copyleftie
/
gajim-plural
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

functioning XEP-0217 implementation! (initiation only)

This commit is contained in:
Brendan Taylor 2007-06-17 10:39:19 +00:00
parent 8b7b368922
commit d1fe7b41f3
4 changed files with 291 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/chat_control.py
View File

@ -1946,12 +1946,12 @@ class ChatControl(ChatControlBase):
#if 'security' in self.session.features and self.session.features['security'] == 'e2e': #if 'security' in self.session.features and self.session.features['security'] == 'e2e':
if self.session.enable_encryption: if self.session.enable_encryption:
self.session.enable_encryption = False self.session.enable_encryption = False
print "e2e disabled." print "terminating e2e."
# self.session.terminate_e2e() self.session.terminate_e2e()
else: else:
self.session.enable_encryption = True self.session.enable_encryption = True
print "e2e enabled." print "negotiating e2e."
# self.session.negotiate_e2e() self.session.negotiate_e2e()
def got_connected(self): def got_connected(self):
ChatControlBase.got_connected(self) ChatControlBase.got_connected(self)

11
src/common/connection_handlers.py
View File

@ -1204,7 +1204,7 @@ class ConnectionHandlers(ConnectionVcard, ConnectionBytestream, ConnectionDisco,
def _FeatureNegCB(self, con, stanza, session): def _FeatureNegCB(self, con, stanza, session):
gajim.log.debug('FeatureNegCB') gajim.log.debug('FeatureNegCB')
feature = stanza.getTag('feature') feature = stanza.getTag(name='feature', namespace=common.xmpp.NS_FEATURE)
form = common.xmpp.DataForm(node=feature.getTag('x')) form = common.xmpp.DataForm(node=feature.getTag('x'))
if form['FORM_TYPE'] == 'urn:xmpp:ssn': if form['FORM_TYPE'] == 'urn:xmpp:ssn':
@ -1218,6 +1218,13 @@ class ConnectionHandlers(ConnectionVcard, ConnectionBytestream, ConnectionDisco,
con.send(reply) con.send(reply)
def _InitE2ECB(self, con, stanza, session):
gajim.log.debug('InitE2ECB')
init = stanza.getTag(name='init', namespace='http://www.xmpp.org/extensions/xep-0116.html#ns-init')
form = common.xmpp.DataForm(node=init.getTag('x'))
self.dispatch('SESSION_NEG', (stanza.getFrom(), session, form))
def _ErrorCB(self, con, iq_obj): def _ErrorCB(self, con, iq_obj):
gajim.log.debug('ErrorCB') gajim.log.debug('ErrorCB')
if iq_obj.getQueryNS() == common.xmpp.NS_VERSION: if iq_obj.getQueryNS() == common.xmpp.NS_VERSION:
@ -1440,6 +1447,8 @@ class ConnectionHandlers(ConnectionVcard, ConnectionBytestream, ConnectionDisco,
common.xmpp.NS_FEATURE: common.xmpp.NS_FEATURE:
self._FeatureNegCB(con, msg, session) self._FeatureNegCB(con, msg, session)
return return
if msg.getTag('init') and msg.getTag('init').namespace == 'http://www.xmpp.org/extensions/xep-0116.html#ns-init':
self._InitE2ECB(con, msg, session)
e2eTag = msg.getTag('c', namespace = common.xmpp.NS_STANZA_CRYPTO) e2eTag = msg.getTag('c', namespace = common.xmpp.NS_STANZA_CRYPTO)
if e2eTag: if e2eTag:

354
src/common/stanza_session.py
View File

@ -6,12 +6,19 @@ from common import helpers
import random import random
import string import string
import math
import os
import time
from common import dh
import xmpp.c14n
from Crypto.Cipher import AES from Crypto.Cipher import AES
from Crypto.Hash import HMAC, SHA256 from Crypto.Hash import HMAC, SHA256
import base64 import base64
class StanzaSession: class StanzaSession(object):
def __init__(self, conn, jid, thread_id, type): def __init__(self, conn, jid, thread_id, type):
self.conn = conn self.conn = conn
@ -33,11 +40,20 @@ class StanzaSession:
self.thread_id = self.generate_thread_id() self.thread_id = self.generate_thread_id()
self.last_send = 0 self.last_send = 0
self.status = None
self.features = {} self.features = {}
def generate_thread_id(self): def generate_thread_id(self):
return "".join([random.choice(string.letters) for x in xrange(0,32)]) return "".join([random.choice(string.letters) for x in xrange(0,32)])
def send(self, msg):
if self.thread_id:
msg.setThread(self.thread_id)
msg.setAttr('to', self.jid)
self.conn.send_stanza(msg)
self.last_send = time.time()
class EncryptedStanzaSession(StanzaSession): class EncryptedStanzaSession(StanzaSession):
def __init__(self, conn, jid, thread_id, type = 'chat'): def __init__(self, conn, jid, thread_id, type = 'chat'):
@ -48,19 +64,35 @@ class EncryptedStanzaSession(StanzaSession):
self.cipher = AES self.cipher = AES
self.hash_alg = SHA256 self.hash_alg = SHA256
self.en_key = '................'
self.de_key = '----------------'
self.en_counter = 777
self.de_counter = 777 ^ (2 ** (self.n - 1))
self.encrypter = self.cipher.new(self.en_key, self.cipher.MODE_CTR, counter=self.encryptcounter)
self.decrypter = self.cipher.new(self.de_key, self.cipher.MODE_CTR, counter=self.decryptcounter)
self.compression = None self.compression = None
self.xes = {}
self.es = {}
self.enable_encryption = False self.enable_encryption = False
self._kc_s = None
self._kc_o = None
# keep the encrypter updated with my latest cipher key
def set_kc_s(self, value):
self._kc_s = value
self.encrypter = self.cipher.new(self._kc_s, self.cipher.MODE_CTR, counter=self.encryptcounter)
def get_kc_s(self):
return self._kc_s
# keep the decrypter updated with the other party's latest cipher key
def set_kc_o(self, value):
self._kc_o = value
self.decrypter = self.cipher.new(self._kc_o, self.cipher.MODE_CTR, counter=self.decryptcounter)
def get_kc_o(self):
return self._kc_o
kc_s = property(get_kc_s, set_kc_s)
kc_o = property(get_kc_o, set_kc_o)
# convert a large integer to a big-endian bitstring # convert a large integer to a big-endian bitstring
def encode_mpi(self, n): def encode_mpi(self, n):
if n >= 256: if n >= 256:
@ -86,12 +118,12 @@ class EncryptedStanzaSession(StanzaSession):
return 256 * self.decode_mpi(s[:-1]) + ord(s[-1]) return 256 * self.decode_mpi(s[:-1]) + ord(s[-1])
def encryptcounter(self): def encryptcounter(self):
self.en_counter = (self.en_counter + 1) % 2 ** self.n self.c_s = (self.c_s + 1) % (2 ** self.n)
return self.encode_mpi_with_padding(self.en_counter) return self.encode_mpi_with_padding(self.c_s)
def decryptcounter(self): def decryptcounter(self):
self.de_counter = (self.de_counter + 1) % 2 ** self.n self.c_o = (self.c_o + 1) % (2 ** self.n)
return self.encode_mpi_with_padding(self.de_counter) return self.encode_mpi_with_padding(self.c_o)
def encrypt_stanza(self, stanza): def encrypt_stanza(self, stanza):
encryptable = filter(lambda x: x.getName() not in ('error', 'amp', 'thread'), stanza.getChildren()) encryptable = filter(lambda x: x.getName() not in ('error', 'amp', 'thread'), stanza.getChildren())
@ -99,7 +131,7 @@ class EncryptedStanzaSession(StanzaSession):
# XXX can also encrypt contents of <error/> elements in stanzas @type = 'error' # XXX can also encrypt contents of <error/> elements in stanzas @type = 'error'
# (except for <defined-condition xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/> child elements) # (except for <defined-condition xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/> child elements)
old_en_counter = self.en_counter old_en_counter = self.c_s
for element in encryptable: for element in encryptable:
stanza.delChild(element) stanza.delChild(element)
@ -116,12 +148,28 @@ class EncryptedStanzaSession(StanzaSession):
# XXX check for rekey request, handle <key/> elements # XXX check for rekey request, handle <key/> elements
m_content = ''.join(map(str, c.getChildren())) m_content = ''.join(map(str, c.getChildren()))
c.NT.mac = base64.b64encode(self.hmac(m_content, old_en_counter, self.en_key)) c.NT.mac = base64.b64encode(self.hmac(self.km_s, m_content + self.encode_mpi(old_en_counter)))
return stanza return stanza
def hmac(self, content, counter, key): def hmac(self, key, content):
return HMAC.new(key, content + self.encode_mpi_with_padding(counter), self.hash_alg).digest() return HMAC.new(key, content, self.hash_alg).digest()
# this should be more generic?
def sha256(self, string):
sh = SHA256.new()
sh.update(string)
return sh.digest()
def generate_initiator_keys(self, k):
return (self.hmac(k, 'Initiator Cipher Key'),
self.hmac(k, 'Initiator MAC Key'),
self.hmac(k, 'Initiator SIGMA Key') )
def generate_responder_keys(self, k):
return (self.hmac(k, 'Responder Cipher Key'),
self.hmac(k, 'Responder MAC Key'),
self.hmac(k, 'Responder SIGMA Key') )
def compress(self, plaintext): def compress(self, plaintext):
if self.compression == None: if self.compression == None:
@ -133,10 +181,15 @@ class EncryptedStanzaSession(StanzaSession):
def encrypt(self, encryptable): def encrypt(self, encryptable):
len_padding = 16 - (len(encryptable) % 16) len_padding = 16 - (len(encryptable) % 16)
encryptable += len_padding * ' ' if len_padding != 16:
encryptable += len_padding * ' '
return self.encrypter.encrypt(encryptable) return self.encrypter.encrypt(encryptable)
def generate_nonce(self):
# FIXME: this isn't a very good PRNG
return os.urandom(8)
def decrypt_stanza(self, stanza): def decrypt_stanza(self, stanza):
c = stanza.getTag(name='c', namespace='http://www.xmpp.org/extensions/xep-0200.html#ns') c = stanza.getTag(name='c', namespace='http://www.xmpp.org/extensions/xep-0200.html#ns')
@ -146,7 +199,7 @@ class EncryptedStanzaSession(StanzaSession):
macable = ''.join(map(str, filter(lambda x: x.getName() != 'mac', c.getChildren()))) macable = ''.join(map(str, filter(lambda x: x.getName() != 'mac', c.getChildren())))
received_mac = base64.b64decode(c.getTagData('mac')) received_mac = base64.b64decode(c.getTagData('mac'))
calculated_mac = self.hmac(macable, self.de_counter, self.de_key) calculated_mac = self.hmac(self.km_o, macable + self.encode_mpi_with_padding(self.c_o))
if not calculated_mac == received_mac: if not calculated_mac == received_mac:
raise 'bad signature (%s != %s)' % (repr(received_mac), repr(calculated_mac)) raise 'bad signature (%s != %s)' % (repr(received_mac), repr(calculated_mac))
@ -168,80 +221,197 @@ class EncryptedStanzaSession(StanzaSession):
def decrypt(self, ciphertext): def decrypt(self, ciphertext):
return self.decrypter.decrypt(ciphertext) return self.decrypter.decrypt(ciphertext)
def negotiate_e2e(): def negotiate_e2e(self):
request = xmpp.Message()
feature = request.NT.feature
feature.setNamespace(xmpp.NS_FEATURE)
x = xmpp.DataForm(typ='form')
x.addChild(node=xmpp.DataField(name='FORM_TYPE', value='urn:xmpp:ssn', typ='hidden'))
x.addChild(node=xmpp.DataField(name='accept', value='1', typ='boolean', required=True))
# this field is incorrectly called 'otr' in XEPs 0116 and 0217
# unsupported options: 'mustnot'
x.addChild(node=xmpp.DataField(name='logging', typ='list-single', options=['may'], required=True))
# unsupported options: 'disabled', 'enabled'
x.addChild(node=xmpp.DataField(name='disclosure', typ='list-single', options=['never'], required=True))
x.addChild(node=xmpp.DataField(name='security', typ='list-single', options=['e2e'], required=True))
x.addChild(node=xmpp.DataField(name='crypt_algs', value='aes128-ctr', typ='hidden'))
x.addChild(node=xmpp.DataField(name='hash_algs', value='sha256', typ='hidden'))
x.addChild(node=xmpp.DataField(name='compress', value='none', typ='hidden'))
# unsupported options: 'iq', 'presence'
x.addChild(node=xmpp.DataField(name='stanzas', typ='list-multi', options=['message']))
x.addChild(node=xmpp.DataField(name='init_pubkey', value='none', typ='hidden'))
x.addChild(node=xmpp.DataField(name='resp_pubkey', value='none', typ='hidden'))
x.addChild(node=xmpp.DataField(name='ver', value='1.0', typ='hidden'))
x.addChild(node=xmpp.DataField(name='rekey_freq', value='4294967295', typ='hidden'))
x.addChild(node=xmpp.DataField(name='sas_algs', value='sas28x5', typ='hidden'))
self.n_s = self.generate_nonce()
x.addChild(node=xmpp.DataField(name='my_nonce', value=base64.b64encode(self.n_s), typ='hidden'))
modp_options = [ 5, 14, 2, 1 ]
x.addChild(node=xmpp.DataField(name='modp', typ='list-single', options=map(lambda x: [ None, x ], modp_options)))
dhhashes = map(lambda x: self.make_dhhash(x), modp_options)
x.addChild(node=xmpp.DataField(name='dhhashes', typ='hidden', value=dhhashes))
self.form_a = ''.join(map(lambda el: xmpp.c14n.c14n(el), x.getChildren()))
feature.addChild(node=x)
self.status = 'requested-e2e'
self.send(request)
# generate a random number between 'bottom' and 'top'
def srand(self, bottom, top):
# minimum number of bytes needed to represent that range
bytes = int(math.ceil(math.log(top - bottom, 256)))
# FIXME: use a real PRNG
# in retrospect, this is horribly inadequate.
return (self.decode_mpi(os.urandom(bytes)) % (top - bottom)) + bottom
def make_dhhash(self, modp):
p = dh.primes[modp]
g = dh.generators[modp]
x = self.srand(2 ** (2 * self.n - 1), p - 1)
# XXX this may be a source of performance issues
e = self.powmod(g, x, p)
self.xes[modp] = x
self.es[modp] = e
He = self.sha256(self.encode_mpi(e))
return base64.b64encode(He)
# a faster version of (base ** exp) % mod
# taken from <http://lists.danga.com/pipermail/yadis/2005-September/001445.html>
def powmod(self, base, exp, mod):
square = base % mod
result = 1
while exp > 0:
if exp & 1: # exponent is odd
result = (result * square) % mod
square = (square * square) % mod
exp /= 2
return result
def terminate_e2e(self):
self.status = None
# 'Alice Accepts'
def accept_e2e_alice(self, form):
# 1. Verify that the ESession options selected by Bob are acceptable
# 2. Return a <not-acceptable/> error to Bob unless: 1 < d < p - 1
self.form_b = ''.join(map(lambda el: xmpp.c14n.c14n(el), form.getChildren()))
accept = xmpp.Message()
feature = accept.NT.feature
feature.setNamespace(xmpp.NS_FEATURE)
result = xmpp.DataForm(typ='result')
self.c_s = self.decode_mpi(base64.b64decode(form['counter']))
self.c_o = self.c_s ^ (2 ** (self.n - 1))
self.n_o = base64.b64decode(form['my_nonce'])
mod_p = int(form['modp'])
p = dh.primes[mod_p]
x = self.xes[mod_p]
e = self.es[mod_p]
self.d = self.decode_mpi(base64.b64decode(form['dhkeys']))
self.k = self.sha256(self.encode_mpi(self.powmod(self.d, x, p)))
result.addChild(node=xmpp.DataField(name='FORM_TYPE', value='urn:xmpp:ssn'))
result.addChild(node=xmpp.DataField(name='accept', value='1'))
result.addChild(node=xmpp.DataField(name='nonce', value=base64.b64encode(self.n_o)))
result.addChild(node=xmpp.DataField(name='dhkeys', value=base64.b64encode(self.encode_mpi(e))))
# TODO: store and return rshashes, or at least randomly generate some
result.addChild(node=xmpp.DataField(name='rshashes', value=[]))
form_a2 = ''.join(map(lambda el: xmpp.c14n.c14n(el), result.getChildren()))
self.kc_s, self.km_s, self.ks_s = self.generate_initiator_keys(self.k)
# MUST securely destroy K unless it will be used later to generate the final shared secret
old_c_s = self.c_s
mac_a = self.hmac(self.ks_s, self.n_o + self.n_s + self.encode_mpi(e) + self.form_a + form_a2)
id_a = self.encrypt(mac_a)
m_a = self.hmac(self.km_s, self.encode_mpi(old_c_s) + id_a)
result.addChild(node=xmpp.DataField(name='identity', value=base64.b64encode(id_a)))
result.addChild(node=xmpp.DataField(name='mac', value=base64.b64encode(m_a)))
feature.addChild(node=result)
self.send(accept)
self.status = 'identified-alice'
def final_steps_alice(self, form):
# Alice MUST identify the shared retained secret (SRS) by selecting from her client's list of the secrets it retained from sessions with Bob's clients (the most recent secret for each of the clients he has used to negotiate ESessions with Alice's client).
# Alice does this by using each secret in the list in turn as the key to calculate the HMAC (with SHA256) of the string "Shared Retained Secret", and comparing the calculated value with the value in the 'srshash' field she received from Bob (see Sending Bob's Identity). Once she finds a match, and has confirmed that the secret has not expired (because it is older than an implementation-defined period of time), then she has found the SRS.
srs = ''
oss = ''
self.k = self.sha256(self.k + srs + oss)
# Alice MUST destroy all her copies of the old retained secret (SRS) she was keeping for Bob's client, and calculate a new retained secret for this session:
srs = self.hmac('New Retained Secret', self.k)
# Alice MUST securely store the new value along with the retained secrets her client shares with Bob's other clients.
# don't need to calculate ks_s here
self.kc_s, self.km_s, self.ks_s = self.generate_initiator_keys(self.k)
self.kc_o, self.km_o, self.ks_o = self.generate_responder_keys(self.k)
#4.6.2 Verifying Bob's Identity
id_b = base64.b64decode(form['identity'])
m_b = self.hmac(self.encode_mpi(self.c_o) + id_b, self.km_o)
mac_b = self.decrypt(id_b)
form_b2 = ''.join(map(lambda el: xmpp.c14n.c14n(el), form.getChildren()))
mac_b = self.hmac(self.n_s + self.n_o + self.encode_mpi(self.d) + self.form_b + form_b2, self.ks_o)
# Note: If Alice discovers an error then she SHOULD ignore any encrypted content she received in the stanza.
# XXX check for MAC equality?
self.status = 'active'
self.enable_encryption = True
def accept_e2e_bob(self):
pass pass
#<x type='form' xmlns='jabber:x:data'>
# <field type='hidden' var='FORM_TYPE'>
# <value>urn:xmpp:ssn</value>
# </field>
# <field type='boolean' var='accept'>
# <value>1</value>
# <required/>
# </field>
# <field type='list-single' var='otr'>
# <option><value>false</value></option>
# <option><value>true</value></option>
# <required/>
# </field>
# <field type='list-single' var='disclosure'>
# <option><value>never</value></option>
# <required/>
# </field>
# <field type='list-single' var='security'>
# <option><value>e2e</value></option>
# <option><value>c2s</value></option>
# <required/>
# </field>
# <field type='list-single' var='modp'>
# <option><value>5</value></option>
# <option><value>14</value></option>
# <option><value>2</value></option>
# <option><value>1</value></option>
# </field>
# <field type='hidden' var='crypt_algs'>
# <value>aes128-ctr</value>
# </field>
# <field type='hidden' var='hash_algs'>
# <value>sha256</value>
# </field>
# <field type='hidden' var='compress'>
# <value>none</value>
# </field>
# <field type='list-multi' var='stanzas'>
# <option><value>message</value></option>
# <option><value>iq</value></option>
# <option><value>presence</value></option>
# </field>
# <field type='hidden' var='init_pubkey'>
# <value>none</value>
# </field>
# <field type='hidden' var='resp_pubkey'>
# <value>none</value>
# </field>
# <field type='list-single' var='ver'>
# <option><value>1.3</value></option>
# <option><value>1.2</value></option>
# </field>
# <field type='hidden' var='rekey_freq'>
# <value>4294967295</value>
# </field>
# <field type='hidden' var='my_nonce'>
# <value> ** Alice's Base64 encoded ESession ID ** </value>
# </field>
# <field type='hidden' var='sas_algs'>
# <value>sas28x5</value>
# </field>
# <field type='hidden' var='dhhashes'>
# <value> ** Base64 encoded value of He5 ** </value>
# <value> ** Base64 encoded value of He14 ** </value>
# <value> ** Base64 encoded value of He2 ** </value>
# <value> ** Base64 encoded value of He1 ** </value>
# </field>
# </x>
def terminate_e2e():
pass
#<message from='alice@example.org/pda' to='bob@example.com/laptop'> #<message from='alice@example.org/pda' to='bob@example.com/laptop'>
# <thread>ffd7076498744578d10edabfe7f4a866</thread> # <thread>ffd7076498744578d10edabfe7f4a866</thread>

16
src/gajim.py
View File

@ -1660,6 +1660,22 @@ class Interface:
# XXX check negotiation state, etc. # XXX check negotiation state, etc.
# XXX check if we can autoaccept # XXX check if we can autoaccept
# order of e2e statuses:
# 1. Alice, Bob: None
# 2. Alice: requested-e2e
# 3. Bob: responded-e2e
# 4. Alice: identified-alice
# 5. Bob: identified-bob
# 6. Alice, Bob: active
if session.status == 'requested-e2e' and form.getType() == 'submit':
print 'accepting'
session.accept_e2e_alice(form)
return
elif session.status == 'identified-alice' and form.getType() == 'result':
session.final_steps_alice(form)
return
if form.getType() == 'form': if form.getType() == 'form':
ctrl = gajim.interface.msg_win_mgr.get_control(str(jid), account) ctrl = gajim.interface.msg_win_mgr.get_control(str(jid), account)
if not ctrl: if not ctrl: