def do_handshake(self): """Perform a PTLS handshake.""" # first frame is client_hello, with his short-term pubkey data = self._recv_frame() self.remote_shortpub, pskhint, cahint = from_bson(data, 'spub', 'pskhint', 'cahint') # in case we get a hint we need to get the respective psk/cav if pskhint or cahint: if not self.hint_cb: raise pwrtls_exception('Hint supplied, but no hint_cb set.') self.psk, self.cav = self.hint_cb() # now send our hello message with short-term pubkey self._send_frame(self.serverhello()) # receive verification message for authenticating the short-term key data = self._recv_frame() try: opened = nacl.crypto_box_open(data, snonce(3), self.remote_shortpub, self.shortpriv) except ValueError: raise pwrtls_exception('Could not open client_verify message.') self.remote_longpub, vbox, vnonce, pskv, cav = from_bson(opened, 'lpub', 'v', 'vn', 'pskv', 'cav') # check verifybox inner_spub = None try: inner_spub = nacl.crypto_box_open(vbox, vnonce, self.remote_longpub, self.privkey) except ValueError: pass if not inner_spub == str(self.remote_shortpub): raise pwrtls_exception('Verifybox failure, client not in posession of correct private keys!') # now actual remote authentication must happen # verifybox is checked before this because validate_cb probably costs more if not self.validate_cb: logger.critical('PTLS socket has no validate_cb, connection will be INSECURE!') else: if not self.validate_cb(self.remote_longpub, pskv, cav): raise pwrtls_exception('Validation callback veto.')
def do_handshake(self): """Perform a PTLS handshake.""" # first frame is client_hello, with his short-term pubkey data = self._recv_frame() self.remote_shortpub, pskhint, cahint = from_bson( data, 'spub', 'pskhint', 'cahint') # in case we get a hint we need to get the respective psk/cav if pskhint or cahint: if not self.hint_cb: raise pwrtls_exception('Hint supplied, but no hint_cb set.') self.psk, self.cav = self.hint_cb() # now send our hello message with short-term pubkey self._send_frame(self.serverhello()) # receive verification message for authenticating the short-term key data = self._recv_frame() try: opened = nacl.crypto_box_open(data, snonce(3), self.remote_shortpub, self.shortpriv) except ValueError: raise pwrtls_exception('Could not open client_verify message.') self.remote_longpub, vbox, vnonce, pskv, cav = from_bson( opened, 'lpub', 'v', 'vn', 'pskv', 'cav') # check verifybox inner_spub = None try: inner_spub = nacl.crypto_box_open(vbox, vnonce, self.remote_longpub, self.privkey) except ValueError: pass if not inner_spub == str(self.remote_shortpub): raise pwrtls_exception( 'Verifybox failure, client not in posession of correct private keys!' ) # now actual remote authentication must happen # verifybox is checked before this because validate_cb probably costs more if not self.validate_cb: logger.critical( 'PTLS socket has no validate_cb, connection will be INSECURE!') else: if not self.validate_cb(self.remote_longpub, pskv, cav): raise pwrtls_exception('Validation callback veto.')
def inbound_message(self, body): their_vatid, their_pubkey, nonce, encbody = self.parse_message(body) # their_vatid is "pk0-base32..", while their_pubkey is binary assert their_vatid != self.vatid, "go away mirror" nonce_number = int(hexlify(nonce), 16) if their_vatid < self.vatid: offset = 2 # they are First, I am Second, msg is First->Second else: offset = 0 # I am First, they are Second, msg is Second->First assert nonce_number % 4 == offset, "wrong nonce type %d %d" % (nonce_number, offset) msg = crypto_box_open(encbody, nonce, their_pubkey, self.privkey) resp = self.process_message(their_vatid, nonce_number, offset, msg) r_nonce = self.number_to_nonce(nonce_number+1) return ",".join(["v0", util.to_ascii(self.pubkey, "pk0-", encoding="base32"), util.to_ascii(r_nonce, encoding="base32"), crypto_box(resp, r_nonce, their_pubkey, self.privkey)])
def _outbound_response(self, response, their_vatid, msgnum): if their_vatid < self.vatid: offset = 0 # they are First, I am Second, msg is Second->First else: offset = 2 # I am First, they are Second, msg is First->Second expected_nonce = self.number_to_nonce(4*msgnum+offset+1) pubkey_s, pubkey, nonce, encbody = self.parse_message(response) assert pubkey_s == their_vatid, (pubkey_s, their_vatid) assert nonce == expected_nonce, (int(hexlify(nonce),16), 4*msgnum+offset+1) msg = crypto_box_open(encbody, nonce, pubkey, self.privkey) log.msg("response msg: %s" % msg) # we don't actually look at the contents, just getting a valid boxed # response back is proof of success. We can now retire it. c = self.db.cursor() c.execute("DELETE FROM `outbound_messages`" " WHERE `to_vatid`=? AND `msgnum`=?", (their_vatid, msgnum)) self.db.commit()
def do_handshake(self): """Perform a PTLS handshake.""" self._send_frame(self.clienthello()) # receive server hello with his short-term pubkey data = self._recv_frame() box, self.remote_longpub = from_bson(data, 'box', 'lpub') srvhello = nacl.crypto_box_open(box, snonce(2), self.remote_longpub, self.shortpriv) self.remote_shortpub, pskv, cav = from_bson(srvhello, 'spub', 'pskv', 'cav') # now actual remote authentication must happen if not self.validate_cb: logger.critical('PTLS socket has no validate_cb, connection will be INSECURE!') else: if not self.validate_cb(self.remote_longpub, pskv, cav): raise pwrtls_exception('Validation callback veto.') # send verification message authenticating our short-term key with our long-term one self._send_frame(self.clientverify())
def do_handshake(self): """Perform a PTLS handshake.""" self._send_frame(self.clienthello()) # receive server hello with his short-term pubkey data = self._recv_frame() box, self.remote_longpub = from_bson(data, 'box', 'lpub') srvhello = nacl.crypto_box_open(box, snonce(2), self.remote_longpub, self.shortpriv) self.remote_shortpub, pskv, cav = from_bson(srvhello, 'spub', 'pskv', 'cav') # now actual remote authentication must happen if not self.validate_cb: logger.critical( 'PTLS socket has no validate_cb, connection will be INSECURE!') else: if not self.validate_cb(self.remote_longpub, pskv, cav): raise pwrtls_exception('Validation callback veto.') # send verification message authenticating our short-term key with our long-term one self._send_frame(self.clientverify())
def test_box(self): nonce = self.nonce() c = nacl.crypto_box(self.msg, nonce, self.pk2, self.sk1) m = nacl.crypto_box_open(c, nonce, self.pk1, self.sk2) self.assertEqual(m, self.msg)
def test_box(self): nonce = self.nonce() c = nacl.crypto_box(self.msg, nonce, self.pk2, self.sk1) m = nacl.crypto_box_open(c, nonce, self.pk1, self.sk2) self.assertEqual(m, self.msg)
def _open_message(self, data): opened = nacl.crypto_box_open(data, snonce(self.remotenonce), self.remote_shortpub, self.shortpriv) self.remotenonce += 2 return opened