38c87148d7
Currently `Util.java` uses the SHA1PRNG algorithm by Sun/Oracle
to get randomness for `nextBytes` etc. - from the documentation"
```
** On Solaris, Linux, and OS X, if the entropy gathering device in
java.security is set to file:/dev/urandom or file:/dev/random, then
NativePRNG is preferred to SHA1PRNG. Otherwise, SHA1PRNG is preferred.
```
and:
```
The following algorithms are available in the SUN provider:
[...]
SecureRandom
{
SHA1PRNG (Initial seeding is currently done via a combination of system attributes and the java.security entropy gathering device)
NativePRNG (nextBytes() uses /dev/urandom, generateSeed() uses /dev/random)
NativePRNGBlocking (nextBytes() and generateSeed() use /dev/random)
NativePRNGNonBlocking (nextBytes() and generateSeed() use /dev/urandom)
}
```
via: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SecureRandomImp
Using `/dev/urandom` (non-blocking, reworked in new linux kernel
releases) also reflects the opinion of many leading cryptographers over
any other solution of PRNGs out there, here's two blog posts to
underline this/my statement:
- https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
- https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
- https://www.2uo.de/myths-about-urandom
Since we're not re-seeding a lot we're good using a blocking /dev/random
for seed generation (which is thus also more secure) and a faster, newly
re-written implementation of /dev/urandom for random bytes. I think this
is the best choice we have available here.
I did also give a talk on the subject matter, in case you're interested
a year ago: https://www.youtube.com/watch?v=Yx4RroggBzI (including
mentioned changes to Linux's CSPRNG design).
|
||
|---|---|---|
| .idea/codeStyles | ||
| data | ||
| gradle/wrapper | ||
| man | ||
| src/main | ||
| .gitignore | ||
| .travis.yml | ||
| build.gradle | ||
| gradlew | ||
| gradlew.bat | ||
| LICENSE | ||
| README.md | ||
| settings.gradle | ||
signal-cli
signal-cli is a commandline interface for libsignal-service-java. It supports registering, verifying, sending and receiving messages. To be able to link to an existing Signal-Android/signal-cli instance, signal-cli uses a patched libsignal-service-java, because libsignal-service-java does not yet support provisioning as a slave device. For registering you need a phone number where you can receive SMS or incoming calls. signal-cli is primarily intended to be used on servers to notify admins of important events. For this use-case, it has a dbus interface, that can be used to send messages from any programming language that has dbus bindings.
Installation
You can build signal-cli yourself, or use the provided binary files, which should work on Linux, macOS and Windows. For Arch Linux there is also a package in AUR. You need to have at least JRE 7 installed, to run signal-cli.
Install system-wide on Linux
See latest version.
export VERSION=<latest version, format "x.y.z">
wget https://github.com/AsamK/signal-cli/releases/download/v"${VERSION}"/signal-cli-"${VERSION}".tar.gz
sudo tar xf signal-cli-"${VERSION}".tar.gz -C /opt
sudo ln -sf /opt/signal-cli-"${VERSION}"/bin/signal-cli /usr/local/bin/
You can find further instructions on the Wiki:
Usage
Important: The USERNAME (your phone number) must include the country calling code, i.e. the number must start with a "+" sign. (See Wikipedia for a list of all country codes.
-
Register a number (with SMS verification)
signal-cli -u USERNAME register -
Verify the number using the code received via SMS or voice
signal-cli -u USERNAME verify CODE -
Send a message
signal-cli -u USERNAME send -m "This is a message" RECIPIENT -
Pipe the message content from another process.
uname -a | signal-cli -u USERNAME send RECIPIENT -
Receive messages
signal-cli -u USERNAME receive
For more information read the man page and the wiki.
Storage
The password and cryptographic keys are created when registering and stored in the current users home directory:
$HOME/.config/signal/data/
For legacy users, the old config directory is used as a fallback:
$HOME/.config/textsecure/data/
Building
This project uses Gradle for building and maintaining
dependencies. If you have a recent gradle version installed, you can replace ./gradlew with gradle in the following steps.
-
Checkout the source somewhere on your filesystem with
git clone https://github.com/AsamK/signal-cli.git -
Execute Gradle:
./gradlew build -
Create shell wrapper in build/install/signal-cli/bin:
./gradlew installDist -
Create tar file in build/distributions:
./gradlew distTar
Troubleshooting
If you use a version of the Oracle JRE and get an InvalidKeyException you need to enable unlimited strength crypto. See https://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters for instructions.
License
This project uses libsignal-service-java from Open Whisper Systems:
https://github.com/WhisperSystems/libsignal-service-java
Licensed under the GPLv3: http://www.gnu.org/licenses/gpl-3.0.html