Freed RNS from dependency on PyCA HMAC, HKDF and hashes
This commit is contained in:
parent
5bb510b589
commit
19a033db96
@ -34,10 +34,8 @@ from cryptography.hazmat.backends import default_backend
|
|||||||
from cryptography.hazmat.primitives import serialization
|
from cryptography.hazmat.primitives import serialization
|
||||||
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
|
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
|
||||||
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
|
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
|
||||||
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
|
|
||||||
from cryptography.fernet import Fernet
|
from cryptography.fernet import Fernet
|
||||||
|
|
||||||
cio_default_backend = default_backend()
|
|
||||||
|
|
||||||
class Identity:
|
class Identity:
|
||||||
"""
|
"""
|
||||||
@ -159,10 +157,7 @@ class Identity:
|
|||||||
:param data: Data to be hashed as *bytes*.
|
:param data: Data to be hashed as *bytes*.
|
||||||
:returns: SHA-256 hash as *bytes*
|
:returns: SHA-256 hash as *bytes*
|
||||||
"""
|
"""
|
||||||
digest = hashlib.sha256()
|
return RNS.Cryptography.sha256(data)
|
||||||
digest.update(data)
|
|
||||||
|
|
||||||
return digest.digest()
|
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def truncated_hash(data):
|
def truncated_hash(data):
|
||||||
@ -429,14 +424,12 @@ class Identity:
|
|||||||
|
|
||||||
shared_key = ephemeral_key.exchange(self.pub)
|
shared_key = ephemeral_key.exchange(self.pub)
|
||||||
|
|
||||||
# TODO: Improve this re-allocation of HKDF
|
derived_key = RNS.Cryptography.hkdf(
|
||||||
derived_key = HKDF(
|
|
||||||
algorithm=hashes.SHA256(),
|
|
||||||
length=32,
|
length=32,
|
||||||
|
derive_from=shared_key,
|
||||||
salt=self.get_salt(),
|
salt=self.get_salt(),
|
||||||
info=self.get_context(),
|
context=self.get_context(),
|
||||||
backend=cio_default_backend,
|
)
|
||||||
).derive(shared_key)
|
|
||||||
|
|
||||||
fernet = Fernet(base64.urlsafe_b64encode(derived_key))
|
fernet = Fernet(base64.urlsafe_b64encode(derived_key))
|
||||||
ciphertext = base64.urlsafe_b64decode(fernet.encrypt(plaintext))
|
ciphertext = base64.urlsafe_b64decode(fernet.encrypt(plaintext))
|
||||||
@ -464,14 +457,12 @@ class Identity:
|
|||||||
|
|
||||||
shared_key = self.prv.exchange(peer_pub)
|
shared_key = self.prv.exchange(peer_pub)
|
||||||
|
|
||||||
# TODO: Improve this re-allocation of HKDF
|
derived_key = RNS.Cryptography.hkdf(
|
||||||
derived_key = HKDF(
|
|
||||||
algorithm=hashes.SHA256(),
|
|
||||||
length=32,
|
length=32,
|
||||||
|
derive_from=shared_key,
|
||||||
salt=self.get_salt(),
|
salt=self.get_salt(),
|
||||||
info=self.get_context(),
|
context=self.get_context(),
|
||||||
backend=cio_default_backend,
|
)
|
||||||
).derive(shared_key)
|
|
||||||
|
|
||||||
fernet = Fernet(base64.urlsafe_b64encode(derived_key))
|
fernet = Fernet(base64.urlsafe_b64encode(derived_key))
|
||||||
ciphertext = ciphertext_token[Identity.KEYSIZE//8//2:]
|
ciphertext = ciphertext_token[Identity.KEYSIZE//8//2:]
|
||||||
|
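Review bot: The in-house `RNS.Cryptography.hkdf` that replaces PyCA's HKDF in the encrypt and decrypt hunks (`derived_key = RNS.Cryptography.hkdf(length=32, derive_from=shared_key, salt=self.get_salt(), context=self.get_context())`) must produce byte-identical output to the RFC 5869 HKDF-SHA256 call it replaces, because the result is fed straight into `Fernet(base64.urlsafe_b64encode(derived_key))` and any deviation breaks decryption of existing traffic and interoperability with peers on the previous release; the commit carries no vector test pinning this. The same applies to the handshake derivation in Link.py and the IFAC key derivation in Reticulum.py. I would add a test that derives with both implementations (or against the RFC 5869 test vectors) and asserts equality, and that asserts `len(derived_key) == 32`, since Fernet rejects any other key length. The enclosing encrypt and decrypt methods start and end outside these hunks.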
18
RNS/Link.py
18
RNS/Link.py
@ -25,7 +25,6 @@ from cryptography.hazmat.primitives import hashes
|
|||||||
from cryptography.hazmat.primitives import serialization
|
from cryptography.hazmat.primitives import serialization
|
||||||
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
|
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
|
||||||
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
|
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
|
||||||
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
|
|
||||||
from cryptography.fernet import Fernet
|
from cryptography.fernet import Fernet
|
||||||
from time import sleep
|
from time import sleep
|
||||||
from .vendor import umsgpack as umsgpack
|
from .vendor import umsgpack as umsgpack
|
||||||
@ -35,9 +34,6 @@ import math
|
|||||||
import time
|
import time
|
||||||
import RNS
|
import RNS
|
||||||
|
|
||||||
import traceback
|
|
||||||
|
|
||||||
cio_default_backend = default_backend()
|
|
||||||
|
|
||||||
class LinkCallbacks:
|
class LinkCallbacks:
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
@ -239,14 +235,13 @@ class Link:
|
|||||||
self.status = Link.HANDSHAKE
|
self.status = Link.HANDSHAKE
|
||||||
self.shared_key = self.prv.exchange(self.peer_pub)
|
self.shared_key = self.prv.exchange(self.peer_pub)
|
||||||
|
|
||||||
# TODO: Improve this re-allocation of HKDF
|
self.derived_key = RNS.Cryptography.hkdf(
|
||||||
self.derived_key = HKDF(
|
|
||||||
algorithm=hashes.SHA256(),
|
|
||||||
length=32,
|
length=32,
|
||||||
|
derive_from=self.shared_key,
|
||||||
salt=self.get_salt(),
|
salt=self.get_salt(),
|
||||||
info=self.get_context(),
|
context=self.get_context(),
|
||||||
backend=cio_default_backend,
|
)
|
||||||
).derive(self.shared_key)
|
|
||||||
|
|
||||||
def prove(self):
|
def prove(self):
|
||||||
signed_data = self.link_id+self.pub_bytes+self.sig_pub_bytes
|
signed_data = self.link_id+self.pub_bytes+self.sig_pub_bytes
|
||||||
@ -822,9 +817,6 @@ class Link:
|
|||||||
return plaintext
|
return plaintext
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
RNS.log("Decryption failed on link "+str(self)+". The contained exception was: "+str(e), RNS.LOG_ERROR)
|
RNS.log("Decryption failed on link "+str(self)+". The contained exception was: "+str(e), RNS.LOG_ERROR)
|
||||||
# RNS.log(traceback.format_exc(), RNS.LOG_ERROR)
|
|
||||||
# TODO: Think long about implications here
|
|
||||||
# self.teardown()
|
|
||||||
|
|
||||||
|
|
||||||
def sign(self, message):
|
def sign(self, message):
|
||||||
|
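Review bot: The `hashes` import that the hunk header shows surviving at the top of Link.py (`from cryptography.hazmat.primitives import hashes`) appears to lose its only use here, since `algorithm=hashes.SHA256()` is deleted from the handshake derivation; if nothing else in the file references it, drop that import alongside the removed `cio_default_backend`, and likewise `default_backend` in Identity.py, whose only visible use was that same deleted global. Otherwise a reader will assume PyCA hashes are still on the dependency path, contrary to the commit title. The handshake method continues outside the hunk, so there may be a use I cannot see.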
@ -21,11 +21,6 @@
|
|||||||
# SOFTWARE.
|
# SOFTWARE.
|
||||||
|
|
||||||
from .vendor.platformutils import get_platform
|
from .vendor.platformutils import get_platform
|
||||||
from cryptography.hazmat.primitives import hashes
|
|
||||||
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
|
|
||||||
from cryptography.hazmat.backends import default_backend
|
|
||||||
|
|
||||||
cio_default_backend = default_backend()
|
|
||||||
|
|
||||||
if get_platform() == "android":
|
if get_platform() == "android":
|
||||||
from .Interfaces import Interface
|
from .Interfaces import Interface
|
||||||
@ -840,13 +835,12 @@ class Reticulum:
|
|||||||
ifac_origin += RNS.Identity.full_hash(interface.ifac_netkey.encode("utf-8"))
|
ifac_origin += RNS.Identity.full_hash(interface.ifac_netkey.encode("utf-8"))
|
||||||
|
|
||||||
ifac_origin_hash = RNS.Identity.full_hash(ifac_origin)
|
ifac_origin_hash = RNS.Identity.full_hash(ifac_origin)
|
||||||
interface.ifac_key = HKDF(
|
interface.ifac_key = RNS.Cryptography.hkdf(
|
||||||
algorithm=hashes.SHA256(),
|
|
||||||
length=64,
|
length=64,
|
||||||
|
derive_from=ifac_origin_hash,
|
||||||
salt=self.ifac_salt,
|
salt=self.ifac_salt,
|
||||||
info=None,
|
context=None
|
||||||
backend=cio_default_backend,
|
)
|
||||||
).derive(ifac_origin_hash)
|
|
||||||
|
|
||||||
interface.ifac_identity = RNS.Identity.from_bytes(interface.ifac_key)
|
interface.ifac_identity = RNS.Identity.from_bytes(interface.ifac_key)
|
||||||
interface.ifac_signature = interface.ifac_identity.sign(RNS.Identity.full_hash(interface.ifac_key))
|
interface.ifac_signature = interface.ifac_identity.sign(RNS.Identity.full_hash(interface.ifac_key))
|
||||||
|
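Review bot: `context=None` in the IFAC key derivation relies on the new `RNS.Cryptography.hkdf` treating a missing context exactly as PyCA HKDF treated `info=None` (as empty bytes); if the new implementation instead raises or encodes it differently, every interface with a netkey would derive a different `ifac_key` than nodes on the previous release and IFAC authentication between them would likely fail. I cannot see the hkdf body from here, so either confirm it normalises `None` to `b""` or pass `context=b""` explicitly at this call site. A trailing comma after `context=None` would also keep the call consistent with the other hkdf call sites in this commit. The enclosing method starts and ends outside the hunk.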
@ -37,6 +37,8 @@ from .Destination import Destination
|
|||||||
from .Packet import Packet
|
from .Packet import Packet
|
||||||
from .Packet import PacketReceipt
|
from .Packet import PacketReceipt
|
||||||
from .Resource import Resource, ResourceAdvertisement
|
from .Resource import Resource, ResourceAdvertisement
|
||||||
|
from .Cryptography import HKDF
|
||||||
|
from .Cryptography import Hashes
|
||||||
|
|
||||||
modules = glob.glob(os.path.dirname(__file__)+"/*.py")
|
modules = glob.glob(os.path.dirname(__file__)+"/*.py")
|
||||||
__all__ = [ os.path.basename(f)[:-3] for f in modules if not f.endswith('__init__.py')]
|
__all__ = [ os.path.basename(f)[:-3] for f in modules if not f.endswith('__init__.py')]
|
||||||
|
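Review bot: The two new imports `from .Cryptography import HKDF` and `from .Cryptography import Hashes` are not referenced anywhere else in `__init__.py`, so their purpose — presumably to make the `RNS.Cryptography` subpackage resolvable for the `RNS.Cryptography.hkdf(...)` and `RNS.Cryptography.sha256(...)` calls introduced elsewhere in this commit — deserves a comment, e.g. `# Imported for side effect: makes RNS.Cryptography (hkdf, sha256) available to callers`. Note also that `__all__` is built only from `*.py` files in this directory, so the Cryptography package directory is not exported by it; if that is intended, say so in the same comment.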