Update SslAesTransport for legacy firmware versions

2025-08-06 10:44:04 +00:00 · 2024-12-10 14:05:30 +00:00
parent ed0481918c
commit 4a5bc20ee2
8 changed files with 248 additions and 34 deletions
--- a/kasa/transports/init.py
+++ b/kasa/transports/init.py
@@ -4,6 +4,7 @@ from .aestransport import AesEncyptionSession, AesTransport
 from .basetransport import BaseTransport
 from .klaptransport import KlapTransport, KlapTransportV2
 from .linkietransport import LinkieTransportV2
+from .sslaestransport import SslAesTransport
 from .ssltransport import SslTransport
 from .xortransport import XorEncryption, XorTransport

@@ -11,6 +12,7 @@ __all__ = [
    "AesTransport",
    "AesEncyptionSession",
    "SslTransport",
+    "SslAesTransport",
    "BaseTransport",
    "KlapTransport",
    "KlapTransportV2",
--- a/kasa/transports/sslaestransport.py
+++ b/kasa/transports/sslaestransport.py
@@ -48,6 +48,10 @@ def _sha256_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest().upper()  # noqa: S324


+def _sha1_hash(payload: bytes) -> str:
+    return hashlib.sha1(payload).hexdigest().upper()  # noqa: S324
+
+
 class TransportState(Enum):
    """Enum for AES state."""

@@ -107,11 +111,10 @@ class SslAesTransport(BaseTransport):
        self._app_url = URL(f"https://{self._host_port}")
        self._token_url: URL | None = None
        self._ssl_context: ssl.SSLContext | None = None
-        ref = str(self._token_url) if self._token_url else str(self._app_url)
        self._headers = {
            **self.COMMON_HEADERS,
-            "Host": self._host_port,
-            "Referer": ref,
+            "Host": self._host,
+            "Referer": f"https://{self._host}",
        }
        self._seq: int | None = None
        self._pwd_hash: str | None = None
@@ -125,6 +128,7 @@ class SslAesTransport(BaseTransport):
            self._password = ch["pwd"]
            self._username = ch["un"]
        self._local_nonce: str | None = None
+        self._send_secure = True

        _LOGGER.debug("Created AES transport for %s", self._host)

@@ -194,6 +198,10 @@ class SslAesTransport(BaseTransport):
        else:
            url = self._app_url

+        _LOGGER.debug(
+            "Sending secure passthrough from %s",
+            self._host,
+        )
        encrypted_payload = self._encryption_session.encrypt(request.encode())  # type: ignore
        passthrough_request = {
            "method": "securePassthrough",
@@ -254,6 +262,37 @@ class SslAesTransport(BaseTransport):
                ) from ex
        return ret_val  # type: ignore[return-value]

+    async def send_unencrypted(self, request: str) -> dict[str, Any]:
+        """Send encrypted message as passthrough."""
+        if self._state is TransportState.ESTABLISHED and self._token_url:
+            url = self._token_url
+        else:
+            url = self._app_url
+
+        _LOGGER.debug(
+            "Sending unencrypted from %s",
+            self._host,
+        )
+
+        status_code, resp_dict = await self._http_client.post(
+            url,
+            json=request,
+            headers=self._headers,
+            ssl=await self._get_ssl_context(),
+        )
+
+        if status_code != 200:
+            raise KasaException(
+                f"{self._host} responded with an unexpected "
+                + f"status code {status_code}"
+            )
+
+        self._handle_response_error_code(resp_dict, "Error sending message")
+
+        if TYPE_CHECKING:
+            resp_dict = cast(dict[str, Any], resp_dict)
+        return resp_dict
+
    @staticmethod
    def generate_confirm_hash(
        local_nonce: str, server_nonce: str, pwd_hash: str
@@ -302,8 +341,52 @@ class SslAesTransport(BaseTransport):

    async def perform_handshake(self) -> None:
        """Perform the handshake."""
-        local_nonce, server_nonce, pwd_hash = await self.perform_handshake1()
-        await self.perform_handshake2(local_nonce, server_nonce, pwd_hash)
+        result = await self.perform_handshake1()
+        if result:
+            local_nonce, server_nonce, pwd_hash = result
+            await self.perform_handshake2(local_nonce, server_nonce, pwd_hash)
+
+    async def try_perform_login(self) -> bool:
+        """Perform the md5 login."""
+        _LOGGER.debug("Performing insecure login ...")
+
+        pwd_hash = _md5_hash(self._pwd_to_hash().encode())
+        username = self._username
+        body = {
+            "method": "login",
+            "params": {
+                "hashed": True,
+                "password": pwd_hash,
+                "username": username,
+            },
+        }
+
+        http_client = self._http_client
+        status_code, resp_dict = await http_client.post(
+            self._app_url,
+            json=body,
+            headers=self._headers,
+            ssl=await self._get_ssl_context(),
+        )
+        if status_code != 200:
+            raise KasaException(
+                f"{self._host} responded with an unexpected "
+                + f"status code {status_code} to handshake2"
+            )
+        resp_dict = cast(dict, resp_dict)
+        if resp_dict.get("error_code") == 0 and (
+            stok := resp_dict.get("result", {}).get("stok")
+        ):
+            _LOGGER.debug(
+                "Succesfully logged in to %s with less secure passthrough", self._host
+            )
+            self._send_secure = False
+            self._token_url = URL(f"{str(self._app_url)}/stok={stok}/ds")
+            self._pwd_hash = pwd_hash
+            return True
+
+        _LOGGER.debug("Unable to log in to %s with less secure login", self._host)
+        return False

    async def perform_handshake2(
        self, local_nonce: str, server_nonce: str, pwd_hash: str
@@ -355,13 +438,42 @@ class SslAesTransport(BaseTransport):
        self._state = TransportState.ESTABLISHED
        _LOGGER.debug("Handshake2 complete ...")

-    async def perform_handshake1(self) -> tuple[str, str, str]:
+    def _pwd_to_hash(self) -> str:
+        """Return the password to hash."""
+        if self._credentials and self._credentials != Credentials():
+            return self._credentials.password
+
+        if self._username and self._password:
+            return self._password
+
+        return self._default_credentials.password
+
+    async def perform_handshake1(self) -> tuple[str, str, str] | None:
        """Perform the handshake1."""
        resp_dict = None
        if self._username:
            local_nonce = secrets.token_bytes(8).hex().upper()
            resp_dict = await self.try_send_handshake1(self._username, local_nonce)

+        if (
+            resp_dict
+            and (error_code := self._get_response_error(resp_dict))
+            is SmartErrorCode.SESSION_EXPIRED
+            and (
+                encrypt_type := resp_dict.get("result", {})
+                .get("data", {})
+                .get("encrypt_type")
+            )
+            and (encrypt_type != ["3"])
+        ):
+            _LOGGER.debug(
+                "Received encrypt_type %s for %s, trying less secure login",
+                encrypt_type,
+                self._host,
+            )
+            if await self.try_perform_login():
+                return None
+
        # Try the default username. If it fails raise the original error_code
        if (
            not resp_dict
@@ -369,6 +481,7 @@ class SslAesTransport(BaseTransport):
            is not SmartErrorCode.INVALID_NONCE
            or "nonce" not in resp_dict["result"].get("data", {})
        ):
+            _LOGGER.debug("Trying default credentials to %s", self._host)
            local_nonce = secrets.token_bytes(8).hex().upper()
            default_resp_dict = await self.try_send_handshake1(
                self._default_credentials.username, local_nonce
@@ -378,7 +491,7 @@ class SslAesTransport(BaseTransport):
            ) is SmartErrorCode.INVALID_NONCE and "nonce" in default_resp_dict[
                "result"
            ].get("data", {}):
-                _LOGGER.debug("Connected to {self._host} with default username")
+                _LOGGER.debug("Connected to %s with default username", self._host)
                self._username = self._default_credentials.username
                error_code = default_error_code
                resp_dict = default_resp_dict
@@ -397,12 +510,8 @@ class SslAesTransport(BaseTransport):

        server_nonce = resp_dict["result"]["data"]["nonce"]
        device_confirm = resp_dict["result"]["data"]["device_confirm"]
-        if self._credentials and self._credentials != Credentials():
-            pwd_hash = _sha256_hash(self._credentials.password.encode())
-        elif self._username and self._password:
-            pwd_hash = _sha256_hash(self._password.encode())
-        else:
-            pwd_hash = _sha256_hash(self._default_credentials.password.encode())
+
+        pwd_hash = _sha256_hash(self._pwd_to_hash().encode())

        expected_confirm_sha256 = self.generate_confirm_hash(
            local_nonce, server_nonce, pwd_hash
@@ -414,7 +523,9 @@ class SslAesTransport(BaseTransport):
        if TYPE_CHECKING:
            assert self._credentials
            assert self._credentials.password
-        pwd_hash = _md5_hash(self._credentials.password.encode())
+
+        pwd_hash = _md5_hash(self._pwd_to_hash().encode())
+
        expected_confirm_md5 = self.generate_confirm_hash(
            local_nonce, server_nonce, pwd_hash
        )
@@ -422,8 +533,17 @@ class SslAesTransport(BaseTransport):
            _LOGGER.debug("Credentials match")
            return local_nonce, server_nonce, pwd_hash

+        for val in {"admin", "tpadmin", "slprealtek"}:
+            for func in {_sha256_hash, _md5_hash, _sha1_hash, lambda x: x.decode()}:
+                pwd_hash = func(val.encode())
+                ec = self.generate_confirm_hash(local_nonce, server_nonce, pwd_hash)
+                if device_confirm == ec:
+                    _LOGGER.debug("Credentials match with %s %s", val, func.__name__)
+                    return local_nonce, server_nonce, pwd_hash
+
        msg = f"Server response doesn't match our challenge on ip {self._host}"
        _LOGGER.debug(msg)
+
        raise AuthenticationError(msg)

    async def try_send_handshake1(self, username: str, local_nonce: str) -> dict:
@@ -462,7 +582,10 @@ class SslAesTransport(BaseTransport):
        if self._state is TransportState.HANDSHAKE_REQUIRED:
            await self.perform_handshake()

-        return await self.send_secure_passthrough(request)
+        if self._send_secure:
+            return await self.send_secure_passthrough(request)
+
+        return await self.send_unencrypted(request)

    async def close(self) -> None:
        """Close the http client and reset internal state."""