magic-wormhole/src/wormhole/twisted/transcribe.py

from __future__ import print_function
import os, sys, json, re
from binascii import hexlify, unhexlify
from zope.interface import implementer
from twisted.internet import reactor, defer
from twisted.web import client as web_client
from twisted.web import error as web_error
from twisted.web.iweb import IBodyProducer
from nacl.secret import SecretBox
from nacl.exceptions import CryptoError
from nacl import utils
from spake2 import SPAKE2_Symmetric
from .eventsource import ReconnectingEventSource
from .. import __version__
from .. import codes
from ..errors import ServerError
from ..util.hkdf import HKDF

class WrongPasswordError(Exception):
    """
    Key confirmation failed.
    """

class ReflectionAttack(Exception):
    """An attacker (or bug) reflected our outgoing message back to us."""

class UsageError(Exception):
    """The programmer did something wrong."""

@implementer(IBodyProducer)
class DataProducer:
    def __init__(self, data):
        self.data = data
        self.length = len(data)
    def startProducing(self, consumer):
        consumer.write(self.data)
        return defer.succeed(None)
    def stopProducing(self):
        pass
    def pauseProducing(self):
        pass
    def resumeProducing(self):
        pass


class SymmetricWormhole:
    def __init__(self, appid, relay):
        self.appid = appid
        self.relay = relay
        self.agent = web_client.Agent(reactor)
        self.side = None
        self.code = None
        self.key = None
        self._started_get_code = False

    def get_code(self, code_length=2):
        if self.code is not None: raise UsageError
        if self._started_get_code: raise UsageError
        self._started_get_code = True
        self.side = hexlify(os.urandom(5))
        d = self._allocate_channel()
        def _got_channel_id(channel_id):
            code = codes.make_code(channel_id, code_length)
            self._set_code_and_channel_id(code)
            self._start()
            return code
        d.addCallback(_got_channel_id)
        return d

    def _post_json(self, url, post_json=None):
        # TODO: retry on failure, with exponential backoff. We're guarding
        # against the rendezvous server being temporarily offline.
        p = None
        if post_json:
            data = json.dumps(post_json).encode("utf-8")
            p = DataProducer(data)
        d = self.agent.request("POST", url, bodyProducer=p)
        def _check_error(resp):
            if resp.code != 200:
                raise web_error.Error(resp.code, resp.phrase)
            return resp
        d.addCallback(_check_error)
        d.addCallback(web_client.readBody)
        d.addCallback(lambda data: json.loads(data))
        return d

    def _allocate_channel(self):
        url = self.relay + "allocate/%s" % self.side
        d = self._post_json(url)
        def _got_channel(data):
            if "welcome" in data:
                self.handle_welcome(data["welcome"])
            return data["channel-id"]
        d.addCallback(_got_channel)
        return d

    def set_code(self, code):
        if self.code is not None: raise UsageError
        if self.side is not None: raise UsageError
        self._set_code_and_channel_id(code)
        self.side = hexlify(os.urandom(5))
        self._start()

    def _set_code_and_channel_id(self, code):
        if self.code is not None: raise UsageError
        mo = re.search(r'^(\d+)-', code)
        if not mo:
            raise ValueError("code (%s) must start with NN-" % code)
        self.channel_id = int(mo.group(1))
        self.code = code

    def _start(self):
        # allocate the rest now too, so it can be serialized
        self.sp = SPAKE2_Symmetric(self.code.encode("ascii"),
                                   idA=self.appid+":SymmetricA",
                                   idB=self.appid+":SymmetricB")
        self.msg1 = self.sp.start()

    def serialize(self):
        # I can only be serialized after get_code/set_code and before
        # get_verifier/get_data
        if self.code is None: raise UsageError
        if self.key is not None: raise UsageError
        data = {
            "appid": self.appid,
            "relay": self.relay,
            "code": self.code,
            "side": self.side,
            "spake2": json.loads(self.sp.serialize()),
            "msg1": self.msg1.encode("hex"),
        }
        return json.dumps(data)

    @classmethod
    def from_serialized(klass, data):
        d = json.loads(data)
        self = klass(d["appid"].encode("ascii"), d["relay"].encode("ascii"))
        self._set_code_and_channel_id(d["code"].encode("ascii"))
        self.side = d["side"].encode("ascii")
        self.sp = SPAKE2_Symmetric.from_serialized(json.dumps(d["spake2"]))
        self.msg1 = d["msg1"].decode("hex")
        return self

    motd_displayed = False
    version_warning_displayed = False

    def handle_welcome(self, welcome):
        if ("motd" in welcome and
            not self.motd_displayed):
            motd_lines = welcome["motd"].splitlines()
            motd_formatted = "\n ".join(motd_lines)
            print("Server (at %s) says:\n %s" % (self.relay, motd_formatted),
                  file=sys.stderr)
            self.motd_displayed = True

        # Only warn if we're running a release version (e.g. 0.0.6, not
        # 0.0.6-DISTANCE-gHASH). Only warn once.
        if ("-" not in __version__ and
            not self.version_warning_displayed and
            welcome["current_version"] != __version__):
            print("Warning: errors may occur unless both sides are running the same version", file=sys.stderr)
            print("Server claims %s is current, but ours is %s"
                  % (welcome["current_version"], __version__), file=sys.stderr)
            self.version_warning_displayed = True

        if "error" in welcome:
            raise ServerError(welcome["error"], self.relay)

    def _url(self, verb, msgnum=None):
        url = "%s%d/%s/%s" % (self.relay, self.channel_id, self.side, verb)
        if msgnum is not None:
            url += "/" + msgnum
        return url

    def _get_message(self, old_msgs, verb, msgnum):
        # fire with a bytestring of the first message that matches
        # verb/msgnum, which either came from old_msgs, or from an
        # EventSource that we attached to the corresponding URL
        if old_msgs:
            msg = unhexlify(old_msgs[0].encode("ascii"))
            return defer.succeed(msg)
        d = defer.Deferred()
        msgs = []
        def _handle(name, data):
            if name == "welcome":
                self.handle_welcome(json.loads(data))
            if name == "message":
                msgs.append(json.loads(data)["message"])
                d.callback(None)
        es = ReconnectingEventSource(None, lambda: self._url(verb, msgnum),
                                     _handle)#, agent=self.agent)
        es.startService() # TODO: .setServiceParent(self)
        es.activate()
        d.addCallback(lambda _: es.deactivate())
        d.addCallback(lambda _: es.stopService())
        d.addCallback(lambda _: unhexlify(msgs[0].encode("ascii")))
        return d

    def derive_key(self, purpose, length=SecretBox.KEY_SIZE):
        if self.key is None:
            # call after get_verifier() or get_data()
            raise UsageError
        if type(purpose) is not type(b""): raise UsageError
        return HKDF(self.key, length, CTXinfo=purpose)

    def _encrypt_data(self, key, data):
        if len(key) != SecretBox.KEY_SIZE: raise UsageError
        box = SecretBox(key)
        nonce = utils.random(SecretBox.NONCE_SIZE)
        return box.encrypt(data, nonce)

    def _decrypt_data(self, key, encrypted):
        if len(key) != SecretBox.KEY_SIZE: raise UsageError
        box = SecretBox(key)
        data = box.decrypt(encrypted)
        return data


    def _get_key(self):
        # TODO: prevent multiple invocation
        if self.key:
            return defer.succeed(self.key)
        data = {"message": hexlify(self.msg1).decode("ascii")}
        d = self._post_json(self._url("post", "pake"), data)
        d.addCallback(lambda j: self._get_message(j["messages"], "poll", "pake"))
        def _got_pake(pake_msg):
            key = self.sp.finish(pake_msg)
            self.key = key
            self.verifier = self.derive_key(self.appid+b":Verifier")
            return key
        d.addCallback(_got_pake)
        return d

    def get_verifier(self):
        if self.code is None: raise UsageError
        d = self._get_key()
        d.addCallback(lambda _: self.verifier)
        return d

    def get_data(self, outbound_data):
        # only call this once
        if self.code is None: raise UsageError
        d = self._get_key()
        d.addCallback(self._get_data2, outbound_data)
        return d

    def _get_data2(self, key, outbound_data):
        # Without predefined roles, we can't derive predictably unique keys
        # for each side, so we use the same key for both. We use random
        # nonces to keep the messages distinct, and check for reflection.
        data_key = self.derive_key(b"data-key")
        outbound_encrypted = self._encrypt_data(data_key, outbound_data)
        data = {"message": hexlify(outbound_encrypted).decode("ascii")}
        d = self._post_json(self._url("post", "data"), data)
        d.addCallback(lambda j: self._get_message(j["messages"], "poll", "data"))
        def _got_data(inbound_encrypted):
            if inbound_encrypted == outbound_encrypted:
                raise ReflectionAttack
            try:
                inbound_data = self._decrypt_data(data_key, inbound_encrypted)
                return inbound_data
            except CryptoError:
                raise WrongPasswordError
        d.addCallback(_got_data)
        d.addBoth(self._deallocate)
        return d

    def _deallocate(self, res):
        # only try once, no retries
        d = self.agent.request("POST", self._url("deallocate"))
        d.addBoth(lambda _: res) # ignore POST failure, pass-through result
        return d
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`from __future__ import print_function`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`import os, sys, json, re`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`from binascii import hexlify, unhexlify`
			`from zope.interface import implementer`
			`from twisted.internet import reactor, defer`
			`from twisted.web import client as web_client`
			`from twisted.web import error as web_error`
			`from twisted.web.iweb import IBodyProducer`
			`from nacl.secret import SecretBox`
			`from nacl.exceptions import CryptoError`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`from nacl import utils`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`from spake2 import SPAKE2_Symmetric`
			`from .eventsource import ReconnectingEventSource`
			`from .. import __version__`
			`from .. import codes`
			`from ..errors import ServerError`
			`from ..util.hkdf import HKDF`
fill in initiator flow, define relay API 2015-02-11 02:34:13 +00:00
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`class WrongPasswordError(Exception):`
			`"""`
			`Key confirmation failed.`
			`"""`

make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`class ReflectionAttack(Exception):`
			`"""An attacker (or bug) reflected our outgoing message back to us."""`

			`class UsageError(Exception):`
			`"""The programmer did something wrong."""`

rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`@implementer(IBodyProducer)`
			`class DataProducer:`
			`def __init__(self, data):`
			`self.data = data`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`self.length = len(data)`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`def startProducing(self, consumer):`
			`consumer.write(self.data)`
			`return defer.succeed(None)`
			`def stopProducing(self):`
			`pass`
			`def pauseProducing(self):`
			`pass`
			`def resumeProducing(self):`
			`pass`

make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00
			`class SymmetricWormhole:`
			`def __init__(self, appid, relay):`
fill in initiator flow, define relay API 2015-02-11 02:34:13 +00:00			`self.appid = appid`
			`self.relay = relay`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`self.agent = web_client.Agent(reactor)`
			`self.side = None`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`self.code = None`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`self.key = None`
			`self._started_get_code = False`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`def get_code(self, code_length=2):`
			`if self.code is not None: raise UsageError`
			`if self._started_get_code: raise UsageError`
			`self._started_get_code = True`
			`self.side = hexlify(os.urandom(5))`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`d = self._allocate_channel()`
			`def _got_channel_id(channel_id):`
			`code = codes.make_code(channel_id, code_length)`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`self._set_code_and_channel_id(code)`
			`self._start()`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`return code`
			`d.addCallback(_got_channel_id)`
			`return d`

rearrange slightly 2015-07-24 23:22:02 +00:00			`def _post_json(self, url, post_json=None):`
			`# TODO: retry on failure, with exponential backoff. We're guarding`
			`# against the rendezvous server being temporarily offline.`
			`p = None`
			`if post_json:`
			`data = json.dumps(post_json).encode("utf-8")`
			`p = DataProducer(data)`
			`d = self.agent.request("POST", url, bodyProducer=p)`
			`def _check_error(resp):`
			`if resp.code != 200:`
			`raise web_error.Error(resp.code, resp.phrase)`
			`return resp`
			`d.addCallback(_check_error)`
			`d.addCallback(web_client.readBody)`
			`d.addCallback(lambda data: json.loads(data))`
			`return d`

rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`def _allocate_channel(self):`
			`url = self.relay + "allocate/%s" % self.side`
rename some methods to make them more private 2015-07-24 23:18:03 +00:00			`d = self._post_json(url)`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`def _got_channel(data):`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`if "welcome" in data:`
			`self.handle_welcome(data["welcome"])`
			`return data["channel-id"]`
			`d.addCallback(_got_channel)`
			`return d`

make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`def set_code(self, code):`
			`if self.code is not None: raise UsageError`
			`if self.side is not None: raise UsageError`
			`self._set_code_and_channel_id(code)`
			`self.side = hexlify(os.urandom(5))`
			`self._start()`

			`def _set_code_and_channel_id(self, code):`
			`if self.code is not None: raise UsageError`
			`mo = re.search(r'^(\d+)-', code)`
			`if not mo:`
			`raise ValueError("code (%s) must start with NN-" % code)`
			`self.channel_id = int(mo.group(1))`
			`self.code = code`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`def _start(self):`
			`# allocate the rest now too, so it can be serialized`
			`self.sp = SPAKE2_Symmetric(self.code.encode("ascii"),`
			`idA=self.appid+":SymmetricA",`
			`idB=self.appid+":SymmetricB")`
			`self.msg1 = self.sp.start()`

			`def serialize(self):`
			`# I can only be serialized after get_code/set_code and before`
			`# get_verifier/get_data`
			`if self.code is None: raise UsageError`
			`if self.key is not None: raise UsageError`
			`data = {`
			`"appid": self.appid,`
			`"relay": self.relay,`
			`"code": self.code,`
			`"side": self.side,`
			`"spake2": json.loads(self.sp.serialize()),`
			`"msg1": self.msg1.encode("hex"),`
			`}`
			`return json.dumps(data)`

			`@classmethod`
			`def from_serialized(klass, data):`
			`d = json.loads(data)`
			`self = klass(d["appid"].encode("ascii"), d["relay"].encode("ascii"))`
			`self._set_code_and_channel_id(d["code"].encode("ascii"))`
			`self.side = d["side"].encode("ascii")`
			`self.sp = SPAKE2_Symmetric.from_serialized(json.dumps(d["spake2"]))`
			`self.msg1 = d["msg1"].decode("hex")`
			`return self`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00
			`motd_displayed = False`
			`version_warning_displayed = False`

			`def handle_welcome(self, welcome):`
			`if ("motd" in welcome and`
			`not self.motd_displayed):`
			`motd_lines = welcome["motd"].splitlines()`
			`motd_formatted = "\n ".join(motd_lines)`
			`print("Server (at %s) says:\n %s" % (self.relay, motd_formatted),`
			`file=sys.stderr)`
			`self.motd_displayed = True`

			`# Only warn if we're running a release version (e.g. 0.0.6, not`
			`# 0.0.6-DISTANCE-gHASH). Only warn once.`
			`if ("-" not in __version__ and`
			`not self.version_warning_displayed and`
			`welcome["current_version"] != __version__):`
			`print("Warning: errors may occur unless both sides are running the same version", file=sys.stderr)`
			`print("Server claims %s is current, but ours is %s"`
			`% (welcome["current_version"], __version__), file=sys.stderr)`
			`self.version_warning_displayed = True`

			`if "error" in welcome:`
			`raise ServerError(welcome["error"], self.relay)`

rename some methods to make them more private 2015-07-24 23:18:03 +00:00			`def _url(self, verb, msgnum=None):`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`url = "%s%d/%s/%s" % (self.relay, self.channel_id, self.side, verb)`
			`if msgnum is not None:`
			`url += "/" + msgnum`
			`return url`

refactor: _get_message() (singular) does unhexlify too 2015-07-24 23:33:29 +00:00			`def _get_message(self, old_msgs, verb, msgnum):`
			`# fire with a bytestring of the first message that matches`
			`# verb/msgnum, which either came from old_msgs, or from an`
			`# EventSource that we attached to the corresponding URL`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`if old_msgs:`
refactor: _get_message() (singular) does unhexlify too 2015-07-24 23:33:29 +00:00			`msg = unhexlify(old_msgs[0].encode("ascii"))`
			`return defer.succeed(msg)`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`d = defer.Deferred()`
			`msgs = []`
			`def _handle(name, data):`
			`if name == "welcome":`
			`self.handle_welcome(json.loads(data))`
			`if name == "message":`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`msgs.append(json.loads(data)["message"])`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`d.callback(None)`
rename some methods to make them more private 2015-07-24 23:18:03 +00:00			`es = ReconnectingEventSource(None, lambda: self._url(verb, msgnum),`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`_handle)#, agent=self.agent)`
			`es.startService() # TODO: .setServiceParent(self)`
			`es.activate()`
			`d.addCallback(lambda _: es.deactivate())`
			`d.addCallback(lambda _: es.stopService())`
refactor: _get_message() (singular) does unhexlify too 2015-07-24 23:33:29 +00:00			`d.addCallback(lambda _: unhexlify(msgs[0].encode("ascii")))`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`return d`

			`def derive_key(self, purpose, length=SecretBox.KEY_SIZE):`
replace base asserts with UsageError 2015-07-24 22:55:42 +00:00			`if self.key is None:`
			`# call after get_verifier() or get_data()`
			`raise UsageError`
			`if type(purpose) is not type(b""): raise UsageError`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`return HKDF(self.key, length, CTXinfo=purpose)`

make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`def _encrypt_data(self, key, data):`
replace base asserts with UsageError 2015-07-24 22:55:42 +00:00			`if len(key) != SecretBox.KEY_SIZE: raise UsageError`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`box = SecretBox(key)`
			`nonce = utils.random(SecretBox.NONCE_SIZE)`
			`return box.encrypt(data, nonce)`

			`def _decrypt_data(self, key, encrypted):`
replace base asserts with UsageError 2015-07-24 22:55:42 +00:00			`if len(key) != SecretBox.KEY_SIZE: raise UsageError`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`box = SecretBox(key)`
			`data = box.decrypt(encrypted)`
			`return data`

rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00
			`def _get_key(self):`
			`# TODO: prevent multiple invocation`
			`if self.key:`
			`return defer.succeed(self.key)`
			`data = {"message": hexlify(self.msg1).decode("ascii")}`
rename some methods to make them more private 2015-07-24 23:18:03 +00:00			`d = self._post_json(self._url("post", "pake"), data)`
refactor: _get_message() (singular) does unhexlify too 2015-07-24 23:33:29 +00:00			`d.addCallback(lambda j: self._get_message(j["messages"], "poll", "pake"))`
			`def _got_pake(pake_msg):`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`key = self.sp.finish(pake_msg)`
			`self.key = key`
			`self.verifier = self.derive_key(self.appid+b":Verifier")`
			`return key`
			`d.addCallback(_got_pake)`
			`return d`

			`def get_verifier(self):`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`if self.code is None: raise UsageError`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`d = self._get_key()`
			`d.addCallback(lambda _: self.verifier)`
			`return d`

			`def get_data(self, outbound_data):`
			`# only call this once`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`if self.code is None: raise UsageError`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`d = self._get_key()`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`d.addCallback(self._get_data2, outbound_data)`
			`return d`

			`def _get_data2(self, key, outbound_data):`
			`# Without predefined roles, we can't derive predictably unique keys`
			`# for each side, so we use the same key for both. We use random`
			`# nonces to keep the messages distinct, and check for reflection.`
			`data_key = self.derive_key(b"data-key")`
			`outbound_encrypted = self._encrypt_data(data_key, outbound_data)`
			`data = {"message": hexlify(outbound_encrypted).decode("ascii")}`
rename some methods to make them more private 2015-07-24 23:18:03 +00:00			`d = self._post_json(self._url("post", "data"), data)`
refactor: _get_message() (singular) does unhexlify too 2015-07-24 23:33:29 +00:00			`d.addCallback(lambda j: self._get_message(j["messages"], "poll", "data"))`
			`def _got_data(inbound_encrypted):`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`if inbound_encrypted == outbound_encrypted:`
			`raise ReflectionAttack`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`try:`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`inbound_data = self._decrypt_data(data_key, inbound_encrypted)`
rough out twisted.SymmetricWormhole 2015-06-21 01:36:22 +00:00			`return inbound_data`
			`except CryptoError:`
			`raise WrongPasswordError`
			`d.addCallback(_got_data)`
			`d.addBoth(self._deallocate)`
			`return d`

make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`def _deallocate(self, res):`
			`# only try once, no retries`
rename some methods to make them more private 2015-07-24 23:18:03 +00:00			`d = self.agent.request("POST", self._url("deallocate"))`
make twisted work, get serialization into shape, add proper tests 2015-06-21 02:18:21 +00:00			`d.addBoth(lambda _: res) # ignore POST failure, pass-through result`
			`return d`