dualcone 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b2cefd1451fcbb7e091ab48f74b5cbca1eb8a585e3cc28edb34ff5a6f04beaac
+  data.tar.gz: 5ba6021faa19db6e737f669459f86c464fc6878bfad7250bead60004f0f60c60
+SHA512:
+  metadata.gz: 5b1a2bc0687e734ec4b7a103825a2b698f15ae01a3d8efca9a0fd27b6b8d41e42b66b103c93770b7fc2df46ce5deccdce81723eb0cb406578ae8a52b6ebf5c3e
+  data.tar.gz: 98f13c8cc8c35459f34698d84f119fb7e5550128c76af207151ba3438b6ac056f5c199b17a54c8f95848e427ec3dcd71e05c5c58ba84e5f1ef4b486e95f8ad68

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Tom Richards
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,116 @@
+# Dualcone
+
+[![CircleCI](https://circleci.com/gh/t-richards/dualcone.svg?style=svg)](https://circleci.com/gh/t-richards/dualcone)
+
+Dualcone is a Ruby source code protection system. Dualcone uses symmetric encryption to protect your source code.
+
+Dualcone is a self-contained gem. It brings along its own copy of the lightweight cryptographic library, [libhydrogen][libhydrogen].
+
+Dualcone supports GNU + Linux and other Unix-like operating systems. Windows is not supported.
+
+## Roadmap
+
+### Part 1
+ - [x] Key generation: `Dualcone.generate_key`
+ - [x] Encrypted code running: `Dualcone.run(code)`
+ - [x] Encrypted code generation: `Dualcone.encrypt(path)`
+ - [x] Specs passing
+
+### Part 2
+ - [x] Runnable trivial ruby script
+ - [ ] Runnable non-trivial ruby script
+ - [ ] Runnable sinatra app
+ - [ ] Runnable rails app
+
+## Installation
+
+Add this gem to your application's Gemfile:
+
+```ruby
+gem 'dualcone'
+```
+
+And then execute:
+
+```bash
+$ bundle install
+```
+
+Or install it yourself as:
+
+```bash
+$ gem install dualcone
+```
+
+You need to have a C compiler and `make` installed on your system to be able to build this gem's native code and the included version of `libhydrogen`.
+
+## Usage
+
+1. Generate a secret encryption key.
+
+    ```ruby
+    require 'dualcone'
+    Dualcone.generate_key
+    => "764888c92f3059c88524225b622cd178856877cf3537230a9d7f5b5b6d8850c5"
+    ```
+
+2. Place your encryption key in the `DUALCONE_HEX_KEY` environment variable:
+
+    ```bash
+    $ export DUALCONE_HEX_KEY="8c8f91f84d8e554dc03277ce2f038af95cd932e2b65011969e77d3ac18d7bdd9"
+    ```
+
+    This environment variable is required for both encrypting files as well as running already-encrypted files.
+
+3. Encrypt your Ruby source code file(s).
+
+    :warning: Your source code file will be modified in-place. This is a one-way operation! :warning:
+
+    For example, let's say we have a file named `hello.rb` with the following contents:
+
+    ```ruby
+    puts 'Hello, world!'
+    ```
+
+    You can encrypt this file using `Dualcone.encrypt(path)`
+
+    ```ruby
+    Dualcone.encrypt('hello.rb')
+    ```
+
+    The entire contents of the file `hello.rb` will be replaced with a call to `Dualcone.run(code)`:
+
+    ```ruby
+    require 'dualcone'
+    Dualcone.run('7f1a1b6a047aee2403e415044b72f2ac2997cef689960df46afdfe6d7c657e18dbae1bea3bbe33ae9157cb2f7b22f34db69b2eb41e05aa512151')
+    ```
+
+4. Finally, test your encrypted code by running it.
+
+    ```bash
+    $ ruby hello.rb
+    ```
+
+## Development
+
+1. `git clone git@github.com:t-richards/dualcone.git` to clone the repo.
+2. `bin/setup` to install dependencies and fetch git submodules.
+3. `bin/rake compile` to build the gem's native extensions.
+4. `bin/rspec` to run the tests.
+5. `bin/rubocop` to check code style.
+
+You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bin/rake install`. To release a new version, update the version number in `version.rb`, and then run `bin/rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org][rubygems].
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/t-richards/dualcone.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License][mit-license].
+
+[libhydrogen]: https://github.com/jedisct1/libhydrogen
+[mit-license]: https://opensource.org/licenses/MIT
+[rubygems]: https://rubygems.org

data/ext/dualcone/dualcone.c

@@ -0,0 +1,288 @@
+#include "dualcone.h"
+
+VALUE rb_mDualcone;
+
+void rb_dualcone_cleanup(DualconeContext *ctx) {
+  if (ctx->input_path != NULL) {
+    free(ctx->input_path);
+  }
+
+  if (ctx->output_path != NULL) {
+    unlink(ctx->output_path); /* temporary file */
+    hydro_memzero(ctx->output_path, PATH_MAX);
+    free(ctx->output_path);
+  }
+
+  if (ctx->plaintext != NULL) {
+    hydro_memzero(ctx->plaintext, ctx->plaintext_len);
+    free(ctx->plaintext);
+  }
+
+  if (ctx->ciphertext_hex != NULL) {
+    hydro_memzero(ctx->ciphertext_hex, ctx->ciphertext_hex_len);
+    free(ctx->ciphertext_hex);
+  }
+
+  if (ctx->ciphertext != NULL) {
+    hydro_memzero(ctx->ciphertext, ctx->ciphertext_len);
+    free(ctx->ciphertext);
+  }
+
+  hydro_memzero(ctx, sizeof(DualconeContext));
+}
+
+void rb_dualcone_get_key(DualconeContext *ctx) {
+  int result = 0;
+  int errno_sv = 0;
+
+  /* Hex-encoded encryption key from environment */
+  char *hex_key = getenv(DUALCONE_HEX_KEY);
+  if (hex_key == NULL) {
+    rb_dualcone_cleanup(ctx);
+    rb_raise(rb_eKeyError, "environment variable not found: " DUALCONE_HEX_KEY);
+  }
+
+  /* Convert encryption key (hex encoded) to binary */
+  result = hydro_hex2bin(ctx->binary_key, hydro_secretbox_KEYBYTES, hex_key, strlen(hex_key), NULL, NULL);
+  if (result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(ctx);
+    rb_raise(rb_eFatal, "unable to hex-decode encryption key: %s", strerror(errno_sv));
+  }
+}
+
+VALUE rb_dualcone_run(VALUE _self, VALUE code) {
+  int result = 0;
+  int errno_sv = 0;
+
+  /* Check args */
+  rb_check_type(code, T_STRING);
+
+  /* Dualcone private memory allocations */
+  DualconeContext ctx = {0};
+  rb_dualcone_get_key(&ctx);
+
+  /* Encrypted ruby code (hex-encoded) */
+  char *hex_code = StringValuePtr(code);
+  long hex_code_len = RSTRING_LEN(code);
+
+  /* Check message length */
+  if (hex_code_len < DUALCONE_MIN_HEX_LEN) {
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to run code: too short (got %ld chars, expected at least %d chars)", hex_code_len, DUALCONE_MIN_HEX_LEN);
+  }
+
+  /* Allocate memory for ciphertext */
+  ctx.ciphertext_len = hex_code_len / 2;
+  ctx.ciphertext = calloc(1, ctx.ciphertext_len);
+  if (RB_UNLIKELY(ctx.ciphertext == NULL)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to allocate memory for ciphertext: %s", strerror(errno_sv));
+  }
+
+  /* Convert code (hex encoded) to binary */
+  result = hydro_hex2bin(ctx.ciphertext, ctx.ciphertext_len, hex_code, hex_code_len, NULL, NULL);
+  if (result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to hex-decode ruby code: %s", strerror(errno_sv));
+  }
+
+  /* Allocate memory for plaintext */
+  ctx.plaintext_len = ctx.ciphertext_len - hydro_secretbox_HEADERBYTES + 1; // Null byte
+  ctx.plaintext = calloc(1, ctx.plaintext_len);
+  if (RB_UNLIKELY(ctx.plaintext == NULL)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to allocate memory for plaintext: %s", strerror(errno_sv));
+  }
+
+  /* Decrypt binary code to plaintext code */
+  result = hydro_secretbox_decrypt(ctx.plaintext, ctx.ciphertext, ctx.ciphertext_len, 0, DUALCONE_CONTEXT, ctx.binary_key);
+  if (result == -1) {
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to decrypt ruby code");
+  }
+
+  /* Evaluate the plaintext code */
+  rb_eval_string_protect(ctx.plaintext, &result);
+  if (result != 0) {
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to evaluate ruby code");
+  }
+
+  /* Done */
+  rb_dualcone_cleanup(&ctx);
+  return Qnil;
+}
+
+VALUE rb_dualcone_generate_key(VALUE _self) {
+  uint8_t key[hydro_secretbox_KEYBYTES];
+  char hex[hydro_secretbox_KEYBYTES * 2 + 1];
+
+  /* Generate key */
+  hydro_secretbox_keygen(key);
+  char *retval = hydro_bin2hex(hex, hydro_secretbox_KEYBYTES * 2 + 1, key, hydro_secretbox_KEYBYTES);
+  if (retval == NULL) {
+    rb_raise(rb_eFatal, "unable to generate key");
+  }
+
+  return rb_str_new_cstr(hex);
+}
+
+VALUE rb_dualcone_encrypt(VALUE _self, VALUE path) {
+  int result = 0;
+  int errno_sv = 0;
+
+  /* Check args */
+  rb_check_type(path, T_STRING);
+
+  /* Dualcone private memory allocations */
+  DualconeContext ctx = {0};
+  rb_dualcone_get_key(&ctx);
+
+  /* The path of the input file (ruby code, plaintext) */
+  /* This value is modified by dirname(), so strdup() is necessary */
+  ctx.input_path = strdup(StringValuePtr(path));
+  if (RB_UNLIKELY(ctx.input_path == NULL)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to allocate memory for input path: %s", strerror(errno_sv));
+  }
+
+  /* Check if input file is readable */
+  int plaintext_fd = open(ctx.input_path, O_RDONLY);
+  if (plaintext_fd == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to read input file '%s': %s", ctx.input_path, strerror(errno_sv));
+  }
+
+  /* Allocate memory for temporary path template */
+  ctx.output_path = calloc(1, PATH_MAX);
+  if (RB_UNLIKELY(ctx.output_path == NULL)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to allocate memory for output path: %s", strerror(errno_sv));
+  }
+
+  /* Construct path template for temporary file */
+  char *output_dir = dirname(ctx.input_path);
+  strncat(ctx.output_path, output_dir, PATH_MAX - strlen(ctx.output_path) - 1);
+  strncat(ctx.output_path, "/.dualcone.XXXXXX", PATH_MAX - strlen(ctx.output_path) - 1);
+
+  /* Create temporary file */
+  int output_fd = mkstemp(ctx.output_path);
+  if (RB_UNLIKELY(output_fd == -1)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to create temporary file: %s", strerror(errno_sv));
+  }
+
+  /* Get input file length */
+  struct stat plaintext_stat = {0};
+  result = fstat(plaintext_fd, &plaintext_stat);
+  if (result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to determine length of input file: %s", strerror(errno_sv));
+  }
+
+  /* Allocate buffer for input file */
+  ctx.plaintext_len = plaintext_stat.st_size;
+  ctx.plaintext = calloc(1, ctx.plaintext_len);
+  if (RB_UNLIKELY(ctx.plaintext == NULL)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to allocate memory for input data: %s", strerror(errno_sv));
+  }
+
+  /* Read entire input file */
+  ssize_t read_result = read(plaintext_fd, ctx.plaintext, ctx.plaintext_len);
+  if (read_result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to read ruby code: %s", strerror(errno_sv));
+  }
+  close(plaintext_fd);
+
+  /* Allocate memory for encryption result */
+  ctx.ciphertext_len = hydro_secretbox_HEADERBYTES + ctx.plaintext_len;
+  ctx.ciphertext = calloc(1, ctx.ciphertext_len);
+  if (RB_UNLIKELY(ctx.ciphertext == NULL)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to allocate memory for encryption: %s", strerror(errno_sv));
+  }
+
+  /* Encrypt data! */
+  result = hydro_secretbox_encrypt(ctx.ciphertext, ctx.plaintext, ctx.plaintext_len, 0, DUALCONE_CONTEXT, ctx.binary_key);
+  if (result != 0) {
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to encrypt ruby code");
+  }
+
+  /* Allocate memory for hex-encoded encrypted data */
+  ctx.ciphertext_hex_len = ctx.ciphertext_len * 2 + 1;
+  ctx.ciphertext_hex = calloc(1, ctx.ciphertext_hex_len);
+  if (RB_UNLIKELY(ctx.ciphertext_hex == NULL)) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to allocate memory for hex-encoding: %s", strerror(errno_sv));
+  }
+
+  /* Hex encode encrypted data */
+  hydro_bin2hex(ctx.ciphertext_hex, ctx.ciphertext_hex_len, ctx.ciphertext, ctx.ciphertext_len);
+
+  /* Write preamble */
+  ssize_t write_result = 0;
+  write_result = write(output_fd, DUALCONE_PREAMBLE, sizeof(DUALCONE_PREAMBLE) - 1);
+  if (write_result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to write to temporary file: %s", strerror(errno_sv));
+  }
+
+  /* Write hex-encoded data */
+  write_result = write(output_fd, ctx.ciphertext_hex, ctx.ciphertext_hex_len - 1);
+  if (write_result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to write to temporary file: %s", strerror(errno_sv));
+  }
+
+  /* Write postamble */
+  write_result = write(output_fd, DUALCONE_POSTAMBLE, sizeof(DUALCONE_POSTAMBLE) - 1);
+  if (write_result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to write to temporary file: %s", strerror(errno_sv));
+  }
+
+  /* Rename tempfile over original */
+  close(output_fd);
+  char *plaintext_path = StringValuePtr(path);
+  result = rename(ctx.output_path, plaintext_path);
+  if (result == -1) {
+    errno_sv = errno;
+    rb_dualcone_cleanup(&ctx);
+    rb_raise(rb_eFatal, "unable to rename temporary file: %s", strerror(errno_sv));
+  }
+
+  /* Done */
+  rb_dualcone_cleanup(&ctx);
+  return Qnil;
+}
+
+void Init_dualcone(void) {
+  if (RB_UNLIKELY(hydro_init() != 0)) {
+    rb_raise(rb_eFatal, "unable to initialize libhydrogen");
+    return;
+  }
+
+  rb_mDualcone = rb_define_module("Dualcone");
+  rb_define_module_function(rb_mDualcone, "encrypt", rb_dualcone_encrypt, 1);
+  rb_define_module_function(rb_mDualcone, "generate_key", rb_dualcone_generate_key, 0);
+  rb_define_module_function(rb_mDualcone, "run", rb_dualcone_run, 1);
+}

data/ext/dualcone/dualcone.h

@@ -0,0 +1,49 @@
+#ifndef __DUALCONE_H
+#define __DUALCONE_H
+
+#include <stdio.h>
+#include <errno.h>
+#include <limits.h>
+#include <libgen.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <ruby.h>
+#include <hydrogen.h>
+
+#define DUALCONE_CONTEXT "DUALCONE"
+#define DUALCONE_HEX_KEY "DUALCONE_HEX_KEY"
+#define DUALCONE_MIN_HEX_LEN hydro_secretbox_HEADERBYTES * 2
+#define DUALCONE_PREAMBLE "require 'dualcone'\nDualcone.run('"
+#define DUALCONE_POSTAMBLE "')\n"
+
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
+typedef struct {
+    /* Symmetric key */
+    uint8_t  binary_key[hydro_secretbox_KEYBYTES];
+
+    /* Input file path */
+    char    *input_path;
+
+    /* Temporary output file path */
+    char    *output_path;
+
+    /* Encrypted code (hex-encoded) */
+    char    *ciphertext_hex;
+    size_t   ciphertext_hex_len;
+
+    /* Encrypted code (binary) */
+    uint8_t *ciphertext;
+    size_t   ciphertext_len;
+
+    /* Plaintext ruby code */
+    char    *plaintext;
+    size_t   plaintext_len;
+} DualconeContext;
+
+#endif /* __DUALCONE_H */