Major update on cryptosystem, all passwords now obsolete..

2025-12-08 20:48:48 +00:00 · 2017-05-16 15:15:47 +02:00
parent b6b19cc8b7
commit 0db90fe416
7 changed files with 77 additions and 37 deletions
--- a/server/public/assets/js/admin.js
+++ b/server/public/assets/js/admin.js
@@ -98,11 +98,11 @@ var Admin = {
    pw: function(msg)
    {
        w_p       = false;
-        adminpass = msg;
+        adminpass = Crypt.tmp_pass;
        names     = ["vote","addsongs","longsongs","frontpage", "allvideos",
        "removeplay", "skip", "shuffle", "userpass"];

-        Crypt.set_pass(chan.toLowerCase(), Crypt.decrypt_pass(msg));
+        Crypt.set_pass(chan.toLowerCase(), Crypt.tmp_pass);

        for (var i = 0; i < names.length; i++) {
            $("input[name="+names[i]+"]").attr("disabled", false);
--- a/server/public/assets/js/crypt.js
+++ b/server/public/assets/js/crypt.js
@@ -2,6 +2,7 @@ var Crypt = {

 	conf_pass: undefined,
 	user_pass: undefined,
+	tmp_pass: "",

 	init: function(){

@@ -36,9 +37,11 @@ var Crypt = {
 		if(Crypt.getCookie(name) === undefined) {
 			cookie = Crypt.create_cookie(name);
 		}
-
+		var key = btoa("0103060703080703080701") + btoa("0103060703080703080701");
+		key = key.substring(0,32);
+		key = btoa(key);
 		var decrypted = CryptoJS.AES.decrypt(
-			cookie,"0103060703080703080701",
+			cookie,key,
 			{
 				mode: CryptoJS.mode.CBC,
 				padding: CryptoJS.pad.Pkcs7
@@ -49,8 +52,11 @@ var Crypt = {
 	},

 	decrypt_pass: function(pass){
+		var key = btoa(socket.id) + btoa(socket.id);
+		key = key.substring(0,32);
+		key = btoa(key);
 		var decrypted = CryptoJS.AES.decrypt(
-			pass,socket.id,
+			pass,key,
 			{
 				mode: CryptoJS.mode.CBC,
 				padding: CryptoJS.pad.Pkcs7
@@ -62,10 +68,12 @@ var Crypt = {

 	encrypt: function(json_formated, cookie){
 		var to_encrypt = JSON.stringify(json_formated);
-
+		var key = btoa("0103060703080703080701") + btoa("0103060703080703080701");
+		key = key.substring(0,32);
+		key = btoa(key);
 		var encrypted = CryptoJS.AES.encrypt(
 			to_encrypt,
-			"0103060703080703080701",
+			key,
 			{
 				mode: CryptoJS.mode.CBC,
 				padding: CryptoJS.pad.Pkcs7
@@ -81,18 +89,6 @@ var Crypt = {
 		}
 	},

-	encrypt_string: function(string){
-		var encrypted = CryptoJS.AES.encrypt(
-			string,
-			socket.id,
-			{
-				mode: CryptoJS.mode.CBC,
-				padding: CryptoJS.pad.Pkcs7
-			}
-		);
-		return encrypted.toString();
-	},
-
 	get_volume: function(){
 		return Crypt.decrypt(Crypt.getCookie("_opt"), "_opt").volume;
 		//return conf_arr.volume;
@@ -118,10 +114,12 @@ var Crypt = {
 		else cookie_object = {passwords: {}};

 		var string_it = JSON.stringify(cookie_object);
-
+		var key = btoa("0103060703080703080701") + btoa("0103060703080703080701");
+		key = key.substring(0,32);
+		key = btoa(key);
 		var encrypted = CryptoJS.AES.encrypt(
 			string_it,
-			"0103060703080703080701",
+			key,
 			{
 				mode: CryptoJS.mode.CBC,
 				padding: CryptoJS.pad.Pkcs7
@@ -196,15 +194,32 @@ var Crypt = {
 	},

 	crypt_pass: function(pass){
+		Crypt.tmp_pass = pass;
+		var key = btoa(socket.id) + btoa(socket.id);
+		key = key.substring(0,32);
+		key = btoa(key);
+		var iv = btoa(Crypt.makeiv());
 		var encrypted = CryptoJS.AES.encrypt(
 			pass,
-			socket.id,
+			CryptoJS.enc.Base64.parse(key),
 			{
 				mode: CryptoJS.mode.CBC,
-				padding: CryptoJS.pad.Pkcs7
+				padding: CryptoJS.pad.Pkcs7,
+				iv: CryptoJS.enc.Base64.parse(iv),
 			}
 		);
-		return encrypted.toString();
+		window.encrypted = encrypted;
+		return encrypted.toString() + "$" + iv;
+	},
+
+	makeiv: function(){
+    var text = "";
+    var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+    for( var i=0; i < 16; i++ )
+        text += possible.charAt(Math.floor(Math.random() * possible.length));
+
+    return text;
 	},

 	get_width: function(){
--- a/server/public/assets/js/list.js
+++ b/server/public/assets/js/list.js
@@ -366,7 +366,7 @@ var List = {
 			}, 305);
 			if(removed) {
 				$("#"+deleted).remove();
-                full_playlist.splice(List.getIndexOfSong(deleted), 1);
+        full_playlist.splice(List.getIndexOfSong(deleted), 1);
 		 	}

 		} catch(err) {
--- a/server/public/assets/js/player.js
+++ b/server/public/assets/js/player.js
@@ -15,7 +15,6 @@ var Player = {
 		}catch(e){
 			state = null;
 		}
-		console.log(video_id);
 		if((((!offline && (state != null || from_frontpage)) || (offline && (!(state != null) || from_frontpage))|| (!offline && (!(state != null) || from_frontpage)) || (offline && state == -1)) && !(offline && prev_chan_player == chan)) || (offline && video_id == undefined)){
 			prev_chan_player = chan;
 			from_frontpage = false;