From be8486e4884f926c41114ae4829205f4a0080103 Mon Sep 17 00:00:00 2001
From: Aditya Kulkarni
Date: Fri, 25 Jan 2019 17:31:53 -0800
Subject: [PATCH] share secrets
---
 src/mainwindow.cpp | 46 ++++------------------------
 src/websockets.cpp | 76 +++++++++++++++++++++++++++++++++++++++++++---
 src/websockets.h | 7 ++++-
 3 files changed, 84 insertions(+), 45 deletions(-)
diff --git a/src/mainwindow.cpp b/src/mainwindow.cpp
index d3e0842..880fe74 100644
--- a/src/mainwindow.cpp
+++ b/src/mainwindow.cpp
@@ -64,7 +64,12 @@ MainWindow::MainWindow(QWidget *parent) :
 QObject::connect(ui->actionz_board_net, &QAction::triggered, this, &MainWindow::postToZBoard);
 // Connect mobile app
- QObject::connect(ui->actionConnect_Mobile_App, &QAction::triggered, this, &MainWindow::connectApp);
+ QObject::connect(ui->actionConnect_Mobile_App, &QAction::triggered, this, [=] () {
+ if (rpc->getConnection() == nullptr)
+ return;
+
+ AppDataServer::connectAppDialog(this);
+ });
 // Address Book
 QObject::connect(ui->action_Address_Book, &QAction::triggered, this, &MainWindow::addressBook);
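Review bot: The lambda handed to `QObject::connect` uses `[=]`, which captures `this` implicitly (deprecated since C++20) even though the body only needs `rpc` and `this`; writing `[this] () {` states that dependency explicitly. The `this` context argument already ties the connection to the window's lifetime, so behaviour stays the same. The MainWindow constructor begins and ends outside this hunk.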
@@ -528,45 +533,6 @@ void MainWindow::donate() {
 ui->tabWidget->setCurrentIndex(1);
 }
-void MainWindow::connectApp() {
- QDialog d(this);
- Ui_MobileAppConnector con;
- con.setupUi(&d);
- Settings::saveRestore(&d);
-
- if (rpc->getConnection() == nullptr)
- return;
-
- // Get the address of the localhost
- auto addrList = QNetworkInterface::allAddresses();
-
- // Find a suitable address
- QString ipv4Addr;
- for (auto addr : addrList) {
- if (addr.isLoopback() || addr.protocol() == QAbstractSocket::IPv6Protocol)
- continue;
-
- ipv4Addr = addr.toString();
- break;
- }
-
- if (ipv4Addr.isEmpty())
- return;
-
- QString uri = "ws://" + ipv4Addr + ":8237";
-
- con.lblConnStr->setText(uri);
- con.qrcode->setQrcodeString(uri);
- con.lblRemoteNonce->setText(AppDataServer::getNonceHex(NonceType::REMOTE));
- con.lblLocalNonce->setText(AppDataServer::getNonceHex(NonceType::LOCAL));
-
- QObject::connect(con.btnDisconnect, &QPushButton::clicked, [=]() {
- AppDataServer::saveNonceHex(NonceType::REMOTE, QString("00").repeated(24));
- AppDataServer::saveNonceHex(NonceType::LOCAL, QString("00").repeated(24));
- });
-
- d.exec();
-}
 void MainWindow::postToZBoard() {
 QDialog d(this);
diff --git a/src/websockets.cpp b/src/websockets.cpp
index fb7e9e1..8940343 100644
--- a/src/websockets.cpp
+++ b/src/websockets.cpp
@@ -2,6 +2,7 @@
 #include "rpc.h"
 #include "settings.h"
+#include "ui_mobileappconnector.h"
 WSServer::WSServer(quint16 port, bool debug, QObject *parent) :
 QObject(parent),
@@ -73,8 +74,67 @@ void WSServer::socketDisconnected()
 // ==============================
 // AppDataServer
 // ==============================
-QString AppDataServer::getSecretHex() {
- return "secret";
+QList AppDataServer::getSecretHex() {
+ QSettings s;
+
+ return { s.value("mobileapp/secret", "").toString() };
+}
+
+void AppDataServer::saveNewSecret(QString secretHex) {
+ QSettings s;
+ s.setValue("mobileapp/secret", secretHex);
+}
+
+void AppDataServer::connectAppDialog(QWidget* parent) {
+ QDialog d(parent);
+ Ui_MobileAppConnector con;
+ con.setupUi(&d);
+ Settings::saveRestore(&d);
+
+ // Get the address of the localhost
+ auto addrList = QNetworkInterface::allAddresses();
+
+ // Find a suitable address
+ QString ipv4Addr;
+ for (auto addr : addrList) {
+ if (addr.isLoopback() || addr.protocol() == QAbstractSocket::IPv6Protocol)
+ continue;
+
+ ipv4Addr = addr.toString();
+ break;
+ }
+
+ if (ipv4Addr.isEmpty())
+ return;
+
+ QString uri = "ws://" + ipv4Addr + ":8237";
+
+ // Get a new secret
+ unsigned char* secretBin = new unsigned char[crypto_secretbox_KEYBYTES];
+ randombytes_buf(secretBin, crypto_secretbox_KEYBYTES);
+ char* secretHex = new char[crypto_secretbox_KEYBYTES*2 + 1];
+ sodium_bin2hex(secretHex, crypto_secretbox_KEYBYTES*2+1, secretBin, crypto_secretbox_KEYBYTES);
+
+ saveNewSecret(secretHex);
+
+ QString secretStr(secretHex);
+
+ QString codeStr = uri + "," + secretHex;
+
+ con.lblConnStr->setText(codeStr);
+ con.qrcode->setQrcodeString(codeStr);
+ con.lblRemoteNonce->setText(AppDataServer::getNonceHex(NonceType::REMOTE));
+ con.lblLocalNonce->setText(AppDataServer::getNonceHex(NonceType::LOCAL));
+
+ AppDataServer::saveNonceHex(NonceType::REMOTE, QString("00").repeated(24));
+ AppDataServer::saveNonceHex(NonceType::LOCAL, QString("00").repeated(24));
+
+ QObject::connect(con.btnDisconnect, &QPushButton::clicked, [=]() {
+ AppDataServer::saveNonceHex(NonceType::REMOTE, QString("00").repeated(24));
+ AppDataServer::saveNonceHex(NonceType::LOCAL, QString("00").repeated(24));
+ });
+
+ d.exec();
 }
 QString AppDataServer::getNonceHex(NonceType nt) {
@@ -119,7 +179,8 @@ QString AppDataServer::encryptOutgoing(QString msg) {
 saveNonceHex(NonceType::LOCAL, QString(newLocalNonce));
 unsigned char* secret = new unsigned char[crypto_secretbox_KEYBYTES];
- crypto_hash_sha256(secret, (const unsigned char*)"secret", QString("secret").length());
+ sodium_hex2bin(secret, crypto_secretbox_KEYBYTES, getSecretHex()[0].toStdString().c_str(), crypto_secretbox_KEYBYTES*2,
+ NULL, NULL, NULL);
 int msgSize = strlen(msg.toStdString().c_str());
 unsigned char* encrpyted = new unsigned char[ msgSize + crypto_secretbox_MACBYTES];
@@ -138,6 +199,12 @@ QString AppDataServer::encryptOutgoing(QString msg) {
 {"payload", QString(encryptedHex)}
 });
+ delete[] noncebin;
+ delete[] newLocalNonce;
+ delete[] secret;
+ delete[] encrpyted;
+ delete[] encryptedHex;
+
 return json.toJson();
 }
@@ -163,7 +230,8 @@ QString AppDataServer::decryptMessage(QJsonDocument msg) {
 saveNonceHex(NonceType::REMOTE, noncehex);
 unsigned char* secret = new unsigned char[crypto_secretbox_KEYBYTES];
- crypto_hash_sha256(secret, (const unsigned char*)"secret", QString("secret").length());
+ sodium_hex2bin(secret, crypto_secretbox_KEYBYTES, getSecretHex()[0].toStdString().c_str(), crypto_secretbox_KEYBYTES*2,
+ NULL, NULL, NULL);
 unsigned char* encrypted = new unsigned char[encryptedhex.length() / 2];
 sodium_hex2bin(encrypted, encryptedhex.length() / 2, encryptedhex.toStdString().c_str(), encryptedhex.length(),
diff --git a/src/websockets.h b/src/websockets.h
index f3e1b84..c70b5f9 100644
--- a/src/websockets.h
+++ b/src/websockets.h
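Review bot: The pairing key generated in connectAppDialog sits in two `new[]` buffers, `secretBin` and `secretHex`, that are never freed or cleared, so each time the dialog opens another copy of the key is left on the heap; fixed-size local arrays wiped with `sodium_memzero` once the QString copies exist avoid both the leak and the lingering key material (see the fence; `secretStr` is unused and can be dropped). The Disconnect handler resets both nonces to zero while `mobileapp/secret` stays as it is, so if the paired app keeps using that key the nonce sequence presumably starts over under the same key; replacing the stored secret in that handler as well would keep nonces unique per key. The secret is also persisted through QSettings and shown in `lblConnStr` as plain text, which deserves a comment stating that this is intended.

```cpp
    // Get a new secret
    unsigned char secretBin[crypto_secretbox_KEYBYTES];
    char secretHex[crypto_secretbox_KEYBYTES * 2 + 1];
    randombytes_buf(secretBin, sizeof secretBin);
    sodium_bin2hex(secretHex, sizeof secretHex, secretBin, sizeof secretBin);

    // … unchanged: saveNewSecret(secretHex) and codeStr construction …

    // The QString copies hold the value from here on; clear the raw buffers.
    sodium_memzero(secretBin, sizeof secretBin);
    sodium_memzero(secretHex, sizeof secretHex);

    // … unchanged: label/QR setup, nonce reset, Disconnect handler, d.exec() …
```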
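Review bot: The result of `sodium_hex2bin` is discarded in encryptOutgoing, and `getSecretHex()` yields an empty string when nothing is stored under `mobileapp/secret`, so the `new[]`-allocated `secret` buffer can be used as the key with indeterminate contents; the decryptMessage hunk at -163 makes the same call. Treat a non-zero return as "not paired" and stop before encrypting or decrypting, e.g. wrap the existing call as `if (sodium_hex2bin(/* same arguments */) != 0) { delete[] secret; return QString(); }`, after also releasing whatever the function allocated earlier. Both functions begin and end outside their hunks, so the exact cleanup on that path has to follow the allocations that are not visible here.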
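Review bot: `delete[] secret;` frees the decoded key without clearing it, so the key bytes stay readable in freed heap memory; add `sodium_memzero(secret, crypto_secretbox_KEYBYTES);` on the line before it. These five deletes run only on the final return path, so any earlier exit in encryptOutgoing (most of its body lies outside this hunk) would still leak; holding the buffers in `std::vector<unsigned char>` would cover every path. No matching cleanup for decryptMessage's `secret` and `encrypted` buffers is visible in this patch.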
@@ -38,15 +38,20 @@ enum NonceType { class AppDataServer { public: + static void connectAppDialog(QWidget* parent); + static QJsonDocument processSendTx(QJsonObject sendTx, MainWindow* mainwindow); static QJsonDocument processMessage(QString message, MainWindow* mainWindow); + static QJsonDocument processDecryptedMessage(QString message, MainWindow* mainWindow); static QJsonDocument processGetInfo(MainWindow* mainWindow); static QJsonDocument processGetTransactions(MainWindow* mainWindow); static QString decryptMessage(QJsonDocument msg); static QString encryptOutgoing(QString msg); - static QString getSecretHex(); + static QList getSecretHex(); + static void saveNewSecret(QString secretHex); + static QString getNonceHex(NonceType nt); static void saveNonceHex(NonceType nt, QString noncehex); };
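Review bot: `getSecretHex()` now returns a list, but the declaration does not say how many entries callers may rely on, and both call sites in websockets.cpp index `[0]` unconditionally. A comment on the declaration such as `// Always holds exactly one entry; it is an empty string when no app has been paired.` would record that contract. `saveNewSecret` could likewise note that the value is written to QSettings under `mobileapp/secret` as plain hex.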