diff --git a/test/test_onion.py b/test/test_onion.py index 3c6067db1..91d818ed4 100644 --- a/test/test_onion.py +++ b/test/test_onion.py @@ -2,13 +2,28 @@ import sys -from pyelliptic import ecc -from pyelliptic import Cipher -from pyelliptic.hash import hmac_sha256 from hashlib import sha256 +from binascii import hexlify, unhexlify +import hmac +import random + +from cryptography.hazmat.primitives.ciphers import Cipher, modes, algorithms +from cryptography.hazmat.primitives.ciphers.algorithms import AES +from cryptography.hazmat.primitives.ciphers.modes import CTR +from cryptography.hazmat.backends import default_backend +# http://cryptography.io + +from pyelliptic import ecc + +class MyEx(Exception): pass + +def hmac_sha256(k, m): + return hmac.new(k, m, sha256).digest() + + + + -hexlify = ecc.hexlify -unhexlify = ecc.unhexlify ## pyelliptic doesn't support compressed pubkey representations ## so we have to add some code... @@ -22,6 +37,74 @@ OpenSSL.EC_POINT_set_compressed_coordinates_GFp.argtypes = [ ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p] +def ecc_ecdh_key(sec, pub): + assert isinstance(sec, ecc.ECC) + if isinstance(pub, ecc.ECC): + pub = pub.get_pubkey() + #return sec.get_ecdh_key(pub) + + pubkey_x, pubkey_y = ecc.ECC._decode_pubkey(pub, 'binary') + + other_key = other_pub_key_x = other_pub_key_y = other_pub_key = None + own_priv_key = res = res_x = res_y = None + try: + other_key = OpenSSL.EC_KEY_new_by_curve_name(sec.curve) + if other_key == 0: + raise Exception("[OpenSSL] EC_KEY_new_by_curve_name FAIL ... " + OpenSSL.get_error()) + + other_pub_key_x = OpenSSL.BN_bin2bn(pubkey_x, len(pubkey_x), 0) + other_pub_key_y = OpenSSL.BN_bin2bn(pubkey_y, len(pubkey_y), 0) + + other_group = OpenSSL.EC_KEY_get0_group(other_key) + other_pub_key = OpenSSL.EC_POINT_new(other_group) + if (other_pub_key == None): + raise Exception("[OpenSSl] EC_POINT_new FAIL ... " + OpenSSL.get_error()) + + if (OpenSSL.EC_POINT_set_affine_coordinates_GFp(other_group, + other_pub_key, + other_pub_key_x, + other_pub_key_y, + 0)) == 0: + raise Exception( + "[OpenSSL] EC_POINT_set_affine_coordinates_GFp FAIL ..." + OpenSSL.get_error()) + + own_priv_key = OpenSSL.BN_bin2bn(sec.privkey, len(sec.privkey), 0) + + res = OpenSSL.EC_POINT_new(other_group) + if (OpenSSL.EC_POINT_mul(other_group, res, 0, other_pub_key, own_priv_key, 0)) == 0: + raise Exception( + "[OpenSSL] EC_POINT_mul FAIL ..." + OpenSSL.get_error()) + + res_x = OpenSSL.BN_new() + res_y = OpenSSL.BN_new() + + if (OpenSSL.EC_POINT_get_affine_coordinates_GFp(other_group, res, + res_x, + res_y, 0 + )) == 0: + raise Exception( + "[OpenSSL] EC_POINT_get_affine_coordinates_GFp FAIL ... " + OpenSSL.get_error()) + + resx = OpenSSL.malloc(0, OpenSSL.BN_num_bytes(res_x)) + resy = OpenSSL.malloc(0, OpenSSL.BN_num_bytes(res_y)) + + OpenSSL.BN_bn2bin(res_x, resx) + resx = resx.raw + OpenSSL.BN_bn2bin(res_y, resy) + resy = resy.raw + + return resx, resy + + finally: + if other_key: OpenSSL.EC_KEY_free(other_key) + if other_pub_key_x: OpenSSL.BN_free(other_pub_key_x) + if other_pub_key_y: OpenSSL.BN_free(other_pub_key_y) + if other_pub_key: OpenSSL.EC_POINT_free(other_pub_key) + if own_priv_key: OpenSSL.BN_free(own_priv_key) + if res: OpenSSL.EC_POINT_free(res) + if res_x: OpenSSL.BN_free(res_x) + if res_y: OpenSSL.BN_free(res_y) + def get_pos_y_for_x(pubkey_x, yneg=0): key = pub_key = pub_key_x = pub_key_y = None try: @@ -62,6 +145,34 @@ class Onion(object): MSG_LEN = 128 ZEROES = b"\x00" * (HMAC_LEN + PKEY_LEN + MSG_LEN) + @staticmethod + def tweak_sha(sha, d): + sha = sha.copy() + sha.update(d) + return sha.digest() + + @classmethod + def get_ecdh_secrets(cls, sec, pkey_x, pkey_y): + pkey = unhexlify('04') + pkey_x + pkey_y + tmp_key = ecc.ECC(curve='secp256k1', pubkey=pkey) + sec_x, sec_y = ecc_ecdh_key(sec, tmp_key) + + b = '\x02' if ord(sec_y[-1]) % 2 == 0 else '\x03' + sec = sha256(sha256(b + sec_x).digest()) + + enckey = cls.tweak_sha(sec, b'\x00')[:16] + hmac = cls.tweak_sha(sec, b'\x01') + iv = cls.tweak_sha(sec, b'\x02')[:16] + pad_iv = cls.tweak_sha(sec, b'\x03')[:16] + + return enckey, hmac, iv, pad_iv + + def enc_pad(self, enckey, pad_iv): + aes = Cipher(AES(enckey), CTR(pad_iv), + default_backend()).encryptor() + return aes.update(self.ZEROES) + +class OnionDecrypt(Onion): def __init__(self, onion, my_ecc): self.my_ecc = my_ecc @@ -77,47 +188,104 @@ class Onion(object): self.get_secrets() def decrypt(self): - ctx = Cipher(self.enckey, self.pad_iv, 1, ciphername='aes-128-ctr') - pad = ctx.ciphering(self.ZEROES) + pad = self.enc_pad(self.enckey, self.pad_iv) - ctx = Cipher(self.enckey, self.iv, 0, ciphername='aes-128-ctr') - self.fwd = pad + ctx.ciphering(self.onion[:self.fwd_end]) - self.msg = ctx.ciphering(self.onion[self.fwd_end:self.msg_end]) - - def tweak_sha(self, sha, d): - sha = sha.copy() - sha.update(d) - return sha.digest() + aes = Cipher(AES(self.enckey), CTR(self.iv), + default_backend()).decryptor() + self.fwd = pad + aes.update(self.onion[:self.fwd_end]) + self.msg = aes.update(self.onion[self.fwd_end:self.msg_end]) def get_secrets(self): pkey_x = self.pkey - pkey_y = get_pos_y_for_x(pkey_x) - pkey = unhexlify('04') + pkey_x + pkey_y - tmp_key = ecc.ECC(curve='secp256k1', pubkey=pkey) - sec_x = self.my_ecc.get_ecdh_key(tmp_key.get_pubkey()) - sec_1 = sha256(sha256(b"\x02" + sec_x).digest()) - sec_2 = sha256(sha256(b"\x03" + sec_x).digest()) - - sec = None - if self.check_hmac(self.tweak_sha(sec_1, b'\x01')): - sec = sec_1 - if self.check_hmac(self.tweak_sha(sec_2, b'\x01')): - sec = sec_2 - if sec is None: + pkey_y = get_pos_y_for_x(pkey_x) # always positive by design + enckey, hmac, iv, pad_iv = self.get_ecdh_secrets(self.my_ecc, pkey_x, pkey_y) + if not self.check_hmac(hmac): raise Exception("HMAC did not verify") - - self.enckey = self.tweak_sha(sec, b'\x00')[:16] - self.iv = self.tweak_sha(sec, b'\x02')[:16] - self.pad_iv = self.tweak_sha(sec, b'\x03')[:16] + self.enckey = enckey + self.iv = iv + self.pad_iv = pad_iv def check_hmac(self, hmac_key): calc = hmac_sha256(hmac_key, self.onion[:-self.HMAC_LEN]) return calc == self.hmac -if __name__ == "__main__": +class OnionEncrypt(Onion): + def __init__(self, msgs, pubkeys): + assert len(msgs) == len(pubkeys) + assert 0 < len(msgs) <= 20 + assert all( len(m) <= self.MSG_LEN for m in msgs ) + + msgs = [m + "\0"*(self.MSG_LEN - len(m)) for m in msgs] + pubkeys = [ecc.ECC(pubkey=pk, curve='secp256k1') for pk in pubkeys] + n = len(msgs) + + tmpkeys = [] + tmppubkeys = [] + for i in range(n): + while True: + t = ecc.ECC(curve='secp256k1') + if ord(t.pubkey_y[-1]) % 2 == 0: + break + # or do the math to "flip" the secret key and pub key + tmpkeys.append(t) + tmppubkeys.append(t.pubkey_x) + + enckeys, hmacs, ivs, pad_ivs = zip(*[self.get_ecdh_secrets(tmpkey, pkey.pubkey_x, pkey.pubkey_y) + for tmpkey, pkey in zip(tmpkeys, pubkeys)]) + + # padding takes the form: + # E_(n-1)(0000s) + # D_(n-1)( + # E(n-2)(0000s) + # D(n-2)( + # ... + # ) + # ) + + padding = "" + for i in range(n-1): + pad = self.enc_pad(enckeys[i], pad_ivs[i]) + aes = Cipher(AES(enckeys[i]), CTR(ivs[i]), + default_backend()).decryptor() + padding = pad + aes.update(padding) + + if n < 20: + padding += str(bytearray(random.getrandbits(8) + for _ in range(len(self.ZEROES) * (20-n)))) + + # to encrypt the message we need to bump the counter past all + # the padding, then just encrypt the final message + aes = Cipher(AES(enckeys[-1]), CTR(ivs[-1]), + default_backend()).encryptor() + aes.update(padding) # don't care about cyphertext + msgenc = aes.update(msgs[-1]) + + msgenc = padding + msgenc + tmppubkeys[-1] + del padding + msgenc += hmac_sha256(hmacs[-1], msgenc) + + # *PHEW* + # now iterate + + for i in reversed(range(n-1)): + # drop the padding this node will add + msgenc = msgenc[len(self.ZEROES):] + # adding the msg + msgenc += msgs[i] + # encrypt it + aes = Cipher(AES(enckeys[i]), CTR(ivs[i]), + default_backend()).encryptor() + msgenc = aes.update(msgenc) + # add the tmp key + msgenc += tmppubkeys[i] + # add the hmac + msgenc += hmac_sha256(hmacs[i], msgenc) + self.onion = msgenc + +def decode_from_file(f): keys = [] msg = "" - for ln in sys.stdin.readlines(): + for ln in f.readlines(): if ln.startswith(" * Keypair "): w = ln.strip().split() idx = int(w[2].strip(":")) @@ -135,9 +303,27 @@ if __name__ == "__main__": assert msg != "" for k in keys: - o = Onion(msg, k) + o = OnionDecrypt(msg, k) o.decrypt() print o.msg msg = o.fwd - print "done" + +if __name__ == "__main__": + if len(sys.argv) > 1 and sys.argv[1] == "generate": + if len(sys.argv) == 3: + n = int(sys.argv[2]) + else: + n = 20 + servers = [ecc.ECC(curve='secp256k1') for _ in range(n)] + server_pubs = [s.get_pubkey() for s in servers] + msgs = ["Howzit %d..." % (i,) for i in range(n)] + + o = OnionEncrypt(msgs, server_pubs) + + for i, s in enumerate(servers): + print " * Keypair %d: %s %s" % ( + i, hexlify(s.privkey), hexlify(s.get_pubkey())) + print " * Message: %s" % (hexlify(o.onion)) + else: + decode_from_file(sys.stdin)