Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Crypto vs Cryptodome #37

Open
olivluca opened this issue Dec 4, 2023 · 16 comments
Open

Crypto vs Cryptodome #37

olivluca opened this issue Dec 4, 2023 · 16 comments

Comments

@olivluca
Copy link
Contributor

olivluca commented Dec 4, 2023

I'm not really into python cryptography, but wanting to try the latest few commits, I saw an error importing SHA256. I couldn't find a debian package providing it, but I found python3-pycryptodome, so I made this change


diff --git a/pypush_gsa_icloud.py b/pypush_gsa_icloud.py
index d6d84e4..528b010 100644
--- a/pypush_gsa_icloud.py
+++ b/pypush_gsa_icloud.py
@@ -12,7 +12,7 @@ from datetime import datetime
 import srp._pysrp as srp
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from Crypto.Hash import SHA256
+from Cryptodome.Hash import SHA256
 
 # Created here so that it is consistent
 USER_ID = uuid.uuid4()

Searching cryptodome I found this bug so maybe it's a good idea to import from Cryptodome instead of from Crypto.

@Systm21
Copy link

Systm21 commented Dec 4, 2023

pip install cryptography

Should work.

@olivluca
Copy link
Contributor Author

olivluca commented Dec 4, 2023

Sure, but I prefer to use debian packages whenever possible.

@Systm21
Copy link

Systm21 commented Dec 4, 2023

OK, but you're causing problems where there aren't any.

@Chapoly1305
Copy link

I vote for not a bug of this project and this can be closed. You shall use virtual environmental (venv) for individual projects. Using apt to install isn't a good idea anyway due to potential version conflicts and broken dependency.

@biemster
Copy link
Owner

biemster commented Dec 5, 2023

I vote for not a bug of this project and this can be closed. You shall use virtual environmental (venv) for individual projects. Using apt to install isn't a good idea anyway due to potential version conflicts and broken dependency.

I tend to disagree here, I too prefer to manage my python packages using the os package manager.

@olivluca
Copy link
Contributor Author

olivluca commented Dec 5, 2023

I cannot ensure 100% that the change Crypto -> Cryptodome works, but I could authenticate (surprisingly it just asked me the username and password but no authentication code) and get the reports.

@biemster
Copy link
Owner

biemster commented Dec 5, 2023

surprisingly it just asked me the username and password but no authentication code

That's because of the anisette.

@olivluca
Copy link
Contributor Author

olivluca commented Dec 5, 2023

But on subsequent calls it doesn't even ask for username/password.
I checked and while the previous openhaystack.json and the new auth.json have the same ds_prs_id/dsid, they have a different search party token.

@biemster
Copy link
Owner

biemster commented Dec 5, 2023

The first call is to get the search party token, and when the anisette data used for that is from a trusted device, it will not ask for 2FA. The subsequent calls use the cached search party token from the first call as password and the dsid as username.
I've noticed the search party tokens change when using different sources for anisette data indeed. (and there might be other reasons for it to change, I did not pay much attention)

@olivluca
Copy link
Contributor Author

olivluca commented Dec 5, 2023

Sorry for abusing thins bug, but where is the anisette data stored? In the anisette server (I'm using the dockerized one)?.

@biemster
Copy link
Owner

biemster commented Dec 5, 2023

The anisette server is faking an apple device, with the serials and stuff (ADI) stored in $HOME/.config/anisette-v3/adi.pb and device.json. Those numbers together generate a validation code like OTP, which is then going through a whole bunch of Mixed Boolean Arithmetic to generate two anisette headers for the request. One of these is a machine serial that is quite static over time, the other one is the otp which changes a lot.
If you switch to https://github.com/Dadoum/pyprovision you will get the ADI data in the anisette folder.

@olivluca
Copy link
Contributor Author

olivluca commented Dec 5, 2023

Ah, thank you, I see those files inside the container, I thought they would be stored in the mounted volume (which is empty).

@olivluca
Copy link
Contributor Author

olivluca commented Dec 5, 2023

I'm trying (unsuccessfully but that will be another bug) to use provision and I see that if I install cryprodome with pip in a venv, the correct import is Crypto, while with the debian package is Cryptodome. For the time being, while I'm experimenting with provision but I want to use the, working, system python I did this:

diff --git a/pypush_gsa_icloud.py b/pypush_gsa_icloud.py
index d6d84e4..cd21b89 100644
--- a/pypush_gsa_icloud.py
+++ b/pypush_gsa_icloud.py
@@ -12,7 +12,10 @@ from datetime import datetime
 import srp._pysrp as srp
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from Crypto.Hash import SHA256
+try:
+  from Crypto.Hash import SHA256
+except:
+  from Cryptodome.Hash import SHA256
 
 # Created here so that it is consistent
 USER_ID = uuid.uuid4()

@biemster
Copy link
Owner

biemster commented Dec 5, 2023

the original pypush code uses pbkdf2.PBKDF2(p, salt, iterations, hashlib.sha256).read(32), then you just need to import hashlib and can leave out SHA256 from Crypto.Hash. For me that did not work for some reason, but maybe for you it will?

@olivluca
Copy link
Contributor Author

olivluca commented Dec 5, 2023

Nope, that doesn't work because hashlib.sha256 has no digest_size (only an instance created with it has the attribute).
I don't understand how the original code could possibly work.

@biemster
Copy link
Owner

biemster commented Dec 5, 2023

Yes that's my error too! 🤷

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants