jmg
/
ntunnel
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 1 Wiki Activity
An stunnel like program that utilizes the Noise protocol.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
2 Branches
396 KiB
 
 
Tree: b0754aee2a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b0754aee2a'
${ noResults }
ntunnel/twistednoise.py

255 lines
8.1 KiB
Raw Blame History 

  1. from twisted.trial import unittest

  2. from twisted.test import proto_helpers

  3. from noise.connection import NoiseConnection, Keypair

  4. from twisted.internet.protocol import Factory

  5. from twisted.internet import endpoints, reactor, defer, task

  6. # XXX - shouldn't need to access the underlying primitives, but that's what

  7. # noiseprotocol module requires.

  8. from cryptography.hazmat.primitives.asymmetric import x448

  9. from cryptography.hazmat.primitives import serialization

  10. 

  11. import mock

  12. import os.path

  13. import shutil

  14. import tempfile

  15. import twisted.internet.protocol

  16. 

  17. __author__ = 'John-Mark Gurney'

  18. __copyright__ = 'Copyright 2019 John-Mark Gurney.  All rights reserved.'

  19. __license__ = '2-clause BSD license'

  20. 

  21. # Copyright 2019 John-Mark Gurney.

  22. # All rights reserved.

  23. #

  24. # Redistribution and use in source and binary forms, with or without

  25. # modification, are permitted provided that the following conditions

  26. # are met:

  27. # 1. Redistributions of source code must retain the above copyright

  28. #    notice, this list of conditions and the following disclaimer.

  29. # 2. Redistributions in binary form must reproduce the above copyright

  30. #    notice, this list of conditions and the following disclaimer in the

  31. #    documentation and/or other materials provided with the distribution.

  32. #

  33. # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

  34. # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  35. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  36. # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  37. # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  38. # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  39. # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  40. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  41. # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  42. # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  43. # SUCH DAMAGE.

  44. 

  45. # Notes:

  46. # Using XK, so that the connecting party's identity is hidden and that the

  47. # server's party's key is known.

  48. 

  49. def genkeypair():

  50. 	'''Generates a keypair, and returns a tuple of (public, private).

  51. 	They are encoded as raw bytes, and sutible for use w/ Noise.'''

  52. 

  53. 	key = x448.X448PrivateKey.generate()

  54. 

  55. 	enc = serialization.Encoding.Raw

  56. 	pubformat = serialization.PublicFormat.Raw

  57. 	privformat = serialization.PrivateFormat.Raw

  58. 	encalgo = serialization.NoEncryption()

  59. 

  60. 	pub = key.public_key().public_bytes(encoding=enc, format=pubformat)

  61. 	priv = key.private_bytes(encoding=enc, format=privformat, encryption_algorithm=encalgo)

  62. 

  63. 	return pub, priv

  64. 

  65. class TwistedNoiseServerProtocol(twisted.internet.protocol.Protocol):

  66. 	'''This class acts as a Noise Protocol responder.  The factory that

  67. 	creates this Protocol is required to have the properties server_key

  68. 	and endpoint.

  69. 

  70. 	The server_key propery is the key for the server that the clients are

  71. 	required to have (due to Noise XK protocol used) to authenticate the

  72. 	server.

  73. 

  74. 	The endpoint property contains the endpoint as a string that will be

  75. 	used w/ clientFromString, see https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#clientFromString

  76. 	and https://twistedmatrix.com/documents/current/core/howto/endpoints.html#clients

  77. 	for information on how to use this property.'''

  78. 

  79. 	def connectionMade(self):

  80. 		# Initialize Noise

  81. 		noise = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  82. 		self.noise = noise

  83. 		noise.set_as_responder()

  84. 		noise.set_keypair_from_private_bytes(Keypair.STATIC, self.factory.server_key)

  85. 

  86. 		# Start Handshake

  87. 		noise.start_handshake()

  88. 

  89. 	def encData(self, data):

  90. 		self.transport.write(self.noise.encrypt(data))

  91. 

  92. 	def dataReceived(self, data):

  93. 		if not self.noise.handshake_finished:

  94. 			self.noise.read_message(data)

  95. 			if not self.noise.handshake_finished:

  96. 				self.transport.write(self.noise.write_message())

  97. 			if self.noise.handshake_finished:

  98. 				self.transport.pauseProducing()

  99. 

  100. 				# start the connection to the endpoint

  101. 				ep = endpoints.clientFromString(reactor, self.factory.endpoint)

  102. 				epdef = ep.connect(ClientProxyFactory(self))

  103. 				epdef.addCallback(self.proxyConnected)

  104. 		else:

  105. 			r = self.noise.decrypt(data)

  106. 

  107. 			self.endpoint.transport.write(r)

  108. 

  109. 	def proxyConnected(self, endpoint):

  110. 		self.endpoint = endpoint

  111. 		self.transport.resumeProducing()

  112. 

  113. class ClientProxyProtocol(twisted.internet.protocol.Protocol):

  114. 	def dataReceived(self, data):

  115. 		self.factory.noiseproto.encData(data)

  116. 

  117. class ClientProxyFactory(Factory):

  118. 	protocol = ClientProxyProtocol

  119. 

  120. 	def __init__(self, noiseproto):

  121. 		self.noiseproto = noiseproto

  122. 

  123. class TwistedNoiseServerFactory(Factory):

  124. 	protocol = TwistedNoiseServerProtocol

  125. 

  126. 	def __init__(self, server_key, endpoint):

  127. 		self.server_key = server_key

  128. 		self.endpoint = endpoint

  129. 

  130. class TNServerTest(unittest.TestCase):

  131. 	@defer.inlineCallbacks

  132. 	def setUp(self):

  133. 		d = os.path.realpath(tempfile.mkdtemp())

  134. 		self.basetempdir = d

  135. 		self.tempdir = os.path.join(d, 'subdir')

  136. 		os.mkdir(self.tempdir)

  137. 

  138. 		self.server_key_pair = genkeypair()

  139. 		self.protos = []

  140. 		self.connectionmade = defer.Deferred()

  141. 

  142. 		class AccProtFactory(Factory):

  143. 			protocol = proto_helpers.AccumulatingProtocol

  144. 

  145. 			def __init__(self, tc):

  146. 				self.__tc = tc

  147. 				Factory.__init__(self)

  148. 

  149. 			protocolConnectionMade = self.connectionmade

  150. 

  151. 			def buildProtocol(self, addr):

  152. 				r = Factory.buildProtocol(self, addr)

  153. 				self.__tc.protos.append(r)

  154. 				return r

  155. 

  156. 		sockpath = os.path.join(self.tempdir, 'clientsock')

  157. 		ep = endpoints.UNIXServerEndpoint(reactor, sockpath)

  158. 		lpobj = yield ep.listen(AccProtFactory(self))

  159. 

  160. 		self.testserv = ep

  161. 		self.listenportobj = lpobj

  162. 		self.endpoint = 'unix:path=%s' % sockpath

  163. 

  164. 		factory = TwistedNoiseServerFactory(server_key=self.server_key_pair[1], endpoint=self.endpoint)

  165. 		self.proto = factory.buildProtocol(None)

  166. 		self.tr = proto_helpers.StringTransport()

  167. 		self.proto.makeConnection(self.tr)

  168. 

  169. 		self.client_key_pair = genkeypair()

  170. 

  171. 	def tearDown(self):

  172. 		self.listenportobj.stopListening()

  173. 

  174. 		shutil.rmtree(self.basetempdir)

  175. 		self.tempdir = None

  176. 

  177. 	@defer.inlineCallbacks

  178. 	def test_testprotocol(self):

  179. 		#

  180. 		# How this test is plumbed:

  181. 		#

  182. 		#  proto (NoiseConnection) -> self.tr (StringTransport) ->

  183. 		#    self.proto (TwistedNoiseServerProtocol) ->

  184. 		#    self.proto.endpoint (ClientProxyProtocol) -> unix sock ->

  185. 		#    self.protos[0] (AccumulatingProtocol)

  186. 		#

  187. 		# Create client

  188. 		proto = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  189. 		proto.set_as_initiator()

  190. 

  191. 		# Setup required keys

  192. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  193. 		proto.set_keypair_from_public_bytes(Keypair.REMOTE_STATIC, self.server_key_pair[0])

  194. 

  195. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  196. 		proto.start_handshake()

  197. 

  198. 		# Send first message

  199. 		message = proto.write_message()

  200. 		self.proto.dataReceived(message)

  201. 

  202. 		# Get response

  203. 		resp = self.tr.value()

  204. 		self.tr.clear()

  205. 

  206. 		# And process it

  207. 		proto.read_message(resp)

  208. 

  209. 		# Send second message

  210. 		message = proto.write_message()

  211. 		self.proto.dataReceived(message)

  212. 

  213. 		# assert handshake finished

  214. 		self.assertTrue(proto.handshake_finished)

  215. 

  216. 		# Make sure incoming data is paused till we establish client

  217. 		# connection, otherwise no place to write the data

  218. 		self.assertEqual(self.tr.producerState, 'paused')

  219. 

  220. 		# Wait for the connection to be made

  221. 		d = yield self.connectionmade

  222. 

  223. 		d = yield task.deferLater(reactor, .1, bool, 1)

  224. 

  225. 		# How to make this ready?

  226. 		self.assertEqual(self.tr.producerState, 'producing')

  227. 

  228. 		# Encrypt the message

  229. 		ptmsg = b'this is a test message'

  230. 		encmsg = proto.encrypt(ptmsg)

  231. 

  232. 		# Feed it into the protocol

  233. 		self.proto.dataReceived(encmsg)

  234. 

  235. 		# wait to pass it through

  236. 		d = yield task.deferLater(reactor, .1, bool, 1)

  237. 

  238. 		# fetch remote end out

  239. 		clientend = self.protos[0]

  240. 		self.assertEqual(clientend.data, ptmsg)

  241. 

  242. 		# send a message the other direction

  243. 		rptmsg = b'this is a different test message going the other way'

  244. 		clientend.transport.write(rptmsg)

  245. 

  246. 		# wait to pass it through

  247. 		d = yield task.deferLater(reactor, .1, bool, 1)

  248. 

  249. 		# receive it and decrypt it

  250. 		resp = self.tr.value()

  251. 		self.assertEqual(proto.decrypt(resp), rptmsg)

  252. 

  253. 		# clean up connection

  254. 		clientend.transport.loseConnection()