初步接入米家小爱音箱 #250

Soulter · 2025-01-24T18:30:21Z

No description provided.

astrbot/core/platform/sources/mispeaker/miservice/miaccount.py

+                    '_sign': resp['_sign'],
+                    'callback': resp['callback'],
+                    'user': self.username,
+                    'hash': hashlib.md5(self.password.encode()).hexdigest().upper()


To fix the problem, we need to replace the use of the MD5 hashing algorithm with a more secure and computationally expensive hashing algorithm suitable for passwords. One of the best options is to use the argon2 algorithm, which is designed for secure password hashing. This will involve importing the argon2 library and updating the code to use argon2 for hashing the password.

Install the argon2-cffi package if it is not already installed.

Import the PasswordHasher class from the argon2 library.

Replace the MD5 hashing code with argon2 hashing.

astrbot/core/platform/sources/mispeaker/miservice/miioservice.py

+    def miot_decode(ssecurity, nonce, data, gzip=False):
+        from Crypto.Cipher import ARC4
+        r = ARC4.new(base64.b64decode(MiIOService.sign_nonce(ssecurity, nonce)))
+        r.encrypt(bytes(1024))


To fix the problem, we need to replace the use of the ARC4 algorithm with a more secure algorithm, such as AES. This involves:

Importing the AES module from Crypto.Cipher.

Modifying the miot_decode method to use AES for decryption.

Ensuring that the key and data are appropriately handled for AES encryption/decryption.

astrbot/core/platform/sources/mispeaker/miservice/miioservice.py

+        from Crypto.Cipher import ARC4
+        r = ARC4.new(base64.b64decode(MiIOService.sign_nonce(ssecurity, nonce)))
+        r.encrypt(bytes(1024))
+        decrypted = r.encrypt(base64.b64decode(data))


To fix the problem, we should replace the use of the ARC4 algorithm with a stronger, modern cryptographic algorithm such as AES. The pycryptodome library provides an implementation of AES that we can use. Specifically, we will use AES in CTR (Counter) mode, which is suitable for stream encryption and is a direct replacement for ARC4 in this context.

We need to:

Import the AES module from Crypto.Cipher.

Replace the ARC4 cipher initialization with AES.

Adjust the encryption process to use AES.

feat: 初步接入米家小爱音箱

6c18971

github-advanced-security bot found potential problems Jan 24, 2025

View reviewed changes

Soulter force-pushed the feat-platform-mispeaker branch from 99edcc5 to 6c18971 Compare March 7, 2025 02:32

Soulter force-pushed the master branch from 336ce39 to 7de27ab Compare March 7, 2025 02:32

Soulter force-pushed the master branch from 88f9973 to 02f21e0 Compare March 31, 2025 02:59

@@ -1,3 +1,2 @@
             import base64
-            import hashlib
             import json
@@ -10,2 +9,3 @@
             from aiofiles import open as async_open
+            from argon2 import PasswordHasher
@@ -51,2 +51,3 @@
                     self.token = None
+                    self.ph = PasswordHasher()
@@ -65,3 +66,3 @@
                                 'user': self.username,
-                                'hash': hashlib.md5(self.password.encode()).hexdigest().upper()
+                                'hash': self.ph.hash(self.password)
                             }

@@ -19,2 +19,3 @@
             aiodocker
-            silk-python
+            silk-python
+            argon2-cffi==23.1.0

Package	Version	Security advisories
argon2-cffi (pypi)	23.1.0	None

@@ -165,6 +165,6 @@
                 def miot_decode(ssecurity, nonce, data, gzip=False):
-                    from Crypto.Cipher import ARC4
-                    r = ARC4.new(base64.b64decode(MiIOService.sign_nonce(ssecurity, nonce)))
-                    r.encrypt(bytes(1024))
-                    decrypted = r.encrypt(base64.b64decode(data))
+                    from Crypto.Cipher import AES
+                    key = base64.b64decode(MiIOService.sign_nonce(ssecurity, nonce))
+                    cipher = AES.new(key, AES.MODE_EAX, nonce=base64.b64decode(nonce))
+                    decrypted = cipher.decrypt(base64.b64decode(data))
                     if gzip:

@@ -165,6 +165,8 @@
                 def miot_decode(ssecurity, nonce, data, gzip=False):
-                    from Crypto.Cipher import ARC4
-                    r = ARC4.new(base64.b64decode(MiIOService.sign_nonce(ssecurity, nonce)))
-                    r.encrypt(bytes(1024))
-                    decrypted = r.encrypt(base64.b64decode(data))
+                    from Crypto.Cipher import AES
+                    from Crypto.Util import Counter
+                    key = base64.b64decode(MiIOService.sign_nonce(ssecurity, nonce))
+                    ctr = Counter.new(128, initial_value=int.from_bytes(base64.b64decode(nonce), byteorder='big'))
+                    cipher = AES.new(key, AES.MODE_CTR, counter=ctr)
+                    decrypted = cipher.decrypt(base64.b64decode(data))
                     if gzip:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

初步接入米家小爱音箱 #250

初步接入米家小爱音箱 #250

Soulter commented Jan 24, 2025

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

初步接入米家小爱音箱 #250

Are you sure you want to change the base?

初步接入米家小爱音箱 #250

Conversation

Soulter commented Jan 24, 2025

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix