From 7fab5a37fffce5dd4d076bc3d6ffe8904033b96b Mon Sep 17 00:00:00 2001
From: dumbmoron
Date: Tue, 5 Mar 2024 16:49:00 +0000
Subject: [PATCH] crypto: use secret directly instead of deriving key
---
 src/core/api.js | 2 +-
 src/modules/stream/manage.js | 2 +-
 src/modules/sub/crypto.js | 11 ++++-------
 3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/src/core/api.js b/src/core/api.js
index 8f6060fe..a439cddf 100644
--- a/src/core/api.js
+++ b/src/core/api.js
@@ -128,7 +128,7 @@ export function runAPI(express, app, gitCommit, gitBranch, __dirname) {
 const q = req.query;
 const checkQueries = q.t && q.e && q.h && q.s && q.i;
 const checkBaseLength = q.t.length === 21 && q.e.length === 13;
- const checkSafeLength = q.h.length === 43 && q.s.length === 342 && q.i.length === 22;
+ const checkSafeLength = q.h.length === 43 && q.s.length === 43 && q.i.length === 22;
 if (checkQueries && checkBaseLength && checkSafeLength) {
 let streamInfo = verifyStream(q.t, q.h, q.e, q.s, q.i);
diff --git a/src/modules/stream/manage.js b/src/modules/stream/manage.js
index c8bcd979..120b6f00 100644
--- a/src/modules/stream/manage.js
+++ b/src/modules/stream/manage.js
@@ -20,7 +20,7 @@ const hmacSalt = randomBytes(64).toString('hex');
 export function createStream(obj) {
 const streamID = nanoid(),
 iv = randomBytes(16).toString('base64url'),
- secret = randomBytes(256).toString('base64url'),
+ secret = randomBytes(32).toString('base64url'),
 exp = new Date().getTime() + streamLifespan,
 hmac = generateHmac(`${streamID},${exp},${iv},${secret}`, hmacSalt),
 streamData = {
diff --git a/src/modules/sub/crypto.js b/src/modules/sub/crypto.js
index 2fba1efc..b3a0539b 100644
--- a/src/modules/sub/crypto.js
+++ b/src/modules/sub/crypto.js
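Review bot: In src/core/api.js, `checkBaseLength` and the changed `checkSafeLength` read `.length` on `q.t`, `q.e`, `q.h`, `q.s` and `q.i` before `checkQueries` is consulted, so a request that omits any of these parameters throws a TypeError instead of taking the rejection path. Depending on the query parser settings, Express can also deliver a repeated or bracketed parameter as an array or object, and `.length` on an array counts elements rather than characters. Checking the type first, for example `const checkQueries = [q.t, q.e, q.h, q.s, q.i].every((v) => typeof v === "string");`, and evaluating the two length checks only when that holds would cover both cases. The handler starts and ends outside the hunk, so any surrounding try/catch is not visible here.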
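Review bot: In src/modules/stream/manage.js the literal `32` in `randomBytes(32)` is now the cipher key size itself, and it has to stay in step with `q.s.length === 43` in src/core/api.js and `algorithm = "aes256"` in src/modules/sub/crypto.js, while this commit removes the only named constant (`keyLength`). A comment on the `secret` line such as `// 32 bytes: used directly as the aes256 key; 43 chars as base64url (length-checked in api.js)` would keep the three values from drifting apart. createStream continues past the end of the hunk.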
@@ -1,25 +1,22 @@
 import { createHmac, createCipheriv, createDecipheriv, scryptSync } from "crypto";
 const algorithm = "aes256"
-const keyLength = 32;
 export function generateHmac(str, salt) {
 return createHmac("sha256", salt).update(str).digest("base64url");
 }
 export function encryptStream(plaintext, iv, secret) {
- const buff = Buffer.from(JSON.stringify(plaintext), "utf-8");
-
- const key = scryptSync(Buffer.from(secret, "base64url"), "salt", keyLength);
+ const buff = Buffer.from(JSON.stringify(plaintext));
+ const key = Buffer.from(secret, "base64url");
 const cipher = createCipheriv(algorithm, key, Buffer.from(iv, "base64url"));
 return Buffer.concat([ cipher.update(buff), cipher.final() ])
 }
 export function decryptStream(ciphertext, iv, secret) {
- const buff = Buffer.from(ciphertext, "binary");
-
- const key = scryptSync(Buffer.from(secret, "base64url"), "salt", keyLength);
+ const buff = Buffer.from(ciphertext);
+ const key = Buffer.from(secret, "base64url");
 const decipher = createDecipheriv(algorithm, key, Buffer.from(iv, "base64url"));
 return Buffer.concat([ decipher.update(buff), decipher.final() ])
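Review bot: `encryptStream` and `decryptStream` now hand `Buffer.from(secret, "base64url")` straight to `createCipheriv`/`createDecipheriv` with no length check, whereas the removed scrypt call always produced `keyLength` bytes. Node's base64url decoding does not reject characters outside the alphabet, so a 43-character string can decode to fewer than 32 bytes and the failure then surfaces as a key-length error from the cipher constructor; whether `verifyStream` rejects such a value earlier is not visible here. Adding `if (key.length !== 32) throw new Error("invalid stream secret");` after the `const key` line in both functions would make the requirement explicit. `scryptSync` is still named in the import on the first line although the hunk removes both of its uses. decryptStream's closing brace lies outside the hunk.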