From 7fb46692a2e7ea49b9ff0e6690fbdeefb7fbdbb8 Mon Sep 17 00:00:00 2001 From: Nat Lasseter Date: Thu, 20 Feb 2025 09:30:02 +0000 Subject: [5.1] Replay Cache --- 5.1/charon.rb | 16 +++++++++++++++- 5.1/get_mail.rb | 2 +- 5.1/mail.rb | 16 +++++++++++++++- 3 files changed, 31 insertions(+), 3 deletions(-) diff --git a/5.1/charon.rb b/5.1/charon.rb index 7a69e39..0e4b03c 100755 --- a/5.1/charon.rb +++ b/5.1/charon.rb @@ -13,6 +13,17 @@ Services = { "Mail" => "{FvM als.to_i + ats.to_i + } +end + def encrypt(obj, key) cipher = OpenSSL::Cipher::AES.new(256, :CBC).encrypt cipher.key = Digest::SHA2.digest(key) @@ -65,7 +76,10 @@ post '/ticket' do next "Invalid ticket\n" unless Time.now.to_i >= ts next "Ticket expired\n" unless Time.now.to_i < (ts + ls) begin - aun, aws, als, ats = decrypt(data["authenticator"], sk).split(?,) + auth = decrypt(data["authenticator"], sk) + next "Replayed authenticator\n" if ReplayCache.include?(auth) + update_replaycache!(auth) + aun, aws, als, ats = auth.split(?,) als = als.to_i ats = ats.to_i rescue OpenSSL::Cipher::CipherError diff --git a/5.1/get_mail.rb b/5.1/get_mail.rb index 4df3024..fde3dd4 100755 --- a/5.1/get_mail.rb +++ b/5.1/get_mail.rb @@ -20,7 +20,7 @@ end def gen_auth(un, ws, sk) ts = Time.now.to_i - encrypt("#{un},#{ws},120,#{ts}", sk) + encrypt("#{un},#{ws},300,#{ts}", sk) end def get_ticket(un, wsa, tgt, sv, sk) diff --git a/5.1/mail.rb b/5.1/mail.rb index f0be986..6adf021 100755 --- a/5.1/mail.rb +++ b/5.1/mail.rb @@ -9,6 +9,17 @@ set :port, 4568 Service = "Mail" ServicePassword = "{FvM als.to_i + ats.to_i + } +end + def decrypt(obj, key) ticket = [obj].pack("H*").unpack("C*").pack("c*") cipher = OpenSSL::Cipher::AES.new(256, :CBC).decrypt 
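Review bot: In the `post '/ticket'` hunk of 5.1/charon.rb the replay test and the insert are two separate steps on a shared collection, `ReplayCache.include?(auth)` followed by `update_replaycache!(auth)`. If the server handles requests on more than one thread, two simultaneous submissions of the same authenticator can both pass the test before either is recorded. Doing both under one lock closes that gap: define `ReplayLock = Mutex.new` next to the cache, compute `seen = ReplayLock.synchronize { ReplayCache.include?(auth).tap { |hit| update_replaycache!(auth) unless hit } }`, then `next "Replayed authenticator\n" if seen`. The same two lines are added to `post '/login'` in 5.1/mail.rb and need the same change. The cache definition is not readable on this page, so where the lock lives is an assumption, and the route body continues outside the hunk.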
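Review bot: In `gen_auth` in 5.1/get_mail.rb the authenticator lifetime remains a bare literal inside the format string, now `300`, and that value also appears to set how long the services must remember each authenticator. A named constant with a comment would make the coupling visible: `AUTH_LIFETIME = 300 # seconds; services must keep each authenticator in their replay cache this long`, used as `encrypt("#{un},#{ws},#{AUTH_LIFETIME},#{ts}", sk)`. Both services read `als` from the authenticator itself (`aun, aws, als, ats = auth.split(?,)`), so it is worth confirming that they also enforce their own upper bound on it; no such check is visible in this patch.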
@@ -30,7 +41,10 @@ post '/login' do next "Ticket expired\n" unless Time.now.to_i < (ts + ls) begin - aun, aws, als, ats = decrypt(data["authenticator"], sk).split(?,) + auth = decrypt(data["authenticator"], sk) + next "Replayed authenticator\n" if ReplayCache.include?(auth) + update_replaycache!(auth) + aun, aws, als, ats = auth.split(?,) als = als.to_i ats = ats.to_i rescue OpenSSL::Cipher::CipherError -- cgit v1.2.1
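Review bot: The replay branch in `post '/login'` returns `"Replayed authenticator\n"` to the caller and, as far as the hunk shows, records nothing on the server, although a replayed authenticator is one of the clearer signs that a ticket or session has been captured. Turning the modifier into an `if ReplayCache.include?(auth)` block with a log line before the `next`, for example `warn "replayed authenticator from #{request.ip}"`, would give operators something to alert on. The decrypted authenticator itself should stay out of the log. The `/ticket` route in 5.1/charon.rb has the same branch, and the route body here starts and ends outside the hunk.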