def make_chain_hmac(self, key, start, input, algo='sha1'):
    """Build a chained list of (digest, value) pairs over start and input.

    The first link is HMAC(key, repr(start)); every later link is
    HMAC(previous_digest, repr(item)), so each digest depends on all the
    values before it.  ``algo`` is passed through to M2Crypto unchanged.

    Returns a list of ``(digest, value)`` tuples, head first.

    NOTE(review): only the head link is keyed with ``key``.  Every later
    link is keyed with a digest that is itself stored in the returned
    chain, so the chain authenticates ``start`` against ``key`` but gives
    no keyed protection to later values if the chain is stored or sent
    where it can be modified.  Confirm this matches the intended use.

    NOTE(review): the MAC input is repr(value), which depends on the
    value's Python type (and interpreter version); producer and verifier
    must agree on both.
    """
    from M2Crypto.EVP import hmac

    link = hmac(key, repr(start), algo)
    links = [(link, start)]
    for item in input:
        # Re-key with the previous digest to tie this item to its history.
        link = hmac(link, repr(item), algo)
        links.append((link, item))
    return links
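def verify_chain_hmac(self, key, start, chain, algo='sha1'):
    """Check a chain of (digest, value) pairs built from key and start.

    Recomputes HMAC(key, repr(start)) for the head, then
    HMAC(previous_digest, repr(value)) for each following link, and
    compares every recomputed digest with the one stored in ``chain``.

    Returns 1 when every link matches and the head value equals
    ``start``; returns 0 otherwise, including for an empty chain.

    NOTE(review): links after the head are keyed with a digest that is
    stored in the chain itself, so a successful result only binds the
    head (digest, start) to ``key``.  Do not treat later values as
    authenticated against ``key`` unless the chain's integrity is
    protected some other way.
    """
    # compare_digest is in the standard library from Python 2.7.7 / 3.3.
    from hmac import compare_digest
    from M2Crypto.EVP import hmac

    def _same_digest(expected, supplied):
        # Constant-time comparison, so response timing does not reveal
        # how many leading bytes of a supplied digest were correct.
        try:
            return compare_digest(expected, supplied)
        except TypeError:
            # A supplied digest of the wrong type can never match.
            return False

    if not chain:
        # Nothing to verify; previously this raised IndexError.
        return 0

    digest = hmac(key, repr(start), algo)
    head = chain[0]
    if not _same_digest(digest, head[0]) or head[1] != start:
        return 0

    for stored, value in chain[1:]:
        digest = hmac(digest, repr(value), algo)
        if not _same_digest(digest, stored):
            return 0
    return 1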
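def verify_chain_hmac(key, start, chain, algo="sha1"):
    """Check a chain of (digest, value) pairs and print the outcome.

    Recomputes HMAC(key, repr(start)) for the head, then
    HMAC(previous_digest, repr(value)) for each following link, and
    compares every recomputed digest with the one stored in ``chain``.

    Prints "ok" and returns 1 when every link matches and the head value
    equals ``start``; prints "verify failed" and returns 0 otherwise,
    including for an empty chain.

    NOTE(review): links after the head are keyed with a digest that is
    stored in the chain itself, so a successful result only binds the
    head (digest, start) to ``key``.  Do not treat later values as
    authenticated against ``key`` unless the chain's integrity is
    protected some other way.
    """
    # compare_digest is in the standard library from Python 2.7.7 / 3.3.
    from hmac import compare_digest
    from M2Crypto.EVP import hmac

    def _same_digest(expected, supplied):
        # Constant-time comparison, so response timing does not reveal
        # how many leading bytes of a supplied digest were correct.
        try:
            return compare_digest(expected, supplied)
        except TypeError:
            # A supplied digest of the wrong type can never match.
            return False

    if not chain:
        # Nothing to verify; previously this raised IndexError.
        print("verify failed")
        return 0

    digest = hmac(key, repr(start), algo)
    head = chain[0]
    if not _same_digest(digest, head[0]) or head[1] != start:
        print("verify failed")
        return 0

    for stored, value in chain[1:]:
        digest = hmac(digest, repr(value), algo)
        if not _same_digest(digest, stored):
            print("verify failed")
            return 0

    print("ok")
    return 1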
def three(self, m2):
    """Process the peer's message m2 and derive the final session key.

    Reads the peer's value from ``m2["A"]`` (a hex string) and its proof
    from ``m2["zkp_A"]``, checks the proof against the generator
    gx1*gx2*gx3 mod p, computes the shared number K, stores it on
    ``self.K`` and returns an HMAC-SHA256 of K as the key.

    NOTE(review): the return value of checkZKP is not inspected here, so
    a bad proof is presumably rejected by checkZKP raising -- confirm,
    because otherwise K would be derived from an unverified value.
    """
    modulus = self.params.p
    order = self.params.q
    B = int(m2["A"], 16)

    # The proof is checked against g^(x1+x2+x3), assembled from the three
    # stored public values.
    generator = (self.gx1 * self.gx2) % modulus
    generator = (generator * self.gx3) % modulus
    self.checkZKP(generator, B, m2["zkp_A"])

    # Target: (B / g^(x2*x4*s))^x2, using the peer's g^x4 kept in gx4.
    # Raising gx4^x2 to (q - s) gives (gx4^x2)^-s, which removes the
    # password term once multiplied into B; the outer ^x2 finishes K.
    # (The paper hints that two pow() calls suffice; three are used here.)
    unblind = pow(pow(self.gx4, self.x2, modulus), order - self.s, modulus)
    K = pow((B * unblind) % modulus, self.x2, modulus)

    # Keep the raw K so callers that must interoperate with an
    # OpenSSL-based peer (whose JPAKE_get_shared_key() returns raw K) can
    # apply a different hash.  K must always be hashed before use so the
    # number itself is never exposed.
    self.K = K

    # The HMAC key is a fixed run of 32 NUL bytes, so this step acts as a
    # hash of the fixed-width encoding of K rather than a keyed MAC.
    encoded_k = number_to_string(K, self.params.orderlen)
    return hmac("\0"*32, encoded_k, algo="sha256")