def send_email():
# connect to alarm program database
conn = sqlite3.connect('alarm.db')
c = conn.cursor()
# get username and password for email
login = c.execute("SELECT * FROM keys").fetchone()
# log in to email server
server = smtplib.SMTP('smtp.gmail.com', 587)
server.starttls()
key = keys.get_key()
email = keys.decrypt(login[0], key)
password = keys.decrypt(login[1], key)
server.login(email, password)
# send an email
msg = "Test"
server.sendmail(email, email, msg)
# disconnect
server.quit()
conn.close()
def receive_client_com(self,reply):
""" Process a client-com message from client """
# Client in session
client = self.clients[str(reply['src'])]
# Decipher: public key received + old private key
ciphertext = base64.b64decode(reply['data']['ciphertext'])
client.received_public_key = keys.deserialize_public_key(base64.b64decode(reply['data']['public_key']))
digest = base64.b64decode(reply['data']['hash'])
client.received_random = base64.b64decode(reply['data']['random'])
iv = base64.b64decode(reply['data']['iv'])
client.client_client_master_secret = keys.generate_master_secret(client.received_public_key, client.private_key)
client.client_client_final_master = keys.generate_final_master_secret(client.client_client_master_secret, client.random + client.received_random)
client.digest = keys.message_authentication(client.cipher_suite,client.client_client_final_master, ciphertext)
client.public_key = client.received_public_key
if client.digest != digest:
logging.warning('Client Hash and Server Hash do not match!')
cleartext = keys.decrypt(client.cipher_suite, client.client_client_final_master, ciphertext, iv)
print '__________________________________________\n'
print 'Client:',str(reply['src']),'# ',cleartext
print '__________________________________________\n'
if cleartext != '':
self.send_client_ack(reply['src'])
def secure_receive(self, msg_json):
""" Process a secure message from server """
# Decipher: public key received + old private key
ciphertext = base64.b64decode(msg_json['payload']['ciphertext'])
public_key = keys.deserialize_public_key(base64.b64decode(msg_json['payload']['public_key']))
server_hash = base64.b64decode(msg_json['sa-data']['hash'])
server_iv = base64.b64decode(msg_json['sa-data']['iv'])
server_random = base64.b64decode(msg_json['sa-data']['random'])
new_master_secret = keys.generate_master_secret(public_key, self.new_private_key)
new_final_master_secret = keys.generate_final_master_secret(new_master_secret,self.rand_client + server_random)
client_hash = keys.message_authentication(self.cipher_suite, new_final_master_secret, ciphertext)
self.server_public_key = public_key
self.rand_srv = server_random
msg_json['payload'] = keys.decrypt(self.cipher_suite,new_final_master_secret,ciphertext,server_iv)
if (server_hash != client_hash):
logging.warning('Client Hash and Server Hash do not match!')
if msg_json['payload']['type'] == 'list':
self.receive_list_clients(msg_json['payload'], self.id)
elif msg_json['payload']['type'] == 'client-connect':
self.receive_client_connect(msg_json['payload'])
elif msg_json['payload']['type'] == 'client-disconnect':
self.receive_client_disconnect(msg_json['payload'])
elif msg_json['payload']['type'] == 'client-com':
self.receive_client_com(msg_json['payload'])
elif msg_json['payload']['type'] == 'ack':
self.receive_client_ack(msg_json['payload'])
def processSecure(self, sender, request):
"""
Process a secure message from a client
"""
if sender.state != STATE_CONNECTED:
logging.warning("SECURE from disconnected client: %s" % sender)
return
if 'payload' not in request:
logging.warning("Secure message with missing fields")
return
# This is a secure message.
# TODO: Inner message is encrypted for us. Must decrypt and validate.
ciphertext = base64.b64decode(request['payload']['ciphertext'])
sender.received_public_key = keys.deserialize_public_key(
base64.b64decode(request['payload']['public_key']))
client_hash = base64.b64decode(request['sa-data']['hash'])
client_iv = base64.b64decode(request['sa-data']['iv'])
sender.random_client = base64.b64decode(request['sa-data']['random'])
new_master_secret = keys.generate_master_secret(
sender.received_public_key, sender.private_key)
sender.final_master_secret = keys.generate_final_master_secret(
new_master_secret, sender.random_client + sender.rand_server)
server_hash = keys.message_authentication(sender.cipher_suite,
sender.final_master_secret,
ciphertext)
if (client_hash != server_hash):
logging.warning('Client Hash and Server Hash do not match!')
request['payload'] = keys.decrypt(sender.cipher_suite,
sender.final_master_secret,
ciphertext, client_iv)
if 'type' not in request['payload'].keys():
logging.warning("Secure message without inner frame type")
return
if request['payload']['type'] == 'list':
self.processList(sender, request['payload'])
return
if not all(k in request['payload'].keys() for k in ("src", "dst")):
return
if not int(request['payload']['dst']) in self.id2client.keys():
logging.warning("Message to unknown client: %s" %
request['payload']['dst'])
return
dst = self.id2client[int(request['payload']['dst'])]
dst_message = {'type': 'secure', 'payload': request['payload']}
dst.send(dst_message)
def decrypt(key, input_file):
data = input_file.read()
data = data.split(b'\n')
input_file.close()
decrypted_data = b''
for row in data:
if not row:
break
decrypted_data += keys.decrypt(key, row)
return decrypted_data
def receive_client_com(self,reply):
""" Process a client-com message from client """
# Client in session
client = self.clients[str(reply['src'])]
# get client sign
sign = base64.b64decode(reply['sign'])
del reply['sign']
#validation
if keys.verifySign(sign, client.cert, json.dumps(reply,sort_keys=True)) == False:
logging.warning("Invalid Signature!!")
return
# CONTINUE
# CONA
# Decipher: public key received + old private key
ciphertext = base64.b64decode(reply['data']['ciphertext'])
tmp_public_key = keys.deserialize_public_key(base64.b64decode(reply['data']['public_key']))
digest = base64.b64decode(reply['data']['hash'])
tmp_received_random = base64.b64decode(reply['data']['random'])
iv = base64.b64decode(reply['data']['iv'])
client.client_client_master_secret = keys.generate_master_secret(tmp_public_key, client.private_key)
client.client_client_final_master = keys.generate_final_master_secret(client.client_client_master_secret, client.random + tmp_received_random)
client.digest = keys.message_authentication(client.cipher_suite,client.client_client_final_master, ciphertext)
if client.digest != digest:
logging.warning('Client Hash and Server Hash do not match!')
cleartext = keys.decrypt(client.cipher_suite, client.client_client_final_master, ciphertext, iv)
print '__________________________________________\n'
print 'Client:',str(reply['src']),'# ',cleartext
print '__________________________________________\n'
def receive_client_connect(self, reply):
""" Process a client-connect message from client (phase > 1) """
msg = {'type':'client-connect'}
if reply['phase'] == 1:
Hash = keys.hash(reply)
ack = {'type':'ack','hash':Hash, 'src': self.id, 'dst': reply['src']}
self.secure_send(ack)
#get peer_client cert
cli_cert = base64.b64decode(reply['data']['certificate'])
#cert verification
cert = openssl.load_certificate(openssl.FILETYPE_ASN1, cli_cert)
if keys.verifycert(cert,self.store) == False:
logging.warning("Invalid Certificate!!")
return
self.addClient(str(reply['src']))
client= self.clients[str(reply['src'])]
if str(reply['src']) not in self.clients:
logging.warning('Client not supported!')
ciphers = ['ECDHE-RSA-CTR-SHA256', 'ECDHE-AES256_CTR-SHA384','ECDHE-AES128_CTR-SHA256']
# Cipher_suite selection mode
cipher = [c for c in reply['ciphers'] if c in ciphers]
if cipher == []:
logging.warning('Does not support cipher spec!')
return
msg['src'] = reply['dst']
msg['dst'] = reply['src']
msg['phase'] = reply['phase']+1
msg['ciphers'] = cipher[0]
# Update
client.cipher_suite = msg['ciphers']
client.cert = cli_cert
client.randomCH = os.urandom(32)
msg['data'] = {'certificate': base64.b64encode(self.cert),'challenge':base64.b64encode(client.randomCH)}
Hash = keys.hash(msg)
self.dst_val[Hash] = msg.copy()
self.secure_send(msg)
return
if reply['phase'] == 2:
Hash = keys.hash(reply)
ack = {'type':'ack','hash':Hash, 'src': self.id, 'dst': reply['src']}
self.secure_send(ack)
#get peer_client cert
cli_cert = base64.b64decode(reply['data']['certificate'])
#cert verification
cert = openssl.load_certificate(openssl.FILETYPE_ASN1,cli_cert)
if keys.verifycert(cert,self.store) == False:
logging.warning("Invalid Certificate!!")
return
client = self.clients[str(reply['src'])]
if reply['ciphers'] not in client.cipher_suite:
logging.warning('Does not support cipher spec!')
return
# Update
client.cipher_suite = reply['ciphers']
client.cert = cli_cert
peerRandom = base64.b64decode(reply['data']['challenge'])
client.randomCH = os.urandom(32)
sign_peerRandom = keys.signClient(self.session, self.obj[0], peerRandom)
msg['dst'] = reply['src']
msg['src'] = reply['dst']
msg['phase'] = reply['phase'] +1
msg['ciphers'] = reply['ciphers']
msg['data'] = {'sign_challenge':base64.b64encode(sign_peerRandom),'challenge':base64.b64encode(client.randomCH)}
Hash = keys.hash(msg)
self.dst_val[Hash] = msg.copy()
self.secure_send(msg)
return
if reply['phase'] == 3:
Hash = keys.hash(reply)
ack = {'type':'ack','hash':Hash, 'src': self.id, 'dst': reply['src']}
self.secure_send(ack)
client = self.clients[str(reply['src'])]
# get client sign
sign = base64.b64decode(reply['data']['sign_challenge'])
#validation
if keys.verifySign(sign, client.cert, client.randomCH)== False:
logging.warning("Invalid Signature!!")
return
peerRandom = base64.b64decode(reply['data']['challenge'])
sign_peerRandom = keys.signClient(self.session, self.obj[0], peerRandom)
msg['data'] = {'sign_challenge':base64.b64encode(sign_peerRandom)}
client.cipher_suite = reply['ciphers']
msg['dst'] = reply['src']
msg['src'] = reply['dst']
msg['phase'] = reply['phase'] +1
Hash = keys.hash(msg)
self.dst_val[Hash] = msg.copy()
self.secure_send(msg)
return
if reply['phase'] == 4:
Hash = keys.hash(reply)
ack = {'type':'ack','hash':Hash, 'src': self.id, 'dst': reply['src']}
self.secure_send(ack)
client = self.clients[str(reply['src'])]
# get client sign
sign = base64.b64decode(reply['data']['sign_challenge'])
#validation
if keys.verifySign(sign, client.cert, client.randomCH) == False:
logging.warning("Invalid Signature!!")
return
print "\n\n"
print "Challenge Response Complete!!"
print "\n\n"
client.public_key, client.private_key = keys.verify_cipher_suite(client.cipher_suite)
client.random = os.urandom(32)
msg['data'] = {'public_key': client.public_key, 'random': base64.b64encode(client.random)}
msg['dst'] = reply['src']
msg['src'] = reply['dst']
msg['phase'] = reply['phase']+1
#msg['ciphers'] = reply['ciphers']
# Assinar toda a mensagem
signature = keys.signClient(self.session, self.obj[0], json.dumps(msg,sort_keys = True))
msg['sign'] = base64.b64encode(signature)
Hash = keys.hash(msg)
self.dst_val[Hash] = msg.copy()
self.secure_send(msg)
return
if reply['phase'] == 5:
Hash = keys.hash(reply)
ack = {'type':'ack','hash':Hash, 'src': self.id, 'dst': reply['src']}
sign_ack = keys.signClient(self.session, self.obj[0], json.dumps(ack,sort_keys = True))
ack['sign'] = base64.b64encode(sign_ack)
self.secure_send(ack)
client = self.clients[str(reply['src'])]
# get client sign
sign = base64.b64decode(reply['sign'])
del reply['sign']
#validation
if keys.verifySign(sign, client.cert, json.dumps(reply,sort_keys=True)) == False:
logging.warning("Invalid Signature!!")
return
# CONTINUE
#client.cipher_suite = reply['ciphers']
client.public_key, client.private_key = keys.verify_cipher_suite(client.cipher_suite)
client.random = os.urandom(32)
client.received_public_key = keys.deserialize_public_key(base64.b64decode(reply['data']['public_key']))
client.received_random = base64.b64decode(reply['data']['random'])
client.client_client_master_secret = keys.generate_master_secret(client.received_public_key,client.private_key)
client.client_client_final_master = keys.generate_final_master_secret(client.client_client_master_secret,client.received_random+client.random)
msg['data'] = {'public_key': client.public_key, 'random':base64.b64encode(client.random)}
msg['dst'] = reply['src']
msg['src'] = reply['dst']
msg['phase'] = reply['phase'] +1
# enviar info do Hardware
info_hash = keys.participantConsistency_Hash()
info = keys.participantConsistency()
# cifrar info do Hardware
tmp = { 'hash': info_hash, 'info':info}
encrypt_info, iv = keys.encrypt(client.cipher_suite, client.client_client_final_master, tmp )
msg['encrypt_hardware'] ={ 'encrypt_info':base64.b64encode(encrypt_info) , 'iv': base64.b64encode(iv)}
# Assinar toda a mensagem
signature = keys.signClient(self.session, self.obj[0], json.dumps(msg,sort_keys = True))
msg['sign'] = base64.b64encode(signature)
Hash = keys.hash(msg)
self.dst_val[Hash] = msg.copy()
self.secure_send(msg)
return
if reply['phase'] == 6:
Hash = keys.hash(reply)
ack = {'type':'ack','hash':Hash, 'src': self.id, 'dst': reply['src']}
sign_ack = keys.signClient(self.session, self.obj[0], json.dumps(ack,sort_keys = True))
ack['sign'] = base64.b64encode(sign_ack)
self.secure_send(ack)
client = self.clients[str(reply['src'])]
# get client sign
sign = base64.b64decode(reply['sign'])
del reply['sign']
#validation
if keys.verifySign(sign, client.cert, json.dumps(reply,sort_keys=True)) == False:
logging.warning("Invalid Signature!!")
return
# CONTINUE
client.received_public_key = keys.deserialize_public_key(base64.b64decode(reply['data']['public_key']))
client.client_client_master_secret = keys.generate_master_secret(client.received_public_key,client.private_key )
client.received_random = base64.b64decode(reply['data']['random'])
client.client_client_final_master = keys.generate_final_master_secret(client.client_client_master_secret,client.random+client.received_random )
to_decrypt = base64.b64decode(reply['encrypt_hardware']['encrypt_info'])
iv_todecrypt = base64.b64decode(reply['encrypt_hardware']['iv'])
cleartext = keys.decrypt(client.cipher_suite , client.client_client_final_master, to_decrypt ,iv_todecrypt)
if client.cert in self.part_cons.keys():
if self.part_cons[client.cert] != (cleartext['hash'][1], cleartext['info'][1]):
print 'Hard novo!'
print '\n Mac Adrress'+ str(cleartext['info']['brand'])
# Update
self.part_cons[client.cert] = (cleartext['hash'][1], cleartext['info'][1])
print 'Connection to the Client finished with sucess!\n'
return
def secure_receive(self, msg_json):
""" Process a secure message from server """
# verificar a assinatura antes de fazer o decrypt7
tmp = msg_json.copy()
sign = base64.b64decode(msg_json['sign'])
del msg_json['sign']
#validation
if keys.verifySign(sign, self.servercert, json.dumps(msg_json,sort_keys=True)) == False:
logging.warning("Invalid Signature!!")
return
# CONTINUE
# CONA
# Decipher: public key received + old private key
ciphertext = base64.b64decode(msg_json['payload']['ciphertext'])
public_key = keys.deserialize_public_key(base64.b64decode(msg_json['payload']['public_key']))
server_hash = base64.b64decode(msg_json['sa-data']['hash'])
server_iv = base64.b64decode(msg_json['sa-data']['iv'])
server_random = base64.b64decode(msg_json['sa-data']['random'])
new_master_secret = keys.generate_master_secret(public_key, self.private_key)
new_final_master_secret = keys.generate_final_master_secret(new_master_secret,self.rand_client + server_random)
client_hash = keys.message_authentication(self.cipher_suite, new_final_master_secret, ciphertext)
msg_json['payload'] = keys.decrypt(self.cipher_suite,new_final_master_secret,ciphertext,server_iv)
#print '\nPayloadSecure'
#print msg_json['payload']
if (server_hash != client_hash):
logging.warning('Client Hash and Server Hash do not match!')
if msg_json['payload']['type'] == 'ack':
self.receive_ack(msg_json['payload'])
return
Hash = keys.hash(tmp)
ack = {'type':'ack','hash':Hash}
sign_ack = keys.signClient(self.session, self.obj[0], json.dumps(ack,sort_keys = True))
ack['sign'] = base64.b64encode(sign_ack)
self.secure_send(ack)
if msg_json['payload']['type'] == 'list':
self.receive_list_clients(msg_json['payload'], self.id)
return
if msg_json['payload']['type'] == 'client-connect':
self.receive_client_connect(msg_json['payload'])
return
if msg_json['payload']['type'] == 'client-disconnect':
self.receive_client_disconnect(msg_json['payload'])
return
#print '123456'
#print msg_json['payload']
Hash = keys.hash(msg_json['payload'])
ack = {'type':'ack', 'hash':Hash, 'src': self.id, 'dst': msg_json['payload']['src']}
sign_ack = keys.signClient(self.session, self.obj[0], json.dumps(ack,sort_keys = True))
ack['sign'] = base64.b64encode(sign_ack)
self.secure_send(ack)
if msg_json['payload']['type'] == 'client-com':
self.receive_client_com(msg_json['payload'])
def processSecure(self, sender, request):
"""
Process a secure message from a client
"""
tmp = request.copy()
if sender.state != STATE_CONNECTED:
logging.warning("SECURE from disconnected client: %s" % sender)
return
if 'payload' not in request:
logging.warning("Secure message with missing fields")
return
# This is a secure message.
# TODO: Inner message is encrypted for us. Must decrypt and validate.
# Validar a assinatura no Secure antes de fazer o decrypt
sign = base64.b64decode(request['sign'])
del request['sign']
#validation
if keys.verifySign(sign, sender.cert,
json.dumps(request, sort_keys=True)) == False:
logging.warning("Invalid Signature!!")
self.delClient(sender.socket)
sender.close()
return
# CONTINUE
ciphertext = base64.b64decode(request['payload']['ciphertext'])
received_public_key = keys.deserialize_public_key(
base64.b64decode(request['payload']['public_key']))
client_hash = base64.b64decode(request['sa-data']['hash'])
client_iv = base64.b64decode(request['sa-data']['iv'])
tmp_random_client = base64.b64decode(request['sa-data']['random'])
new_master_secret = keys.generate_master_secret(
received_public_key, sender.private_key)
sender.final_master_secret = keys.generate_final_master_secret(
new_master_secret, sender.rand_server + tmp_random_client)
server_hash = keys.message_authentication(sender.cipher_suite,
sender.final_master_secret,
ciphertext)
if (client_hash != server_hash):
logging.warning('Client Hash and Server Hash do not match!')
request['payload'] = keys.decrypt(sender.cipher_suite,
sender.final_master_secret,
ciphertext, client_iv)
print "\n\n"
print "payload", request['payload']
if request['payload']['type'] == 'ack' and 'src' not in request[
'payload'].keys():
if 'sign' in request['payload'].keys():
#print "\nSIGN DO ACK"
sign = base64.b64decode(request['payload']['sign'])
del request['payload']['sign']
#validation
if keys.verifySign(
sign, sender.cert,
json.dumps(request['payload'],
sort_keys=True)) == False:
logging.warning("Invalid Signature!!")
return
try:
del dst_val[request['payload']['hash']]
except:
print "Ack from Unknown src!!!"
print dst_val
print '\n\n'
# generate ack for secure response
Hash = keys.hash(tmp)
ack = {'type': 'ack', 'hash': Hash}
sign_ack = keys.signServer(serverKey, json.dumps(ack, sort_keys=True))
ack['sign'] = base64.b64encode(sign_ack)
msg = {'type': 'secure', 'payload': ack}
sender.send(msg)
if 'type' not in request['payload'].keys():
logging.warning("Secure message without inner frame type")
return
if request['payload']['type'] == 'list':
self.processList(sender, request['payload'])
return
if not all(k in request['payload'].keys() for k in ("src", "dst")):
return
if not int(request['payload']['dst']) in self.id2client.keys():
logging.warning("Message to unknown client: %s" %
request['payload']['dst'])
return
#Bell-LaPadula
if request['payload']['type'] == 'client-com':
#print "Entrou"
#print "\n\n"
print self.bell
src = int(request['payload']['src'])
dst = int(request['payload']['dst'])
print 'src', src
print 'dst', dst
print self.bell[src]
print self.bell[dst]
if self.bell[src] > self.bell[dst]:
logging.error('Não tem permissao para enviar a mensagem!')
return
dst = self.id2client[int(request['payload']['dst'])]
dst_message = {'type': 'secure', 'payload': request['payload']}
dst.send(dst_message)
