def importServerCerts(self): rawCerts = getServerCerts() self.certs = [ CipherUtil.getCertFromBytes(c.encode("utf-8")) for c in rawCerts ] self.publicKey = self.certs[0].public_key() self.rootCert = CipherUtil.getCertFromBytes( getRootCert().encode("utf-8"))
def importKeys(self): addr = self.transport.get_extra_info('sockname')[0] self.privateKey = serialization.load_pem_private_key( str.encode(getPrivateKeyForAddr(addr)), password=None, backend=default_backend()) rawCerts = getCertsForAddr(addr) self.certs = [ CipherUtil.getCertFromBytes(c.encode("utf-8")) for c in rawCerts ] self.publicKey = self.certs[0].public_key() self.rootCert = CipherUtil.getCertFromBytes( getRootCert().encode("utf-8"))
def GetCommonName(cls, certBytes): cert = CipherUtil.getCertFromBytes(certBytes) commonNameList = cert.subject.get_attributes_for_oid( NameOID.COMMON_NAME) if len(commonNameList) != 1: return None commonNameAttr = commonNameList[0] return commonNameAttr.value
def sendPlsKeyExchange(self,pc): #print("************ TIME FOR SERVER TO SEND KEY EXCHANGE PACKET ********************") ServerKX = PlsKeyExchange() ServerKX.NoncePlusOne = self.NCc + 1 #print("1") self.PKs = (CipherUtil.getCertFromBytes(self.Received_Certificates[0])).public_key() #print("1") ServerKX.PreKey = self.PKs.encrypt(os.urandom(16),padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),algorithm=hashes.SHA256(),label=None)) self.serverprekey = ServerKX.PreKey #print("1") skeyexchange = ServerKX.__serialize__() self.m.update(skeyexchange) self.transport.write(skeyexchange)
def sendPlsKeyExchange(self, pc): #print("************ TIME FOR CLIENT TO SEND KEY EXCHANGE PACKET ********************") ClientKX = PlsKeyExchange() ClientKX.NoncePlusOne = pc.Nonce + 1 self.PKs = (CipherUtil.getCertFromBytes(pc.Certs[0])).public_key() ClientKX.PreKey = self.PKs.encrypt( os.urandom(16), padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) self.clientprekey = ClientKX.PreKey ckeyexchange = ClientKX.__serialize__() self.m.update(ckeyexchange) self.transport.write(ckeyexchange)
def data_received(self, data): self.deserializer.update(data) for packet in self.deserializer.nextPackets(): if isinstance(packet, PlsHello): self.incoming_cert.append( CipherUtil.getCertFromBytes(packet.Certs[0])) self.incoming_cert.append( CipherUtil.getCertFromBytes(packet.Certs[1])) self.incoming_cert.append( CipherUtil.getCertFromBytes(packet.Certs[2])) print("\nReceived Server Hello. Beginning Validation.") if self.validate(self.incoming_cert): self.m.update(packet.__serialize__()) print( " Server Certificate Validated. Sending Client Key Exchange!\n" ) clientkey = PlsKeyExchange() randomvalue = os.urandom( 16) # Example bytes:- b'1234567887654321' self.pkc = int.from_bytes(randomvalue, byteorder='big') clientkey.NoncePlusOne = packet.Nonce + 1 self.ns = packet.Nonce pub_key = self.incoming_cert[0].public_key() encrypted1 = pub_key.encrypt( randomvalue, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) #print ("Encrypted String is: ",encrypted1) clientkey.PreKey = encrypted1 clkey = clientkey.__serialize__() print("Sent the Prekey to Server.") self.m.update(clkey) self.transport.write(clkey) if isinstance(packet, PlsKeyExchange): print("Received Server Key Exchange.") self.m.update(packet.__serialize__()) myprivatekey = getPrivateKeyForAddr( "20174.1.666.46" ) #This hardcoded IP address must the peerAddress serverpriv = CipherUtil.getPrivateKeyFromPemBytes(myprivatekey) decrypted = serverpriv.decrypt( packet.PreKey, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) #print("Decrypted Pre-Master Secret: ", decrypted) self.pks = int.from_bytes(decrypted, byteorder='big') #==================================== #sending digest self.clientdigest = self.m.digest() #print("Hash digest is: ", self.clientdigest) hdone = PlsHandshakeDone() hdone.ValidationHash = self.clientdigest hdone_s = hdone.__serialize__() print("Sent the PLS Handshake Done to server.") self.transport.write(hdone_s) if isinstance(packet, PlsHandshakeDone): print("\n\nReceived Server Handshake done message.") if (self.clientdigest == packet.ValidationHash): print("Digest verification done!") self.key_generator() plstransport = PLSStackingTransport(self, self.transport) higherTransport = StackingTransport(plstransport) self.higherProtocol().connection_made(higherTransport) if isinstance(packet, PlsData): print( "#######################Recieved Data Packet from PLSServer ############################" ) self.ctr = 0 if self.mac_verification_engine(packet.Ciphertext, packet.Mac): DecryptedPacket = self.decryption_engine(packet.Ciphertext) self.higherProtocol().data_received(DecryptedPacket) self.ctr = 0 else: self.ctr += 1 if self.ctr != 5: print("Verification Failed. Try Again. Failed {}" ).format(self.ctr) else: print( "Verification failed 5 times. Killing Connection and Sending PlsClose." ) # Creating and Sending PlsClose self.ctr = 0 Close = PlsClose() #Close.Error = "Closing Connection due to 5 Verification failures. Aggressive Close." serializeClose = Close.__serialize__() self.transport.write(serializeClose) self.transport.close() if isinstance(packet, PlsClose): print( "#####################Received PlsClose from Server###########################" ) self.transport.close()
def validate(self, certificate): serverissuer = CipherUtil.getCertIssuer(certificate[0]) intermediatesubject = CipherUtil.getCertSubject(certificate[1]) intermediateissuer = CipherUtil.getCertIssuer(certificate[1]) encodedrootcert = getRootCert() rootcert = CipherUtil.getCertFromBytes(encodedrootcert) print("Type of RootCert: ", type(rootcert)) rootsubject = CipherUtil.getCertSubject(rootcert) print(" Server PeerAddress is:- ", self.address) receivedIDCommonName = self.GetCommonName(certificate[0]) intermediateCommonName = self.GetCommonName(certificate[1]) rootCommonName = self.GetCommonName(rootcert) if self.peerAddress == receivedIDCommonName: splitlist = re.split('(.*)\.(.*)\.(.*)\.(.*)', receivedIDCommonName)[1:4] FirstThreeOctets = '.'.join(splitlist) if serverissuer == intermediatesubject and FirstThreeOctets == intermediateCommonName: print( "Chain 1 verification succeeded! Going to Check Signature now" ) # checking signature first stage signature = certificate[0].signature intermediate_pubkey = certificate[1].public_key() cert_bytes = certificate[0].tbs_certificate_bytes try: intermediate_pubkey.verify(signature, cert_bytes, padding.PKCS1v15(), hashes.SHA256()) print("Signature check stage 1 successful!") splitlist = re.split('(.*)\.(.*)\.(.*)', intermediateCommonName)[1:3] FirstTwoOctets = '.'.join(splitlist) if intermediateissuer == rootsubject and FirstTwoOctets == rootCommonName: print( "Chain 2 verification succeeded! Going to check signature now" ) # checking signature second stage signature = certificate[1].signature cert_bytes = certificate[1].tbs_certificate_bytes root_pubkey = rootcert.public_key() try: root_pubkey.verify(signature, cert_bytes, padding.PKCS1v15(), hashes.SHA256()) print("Signature check stage 2 successful!") print("FULLY VALIDATED! AWESOME!") return True except Exception: print("Signature check stage 2 failed") raise else: print( "Chain 2 verification failed! Check the chain please." ) except Exception: print("Signature check stage 1 failed") raise else: print("Chain 1 verification failed! Check the chain please.") else: print( "Peer Address and the address received in the certificate is incorrect! Please check the Identity Certificate" ) '''
def data_received(self, data): self._deserializer.update(data) for packet in self._deserializer.nextPackets(): if isinstance(packet, PlsData): cipher_text = packet.Ciphertext verification_code = packet.Mac if self._verification_engine.verifyMac(cipher_text, verification_code): plain_text = self._decryption_engine.decrypt(cipher_text) self.higherProtocol().data_received(plain_text) else: self.terminate_connection("validation error") elif isinstance(packet, PlsHello): ''' 1. store certs from the other side (?) 2. get the other side's pubk from the certs 3. store the other side's nonce 4. store this message for SHA1 ''' self._certs_for_other_side = list(packet.Certs) self._nonce_for_other_side = packet.Nonce self._pubk_for_other_side = CertFactory.getPubkFromCert( packet.Certs[0]) self._messages_for_handshake.append(packet.__serialize__()) ''' verify certs ''' tmp_cert_list = [] for cert_for_other_side in self._certs_for_other_side: tmp_cert_list.append( CipherUtil.getCertFromBytes(cert_for_other_side)) peer_name = self.transport.get_extra_info("peername")[0] common_name = CertFactory.GetCommonName(packet.Certs[0]) root = CipherUtil.getCertFromBytes(CertFactory.getRootCert()) issuer = CipherUtil.RSA_SIGNATURE_MAC(root.public_key()) if str(peer_name).startswith( common_name ) and CipherUtil.ValidateCertChainSigs(tmp_cert_list) and ( packet.Certs[-1] == CertFactory.getRootCert() or issuer.verify(packet.Certs[-1], root.signature)): if self._state == 0: # start to send plshello self._nonce = random.randint(0, 2**64) pls_hello = PlsHello(Nonce=self._nonce, Certs=self._certs) pls_hello_bytes = pls_hello.__serialize__() self.transport.write(pls_hello_bytes) self._state = 2 self._messages_for_handshake.append(pls_hello_bytes) elif self._state == 1: self._pre_key = CertFactory.getPreKey() pls_key_exchange = PlsKeyExchange( PreKey=CryptoUtil.RSAEncrypt( self._pubk_for_other_side, self._pre_key), NoncePlusOne=self._nonce_for_other_side + 1) pls_key_exchange_bytes = pls_key_exchange.__serialize__( ) self.transport.write(pls_key_exchange_bytes) self._state = 3 self._messages_for_handshake.append( (pls_key_exchange_bytes)) else: # pass self.terminate_connection("Status error") else: # pass self.terminate_connection("PlsHello error") elif isinstance(packet, PlsKeyExchange): if packet.NoncePlusOne == self._nonce + 1: self._pre_key_for_other_side = CryptoUtil.RSADecrypt( self._private_key, packet.PreKey) self._messages_for_handshake.append(packet.__serialize__()) if self._state == 2: self._pre_key = CertFactory.getPreKey() pls_key_exchange = PlsKeyExchange( PreKey=CryptoUtil.RSAEncrypt( self._pubk_for_other_side, self._pre_key), NoncePlusOne=self._nonce_for_other_side + 1) pls_key_exchange_bytes = pls_key_exchange.__serialize__( ) self.transport.write(pls_key_exchange_bytes) self._state = 4 self._messages_for_handshake.append( pls_key_exchange_bytes) elif self._state == 3: m = hashlib.sha1() m.update(self._messages_for_handshake[0] + self._messages_for_handshake[1] + self._messages_for_handshake[2] + self._messages_for_handshake[3]) self._hash_for_handshake = m.digest() pls_handshake_done = PlsHandshakeDone( ValidationHash=self._hash_for_handshake) self.transport.write( pls_handshake_done.__serialize__()) self._state = 5 else: # pass self.terminate_connection("Status error") else: # pass self.terminate_connection("PlsKeyExchange error") elif isinstance(packet, PlsHandshakeDone): validation_hash = packet.ValidationHash if self._state == 4: m = hashlib.sha1() m.update(self._messages_for_handshake[0] + self._messages_for_handshake[1] + self._messages_for_handshake[2] + self._messages_for_handshake[3]) self._hash_for_handshake = m.digest() if self._hash_for_handshake == validation_hash: pls_handshake_done = PlsHandshakeDone( ValidationHash=self._hash_for_handshake) self.transport.write( pls_handshake_done.__serialize__()) self._state = 6 # ------------ set symmetric variables ------------ self.set_symmetric_variables(False) # ------------ connect to higher protocol ------------ self.higherProtocol().connection_made( PLSTransport(self.transport, self)) else: # pass self.terminate_connection( "PlsHandshakeDone validation error") elif self._state == 5: if self._hash_for_handshake == validation_hash: self.set_symmetric_variables(True) self.higherProtocol().connection_made( PLSTransport(self.transport, self)) self._state = 6 else: # pass self.terminate_connection( "PlsHandshakeDone validation error") else: # pass self.terminate_connection("status error") elif isinstance(packet, PlsClose): print("connection closed by the other side") self.transport.close() else: print('PLSP is waiting for a PLS packet.')
def data_received(self, data): self.deserializer.update(data) for pkt in self.deserializer.nextPackets(): if isinstance(pkt, PlsHello) and self.state == self.STATE_SERVER_HELLO: # Deserialize certs in packet, attach root cert peerCerts = [CipherUtil.getCertFromBytes(c) for c in pkt.Certs] if self.verifyCerts(peerCerts): self.dbgPrint("Server: PlsHello received!") self.messages["M1"] = pkt.__serialize__() self.peerPublicKey = peerCerts[0].public_key() self.clientNonce = pkt.Nonce # Make PlsHello and send back self.serverNonce = self.generateNonce() # Serialize certs to pack into PlsHello certBytes = [CipherUtil.serializeCert(c) for c in self.certs] self.dbgPrint("Server: sending PlsHello back to client... Current state: {!r}, nonce Number: {!r}" .format(self.STATE_DESC[self.state], self.serverNonce)) helloPkt = PlsHello.makeHelloPacket(self.serverNonce, certBytes) self.messages["M2"] = helloPkt.__serialize__() self.transport.write(helloPkt.__serialize__()) self.state = self.STATE_SERVER_KEY_EXCHANGE else: self.handleError("Error: certificate verification failure.") elif isinstance(pkt, PlsKeyExchange) and self.state == self.STATE_SERVER_KEY_EXCHANGE: if self.serverNonce + 1 == pkt.NoncePlusOne: self.dbgPrint("Server: received PlsKeyExchange packet from client") self.messages["M3"] = pkt.__serialize__() self.clientPreKey = self.privateKey.decrypt( pkt.PreKey, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None ) ) if len(self.clientPreKey) != self.PRE_KEY_LENGTH_BYTES: self.handleError("Error: Bad client pre-key with length = " + str(len(self.clientPreKey) * 8) + " bits, wrong RSA decryption?") else: self.dbgPrint("Server: client prekey received: " + self.clientPreKey.hex()) # Make PlsKeyExchange and send back self.serverPreKey = self.generatePreKey() self.dbgPrint( "Server: sending plsKeyExchange packet, prekey: {!r}".format(self.serverPreKey.hex())) encryptedPreKey = self.peerPublicKey.encrypt( self.serverPreKey, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None ) ) plsKeyExchangePkt = PlsKeyExchange.makePlsKeyExchange(encryptedPreKey, self.clientNonce + 1) self.messages["M4"] = plsKeyExchangePkt.__serialize__() self.transport.write(plsKeyExchangePkt.__serialize__()) self.state = self.STATE_SERVER_PLS_HANDSHAKE_DONE # Enough info to generate keys and initialize ciphers self.setKeys(self.generateDerivationHash()) self.setEngines() else: self.handleError("Error: bad nonce in key exchange.") elif isinstance(pkt, PlsHandshakeDone) and self.state == self.STATE_SERVER_PLS_HANDSHAKE_DONE: if self.verifyValidationHash(pkt.ValidationHash): self.dbgPrint("Server: plsHandshakeDone packet received from client.") self.dbgPrint( "Server: sending plsHandshakeDone to client and notifying upper layer connection_made") hashText = self.generateValidationHash() handshakeDonePkt = PlsHandshakeDone.makePlsHandshakeDone(hashText) self.transport.write(handshakeDonePkt.__serialize__()) # Enter transmission self.state = self.STATE_SERVER_TRANSFER higherTransport = PLSTransport(self.transport, self) self.higherProtocol().connection_made(higherTransport) else: self.handleError("Error: validation hash verification failure.") elif isinstance(pkt, PlsData) and self.state == self.STATE_SERVER_TRANSFER: self.dbgPrint("Server: received application data from client, decrypt and notify upper layer") if self.verifyPlsData(pkt.Ciphertext, pkt.Mac): self.dbgPrint("Verification succeeded, sending data to upper layer...") self.higherProtocol().data_received(self.decrypt(pkt.Ciphertext)) else: # self.handleError("Error: data verification failure.") self.dbgPrint("Data MAC verification error, discarded.") elif isinstance(pkt, PlsClose): self.dbgPrint("PlsClose received, closing...") self.transport.close() else: self.handleError("Error: wrong packet type " + pkt.DEFINITION_IDENTIFIER + ", current state " + self.STATE_DESC[self.state])
def data_received(self, data): self.deserializer.update(data) for packet in self.deserializer.nextPackets(): if isinstance(packet, PlsHello): self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[0]))) self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[1]))) self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[2]))) print("\nReceived Server Hello. Trying to verify issuer...") if self.validate(self.incoming_cert): self.m.update(packet.__serialize__()) print( " Server Certificate Validated. Sending Client Key Exchange!\n" ) clientkey = PlsKeyExchange() randomvalue = b'1234567887654321' print(type(randomvalue)) self.pkc = randomvalue.decode() clientkey.NoncePlusOne = packet.Nonce + 1 self.ns = packet.Nonce pub_key = self.incoming_cert[0].public_key() encrypted1 = pub_key.encrypt( randomvalue, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) print("Encrypted String is: ", encrypted1) clientkey.PreKey = encrypted1 clkey = clientkey.__serialize__() print("Sent the Prekey to Server.") self.m.update(clkey) self.transport.write(clkey) if isinstance(packet, PlsKeyExchange): print("Received Server Key Exchange.") self.m.update(packet.__serialize__()) serverpriv = CipherUtil.loadPrivateKeyFromPemFile( "/root/keys/client/sagar-client.key") decrypted = serverpriv.decrypt( packet.PreKey, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) print("Decrypted Pre-Master Secret: ", decrypted) self.pks = decrypted.decode() #==================================== #sending digest self.clientdigest = self.m.digest() print("Hash digest is: ", self.clientdigest) hdone = PlsHandshakeDone() hdone.ValidationHash = self.clientdigest hdone_s = hdone.__serialize__() print("Sent the PLS Handshake Done to server.") self.transport.write(hdone_s) if isinstance(packet, PlsHandshakeDone): print("\n\nReceived Server Handshake done message.") if (self.clientdigest == packet.ValidationHash): print("Digest verification done!") self.key_generator()
def data_received(self, data): self.deserializer.update(data) for pkt in self.deserializer.nextPackets(): if isinstance( pkt, SITHPacket ): # judge if this packet is an instance of RIPPPacket if (pkt.Type == "HELLO") and ( self.state == self.STATE_SERVER_HELLO): #receive client hello pkt # Deserialize certs in packet, attach root cert self.peerCerts = [ CipherUtil.getCertFromBytes(c) for c in pkt.Certificate ] if self.verifyCerts(self.peerCerts): self.log("Server: SithHello received!") self.messages["M1"] = pkt.__serialize__( ) #turn the client's hello pkt into bytes self.peerPublicKey = self.peerCerts[0].public_key() # Serialize certs to pack into SithHello self.certBytes = [ CipherUtil.serializeCert(c) for c in self.certs ] self.log( "Server: sending SithHello back to client... Current state: {!r}, random: {!r}" .format(self.STATE_DESC[self.state], self.random)) helloPkt = SITHPacket.makeHelloPacket( self.random, self.certBytes, self.public_key) self.messages["M2"] = helloPkt.__serialize__( ) #turn the server's hello pkt into bytes self.transport.write( helloPkt.__serialize__() ) #send the server hello pkt and enter 'server_key_exchange' stage self.state = self.STATE_SERVER_KEY_EXCHANGE #key derivation self.client_public_key = x25519.X25519PublicKey.from_public_bytes( pkt.PublicValue ) #load client's public key from bytes shared_secret = self.private_key.exchange( self.client_public_key) hasher = hashes.Hash(hashes.SHA256(), backend=default_backend()) hasher.update(self.messages["M1"] + self.messages["M2"]) self.hash_msg = hasher.finalize() #get the hash result derived_key = HKDF( algorithm=hashes.SHA256(), length=32, salt=None, info=self.hash_msg, backend=default_backend()).derive( shared_secret) #get the derived key self.iv_dec = derived_key[:12] self.iv_enc = derived_key[12:24] self.server_write = derived_key[:16] self.server_read = derived_key[16:] self.setEngines() self.state = self.STATE_SERVER_SITH_HANDSHAKE_DONE else: self.log("Error: certificate verification failure.") self.sendSithClose(1) elif (pkt.Type == "FINISH") and ( self.state == self.STATE_SERVER_SITH_HANDSHAKE_DONE): self.log( "Server: received handshake_finish packet from client") #verify client's signature client_public_key = self.peerCerts[0].public_key() client_signature = pkt.Signature verify_result = self.verify_signature( client_public_key, client_signature, self.hash_msg) if not verify_result: self.log("Server: wrong signature of client!") self.log("Server is closing...") self.sendSithClose(1) else: # generate handshake finish pkt self.cert_private_key = getServerPrivateKey( ) # read private of server's certificate finishPkt = SITHPacket.makeFinishPacket( self.messages["M1"], self.messages["M2"], self.cert_private_key) self.transport.write( finishPkt.__serialize__() ) # send the server hello pkt and enter 'server_key_exchange' stage #enter the data transmission state self.state = self.STATE_SERVER_TRANSFER higherTransport = SITHTransport(self.transport, self) self.higherProtocol().connection_made(higherTransport) # Enter transmission higherTransport = SITHTransport(self.transport, self) self.higherProtocol().connection_made(higherTransport) elif (pkt.Type == "DATA") and self.state == self.STATE_SERVER_TRANSFER: self.log( "Server: received application data from client, decrypt and notify upper layer" ) self.log( "Verification succeeded, sending data to upper layer..." ) self.higherProtocol().data_received( self.decrypt(self.iv_dec, pkt.Ciphertext, None)) elif (pkt.Type == "CLOSE"): self.transport.close() else: self.log("Error: wrong packet type " + pkt.DEFINITION_IDENTIFIER + ", current state " + self.STATE_DESC[self.state]) self.sendSithClose(1) else: self.log("Wrong packet class type: {!r}".format(str( type(pkt)))) self.sendSithClose(1)
def data_received(self, data): self.deserializer.update(data) for packet in self.deserializer.nextPackets(): if isinstance(packet, PlsHello): self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[0]))) self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[1]))) self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[2]))) print("\nReceived Server Hello. Trying to verify issuer...") if self.validate(self.incoming_cert): self.m.update(packet.__serialize__()) print( " Server Certificate Validated. Sending Client Key Exchange!\n" ) clientkey = PlsKeyExchange() randomvalue = b'1234567887654321' print(type(randomvalue)) self.pkc = randomvalue.decode() clientkey.NoncePlusOne = packet.Nonce + 1 self.ns = packet.Nonce pub_key = self.incoming_cert[0].public_key() encrypted1 = pub_key.encrypt( randomvalue, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) print("Encrypted String is: ", encrypted1) clientkey.PreKey = encrypted1 clkey = clientkey.__serialize__() print("Sent the Prekey to Server.") self.m.update(clkey) self.transport.write(clkey) if isinstance(packet, PlsKeyExchange): print("Received Server Key Exchange.") self.m.update(packet.__serialize__()) serverpriv = CipherUtil.loadPrivateKeyFromPemFile( "/home/prashanth/netsec/prashanth-client.key") decrypted = serverpriv.decrypt( packet.PreKey, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) print("Decrypted Pre-Master Secret: ", decrypted) self.pks = decrypted.decode() #==================================== #sending digest self.clientdigest = self.m.digest() print("Hash digest is: ", self.clientdigest) hdone = PlsHandshakeDone() hdone.ValidationHash = self.clientdigest hdone_s = hdone.__serialize__() print("Sent the PLS Handshake Done to server.") self.transport.write(hdone_s) if isinstance(packet, PlsHandshakeDone): print("\n\nReceived Server Handshake done message.") if (self.clientdigest == packet.ValidationHash): print("Digest verification done!") self.key_generator() if isinstance(packet, PlsData): print( "=====================Recieved Data Packet from PLSServer ======================" ) self.ctr = 0 if self.mac_verification_engine(packet.Ciphertext, packet.Mac): print( "=====================Pls Client Verification Successful. Decrypting=============" ) DecryptedPacket = self.decryption_engine(packet.Ciphertext) print( "=======================Decryption DONE! =======Sending to HigherLayer===========" ) self.higherProtocol().data_received(DecryptedPacket) self.ctr = 0 else: self.ctr += 1 if self.ctr != 5: print("Verification Failed. Try Again. Failed {}" ).format(self.ctr) else: print( "Verification failed 5 times. Killing Connection and Sending PlsClose." ) #Creating and Sending PlsClose self.ctr = 0 Close = PlsClose() Close.Error = "Closing Connection due to 5 Verification failures. Aggressive Close." serializeClose = Close.__serialize__() self.transport.write(serializeClose) self.transport.close() if isinstance(packet, PlsClose): print( "==================Received PlsClose from Server======================== " ) self.connection_lost(packet.Error) self.transport.close()
def data_received(self, data): print( "####################SSL layer data received called!#####################" ) self.deserializer.update(data) for packet in self.deserializer.nextPackets(): if isinstance(packet, PlsHello): self.incoming_cert.append( CipherUtil.getCertFromBytes(packet.Certs[0])) self.incoming_cert.append( CipherUtil.getCertFromBytes(packet.Certs[1])) self.incoming_cert.append( CipherUtil.getCertFromBytes(packet.Certs[2])) print("\nReceived Client Hello packet. Beginning Validation.") if self.validate(self.incoming_cert): self.nc = packet.Nonce self.m = hashlib.sha1() self.m.update(packet.__serialize__()) print("Certificate Validated. Sending Server hello!\n") self.clientnonce = packet.Nonce serverhello = PlsHello() serverhello.Nonce = int.from_bytes( os.urandom(8), byteorder='big') #12345678 self.ns = serverhello.Nonce idcert = getCertsForAddr(self.address) pubkey = getCertsForAddr(self.splitaddr) root = getRootCert() serverhello.Certs = [] serverhello.Certs.append(idcert) serverhello.Certs.append(pubkey) serverhello.Certs.append(root) srvhello = serverhello.__serialize__() print("Sent Server Hello!\n") self.m.update(srvhello) self.transport.write(srvhello) if isinstance(packet, PlsKeyExchange): print("Received Client Key Exchange. Server Server Keys\n\n") self.m.update(packet.__serialize__()) myprivatekey = getPrivateKeyForAddr(self.address) serverpriv = CipherUtil.getPrivateKeyFromPemBytes(myprivatekey) decrypted = serverpriv.decrypt( packet.PreKey, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) #print("Decrypted Pre-Master Secret: ", decrypted) self.pkc = int.from_bytes(decrypted, byteorder='big') #==================================== #Creating Server Pre-Master serverkey = PlsKeyExchange() randomvalue = os.urandom(16) #b'1234567887654321' self.pks = int.from_bytes(randomvalue, byteorder='big') serverkey.NoncePlusOne = self.clientnonce + 1 pub_key = self.incoming_cert[0].public_key() encrypted = pub_key.encrypt( randomvalue, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) #print("Encrypted String is: ", encrypted) serverkey.PreKey = encrypted skey = serverkey.__serialize__() print("Sent the Prekey to Client.\n\n") self.m.update(skey) self.transport.write(skey) if isinstance(packet, PlsHandshakeDone): print("Received Client Handshake done message.") clientdigest = packet.ValidationHash serverdigest = self.m.digest() #print("Hash digest is: ", serverdigest) hdone = PlsHandshakeDone() hdone.ValidationHash = serverdigest if (serverdigest == clientdigest): print("Digest verification done!") # calling higher connection made since we have received the ACK self.key_generator() plstransport = PLSStackingTransport(self, self.transport) higherTransport = StackingTransport(plstransport) self.higherProtocol().connection_made(higherTransport) hdone_s = hdone.__serialize__() self.transport.write(hdone_s) if isinstance(packet, PlsData): print( "##################Recieved Data Packet from PLSClient###########################" ) self.ctr = 0 if self.mac_verification_engine(packet.Ciphertext, packet.Mac): DecryptedPacket = self.decryption_engine(packet.Ciphertext) self.higherProtocol().data_received(DecryptedPacket) self.ctr = 0 else: self.ctr += 1 if self.ctr != 5: print("Verification Failed. Try Again. Failed {}" ).format(self.ctr) else: print( "Verification failed 5 times. Killing Connection and Sending PlsClose." ) self.ctr = 0 #Creating and Sending PlsClose Close = PlsClose() #Close.Error = "Closing Connection due to 5 Verification failures. Aggrresive Close" serializeClose = Close.__serialize__() self.transport.write(serializeClose) self.transport.close() if isinstance(packet, PlsClose): print( "######################Received PlsClose from Client######################### " ) #self.connection_lost(self) self.transport.close()
def data_received(self, data): self.deserializer.update(data) for pkt in self.deserializer.nextPackets(): if isinstance( pkt, SITHPacket ): #judge if this packet is an instance of RIPPPacket if (pkt.Type == "HELLO") and (self.state == self.STATE_CLIENT_HELLO ): #receive server's hello pkt # Deserialize certs in packet, attach root cert self.peerCerts = [ CipherUtil.getCertFromBytes(c) for c in pkt.Certificate ] #deserialize certificate from byte format if self.verifyCerts(self.peerCerts): self.dbgPrint( "Client: received SithHello packet from server, current state: {!r}" .format(self.STATE_DESC[self.state])) self.messages["M2"] = pkt.__serialize__() self.state = self.STATE_CLIENT_KEY_EXCHANGE #after receiving server's hello pkt, enter 'client_key_exchange' stage #key derivation self.server_public_key = x25519.X25519PublicKey.from_public_bytes( pkt.PublicValue ) #load server's public key from bytes shared_secret = self.private_key.exchange( self.server_public_key) hasher = hashes.Hash(hashes.SHA256(), backend=default_backend()) hasher.update(self.messages["M1"] + self.messages["M2"]) self.hash_msg = hasher.finalize() #get the hash result derived_key = HKDF( algorithm=hashes.SHA256(), length=32, salt=None, info=self.hash_msg, backend=default_backend()).derive( shared_secret) #get the derived key self.iv_enc = derived_key[:12] self.iv_dec = derived_key[12:24] self.client_read = derived_key[:16] self.client_write = derived_key[16:] self.setEngines() self.state = self.STATE_CLIENT_SITH_HANDSHAKE_DONE #generate handshake finish pkt self.cert_private_key = getClientPrivateKey() finishPkt = SITHPacket.makeFinishPacket( self.messages["M1"], self.messages["M2"], self.cert_private_key) self.transport.write( finishPkt.__serialize__() ) #send the server hello pkt and enter 'server_key_exchange' state #send the client finish pkt to server and enter handshake done state else: self.dbgPrint( "Error: certificate verification failure.") self.state = self.STATE_CLIENT_CLOSED self.sendSithClose(1) elif ( pkt.Type == "FINISH" ) and self.state == self.STATE_CLIENT_SITH_HANDSHAKE_DONE: self.dbgPrint( "Client: received handshake_finish packet from server") #verify server's signature server_public_key = self.peerCerts[0].public_key() server_signature = pkt.Signature verify_result = self.verify_signature( server_public_key, server_signature, self.hash_msg) if not verify_result: self.dbgPrint("Client: wrong signature of client!") self.dbgPrint("Client is closing...") self.state = self.STATE_CLIENT_CLOSED self.sendSithClose(1) else: #enter data transmission state self.state = self.STATE_CLIENT_TRANSFER higherTransport = SITHTransport(self.transport, self) self.higherProtocol().connection_made(higherTransport) elif (pkt.Type == "DATA") and self.state == self.STATE_CLIENT_TRANSFER: self.dbgPrint( "Client: received application data from server") self.higherProtocol().data_received( self.decrypt(self.iv_dec, pkt.Ciphertext, None)) elif (pkt.Type == "CLOSE"): self.state = self.STATE_CLIENT_CLOSED self.transport.close() else: self.dbgPrint("Error: wrong packet type " + pkt.DEFINITION_IDENTIFIER + ", current state " + self.STATE_DESC[self.state]) self.sendSithClose(1) else: self.dbgPrint("Wrong packet class type: {!r}".format( str(type(pkt)))) self.sendSithClose(1)
def data_received(self, data): print("###SSL layer data received called!###") self.deserializer.update(data) for packet in self.deserializer.nextPackets(): #print(packet.Certs[0], packet.Certs[1], packet.Certs[2]) if isinstance(packet, PlsHello): self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[0]))) self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[1]))) self.incoming_cert.append( CipherUtil.getCertFromBytes(str.encode(packet.Certs[2]))) print( "\nReceived Client Hello packet. Trying to verify issuer..." ) #print(packet.Certs) if self.validate(self.incoming_cert): self.nc = packet.Nonce self.m = hashlib.sha1() self.m.update(packet.__serialize__()) print("Certificate Validated. Sending Server hello!\n") self.clientnonce = packet.Nonce serverhello = PlsHello() serverhello.Nonce = 12345678 self.ns = serverhello.Nonce idcert = getServerIDCertsForAddr() pubkey = getCertsForAddr() root = getRootCertsForAddr() serverhello.Certs = [] serverhello.Certs.append(idcert) serverhello.Certs.append(pubkey) serverhello.Certs.append(root) srvhello = serverhello.__serialize__() print("Sent Server Hello!\n") self.m.update(srvhello) self.transport.write(srvhello) if isinstance(packet, PlsKeyExchange): print("Received Client Key Exchange. Server Server Keys\n\n") self.m.update(packet.__serialize__()) serverpriv = CipherUtil.loadPrivateKeyFromPemFile( "/home/prashanth/netsec/prashanth.key") decrypted = serverpriv.decrypt( packet.PreKey, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) print("Decrypted Pre-Master Secret: ", decrypted) self.pkc = decrypted.decode() #==================================== #Creating Server Pre-Master serverkey = PlsKeyExchange() randomvalue = b'1234567887654321' self.pks = randomvalue.decode() serverkey.NoncePlusOne = self.clientnonce + 1 pub_key = self.incoming_cert[0].public_key() encrypted1 = pub_key.encrypt( randomvalue, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) print("Encrypted String is: ", encrypted1) serverkey.PreKey = encrypted1 skey = serverkey.__serialize__() print("Sent the Prekey to Client.\n\n") self.m.update(skey) self.transport.write(skey) if isinstance(packet, PlsHandshakeDone): print("Received Client Handshake done message.") clientdigest = packet.ValidationHash serverdigest = self.m.digest() print("Hash digest is: ", serverdigest) hdone = PlsHandshakeDone() hdone.ValidationHash = serverdigest if (serverdigest == clientdigest): print("Digest verification done!") self.key_generator() hdone_s = hdone.__serialize__() self.transport.write(hdone_s) if isinstance(packet, PlsData): print( "=====================Recieved Data Packet from PLSClient======================" ) self.ctr = 0 if self.mac_verification_engine(packet.Ciphertext, packet.Mac): print( "=====================Pls Client Verification Successful. Decrypting=============" ) DecryptedPacket = self.decryption_engine(packet.Ciphertext) print( "=======================Decryption DONE! =======Sending to HigherLayer===========" ) self.higherProtocol().data_received(DecryptedPacket) self.ctr = 0 else: self.ctr += 1 if self.ctr != 5: print("Verification Failed. Try Again. Failed {}" ).format(self.ctr) else: print( "Verification failed 5 times. Killing Connection and Sending PlsClose." ) self.ctr = 0 # Creating and Sending PlsClose Close = PlsClose() Close.Error = "Closing Connection due to 5 Verification failures. Aggrresive Close" serializeClose = Close.__serialize__() self.transport.write(serializeClose) self.transport.close() if isinstance(packet, PlsClose): print( "==================Received PlsClose from Client======================== " ) self.connection_lost(packet.Error) self.transport.close()
def data_received(self, data): print("###SSL layer data received called!###") self.deserializer.update(data) for packet in self.deserializer.nextPackets(): #print(packet.Certs[0], packet.Certs[1], packet.Certs[2]) if isinstance(packet, PlsHello): self.incoming_cert.append(CipherUtil.getCertFromBytes(str.encode(packet.Certs[0]))) self.incoming_cert.append(CipherUtil.getCertFromBytes(str.encode(packet.Certs[1]))) self.incoming_cert.append(CipherUtil.getCertFromBytes(str.encode(packet.Certs[2]))) print("\nReceived Client Hello packet. Trying to verify issuer...") #print(packet.Certs) if self.validate(self.incoming_cert): self.nc = packet.Nonce self.m = hashlib.sha1() self.m.update(packet.__serialize__()) print("Certificate Validated. Sending Server hello!\n") self.clientnonce = packet.Nonce serverhello = PlsHello() serverhello.Nonce = 12345678 self.ns = serverhello.Nonce idcert = getIDCertsForAddr() pubkey = getCertsForAddr() root = getRootCertsForAddr() serverhello.Certs = [] serverhello.Certs.append(idcert) serverhello.Certs.append(pubkey) serverhello.Certs.append(root) srvhello = serverhello.__serialize__() print("Sent Server Hello!\n") self.m.update(srvhello) self.transport.write(srvhello) if isinstance(packet, PlsKeyExchange): print("Received Client Key Exchange. Server Server Keys\n\n") self.m.update(packet.__serialize__()) serverpriv = CipherUtil.loadPrivateKeyFromPemFile("/root/keys/server/sagar-server.key") decrypted = serverpriv.decrypt(packet.PreKey, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),algorithm=hashes.SHA256(), label=None)) print("Decrypted Pre-Master Secret: ", decrypted) self.pkc = decrypted.decode() #==================================== #Creating Server Pre-Master serverkey = PlsKeyExchange() randomvalue = b'1234567887654321' self.pks = randomvalue.decode() serverkey.NoncePlusOne = self.clientnonce + 1 pub_key = self.incoming_cert[0].public_key() encrypted1 = pub_key.encrypt(randomvalue, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),algorithm=hashes.SHA256(), label=None)) print("Encrypted String is: ", encrypted1) serverkey.PreKey = encrypted1 skey = serverkey.__serialize__() print("Sent the Prekey to Client.\n\n") self.m.update(skey) self.transport.write(skey) if isinstance(packet, PlsHandshakeDone): print("Received Client Handshake done message.") clientdigest = packet.ValidationHash serverdigest = self.m.digest() print("Hash digest is: ", serverdigest) hdone = PlsHandshakeDone() hdone.ValidationHash = serverdigest if (serverdigest == clientdigest): print("Digest verification done!") self.key_generator() hdone_s = hdone.__serialize__() self.transport.write(hdone_s)