validateUtf8(password) == -1:
if runeLen(password) < minPasswordLen:
echo80 "The entered password should be at least " & $minPasswordLen &
" characters."
continue
elif password in mostCommonPasswords:
echo80 "The entered password is too commonly used and it would be " &
"easy to brute-force with automated tools."
continue
else:
echo80 "Entered password is not valid UTF-8 string"
continue
let confirmedPassword =
try:
readPasswordFromStdin(confirm)
except IOError:
error "Could not read password from stdin"
return err("Could not read password from stdin")
if password != confirmedPassword:
echo "Passwords don't match, please try again"
continue
return ok(password)
proc keyboardGetPassword[T](prompt: string, attempts: int,
pred: proc(p: string): KsResult[T] {.closure.}): KsResult[T] =
var
remainingAttempts = attempts
counter = 1
while remainingAttempts > 0:
let passphrase =
try:
readPasswordFromStdin(prompt)
except IOError as exc:
error "Could not read password from stdin"
return
os.sleep(1000 * counter)
let res = pred(passphrase)
if res.isOk():
return res
else:
inc(counter)
dec(remainingAttempts)
err("Failed to decrypt keystore")
proc loadKeystore(validatorsDir, secretsDir, keyName: string,
nonInteractive: bool): Option[ValidatorPrivKey] =
let
@ -155,21 +213,19 @@ proc loadKeystore(validatorsDir, secretsDir, keyName: string,
keyName, validatorsDir, secretsDir = secretsDir
return
var remainingAttempts = 3
var prompt = "Please enter passphrase for key \"" & validatorsDir/keyName & "\"\n"
while remainingAttempts > 0:
let passphrase = KeystorePass:
try: readPasswordFromStdin(prompt)
except IOError:
error "STDIN not readable. Cannot obtain Keystore password"
return
let decrypted = decryptKeystore(keystore, passphrase)
if decrypted.isOk:
return decrypted.get.some
let prompt = "Please enter passphrase for key \"" &
(validatorsDir / keyName) & "\": "
let res = keyboardGetPassword[ValidatorPrivKey](prompt, 3,
proc (password: string): KsResult[ValidatorPrivKey] =
let decrypted = decryptKeystore(keystore, KeystorePass password)
if decrypted.isErr():
error "Keystore decryption failed. Please try again", keystorePath
decrypted
)
if res.isOk():
some(res.get())
else:
prompt = "Keystore decryption failed. Please try again"
dec remainingAttempts
return
iterator validatorKeysFromDirs*(validatorsDir, secretsDir: string): ValidatorPrivKey =
try:
@ -244,67 +300,34 @@ proc loadNetKeystore*(keyStorePath: string,
error "Network keystore decryption failed", key_store = keyStorePath
return
else:
var remainingAttempts = 3
var counter = 0
var prompt = "Please enter passphrase to unlock networking key: "
while remainingAttempts > 0:
let passphrase = KeystorePass:
try:
readPasswordFromStdin(prompt)
except IOError:
error "Could not read password from stdin"
return
let decrypted = decryptNetKeystore(keystore, passphrase)
if decrypted.isOk:
return some(decrypted.get())
let prompt = "Please enter passphrase to unlock networking key: "
let res = keyboardGetPassword[lcrypto.PrivateKey](prompt, 3,
proc (password: string): KsResult[lcrypto.PrivateKey] =
let decrypted = decryptNetKeystore(keystore, KeystorePass password)
if decrypted.isErr():
error "Keystore decryption failed. Please try again", keystorePath
decrypted
)
if res.isOk():
some(res.get())
else:
dec remainingAttempts
inc counter
os.sleep(1000 * counter)
error "Network keystore decryption failed", key_store = keyStorePath
return
proc saveNetKeystore*(rng: var BrHmacDrbgContext, keyStorePath: string,
netKey: lcrypto.PrivateKey, insecurePwd: Option[string]
): Result[void, KeystoreGenerationError] =
var password, confirmedPassword: TaintedString
let password =
if insecurePwd.isSome():
warn "Using insecure password to lock networking key",
key_path = keyStorePath
password = insecurePwd.get()
insecurePwd.get()
else:
while true:
let prompt = "Please enter NEW password to lock network key storage: "
password =
try:
readPasswordFromStdin(prompt)
except IOError:
error "Could not read password from stdin"
let confirm = "Please confirm, network key storage password: "
let res = keyboardCreatePassword(prompt, confirm)
if res.isErr():
return err(FailedToCreateKeystoreFile)
if len(password) < minPasswordLen:
echo "The entered password should be at least ", minPasswordLen,
" characters"
continue
elif password in mostCommonPasswords:
echo80 "The entered password is too commonly used and it would be " &
"easy to brute-force with automated tools."
continue
confirmedPassword =
try:
readPasswordFromStdin("Please confirm, network key storage " &
"password: ")
except IOError:
error "Could not read password from stdin"
return err(FailedToCreateKeystoreFile)
if password != confirmedPassword:
echo "Passwords don't match, please try again"
continue
break
res.get()
let keyStore = createNetKeystore(kdfScrypt, rng, netKey,
KeystorePass password)
@ -526,41 +549,14 @@ proc pickPasswordAndSaveWallet(rng: var BrHmacDrbgContext,
"installation and can be changed at any time."
echo ""
while true:
var password, confirmedPassword: TaintedString
try:
var firstTry = true
template prompt: string =
if firstTry:
"Please enter a password: "
else:
"Please enter a new password: "
while true:
if not readPasswordInput(prompt, password):
return err "failure to read a password from stdin"
if password.len < minPasswordLen:
try:
echo "The entered password should be at least $1 characters." %
[$minPasswordLen]
except ValueError:
raiseAssert "The format string above is correct"
elif password in mostCommonPasswords:
echo80 "The entered password is too commonly used and it would be easy " &
"to brute-force with automated tools."
else:
break
firstTry = false
if not readPasswordInput("Please repeat the password:", confirmedPassword):
return err "failure to read a password from stdin"
if password != confirmedPassword:
echo "Passwords don't match, please try again"
continue
let password =
block:
let prompt = "Please enter a password: "
let confirm = "Please repeat the password: "
let res = keyboardCreatePassword(prompt, confirm)
if res.isErr():
return err($res.error)
res.get()
var name: WalletName
let outWalletName = config.outWalletName
@ -575,14 +571,16 @@ proc pickPasswordAndSaveWallet(rng: var BrHmacDrbgContext,
while true:
var enteredName = ask "Wallet name"
if enteredName.len > 0:
name = try: WalletName.parseCmdArg(enteredName)
name =
try:
WalletName.parseCmdArg(enteredName)
except CatchableError as err:
echo err.msg & ". Please try again."
continue
break
let nextAccount = if config.cmd == wallets and
config.walletsCmd == WalletsCmd.restore:
let nextAccount =
if config.cmd == wallets and config.walletsCmd == WalletsCmd.restore:
config.restoredDepositsCount
else:
none Natural
@ -593,20 +591,22 @@ proc pickPasswordAndSaveWallet(rng: var BrHmacDrbgContext,
password = KeystorePass password)
let outWalletFileFlag = config.outWalletFile
let outWalletFile = if outWalletFileFlag.isSome:
let outWalletFile =
if outWalletFileFlag.isSome:
string outWalletFileFlag.get
else:
config.walletsDir / addFileExt(string wallet.uuid, "json")
let status = saveWallet(wallet, outWalletFile)
if status.isErr:
return err("failure to create wallet file due to " & status.error)
notice "Wallet file written", path = outWalletFile
return ok WalletPathPair(wallet: wallet, path: outWalletFile)
finally:
burnMem(password)
burnMem(confirmedPassword)
return err("failure to create wallet file due to " & status.error)
info "Wallet file written", path = outWalletFile
burnMem(password)
burnMem(confirmedPassword)
return ok WalletPathPair(wallet: wallet, path: outWalletFile)
proc createWalletInteractively*(
rng: var BrHmacDrbgContext,
@ -685,24 +685,26 @@ proc loadWallet*(fileName: string): Result[Wallet, string] =
err exc.msg
proc unlockWalletInteractively*(wallet: Wallet): Result[Mnemonic, string] =
let prompt = "Please enter the password for unlocking the wallet: "
echo "Please enter the password for unlocking the wallet"
for i in 1..3:
var password: TaintedString
try:
if not readPasswordInput("Password: ", password):
return err "failure to read password from stdin"
let res = keyboardGetPassword[Mnemonic](prompt, 3,
proc (password: string): KsResult[Mnemonic] =
var secret = decryptCryptoField(wallet.crypto, KeystorePass password)
if secret.len > 0:
defer: burnMem(secret)
return ok Mnemonic(string.fromBytes(secret))
if len(secret) > 0:
let mnemonic = Mnemonic(string.fromBytes(secret))
burnMem(secret)
ok(mnemonic)
else:
echo "Unlocking of the wallet failed. Please try again."
finally:
burnMem(password)
let failed = "Unlocking of the wallet failed. Please try again"
echo failed
err(failed)
)
return err "failure to unlock wallet"
if res.isOk():
ok(res.get())
else:
err "Unlocking of the wallet failed."
proc findWallet*(config: BeaconNodeConf,
name: WalletName): Result[WalletPathPair, string] =

View File

@ -202,7 +202,7 @@ macro wordListArray*(filename: static string,
minWordLen: static int = 0,
maxWordLen: static int = high(int)): untyped =
result = newTree(nnkBracket)
var words = slurp(filename).split()
var words = slurp(filename).splitLines()
for word in words:
if word.len >= minWordLen and word.len <= maxWordLen:
result.add newCall("cstring", newLit(word))
@ -213,9 +213,21 @@ const
englishWords = wordListArray("english_word_list.txt",
maxWords = wordListLen,
maxWordLen = maxWordLen)
englishWordsDigest =
"AD90BF3BEB7B0EB7E5ACD74727DC0DA96E0A280A258354E7293FB7E211AC03DB".toDigest
proc checkEnglishWords(): bool =
if len(englishWords) != wordListLen:
false
else:
var ctx: sha256
ctx.init()
for item in englishWords:
ctx.update($item)
ctx.finish() == englishWordsDigest
static:
doAssert englishWords.len == wordListLen
doAssert(checkEnglishWords(), "English words array is corrupted!")
func append*(path: KeyPath, pathNode: Natural): KeyPath =
KeyPath(path.string & "/" & $pathNode)
@ -225,7 +237,8 @@ func validateKeyPath*(path: TaintedString): Result[KeyPath, cstring] =
var number: BiggestUint
try:
for elem in path.string.split("/"):
# TODO: doesn't "m" have to be the first character and is it the only place where it is valid?
# TODO: doesn't "m" have to be the first character and is it the only
# place where it is valid?
if elem == "m":
continue
# parseBiggestUInt can raise if overflow
@ -274,8 +287,6 @@ proc generateMnemonic*(
entropyParam: openarray[byte] = @[]): Mnemonic =
## Generates a valid BIP-0039 mnenomic:
## https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#generating-the-mnemonic
doAssert words.len == wordListLen
var entropy: seq[byte]
if entropyParam.len == 0:
setLen(entropy, 32)