milis/bin/ncrypt

225 lines
6.3 KiB
Ruby
Executable File

#!/usr/bin/ruby
require 'openssl'
require 'base64'
require 'securerandom'
require 'net/http'
require 'net/https'
def pbkdf2(password, salt, keylen, opts = {})
hash = opts[:hash] || 'sha1'
iterations = (opts[:iterations] || 1) - 1
def bigendian(val, len)
len.times.map { val, r = val.divmod 256; r }.reverse.pack('C*')
end
key = ''
blockindex = 1
while key.length < keylen
block = OpenSSL::HMAC.digest(hash, password, salt + bigendian(blockindex, 4))
u = block
iterations.times do
u = OpenSSL::HMAC.digest(hash, password, u)
block.length.times.each do |j|
block[j] ^= u[j]
end
end
key += block
blockindex += 1
end
key.slice(0, keylen)
end
def aes_decrypt(text, key, opts = {})
text = text.dup
iv = text.slice!(0, 16) # aes has fixed blocksize of 128 bits
key = pbkdf2(key, iv, (opts[:aeskeysize] || 256) / 8, opts)
cipher = OpenSSL::Cipher::AES.new(8 * key.length, opts[:mode] || :OFB).decrypt
cipher.key = key
cipher.iv = iv
cipher.update(text) + cipher.final
end
def aes_encrypt(text, opts = {})
key = opts[:key] || generateKey(opts[:keylen] || 24)
cipher = OpenSSL::Cipher::AES.new(opts[:aeskeysize] || 256, opts[:mode] || :OFB).encrypt
cipher.iv = iv = opts[:iv] || cipher.random_iv
cipher.key = pbkdf2(key, iv, (opts[:aeskeysize] || 256) / 8, opts)
text = cipher.update(text) + cipher.final
[ iv + text, key ]
end
def generateKey(len = 24)
chars = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
len.times.map { chars[SecureRandom.random_number(chars.length)].ord }.pack('c*')
end
def decrypt(text, key, opts = {})
text = Base64.decode64(text)
aes_decrypt(text, key, opts)
end
def encrypt(text, opts = {})
text, key = aes_encrypt(text, opts)
[ Base64.encode64(text).gsub(/\s+/, ""), key ]
end
def fixipv6host(host)
if m = /^\[([0-9a-fA-F:]+)\]$/.match(host)
return m[1]
end
host
end
def http_get(uri)
request = Net::HTTP::Get.new uri.request_uri
request['Host'] = uri.host
http = Net::HTTP.new(fixipv6host(uri.host), uri.port)
http.use_ssl = uri.scheme == 'https'
# http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# http.verify_depth = 5
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.start { |http| http.request request }
end
def http_post(uri, args)
request = Net::HTTP::Post.new(uri.request_uri)
request['Host'] = uri.host
request.set_form_data(args)
http = Net::HTTP.new(fixipv6host(uri.host), uri.port)
http.use_ssl = uri.scheme == 'https'
# http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# http.verify_depth = 5
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.start { |http| http.request request }
end
def hashpw(password)
return nil if password.nil?
return OpenSSL::Digest::SHA1.hexdigest(password)
end
require 'optparse'
opts = {}
OptionParser.new do |o|
o.on('-u', '--url URL', "Retrieve paste from url (conflicts with the posting options)") { |url| opts[:url] = URI(url) }
o.on('-f', '--file FILENAME', "Upload file") { |fn| opts[:fn] = fn }
o.on('-m', '--mime MIMETYPE', "Specify mime type for paste") { |mime| opts[:mime] = mime }
o.on('-t', '--ttl TTL', "Specify Time-To-Live for paste in seconds, default one week (-1 for indefinately, -100 for one time only)") { |ttl| opts[:ttl] = ttl }
o.on('-p', '--password[PASSWORD]', "Use password protection on server side (no additional encryption)") { |password|
opts[:pass] = true
opts[:password] = password unless password.nil?
}
o.on('-s', '--site SITE', "Post upload to another ncrypt pastebin (default: https://ncry.pt)") { |s| opts[:site] = s }
o.separator ""
o.separator " If neither url nor filename was given, a final parameter can be used to specify it. Urls are autodetected."
o.separator ""
o.on('-h', '--help', "Show this help") { STDERR.puts o; exit }
o.parse!
if ARGV.length == 1
if opts[:url] || opts[:fn]
STDERR.puts o
exit 1
end
begin
url = URI(ARGV[0])
if ("http" == url.scheme || "https" == url.scheme) && url.host
opts[:url] = url
else
opts[:fn] = ARGV[0]
end
rescue
opts[:fn] = ARGV[0]
end
end
if ARGV.length > 1 or (opts[:url] and (opts[:fn] || opts[:ttl] || opts[:mime] || opts[:site] || opts[:pass])) or (!opts[:url] and !opts[:fn])
STDERR.puts o
exit 1
end
end
if opts[:pass] and opts[:password].nil?
if opts[:fn] == '-'
STDERR.puts "Can't read post data from stdin and prompt for password"
exit 1
end
STDERR.write "Enter password: "
STDERR.flush
opts[:password] = STDIN.readline.chomp
end
if opts[:url]
uri = opts[:url]
if !uri.fragment
STDERR.puts "Specified url has no fragment, cannot decode paste"
exit 1
end
password = nil
while
if password.nil?
resp = http_get(uri)
else
resp = http_post(uri, :p => hashpw(password))
end
if 200 != resp.code.to_i
STDERR.puts "Got HTTP/#{resp.http_version} #{resp.code} #{resp.message}"
STDERR.puts "Location: #{resp['Location']}" if resp['Location']
exit 1
end
html = resp.body
if m = (/<input type="hidden" name="data" id="data" value="([^"]+)"/m.match(html) || (!password.nil? && /"data":"([^"]+)"/m.match(html)))
cipher = m[1]
STDOUT.write decrypt(cipher, uri.fragment)
exit 0
elsif html =~ /<div id="askpassword">/ and password.nil?
STDERR.write "Paste is password protected. Enter password: "
STDERR.flush
password = STDIN.readline.chomp
else
STDERR.puts "Can't parse response."
exit 1
end
end
else
uri = URI(opts[:site] || 'https://ncry.pt')
if opts[:fn] != '-'
if opts[:mime].nil?
begin
opts[:mime] = IO.popen("file --brief --mime-type '#{opts[:fn]}'", "r").read.chomp
rescue
# use default mime type text/plain
end
end
text = File.open(opts[:fn], "rb").read
else
text = STDIN.read
end
cipher, key = encrypt(text)
resp = http_post(uri, :data => cipher, :syn => opts[:mime] || 'text/plain', :ttl => opts[:ttl] || (7*86400), :p => hashpw(opts[:password]))
if 200 != resp.code.to_i
STDERR.puts "Key is #{key}"
STDERR.puts "Got HTTP/#{resp.http_version} #{resp.code} #{resp.message}"
resp.each_header { |k,v| STDERR.puts "#{k}: #{v}" }
STDERR.puts resp.body
exit 1
end
html = resp.body
if html =~ /^\{"id":".*"\}\s*$/m then
id = html.gsub(/^\{"id":"/m, "").gsub(/"\}\s*$/m, "")
uri.path += '/' unless ?/ == uri.path[-1]
uri.path += id
uri.fragment = key
puts uri
else
STDERR.puts "Key is #{key}"
STDERR.puts "Can't parse response #{resp.body}"
exit 1
end
end