gaschz/trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-06-06 18:08:33 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

use generated salts instead of fixed ones

Browse Source
This commit is contained in:
azivner 2017-09-12 21:43:24 -04:00
parent b4f9fc3a5e
commit 8bc1bdd5f7
5 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
setup.py
View File

@ -28,16 +28,16 @@ password1 = getpass.getpass()
password2 = getpass.getpass(prompt='Repeat the same password: ') password2 = getpass.getpass(prompt='Repeat the same password: ')
if password1 == password2: if password1 == password2:
hash = src.my_scrypt.getVerificationHash(password1)
src.sql.setOption('username', username)
src.sql.setOption('password', binascii.hexlify(hash))
# urandom is secure enough, see https://docs.python.org/2/library/os.html # urandom is secure enough, see https://docs.python.org/2/library/os.html
src.sql.setOption('flask_secret_key', base64.b64encode(os.urandom(24))) src.sql.setOption('flask_secret_key', base64.b64encode(os.urandom(24)))
src.sql.setOption('verification_salt', base64.b64encode(os.urandom(24))) src.sql.setOption('verification_salt', base64.b64encode(os.urandom(24)))
src.sql.setOption('encryption_salt', base64.b64encode(os.urandom(24))) src.sql.setOption('encryption_salt', base64.b64encode(os.urandom(24)))
hash = src.my_scrypt.getVerificationHash(password1)
src.sql.setOption('username', username)
src.sql.setOption('password', binascii.hexlify(hash))
src.sql.commit() src.sql.commit()
print('Application has been set up. You can now login.') print('Application has been set up. You can now login.')

7
src/my_scrypt.py
View File

@ -1,12 +1,15 @@
import scrypt # pip install scrypt import scrypt # pip install scrypt
import sql
def getVerificationHash(password): def getVerificationHash(password):
salt = "dc73b57736511340f132e4b5521d178afa6311c45e0c25e6a9339038507852a6" # getOption returns unicode bytes which scrypt doesn't like
salt = sql.getOption('verification_salt').encode('ascii', 'ignore')
return getScryptHash(password, salt) return getScryptHash(password, salt)
def getEncryptionHash(password): def getEncryptionHash(password):
salt = "2503bfc386bc028772f803887eaaf4d4a5c1019036873e4ba5de79a4efb7e8d8" # getOption returns unicode bytes which scrypt doesn't like
salt = sql.getOption('encryption_salt').encode('ascii', 'ignore')
return getScryptHash(password, salt) return getScryptHash(password, salt)

4
src/tree_api.py
View File

@ -1,7 +1,7 @@
from flask import Blueprint, jsonify from flask import Blueprint, jsonify
from flask_login import login_required from flask_login import login_required
from sql import getResults, getSingleResult from sql import getResults, getSingleResult, getOption
tree_api = Blueprint('tree_api', __name__) tree_api = Blueprint('tree_api', __name__)
@ -40,5 +40,7 @@ def getTree():
retObject = {} retObject = {}
retObject['notes'] = rootNotes retObject['notes'] = rootNotes
retObject['start_note_id'] = getSingleResult('select * from options where opt_name = "start_node"')['opt_value']; retObject['start_note_id'] = getSingleResult('select * from options where opt_name = "start_node"')['opt_value'];
retObject['verification_salt'] = getOption('verification_salt')
retObject['encryption_salt'] = getOption('encryption_salt')
return jsonify(retObject) return jsonify(retObject)

9
static/js/encryption.js
View File

@ -31,10 +31,7 @@ let globalEncryptionKey = null;
let globalLastEncryptionOperationDate = null; let globalLastEncryptionOperationDate = null;
function deriveEncryptionKey(password) { function deriveEncryptionKey(password) {
// why this is done is explained here: https://github.com/ricmoo/scrypt-js - "Encoding notes" const verificationPromise = computeScrypt(password, globalVerificationSalt, (key, resolve, reject) => {
const verificationSalt = "dc73b57736511340f132e4b5521d178afa6311c45e0c25e6a9339038507852a6";
const verificationPromise = computeScrypt(password, verificationSalt, (key, resolve, reject) => {
$.ajax({ $.ajax({
url: baseUrl + 'password/verify', url: baseUrl + 'password/verify',
type: 'POST', type: 'POST',
@ -55,9 +52,7 @@ function deriveEncryptionKey(password) {
}); });
}); });
const encryptionKeySalt = "2503bfc386bc028772f803887eaaf4d4a5c1019036873e4ba5de79a4efb7e8d8"; const encryptionKeyPromise = computeScrypt(password, globalEncryptionSalt, (key, resolve, reject) => resolve(key));
const encryptionKeyPromise = computeScrypt(password, encryptionKeySalt, (key, resolve, reject) => resolve(key));
return Promise.all([ verificationPromise, encryptionKeyPromise ]).then(results => results[1]); return Promise.all([ verificationPromise, encryptionKeyPromise ]).then(results => results[1]);
} }

5
static/js/tree.js
View File

@ -83,10 +83,15 @@ function setExpandedToServer(note_id, is_expanded) {
}); });
} }
let globalVerificationSalt;
let globalEncryptionSalt;
$(function(){ $(function(){
$.get(baseUrl + 'tree').then(resp => { $.get(baseUrl + 'tree').then(resp => {
const notes = resp.notes; const notes = resp.notes;
let startNoteId = resp.start_note_id; let startNoteId = resp.start_note_id;
globalVerificationSalt = resp.verification_salt;
globalEncryptionSalt = resp.encryption_salt;
if (document.location.hash) { if (document.location.hash) {
startNoteId = document.location.hash.substr(1); // strip initial # startNoteId = document.location.hash.substr(1); // strip initial #