2015-06-21 01:36:22 +00:00
from __future__ import print_function
2015-06-21 02:18:21 +00:00
import os, sys, json, re
2015-06-21 01:36:22 +00:00
from binascii import hexlify, unhexlify
from zope.interface import implementer
from twisted.internet import reactor, defer
from twisted.web import client as web_client
from twisted.web import error as web_error
from twisted.web.iweb import IBodyProducer
from nacl.secret import SecretBox
from nacl.exceptions import CryptoError
2015-06-21 02:18:21 +00:00
from nacl import utils
2015-06-21 01:36:22 +00:00
from spake2 import SPAKE2_Symmetric
from .eventsource import ReconnectingEventSource
from .. import __version__
from .. import codes
from ..errors import ServerError
from ..util.hkdf import HKDF
2015-02-11 02:34:13 +00:00
2015-06-21 01:36:22 +00:00
class WrongPasswordError(Exception):
Key confirmation failed.
2015-06-21 02:18:21 +00:00
class ReflectionAttack(Exception):
"""An attacker (or bug) reflected our outgoing message back to us."""
class UsageError(Exception):
"""The programmer did something wrong."""
2015-06-21 01:36:22 +00:00
class DataProducer:
def __init__(self, data):
self.data = data
2015-06-21 02:18:21 +00:00
self.length = len(data)
2015-06-21 01:36:22 +00:00
def startProducing(self, consumer):
return defer.succeed(None)
def stopProducing(self):
def pauseProducing(self):
def resumeProducing(self):
2015-06-21 02:18:21 +00:00
class SymmetricWormhole:
2015-07-24 23:57:19 +00:00
motd_displayed = False
version_warning_displayed = False
2015-06-21 02:18:21 +00:00
def __init__(self, appid, relay):
2015-02-11 02:34:13 +00:00
self.appid = appid
self.relay = relay
2015-06-21 02:18:21 +00:00
self.agent = web_client.Agent(reactor)
self.side = None
2015-06-21 01:36:22 +00:00
self.code = None
2015-06-21 02:18:21 +00:00
self.key = None
self._started_get_code = False
2015-06-21 01:36:22 +00:00
2015-07-24 23:57:19 +00:00
def _url(self, verb, msgnum=None):
url = "%s%d/%s/%s" % (self.relay, self.channel_id, self.side, verb)
if msgnum is not None:
url += "/" + msgnum
return url
def handle_welcome(self, welcome):
if ("motd" in welcome and
not self.motd_displayed):
motd_lines = welcome["motd"].splitlines()
motd_formatted = "\n ".join(motd_lines)
print("Server (at %s) says:\n %s" % (self.relay, motd_formatted),
self.motd_displayed = True
# Only warn if we're running a release version (e.g. 0.0.6, not
# 0.0.6-DISTANCE-gHASH). Only warn once.
if ("-" not in __version__ and
not self.version_warning_displayed and
welcome["current_version"] != __version__):
print("Warning: errors may occur unless both sides are running the same version", file=sys.stderr)
print("Server claims %s is current, but ours is %s"
% (welcome["current_version"], __version__), file=sys.stderr)
self.version_warning_displayed = True
if "error" in welcome:
raise ServerError(welcome["error"], self.relay)
2015-07-24 23:22:02 +00:00
def _post_json(self, url, post_json=None):
2015-07-24 23:46:39 +00:00
# POST to a URL, parsing the response as JSON. Optionally include a
# JSON request body.
2015-07-24 23:22:02 +00:00
p = None
if post_json:
data = json.dumps(post_json).encode("utf-8")
p = DataProducer(data)
d = self.agent.request("POST", url, bodyProducer=p)
def _check_error(resp):
if resp.code != 200:
raise web_error.Error(resp.code, resp.phrase)
return resp
d.addCallback(lambda data: json.loads(data))
return d
2015-06-21 01:36:22 +00:00
def _allocate_channel(self):
url = self.relay + "allocate/%s" % self.side
2015-07-24 23:18:03 +00:00
d = self._post_json(url)
2015-06-21 02:18:21 +00:00
def _got_channel(data):
2015-06-21 01:36:22 +00:00
if "welcome" in data:
return data["channel-id"]
return d
2015-07-25 00:02:32 +00:00
def get_code(self, code_length=2):
if self.code is not None: raise UsageError
if self._started_get_code: raise UsageError
self._started_get_code = True
self.side = hexlify(os.urandom(5))
d = self._allocate_channel()
def _got_channel_id(channel_id):
code = codes.make_code(channel_id, code_length)
return code
return d
2015-06-21 02:18:21 +00:00
def set_code(self, code):
if self.code is not None: raise UsageError
if self.side is not None: raise UsageError
self.side = hexlify(os.urandom(5))
def _set_code_and_channel_id(self, code):
if self.code is not None: raise UsageError
mo = re.search(r'^(\d+)-', code)
if not mo:
raise ValueError("code (%s) must start with NN-" % code)
self.channel_id = int(mo.group(1))
self.code = code
2015-06-21 01:36:22 +00:00
2015-06-21 02:18:21 +00:00
def _start(self):
# allocate the rest now too, so it can be serialized
self.sp = SPAKE2_Symmetric(self.code.encode("ascii"),
self.msg1 = self.sp.start()
def serialize(self):
# I can only be serialized after get_code/set_code and before
# get_verifier/get_data
if self.code is None: raise UsageError
if self.key is not None: raise UsageError
data = {
"appid": self.appid,
"relay": self.relay,
"code": self.code,
"side": self.side,
"spake2": json.loads(self.sp.serialize()),
"msg1": self.msg1.encode("hex"),
return json.dumps(data)
def from_serialized(klass, data):
d = json.loads(data)
self = klass(d["appid"].encode("ascii"), d["relay"].encode("ascii"))
self.side = d["side"].encode("ascii")
self.sp = SPAKE2_Symmetric.from_serialized(json.dumps(d["spake2"]))
self.msg1 = d["msg1"].decode("hex")
return self
2015-06-21 01:36:22 +00:00
2015-07-24 23:46:39 +00:00
def _post_message(self, url, msg):
# TODO: retry on failure, with exponential backoff. We're guarding
# against the rendezvous server being temporarily offline.
if not isinstance(msg, type(b"")): raise UsageError(type(msg))
d = self._post_json(url, {"message": hexlify(msg).decode("ascii")})
d.addCallback(lambda resp: resp["messages"]) # other_msgs
return d
2015-07-24 23:33:29 +00:00
def _get_message(self, old_msgs, verb, msgnum):
# fire with a bytestring of the first message that matches
# verb/msgnum, which either came from old_msgs, or from an
# EventSource that we attached to the corresponding URL
2015-06-21 01:36:22 +00:00
if old_msgs:
2015-07-24 23:33:29 +00:00
msg = unhexlify(old_msgs[0].encode("ascii"))
return defer.succeed(msg)
2015-06-21 01:36:22 +00:00
d = defer.Deferred()
msgs = []
def _handle(name, data):
if name == "welcome":
if name == "message":
2015-06-21 02:18:21 +00:00
2015-06-21 01:36:22 +00:00
2015-07-24 23:18:03 +00:00
es = ReconnectingEventSource(None, lambda: self._url(verb, msgnum),
2015-06-21 01:36:22 +00:00
_handle)#, agent=self.agent)
es.startService() # TODO: .setServiceParent(self)
d.addCallback(lambda _: es.deactivate())
d.addCallback(lambda _: es.stopService())
2015-07-24 23:33:29 +00:00
d.addCallback(lambda _: unhexlify(msgs[0].encode("ascii")))
2015-06-21 01:36:22 +00:00
return d
def derive_key(self, purpose, length=SecretBox.KEY_SIZE):
2015-07-24 22:55:42 +00:00
if self.key is None:
# call after get_verifier() or get_data()
raise UsageError
2015-07-24 23:45:20 +00:00
if not isinstance(purpose, type(b"")): raise UsageError
2015-06-21 01:36:22 +00:00
return HKDF(self.key, length, CTXinfo=purpose)
2015-06-21 02:18:21 +00:00
def _encrypt_data(self, key, data):
2015-07-24 22:55:42 +00:00
if len(key) != SecretBox.KEY_SIZE: raise UsageError
2015-06-21 02:18:21 +00:00
box = SecretBox(key)
nonce = utils.random(SecretBox.NONCE_SIZE)
return box.encrypt(data, nonce)
def _decrypt_data(self, key, encrypted):
2015-07-24 22:55:42 +00:00
if len(key) != SecretBox.KEY_SIZE: raise UsageError
2015-06-21 02:18:21 +00:00
box = SecretBox(key)
data = box.decrypt(encrypted)
return data
2015-06-21 01:36:22 +00:00
def _get_key(self):
# TODO: prevent multiple invocation
if self.key:
return defer.succeed(self.key)
2015-07-24 23:46:39 +00:00
d = self._post_message(self._url("post", "pake"), self.msg1)
d.addCallback(lambda msgs: self._get_message(msgs, "poll", "pake"))
2015-07-24 23:33:29 +00:00
def _got_pake(pake_msg):
2015-06-21 01:36:22 +00:00
key = self.sp.finish(pake_msg)
self.key = key
self.verifier = self.derive_key(self.appid+b":Verifier")
return key
return d
def get_verifier(self):
2015-06-21 02:18:21 +00:00
if self.code is None: raise UsageError
2015-06-21 01:36:22 +00:00
d = self._get_key()
d.addCallback(lambda _: self.verifier)
return d
def get_data(self, outbound_data):
# only call this once
2015-06-21 02:18:21 +00:00
if self.code is None: raise UsageError
2015-06-21 01:36:22 +00:00
d = self._get_key()
2015-06-21 02:18:21 +00:00
d.addCallback(self._get_data2, outbound_data)
2015-07-24 23:56:41 +00:00
2015-06-21 02:18:21 +00:00
return d
def _get_data2(self, key, outbound_data):
# Without predefined roles, we can't derive predictably unique keys
# for each side, so we use the same key for both. We use random
# nonces to keep the messages distinct, and check for reflection.
data_key = self.derive_key(b"data-key")
2015-07-24 23:57:19 +00:00
2015-06-21 02:18:21 +00:00
outbound_encrypted = self._encrypt_data(data_key, outbound_data)
2015-07-24 23:46:39 +00:00
d = self._post_message(self._url("post", "data"), outbound_encrypted)
2015-07-24 23:57:19 +00:00
2015-07-24 23:46:39 +00:00
d.addCallback(lambda msgs: self._get_message(msgs, "poll", "data"))
2015-07-24 23:33:29 +00:00
def _got_data(inbound_encrypted):
2015-06-21 02:18:21 +00:00
if inbound_encrypted == outbound_encrypted:
raise ReflectionAttack
2015-06-21 01:36:22 +00:00
2015-06-21 02:18:21 +00:00
inbound_data = self._decrypt_data(data_key, inbound_encrypted)
2015-06-21 01:36:22 +00:00
return inbound_data
except CryptoError:
raise WrongPasswordError
return d
2015-06-21 02:18:21 +00:00
def _deallocate(self, res):
# only try once, no retries
2015-07-24 23:18:03 +00:00
d = self.agent.request("POST", self._url("deallocate"))
2015-06-21 02:18:21 +00:00
d.addBoth(lambda _: res) # ignore POST failure, pass-through result
return d