def setPassword(crypt, password): try: (db, _, _) = getDB(None, None) crypt.genKeys() (f, c) = crypt.getKeys() (salt, vkey) = srp.create_salted_verification_key(args.client, password) if args.keys: db.beginTransaction() db.setSrpValues(salt, vkey) Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c) db.commit() else: db.setKeys(salt, vkey, f, c) return 0 except TardisDB.NotAuthenticated: logger.error('Client %s already has a password', args.client) if args.exceptions: logger.exception(e) return 1 except TardisDB.AuthenticationFailed as e: logger.error("Authentication failed. Bad password") if args.exceptions: logger.exception(e) return 1 except Exception as e: logger.error(str(e)) if args.exceptions: logger.exception(e) return 1
def setPassword(password): try: (db, _, _) = getDB(None) crypt = TardisCrypto.getCrypto(TardisCrypto.defaultCryptoScheme, password) crypt.genKeys() (f, c) = crypt.getKeys() (salt, vkey) = srp.create_salted_verification_key(args.client, password) if args.keys: db.beginTransaction() db.setSrpValues(salt, vkey) db.setConfigValue('CryptoScheme', crypt.getCryptoScheme()) Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c) else: db.setKeys(salt, vkey, f, c) db.setConfigValue('CryptoScheme', crypt.getCryptoScheme()) return 0 except TardisDB.NotAuthenticated: logger.error('Client %s already has a password', args.client) if args.exceptions: logger.exception(e) return 1 except TardisDB.AuthenticationFailed as e: logger.error("Authentication failed. Bad password") if args.exceptions: logger.exception(e) return 1 except Exception as e: logger.error(str(e)) if args.exceptions: logger.exception(e) return 1
def setPassword(crypt, password): try: (db, _) = getDB(None, None) crypt.genKeys() (f, c) = crypt.getKeys() (salt, vkey) = srp.create_salted_verification_key(args.client, password) if args.keys: db.beginTransaction() db.setSrpValues(salt, vkey) Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c) db.commit() else: db.setKeys(salt, vkey, f, c) return 0 except TardisDB.NotAuthenticated: logger.error('Client %s already has a password', args.client) exceptionLogger.log(e) return 1 except TardisDB.AuthenticationFailed as e: logger.error("Authentication failed. Bad password") exceptionLogger.log(e) return 1 except Exception as e: logger.error(str(e)) exceptionLogger.log(e) return 1
def changePassword(crypt, oldpw): try: (db, _, crypt) = getDB(oldpw) # Get the new password try: newpw = Util.getPassword(args.newpw, args.newpwf, args.newpwp, prompt="New Password for %s: " % (args.client), allowNone=False, confirm=True, strength=True) except Exception as e: logger.critical(str(e)) if args.exceptions: logger.exception(e) return -1 scheme = db.getConfigValue('CryptoScheme', 1) crypt2 = TardisCrypto.getCrypto(scheme, newpw, args.client) # Load the keys, and insert them into the crypt object, to decyrpt them if args.keys: (f, c) = Util.loadKeys(args.keys, db.getConfigValue('ClientID')) # No need to check here, loadKeys() throws exception if nothing set. else: (f, c) = db.getKeys() if f is None or c is None: logger.critical( "No keys loaded from database. Please specify --keys as appropriate" ) raise Exception("No keys loaded") crypt.setKeys(f, c) # Grab the keys from one crypt object. # Need to do this because getKeys/setKeys assumes they're encrypted, and we need the raw # versions crypt2._filenameKey = crypt._filenameKey crypt2._contentKey = crypt._contentKey # Now get the encrypted versions (f, c) = crypt2.getKeys() (salt, vkey) = srp.create_salted_verification_key(args.client, newpw) if args.keys: db.beginTransaction() db.setSrpValues(salt, vkey) Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c) db.commit() else: db.setKeys(salt, vkey, f, c) return 0 except Exception as e: logger.error(str(e)) if args.exceptions: logger.exception(e) return 1
def register(self, api_uri, username, password): try: salt, verifier = create_salted_verification_key( username, password, self.hash_alg, self.ng_type) return self._post_registration_data(api_uri, username, salt, verifier) except (HTTPError, SSLError, Timeout), e: raise LeapAuthException(e)
def get_signup_params(self, username, password): salt, verifier = srp.create_salted_verification_key(bytes(username), bytes(password), srp.SHA256, srp.NG_1024) user_data = { "user[login]": username, "user[password_salt]": binascii.hexlify(salt), "user[password_verifier]": binascii.hexlify(verifier), } return user_data
def get_signup_params(self, username, password): salt, verifier = srp.create_salted_verification_key( bytes(username), bytes(password), srp.SHA256, srp.NG_1024) user_data = { 'user[login]': username, 'user[password_salt]': binascii.hexlify(salt), 'user[password_verifier]': binascii.hexlify(verifier) } return user_data
async def handle_authenticate(self, dg: Datagram): # Credentials if not self.verify_credentials(dg.data): await self.send_error(constants.ERR_CREDENTIALS) return else: await self.send( Datagram(command=constants.CMD_AUTH, recipient=dg.data)) # HMAC response = await self.recv() if response and response.data and \ self.verify_HMAC( response.data.encode(), dg.data.encode(), self._hmac_key): await self.send_response(True) else: await self.send_error(constants.ERR_HMAC) return # Challenge response = await self.recv() if response and response.data: svr = srp.Verifier( dg.data.encode(), *srp.create_salted_verification_key(dg.data.encode(), self._challenge_key), bytes.fromhex(response.data)) else: await self.send_error(constants.ERR_CHALLENGE) return s, B = svr.get_challenge() if s and B: await self.send_response([s.hex(), B.hex()]) else: await self.send_error(constants.ERR_CHALLENGE) return # Verification response = await self.recv() if response and response.data: HAMK = svr.verify_session(bytes.fromhex(response.data)) if HAMK and svr.authenticated(): await self.send_response(HAMK.hex()) self.counter_cipher = svr.get_session_key() self.name = dg.data else: await self.send_error(constants.ERR_VERIFICATION) return else: await self.send_error(constants.ERR_VERIFICATION) return
def regdata(username, password): salt, vkey = srp.create_salted_verification_key(username, password) print("salt:", salt) print("vkey:", vkey) print() result = {} result['salt'] = base64.b64encode(salt).decode('utf-8') result['verifier'] = binascii.hexlify(vkey).decode('utf-8') return result
def main(): username = input("Enter username: "******"Enter password: "******"Add the following line to the users.csv:") print() print("%s,%s,%s" % (username, base64.standard_b64encode(salt).decode('utf-8'), base64.standard_b64encode(vkey).decode('utf-8')))
def changePassword(crypt, oldpw) : try: (db, _, crypt) = getDB(crypt, oldpw) # Get the new password try: newpw = Util.getPassword(args.newpw, args.newpwf, args.newpwp, prompt="New Password for %s: " % (args.client), allowNone=False, confirm=True, strength=True) except Exception as e: logger.critical(str(e)) if args.exceptions: logger.exception(e) return -1 crypt2 = TardisCrypto.TardisCrypto(newpw, args.client) # Load the keys, and insert them into the crypt object, to decyrpt them if args.keys: (f, c) = Util.loadKeys(args.keys, db.getConfigValue('ClientID')) # No need to check here, loadKeys() throws exception if nothing set. else: (f, c) = db.getKeys() if f is None or c is None: logger.critical("No keys loaded from database. Please specify --keys as appropriate") raise Exception("No keys loaded") crypt.setKeys(f, c) # Grab the keys from one crypt object. # Need to do this because getKeys/setKeys assumes they're encrypted, and we need the raw # versions crypt2._filenameKey = crypt._filenameKey crypt2._contentKey = crypt._contentKey # Now get the encrypted versions (f, c) = crypt2.getKeys() (salt, vkey) = srp.create_salted_verification_key(args.client, newpw) if args.keys: db.beginTransaction() db.setSrpValues(salt, vkey) Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c) db.commit() else: db.setKeys(salt, vkey, f, c) return 0 except Exception as e: logger.error(str(e)) if args.exceptions: logger.exception(e) return 1
def performance_test( mod, hash_alg, ng_type, niter=10, nthreads=1 ): global NLEFT _s, _v = srp.create_salted_verification_key( username, password, hash_alg, ng_type ) NLEFT = niter def test_thread(): global NLEFT while NLEFT > 0: do_auth( mod, hash_alg, ng_type, _s, _v ) NLEFT -= 1 start = time.time() while nthreads > 1: _thread.start_new_thread( test_thread, () ) nthreads -= 1 test_thread() duration = time.time() - start return duration
def main(): logging.basicConfig(level=logging.INFO) logger = logging.getLogger() crypto = None args = processArgs() password = Util.getPassword(args.password, args.passwordfile, args.passwordurl, args.passwordprog) if password: crypto = TardisCrypto.TardisCrypto(password, args.client) path = os.path.join(args.database, args.client, args.dbname) db = TardisDB.TardisDB(path, backup=False) token = createToken(crypto, args.client) if not checkToken(db, token): logger.error("Password does not match") sys.exit(1) salt, vkey = srp.create_salted_verification_key(args.client, password) db.setSrpValues(salt, vkey) db._setConfigValue('Token', None)
def main(argv=None): if argv is None: argv = sys.argv logger.setLevel(logging.INFO) #logger.setLevel(logging.DEBUG) try: conf_filename = argv[1] except IndexError: conf_filename = 'sksync.json' logger.info('attempting to open config: %r', conf_filename) try: f = open(conf_filename, 'rb') config = load_json(f.read()) f.close() except IOError: config = {} # defaults config['users'] = config.get('users', {}) username = raw_input('Username: '******'"%s" Password: '******'Confirm password: '******'users'][username] = config['users'].get('username', {}) config['users'][username]['authsrp'] = salt, vkey raw_json = dump_json(config, indent=4) logger.info('attempting to open config for write: %r', conf_filename) f = open(conf_filename, 'wb') f.write(raw_json) f.close() return 0
def performance_test(mod, hash_alg, ng_type, niter=10, nthreads=1): global NLEFT _s, _v = srp.create_salted_verification_key(username, password, hash_alg, ng_type) NLEFT = niter def test_thread(): global NLEFT while NLEFT > 0: do_auth(mod, hash_alg, ng_type, _s, _v) NLEFT -= 1 start = time.time() while nthreads > 1: _thread.start_new_thread(test_thread, ()) nthreads -= 1 test_thread() duration = time.time() - start return duration
def register(self, api_uri, username, password): try: salt, verifier = create_salted_verification_key(username, password, self.hash_alg, self.ng_type) return self._post_registration_data(api_uri, username, salt, verifier) except (HTTPError, SSLError, Timeout), e: raise LeapAuthException(e)
#!/usr/bin/env python2 import srp # The salt and verifier returned from srp.create_salted_verification_key() should be # stored on the server. salt, vkey = srp.create_salted_verification_key('testuser', 'testpassword') class AuthenticationFailed(Exception): pass # ~~~ Begin Authentication ~~~ usr = srp.User('testuser', 'testpassword') uname, A = usr.start_authentication() # The authentication process can fail at each step from this # point on. To comply with the SRP protocol, the authentication # process should be aborted on the first failure. # Client => Server: username, A svr = srp.Verifier(uname, salt, vkey, A) s, B = svr.get_challenge() if s is None or B is None: raise AuthenticationFailed() # Server => Client: s, B M = usr.process_challenge(s, B)
def createSRPValues(self, password, client=None): if client is None: client = self.client salt, vkey = srp.create_salted_verification_key(client, password) return salt, vkey
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler import tlv import srp import hashlib import hmac import pprint ACC_NAME = "Test" PASSWORD = "******" srp_salt, srp_session_key = srp.create_salted_verification_key(ACC_NAME, PASSWORD) key = hmac.new("Pair-Setup-Salt", srp_session_key, hashlib.sha512).digest() okm = hmac.new(key, "Pair-Setup-Encryption-Key", hashlib.sha512).digest() class HomeKitHandler(BaseHTTPRequestHandler): def do_GET(s): print s.path def do_POST(s): length = int(s.headers['Content-Length']) post_data = s.rfile.read(length) if s.path == '/pair-setup': s.close_connection = 0 s.protocol_version = "HTTP/1.1" tlv_data = tlv.unpack(post_data) pprint.pprint(tlv_data) response = [] response.append({'type': 'auth_tag', 'length': 1, 'data': 2}) response.append({'type': 'public_key', 'length': len(okm), 'data': okm}) response.append({'type': 'salt', 'length': 16, 'data': [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]})
# GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. import json import unittest import binascii from urlparse import parse_qs from httmock import urlmatch, all_requests, HTTMock, response from requests.exceptions import Timeout import srp from pixelated.provider.leap_srp import LeapSecureRemotePassword, LeapAuthException (salt_bytes, verification_key_bytes) = srp.create_salted_verification_key('username', 'password', hash_alg=srp.SHA256, ng_type=srp.NG_1024) verifier = None @all_requests def not_found_mock(url, request): return {'status_code': 404, 'content': 'foobar'} @all_requests def timeout_mock(url, request): raise Timeout() @urlmatch(netloc=r'(.*\.)?leap\.local$')
def on_frame(self, frame: str) -> None: try: message = json.loads(frame) except: logger.exception("Could not decode JSON message: {}".format(frame)) self.transport.close() return mtype = message.get('type').upper() if mtype == 'HEY': self.text_to_sign = message.get('data') self.server_cert = base64.b16encode(self.getCert()).decode() print(self.server_cert) self._send({'type','CERT_SERVER', 'data', self.server_cert }) self.server_signature = base64.b64encode(self.getSignature()).decode() self._send({'type','SIGN_SERVER', 'data', self.server_signature }) if mtype == 'SERVER_OK': self.client_text = message.get('data') if mtype == 'SERVER_OK': self.client_text = base64.b64decode(message.get('data')).encode() if mtype == 'CERT_CLIENT': self.client_cert = base64.b64decode(message.get('data')).encode() if mtype == 'SIGN_CLIENT': self.sign_client = message.get('data') if not self.verifyClient(): return self._send({'type','START_LOGIN'}) if mtype == 'USER': uname = message.get('uname') A = base64.b64decode(message.get('A')).encode() password = self.getPassword(uname) salt, vkey = srp.create_salted_verification_key( uname, password ) self.svr = srp.Verifier( uname, salt, vkey, A) s,B = self.svr.get_challenge() self._send({'type','s', 'data', base64.b64encode(s).decode() }) self._send({'type','B', 'data', base64.b64encode(B).decode() }) if mtype == 'M': M = base64.b64decode(message.get('data')).encode() HAMK = self.svr.verify_session(M) if HAMK: self._send({'type': 'OKOK'}) if mtype == 'HELLO': self.algorithms = message.get('data').split('_') if self.algorithms: self.keyPair() logger.info("Send public Key") self._send({'type': 'PUBLIC_KEY', 'data': base64.b64encode(self.pem_public_key).decode()}) ret = True else: ret = False if mtype == 'SECURE': self.encriptkey = base64.b64decode(message.get('data')) if self.encriptkey != '': logger.info("Key") self.getKey() ret = True else: ret = False if mtype == 'SECURE_IV': logger.info("iv") self.iv=base64.b64decode(message.get('data')) if self.iv != '': ret = True else: ret= False if mtype == 'OPEN': ret = self.process_open(message) if mtype == 'DATA': ret = self.process_data(message) if mtype == 'CLOSE': ret = self.process_close(message) logger.info("Decrypt file") self.decryptFile() else: logger.warning("Invalid message type: {}".format(message['type'])) ret = False if not ret: try: self._send({'type': 'ERROR', 'message': 'See server'}) except: pass # Silently ignore logger.info("Closing transport") if self.file is not None: self.file.close() self.file = None self.state = STATE_CLOSE self.transport.close()
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler import tlv import srp import hashlib import hmac import pprint ACC_NAME = "Test" PASSWORD = "******" srp_salt, srp_session_key = srp.create_salted_verification_key( ACC_NAME, PASSWORD) key = hmac.new("Pair-Setup-Salt", srp_session_key, hashlib.sha512).digest() okm = hmac.new(key, "Pair-Setup-Encryption-Key", hashlib.sha512).digest() class HomeKitHandler(BaseHTTPRequestHandler): def do_GET(s): print s.path def do_POST(s): length = int(s.headers['Content-Length']) post_data = s.rfile.read(length) if s.path == '/pair-setup': s.close_connection = 0 s.protocol_version = "HTTP/1.1" tlv_data = tlv.unpack(post_data) pprint.pprint(tlv_data) response = [] response.append({'type': 'auth_tag', 'length': 1, 'data': 2})
def _get_salt_verifier(username, password): return srp.create_salted_verification_key(bytes(username), bytes(password), srp.SHA256, srp.NG_1024)
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with Pixelated. If not, see <http://www.gnu.org/licenses/>. import json import unittest import binascii from urlparse import parse_qs from httmock import urlmatch, all_requests, HTTMock, response from requests.exceptions import Timeout import srp from pixelated.bitmask_libraries.leap_srp import LeapSecureRemotePassword, LeapAuthException (salt_bytes, verification_key_bytes) = srp.create_salted_verification_key( 'username', 'password', hash_alg=srp.SHA256, ng_type=srp.NG_1024) verifier = None @all_requests def not_found_mock(url, request): return {'status_code': 404, 'content': 'foobar'} @all_requests def timeout_mock(url, request): raise Timeout() @urlmatch(netloc=r'(.*\.)?leap\.local$') def srp_login_server_simulator_mock(url, request):
email = "*****@*****.**" password = "******" if False: Tstart = time.time() A = PBKDF2(password=password, salt=plus(KW1, email), c=c1, dkLen=dkLen) Ta = time.time() print "time[A]:", Ta-Tstart B = scrypt(password=A, salt=plus(KW2, email), N=N,r=r,p=p, dkLen=256/8) Tb = time.time() print "time[B]:", Tb-Ta C = PBKDF2(password=plus(password,B), salt=plus(KW3, email), c=c2, dkLen=3*dkLen) Tc = time.time() print "time[C]:", Tc-Tb PWK, MAC, SRPpw = C[:dkLen], C[dkLen:2*dkLen], C[2*dkLen:3*dkLen] SRPsalt, SRPvkey = create_salted_verification_key(email, SRPpw, hash_alg=SHA256) Td = time.time() print "time[D]:", Td-Tc print "time[total]:", Td-Tstart print print "PWK:", hexlify(PWK) print "MAC:", hexlify(MAC) print "SRPpw:", hexlify(SRPpw) print print "SRPvkey:", hexlify(SRPvkey) print "SRPsalt:", hexlify(SRPsalt) sys.exit(0) salt,vkey = create_salted_verification_key(email, password, hash_alg=SHA256)
import srp # The salt and verifier returned from srp.create_salted_verification_key() should be # stored on the server. salt, vkey = srp.create_salted_verification_key( 'testuser', 'testpassword' ) class AuthenticationFailed (Exception): pass # ~~~ Begin Authentication ~~~ usr = srp.User( 'testuser', 'testpassword' ) uname, A = usr.start_authentication() # The authentication process can fail at each step from this # point on. To comply with the SRP protocol, the authentication # process should be aborted on the first failure. # Client => Server: username, A svr = srp.Verifier( uname, salt, vkey, A ) s,B = svr.get_challenge() if s is None or B is None: raise AuthenticationFailed() # Server => Client: s, B M = usr.process_challenge( s, B ) if M is None: raise AuthenticationFailed()