Freed RNS from dependency on PyCA HMAC, HKDF and hashes

Mark Qvist 2022-06-07 15:48:23 +02:00
parent 5bb510b589
commit 19a033db96
4 changed files with 20 additions and 41 deletions


@ -34,10 +34,8 @@ from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.fernet import Fernet from cryptography.fernet import Fernet
cio_default_backend = default_backend()
class Identity: class Identity:
""" """
@ -159,10 +157,7 @@ class Identity:
:param data: Data to be hashed as *bytes*. :param data: Data to be hashed as *bytes*.
:returns: SHA-256 hash as *bytes* :returns: SHA-256 hash as *bytes*
""" """
digest = hashlib.sha256() return RNS.Cryptography.sha256(data)
digest.update(data)
return digest.digest()
@staticmethod @staticmethod
def truncated_hash(data): def truncated_hash(data):
@ -429,14 +424,12 @@ class Identity:
shared_key = ephemeral_key.exchange(self.pub) shared_key = ephemeral_key.exchange(self.pub)
# TODO: Improve this re-allocation of HKDF derived_key = RNS.Cryptography.hkdf(
derived_key = HKDF(
algorithm=hashes.SHA256(),
length=32, length=32,
derive_from=shared_key,
salt=self.get_salt(), salt=self.get_salt(),
info=self.get_context(), context=self.get_context(),
backend=cio_default_backend, )
).derive(shared_key)
fernet = Fernet(base64.urlsafe_b64encode(derived_key)) fernet = Fernet(base64.urlsafe_b64encode(derived_key))
ciphertext = base64.urlsafe_b64decode(fernet.encrypt(plaintext)) ciphertext = base64.urlsafe_b64decode(fernet.encrypt(plaintext))
@ -464,14 +457,12 @@ class Identity:
shared_key = self.prv.exchange(peer_pub) shared_key = self.prv.exchange(peer_pub)
# TODO: Improve this re-allocation of HKDF derived_key = RNS.Cryptography.hkdf(
derived_key = HKDF(
algorithm=hashes.SHA256(),
length=32, length=32,
derive_from=shared_key,
salt=self.get_salt(), salt=self.get_salt(),
info=self.get_context(), context=self.get_context(),
backend=cio_default_backend, )
).derive(shared_key)
fernet = Fernet(base64.urlsafe_b64encode(derived_key)) fernet = Fernet(base64.urlsafe_b64encode(derived_key))
ciphertext = ciphertext_token[Identity.KEYSIZE//8//2:] ciphertext = ciphertext_token[Identity.KEYSIZE//8//2:]
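Review bot: The key used for the Fernet token in `encrypt` and `decrypt` now comes from `RNS.Cryptography.hkdf`, whose implementation is not on this page, so nothing in the commit shows that it yields the same bytes as the PyCA HKDF-SHA256 it replaces for the same `shared_key`, `salt` and `context`; any divergence would make ciphertexts from pre-commit peers undecryptable, and the failure would only surface as a Fernet token error. A unit test pinning the RFC 5869 test vectors plus one round-trip against a key derived with the previous call would make the swap verifiable; the handshake hunk in Link.py has the same gap. The hunk header still shows `from cryptography.hazmat.backends import default_backend` at the top of this file; if `cio_default_backend = default_backend()` is the line removed here, that import is now unused and can be dropped with it.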


@ -25,7 +25,6 @@ from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.fernet import Fernet from cryptography.fernet import Fernet
from time import sleep from time import sleep
from .vendor import umsgpack as umsgpack from .vendor import umsgpack as umsgpack
@ -35,9 +34,6 @@ import math
import time import time
import RNS import RNS
import traceback
cio_default_backend = default_backend()
class LinkCallbacks: class LinkCallbacks:
def __init__(self): def __init__(self):
@ -239,14 +235,13 @@ class Link:
self.status = Link.HANDSHAKE self.status = Link.HANDSHAKE
self.shared_key = self.prv.exchange(self.peer_pub) self.shared_key = self.prv.exchange(self.peer_pub)
# TODO: Improve this re-allocation of HKDF self.derived_key = RNS.Cryptography.hkdf(
self.derived_key = HKDF(
algorithm=hashes.SHA256(),
length=32, length=32,
derive_from=self.shared_key,
salt=self.get_salt(), salt=self.get_salt(),
info=self.get_context(), context=self.get_context(),
backend=cio_default_backend, )
).derive(self.shared_key)
def prove(self): def prove(self):
signed_data = self.link_id+self.pub_bytes+self.sig_pub_bytes signed_data = self.link_id+self.pub_bytes+self.sig_pub_bytes
@ -822,9 +817,6 @@ class Link:
return plaintext return plaintext
except Exception as e: except Exception as e:
RNS.log("Decryption failed on link "+str(self)+". The contained exception was: "+str(e), RNS.LOG_ERROR) RNS.log("Decryption failed on link "+str(self)+". The contained exception was: "+str(e), RNS.LOG_ERROR)
# RNS.log(traceback.format_exc(), RNS.LOG_ERROR)
# TODO: Think long about implications here
# self.teardown()
def sign(self, message): def sign(self, message):
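Review bot: `from cryptography.hazmat.primitives import hashes` survives in this file's import block (it is the context line of the hunk header at line 24), although its only visible use, `algorithm=hashes.SHA256()`, is deleted by the handshake hunk; if no other use remains in the file, remove it so the module no longer carries a dependency the commit is meant to shed. The removal of the commented-out `traceback` lines in the decrypt hunk is consistent with the dropped `import traceback`.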


@ -21,11 +21,6 @@
# SOFTWARE. # SOFTWARE.
from .vendor.platformutils import get_platform from .vendor.platformutils import get_platform
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.backends import default_backend
cio_default_backend = default_backend()
if get_platform() == "android": if get_platform() == "android":
from .Interfaces import Interface from .Interfaces import Interface
@ -840,13 +835,12 @@ class Reticulum:
ifac_origin += RNS.Identity.full_hash(interface.ifac_netkey.encode("utf-8")) ifac_origin += RNS.Identity.full_hash(interface.ifac_netkey.encode("utf-8"))
ifac_origin_hash = RNS.Identity.full_hash(ifac_origin) ifac_origin_hash = RNS.Identity.full_hash(ifac_origin)
interface.ifac_key = HKDF( interface.ifac_key = RNS.Cryptography.hkdf(
algorithm=hashes.SHA256(),
length=64, length=64,
derive_from=ifac_origin_hash,
salt=self.ifac_salt, salt=self.ifac_salt,
info=None, context=None
backend=cio_default_backend, )
).derive(ifac_origin_hash)
interface.ifac_identity = RNS.Identity.from_bytes(interface.ifac_key) interface.ifac_identity = RNS.Identity.from_bytes(interface.ifac_key)
interface.ifac_signature = interface.ifac_identity.sign(RNS.Identity.full_hash(interface.ifac_key)) interface.ifac_signature = interface.ifac_identity.sign(RNS.Identity.full_hash(interface.ifac_key))
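Review bot: The new call passes `context=None` and `length=64`, two inputs whose handling by `RNS.Cryptography.hkdf` cannot be confirmed from this page: the PyCA HKDF it replaces treated `info=None` as an empty info string, and a 64-byte output requires two expand blocks (T(1) followed by T(2)) under RFC 5869. If the project implementation differs on either point, every upgraded node computes a different `ifac_key` and interface authentication with older nodes fails silently. Passing `context=b""` explicitly here, and adding a test that derives 64 bytes from a fixed origin hash and compares them with a value recorded from the previous implementation, would pin both behaviours.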


@ -37,6 +37,8 @@ from .Destination import Destination
from .Packet import Packet from .Packet import Packet
from .Packet import PacketReceipt from .Packet import PacketReceipt
from .Resource import Resource, ResourceAdvertisement from .Resource import Resource, ResourceAdvertisement
from .Cryptography import HKDF
from .Cryptography import Hashes
modules = glob.glob(os.path.dirname(__file__)+"/*.py") modules = glob.glob(os.path.dirname(__file__)+"/*.py")
__all__ = [ os.path.basename(f)[:-3] for f in modules if not f.endswith('__init__.py')] __all__ = [ os.path.basename(f)[:-3] for f in modules if not f.endswith('__init__.py')]
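Review bot: The added `from .Cryptography import HKDF` and `from .Cryptography import Hashes` bind two names that none of the call sites changed in this commit use; Identity.py, Link.py and Reticulum.py call `RNS.Cryptography.hkdf` and `RNS.Cryptography.sha256`. If the imports exist only so that `RNS.Cryptography` is loaded and reachable as an attribute, `from . import Cryptography` states that intent directly; otherwise a one-line comment saying what `HKDF` and `Hashes` are exported for would help the next reader. Note also that `__all__` is built from the `*.py` glob two lines below, so if `Cryptography` is a package directory it will not appear there; worth confirming that is intended.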