def build_PWK(email, password_b64, scrypt_server, do_network): assert isinstance(email, unicode) # this is local A_b64 = PBKDF2_b64(password_b64=password_b64, salt_b64=SALT_b64("first-PBKDF", email.encode("utf-8")), c=c1, dkLen=KEYLEN) # can we do scrypt fast enough locally? offload_scrypt = False # XXX if offload_scrypt: N,r,p = SCRYPT_PARAMS msg = ["do-scrypt", A_b64, N, r, p] rx = do_network(scrypt_server, msg) ok, B_b64 = json.loads(rx.decode("utf-8")) if ok != "ok": raise Oops("scrypt server error") else: B_b64 = scrypt_b64(password_b64=A_b64, salt_b64=SALT_b64("scrypt"), # no email here, anon++ dkLen=KEYLEN) # this is local merged_b64 = b64encode(b64decode(B_b64)+b64decode(password_b64)) C_b64 = PBKDF2_b64(password_b64=merged_b64, salt_b64=SALT_b64("second-PBKDF", email.encode("utf-8")), c=c2, dkLen=KEYLEN) keys = make_keys(C_b64, SALT_b64("HKDF")) return keys # (PWK_b64, MAC_b64, SRPpw_b64)
def do_request(SRPsession, req, do_network, db_server): SRPKsession_b64, sid_b64 = SRPsession enc1_b64,mac1_b64,enc2_b64,mac2_b64 = make_session_keys(SRPKsession_b64) msg = client_create_request(req, enc1_b64, mac1_b64, sid_b64) rx = do_network(db_server, msg) return client_process_response(rx, enc2_b64, mac2_b64)
def MAGIC_SEND_SAFELY(url, secrets, do_network): # this is a vulnerability window. It really wants to use pinned SSL. do_network(url, ["magic-init"]+list(secrets))