From 5062d740411e898b3caa1a9124a14c125589c324 Mon Sep 17 00:00:00 2001 From: Taloth Saldono Date: Sat, 9 Mar 2019 22:33:34 +0100 Subject: [PATCH] Reverted in-memory signalr keypair in favor of a .config directory. --- .../EnvironmentInfo/AppFolderFactory.cs | 24 ++ .../Owin/MiddleWare/SignalRMiddleWare.cs | 2 +- .../NonPersistentManagedProtection.cs | 274 ------------------ src/NzbDrone.SignalR/NzbDrone.SignalR.csproj | 2 - src/NzbDrone.SignalR/SignalRProtectedData.cs | 45 --- 5 files changed, 25 insertions(+), 322 deletions(-) delete mode 100644 src/NzbDrone.SignalR/NonPersistentManagedProtection.cs delete mode 100644 src/NzbDrone.SignalR/SignalRProtectedData.cs diff --git a/src/NzbDrone.Common/EnvironmentInfo/AppFolderFactory.cs b/src/NzbDrone.Common/EnvironmentInfo/AppFolderFactory.cs index 2f0b35185..7d4bdca9e 100644 --- a/src/NzbDrone.Common/EnvironmentInfo/AppFolderFactory.cs +++ b/src/NzbDrone.Common/EnvironmentInfo/AppFolderFactory.cs @@ -58,6 +58,8 @@ public void Register() { throw new SonarrStartupException("AppFolder {0} is not writable", _appFolderInfo.AppDataFolder); } + + InitializeMonoApplicationData(); } private void SetPermissions() @@ -125,6 +127,28 @@ private void MigrateAppDataFolder() } } + + private void InitializeMonoApplicationData() + { + if (OsInfo.IsWindows) return; + + var configHome = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); + if (configHome.EndsWith("/.config") &&! _diskProvider.FolderExists(configHome.GetParentPath()) || + !_diskProvider.FolderExists(configHome)) + { + // Tell mono to use appData/.config as ApplicationData folder. + Environment.SetEnvironmentVariable("XDG_CONFIG_HOME", Path.Combine(_appFolderInfo.AppDataFolder, ".config")); + } + + var dataHome = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); + if (dataHome.EndsWith("/.local/share") && !_diskProvider.FolderExists(configHome.GetParentPath().GetParentPath()) || + !_diskProvider.FolderExists(dataHome)) + { + // Tell mono to use appData/.config/share as LocalApplicationData folder. + Environment.SetEnvironmentVariable("XDG_DATA_HOME", Path.Combine(_appFolderInfo.AppDataFolder, ".config/share")); + } + } + private void CleanupSqLiteRollbackFiles() { _diskProvider.GetFiles(_appFolderInfo.AppDataFolder, SearchOption.TopDirectoryOnly) diff --git a/src/NzbDrone.Host/Owin/MiddleWare/SignalRMiddleWare.cs b/src/NzbDrone.Host/Owin/MiddleWare/SignalRMiddleWare.cs index 475b933a8..e3413e1b7 100644 --- a/src/NzbDrone.Host/Owin/MiddleWare/SignalRMiddleWare.cs +++ b/src/NzbDrone.Host/Owin/MiddleWare/SignalRMiddleWare.cs @@ -1,6 +1,7 @@ using System; using Microsoft.AspNet.SignalR; using NzbDrone.Common.Composition; +using NzbDrone.Common.EnvironmentInfo; using NzbDrone.SignalR; using Owin; @@ -14,7 +15,6 @@ public SignalRMiddleWare(IContainer container) { SignalRDependencyResolver.Register(container); SignalRJsonSerializer.Register(); - SignalRProtectedData.Register(); // Half the default time (110s) to get under nginx's default 60 proxy_read_timeout GlobalHost.Configuration.ConnectionTimeout = TimeSpan.FromSeconds(55); diff --git a/src/NzbDrone.SignalR/NonPersistentManagedProtection.cs b/src/NzbDrone.SignalR/NonPersistentManagedProtection.cs deleted file mode 100644 index bb31fc87b..000000000 --- a/src/NzbDrone.SignalR/NonPersistentManagedProtection.cs +++ /dev/null @@ -1,274 +0,0 @@ -using System; -using System.IO; -using System.Runtime.InteropServices; -using System.Security; -using System.Security.Cryptography; -using System.Security.Permissions; - - -namespace NzbDrone.SignalR -{ - // Copied from https://github.com/mono/mono/blob/c5b88ec4f323f2bdb7c7d0a595ece28dae66579c/mcs/class/System.Security/Mono.Security.Cryptography/ManagedProtection.cs - // And modified to use an non-persistent encryption key - - // - // ManagedProtection.cs - - // Protect (encrypt) data without (user involved) key management - // - // Author: - // Sebastien Pouliot - // - // Copyright (C) 2005 Novell, Inc (http://www.novell.com) - // - // Permission is hereby granted, free of charge, to any person obtaining - // a copy of this software and associated documentation files (the - // "Software"), to deal in the Software without restriction, including - // without limitation the rights to use, copy, modify, merge, publish, - // distribute, sublicense, and/or sell copies of the Software, and to - // permit persons to whom the Software is furnished to do so, subject to - // the following conditions: - // - // The above copyright notice and this permission notice shall be - // included in all copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE - // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION - // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION - // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - // - internal static class NonPersistentManagedProtection - { - public static byte[] Protect(byte[] userData, byte[] optionalEntropy) - { - if (userData == null) - throw new ArgumentNullException("userData"); - - Rijndael aes = Rijndael.Create(); - aes.KeySize = 128; - - byte[] encdata = null; - using (MemoryStream ms = new MemoryStream()) - { - ICryptoTransform t = aes.CreateEncryptor(); - using (CryptoStream cs = new CryptoStream(ms, t, CryptoStreamMode.Write)) - { - cs.Write(userData, 0, userData.Length); - cs.Close(); - encdata = ms.ToArray(); - } - } - - byte[] key = null; - byte[] iv = null; - byte[] secret = null; - byte[] header = null; - SHA256 hash = SHA256.Create(); - - try - { - key = aes.Key; - iv = aes.IV; - secret = new byte[1 + 1 + 16 + 1 + 16 + 1 + 32]; - - byte[] digest = hash.ComputeHash(userData); - if ((optionalEntropy != null) && (optionalEntropy.Length > 0)) - { - // the same optionalEntropy will be required to get the data back - byte[] mask = hash.ComputeHash(optionalEntropy); - for (int i = 0; i < 16; i++) - { - key[i] ^= mask[i]; - iv[i] ^= mask[i + 16]; - } - secret[0] = 2; // entropy - } - else - { - secret[0] = 1; // without entropy - } - - secret[1] = 16; // key size - Buffer.BlockCopy(key, 0, secret, 2, 16); - secret[18] = 16; // iv size - Buffer.BlockCopy(iv, 0, secret, 19, 16); - secret[35] = 32; // digest size - Buffer.BlockCopy(digest, 0, secret, 36, 32); - - RSAOAEPKeyExchangeFormatter formatter = new RSAOAEPKeyExchangeFormatter(GetKey()); - header = formatter.CreateKeyExchange(secret); - } - finally - { - if (key != null) - { - Array.Clear(key, 0, key.Length); - key = null; - } - if (secret != null) - { - Array.Clear(secret, 0, secret.Length); - secret = null; - } - if (iv != null) - { - Array.Clear(iv, 0, iv.Length); - iv = null; - } - aes.Clear(); - hash.Clear(); - } - - byte[] result = new byte[header.Length + encdata.Length]; - Buffer.BlockCopy(header, 0, result, 0, header.Length); - Buffer.BlockCopy(encdata, 0, result, header.Length, encdata.Length); - return result; - } - - public static byte[] Unprotect(byte[] encryptedData, byte[] optionalEntropy) - { - if (encryptedData == null) - throw new ArgumentNullException("encryptedData"); - - byte[] decdata = null; - - Rijndael aes = Rijndael.Create(); - RSA rsa = GetKey(); - int headerSize = (rsa.KeySize >> 3); - bool valid1 = (encryptedData.Length >= headerSize); - if (!valid1) - headerSize = encryptedData.Length; - - byte[] header = new byte[headerSize]; - Buffer.BlockCopy(encryptedData, 0, header, 0, headerSize); - - byte[] secret = null; - byte[] key = null; - byte[] iv = null; - bool valid2 = false; - bool valid3 = false; - bool valid4 = false; - SHA256 hash = SHA256.Create(); - - try - { - try - { - RSAOAEPKeyExchangeDeformatter deformatter = new RSAOAEPKeyExchangeDeformatter(rsa); - secret = deformatter.DecryptKeyExchange(header); - valid2 = (secret.Length == 68); - } - catch - { - valid2 = false; - } - - if (!valid2) - secret = new byte[68]; - - // known values for structure (version 1 or 2) - valid3 = ((secret[1] == 16) && (secret[18] == 16) && (secret[35] == 32)); - - key = new byte[16]; - Buffer.BlockCopy(secret, 2, key, 0, 16); - iv = new byte[16]; - Buffer.BlockCopy(secret, 19, iv, 0, 16); - - if ((optionalEntropy != null) && (optionalEntropy.Length > 0)) - { - // the decrypted data won't be valid if the entropy isn't - // the same as the one used to protect (encrypt) it - byte[] mask = hash.ComputeHash(optionalEntropy); - for (int i = 0; i < 16; i++) - { - key[i] ^= mask[i]; - iv[i] ^= mask[i + 16]; - } - valid3 &= (secret[0] == 2); // with entropy - } - else - { - valid3 &= (secret[0] == 1); // without entropy - } - - using (MemoryStream ms = new MemoryStream()) - { - ICryptoTransform t = aes.CreateDecryptor(key, iv); - using (CryptoStream cs = new CryptoStream(ms, t, CryptoStreamMode.Write)) - { - try - { - cs.Write(encryptedData, headerSize, encryptedData.Length - headerSize); - cs.Close(); - } - catch - { - // whatever, we keep going - } - } - decdata = ms.ToArray(); - } - - byte[] digest = hash.ComputeHash(decdata); - valid4 = true; - for (int i = 0; i < 32; i++) - { - if (digest[i] != secret[36 + i]) - valid4 = false; - } - } - finally - { - if (key != null) - { - Array.Clear(key, 0, key.Length); - key = null; - } - if (secret != null) - { - Array.Clear(secret, 0, secret.Length); - secret = null; - } - if (iv != null) - { - Array.Clear(iv, 0, iv.Length); - iv = null; - } - aes.Clear(); - hash.Clear(); - } - - // single point of error (also limits timing informations) - if (!valid1 || !valid2 || !valid3 || !valid4) - { - if (decdata != null) - { - Array.Clear(decdata, 0, decdata.Length); - decdata = null; - } - throw new CryptographicException("Invalid data."); - } - return decdata; - } - - // private stuff - - private static RSA appstartup; - private readonly static object appstartup_lock = new object(); - - private static RSA GetKey() - { - if (appstartup == null) - { - lock (appstartup_lock) - { - appstartup = new RSACryptoServiceProvider(1536); - } - } - - return appstartup; - } - } -} diff --git a/src/NzbDrone.SignalR/NzbDrone.SignalR.csproj b/src/NzbDrone.SignalR/NzbDrone.SignalR.csproj index f883ff189..287b6bf74 100644 --- a/src/NzbDrone.SignalR/NzbDrone.SignalR.csproj +++ b/src/NzbDrone.SignalR/NzbDrone.SignalR.csproj @@ -81,7 +81,6 @@ Properties\SharedAssemblyInfo.cs - @@ -89,7 +88,6 @@ - diff --git a/src/NzbDrone.SignalR/SignalRProtectedData.cs b/src/NzbDrone.SignalR/SignalRProtectedData.cs deleted file mode 100644 index f196e8bd4..000000000 --- a/src/NzbDrone.SignalR/SignalRProtectedData.cs +++ /dev/null @@ -1,45 +0,0 @@ -using Microsoft.AspNet.SignalR; -using Microsoft.AspNet.SignalR.Infrastructure; -using NzbDrone.Common.EnvironmentInfo; -using System; -using System.Text; - -namespace NzbDrone.SignalR -{ - // This class uses a per-startup key instead of the persistent keystore. - public class SignalRProtectedData : IProtectedData - { - private static readonly UTF8Encoding _encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); - - public static void Register() - { - // On mono we're not guaranteed to have a DSAPI keystore, and we don't really need it, so use an alternate ProtectedData method. - if (OsInfo.IsNotWindows) - { - GlobalHost.DependencyResolver.Register(typeof(IProtectedData), () => new SignalRProtectedData()); - } - } - - public string Protect(string data, string purpose) - { - byte[] purposeBytes = _encoding.GetBytes(purpose); - - byte[] unprotectedBytes = _encoding.GetBytes(data); - - byte[] protectedBytes = NonPersistentManagedProtection.Protect(unprotectedBytes, purposeBytes); - - return Convert.ToBase64String(protectedBytes); - } - - public string Unprotect(string protectedValue, string purpose) - { - byte[] purposeBytes = _encoding.GetBytes(purpose); - - byte[] protectedBytes = Convert.FromBase64String(protectedValue); - - byte[] unprotectedBytes = NonPersistentManagedProtection.Unprotect(protectedBytes, purposeBytes); - - return _encoding.GetString(unprotectedBytes); - } - } -}