2015-02-24 12:54:00 +03:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
"""
|
|
|
|
Created on Tue Sep 2 19:26:15 2014
|
|
|
|
|
2015-03-13 13:39:31 +03:00
|
|
|
@author: Anton Grigoryev
|
2015-03-12 22:42:24 +01:00
|
|
|
@author: Sammy Pfeiffer
|
2015-02-24 12:54:00 +03:00
|
|
|
"""
|
2015-03-12 22:42:24 +01:00
|
|
|
from binascii import crc32 as originalcrc32
|
|
|
|
from time import time
|
2015-02-26 14:03:41 +03:00
|
|
|
import io
|
2015-03-13 13:39:31 +03:00
|
|
|
import os.path
|
2015-03-11 19:55:55 +03:00
|
|
|
import socket
|
|
|
|
import struct
|
2015-02-24 12:54:00 +03:00
|
|
|
|
2015-03-17 02:02:01 +03:00
|
|
|
# pycrypto module
|
|
|
|
from Crypto.Hash import SHA
|
|
|
|
from Crypto.PublicKey import RSA
|
|
|
|
from Crypto.Util.strxor import strxor
|
2015-03-17 17:26:36 +03:00
|
|
|
from Crypto.Util.number import long_to_bytes, bytes_to_long
|
2015-03-17 02:02:01 +03:00
|
|
|
|
|
|
|
# local modules
|
|
|
|
import crypt
|
|
|
|
import prime
|
|
|
|
import TL
|
|
|
|
|
|
|
|
def crc32(data):
|
|
|
|
return originalcrc32(data) & 0xffffffff
|
|
|
|
|
2015-02-25 18:30:03 +03:00
|
|
|
def vis(bs):
|
2015-03-11 19:55:55 +03:00
|
|
|
"""
|
|
|
|
Function to visualize byte streams. Split into bytes, print to console.
|
|
|
|
:param bs: BYTE STRING
|
|
|
|
"""
|
2015-03-12 22:42:24 +01:00
|
|
|
bs = bytearray(bs)
|
2015-03-11 19:55:55 +03:00
|
|
|
symbols_in_one_line = 8
|
|
|
|
n = len(bs) // symbols_in_one_line
|
2015-03-17 17:26:36 +03:00
|
|
|
i = 0
|
2015-02-25 18:30:03 +03:00
|
|
|
for i in range(n):
|
2015-03-12 19:29:56 +03:00
|
|
|
print(str(i*symbols_in_one_line)+" | "+" ".join(["%02X" % b for b in bs[i*symbols_in_one_line:(i+1)*symbols_in_one_line]])) # for every 8 symbols line
|
2015-03-13 13:39:31 +03:00
|
|
|
if not len(bs) % symbols_in_one_line == 0:
|
|
|
|
print(str((i+1)*symbols_in_one_line)+" | "+" ".join(["%02X" % b for b in bs[(i+1)*symbols_in_one_line:]])+"\n") # for last line
|
2015-02-25 18:30:03 +03:00
|
|
|
|
|
|
|
|
|
|
|
class Session:
|
2015-03-12 03:17:43 +03:00
|
|
|
""" Manages TCP Transport. encryption and message frames """
|
2015-03-17 19:28:24 +03:00
|
|
|
def __init__(self, ip, port, auth_key=None, server_salt=None):
|
2015-03-11 19:55:55 +03:00
|
|
|
# creating socket
|
2015-02-25 18:30:03 +03:00
|
|
|
self.sock = socket.socket()
|
2015-03-11 19:55:55 +03:00
|
|
|
self.sock.connect((ip, port))
|
2015-02-25 18:30:03 +03:00
|
|
|
self.number = 0
|
2015-03-17 19:28:24 +03:00
|
|
|
self.timedelta = 0
|
|
|
|
self.session_id = os.urandom(8)
|
|
|
|
self.auth_key = auth_key
|
|
|
|
self.auth_key_id = SHA.new(self.auth_key).digest()[-8:] if self.auth_key else None
|
2015-03-17 02:02:01 +03:00
|
|
|
|
2015-03-11 19:55:55 +03:00
|
|
|
def __del__(self):
|
|
|
|
# closing socket when session object is deleted
|
|
|
|
self.sock.close()
|
|
|
|
|
2015-03-17 19:28:24 +03:00
|
|
|
def send_message(self, message_data):
|
2015-03-11 19:55:55 +03:00
|
|
|
"""
|
2015-03-17 19:28:24 +03:00
|
|
|
Forming the message frame and sending message to server
|
2015-03-11 19:55:55 +03:00
|
|
|
:param message: byte string to send
|
|
|
|
"""
|
2015-03-17 17:26:36 +03:00
|
|
|
|
2015-03-17 19:28:24 +03:00
|
|
|
message_id = struct.pack('<Q', int(time()*2**30)*4)
|
2015-03-11 19:55:55 +03:00
|
|
|
|
2015-03-17 19:28:24 +03:00
|
|
|
if self.auth_key is None or self.server_salt is None:
|
|
|
|
# Unencrypted data send
|
|
|
|
message = (b'\x00\x00\x00\x00\x00\x00\x00\x00' +
|
|
|
|
message_id +
|
|
|
|
struct.pack('<I', len(message_data)) +
|
|
|
|
message_data)
|
|
|
|
else:
|
|
|
|
# Encrypted data send
|
|
|
|
encrypted_data = (self.server_salt +
|
|
|
|
self.session_id +
|
|
|
|
message_id +
|
|
|
|
struct.pack('<II', self.number, len(message_data)) +
|
|
|
|
message_data)
|
|
|
|
message_key = SHA.new(encrypted_data).digest()[-16:]
|
2015-03-17 20:26:22 +03:00
|
|
|
padding = os.urandom((-len(encrypted_data)) % 16)
|
|
|
|
print(len(encrypted_data+padding))
|
2015-03-17 19:28:24 +03:00
|
|
|
aes_key, aes_iv = self.aes_calculate(message_key)
|
|
|
|
|
|
|
|
message = (self.auth_key_id + message_key +
|
|
|
|
crypt.ige_encrypt(encrypted_data+padding, aes_key, aes_iv))
|
|
|
|
|
|
|
|
step1 = struct.pack('<II', len(message)+12, self.number) + message
|
2015-03-17 02:02:01 +03:00
|
|
|
step2 = step1 + struct.pack('<I', crc32(step1))
|
2015-02-25 18:30:03 +03:00
|
|
|
self.sock.send(step2)
|
2015-03-11 19:55:55 +03:00
|
|
|
self.number += 1
|
2015-02-25 18:30:03 +03:00
|
|
|
|
|
|
|
def recv_message(self):
|
2015-03-11 19:55:55 +03:00
|
|
|
"""
|
2015-03-13 16:58:27 +03:00
|
|
|
Reading socket and receiving message from server. Check the CRC32.
|
2015-03-11 19:55:55 +03:00
|
|
|
"""
|
2015-03-13 16:58:27 +03:00
|
|
|
packet_length_data = self.sock.recv(4) # reads how many bytes to read
|
2015-03-11 20:06:53 +03:00
|
|
|
|
2015-03-17 19:28:24 +03:00
|
|
|
if len(packet_length_data) < 4:
|
|
|
|
raise Exception("Nothing in the socket!")
|
|
|
|
packet_length = struct.unpack("<I", packet_length_data)[0]
|
|
|
|
packet = self.sock.recv(packet_length - 4) # read the rest of bytes from socket
|
|
|
|
|
|
|
|
# check the CRC32
|
|
|
|
if not crc32(packet_length_data + packet[0:-4]) == struct.unpack('<I', packet[-4:])[0]:
|
|
|
|
raise Exception("CRC32 was not correct!")
|
|
|
|
x = struct.unpack("<I", packet[:4])
|
|
|
|
auth_key_id = packet[4:12]
|
|
|
|
if auth_key_id == b'\x00\x00\x00\x00\x00\x00\x00\x00':
|
|
|
|
# No encryption - Plain text
|
|
|
|
(message_id, message_length) = struct.unpack("<8sI", packet[12:24])
|
2015-02-26 14:03:41 +03:00
|
|
|
data = packet[24:24+message_length]
|
2015-03-17 19:28:24 +03:00
|
|
|
elif auth_key_id == self.auth_key_id:
|
|
|
|
print("WOW! Encrypted data!")
|
|
|
|
message_key = packet[12:28]
|
|
|
|
encrypted_data = packet[28:-4]
|
|
|
|
aes_key, aes_iv = self.aes_calculate(message_key, direction="from server")
|
|
|
|
decrypted_data = crypt.ige_decrypt(encrypted_data, aes_key, aes_iv)
|
|
|
|
vis(decrypted_data)
|
|
|
|
assert decrypted_data[0:8] == self.server_salt
|
|
|
|
assert decrypted_data[8:16] == self.session_id
|
|
|
|
message_id = decrypted_data[16:24]
|
|
|
|
seq_no = struct.unpack("<I", decrypted_data[24:28])[0]
|
|
|
|
message_data_length = struct.unpack("<I", decrypted_data[28:32])[0]
|
|
|
|
data = decrypted_data[32:32+message_data_length]
|
2015-03-12 22:42:24 +01:00
|
|
|
else:
|
2015-03-17 19:28:24 +03:00
|
|
|
raise Exception("Got unknown auth_key id")
|
|
|
|
return data
|
|
|
|
|
2015-03-12 03:17:43 +03:00
|
|
|
|
|
|
|
def method_call(self, method, **kwargs):
|
2015-03-17 19:28:24 +03:00
|
|
|
z = io.BytesIO()
|
2015-03-17 02:02:01 +03:00
|
|
|
TL.serialize_method(z, method, **kwargs)
|
2015-03-17 20:26:22 +03:00
|
|
|
z_val = z.getvalue()
|
2015-03-12 22:42:24 +01:00
|
|
|
self.send_message(z_val)
|
2015-03-12 03:17:43 +03:00
|
|
|
server_answer = self.recv_message()
|
2015-03-17 02:02:01 +03:00
|
|
|
return TL.deserialize(io.BytesIO(server_answer))
|
|
|
|
|
|
|
|
def create_auth_key(self):
|
|
|
|
|
|
|
|
nonce = os.urandom(16)
|
2015-03-17 17:26:36 +03:00
|
|
|
print("Requesting pq")
|
2015-03-17 02:02:01 +03:00
|
|
|
|
|
|
|
ResPQ = self.method_call('req_pq', nonce=nonce)
|
|
|
|
server_nonce = ResPQ['server_nonce']
|
|
|
|
|
|
|
|
# TODO: selecting RSA public key based on this fingerprint
|
|
|
|
public_key_fingerprint = ResPQ['server_public_key_fingerprints'][0]
|
|
|
|
|
2015-03-17 17:26:36 +03:00
|
|
|
pq_bytes = ResPQ['pq']
|
2015-03-17 19:28:24 +03:00
|
|
|
pq = bytes_to_long(pq_bytes)
|
2015-03-17 02:02:01 +03:00
|
|
|
|
2015-03-17 17:26:36 +03:00
|
|
|
[p, q] = prime.primefactors(pq)
|
2015-03-17 02:02:01 +03:00
|
|
|
if p > q: (p, q) = (q, p)
|
2015-03-17 17:26:36 +03:00
|
|
|
assert p*q == pq and p < q
|
2015-03-17 02:02:01 +03:00
|
|
|
|
2015-03-17 17:26:36 +03:00
|
|
|
print("Factorization %d = %d * %d" % (pq, p, q))
|
|
|
|
p_bytes = long_to_bytes(p)
|
|
|
|
q_bytes = long_to_bytes(q)
|
2015-03-17 02:02:01 +03:00
|
|
|
f = open(os.path.join(os.path.dirname(__file__), "rsa.pub"))
|
|
|
|
key = RSA.importKey(f.read())
|
|
|
|
|
|
|
|
z = io.BytesIO()
|
|
|
|
|
|
|
|
new_nonce = os.urandom(32)
|
|
|
|
|
|
|
|
TL.serialize_obj(z, 'p_q_inner_data',
|
2015-03-17 17:26:36 +03:00
|
|
|
pq=pq_bytes,
|
|
|
|
p=p_bytes,
|
|
|
|
q=q_bytes,
|
|
|
|
nonce=nonce,
|
|
|
|
server_nonce=server_nonce,
|
|
|
|
new_nonce=new_nonce)
|
2015-03-17 02:02:01 +03:00
|
|
|
data = z.getvalue()
|
|
|
|
|
|
|
|
sha_digest = SHA.new(data).digest()
|
|
|
|
random_bytes = os.urandom(255-len(data)-len(sha_digest))
|
|
|
|
to_encrypt = sha_digest + data + random_bytes
|
|
|
|
encrypted_data = key.encrypt(to_encrypt, 0)[0]
|
|
|
|
|
|
|
|
print("Starting Diffie Hellman key exchange")
|
|
|
|
server_DH_params = self.method_call('req_DH_params',
|
2015-03-17 17:26:36 +03:00
|
|
|
nonce=nonce, # 16 bytes
|
|
|
|
server_nonce=server_nonce,
|
|
|
|
p=p_bytes,
|
|
|
|
q=q_bytes,
|
|
|
|
public_key_fingerprint=public_key_fingerprint,
|
|
|
|
encrypted_data=encrypted_data)
|
2015-03-17 02:02:01 +03:00
|
|
|
assert nonce == server_DH_params['nonce']
|
|
|
|
assert server_nonce == server_DH_params['server_nonce']
|
|
|
|
|
|
|
|
encrypted_answer = server_DH_params['encrypted_answer']
|
|
|
|
|
|
|
|
tmp_aes_key = SHA.new(new_nonce + server_nonce).digest() + SHA.new(server_nonce + new_nonce).digest()[0:12]
|
|
|
|
tmp_aes_iv = SHA.new(server_nonce + new_nonce).digest()[12:20] + SHA.new(new_nonce + new_nonce).digest() + new_nonce[0:4]
|
|
|
|
|
2015-03-17 17:26:36 +03:00
|
|
|
answer_with_hash = crypt.ige_decrypt(encrypted_answer, tmp_aes_key, tmp_aes_iv)
|
2015-03-17 02:02:01 +03:00
|
|
|
|
|
|
|
answer_hash = answer_with_hash[:20]
|
|
|
|
answer = answer_with_hash[20:]
|
|
|
|
# TODO: SHA hash assertion here
|
|
|
|
|
|
|
|
server_DH_inner_data = TL.deserialize(io.BytesIO(answer))
|
|
|
|
assert nonce == server_DH_inner_data['nonce']
|
|
|
|
assert server_nonce == server_DH_inner_data['server_nonce']
|
|
|
|
dh_prime_str = server_DH_inner_data['dh_prime']
|
|
|
|
g = server_DH_inner_data['g']
|
|
|
|
g_a_str = server_DH_inner_data['g_a']
|
|
|
|
server_time = server_DH_inner_data['server_time']
|
|
|
|
self.timedelta = server_time - time()
|
|
|
|
print("Server-client time delta = %.1f s" % self.timedelta)
|
|
|
|
|
2015-03-17 17:26:36 +03:00
|
|
|
dh_prime = bytes_to_long(dh_prime_str)
|
|
|
|
g_a = bytes_to_long(g_a_str)
|
2015-03-17 02:02:01 +03:00
|
|
|
assert prime.isprime(dh_prime)
|
|
|
|
retry_id = 0
|
2015-03-17 17:26:36 +03:00
|
|
|
b_str = os.urandom(256)
|
|
|
|
b = bytes_to_long(b_str)
|
|
|
|
g_b = pow(g, b, dh_prime)
|
|
|
|
|
|
|
|
g_b_str = long_to_bytes(g_b)
|
2015-03-17 02:02:01 +03:00
|
|
|
|
2015-03-17 17:26:36 +03:00
|
|
|
z = io.BytesIO()
|
|
|
|
TL.serialize_obj(z, 'client_DH_inner_data',
|
|
|
|
nonce=nonce,
|
|
|
|
server_nonce=server_nonce,
|
|
|
|
retry_id=retry_id,
|
|
|
|
g_b=g_b_str)
|
|
|
|
data = z.getvalue()
|
|
|
|
data_with_sha = SHA.new(data).digest()+data
|
|
|
|
data_with_sha_padded = data_with_sha + os.urandom(-len(data_with_sha) % 16)
|
|
|
|
encrypted_data = crypt.ige_encrypt(data_with_sha_padded, tmp_aes_key, tmp_aes_iv)
|
|
|
|
|
|
|
|
Set_client_DH_params_answer = self.method_call('set_client_DH_params',
|
|
|
|
nonce=nonce,
|
|
|
|
server_nonce=server_nonce,
|
|
|
|
encrypted_data=encrypted_data)
|
|
|
|
|
|
|
|
auth_key = pow(g_a, b, dh_prime)
|
|
|
|
auth_key_str = long_to_bytes(auth_key)
|
|
|
|
auth_key_sha = SHA.new(auth_key_str).digest()
|
|
|
|
auth_key_aux_hash = auth_key_sha[:8]
|
|
|
|
|
|
|
|
new_nonce_hash1 = SHA.new(new_nonce+b'\x01'+auth_key_aux_hash).digest()[-16:]
|
|
|
|
new_nonce_hash2 = SHA.new(new_nonce+b'\x02'+auth_key_aux_hash).digest()[-16:]
|
|
|
|
new_nonce_hash3 = SHA.new(new_nonce+b'\x03'+auth_key_aux_hash).digest()[-16:]
|
|
|
|
|
|
|
|
assert Set_client_DH_params_answer['nonce'] == nonce
|
|
|
|
assert Set_client_DH_params_answer['server_nonce'] == server_nonce
|
|
|
|
assert Set_client_DH_params_answer['new_nonce_hash1'] == new_nonce_hash1
|
|
|
|
print("Diffie Hellman key exchange processed successfully")
|
|
|
|
|
|
|
|
self.server_salt = strxor(new_nonce[0:8], server_nonce[0:8])
|
|
|
|
self.auth_key = auth_key_str
|
2015-03-17 19:28:24 +03:00
|
|
|
self.auth_key_id = auth_key_sha[-8:]
|
2015-03-17 17:26:36 +03:00
|
|
|
print("Auth key generated")
|
|
|
|
|
|
|
|
def aes_calculate(self, msg_key, direction="to server"):
|
|
|
|
x = 0 if direction == "to server" else 8
|
|
|
|
sha1_a = SHA.new(msg_key + self.auth_key[x:x+32]).digest()
|
|
|
|
sha1_b = SHA.new(self.auth_key[x+32:x+48] + msg_key + self.auth_key[48+x:64+x]).digest()
|
|
|
|
sha1_c = SHA.new(self.auth_key[x+64:x+96] + msg_key).digest()
|
|
|
|
sha1_d = SHA.new(msg_key + self.auth_key[x+96:x+128]).digest()
|
|
|
|
aes_key = sha1_a[0:8] + sha1_b[8:20] + sha1_c[4:16]
|
|
|
|
aes_iv = sha1_a[8:20] + sha1_b[0:8] + sha1_c[16:20] + sha1_d[0:8]
|
|
|
|
return aes_key, aes_iv
|