tanner/bwb
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Protect main OTP against unauthed changes

Browse Source 
This is a problem if someone sends:

000000handshake xyz

...because they will have set our OTP to xyz and could guess codes.

Fixed by using a separate OTP object for handshaking only.
This commit is contained in:
Tanner Collin
2019-09-23 04:52:24 +00:00
parent 03e37f5601
commit 47ad8b575a
3 changed files with 42 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+6 -4
View File
@@ -31,11 +31,10 @@ event.respond('000000handshake ' + bwb.handshake(data))
On `000000handshake [data]`:
```text
event.respond(bwb.wrap('secret ' + bwb.secret(data)))
bwb.set_otp(bwb.init_secret)
event.respond(bwb.wrap('secret ' + bwb.secret(data), handshake=True))
```
On _OTP authed_ `123456secret [data]`:
On _Handshake OTP authed_ `123456secret [data]`:
```text
bwb.set_secret(data)
@@ -62,6 +61,9 @@ if text.startswith('!'):
...
elif text.startswith('000000'):
text = text[6:]
elif bwb.check_auth(text, handshake=True):
handshake_authed = True
text = text[6:]
elif bwb.check_auth(text):
authed = True
text = text[6:]
@@ -74,7 +76,7 @@ Use `bwb.wrap()` to auth and encode outgoing commands.
Params:
```text
wrap(text, target=None, b58=False, enc=False)
wrap(text, handshake=False, target=None, b58=False, enc=False)
```
Examples: