"""
This module contains several functions that authenticate the client machine
with Telegram's servers, effectively creating an authorization key.
"""
import os
import time
from hashlib import sha1
from ..tl.types import (
ResPQ, PQInnerData, ServerDHParamsFail, ServerDHParamsOk,
ServerDHInnerData, ClientDHInnerData, DhGenOk, DhGenRetry, DhGenFail
)
from .. import helpers
from ..crypto import AES, AuthKey, Factorization, rsa
from ..errors import SecurityError
from ..extensions import BinaryReader
from ..tl.functions import (
ReqPqMultiRequest, ReqDHParamsRequest, SetClientDHParamsRequest
)
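async def do_authentication(sender):
    """
    Executes the authentication process with the Telegram servers.

    The exchange has three steps: a PQ request, the Diffie-Hellman
    parameter request, and the completion of the Diffie-Hellman exchange.
    Every server answer is checked for its type and for the nonces echoed
    back before any value from it is used.

    :param sender: a connected `MTProtoPlainSender`.
    :return: returns a (authorization key, time offset) tuple.
    :raises SecurityError: if a nonce, nonce hash, key fingerprint, AES
        block size or Diffie-Hellman range check fails.
    :raises AssertionError: if the server answers with an unexpected type.
    """
    # Step 1 sending: PQ Request, endianness doesn't matter since it's random
    nonce = int.from_bytes(os.urandom(16), 'big', signed=True)
    res_pq = await sender.send(ReqPqMultiRequest(nonce))
    # Raised explicitly rather than with `assert`, so that the type check
    # on server-controlled data is not stripped when running under `-O`.
    if not isinstance(res_pq, ResPQ):
        raise AssertionError('Step 1 answer was %s' % res_pq)

    if res_pq.nonce != nonce:
        raise SecurityError('Step 1 invalid nonce from server')

    pq = get_int(res_pq.pq)

    # Step 2 sending: DH Exchange
    p, q = Factorization.factorize(pq)
    p, q = rsa.get_byte_array(p), rsa.get_byte_array(q)
    new_nonce = int.from_bytes(os.urandom(32), 'little', signed=True)

    pq_inner_data = bytes(PQInnerData(
        pq=rsa.get_byte_array(pq), p=p, q=q,
        nonce=res_pq.nonce,
        server_nonce=res_pq.server_nonce,
        new_nonce=new_nonce
    ))

    # sha_digest + data + random_bytes
    # The first fingerprint for which `rsa.encrypt` returns something
    # other than None is the one used for the rest of the exchange.
    cipher_text, target_fingerprint = None, None
    for fingerprint in res_pq.server_public_key_fingerprints:
        cipher_text = rsa.encrypt(fingerprint, pq_inner_data)
        if cipher_text is not None:
            target_fingerprint = fingerprint
            break

    if cipher_text is None:
        # Second attempt, but now we're allowed to use old keys
        for fingerprint in res_pq.server_public_key_fingerprints:
            cipher_text = rsa.encrypt(fingerprint, pq_inner_data, use_old=True)
            if cipher_text is not None:
                target_fingerprint = fingerprint
                break

    if cipher_text is None:
        raise SecurityError(
            'Step 2 could not find a valid key for fingerprints: {}'
            .format(', '.join(
                [str(f) for f in res_pq.server_public_key_fingerprints])
            )
        )

    server_dh_params = await sender.send(ReqDHParamsRequest(
        nonce=res_pq.nonce,
        server_nonce=res_pq.server_nonce,
        p=p, q=q,
        public_key_fingerprint=target_fingerprint,
        encrypted_data=cipher_text
    ))

    if not isinstance(
            server_dh_params, (ServerDHParamsOk, ServerDHParamsFail)):
        raise AssertionError('Step 2.1 answer was %s' % server_dh_params)

    if server_dh_params.nonce != res_pq.nonce:
        raise SecurityError('Step 2 invalid nonce from server')

    if server_dh_params.server_nonce != res_pq.server_nonce:
        raise SecurityError('Step 2 invalid server nonce from server')

    if isinstance(server_dh_params, ServerDHParamsFail):
        # Check the failure against our own secret new_nonce. A failure
        # with a matching hash is still rejected by the Step 2.2 check.
        nnh = int.from_bytes(
            sha1(new_nonce.to_bytes(32, 'little', signed=True)).digest()[4:20],
            'little', signed=True
        )
        if server_dh_params.new_nonce_hash != nnh:
            raise SecurityError('Step 2 invalid DH fail nonce from server')

    if not isinstance(server_dh_params, ServerDHParamsOk):
        raise AssertionError('Step 2.2 answer was %s' % server_dh_params)

    # Step 3 sending: Complete DH Exchange
    key, iv = helpers.generate_key_data_from_nonce(
        res_pq.server_nonce, new_nonce
    )
    if len(server_dh_params.encrypted_answer) % 16 != 0:
        # See PR#453
        raise SecurityError('Step 3 AES block size mismatch')

    plain_text_answer = AES.decrypt_ige(
        server_dh_params.encrypted_answer, key, iv
    )

    with BinaryReader(plain_text_answer) as reader:
        # NOTE(review): the 20-byte hash prefix is read and discarded; it
        # is never compared against the decrypted payload. Only the nonce
        # checks below validate the answer. Consider verifying the hash.
        reader.read(20)  # hash sum
        server_dh_inner = reader.tgread_object()
        if not isinstance(server_dh_inner, ServerDHInnerData):
            raise AssertionError('Step 3 answer was %s' % server_dh_inner)

    if server_dh_inner.nonce != res_pq.nonce:
        raise SecurityError('Step 3 Invalid nonce in encrypted answer')

    if server_dh_inner.server_nonce != res_pq.server_nonce:
        raise SecurityError('Step 3 Invalid server nonce in encrypted answer')

    dh_prime = get_int(server_dh_inner.dh_prime, signed=False)
    g = server_dh_inner.g
    g_a = get_int(server_dh_inner.g_a, signed=False)
    time_offset = server_dh_inner.server_time - int(time.time())

    # b is the client's secret exponent, drawn from the OS CSPRNG.
    b = get_int(os.urandom(256), signed=False)
    g_b = pow(g, b, dh_prime)
    gab = pow(g_a, b, dh_prime)

    # IMPORTANT: Apart from the conditions on the Diffie-Hellman prime
    # dh_prime and generator g, both sides are to check that g, g_a and
    # g_b are greater than 1 and less than dh_prime - 1. We recommend
    # checking that g_a and g_b are between 2^{2048-64} and
    # dh_prime - 2^{2048-64} as well.
    # (https://core.telegram.org/mtproto/auth_key#dh-key-exchange-complete)
    #
    # NOTE(review): the conditions on dh_prime and g themselves are not
    # checked in this function; confirm they are validated elsewhere.
    if not (1 < g < (dh_prime - 1)):
        # Message fixed: this branch checks g, not g_a.
        raise SecurityError('g is not within (1, dh_prime - 1)')

    if not (1 < g_a < (dh_prime - 1)):
        raise SecurityError('g_a is not within (1, dh_prime - 1)')

    if not (1 < g_b < (dh_prime - 1)):
        raise SecurityError('g_b is not within (1, dh_prime - 1)')

    safety_range = 2 ** (2048 - 64)
    if not (safety_range <= g_a <= (dh_prime - safety_range)):
        raise SecurityError('g_a is not within (2^{2048-64}, dh_prime - 2^{2048-64})')

    if not (safety_range <= g_b <= (dh_prime - safety_range)):
        raise SecurityError('g_b is not within (2^{2048-64}, dh_prime - 2^{2048-64})')

    # Prepare client DH Inner Data
    client_dh_inner = bytes(ClientDHInnerData(
        nonce=res_pq.nonce,
        server_nonce=res_pq.server_nonce,
        retry_id=0,  # TODO Actual retry ID
        g_b=rsa.get_byte_array(g_b)
    ))

    client_dh_inner_hashed = sha1(client_dh_inner).digest() + client_dh_inner

    # Encryption
    client_dh_encrypted = AES.encrypt_ige(client_dh_inner_hashed, key, iv)

    # Prepare Set client DH params
    dh_gen = await sender.send(SetClientDHParamsRequest(
        nonce=res_pq.nonce,
        server_nonce=res_pq.server_nonce,
        encrypted_data=client_dh_encrypted,
    ))

    # The position in this tuple (1-based) selects both the
    # `new_nonce_hashN` attribute and the number passed to
    # `calc_new_nonce_hash`.
    nonce_types = (DhGenOk, DhGenRetry, DhGenFail)
    if not isinstance(dh_gen, nonce_types):
        raise AssertionError('Step 3.1 answer was %s' % dh_gen)

    name = dh_gen.__class__.__name__
    if dh_gen.nonce != res_pq.nonce:
        raise SecurityError('Step 3 invalid {} nonce from server'.format(name))

    if dh_gen.server_nonce != res_pq.server_nonce:
        raise SecurityError(
            'Step 3 invalid {} server nonce from server'.format(name))

    auth_key = AuthKey(rsa.get_byte_array(gab))
    nonce_number = 1 + nonce_types.index(type(dh_gen))
    new_nonce_hash = auth_key.calc_new_nonce_hash(new_nonce, nonce_number)

    dh_hash = getattr(dh_gen, 'new_nonce_hash{}'.format(nonce_number))
    if dh_hash != new_nonce_hash:
        raise SecurityError('Step 3 invalid new nonce hash')

    # Retry and fail answers are only rejected after their hash is checked.
    if not isinstance(dh_gen, DhGenOk):
        raise AssertionError('Step 3.2 answer was %s' % dh_gen)

    return auth_key, time_offset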
def get_int(byte_array, signed=True):
    """
    Decodes a big endian byte array into an integer.

    Meant to be used by this module alone, since it always assumes
    big endian byte order.

    :param byte_array: the byte array representing the integer.
    :param signed: whether the number is signed or not.
    :return: the integer representing the given byte array.
    """
    value = int.from_bytes(byte_array, 'big', signed=signed)
    return value