Example #1
0
    def test_sha256(self):
        user = b'SYSDBA'
        password = b'masterkey'

        A, a = srp.client_seed(srp.DEBUG_PRIVATE_KEY)

        salt = srp.DEBUG_SALT
        v = srp.get_verifier(user, password, salt)
        B, b = srp.server_seed(v, srp.DEBUG_PRIVATE_KEY)

        serverKey = srp.server_session(user, password, salt, A, B, b)

        M, clientKey = srp.client_proof(user, password, salt, A, B, a, hashlib.sha256)
        self.assertEqual(clientKey, serverKey)
        self.assertEqual(M, binascii.unhexlify('4675c18056c04b00cc2b991662324c22c6f08bb90beb3677416b03469a770308'))
Example #2
0
    def test_sha1(self):
        user = b'SYSDBA'
        password = b'masterkey'

        A, a = srp.client_seed(srp.DEBUG_PRIVATE_KEY)

        salt = srp.DEBUG_SALT
        v = srp.get_verifier(user, password, salt)
        B, b = srp.server_seed(v, srp.DEBUG_PRIVATE_KEY)

        serverKey = srp.server_session(user, password, salt, A, B, b)

        M, clientKey = srp.client_proof(user, password, salt, A, B, a, hashlib.sha1)
        self.assertEqual(clientKey, serverKey)
        self.assertEqual(M, binascii.unhexlify('8c12324bb6e9e683a3ee62e13905b95d69f028a9'))
Example #3
0
    def test_sha1(self):
        user = b'SYSDBA'
        password = b'masterkey'

        A, a = srp.client_seed(srp.DEBUG_PRIVATE_KEY)

        salt = srp.DEBUG_SALT
        v = srp.get_verifier(user, password, salt)
        B, b = srp.server_seed(v, srp.DEBUG_PRIVATE_KEY)

        serverKey = srp.server_session(user, password, salt, A, B, b)

        M, clientKey = srp.client_proof(user, password, salt, A, B, a,
                                        hashlib.sha1)
        self.assertEqual(clientKey, serverKey)
        self.assertEqual(
            M, binascii.unhexlify('8c12324bb6e9e683a3ee62e13905b95d69f028a9'))
Example #4
0
    def test_srp_key_exchange(self):
        user = b'sysdba'
        password = b'masterkey'
    
        # Client send A to Server
        A, a = srp.client_seed()
    
        # Server send B, salt to Client
        salt = srp.get_salt()
        v = srp.get_verifier(user, password, salt)
        B, b = srp.server_seed(v)
    
        serverKey = srp.server_session(user, password, salt, A, B, b)

        # Client send M to Server
        M, clientKey = srp.client_proof(user, password, salt, A, B, a)
    
        # Client and Server has same key
        self.assertEqual(clientKey, serverKey)
Example #5
0
    def test_srp_key_exchange(self):
        user = b'sysdba'
        password = b'masterkey'
    
        # Client send A to Server
        A, a = srp.client_seed()
    
        # Server send B, salt to Client
        salt = srp.get_salt()
        v = srp.get_verifier(user, password, salt)
        B, b = srp.server_seed(v)
    
        serverKey = srp.server_session(user, password, salt, A, B, b)

        # Client send M to Server
        M, clientKey = srp.client_proof(user, password, salt, A, B, a)
    
        # Client and Server has same key
        self.assertEqual(clientKey, serverKey)
Example #6
0
    def test_sha256(self):
        user = b'SYSDBA'
        password = b'masterkey'

        A, a = srp.client_seed(srp.DEBUG_PRIVATE_KEY)

        salt = srp.DEBUG_SALT
        v = srp.get_verifier(user, password, salt)
        B, b = srp.server_seed(v, srp.DEBUG_PRIVATE_KEY)

        serverKey = srp.server_session(user, password, salt, A, B, b)

        M, clientKey = srp.client_proof(user, password, salt, A, B, a,
                                        hashlib.sha256)
        self.assertEqual(clientKey, serverKey)
        self.assertEqual(
            M,
            binascii.unhexlify(
                '4675c18056c04b00cc2b991662324c22c6f08bb90beb3677416b03469a770308'
            ))
Example #7
0
    def _op_accept(self):
        b = self.recv_channel(4)
        while bytes_to_bint(b) == self.op_dummy:
            b = self.recv_channel(4)
        if bytes_to_bint(b) == self.op_reject:
            raise OperationalError('Connection is rejected')

        op_code = bytes_to_bint(b)
        if op_code == self.op_response:
            return self._parse_op_response()    # error occured

        b = self.recv_channel(12)
        self.accept_version = byte_to_int(b[3])
        self.accept_architecture = bytes_to_bint(b[4:8])
        self.accept_type = bytes_to_bint(b[8:])
        self.lazy_response_count = 0

        if op_code == self.op_cond_accept or op_code == self.op_accept_data:
            read_length = 0

            ln = bytes_to_bint(self.recv_channel(4))
            data = self.recv_channel(ln, word_alignment=True)

            ln = bytes_to_bint(self.recv_channel(4))
            self.accept_plugin_name = self.recv_channel(ln, word_alignment=True)

            is_authenticated = bytes_to_bint(self.recv_channel(4))
            read_length += 4
            ln = bytes_to_bint(self.recv_channel(4))
            self.recv_channel(ln, word_alignment=True)   # keys

            if is_authenticated == 0:
                if self.accept_plugin_name == b'Srp':
                    ln = bytes_to_int(data[:2])
                    server_salt = data[2:ln+2]
                    server_public_key = srp.bytes2long(
                        hex_to_bytes(data[4+ln:]))
                    auth_data, session_key = srp.client_proof(
                        self.str_to_bytes(self.user.upper()),
                        self.str_to_bytes(self.password),
                        server_salt,
                        self.client_public_key,
                        server_public_key,
                        self.client_private_key)
                elif self.accept_plugin_name == b'Legacy_Auth':
                    auth_data = get_crypt(self.password)
                else:
                    raise OperationalError('Unauthorized')
                if self.wire_crypt:
                    # send op_cont_auth
                    p = xdrlib.Packer()
                    p.pack_int(self.op_cont_auth)
                    p.pack_string(bytes_to_hex(auth_data))
                    p.pack_bytes(self.accept_plugin_name)
                    p.pack_bytes(self.plugin_list)
                    p.pack_bytes(b'')
                    self.sock.send(p.get_buffer())
                    (h, oid, buf) = self._op_response()

                    # op_crypt: plugin[Arc4] key[Symmetric]
                    p = xdrlib.Packer()
                    p.pack_int(self.op_crypt)
                    p.pack_string(b'Arc4')
                    p.pack_string(b'Symmetric')
                    self.sock.send(p.get_buffer())
                    self.sock.set_translator(
                        ARC4.new(session_key), ARC4.new(session_key))
                    (h, oid, buf) = self._op_response()
                else:   # use later _op_attach() and _op_create()
                    self.auth_data = auth_data
        else:
            assert op_code == self.op_accept
Example #8
0
    def _op_accept(self):
        b = self.recv_channel(4)
        while bytes_to_bint(b) == self.op_dummy:
            b = self.recv_channel(4)
        if bytes_to_bint(b) == self.op_reject:
            raise OperationalError('Connection is rejected')

        op_code = bytes_to_bint(b)
        if op_code == self.op_response:
            return self._parse_op_response()    # error occured

        b = self.recv_channel(12)
        self.accept_version = byte_to_int(b[3])
        self.accept_architecture = bytes_to_bint(b[4:8])
        self.accept_type =  bytes_to_bint(b[8:])

        if op_code == self.op_cond_accept or op_code == self.op_accept_data:
            read_length = 0

            ln = bytes_to_bint(self.recv_channel(4))
            data = self.recv_channel(ln)
            read_length += 4 + ln
            if read_length % 4:
                self.recv_channel(4 - read_length % 4) # padding
                read_length += 4 - read_length % 4

            ln = bytes_to_bint(self.recv_channel(4))
            self.plugin_name = self.recv_channel(ln)
            read_length += 4 + ln
            if read_length % 4:
                self.recv_channel(4 - read_length % 4) # padding
                read_length += 4 - read_length % 4

            is_authenticated = bytes_to_bint(self.recv_channel(4))
            read_length += 4
            ln = bytes_to_bint(self.recv_channel(4))
            keys = self.recv_channel(ln)
            read_length += 4 + ln
            if read_length % 4:
                self.recv_channel(4 - read_length % 4) # padding
                read_length += 4 - read_length % 4

            if self.plugin_name == b'Legacy_Auth' and is_authenticated == 0:
                raise OperationalError('Unauthorized')

            if self.plugin_name == b'Srp':
                ln = bytes_to_int(data[:2])
                server_salt = data[2:ln+2]
                server_public_key = srp.bytes2long(
                                        hex_to_bytes(data[4+ln:]))

                client_proof, auth_key = srp.client_proof(
                                        self.str_to_bytes(self.user.upper()),
                                        self.str_to_bytes(self.password),
                                        server_salt,
                                        self.client_public_key,
                                        server_public_key,
                                        self.client_private_key)
                # send op_cont_auth
                p = xdrlib.Packer()
                p.pack_int(self.op_cont_auth)
                p.pack_string(bytes_to_hex(client_proof))
                p.pack_bytes(self.plugin_name)
                p.pack_bytes(self.plugin_list)
                p.pack_bytes(b'')
                self.sock.send(p.get_buffer())
                (h, oid, buf) = self._op_response()

                # op_crypt: plugin[Arc4] key[Symmetric]
                p = xdrlib.Packer()
                p.pack_int(self.op_crypt)
                p.pack_string(b'Arc4')
                p.pack_string(b'Symmetric')
                self.sock.send(p.get_buffer())
                self.sock.set_translator(Arc4(auth_key), Arc4(auth_key))
                (h, oid, buf) = self._op_response()
        else:
            assert op_code == self.op_accept
Example #9
0
    def _parse_connect_response(self):
        # want and treat op_accept or op_cond_accept or op_accept_data
        b = self.recv_channel(4)
        while bytes_to_bint(b) == self.op_dummy:
            b = self.recv_channel(4)
        if bytes_to_bint(b) == self.op_reject:
            raise OperationalError('Connection is rejected')

        op_code = bytes_to_bint(b)
        if op_code == self.op_response:
            return self._parse_op_response()  # error occured

        b = self.recv_channel(12)
        self.accept_version = byte_to_int(b[3])
        self.accept_architecture = bytes_to_bint(b[4:8])
        self.accept_type = bytes_to_bint(b[8:])
        self.lazy_response_count = 0

        if op_code == self.op_cond_accept or op_code == self.op_accept_data:

            ln = bytes_to_bint(self.recv_channel(4))
            data = self.recv_channel(ln, word_alignment=True)

            ln = bytes_to_bint(self.recv_channel(4))
            self.accept_plugin_name = self.recv_channel(ln,
                                                        word_alignment=True)

            is_authenticated = bytes_to_bint(self.recv_channel(4))
            ln = bytes_to_bint(self.recv_channel(4))
            self.recv_channel(ln, word_alignment=True)  # keys

            if is_authenticated == 0:
                if self.accept_plugin_name in (b'Srp256', b'Srp'):
                    if self.accept_plugin_name == b'Srp256':
                        hash_algo = hashlib.sha256
                    elif self.accept_plugin_name == b'Srp':
                        hash_algo = hashlib.sha1
                    else:
                        raise OperationalError('Unknown auth plugin %s' %
                                               (self.accept_plugin_name))
                    user = self.user
                    if len(user) > 2 and user[0] == user[-1] == '"':
                        user = user[1:-1]
                        user = user.replace('""', '"')
                    else:
                        user = user.upper()

                    if len(data) == 0:
                        raise OperationalError('Unauthorized')
                    ln = bytes_to_int(data[:2])
                    server_salt = data[2:ln + 2]
                    server_public_key = srp.bytes2long(
                        hex_to_bytes(data[4 + ln:]))

                    auth_data, session_key = srp.client_proof(
                        self.str_to_bytes(user),
                        self.str_to_bytes(self.password), server_salt,
                        self.client_public_key, server_public_key,
                        self.client_private_key, hash_algo)
                elif self.accept_plugin_name == b'Legacy_Auth':
                    auth_data = self.str_to_bytes(get_crypt(self.password))
                else:
                    raise OperationalError('Unauthorized')
                if self.wire_crypt:
                    # send op_cont_auth
                    p = xdrlib.Packer()
                    p.pack_int(self.op_cont_auth)
                    p.pack_string(bytes_to_hex(auth_data))
                    p.pack_bytes(self.accept_plugin_name)
                    p.pack_bytes(self.plugin_list)
                    p.pack_bytes(b'')
                    self.sock.send(p.get_buffer())
                    (h, oid, buf) = self._op_response()

                    # op_crypt: plugin[Arc4] key[Symmetric]
                    p = xdrlib.Packer()
                    p.pack_int(self.op_crypt)
                    p.pack_string(b'Arc4')
                    p.pack_string(b'Symmetric')
                    self.sock.send(p.get_buffer())
                    self.sock.set_translator(ARC4.new(session_key),
                                             ARC4.new(session_key))
                    (h, oid, buf) = self._op_response()
                else:  # use later _op_attach() and _op_create()
                    self.auth_data = auth_data
        else:
            assert op_code == self.op_accept
Example #10
0
    def _op_accept(self):
        b = self.recv_channel(4)
        while bytes_to_bint(b) == self.op_dummy:
            b = self.recv_channel(4)
        if bytes_to_bint(b) == self.op_reject:
            raise OperationalError('Connection is rejected')

        op_code = bytes_to_bint(b)
        if op_code == self.op_response:
            return self._parse_op_response()  # error occured

        b = self.recv_channel(12)
        self.accept_version = byte_to_int(b[3])
        self.accept_architecture = bytes_to_bint(b[4:8])
        self.accept_type = bytes_to_bint(b[8:])
        self.lazy_response_count = 0

        if op_code == self.op_cond_accept or op_code == self.op_accept_data:
            read_length = 0

            ln = bytes_to_bint(self.recv_channel(4))
            data = self.recv_channel(ln, word_alignment=True)

            ln = bytes_to_bint(self.recv_channel(4))
            self.accept_plugin_name = self.recv_channel(ln,
                                                        word_alignment=True)

            is_authenticated = bytes_to_bint(self.recv_channel(4))
            read_length += 4
            ln = bytes_to_bint(self.recv_channel(4))
            self.recv_channel(ln, word_alignment=True)  # keys

            if is_authenticated == 0:
                if self.accept_plugin_name == b'Srp':
                    ln = bytes_to_int(data[:2])
                    server_salt = data[2:ln + 2]
                    server_public_key = srp.bytes2long(
                        hex_to_bytes(data[4 + ln:]))
                    auth_data, session_key = srp.client_proof(
                        self.str_to_bytes(self.user.upper()),
                        self.str_to_bytes(self.password), server_salt,
                        self.client_public_key, server_public_key,
                        self.client_private_key)
                elif self.accept_plugin_name == b'Legacy_Auth':
                    auth_data = get_crypt(self.password)
                else:
                    raise OperationalError('Unauthorized')
                if self.wire_crypt:
                    # send op_cont_auth
                    p = xdrlib.Packer()
                    p.pack_int(self.op_cont_auth)
                    p.pack_string(bytes_to_hex(auth_data))
                    p.pack_bytes(self.accept_plugin_name)
                    p.pack_bytes(self.plugin_list)
                    p.pack_bytes(b'')
                    self.sock.send(p.get_buffer())
                    (h, oid, buf) = self._op_response()

                    # op_crypt: plugin[Arc4] key[Symmetric]
                    p = xdrlib.Packer()
                    p.pack_int(self.op_crypt)
                    p.pack_string(b'Arc4')
                    p.pack_string(b'Symmetric')
                    self.sock.send(p.get_buffer())
                    self.sock.set_translator(ARC4.new(session_key),
                                             ARC4.new(session_key))
                    (h, oid, buf) = self._op_response()
                else:  # use later _op_attach() and _op_create()
                    self.auth_data = auth_data
        else:
            assert op_code == self.op_accept
Example #11
0
    def _parse_connect_response(self):
        # want and treat op_accept or op_cond_accept or op_accept_data
        b = self.recv_channel(4)
        while bytes_to_bint(b) == self.op_dummy:
            b = self.recv_channel(4)
        if bytes_to_bint(b) == self.op_reject:
            raise OperationalError('Connection is rejected')

        op_code = bytes_to_bint(b)
        if op_code == self.op_response:
            return self._parse_op_response()    # error occured

        b = self.recv_channel(12)
        self.accept_version = byte_to_int(b[3])
        self.accept_architecture = bytes_to_bint(b[4:8])
        self.accept_type = bytes_to_bint(b[8:])
        self.lazy_response_count = 0

        if op_code == self.op_cond_accept or op_code == self.op_accept_data:
            ln = bytes_to_bint(self.recv_channel(4))
            data = self.recv_channel(ln, word_alignment=True)

            ln = bytes_to_bint(self.recv_channel(4))
            self.accept_plugin_name = self.recv_channel(ln, word_alignment=True)

            is_authenticated = bytes_to_bint(self.recv_channel(4))
            ln = bytes_to_bint(self.recv_channel(4))
            self.recv_channel(ln, word_alignment=True)   # keys

            if is_authenticated == 0:
                if self.accept_plugin_name in (b'Srp256',  b'Srp'):
                    hash_algo = {
                        b'Srp256': hashlib.sha256,
                        b'Srp': hashlib.sha1,
                    }[self.accept_plugin_name]

                    user = self.user
                    if len(user) > 2 and user[0] == user[-1] == '"':
                        user = user[1:-1]
                        user = user.replace('""','"')
                    else:
                        user = user.upper()

                    if len(data) == 0:
                        # send op_cont_auth
                        self._op_cont_auth(
                            srp.long2bytes(self.client_public_key),
                            self.accept_plugin_name,
                            self.plugin_list,
                            b''
                        )
                        # parse op_cont_auth
                        b = self.recv_channel(4)
                        assert bytes_to_bint(b) == self.op_cont_auth
                        ln = bytes_to_bint(self.recv_channel(4))
                        data = self.recv_channel(ln, word_alignment=True)
                        ln = bytes_to_bint(self.recv_channel(4))
                        plugin_name = self.recv_channel(ln, word_alignment=True)
                        ln = bytes_to_bint(self.recv_channel(4))
                        plugin_list = self.recv_channel(ln, word_alignment=True)
                        ln = bytes_to_bint(self.recv_channel(4))
                        keys = self.recv_channel(ln, word_alignment=True)

                    ln = bytes_to_int(data[:2])
                    server_salt = data[2:ln+2]
                    server_public_key = srp.bytes2long(
                        hex_to_bytes(data[4+ln:]))

                    auth_data, session_key = srp.client_proof(
                        self.str_to_bytes(user),
                        self.str_to_bytes(self.password),
                        server_salt,
                        self.client_public_key,
                        server_public_key,
                        self.client_private_key,
                        hash_algo)
                elif self.accept_plugin_name == b'Legacy_Auth':
                    auth_data = self.str_to_bytes(get_crypt(self.password))
                    session_key = b''
                else:
                    raise OperationalError(
                        'Unknown auth plugin %s' % (self.accept_plugin_name)
                    )
            else:
                auth_data = b''
                session_key = b''

            if op_code == self.op_cond_accept:
                self._op_cont_auth(
                    auth_data,
                    self.accept_plugin_name,
                    self.plugin_list,
                    b''
                )
                (h, oid, buf) = self._op_response()

            if self.wire_crypt and session_key:
                # op_crypt: plugin[Arc4] key[Symmetric]
                p = xdrlib.Packer()
                p.pack_int(self.op_crypt)
                p.pack_string(b'Arc4')
                p.pack_string(b'Symmetric')
                self.sock.send(p.get_buffer())
                self.sock.set_translator(
                    ARC4.new(session_key), ARC4.new(session_key))
                (h, oid, buf) = self._op_response()
            else:   # use later _op_attach() and _op_create()
                self.auth_data = auth_data
        else:
            assert op_code == self.op_accept