Package tlslite :: Module mathtls

Source Code for Module tlslite.mathtls

  1  # Authors:  
  2  #   Trevor Perrin 
  3  #   Dave Baggett (Arcode Corporation) - MD5 support for MAC_SSL 
  4  #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 
  5  #   Hubert Kario - SHA384 PRF 
  6  # 
  7  # See the LICENSE file for legal information regarding use of this file. 
  8   
  9  """Miscellaneous helper functions.""" 
 10   
 11  from .utils.compat import * 
 12  from .utils.cryptomath import * 
 13  from .constants import CipherSuite 
 14  from .utils import tlshashlib as hashlib 
 15   
 16  import hmac 
 17   
 18  #(g, N) pairs for the 1024, 1536, 2048, 3072, 4096, 6144, and 8192 bit groups, in that order 
 19  goodGroupParameters = [(2,0xEEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3),\ 
 20                         (2,0x9DEF3CAFB939277AB1F12A8617A47BBBDBA51DF499AC4C80BEEEA9614B19CC4D5F4F5F556E27CBDE51C6A94BE4607A291558903BA0D0F84380B655BB9A22E8DCDF028A7CEC67F0D08134B1C8B97989149B609E0BE3BAB63D47548381DBC5B1FC764E3F4B53DD9DA1158BFD3E2B9C8CF56EDF019539349627DB2FD53D24B7C48665772E437D6C7F8CE442734AF7CCB7AE837C264AE3A9BEB87F8A2FE9B8B5292E5A021FFF5E91479E8CE7A28C2442C6F315180F93499A234DCF76E3FED135F9BB),\ 
 21                         (2,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
 22                         (2,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
 23                         (5,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
 24                         (5,0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DCC4024FFFFFFFFFFFFFFFF),\ 
 25                         (5,0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6FC026E4
79558E4475677E9AA9E3050E2765694DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF)] 
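def P_hash(macFunc, secret, seed, length):
    """Expand secret and seed into length bytes with the TLS P_hash construction.

    P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed)
    + ... where A(0) = seed and A(i) = HMAC(secret, A(i-1)); the concatenation
    is truncated to the requested length.

    @param macFunc: keyed MAC called as macFunc(key, message), returning a
        bytes-like digest (the HMAC_* helpers this module passes in fit this)
    @param secret: MAC key (bytes-like)
    @param seed: seed (bytes-like)
    @param length: number of bytes to produce; 0 gives an empty result
    @return: bytearray of exactly length bytes
    """
    # Named "output" rather than "bytes" so the builtin is not shadowed.
    output = bytearray(length)
    A = seed
    index = 0
    while index < length:
        A = macFunc(secret, A)
        block = macFunc(secret, A + seed)
        # Copy whole MAC blocks; the last one is clipped to what is still needed.
        take = min(len(block), length - index)
        output[index:index + take] = block[:take]
        index += take
    return output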
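def PRF(secret, label, seed, length):
    """Pseudo Random Function for TLS 1.0 and TLS 1.1.

    The secret is split into two halves that share the middle byte when its
    length is odd; the left half drives P_MD5 and the right half P_SHA1, and
    the two expansions are XORed together.

    @param secret: key material (bytes-like)
    @param label: ASCII label of the derivation (bytes-like)
    @param seed: seed appended to the label (bytes-like)
    @param length: number of output bytes
    @return: bytearray of length bytes
    """
    # Integer split instead of math.ceil/floor on a float: same halves,
    # no float conversion.
    half, odd = divmod(len(secret), 2)
    S1 = secret[:half + odd]
    S2 = secret[half:]

    # Run the left half through P_MD5 and the right half through P_SHA1
    labelledSeed = label + seed
    p_md5 = P_hash(HMAC_MD5, S1, labelledSeed, length)
    p_sha1 = P_hash(HMAC_SHA1, S2, labelledSeed, length)

    # XOR the two streams in place and return the MD5 one
    for i, byte in enumerate(p_sha1):
        p_md5[i] ^= byte
    return p_md5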
def PRF_1_2(secret, label, seed, length):
    """Pseudo Random Function for TLS1.2 ciphers that use SHA256

    @param secret: key material for the HMAC (bytes-like)
    @param label: ASCII label of the derivation (bytes-like)
    @param seed: seed appended to the label (bytes-like)
    @param length: number of output bytes
    @return: bytearray produced by P_hash over HMAC-SHA256
    """
    labelledSeed = label + seed
    return P_hash(HMAC_SHA256, secret, labelledSeed, length)
def PRF_1_2_SHA384(secret, label, seed, length):
    """Pseudo Random Function for TLS1.2 ciphers that use SHA384

    @param secret: key material for the HMAC (bytes-like)
    @param label: ASCII label of the derivation (bytes-like)
    @param seed: seed appended to the label (bytes-like)
    @param length: number of output bytes
    @return: bytearray produced by P_hash over HMAC-SHA384
    """
    labelledSeed = label + seed
    return P_hash(HMAC_SHA384, secret, labelledSeed, length)
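def PRF_SSL(secret, seed, length):
    """SSLv3 key expansion: MD5(secret + SHA1('A'...'Z' salts + secret + seed)).

    Round i (0-based) uses the salt chr(ord('A') + i) repeated i + 1 times
    ('A', 'BB', 'CCC', ...). There are 26 rounds of 16 MD5 bytes, so at most
    416 bytes can be produced; a larger length is left zero-filled past that.

    @param secret: premaster or master secret (bytes-like)
    @param seed: concatenated random values (bytes-like)
    @param length: number of output bytes
    @return: bytearray of length bytes
    """
    # Named "output"/"md5Input" so the builtins bytes and input stay visible.
    output = bytearray(length)
    index = 0
    for roundNo in range(26):
        if index >= length:
            break
        salt = bytearray([ord('A') + roundNo] * (roundNo + 1))
        md5Input = secret + SHA1(salt + secret + seed)
        block = MD5(md5Input)
        take = min(len(block), length - index)
        output[index:index + take] = block[:take]
        index += take
    return output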
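def calcExtendedMasterSecret(version, cipherSuite, premasterSecret,
                             handshakeHashes):
    """Derive Extended Master Secret from premaster and handshake msgs

    @param version: TLS protocol version tuple; (3, 1), (3, 2) or (3, 3)
    @param cipherSuite: negotiated cipher suite; in TLS 1.2 it selects the
        PRF hash (SHA-384 for suites in CipherSuite.sha384PrfSuites)
    @param premasterSecret: premaster secret from the key exchange
    @param handshakeHashes: running hash of the handshake messages
    @return: 48-byte master secret
    @raise AssertionError: when version is not a TLS 1.0-1.2 version
    """
    # Explicit check instead of "assert": under python -O the assert is
    # stripped and an unknown version would silently take the TLS 1.2 path.
    if version not in ((3, 1), (3, 2), (3, 3)):
        raise AssertionError("unsupported version for extended master secret")

    label = b"extended master secret"
    if version in ((3, 1), (3, 2)):
        sessionHash = (handshakeHashes.digest('md5') +
                       handshakeHashes.digest('sha1'))
        return PRF(premasterSecret, label, sessionHash, 48)

    # version == (3, 3): PRF hash chosen by the cipher suite
    if cipherSuite in CipherSuite.sha384PrfSuites:
        return PRF_1_2_SHA384(premasterSecret, label,
                              handshakeHashes.digest('sha384'), 48)
    return PRF_1_2(premasterSecret, label,
                   handshakeHashes.digest('sha256'), 48)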
def calcMasterSecret(version, cipherSuite, premasterSecret, clientRandom,
                     serverRandom):
    """Derive Master Secret from premaster secret and random values

    @param version: protocol version tuple; (3, 0) is SSLv3, (3, 1) to
        (3, 3) are TLS 1.0 to 1.2
    @param cipherSuite: negotiated cipher suite; in TLS 1.2 it selects the
        PRF hash (SHA-384 for suites in CipherSuite.sha384PrfSuites)
    @param premasterSecret: premaster secret from the key exchange
    @param clientRandom: client random value (bytes-like)
    @param serverRandom: server random value (bytes-like)
    @return: 48-byte master secret
    @raise AssertionError: for any other version
    """
    if version not in ((3, 0), (3, 1), (3, 2), (3, 3)):
        raise AssertionError()

    randoms = clientRandom + serverRandom
    label = b"master secret"

    if version == (3, 0):
        # SSLv3 has its own MD5/SHA-1 expansion and uses no label
        return PRF_SSL(premasterSecret, randoms, 48)
    if version in ((3, 1), (3, 2)):
        return PRF(premasterSecret, label, randoms, 48)
    # version == (3, 3)
    if cipherSuite in CipherSuite.sha384PrfSuites:
        return PRF_1_2_SHA384(premasterSecret, label, randoms, 48)
    return PRF_1_2(premasterSecret, label, randoms, 48)
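def calcFinished(version, masterSecret, cipherSuite, handshakeHashes,
                 isClient):
    """Calculate the Handshake protocol Finished value

    @param version: TLS protocol version tuple
    @param masterSecret: negotiated master secret of the connection
    @param cipherSuite: negotiated cipher suite of the connection,
        selects the PRF hash in TLS 1.2
    @param handshakeHashes: running hash of the handshake messages
    @param isClient: whether the calculation should be performed for message
        sent by client (True) or by server (False) side of connection
    @return: verify_data; 12 PRF bytes for TLS, the digestSSL result for SSLv3
    @raise AssertionError: when version is not SSLv3 or TLS 1.0-1.2
    """
    # Explicit check instead of "assert": under python -O the assert is
    # stripped and an unknown version would silently take the TLS 1.2 path.
    if version not in ((3, 0), (3, 1), (3, 2), (3, 3)):
        raise AssertionError("unsupported protocol version")

    if version == (3, 0):
        # SSLv3 sender constants: the ASCII strings "CLNT" and "SRVR"
        if isClient:
            senderStr = b"\x43\x4C\x4E\x54"
        else:
            senderStr = b"\x53\x52\x56\x52"
        return handshakeHashes.digestSSL(masterSecret, senderStr)

    if isClient:
        label = b"client finished"
    else:
        label = b"server finished"

    if version in ((3, 1), (3, 2)):
        # TLS 1.0/1.1: PRF over the default handshake digest
        return PRF(masterSecret, label, handshakeHashes.digest(), 12)

    # version == (3, 3): PRF hash chosen by the cipher suite
    if cipherSuite in CipherSuite.sha384PrfSuites:
        return PRF_1_2_SHA384(masterSecret, label,
                              handshakeHashes.digest('sha384'), 12)
    return PRF_1_2(masterSecret, label, handshakeHashes.digest('sha256'), 12)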
def makeX(salt, username, password):
    """Compute the SRP private key x = SHA1(salt | SHA1(username | ":" | password)).

    @param salt: per-user salt (bytes-like)
    @param username: user name (bytes-like)
    @param password: password (bytes-like)
    @return: x as a number
    @raise ValueError: when username or salt is 256 bytes or longer
        (presumably because the wire format carries them with a one-byte
        length prefix -- confirm against the SRP extension encoding)
    """
    if len(username) >= 256:
        raise ValueError("username too long")
    if len(salt) >= 256:
        raise ValueError("salt too long")
    identity = username + bytearray(b":") + password
    innerHash = SHA1(identity)
    return bytesToNumber(SHA1(salt + innerHash))
#This function is used by VerifierDB.makeVerifier
def makeVerifier(username, password, bits):
    """Create a fresh SRP verifier for username/password in a bits-sized group.

    @param username: user name (bytes-like)
    @param password: password (bytes-like)
    @param bits: group size; one of 1024, 1536, 2048, 3072, 4096, 6144, 8192
    @return: tuple (N, g, salt, verifier) with verifier = g^x mod N
    @raise KeyError: when bits is not one of the supported sizes
    """
    # Index into goodGroupParameters, which holds (g, N) pairs in this order.
    # NOTE(review): goodGroupParameters[6] pairs generator 5 with the
    # 8192-bit prime, while RFC 5054 Appendix A lists 19 for that group --
    # confirm the intended generator.
    groupIndex = {1024: 0, 1536: 1, 2048: 2, 3072: 3,
                  4096: 4, 6144: 5, 8192: 6}[bits]
    g, N = goodGroupParameters[groupIndex]
    # 16 random salt bytes from the library's random source
    salt = getRandomBytes(16)
    x = makeX(salt, username, password)
    return N, g, salt, powMod(g, x, N)
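def PAD(n, x):
    """Left-pad the big-endian encoding of x with zero bytes to the width of n.

    @param n: number whose encoded length sets the target width
    @param x: number to encode and pad
    @return: encoding of x, zero-padded on the left to len(numberToByteArray(n))
        bytes; an encoding already that wide or wider is returned unchanged.
        The result is always a bytearray (the previous bytes-prefix
        concatenation returned bytes on the padded path only).
    """
    width = len(numberToByteArray(n))
    return numberToByteArray(x).rjust(width, b"\0")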
def makeU(N, A, B):
    """SRP scrambling parameter u = SHA1(PAD(A) | PAD(B)) as a number (RFC 5054).

    @param N: group prime; only fixes the padded width of A and B
    @param A: client public value
    @param B: server public value
    @return: u as a number
    """
    paddedValues = PAD(N, A) + PAD(N, B)
    return bytesToNumber(SHA1(paddedValues))
def makeK(N, g):
    """SRP multiplier k = SHA1(N | PAD(g)) as a number (RFC 5054).

    @param N: group prime
    @param g: group generator, padded to the width of N
    @return: k as a number
    """
    material = numberToByteArray(N) + PAD(N, g)
    return bytesToNumber(SHA1(material))
def createHMAC(k, digestmod=hashlib.sha1):
    """Return an HMAC object keyed with k over digestmod.

    @param k: MAC key (bytes-like)
    @param digestmod: hash constructor; defaults to SHA-1
    @return: hmac.HMAC instance with block_size set from the hash
    """
    mac = hmac.HMAC(k, digestmod=digestmod)
    # Expose the hash's block size on the object; presumably for callers
    # that read mac.block_size on hmac implementations lacking it.
    mac.block_size = digestmod().block_size
    return mac
def createMAC_SSL(k, digestmod=None):
    """Return a keyed SSLv3 MAC object.

    @param k: MAC key (bytes-like)
    @param digestmod: hash constructor; None selects MAC_SSL's default
    @return: MAC_SSL instance ready for update()/digest()
    """
    sslMac = MAC_SSL()
    sslMac.create(k, digestmod=digestmod)
    return sslMac
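class MAC_SSL(object):
    """SSLv3 message authentication (RFC 6101) with an hmac.HMAC-like interface.

    The MAC is hash(key + pad2 + hash(key + pad1 + message)) where pad1 is
    0x36 and pad2 is 0x5C, each repeated 48 times for MD5 and 40 times for
    20-byte hashes. create() must be called before update()/digest().
    """

    def create(self, k, digestmod=None):
        """Key the MAC.

        @param k: MAC key (bytes-like)
        @param digestmod: hash constructor; defaults to hashlib.sha1
        """
        self.digestmod = digestmod or hashlib.sha1
        probe = self.digestmod()
        self.block_size = probe.block_size
        # Take the digest size from the hash itself instead of testing
        # "digestmod is hashlib.md5": an MD5 constructor imported from a
        # different module fails that identity test and would be padded
        # and sized as SHA-1, producing a wrong MAC.
        self.digest_size = probe.digest_size
        # Repeat pad bytes 48 times for MD5; 40 times for other hash functions.
        repeat = 40 if self.digest_size == 20 else 48
        opad = b"\x5C" * repeat
        ipad = b"\x36" * repeat

        self.ohash = self.digestmod(k + opad)
        self.ihash = self.digestmod(k + ipad)

    def update(self, m):
        """Feed message bytes into the inner hash."""
        self.ihash.update(m)

    def copy(self):
        """Return an independent MAC_SSL with the same key and message state."""
        new = MAC_SSL()
        new.ihash = self.ihash.copy()
        new.ohash = self.ohash.copy()
        new.digestmod = self.digestmod
        new.digest_size = self.digest_size
        new.block_size = self.block_size
        return new

    def digest(self):
        """Return the MAC over the data fed so far.

        @return: bytearray of digest_size bytes
        """
        # Work on a copy so update() can still be called afterwards.
        outer = self.ohash.copy()
        outer.update(self.ihash.digest())
        return bytearray(outer.digest())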