def teredoAddrExtractInfo(x): """ Extract information from a Teredo address. Return value is a 4-tuple made of IPv4 address of Teredo server, flag value (int), mapped address (non obfuscated) and mapped port (non obfuscated). No specific checks are performed on passed address. """ addr = inet_pton(socket.AF_INET6, x) server = inet_ntop(socket.AF_INET, addr[4:8]) flag = struct.unpack("!H", addr[8:10])[0] mappedport = struct.unpack("!H", strxor(addr[10:12], b'\xff' * 2))[0] mappedaddr = inet_ntop(socket.AF_INET, strxor(addr[12:16], b'\xff' * 4)) return server, flag, mappedaddr, mappedport
def _tls_PRF(secret, label, seed, req_len): """ Provides the implementation of TLS PRF function as defined in section 5 of RFC 4346: PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed) Parameters are: - secret: the secret used by the HMAC in the 2 expansion functions (S1 and S2 are the halves of this secret). - label: specific label as defined in various sections of the RFC depending on the use of the generated PRF keystream - seed: the seed used by the expansion functions. - req_len: amount of keystream to be generated """ l = (len(secret) + 1) / 2 S1 = secret[:l] S2 = secret[-l:] a1 = _tls_P_MD5(S1, label + seed, req_len) a2 = _tls_P_SHA1(S2, label + seed, req_len) return strxor(a1, a2)
def _tls_PRF(secret, label, seed, req_len): """ Provides the implementation of TLS PRF function as defined in section 5 of RFC 4346: PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed) Parameters are: - secret: the secret used by the HMAC in the 2 expansion functions (S1 and S2 are the halves of this secret). - label: specific label as defined in various sections of the RFC depending on the use of the generated PRF keystream - seed: the seed used by the expansion functions. - req_len: amount of keystream to be generated """ tmp_len = (len(secret) + 1) // 2 S1 = secret[:tmp_len] S2 = secret[-tmp_len:] a1 = _tls_P_MD5(S1, label + seed, req_len) a2 = _tls_P_SHA1(S2, label + seed, req_len) return strxor(a1, a2)
def pkcs_emsa_pss_verify(M, EM, emBits, h, mgf, sLen): """ Implements EMSA-PSS-VERIFY() function described in Sect. 9.1.2 of RFC 3447 Input: M : message to be encoded, an octet string EM : encoded message, an octet string of length emLen=ceil(emBits/8) emBits: maximal bit length of the integer resulting of pkcs_os2ip(EM) h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). hLen denotes the length in octets of the hash function output. mgf : the mask generation function f : seed, maskLen -> mask sLen : intended length in octets of the salt Output: True if the verification is ok, False otherwise. """ # 1) is not done hLen = _hashFuncParams[h][0] # 2) hFunc = _hashFuncParams[h][2] mHash = hFunc(M) emLen = int(math.ceil(emBits / 8.)) # 3) if emLen < hLen + sLen + 2: return False if EM[-1] != '\xbc': # 4) return False l = emLen - hLen - 1 # 5) maskedDB = EM[:l] H = EM[l:l + hLen] l = (8 * emLen - emBits) / 8 # 6) rem = 8 * emLen - emBits - 8 * l # additionnal bits andMask = l * '\xff' if rem: val = reduce(lambda x, y: x + y, map(lambda x: 1 << x, range(8 - rem))) j = chr(~val & 0xff) andMask += j l += 1 if strand(maskedDB[:l], andMask) != '\x00' * l: return False dbMask = mgf(H, emLen - hLen - 1) # 7) DB = strxor(maskedDB, dbMask) # 8) l = (8 * emLen - emBits) / 8 # 9) rem = 8 * emLen - emBits - 8 * l # additionnal bits andMask = l * '\x00' if rem: j = chr( reduce(lambda x, y: x + y, map(lambda x: 1 << x, range(8 - rem)))) andMask += j l += 1 DB = strand(DB[:l], andMask) + DB[l:] l = emLen - hLen - sLen - 1 # 10) if DB[:l] != '\x00' * (l - 1) + '\x01': return False salt = DB[-sLen:] # 11) MPrime = '\x00' * 8 + mHash + salt # 12) HPrime = hFunc(MPrime) # 13) return H == HPrime # 14)
def pkcs_emsa_pss_verify(M, EM, emBits, h, mgf, sLen): """ Implements EMSA-PSS-VERIFY() function described in Sect. 9.1.2 of RFC 3447 Input: M : message to be encoded, an octet string EM : encoded message, an octet string of length emLen = ceil(emBits/8) emBits: maximal bit length of the integer resulting of pkcs_os2ip(EM) h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). hLen denotes the length in octets of the hash function output. mgf : the mask generation function f : seed, maskLen -> mask sLen : intended length in octets of the salt Output: True if the verification is ok, False otherwise. """ # 1) is not done hLen = _hashFuncParams[h][0] # 2) hFunc = _hashFuncParams[h][1] mHash = hFunc(M) emLen = int(math.ceil(emBits/8.)) # 3) if emLen < hLen + sLen + 2: return False if EM[-1] != '\xbc': # 4) return False l = emLen - hLen - 1 # 5) maskedDB = EM[:l] H = EM[l:l+hLen] l = (8*emLen - emBits)/8 # 6) rem = 8*emLen - emBits - 8*l # additionnal bits andMask = l*'\xff' if rem: val = reduce(lambda x,y: x+y, map(lambda x: 1<<x, range(8-rem))) j = chr(~val & 0xff) andMask += j l += 1 if strand(maskedDB[:l], andMask) != '\x00'*l: return False dbMask = mgf(H, emLen - hLen - 1) # 7) DB = strxor(maskedDB, dbMask) # 8) l = (8*emLen - emBits)/8 # 9) rem = 8*emLen - emBits - 8*l # additionnal bits andMask = l*'\x00' if rem: j = chr(reduce(lambda x,y: x+y, map(lambda x: 1<<x, range(8-rem)))) andMask += j l += 1 DB = strand(DB[:l], andMask) + DB[l:] l = emLen - hLen - sLen - 1 # 10) if DB[:l] != '\x00'*(l-1) + '\x01': return False salt = DB[-sLen:] # 11) MPrime = '\x00'*8 + mHash + salt # 12) HPrime = hFunc(MPrime) # 13) return H == HPrime # 14)
def hash(self): s1 = struct.pack("!H", self.sport) s2 = struct.pack("!H", self.dport) family = socket.AF_INET if ':' in self.ipsrc: family = socket.AF_INET6 s1 += socket.inet_pton(family, self.ipsrc) s2 += socket.inet_pton(family, self.ipdst) return strxor(s1, s2)
def hashret(self): if (self.proto == socket.IPPROTO_ICMP) and (isinstance( self.payload, ICMP)) and (self.payload.type in [3, 4, 5, 11, 12]): return self.payload.payload.hashret() if not conf.checkIPinIP and self.proto in [4, 41]: # IP, IPv6 return self.payload.hashret() if self.dst == "224.0.0.251": # mDNS return struct.pack("B", self.proto) + self.payload.hashret() if conf.checkIPsrc and conf.checkIPaddr: return strxor(socket.inet_pton(socket.AF_INET, self.src), socket.inet_pton( socket.AF_INET, self.dst)) + struct.pack( "B", self.proto) + self.payload.hashret() return struct.pack("B", self.proto) + self.payload.hashret()
def pkcs_emsa_pss_encode(M, emBits, h, mgf, sLen): """ Implements EMSA-PSS-ENCODE() function described in Sect. 9.1.1 of RFC 3447 Input: M : message to be encoded, an octet string emBits: maximal bit length of the integer resulting of pkcs_os2ip(EM), where EM is the encoded message, output of the function. h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). hLen denotes the length in octets of the hash function output. mgf : the mask generation function f : seed, maskLen -> mask sLen : intended length in octets of the salt Output: encoded message, an octet string of length emLen = ceil(emBits/8) On error, None is returned. """ # 1) is not done hLen = _hashFuncParams[h][0] # 2) hFunc = _hashFuncParams[h][2] mHash = hFunc(M) emLen = int(math.ceil(emBits / 8.)) if emLen < hLen + sLen + 2: # 3) warning("encoding error (emLen < hLen + sLen + 2)") return None salt = randstring(sLen) # 4) MPrime = '\x00' * 8 + mHash + salt # 5) H = hFunc(MPrime) # 6) PS = '\x00' * (emLen - sLen - hLen - 2) # 7) DB = PS + '\x01' + salt # 8) dbMask = mgf(H, emLen - hLen - 1) # 9) maskedDB = strxor(DB, dbMask) # 10) l = (8 * emLen - emBits) / 8 # 11) rem = 8 * emLen - emBits - 8 * l # additionnal bits andMask = l * '\x00' if rem: j = chr( reduce(lambda x, y: x + y, map(lambda x: 1 << x, range(8 - rem)))) andMask += j l += 1 maskedDB = strand(maskedDB[:l], andMask) + maskedDB[l:] EM = maskedDB + H + '\xbc' # 12) return EM # 13)
def pkcs_emsa_pss_encode(M, emBits, h, mgf, sLen): """ Implements EMSA-PSS-ENCODE() function described in Sect. 9.1.1 of RFC 3447 Input: M : message to be encoded, an octet string emBits: maximal bit length of the integer resulting of pkcs_os2ip(EM), where EM is the encoded message, output of the function. h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). hLen denotes the length in octets of the hash function output. mgf : the mask generation function f : seed, maskLen -> mask sLen : intended length in octets of the salt Output: encoded message, an octet string of length emLen = ceil(emBits/8) On error, None is returned. """ # 1) is not done hLen = _hashFuncParams[h][0] # 2) hFunc = _hashFuncParams[h][1] mHash = hFunc(M) emLen = int(math.ceil(emBits/8.)) if emLen < hLen + sLen + 2: # 3) warning("encoding error (emLen < hLen + sLen + 2)") return None salt = randstring(sLen) # 4) MPrime = '\x00'*8 + mHash + salt # 5) H = hFunc(MPrime) # 6) PS = '\x00'*(emLen - sLen - hLen - 2) # 7) DB = PS + '\x01' + salt # 8) dbMask = mgf(H, emLen - hLen - 1) # 9) maskedDB = strxor(DB, dbMask) # 10) l = (8*emLen - emBits)/8 # 11) rem = 8*emLen - emBits - 8*l # additionnal bits andMask = l*'\x00' if rem: j = chr(reduce(lambda x,y: x+y, map(lambda x: 1<<x, range(8-rem)))) andMask += j l += 1 maskedDB = strand(maskedDB[:l], andMask) + maskedDB[l:] EM = maskedDB + H + '\xbc' # 12) return EM # 13)
def _rsaes_oaep_encrypt(self, M, h=None, mgf=None, L=None): """ Internal method providing RSAES-OAEP-ENCRYPT as defined in Sect. 7.1.1 of RFC 3447. Not intended to be used directly. Please, see encrypt() method for type "OAEP". Input: M : message to be encrypted, an octet string of length mLen where mLen <= k - 2*hLen - 2 (k denotes the length in octets of the RSA modulus and hLen the length in octets of the hash function output) h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). hLen denotes the length in octets of the hash function output. 'sha1' is used by default if not provided. mgf: the mask generation function f : seed, maskLen -> mask L : optional label to be associated with the message; the default value for L, if not provided is the empty string Output: ciphertext, an octet string of length k On error, None is returned. """ # The steps below are the one described in Sect. 7.1.1 of RFC 3447. # 1) Length Checking # 1.a) is not done mLen = len(M) if h is None: h = "sha1" if not _hashFuncParams.has_key(h): warning("Key._rsaes_oaep_encrypt(): unknown hash function %s.", h) return None hLen = _hashFuncParams[h][0] hFun = _hashFuncParams[h][1] k = self.modulusLen / 8 if mLen > k - 2 * hLen - 2: # 1.b) warning("Key._rsaes_oaep_encrypt(): message too long.") return None # 2) EME-OAEP encoding if L is None: # 2.a) L = "" lHash = hFun(L) PS = '\x00' * (k - mLen - 2 * hLen - 2) # 2.b) DB = lHash + PS + '\x01' + M # 2.c) seed = randstring(hLen) # 2.d) if mgf is None: # 2.e) mgf = lambda x, y: pkcs_mgf1(x, y, h) dbMask = mgf(seed, k - hLen - 1) maskedDB = strxor(DB, dbMask) # 2.f) seedMask = mgf(maskedDB, hLen) # 2.g) maskedSeed = strxor(seed, seedMask) # 2.h) EM = '\x00' + maskedSeed + maskedDB # 2.i) # 3) RSA Encryption m = pkcs_os2ip(EM) # 3.a) c = self._rsaep(m) # 3.b) C = pkcs_i2osp(c, k) # 3.c) return C # 4)
def _get_nonce(self, seq_num): padlen = self.fixed_iv_len - len(seq_num) padded_seq_num = b"\x00" * padlen + seq_num return strxor(padded_seq_num, self.fixed_iv)
def _rsaes_oaep_encrypt(self, M, h=None, mgf=None, L=None): """ Internal method providing RSAES-OAEP-ENCRYPT as defined in Sect. 7.1.1 of RFC 3447. Not intended to be used directly. Please, see encrypt() method for type "OAEP". Input: M : message to be encrypted, an octet string of length mLen where mLen <= k - 2*hLen - 2 (k denotes the length in octets of the RSA modulus and hLen the length in octets of the hash function output) h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). hLen denotes the length in octets of the hash function output. 'sha1' is used by default if not provided. mgf: the mask generation function f : seed, maskLen -> mask L : optional label to be associated with the message; the default value for L, if not provided is the empty string Output: ciphertext, an octet string of length k On error, None is returned. """ # The steps below are the one described in Sect. 7.1.1 of RFC 3447. # 1) Length Checking # 1.a) is not done mLen = len(M) if h is None: h = "sha1" if not _hashFuncParams.has_key(h): warning("Key._rsaes_oaep_encrypt(): unknown hash function %s.", h) return None hLen = _hashFuncParams[h][0] hFun = _hashFuncParams[h][1] k = self.modulusLen / 8 if mLen > k - 2*hLen - 2: # 1.b) warning("Key._rsaes_oaep_encrypt(): message too long.") return None # 2) EME-OAEP encoding if L is None: # 2.a) L = "" lHash = hFun(L) PS = '\x00'*(k - mLen - 2*hLen - 2) # 2.b) DB = lHash + PS + '\x01' + M # 2.c) seed = randstring(hLen) # 2.d) if mgf is None: # 2.e) mgf = lambda x,y: pkcs_mgf1(x,y,h) dbMask = mgf(seed, k - hLen - 1) maskedDB = strxor(DB, dbMask) # 2.f) seedMask = mgf(maskedDB, hLen) # 2.g) maskedSeed = strxor(seed, seedMask) # 2.h) EM = '\x00' + maskedSeed + maskedDB # 2.i) # 3) RSA Encryption m = pkcs_os2ip(EM) # 3.a) c = self._rsaep(m) # 3.b) C = pkcs_i2osp(c, k) # 3.c) return C # 4)
def _rsaes_oaep_decrypt(self, C, h=None, mgf=None, L=None): """ Internal method providing RSAES-OAEP-DECRYPT as defined in Sect. 7.1.2 of RFC 3447. Not intended to be used directly. Please, see encrypt() method for type "OAEP". Input: C : ciphertext to be decrypted, an octet string of length k, where k = 2*hLen + 2 (k denotes the length in octets of the RSA modulus and hLen the length in octets of the hash function output) h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). 'sha1' is used if none is provided. mgf: the mask generation function f : seed, maskLen -> mask L : optional label whose association with the message is to be verified; the default value for L, if not provided is the empty string. Output: message, an octet string of length k mLen, where mLen <= k - 2*hLen - 2 On error, None is returned. """ # The steps below are the one described in Sect. 7.1.2 of RFC 3447. # 1) Length Checking # 1.a) is not done if h is None: h = "sha1" if not _hashFuncParams.has_key(h): warning("Key._rsaes_oaep_decrypt(): unknown hash function %s.", h) return None hLen = _hashFuncParams[h][0] hFun = _hashFuncParams[h][1] k = self.modulusLen / 8 cLen = len(C) if cLen != k: # 1.b) warning("Key._rsaes_oaep_decrypt(): decryption error. " "(cLen != k)") return None if k < 2*hLen + 2: warning("Key._rsaes_oaep_decrypt(): decryption error. " "(k < 2*hLen + 2)") return None # 2) RSA decryption c = pkcs_os2ip(C) # 2.a) m = self._rsadp(c) # 2.b) EM = pkcs_i2osp(m, k) # 2.c) # 3) EME-OAEP decoding if L is None: # 3.a) L = "" lHash = hFun(L) Y = EM[:1] # 3.b) if Y != '\x00': warning("Key._rsaes_oaep_decrypt(): decryption error. " "(Y is not zero)") return None maskedSeed = EM[1:1+hLen] maskedDB = EM[1+hLen:] if mgf is None: mgf = lambda x,y: pkcs_mgf1(x, y, h) seedMask = mgf(maskedDB, hLen) # 3.c) seed = strxor(maskedSeed, seedMask) # 3.d) dbMask = mgf(seed, k - hLen - 1) # 3.e) DB = strxor(maskedDB, dbMask) # 3.f) # I am aware of the note at the end of 7.1.2 regarding error # conditions reporting but the one provided below are for _local_ # debugging purposes. --arno lHashPrime = DB[:hLen] # 3.g) tmp = DB[hLen:].split('\x01', 1) if len(tmp) != 2: warning("Key._rsaes_oaep_decrypt(): decryption error. " "(0x01 separator not found)") return None PS, M = tmp if PS != '\x00'*len(PS): warning("Key._rsaes_oaep_decrypt(): decryption error. " "(invalid padding string)") return None if lHash != lHashPrime: warning("Key._rsaes_oaep_decrypt(): decryption error. " "(invalid hash)") return None return M # 4)
def _rsaes_oaep_decrypt(self, C, h=None, mgf=None, L=None): """ Internal method providing RSAES-OAEP-DECRYPT as defined in Sect. 7.1.2 of RFC 3447. Not intended to be used directly. Please, see encrypt() method for type "OAEP". Input: C : ciphertext to be decrypted, an octet string of length k, where k = 2*hLen + 2 (k denotes the length in octets of the RSA modulus and hLen the length in octets of the hash function output) h : hash function name (in 'md2', 'md4', 'md5', 'sha1', 'tls', 'sha256', 'sha384'). 'sha1' is used if none is provided. mgf: the mask generation function f : seed, maskLen -> mask L : optional label whose association with the message is to be verified; the default value for L, if not provided is the empty string. Output: message, an octet string of length k mLen, where mLen <= k - 2*hLen - 2 On error, None is returned. """ # The steps below are the one described in Sect. 7.1.2 of RFC 3447. # 1) Length Checking # 1.a) is not done if h is None: h = "sha1" if not _hashFuncParams.has_key(h): warning("Key._rsaes_oaep_decrypt(): unknown hash function %s.", h) return None hLen = _hashFuncParams[h][0] hFun = _hashFuncParams[h][1] k = self.modulusLen / 8 cLen = len(C) if cLen != k: # 1.b) warning("Key._rsaes_oaep_decrypt(): decryption error. " "(cLen != k)") return None if k < 2 * hLen + 2: warning("Key._rsaes_oaep_decrypt(): decryption error. " "(k < 2*hLen + 2)") return None # 2) RSA decryption c = pkcs_os2ip(C) # 2.a) m = self._rsadp(c) # 2.b) EM = pkcs_i2osp(m, k) # 2.c) # 3) EME-OAEP decoding if L is None: # 3.a) L = "" lHash = hFun(L) Y = EM[:1] # 3.b) if Y != '\x00': warning("Key._rsaes_oaep_decrypt(): decryption error. " "(Y is not zero)") return None maskedSeed = EM[1:1 + hLen] maskedDB = EM[1 + hLen:] if mgf is None: mgf = lambda x, y: pkcs_mgf1(x, y, h) seedMask = mgf(maskedDB, hLen) # 3.c) seed = strxor(maskedSeed, seedMask) # 3.d) dbMask = mgf(seed, k - hLen - 1) # 3.e) DB = strxor(maskedDB, dbMask) # 3.f) # I am aware of the note at the end of 7.1.2 regarding error # conditions reporting but the one provided below are for _local_ # debugging purposes. --arno lHashPrime = DB[:hLen] # 3.g) tmp = DB[hLen:].split('\x01', 1) if len(tmp) != 2: warning("Key._rsaes_oaep_decrypt(): decryption error. " "(0x01 separator not found)") return None PS, M = tmp if PS != '\x00' * len(PS): warning("Key._rsaes_oaep_decrypt(): decryption error. " "(invalid padding string)") return None if lHash != lHashPrime: warning("Key._rsaes_oaep_decrypt(): decryption error. " "(invalid hash)") return None return M # 4)