def build_PWK(email, password_b64, scrypt_server, do_network):
assert isinstance(email, unicode)
# this is local
A_b64 = PBKDF2_b64(password_b64=password_b64,
salt_b64=SALT_b64("first-PBKDF",
email.encode("utf-8")),
c=c1, dkLen=KEYLEN)
# can we do scrypt fast enough locally?
offload_scrypt = False # XXX
if offload_scrypt:
N,r,p = SCRYPT_PARAMS
msg = ["do-scrypt", A_b64, N, r, p]
rx = do_network(scrypt_server, msg)
ok, B_b64 = json.loads(rx.decode("utf-8"))
if ok != "ok":
raise Oops("scrypt server error")
else:
B_b64 = scrypt_b64(password_b64=A_b64,
salt_b64=SALT_b64("scrypt"), # no email here, anon++
dkLen=KEYLEN)
# this is local
merged_b64 = b64encode(b64decode(B_b64)+b64decode(password_b64))
C_b64 = PBKDF2_b64(password_b64=merged_b64,
salt_b64=SALT_b64("second-PBKDF",
email.encode("utf-8")),
c=c2, dkLen=KEYLEN)
keys = make_keys(C_b64, SALT_b64("HKDF"))
return keys # (PWK_b64, MAC_b64, SRPpw_b64)
def do_request(SRPsession, req, do_network, db_server):
SRPKsession_b64, sid_b64 = SRPsession
enc1_b64,mac1_b64,enc2_b64,mac2_b64 = make_session_keys(SRPKsession_b64)
msg = client_create_request(req, enc1_b64, mac1_b64, sid_b64)
rx = do_network(db_server, msg)
return client_process_response(rx, enc2_b64, mac2_b64)
def MAGIC_SEND_SAFELY(url, secrets, do_network):
# this is a vulnerability window. It really wants to use pinned SSL.
do_network(url, ["magic-init"]+list(secrets))