def setPassword(crypt, password):
try:
(db, _, _) = getDB(None, None)
crypt.genKeys()
(f, c) = crypt.getKeys()
(salt, vkey) = srp.create_salted_verification_key(args.client, password)
if args.keys:
db.beginTransaction()
db.setSrpValues(salt, vkey)
Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c)
db.commit()
else:
db.setKeys(salt, vkey, f, c)
return 0
except TardisDB.NotAuthenticated:
logger.error('Client %s already has a password', args.client)
if args.exceptions:
logger.exception(e)
return 1
except TardisDB.AuthenticationFailed as e:
logger.error("Authentication failed. Bad password")
if args.exceptions:
logger.exception(e)
return 1
except Exception as e:
logger.error(str(e))
if args.exceptions:
logger.exception(e)
return 1
def setPassword(password):
try:
(db, _, _) = getDB(None)
crypt = TardisCrypto.getCrypto(TardisCrypto.defaultCryptoScheme,
password)
crypt.genKeys()
(f, c) = crypt.getKeys()
(salt,
vkey) = srp.create_salted_verification_key(args.client, password)
if args.keys:
db.beginTransaction()
db.setSrpValues(salt, vkey)
db.setConfigValue('CryptoScheme', crypt.getCryptoScheme())
Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c)
else:
db.setKeys(salt, vkey, f, c)
db.setConfigValue('CryptoScheme', crypt.getCryptoScheme())
return 0
except TardisDB.NotAuthenticated:
logger.error('Client %s already has a password', args.client)
if args.exceptions:
logger.exception(e)
return 1
except TardisDB.AuthenticationFailed as e:
logger.error("Authentication failed. Bad password")
if args.exceptions:
logger.exception(e)
return 1
except Exception as e:
logger.error(str(e))
if args.exceptions:
logger.exception(e)
return 1
def setPassword(crypt, password):
try:
(db, _) = getDB(None, None)
crypt.genKeys()
(f, c) = crypt.getKeys()
(salt, vkey) = srp.create_salted_verification_key(args.client, password)
if args.keys:
db.beginTransaction()
db.setSrpValues(salt, vkey)
Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c)
db.commit()
else:
db.setKeys(salt, vkey, f, c)
return 0
except TardisDB.NotAuthenticated:
logger.error('Client %s already has a password', args.client)
exceptionLogger.log(e)
return 1
except TardisDB.AuthenticationFailed as e:
logger.error("Authentication failed. Bad password")
exceptionLogger.log(e)
return 1
except Exception as e:
logger.error(str(e))
exceptionLogger.log(e)
return 1
def changePassword(crypt, oldpw):
try:
(db, _, crypt) = getDB(oldpw)
# Get the new password
try:
newpw = Util.getPassword(args.newpw,
args.newpwf,
args.newpwp,
prompt="New Password for %s: " %
(args.client),
allowNone=False,
confirm=True,
strength=True)
except Exception as e:
logger.critical(str(e))
if args.exceptions:
logger.exception(e)
return -1
scheme = db.getConfigValue('CryptoScheme', 1)
crypt2 = TardisCrypto.getCrypto(scheme, newpw, args.client)
# Load the keys, and insert them into the crypt object, to decyrpt them
if args.keys:
(f, c) = Util.loadKeys(args.keys, db.getConfigValue('ClientID'))
# No need to check here, loadKeys() throws exception if nothing set.
else:
(f, c) = db.getKeys()
if f is None or c is None:
logger.critical(
"No keys loaded from database. Please specify --keys as appropriate"
)
raise Exception("No keys loaded")
crypt.setKeys(f, c)
# Grab the keys from one crypt object.
# Need to do this because getKeys/setKeys assumes they're encrypted, and we need the raw
# versions
crypt2._filenameKey = crypt._filenameKey
crypt2._contentKey = crypt._contentKey
# Now get the encrypted versions
(f, c) = crypt2.getKeys()
(salt, vkey) = srp.create_salted_verification_key(args.client, newpw)
if args.keys:
db.beginTransaction()
db.setSrpValues(salt, vkey)
Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c)
db.commit()
else:
db.setKeys(salt, vkey, f, c)
return 0
except Exception as e:
logger.error(str(e))
if args.exceptions:
logger.exception(e)
return 1
def register(self, api_uri, username, password):
try:
salt, verifier = create_salted_verification_key(
username, password, self.hash_alg, self.ng_type)
return self._post_registration_data(api_uri, username, salt,
verifier)
except (HTTPError, SSLError, Timeout), e:
raise LeapAuthException(e)
def get_signup_params(self, username, password):
salt, verifier = srp.create_salted_verification_key(bytes(username), bytes(password), srp.SHA256, srp.NG_1024)
user_data = {
"user[login]": username,
"user[password_salt]": binascii.hexlify(salt),
"user[password_verifier]": binascii.hexlify(verifier),
}
return user_data
def get_signup_params(self, username, password):
salt, verifier = srp.create_salted_verification_key(
bytes(username), bytes(password), srp.SHA256, srp.NG_1024)
user_data = {
'user[login]': username,
'user[password_salt]': binascii.hexlify(salt),
'user[password_verifier]': binascii.hexlify(verifier)
}
return user_data
async def handle_authenticate(self, dg: Datagram):
# Credentials
if not self.verify_credentials(dg.data):
await self.send_error(constants.ERR_CREDENTIALS)
return
else:
await self.send(
Datagram(command=constants.CMD_AUTH, recipient=dg.data))
# HMAC
response = await self.recv()
if response and response.data and \
self.verify_HMAC(
response.data.encode(),
dg.data.encode(),
self._hmac_key):
await self.send_response(True)
else:
await self.send_error(constants.ERR_HMAC)
return
# Challenge
response = await self.recv()
if response and response.data:
svr = srp.Verifier(
dg.data.encode(),
*srp.create_salted_verification_key(dg.data.encode(),
self._challenge_key),
bytes.fromhex(response.data))
else:
await self.send_error(constants.ERR_CHALLENGE)
return
s, B = svr.get_challenge()
if s and B:
await self.send_response([s.hex(), B.hex()])
else:
await self.send_error(constants.ERR_CHALLENGE)
return
# Verification
response = await self.recv()
if response and response.data:
HAMK = svr.verify_session(bytes.fromhex(response.data))
if HAMK and svr.authenticated():
await self.send_response(HAMK.hex())
self.counter_cipher = svr.get_session_key()
self.name = dg.data
else:
await self.send_error(constants.ERR_VERIFICATION)
return
else:
await self.send_error(constants.ERR_VERIFICATION)
return
def regdata(username, password):
salt, vkey = srp.create_salted_verification_key(username, password)
print("salt:", salt)
print("vkey:", vkey)
print()
result = {}
result['salt'] = base64.b64encode(salt).decode('utf-8')
result['verifier'] = binascii.hexlify(vkey).decode('utf-8')
return result
def main():
username = input("Enter username: "******"Enter password: "******"Add the following line to the users.csv:")
print()
print("%s,%s,%s" %
(username, base64.standard_b64encode(salt).decode('utf-8'),
base64.standard_b64encode(vkey).decode('utf-8')))
def changePassword(crypt, oldpw) :
try:
(db, _, crypt) = getDB(crypt, oldpw)
# Get the new password
try:
newpw = Util.getPassword(args.newpw, args.newpwf, args.newpwp, prompt="New Password for %s: " % (args.client),
allowNone=False, confirm=True, strength=True)
except Exception as e:
logger.critical(str(e))
if args.exceptions:
logger.exception(e)
return -1
crypt2 = TardisCrypto.TardisCrypto(newpw, args.client)
# Load the keys, and insert them into the crypt object, to decyrpt them
if args.keys:
(f, c) = Util.loadKeys(args.keys, db.getConfigValue('ClientID'))
# No need to check here, loadKeys() throws exception if nothing set.
else:
(f, c) = db.getKeys()
if f is None or c is None:
logger.critical("No keys loaded from database. Please specify --keys as appropriate")
raise Exception("No keys loaded")
crypt.setKeys(f, c)
# Grab the keys from one crypt object.
# Need to do this because getKeys/setKeys assumes they're encrypted, and we need the raw
# versions
crypt2._filenameKey = crypt._filenameKey
crypt2._contentKey = crypt._contentKey
# Now get the encrypted versions
(f, c) = crypt2.getKeys()
(salt, vkey) = srp.create_salted_verification_key(args.client, newpw)
if args.keys:
db.beginTransaction()
db.setSrpValues(salt, vkey)
Util.saveKeys(args.keys, db.getConfigValue('ClientID'), f, c)
db.commit()
else:
db.setKeys(salt, vkey, f, c)
return 0
except Exception as e:
logger.error(str(e))
if args.exceptions:
logger.exception(e)
return 1
def performance_test( mod, hash_alg, ng_type, niter=10, nthreads=1 ):
global NLEFT
_s, _v = srp.create_salted_verification_key( username, password, hash_alg, ng_type )
NLEFT = niter
def test_thread():
global NLEFT
while NLEFT > 0:
do_auth( mod, hash_alg, ng_type, _s, _v )
NLEFT -= 1
start = time.time()
while nthreads > 1:
_thread.start_new_thread( test_thread, () )
nthreads -= 1
test_thread()
duration = time.time() - start
return duration
def main():
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger()
crypto = None
args = processArgs()
password = Util.getPassword(args.password, args.passwordfile, args.passwordurl, args.passwordprog)
if password:
crypto = TardisCrypto.TardisCrypto(password, args.client)
path = os.path.join(args.database, args.client, args.dbname)
db = TardisDB.TardisDB(path, backup=False)
token = createToken(crypto, args.client)
if not checkToken(db, token):
logger.error("Password does not match")
sys.exit(1)
salt, vkey = srp.create_salted_verification_key(args.client, password)
db.setSrpValues(salt, vkey)
db._setConfigValue('Token', None)
def main():
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger()
crypto = None
args = processArgs()
password = Util.getPassword(args.password, args.passwordfile, args.passwordurl, args.passwordprog)
if password:
crypto = TardisCrypto.TardisCrypto(password, args.client)
path = os.path.join(args.database, args.client, args.dbname)
db = TardisDB.TardisDB(path, backup=False)
token = createToken(crypto, args.client)
if not checkToken(db, token):
logger.error("Password does not match")
sys.exit(1)
salt, vkey = srp.create_salted_verification_key(args.client, password)
db.setSrpValues(salt, vkey)
db._setConfigValue('Token', None)
def main(argv=None):
if argv is None:
argv = sys.argv
logger.setLevel(logging.INFO)
#logger.setLevel(logging.DEBUG)
try:
conf_filename = argv[1]
except IndexError:
conf_filename = 'sksync.json'
logger.info('attempting to open config: %r', conf_filename)
try:
f = open(conf_filename, 'rb')
config = load_json(f.read())
f.close()
except IOError:
config = {}
# defaults
config['users'] = config.get('users', {})
username = raw_input('Username: '******'"%s" Password: '******'Confirm password: '******'users'][username] = config['users'].get('username', {})
config['users'][username]['authsrp'] = salt, vkey
raw_json = dump_json(config, indent=4)
logger.info('attempting to open config for write: %r', conf_filename)
f = open(conf_filename, 'wb')
f.write(raw_json)
f.close()
return 0
def performance_test(mod, hash_alg, ng_type, niter=10, nthreads=1):
global NLEFT
_s, _v = srp.create_salted_verification_key(username, password, hash_alg,
ng_type)
NLEFT = niter
def test_thread():
global NLEFT
while NLEFT > 0:
do_auth(mod, hash_alg, ng_type, _s, _v)
NLEFT -= 1
start = time.time()
while nthreads > 1:
_thread.start_new_thread(test_thread, ())
nthreads -= 1
test_thread()
duration = time.time() - start
return duration
def register(self, api_uri, username, password):
try:
salt, verifier = create_salted_verification_key(username, password, self.hash_alg, self.ng_type)
return self._post_registration_data(api_uri, username, salt, verifier)
except (HTTPError, SSLError, Timeout), e:
raise LeapAuthException(e)
#!/usr/bin/env python2
import srp
# The salt and verifier returned from srp.create_salted_verification_key() should be
# stored on the server.
salt, vkey = srp.create_salted_verification_key('testuser', 'testpassword')
class AuthenticationFailed(Exception):
pass
# ~~~ Begin Authentication ~~~
usr = srp.User('testuser', 'testpassword')
uname, A = usr.start_authentication()
# The authentication process can fail at each step from this
# point on. To comply with the SRP protocol, the authentication
# process should be aborted on the first failure.
# Client => Server: username, A
svr = srp.Verifier(uname, salt, vkey, A)
s, B = svr.get_challenge()
if s is None or B is None:
raise AuthenticationFailed()
# Server => Client: s, B
M = usr.process_challenge(s, B)
def createSRPValues(self, password, client=None):
if client is None:
client = self.client
salt, vkey = srp.create_salted_verification_key(client, password)
return salt, vkey
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import tlv
import srp
import hashlib
import hmac
import pprint
ACC_NAME = "Test"
PASSWORD = "******"
srp_salt, srp_session_key = srp.create_salted_verification_key(ACC_NAME, PASSWORD)
key = hmac.new("Pair-Setup-Salt", srp_session_key, hashlib.sha512).digest()
okm = hmac.new(key, "Pair-Setup-Encryption-Key", hashlib.sha512).digest()
class HomeKitHandler(BaseHTTPRequestHandler):
def do_GET(s):
print s.path
def do_POST(s):
length = int(s.headers['Content-Length'])
post_data = s.rfile.read(length)
if s.path == '/pair-setup':
s.close_connection = 0
s.protocol_version = "HTTP/1.1"
tlv_data = tlv.unpack(post_data)
pprint.pprint(tlv_data)
response = []
response.append({'type': 'auth_tag', 'length': 1, 'data': 2})
response.append({'type': 'public_key', 'length': len(okm), 'data': okm})
response.append({'type': 'salt', 'length': 16, 'data': [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]})
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json
import unittest
import binascii
from urlparse import parse_qs
from httmock import urlmatch, all_requests, HTTMock, response
from requests.exceptions import Timeout
import srp
from pixelated.provider.leap_srp import LeapSecureRemotePassword, LeapAuthException
(salt_bytes, verification_key_bytes) = srp.create_salted_verification_key('username', 'password', hash_alg=srp.SHA256, ng_type=srp.NG_1024)
verifier = None
@all_requests
def not_found_mock(url, request):
return {'status_code': 404,
'content': 'foobar'}
@all_requests
def timeout_mock(url, request):
raise Timeout()
@urlmatch(netloc=r'(.*\.)?leap\.local$')
def on_frame(self, frame: str) -> None:
try:
message = json.loads(frame)
except:
logger.exception("Could not decode JSON message: {}".format(frame))
self.transport.close()
return
mtype = message.get('type').upper()
if mtype == 'HEY':
self.text_to_sign = message.get('data')
self.server_cert = base64.b16encode(self.getCert()).decode()
print(self.server_cert)
self._send({'type','CERT_SERVER', 'data', self.server_cert })
self.server_signature = base64.b64encode(self.getSignature()).decode()
self._send({'type','SIGN_SERVER', 'data', self.server_signature })
if mtype == 'SERVER_OK':
self.client_text = message.get('data')
if mtype == 'SERVER_OK':
self.client_text = base64.b64decode(message.get('data')).encode()
if mtype == 'CERT_CLIENT':
self.client_cert = base64.b64decode(message.get('data')).encode()
if mtype == 'SIGN_CLIENT':
self.sign_client = message.get('data')
if not self.verifyClient():
return
self._send({'type','START_LOGIN'})
if mtype == 'USER':
uname = message.get('uname')
A = base64.b64decode(message.get('A')).encode()
password = self.getPassword(uname)
salt, vkey = srp.create_salted_verification_key( uname, password )
self.svr = srp.Verifier( uname, salt, vkey, A)
s,B = self.svr.get_challenge()
self._send({'type','s', 'data', base64.b64encode(s).decode() })
self._send({'type','B', 'data', base64.b64encode(B).decode() })
if mtype == 'M':
M = base64.b64decode(message.get('data')).encode()
HAMK = self.svr.verify_session(M)
if HAMK:
self._send({'type': 'OKOK'})
if mtype == 'HELLO':
self.algorithms = message.get('data').split('_')
if self.algorithms:
self.keyPair()
logger.info("Send public Key")
self._send({'type': 'PUBLIC_KEY', 'data': base64.b64encode(self.pem_public_key).decode()})
ret = True
else:
ret = False
if mtype == 'SECURE':
self.encriptkey = base64.b64decode(message.get('data'))
if self.encriptkey != '':
logger.info("Key")
self.getKey()
ret = True
else:
ret = False
if mtype == 'SECURE_IV':
logger.info("iv")
self.iv=base64.b64decode(message.get('data'))
if self.iv != '':
ret = True
else:
ret= False
if mtype == 'OPEN':
ret = self.process_open(message)
if mtype == 'DATA':
ret = self.process_data(message)
if mtype == 'CLOSE':
ret = self.process_close(message)
logger.info("Decrypt file")
self.decryptFile()
else:
logger.warning("Invalid message type: {}".format(message['type']))
ret = False
if not ret:
try:
self._send({'type': 'ERROR', 'message': 'See server'})
except:
pass # Silently ignore
logger.info("Closing transport")
if self.file is not None:
self.file.close()
self.file = None
self.state = STATE_CLOSE
self.transport.close()
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import tlv
import srp
import hashlib
import hmac
import pprint
ACC_NAME = "Test"
PASSWORD = "******"
srp_salt, srp_session_key = srp.create_salted_verification_key(
ACC_NAME, PASSWORD)
key = hmac.new("Pair-Setup-Salt", srp_session_key, hashlib.sha512).digest()
okm = hmac.new(key, "Pair-Setup-Encryption-Key", hashlib.sha512).digest()
class HomeKitHandler(BaseHTTPRequestHandler):
def do_GET(s):
print s.path
def do_POST(s):
length = int(s.headers['Content-Length'])
post_data = s.rfile.read(length)
if s.path == '/pair-setup':
s.close_connection = 0
s.protocol_version = "HTTP/1.1"
tlv_data = tlv.unpack(post_data)
pprint.pprint(tlv_data)
response = []
response.append({'type': 'auth_tag', 'length': 1, 'data': 2})
def _get_salt_verifier(username, password):
return srp.create_salted_verification_key(bytes(username), bytes(password),
srp.SHA256, srp.NG_1024)
def _get_salt_verifier(username, password):
return srp.create_salted_verification_key(bytes(username), bytes(password),
srp.SHA256, srp.NG_1024)
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
import json
import unittest
import binascii
from urlparse import parse_qs
from httmock import urlmatch, all_requests, HTTMock, response
from requests.exceptions import Timeout
import srp
from pixelated.bitmask_libraries.leap_srp import LeapSecureRemotePassword, LeapAuthException
(salt_bytes, verification_key_bytes) = srp.create_salted_verification_key(
'username', 'password', hash_alg=srp.SHA256, ng_type=srp.NG_1024)
verifier = None
@all_requests
def not_found_mock(url, request):
return {'status_code': 404, 'content': 'foobar'}
@all_requests
def timeout_mock(url, request):
raise Timeout()
@urlmatch(netloc=r'(.*\.)?leap\.local$')
def srp_login_server_simulator_mock(url, request):
email = "*****@*****.**"
password = "******"
if False:
Tstart = time.time()
A = PBKDF2(password=password, salt=plus(KW1, email), c=c1, dkLen=dkLen)
Ta = time.time()
print "time[A]:", Ta-Tstart
B = scrypt(password=A, salt=plus(KW2, email), N=N,r=r,p=p, dkLen=256/8)
Tb = time.time()
print "time[B]:", Tb-Ta
C = PBKDF2(password=plus(password,B), salt=plus(KW3, email), c=c2, dkLen=3*dkLen)
Tc = time.time()
print "time[C]:", Tc-Tb
PWK, MAC, SRPpw = C[:dkLen], C[dkLen:2*dkLen], C[2*dkLen:3*dkLen]
SRPsalt, SRPvkey = create_salted_verification_key(email, SRPpw, hash_alg=SHA256)
Td = time.time()
print "time[D]:", Td-Tc
print "time[total]:", Td-Tstart
print
print "PWK:", hexlify(PWK)
print "MAC:", hexlify(MAC)
print "SRPpw:", hexlify(SRPpw)
print
print "SRPvkey:", hexlify(SRPvkey)
print "SRPsalt:", hexlify(SRPsalt)
sys.exit(0)
salt,vkey = create_salted_verification_key(email, password, hash_alg=SHA256)
import srp
# The salt and verifier returned from srp.create_salted_verification_key() should be
# stored on the server.
salt, vkey = srp.create_salted_verification_key( 'testuser', 'testpassword' )
class AuthenticationFailed (Exception):
pass
# ~~~ Begin Authentication ~~~
usr = srp.User( 'testuser', 'testpassword' )
uname, A = usr.start_authentication()
# The authentication process can fail at each step from this
# point on. To comply with the SRP protocol, the authentication
# process should be aborted on the first failure.
# Client => Server: username, A
svr = srp.Verifier( uname, salt, vkey, A )
s,B = svr.get_challenge()
if s is None or B is None:
raise AuthenticationFailed()
# Server => Client: s, B
M = usr.process_challenge( s, B )
if M is None:
raise AuthenticationFailed()
def createSRPValues(self, password, client=None):
if client is None:
client = self.client
salt, vkey = srp.create_salted_verification_key(client, password)
return salt, vkey
