Ensure nacl 1.4.0+; add tests for small subgroups

Several of the sodium bindings we use weren't added until nacl 1.4.0, so
fail if we don't have that.

(I've also pushed Debian's 1.5.0-2 python3-nacl package from sid to the
focal oxen repo, which works just fine on focal).

Author: jagerman

sogs/crypto.py

@@ -2,6 +2,7 @@
 
 import os
 
+import nacl
 from nacl.public import PrivateKey
 from nacl.signing import SigningKey, VerifyKey
 from nacl.encoding import Base64Encoder, HexEncoder
@@ -21,6 +22,10 @@
 
 import pyonionreq
 
+if [int(v) for v in nacl.__version__.split('.')] < [1, 4]:
+    raise ImportError("SOGS requires nacl v1.4.0+")
+
+
 # generate seed as needed
 if not os.path.exists(config.KEY_FILE):
     with open(os.open(config.KEY_FILE, os.O_CREAT | os.O_WRONLY, 0o400), 'wb') as f:

sogs/routes/auth.py

@@ -6,8 +6,9 @@
 
 from flask import request, abort, Response, g
 import time
+import nacl
 from nacl.signing import VerifyKey
-from nacl.exceptions import BadSignatureError
+import nacl.exceptions
 import nacl.bindings as salt
 import sqlalchemy.exc
 from functools import wraps
@@ -206,17 +207,25 @@ def handle_http_auth():
         )
     blinded_pk = pk[0] == 0x15
     pk = pk[1:]
+
     if not salt.crypto_core_ed25519_is_valid_point(pk):
         abort_with_reason(
             http.BAD_REQUEST,
-            "Invalid authentication: given X-SOGS-Signature is not a valid Ed25519 pubkey",
+            "Invalid authentication: given X-SOGS-Pubkey is not a valid Ed25519 pubkey",
         )
+
     pk = VerifyKey(pk)
     if blinded_pk:
         session_id = '15' + pk.encode().hex()
     else:
         # TODO: if "blinding required" config option is set then reject the request here
-        session_id = '05' + pk.to_curve25519_public_key().encode().hex()
+        try:
+            session_id = '05' + pk.to_curve25519_public_key().encode().hex()
+        except nacl.exceptions.RuntimeError:
+            abort_with_reason(
+                http.BAD_REQUEST,
+                "Invalid authentication: given X-SOGS-Pubkey is not a valid Ed25519 pubkey",
+            )
 
     try:
         nonce = utils.decode_hex_or_b64(nonce, 16)
@@ -283,7 +292,7 @@ def handle_http_auth():
 
     try:
         pk.verify(to_verify, sig_in)
-    except BadSignatureError:
+    except nacl.exceptions.BadSignatureError:
         abort_with_reason(
             http.UNAUTHORIZED, "Invalid authentication: X-SOGS-Signature verification failed"
         )

tests/test_auth.py

@@ -6,6 +6,7 @@
 
 import json
 from nacl.signing import SigningKey
+import nacl.bindings as salt
 
 
 @app.get("/auth_test/whoami")
@@ -492,3 +493,49 @@ def test_auth_legacy(client, db, admin, user, room):
             'body': {'status_code': 200, 'banned_members': []},
         },
     ]
+
+
+def test_small_subgroups(client, db):
+    # Make some public keys with small subgroup components to make sure sodium rejects them (it
+    # does, everythwere that matters here).
+    a = SigningKey.generate()
+    B = server_pubkey
+    headers = x_sogs(a, B, 'GET', '/auth_test/whoami')
+
+    assert headers['X-SOGS-Pubkey'].startswith('00')
+    A = bytes.fromhex(headers['X-SOGS-Pubkey'][2:])
+
+    assert A == a.verify_key.encode()
+
+    if hasattr(salt, 'crypto_core_ed25519_is_valid_point'):
+        assert salt.crypto_core_ed25519_is_valid_point(A)
+
+    Abad = salt.crypto_core_ed25519_add(
+        A, bytes.fromhex('0000000000000000000000000000000000000000000000000000000000000000')
+    )
+
+    if hasattr(salt, 'crypto_core_ed25519_is_valid_point'):
+        assert not salt.crypto_core_ed25519_is_valid_point(Abad)
+
+    headers['X-SOGS-Pubkey'] = '00' + Abad.hex()
+
+    r = client.get("/auth_test/whoami", headers=headers)
+    assert r.status_code == 400
+    assert r.data == b'Invalid authentication: given X-SOGS-Pubkey is not a valid Ed25519 pubkey'
+
+    # Now try with a blinded id:
+    headers = x_sogs(a, B, 'GET', '/auth_test/whoami', blinded=True)
+    assert headers['X-SOGS-Pubkey'].startswith('15')
+    A = bytes.fromhex(headers['X-SOGS-Pubkey'][2:])
+
+    Abad = salt.crypto_core_ed25519_add(
+        A, bytes.fromhex('c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a')
+    )
+
+    if hasattr(salt, 'crypto_core_ed25519_is_valid_point'):
+        assert not salt.crypto_core_ed25519_is_valid_point(Abad)
+
+    headers['X-SOGS-Pubkey'] = '15' + Abad.hex()
+    r = client.get("/auth_test/whoami", headers=headers)
+    assert r.status_code == 400
+    assert r.data == b'Invalid authentication: given X-SOGS-Pubkey is not a valid Ed25519 pubkey'