milis/bin/ncrypt

#!/usr/bin/ruby

require 'openssl'
require 'base64'
require 'securerandom'

require 'net/http'
require 'net/https'

def pbkdf2(password, salt, keylen, opts = {})
	hash = opts[:hash] || 'sha1'
	iterations = (opts[:iterations] || 1) - 1
	def bigendian(val, len)
		len.times.map { val, r = val.divmod 256; r }.reverse.pack('C*')
	end
	key = ''
	blockindex = 1
	while key.length < keylen
		block = OpenSSL::HMAC.digest(hash, password, salt + bigendian(blockindex, 4))
		u = block
		iterations.times do
			u = OpenSSL::HMAC.digest(hash, password, u)
			block.length.times.each do |j|
				block[j] ^= u[j]
			end
		end
		key += block
		blockindex += 1
	end
	key.slice(0, keylen)
end

def aes_decrypt(text, key, opts = {})
	text = text.dup
	iv = text.slice!(0, 16) # aes has fixed blocksize of 128 bits
	key = pbkdf2(key, iv, (opts[:aeskeysize] || 256) / 8, opts)

	cipher = OpenSSL::Cipher::AES.new(8 * key.length, opts[:mode] || :OFB).decrypt
	cipher.key = key
	cipher.iv = iv
	cipher.update(text) + cipher.final
end

def aes_encrypt(text, opts = {})
	key = opts[:key] || generateKey(opts[:keylen] || 24)
	cipher = OpenSSL::Cipher::AES.new(opts[:aeskeysize] || 256, opts[:mode] || :OFB).encrypt
	cipher.iv = iv = opts[:iv] || cipher.random_iv
	cipher.key = pbkdf2(key, iv, (opts[:aeskeysize] || 256) / 8, opts)
	text = cipher.update(text) + cipher.final
	[ iv + text, key ]
end

def generateKey(len = 24)
	chars = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
	len.times.map { chars[SecureRandom.random_number(chars.length)].ord }.pack('c*')
end

def decrypt(text, key, opts = {})
	text = Base64.decode64(text)
	aes_decrypt(text, key, opts)
end

def encrypt(text, opts = {})
	text, key = aes_encrypt(text, opts)
	[ Base64.encode64(text).gsub(/\s+/, ""), key ]
end

def fixipv6host(host)
	if m = /^\[([0-9a-fA-F:]+)\]$/.match(host)
		return m[1]
	end
	host
end

def http_get(uri)
	request = Net::HTTP::Get.new uri.request_uri
	request['Host'] = uri.host
	http = Net::HTTP.new(fixipv6host(uri.host), uri.port)
	http.use_ssl = uri.scheme == 'https'
# 	http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# 	http.verify_depth = 5
	http.verify_mode = OpenSSL::SSL::VERIFY_NONE
	http.start { |http| http.request request }
end

def http_post(uri, args)
	request = Net::HTTP::Post.new(uri.request_uri)
	request['Host'] = uri.host
	request.set_form_data(args)
	http = Net::HTTP.new(fixipv6host(uri.host), uri.port)
	http.use_ssl = uri.scheme == 'https'
# 	http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# 	http.verify_depth = 5
	http.verify_mode = OpenSSL::SSL::VERIFY_NONE
	http.start { |http| http.request request }
end

def hashpw(password)
	return nil if password.nil?
	return OpenSSL::Digest::SHA1.hexdigest(password)
end

require 'optparse'
opts = {}
OptionParser.new do |o|
	o.on('-u', '--url URL', "Retrieve paste from url (conflicts with the posting options)") { |url| opts[:url] = URI(url) }
	o.on('-f', '--file FILENAME', "Upload file") { |fn| opts[:fn] = fn }
	o.on('-m', '--mime MIMETYPE', "Specify mime type for paste") { |mime| opts[:mime] = mime }
	o.on('-t', '--ttl TTL', "Specify Time-To-Live for paste in seconds, default one week (-1 for indefinately, -100 for one time only)") { |ttl| opts[:ttl] = ttl }
	o.on('-p', '--password[PASSWORD]', "Use password protection on server side (no additional encryption)") { |password|
		opts[:pass] = true
		opts[:password] = password unless password.nil?
	}
	o.on('-s', '--site SITE', "Post upload to another ncrypt pastebin (default: https://ncry.pt)") { |s| opts[:site] = s }
	o.separator ""
	o.separator "    If neither url nor filename was given, a final parameter can be used to specify it. Urls are autodetected."
	o.separator ""
	o.on('-h', '--help', "Show this help") { STDERR.puts o; exit }
	o.parse!
	if ARGV.length == 1
		if opts[:url] || opts[:fn]
			STDERR.puts o
			exit 1
		end
		begin
			url = URI(ARGV[0])
			if ("http" == url.scheme || "https" == url.scheme) && url.host
				opts[:url] = url
			else
				opts[:fn] = ARGV[0]
			end
		rescue
			opts[:fn] = ARGV[0]
		end
	end
	if ARGV.length > 1 or (opts[:url] and (opts[:fn] || opts[:ttl] || opts[:mime] || opts[:site] || opts[:pass])) or (!opts[:url] and !opts[:fn])
		STDERR.puts o
		exit 1
	end
end

if opts[:pass] and opts[:password].nil?
	if opts[:fn] == '-'
		STDERR.puts "Can't read post data from stdin and prompt for password"
		exit 1
	end
	STDERR.write "Enter password: "
	STDERR.flush
	opts[:password] = STDIN.readline.chomp
end

if opts[:url]
	uri = opts[:url]
	if !uri.fragment
		STDERR.puts "Specified url has no fragment, cannot decode paste"
		exit 1
	end

	password = nil
	while
		if password.nil?
			resp = http_get(uri)
		else
			resp = http_post(uri, :p => hashpw(password))
		end

		if 200 != resp.code.to_i
			STDERR.puts "Got HTTP/#{resp.http_version} #{resp.code} #{resp.message}"
			STDERR.puts "Location: #{resp['Location']}" if resp['Location']
			exit 1
		end
		html = resp.body

		if m = (/<input type="hidden" name="data" id="data" value="([^"]+)"/m.match(html) || (!password.nil? && /"data":"([^"]+)"/m.match(html)))
			cipher = m[1]
			STDOUT.write decrypt(cipher, uri.fragment)
			exit 0
		elsif html =~ /<div id="askpassword">/ and password.nil?
			STDERR.write "Paste is password protected. Enter password: "
			STDERR.flush
			password = STDIN.readline.chomp
		else
			STDERR.puts "Can't parse response."
			exit 1
		end
	end

else
	uri = URI(opts[:site] || 'https://ncry.pt')
	if opts[:fn] != '-'
		if opts[:mime].nil?
			begin
				opts[:mime] = IO.popen("file --brief --mime-type '#{opts[:fn]}'", "r").read.chomp
			rescue
				# use default mime type text/plain
			end
		end
		text = File.open(opts[:fn], "rb").read
	else
		text = STDIN.read
	end

	cipher, key = encrypt(text)
	resp = http_post(uri, :data => cipher, :syn => opts[:mime] || 'text/plain', :ttl => opts[:ttl] || (7*86400), :p => hashpw(opts[:password]))
	if 200 != resp.code.to_i
		STDERR.puts "Key is #{key}"
		STDERR.puts "Got HTTP/#{resp.http_version} #{resp.code} #{resp.message}"
		resp.each_header { |k,v| STDERR.puts "#{k}: #{v}" }
		STDERR.puts resp.body
		exit 1
	end
	html = resp.body
	if html =~ /^\{"id":".*"\}\s*$/m then
		id = html.gsub(/^\{"id":"/m, "").gsub(/"\}\s*$/m, "")
		uri.path += '/' unless ?/ == uri.path[-1]
		uri.path += id
		uri.fragment = key
		puts uri
	else
		STDERR.puts "Key is #{key}"
		STDERR.puts "Can't parse response #{resp.body}"
		exit 1
	end
end
ncrypt 2017-02-07 17:39:08 +02:00			`#!/usr/bin/ruby`

			`require 'openssl'`
			`require 'base64'`
			`require 'securerandom'`

			`require 'net/http'`
			`require 'net/https'`

			`def pbkdf2(password, salt, keylen, opts = {})`
			`hash = opts[:hash] \|\| 'sha1'`
			`iterations = (opts[:iterations] \|\| 1) - 1`
			`def bigendian(val, len)`
			`len.times.map { val, r = val.divmod 256; r }.reverse.pack('C*')`
			`end`
			`key = ''`
			`blockindex = 1`
			`while key.length < keylen`
			`block = OpenSSL::HMAC.digest(hash, password, salt + bigendian(blockindex, 4))`
			`u = block`
			`iterations.times do`
			`u = OpenSSL::HMAC.digest(hash, password, u)`
			`block.length.times.each do \|j\|`
			`block[j] ^= u[j]`
			`end`
			`end`
			`key += block`
			`blockindex += 1`
			`end`
			`key.slice(0, keylen)`
			`end`

			`def aes_decrypt(text, key, opts = {})`
			`text = text.dup`
			`iv = text.slice!(0, 16) # aes has fixed blocksize of 128 bits`
			`key = pbkdf2(key, iv, (opts[:aeskeysize] \|\| 256) / 8, opts)`

			`cipher = OpenSSL::Cipher::AES.new(8 * key.length, opts[:mode] \|\| :OFB).decrypt`
			`cipher.key = key`
			`cipher.iv = iv`
			`cipher.update(text) + cipher.final`
			`end`

			`def aes_encrypt(text, opts = {})`
			`key = opts[:key] \|\| generateKey(opts[:keylen] \|\| 24)`
			`cipher = OpenSSL::Cipher::AES.new(opts[:aeskeysize] \|\| 256, opts[:mode] \|\| :OFB).encrypt`
			`cipher.iv = iv = opts[:iv] \|\| cipher.random_iv`
			`cipher.key = pbkdf2(key, iv, (opts[:aeskeysize] \|\| 256) / 8, opts)`
			`text = cipher.update(text) + cipher.final`
			`[ iv + text, key ]`
			`end`

			`def generateKey(len = 24)`
			`chars = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
			`len.times.map { chars[SecureRandom.random_number(chars.length)].ord }.pack('c*')`
			`end`

			`def decrypt(text, key, opts = {})`
			`text = Base64.decode64(text)`
			`aes_decrypt(text, key, opts)`
			`end`

			`def encrypt(text, opts = {})`
			`text, key = aes_encrypt(text, opts)`
			`[ Base64.encode64(text).gsub(/\s+/, ""), key ]`
			`end`

			`def fixipv6host(host)`
			`if m = /^\[([0-9a-fA-F:]+)\]$/.match(host)`
			`return m[1]`
			`end`
			`host`
			`end`

			`def http_get(uri)`
			`request = Net::HTTP::Get.new uri.request_uri`
			`request['Host'] = uri.host`
			`http = Net::HTTP.new(fixipv6host(uri.host), uri.port)`
			`http.use_ssl = uri.scheme == 'https'`
			`# http.verify_mode = OpenSSL::SSL::VERIFY_PEER`
			`# http.verify_depth = 5`
			`http.verify_mode = OpenSSL::SSL::VERIFY_NONE`
			`http.start { \|http\| http.request request }`
			`end`

			`def http_post(uri, args)`
			`request = Net::HTTP::Post.new(uri.request_uri)`
			`request['Host'] = uri.host`
			`request.set_form_data(args)`
			`http = Net::HTTP.new(fixipv6host(uri.host), uri.port)`
			`http.use_ssl = uri.scheme == 'https'`
			`# http.verify_mode = OpenSSL::SSL::VERIFY_PEER`
			`# http.verify_depth = 5`
			`http.verify_mode = OpenSSL::SSL::VERIFY_NONE`
			`http.start { \|http\| http.request request }`
			`end`

			`def hashpw(password)`
			`return nil if password.nil?`
			`return OpenSSL::Digest::SHA1.hexdigest(password)`
			`end`

			`require 'optparse'`
			`opts = {}`
			`OptionParser.new do \|o\|`
			`o.on('-u', '--url URL', "Retrieve paste from url (conflicts with the posting options)") { \|url\| opts[:url] = URI(url) }`
			`o.on('-f', '--file FILENAME', "Upload file") { \|fn\| opts[:fn] = fn }`
			`o.on('-m', '--mime MIMETYPE', "Specify mime type for paste") { \|mime\| opts[:mime] = mime }`
			`o.on('-t', '--ttl TTL', "Specify Time-To-Live for paste in seconds, default one week (-1 for indefinately, -100 for one time only)") { \|ttl\| opts[:ttl] = ttl }`
			`o.on('-p', '--password[PASSWORD]', "Use password protection on server side (no additional encryption)") { \|password\|`
			`opts[:pass] = true`
			`opts[:password] = password unless password.nil?`
			`}`
			`o.on('-s', '--site SITE', "Post upload to another ncrypt pastebin (default: https://ncry.pt)") { \|s\| opts[:site] = s }`
			`o.separator ""`
			`o.separator " If neither url nor filename was given, a final parameter can be used to specify it. Urls are autodetected."`
			`o.separator ""`
			`o.on('-h', '--help', "Show this help") { STDERR.puts o; exit }`
			`o.parse!`
			`if ARGV.length == 1`
			`if opts[:url] \|\| opts[:fn]`
			`STDERR.puts o`
			`exit 1`
			`end`
			`begin`
			`url = URI(ARGV[0])`
			`if ("http" == url.scheme \|\| "https" == url.scheme) && url.host`
			`opts[:url] = url`
			`else`
			`opts[:fn] = ARGV[0]`
			`end`
			`rescue`
			`opts[:fn] = ARGV[0]`
			`end`
			`end`
			`if ARGV.length > 1 or (opts[:url] and (opts[:fn] \|\| opts[:ttl] \|\| opts[:mime] \|\| opts[:site] \|\| opts[:pass])) or (!opts[:url] and !opts[:fn])`
			`STDERR.puts o`
			`exit 1`
			`end`
			`end`

			`if opts[:pass] and opts[:password].nil?`
			`if opts[:fn] == '-'`
			`STDERR.puts "Can't read post data from stdin and prompt for password"`
			`exit 1`
			`end`
			`STDERR.write "Enter password: "`
			`STDERR.flush`
			`opts[:password] = STDIN.readline.chomp`
			`end`

			`if opts[:url]`
			`uri = opts[:url]`
			`if !uri.fragment`
			`STDERR.puts "Specified url has no fragment, cannot decode paste"`
			`exit 1`
			`end`

			`password = nil`
			`while`
			`if password.nil?`
			`resp = http_get(uri)`
			`else`
			`resp = http_post(uri, :p => hashpw(password))`
			`end`

			`if 200 != resp.code.to_i`
			`STDERR.puts "Got HTTP/#{resp.http_version} #{resp.code} #{resp.message}"`
			`STDERR.puts "Location: #{resp['Location']}" if resp['Location']`
			`exit 1`
			`end`
			`html = resp.body`

			`if m = (/<input type="hidden" name="data" id="data" value="([^"]+)"/m.match(html) \|\| (!password.nil? && /"data":"([^"]+)"/m.match(html)))`
			`cipher = m[1]`
			`STDOUT.write decrypt(cipher, uri.fragment)`
			`exit 0`
			`elsif html =~ /<div id="askpassword">/ and password.nil?`
			`STDERR.write "Paste is password protected. Enter password: "`
			`STDERR.flush`
			`password = STDIN.readline.chomp`
			`else`
			`STDERR.puts "Can't parse response."`
			`exit 1`
			`end`
			`end`

			`else`
			`uri = URI(opts[:site] \|\| 'https://ncry.pt')`
			`if opts[:fn] != '-'`
			`if opts[:mime].nil?`
			`begin`
			`opts[:mime] = IO.popen("file --brief --mime-type '#{opts[:fn]}'", "r").read.chomp`
			`rescue`
			`# use default mime type text/plain`
			`end`
			`end`
			`text = File.open(opts[:fn], "rb").read`
			`else`
			`text = STDIN.read`
			`end`

			`cipher, key = encrypt(text)`
			`resp = http_post(uri, :data => cipher, :syn => opts[:mime] \|\| 'text/plain', :ttl => opts[:ttl] \|\| (7*86400), :p => hashpw(opts[:password]))`
			`if 200 != resp.code.to_i`
			`STDERR.puts "Key is #{key}"`
			`STDERR.puts "Got HTTP/#{resp.http_version} #{resp.code} #{resp.message}"`
			`resp.each_header { \|k,v\| STDERR.puts "#{k}: #{v}" }`
			`STDERR.puts resp.body`
			`exit 1`
			`end`
			`html = resp.body`
			`if html =~ /^\{"id":"."\}\s$/m then`
			`id = html.gsub(/^\{"id":"/m, "").gsub(/"\}\s*$/m, "")`
			`uri.path += '/' unless ?/ == uri.path[-1]`
			`uri.path += id`
			`uri.fragment = key`
			`puts uri`
			`else`
			`STDERR.puts "Key is #{key}"`
			`STDERR.puts "Can't parse response #{resp.body}"`
			`exit 1`
			`end`
			`end`