fognode 0.1.0__py3-none-any.whl

fognode/__init__.py

@@ -0,0 +1,120 @@
+from __future__ import annotations
+
+from fognode import ciphers, decorators, exceptions, filters, types
+from fognode.app import App, Context, Message, Router
+from fognode.core.client import client_connect
+from fognode.core.server import start_server
+from fognode.core.state import ChatState
+from fognode.crypto.channel import SecureChannel
+from fognode.types import (
+    AESGCM_NONCE_LENGTH,
+    CERT_VALIDITY_DAYS,
+    CHAT_HISTORY_LIMIT,
+    CHAT_MAX_TEXT_LENGTH,
+    DEFAULT_HOST,
+    DEFAULT_PORT,
+    MAX_MESSAGE_SIZE,
+    NONCE_LENGTH,
+    PBKDF2_ITERATIONS,
+    RATE_LIMIT_MAX_ATTEMPTS,
+    RATE_LIMIT_WINDOW,
+    REPLAY_WINDOW,
+    RSA_KEY_SIZE,
+    SALT_LENGTH,
+    TOKEN_LENGTH,
+    AuthError,
+    AuthResult,
+    ByeMsg,
+    Bytes32,
+    CertError,
+    ChallengeMsg,
+    ChatMsg,
+    ChatMsgDict,
+    Cipher,
+    CmdMsg,
+    CodeName,
+    ConnectionInfo,
+    ConnectString,
+    Fingerprint,
+    FrameError,
+    HandshakeError,
+    HistoryMsg,
+    InfoMsg,
+    IPAddress,
+    MessageHandler,
+    OnConnect,
+    OnDisconnect,
+    OnMessage,
+    PongMsg,
+    Port,
+    ResponseMsg,
+    SecurityError,
+    ServerInfo,
+    User,
+    UsersMsg,
+    WelcomeMsg,
+    WireError,
+)
+
+__all__ = [
+    "AESGCM_NONCE_LENGTH",
+    "App",
+    "AuthError",
+    "AuthResult",
+    "Bytes32",
+    "ByeMsg",
+    "CERT_VALIDITY_DAYS",
+    "CHAT_HISTORY_LIMIT",
+    "CHAT_MAX_TEXT_LENGTH",
+    "CertError",
+    "ChallengeMsg",
+    "ChatMsg",
+    "ChatMsgDict",
+    "ChatState",
+    "Cipher",
+    "CmdMsg",
+    "CodeName",
+    "ConnectString",
+    "ConnectionInfo",
+    "Context",
+    "DEFAULT_HOST",
+    "DEFAULT_PORT",
+    "Fingerprint",
+    "FrameError",
+    "HandshakeError",
+    "HistoryMsg",
+    "InfoMsg",
+    "IPAddress",
+    "MAX_MESSAGE_SIZE",
+    "Message",
+    "MessageHandler",
+    "NONCE_LENGTH",
+    "OnConnect",
+    "OnDisconnect",
+    "OnMessage",
+    "PBKDF2_ITERATIONS",
+    "PongMsg",
+    "Port",
+    "RATE_LIMIT_MAX_ATTEMPTS",
+    "RATE_LIMIT_WINDOW",
+    "REPLAY_WINDOW",
+    "RSA_KEY_SIZE",
+    "ResponseMsg",
+    "Router",
+    "SALT_LENGTH",
+    "SecureChannel",
+    "SecurityError",
+    "ServerInfo",
+    "TOKEN_LENGTH",
+    "User",
+    "UsersMsg",
+    "WelcomeMsg",
+    "WireError",
+    "ciphers",
+    "client_connect",
+    "decorators",
+    "exceptions",
+    "filters",
+    "start_server",
+    "types",
+]

fognode/__main__.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from fognode.cli.entrypoint import main
+
+main()

fognode/app.py

@@ -0,0 +1,270 @@
+from __future__ import annotations
+
+import asyncio
+import threading
+from dataclasses import dataclass
+from typing import TYPE_CHECKING, Any, Callable
+
+from fognode.core.client import client_connect
+from fognode.core.server import _state, start_server
+from fognode.crypto.channel import SecureChannel
+from fognode.filters import Command
+from fognode.handlers import HandlerObject
+from fognode.types.constants import DEFAULT_HOST, DEFAULT_PORT, Cipher
+from fognode.types.protocol import ChatMsg
+
+if TYPE_CHECKING:
+    from fognode.app import App
+
+
+@dataclass(slots=True, frozen=True)
+class Message:
+    type: str
+    user: str
+    text: str
+    ts: float
+    raw: dict[str, Any]
+
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> Message:
+        return cls(
+            type=data.get("type", ""),
+            user=data.get("user", ""),
+            text=data.get("text", ""),
+            ts=data.get("ts", 0.0),
+            raw=data,
+        )
+
+
+@dataclass(slots=True)
+class Context:
+    app: App
+    channel: SecureChannel | None
+    user: str
+    message: Message | None = None
+
+    async def answer(self, text: str) -> None:
+        if self.channel is None:
+            raise RuntimeError("no channel available")
+        self.channel.send({"type": "chat", "text": text})
+
+    async def send(self, data: dict[str, Any]) -> None:
+        if self.channel is None:
+            raise RuntimeError("no channel available")
+        self.channel.send(data)
+
+    async def reply(self, data: dict[str, Any]) -> None:
+        if self.channel is None:
+            raise RuntimeError("no channel available")
+        self.channel.send(data)
+
+
+class Router:
+    def __init__(self) -> None:
+        self._handlers: dict[str, list[HandlerObject]] = {
+            "connect": [],
+            "disconnect": [],
+            "message": [],
+        }
+
+    def on_connect(self) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["connect"].append(HandlerObject(callback))
+            return callback
+
+        return decorator
+
+    def on_disconnect(self) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["disconnect"].append(HandlerObject(callback))
+            return callback
+
+        return decorator
+
+    def on_message(self, *filters: Any) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["message"].append(HandlerObject(callback, list(filters)))
+            return callback
+
+        return decorator
+
+    def on_command(self, commands: str | list[str]) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["message"].append(HandlerObject(callback, [Command(commands)]))
+            return callback
+
+        return decorator
+
+    def include(self, app: App) -> None:
+        for event, handlers in self._handlers.items():
+            app._handlers[event].extend(handlers)
+
+
+class App:
+    def __init__(
+        self,
+        host: str = DEFAULT_HOST,
+        port: int = DEFAULT_PORT,
+        user: str | None = None,
+        password: str | None = None,
+        cipher: Cipher = Cipher.AESGCM,
+        mode: str = "server",
+        connect_string: str | None = None,
+    ) -> None:
+        self.host = host
+        self.port = port
+        self.user = user
+        self.password = password
+        self.cipher = cipher
+        self.mode = mode
+        self.connect_string = connect_string
+        self._handlers: dict[str, list[HandlerObject]] = {
+            "connect": [],
+            "disconnect": [],
+            "message": [],
+        }
+        self._loop: asyncio.AbstractEventLoop | None = None
+        self._channel: SecureChannel | None = None
+
+    @classmethod
+    def client(
+        cls,
+        connect_string: str,
+        password: str,
+        cipher: Cipher = Cipher.AESGCM,
+    ) -> App:
+        return cls(
+            mode="client",
+            connect_string=connect_string,
+            password=password,
+            cipher=cipher,
+        )
+
+    def on_connect(self) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["connect"].append(HandlerObject(callback))
+            return callback
+
+        return decorator
+
+    def on_disconnect(self) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["disconnect"].append(HandlerObject(callback))
+            return callback
+
+        return decorator
+
+    def on_message(self, *filters: Any) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["message"].append(HandlerObject(callback, list(filters)))
+            return callback
+
+        return decorator
+
+    def on_command(self, commands: str | list[str]) -> Callable[..., Any]:
+        def decorator(callback: Callable[..., Any]) -> Callable[..., Any]:
+            self._handlers["message"].append(HandlerObject(callback, [Command(commands)]))
+            return callback
+
+        return decorator
+
+    def include_router(self, router: Router) -> None:
+        router.include(self)
+
+    def run(self) -> None:
+        self._loop = asyncio.new_event_loop()
+        asyncio.set_event_loop(self._loop)
+        if self.mode == "server":
+            self._setup_server()
+        else:
+            self._setup_client()
+        try:
+            self._loop.run_forever()
+        except KeyboardInterrupt:
+            pass
+        finally:
+            self._loop.close()
+
+    def _setup_server(self) -> None:
+        if not self.user or not self.password:
+            raise ValueError("user and password required for server mode")
+
+        def _on_connect(user: str) -> None:
+            if self._loop is not None:
+                self._loop.call_soon_threadsafe(self._process_connect, user)
+
+        def _on_disconnect(user: str) -> None:
+            if self._loop is not None:
+                self._loop.call_soon_threadsafe(self._process_disconnect, user)
+
+        def _on_msg(msg: ChatMsg) -> None:
+            if self._loop is not None:
+                self._loop.call_soon_threadsafe(self._process_chat, msg)
+
+        start_server(
+            self.host,
+            self.port,
+            self.user,
+            self.password,
+            on_connect=_on_connect,
+            on_disconnect=_on_disconnect,
+        )
+        _state.on_message(_on_msg)
+
+    def _setup_client(self) -> None:
+        if not self.connect_string or not self.password:
+            raise ValueError("connect_string and password required for client mode")
+
+        ch, _fp = client_connect(self.connect_string, self.password)
+        self._channel = ch
+
+        welcome = ch.recv()
+        if welcome.get("type") == "welcome":
+            for m in welcome.get("history", []):
+                self._process_raw_msg(ch, m)
+
+        def _recv() -> None:
+            while True:
+                try:
+                    msg = ch.recv()
+                    if self._loop is not None:
+                        self._loop.call_soon_threadsafe(self._process_raw_msg, ch, msg)
+                except Exception:
+                    break
+
+        threading.Thread(target=_recv, daemon=True).start()
+
+    def _process_connect(self, user: str) -> None:
+        ch = _state.get_channel(user)
+        ctx = Context(self, ch, user)
+        for handler in self._handlers["connect"]:
+            asyncio.create_task(handler.call(ctx))
+
+    def _process_disconnect(self, user: str) -> None:
+        ch = _state.get_channel(user)
+        ctx = Context(self, ch, user)
+        for handler in self._handlers["disconnect"]:
+            asyncio.create_task(handler.call(ctx))
+
+    def _process_chat(self, m: ChatMsg) -> None:
+        ch = _state.get_channel(m.user)
+        if ch is None:
+            return
+        msg = Message.from_dict(m.as_dict())
+        ctx = Context(self, ch, m.user, msg)
+        for handler in self._handlers["message"]:
+            asyncio.create_task(self._run_handler(handler, msg.raw, ctx))
+
+    def _process_raw_msg(self, ch: SecureChannel, msg: dict[str, Any]) -> None:
+        mtype = msg.get("type", "")
+        if mtype == "chat":
+            message = Message.from_dict(msg)
+            ctx = Context(self, ch, msg.get("user", ""), message)
+            for handler in self._handlers["message"]:
+                asyncio.create_task(self._run_handler(handler, msg, ctx))
+
+    async def _run_handler(
+        self, handler: HandlerObject, data: dict[str, Any], ctx: Context
+    ) -> None:
+        if await handler.check(data):
+            await handler.call(ctx)

fognode/auth/__init__.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from fognode.auth.handshake import client_handshake, server_handshake
+
+__all__ = ["client_handshake", "server_handshake"]

fognode/auth/handshake.py

@@ -0,0 +1,107 @@
+from __future__ import annotations
+
+import base64
+import os
+import ssl
+
+from fognode.crypto.cert import cert_fingerprint, cert_paths
+from fognode.crypto.channel import SecureChannel
+from fognode.crypto.kx import x25519_keypair, x25519_shared
+from fognode.crypto.password import load_password_key
+from fognode.crypto.primitives import hkdf_expand, hmac256, hmac256_verify, pbkdf2
+from fognode.types.constants import NONCE_LENGTH, TOKEN_LENGTH
+from fognode.types.exceptions import AuthError, SecurityError
+from fognode.types.protocol import IPAddress, User
+from fognode.utils.ratelimit import RateLimiter
+from fognode.wire.framing import wire_recv, wire_send
+
+_rl = RateLimiter()
+
+
+def server_handshake(
+    tls: ssl.SSLSocket, client_ip: IPAddress, expected_user: User
+) -> SecureChannel:
+    salt, stored_key = load_password_key()
+    server_fp = cert_fingerprint(cert_paths()[0])
+    nonce = os.urandom(NONCE_LENGTH)
+    sv_pub, sv_priv = x25519_keypair()
+
+    wire_send(
+        tls,
+        {
+            "type": "challenge",
+            "nonce": nonce.hex(),
+            "salt": salt.hex(),
+            "fp": server_fp,
+            "ecdh_pub": base64.b64encode(sv_pub).decode(),
+            "ver": "1",
+        },
+    )
+
+    resp = wire_recv(tls)
+    client_user = resp.get("user", "")
+    hmac_resp = bytes.fromhex(resp.get("hmac_resp", ""))
+    client_fp = resp.get("cert_fp", "")
+    cl_pub = base64.b64decode(resp.get("ecdh_pub", ""))
+
+    if client_fp.upper() != server_fp.upper():
+        wire_send(tls, {"ok": False, "error": "fp_mismatch"})
+        raise AuthError("fp mismatch")
+
+    if client_user.encode() != expected_user.encode():
+        wire_send(tls, {"ok": False, "error": "bad_user"})
+        raise AuthError("bad user")
+
+    if not hmac256_verify(nonce, stored_key, hmac_resp):
+        wire_send(tls, {"ok": False, "error": "bad_password"})
+        raise AuthError("bad password")
+
+    session_token = os.urandom(TOKEN_LENGTH)
+    shared = x25519_shared(sv_priv, cl_pub)
+    key_material = hkdf_expand(shared, session_token, b"fognode_v1_channel_keys", length=64)
+    enc_key, mac_key = key_material[:32], key_material[32:]
+
+    wire_send(tls, {"ok": True, "token": session_token.hex()})
+    _rl.ok(client_ip)
+    return SecureChannel(tls, enc_key, mac_key)
+
+
+def client_handshake(
+    tls: ssl.SSLSocket, username: User, password: str, measured_fp: str
+) -> SecureChannel:
+    chal = wire_recv(tls)
+    if chal.get("type") != "challenge":
+        raise ConnectionError("expected challenge")
+
+    nonce = bytes.fromhex(chal["nonce"])
+    salt = bytes.fromhex(chal["salt"])
+    server_fp = chal.get("fp", "")
+    sv_pub = base64.b64decode(chal.get("ecdh_pub", ""))
+
+    if measured_fp.upper() != server_fp.upper():
+        raise SecurityError("fingerprint mismatch")
+
+    key = pbkdf2(password, salt)
+    hmac_resp = hmac256(nonce, key)
+    cl_pub, cl_priv = x25519_keypair()
+
+    wire_send(
+        tls,
+        {
+            "user": username,
+            "hmac_resp": hmac_resp.hex(),
+            "cert_fp": measured_fp,
+            "ecdh_pub": base64.b64encode(cl_pub).decode(),
+        },
+    )
+
+    result = wire_recv(tls)
+    if not result.get("ok"):
+        raise AuthError(f"auth rejected: {result.get('error')}")
+
+    session_token = bytes.fromhex(result["token"])
+    shared = x25519_shared(cl_priv, sv_pub)
+    key_material = hkdf_expand(shared, session_token, b"fognode_v1_channel_keys", length=64)
+    enc_key, mac_key = key_material[:32], key_material[32:]
+
+    return SecureChannel(tls, enc_key, mac_key)

fognode/ciphers/__init__.py

@@ -0,0 +1,57 @@
+from __future__ import annotations
+
+from fognode.ciphers.aesgcm import aes_decrypt, aes_encrypt
+from fognode.ciphers.blake2 import blake2b, blake2s
+from fognode.ciphers.blowfish import blowfish_decrypt, blowfish_encrypt
+from fognode.ciphers.chacha20 import chacha_decrypt, chacha_encrypt
+from fognode.ciphers.ed25519 import ed25519_generate_key, ed25519_sign, ed25519_verify
+from fognode.ciphers.fernet import fernet_decrypt, fernet_encrypt, fernet_generate_key
+from fognode.ciphers.hkdf import hkdf_expand
+from fognode.ciphers.hmac import hmac256, hmac256_verify
+from fognode.ciphers.pbkdf2 import pbkdf2
+from fognode.ciphers.rsa import (
+    rsa_decrypt,
+    rsa_encrypt,
+    rsa_generate_key,
+    rsa_serialize_private,
+    rsa_serialize_public,
+    rsa_sign,
+    rsa_verify,
+)
+from fognode.ciphers.scrypt import scrypt_kdf
+from fognode.ciphers.sha3 import sha3_256, sha3_512, sha512
+from fognode.ciphers.x25519 import x25519_keypair, x25519_shared
+
+__all__ = [
+    "aes_decrypt",
+    "aes_encrypt",
+    "blake2b",
+    "blake2s",
+    "blowfish_decrypt",
+    "blowfish_encrypt",
+    "chacha_decrypt",
+    "chacha_encrypt",
+    "ed25519_generate_key",
+    "ed25519_sign",
+    "ed25519_verify",
+    "fernet_decrypt",
+    "fernet_encrypt",
+    "fernet_generate_key",
+    "hkdf_expand",
+    "hmac256",
+    "hmac256_verify",
+    "pbkdf2",
+    "rsa_decrypt",
+    "rsa_encrypt",
+    "rsa_generate_key",
+    "rsa_sign",
+    "rsa_serialize_private",
+    "rsa_serialize_public",
+    "rsa_verify",
+    "scrypt_kdf",
+    "sha3_256",
+    "sha3_512",
+    "sha512",
+    "x25519_keypair",
+    "x25519_shared",
+]

fognode/ciphers/aesgcm.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+from fognode.crypto.primitives import aes_decrypt, aes_encrypt
+
+__all__ = ["aes_decrypt", "aes_encrypt"]

fognode/ciphers/blake2.py

@@ -0,0 +1,14 @@
+from __future__ import annotations
+
+import hashlib
+
+
+def blake2b(data: bytes, key: bytes = b"") -> bytes:
+    return hashlib.blake2b(data, key=key).digest()
+
+
+def blake2s(data: bytes, key: bytes = b"") -> bytes:
+    return hashlib.blake2s(data, key=key).digest()
+
+
+__all__ = ["blake2b", "blake2s"]

fognode/ciphers/blowfish.py

@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+import os
+
+from cryptography.hazmat.primitives.ciphers import Cipher as _Cipher
+from cryptography.hazmat.primitives.ciphers import algorithms, modes
+
+from fognode.types.exceptions import SecurityError
+
+
+def blowfish_encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
+    iv = os.urandom(8)
+    cipher = _Cipher(algorithms.Blowfish(key), modes.CBC(iv))
+    encryptor = cipher.encryptor()
+    pad_len = 8 - (len(plaintext) % 8)
+    padded = plaintext + bytes([pad_len] * pad_len)
+    ct = encryptor.update(padded) + encryptor.finalize()
+    return iv, ct
+
+
+def blowfish_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
+    try:
+        cipher = _Cipher(algorithms.Blowfish(key), modes.CBC(iv))
+        decryptor = cipher.decryptor()
+        padded = decryptor.update(ciphertext) + decryptor.finalize()
+        pad_len = padded[-1]
+        return padded[:-pad_len]
+    except Exception:
+        raise SecurityError("blowfish decrypt failed") from None
+
+
+__all__ = ["blowfish_decrypt", "blowfish_encrypt"]

fognode/ciphers/chacha20.py

@@ -0,0 +1,23 @@
+from __future__ import annotations
+
+import os
+
+from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
+
+from fognode.types.exceptions import SecurityError
+
+
+def chacha_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> tuple[bytes, bytes]:
+    nonce = os.urandom(12)
+    ct = ChaCha20Poly1305(key).encrypt(nonce, plaintext, aad)
+    return nonce, ct
+
+
+def chacha_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, aad: bytes) -> bytes:
+    try:
+        return ChaCha20Poly1305(key).decrypt(nonce, ciphertext, aad)
+    except Exception:
+        raise SecurityError("ChaCha20-Poly1305 tag invalid") from None
+
+
+__all__ = ["chacha_decrypt", "chacha_encrypt"]

fognode/ciphers/ed25519.py

@@ -0,0 +1,23 @@
+from __future__ import annotations
+
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
+
+
+def ed25519_generate_key() -> tuple[Ed25519PrivateKey, Ed25519PublicKey]:
+    private_key = Ed25519PrivateKey.generate()
+    return private_key, private_key.public_key()
+
+
+def ed25519_sign(private_key: Ed25519PrivateKey, data: bytes) -> bytes:
+    return private_key.sign(data)
+
+
+def ed25519_verify(public_key: Ed25519PublicKey, data: bytes, signature: bytes) -> bool:
+    try:
+        public_key.verify(signature, data)
+        return True
+    except Exception:
+        return False
+
+
+__all__ = ["ed25519_generate_key", "ed25519_sign", "ed25519_verify"]

fognode/ciphers/fernet.py

@@ -0,0 +1,23 @@
+from __future__ import annotations
+
+from cryptography.fernet import Fernet, InvalidToken
+
+from fognode.types.exceptions import SecurityError
+
+
+def fernet_generate_key() -> bytes:
+    return Fernet.generate_key()
+
+
+def fernet_encrypt(key: bytes, plaintext: bytes) -> bytes:
+    return Fernet(key).encrypt(plaintext)
+
+
+def fernet_decrypt(key: bytes, ciphertext: bytes) -> bytes:
+    try:
+        return Fernet(key).decrypt(ciphertext)
+    except InvalidToken:
+        raise SecurityError("fernet token invalid") from None
+
+
+__all__ = ["fernet_decrypt", "fernet_encrypt", "fernet_generate_key"]