From 19a033db965b5f2b1f6468635e4a995e193dc8b7 Mon Sep 17 00:00:00 2001 From: Mark Qvist Date: Tue, 7 Jun 2022 15:48:23 +0200 Subject: [PATCH] Freed RNS from dependency on PyCA HMAC, HKDF and hashes --- RNS/Identity.py | 27 +++++++++------------------ RNS/Link.py | 18 +++++------------- RNS/Reticulum.py | 14 ++++---------- RNS/__init__.py | 2 ++ 4 files changed, 20 insertions(+), 41 deletions(-) diff --git a/RNS/Identity.py b/RNS/Identity.py index 7ed3f26..9ce9bec 100644 --- a/RNS/Identity.py +++ b/RNS/Identity.py @@ -34,10 +34,8 @@ from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey -from cryptography.hazmat.primitives.kdf.hkdf import HKDF from cryptography.fernet import Fernet -cio_default_backend = default_backend() class Identity: """ @@ -159,10 +157,7 @@ class Identity: :param data: Data to be hashed as *bytes*. :returns: SHA-256 hash as *bytes* """ - digest = hashlib.sha256() - digest.update(data) - - return digest.digest() + return RNS.Cryptography.sha256(data) @staticmethod def truncated_hash(data): @@ -429,14 +424,12 @@ class Identity: shared_key = ephemeral_key.exchange(self.pub) - # TODO: Improve this re-allocation of HKDF - derived_key = HKDF( - algorithm=hashes.SHA256(), + derived_key = RNS.Cryptography.hkdf( length=32, + derive_from=shared_key, salt=self.get_salt(), - info=self.get_context(), - backend=cio_default_backend, - ).derive(shared_key) + context=self.get_context(), + ) fernet = Fernet(base64.urlsafe_b64encode(derived_key)) ciphertext = base64.urlsafe_b64decode(fernet.encrypt(plaintext)) @@ -464,14 +457,12 @@ class Identity: shared_key = self.prv.exchange(peer_pub) - # TODO: Improve this re-allocation of HKDF - derived_key = HKDF( - algorithm=hashes.SHA256(), + derived_key = RNS.Cryptography.hkdf( length=32, + derive_from=shared_key, salt=self.get_salt(), - info=self.get_context(), - backend=cio_default_backend, - ).derive(shared_key) + context=self.get_context(), + ) fernet = Fernet(base64.urlsafe_b64encode(derived_key)) ciphertext = ciphertext_token[Identity.KEYSIZE//8//2:] diff --git a/RNS/Link.py b/RNS/Link.py index 56863d3..70642ff 100644 --- a/RNS/Link.py +++ b/RNS/Link.py @@ -25,7 +25,6 @@ from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey -from cryptography.hazmat.primitives.kdf.hkdf import HKDF from cryptography.fernet import Fernet from time import sleep from .vendor import umsgpack as umsgpack @@ -35,9 +34,6 @@ import math import time import RNS -import traceback - -cio_default_backend = default_backend() class LinkCallbacks: def __init__(self): @@ -239,14 +235,13 @@ class Link: self.status = Link.HANDSHAKE self.shared_key = self.prv.exchange(self.peer_pub) - # TODO: Improve this re-allocation of HKDF - self.derived_key = HKDF( - algorithm=hashes.SHA256(), + self.derived_key = RNS.Cryptography.hkdf( length=32, + derive_from=self.shared_key, salt=self.get_salt(), - info=self.get_context(), - backend=cio_default_backend, - ).derive(self.shared_key) + context=self.get_context(), + ) + def prove(self): signed_data = self.link_id+self.pub_bytes+self.sig_pub_bytes @@ -822,9 +817,6 @@ class Link: return plaintext except Exception as e: RNS.log("Decryption failed on link "+str(self)+". The contained exception was: "+str(e), RNS.LOG_ERROR) - # RNS.log(traceback.format_exc(), RNS.LOG_ERROR) - # TODO: Think long about implications here - # self.teardown() def sign(self, message): diff --git a/RNS/Reticulum.py b/RNS/Reticulum.py index ff4cbe5..ac444b0 100755 --- a/RNS/Reticulum.py +++ b/RNS/Reticulum.py @@ -21,11 +21,6 @@ # SOFTWARE. from .vendor.platformutils import get_platform -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.kdf.hkdf import HKDF -from cryptography.hazmat.backends import default_backend - -cio_default_backend = default_backend() if get_platform() == "android": from .Interfaces import Interface @@ -840,13 +835,12 @@ class Reticulum: ifac_origin += RNS.Identity.full_hash(interface.ifac_netkey.encode("utf-8")) ifac_origin_hash = RNS.Identity.full_hash(ifac_origin) - interface.ifac_key = HKDF( - algorithm=hashes.SHA256(), + interface.ifac_key = RNS.Cryptography.hkdf( length=64, + derive_from=ifac_origin_hash, salt=self.ifac_salt, - info=None, - backend=cio_default_backend, - ).derive(ifac_origin_hash) + context=None + ) interface.ifac_identity = RNS.Identity.from_bytes(interface.ifac_key) interface.ifac_signature = interface.ifac_identity.sign(RNS.Identity.full_hash(interface.ifac_key)) diff --git a/RNS/__init__.py b/RNS/__init__.py index 7bf25d7..5dd856b 100755 --- a/RNS/__init__.py +++ b/RNS/__init__.py @@ -37,6 +37,8 @@ from .Destination import Destination from .Packet import Packet from .Packet import PacketReceipt from .Resource import Resource, ResourceAdvertisement +from .Cryptography import HKDF +from .Cryptography import Hashes modules = glob.glob(os.path.dirname(__file__)+"/*.py") __all__ = [ os.path.basename(f)[:-3] for f in modules if not f.endswith('__init__.py')]