jmg
/
ntunnel
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 1 Wiki Activity
An stunnel like program that utilizes the Noise protocol.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
2 Branches
396 KiB
 
 
Tree: bd6eccc344
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bd6eccc344'
${ noResults }
ntunnel/twistednoise.py

269 lines
8.7 KiB
Raw Blame History 

  1. from twisted.trial import unittest

  2. from twisted.test import proto_helpers

  3. from noise.connection import NoiseConnection, Keypair

  4. from twisted.internet.protocol import Factory

  5. from twisted.internet import endpoints, reactor, defer, task

  6. # XXX - shouldn't need to access the underlying primitives, but that's what

  7. # noiseprotocol module requires.

  8. from cryptography.hazmat.primitives.asymmetric import x448

  9. from cryptography.hazmat.primitives import serialization

  10. 

  11. import mock

  12. import os.path

  13. import shutil

  14. import tempfile

  15. import twisted.internet.protocol

  16. 

  17. __author__ = 'John-Mark Gurney'

  18. __copyright__ = 'Copyright 2019 John-Mark Gurney.  All rights reserved.'

  19. __license__ = '2-clause BSD license'

  20. 

  21. # Copyright 2019 John-Mark Gurney.

  22. # All rights reserved.

  23. #

  24. # Redistribution and use in source and binary forms, with or without

  25. # modification, are permitted provided that the following conditions

  26. # are met:

  27. # 1. Redistributions of source code must retain the above copyright

  28. #    notice, this list of conditions and the following disclaimer.

  29. # 2. Redistributions in binary form must reproduce the above copyright

  30. #    notice, this list of conditions and the following disclaimer in the

  31. #    documentation and/or other materials provided with the distribution.

  32. #

  33. # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

  34. # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  35. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  36. # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  37. # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  38. # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  39. # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  40. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  41. # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  42. # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  43. # SUCH DAMAGE.

  44. 

  45. # Notes:

  46. # Using XK, so that the connecting party's identity is hidden and that the

  47. # server's party's key is known.

  48. #

  49. # Noise packets are 16 bytes + length of data

  50. #

  51. # Proposed method to hide message lengths:

  52. # Immediately after handshake completes, each side generates and sends

  53. # an n byte key that will be used for encrypting (algo tbd) their own

  54. # byte counts.  The length field will be encrypted via

  55. # E(pktnum, key) XOR 2 byte length.

  56. #

  57. # Note that authenticating the message length is NOT needed.  This is

  58. # because the noise message blocks themselves are authenticated.  The

  59. # worse that could happen is that a larger read (64k) is done, and then

  60. # the connection aborts because of decryption failure.

  61. #

  62. 

  63. def genkeypair():

  64. 	'''Generates a keypair, and returns a tuple of (public, private).

  65. 	They are encoded as raw bytes, and sutible for use w/ Noise.'''

  66. 

  67. 	key = x448.X448PrivateKey.generate()

  68. 

  69. 	enc = serialization.Encoding.Raw

  70. 	pubformat = serialization.PublicFormat.Raw

  71. 	privformat = serialization.PrivateFormat.Raw

  72. 	encalgo = serialization.NoEncryption()

  73. 

  74. 	pub = key.public_key().public_bytes(encoding=enc, format=pubformat)

  75. 	priv = key.private_bytes(encoding=enc, format=privformat, encryption_algorithm=encalgo)

  76. 

  77. 	return pub, priv

  78. 

  79. class TwistedNoiseServerProtocol(twisted.internet.protocol.Protocol):

  80. 	'''This class acts as a Noise Protocol responder.  The factory that

  81. 	creates this Protocol is required to have the properties server_key

  82. 	and endpoint.

  83. 

  84. 	The server_key propery is the key for the server that the clients are

  85. 	required to have (due to Noise XK protocol used) to authenticate the

  86. 	server.

  87. 

  88. 	The endpoint property contains the endpoint as a string that will be

  89. 	used w/ clientFromString, see https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#clientFromString

  90. 	and https://twistedmatrix.com/documents/current/core/howto/endpoints.html#clients

  91. 	for information on how to use this property.'''

  92. 

  93. 	def connectionMade(self):

  94. 		# Initialize Noise

  95. 		noise = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  96. 		self.noise = noise

  97. 		noise.set_as_responder()

  98. 		noise.set_keypair_from_private_bytes(Keypair.STATIC, self.factory.server_key)

  99. 

  100. 		# Start Handshake

  101. 		noise.start_handshake()

  102. 

  103. 	def encData(self, data):

  104. 		self.transport.write(self.noise.encrypt(data))

  105. 

  106. 	def dataReceived(self, data):

  107. 		if not self.noise.handshake_finished:

  108. 			self.noise.read_message(data)

  109. 			if not self.noise.handshake_finished:

  110. 				self.transport.write(self.noise.write_message())

  111. 			if self.noise.handshake_finished:

  112. 				self.transport.pauseProducing()

  113. 

  114. 				# start the connection to the endpoint

  115. 				ep = endpoints.clientFromString(reactor, self.factory.endpoint)

  116. 				epdef = ep.connect(ClientProxyFactory(self))

  117. 				epdef.addCallback(self.proxyConnected)

  118. 		else:

  119. 			r = self.noise.decrypt(data)

  120. 

  121. 			self.endpoint.transport.write(r)

  122. 

  123. 	def proxyConnected(self, endpoint):

  124. 		self.endpoint = endpoint

  125. 		self.transport.resumeProducing()

  126. 

  127. class ClientProxyProtocol(twisted.internet.protocol.Protocol):

  128. 	def dataReceived(self, data):

  129. 		self.factory.noiseproto.encData(data)

  130. 

  131. class ClientProxyFactory(Factory):

  132. 	protocol = ClientProxyProtocol

  133. 

  134. 	def __init__(self, noiseproto):

  135. 		self.noiseproto = noiseproto

  136. 

  137. class TwistedNoiseServerFactory(Factory):

  138. 	protocol = TwistedNoiseServerProtocol

  139. 

  140. 	def __init__(self, server_key, endpoint):

  141. 		self.server_key = server_key

  142. 		self.endpoint = endpoint

  143. 

  144. class TNServerTest(unittest.TestCase):

  145. 	@defer.inlineCallbacks

  146. 	def setUp(self):

  147. 		d = os.path.realpath(tempfile.mkdtemp())

  148. 		self.basetempdir = d

  149. 		self.tempdir = os.path.join(d, 'subdir')

  150. 		os.mkdir(self.tempdir)

  151. 

  152. 		self.server_key_pair = genkeypair()

  153. 		self.protos = []

  154. 		self.connectionmade = defer.Deferred()

  155. 

  156. 		class AccProtFactory(Factory):

  157. 			protocol = proto_helpers.AccumulatingProtocol

  158. 

  159. 			def __init__(self, tc):

  160. 				self.__tc = tc

  161. 				Factory.__init__(self)

  162. 

  163. 			protocolConnectionMade = self.connectionmade

  164. 

  165. 			def buildProtocol(self, addr):

  166. 				r = Factory.buildProtocol(self, addr)

  167. 				self.__tc.protos.append(r)

  168. 				return r

  169. 

  170. 		sockpath = os.path.join(self.tempdir, 'clientsock')

  171. 		ep = endpoints.UNIXServerEndpoint(reactor, sockpath)

  172. 		lpobj = yield ep.listen(AccProtFactory(self))

  173. 

  174. 		self.testserv = ep

  175. 		self.listenportobj = lpobj

  176. 		self.endpoint = 'unix:path=%s' % sockpath

  177. 

  178. 		factory = TwistedNoiseServerFactory(server_key=self.server_key_pair[1], endpoint=self.endpoint)

  179. 		self.proto = factory.buildProtocol(None)

  180. 		self.tr = proto_helpers.StringTransport()

  181. 		self.proto.makeConnection(self.tr)

  182. 

  183. 		self.client_key_pair = genkeypair()

  184. 

  185. 	def tearDown(self):

  186. 		self.listenportobj.stopListening()

  187. 

  188. 		shutil.rmtree(self.basetempdir)

  189. 		self.tempdir = None

  190. 

  191. 	@defer.inlineCallbacks

  192. 	def test_testprotocol(self):

  193. 		#

  194. 		# How this test is plumbed:

  195. 		#

  196. 		#  proto (NoiseConnection) -> self.tr (StringTransport) ->

  197. 		#    self.proto (TwistedNoiseServerProtocol) ->

  198. 		#    self.proto.endpoint (ClientProxyProtocol) -> unix sock ->

  199. 		#    self.protos[0] (AccumulatingProtocol)

  200. 		#

  201. 		# Create client

  202. 		proto = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  203. 		proto.set_as_initiator()

  204. 

  205. 		# Setup required keys

  206. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  207. 		proto.set_keypair_from_public_bytes(Keypair.REMOTE_STATIC, self.server_key_pair[0])

  208. 

  209. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  210. 		proto.start_handshake()

  211. 

  212. 		# Send first message

  213. 		message = proto.write_message()

  214. 		self.proto.dataReceived(message)

  215. 

  216. 		# Get response

  217. 		resp = self.tr.value()

  218. 		self.tr.clear()

  219. 

  220. 		# And process it

  221. 		proto.read_message(resp)

  222. 

  223. 		# Send second message

  224. 		message = proto.write_message()

  225. 		self.proto.dataReceived(message)

  226. 

  227. 		# assert handshake finished

  228. 		self.assertTrue(proto.handshake_finished)

  229. 

  230. 		# Make sure incoming data is paused till we establish client

  231. 		# connection, otherwise no place to write the data

  232. 		self.assertEqual(self.tr.producerState, 'paused')

  233. 

  234. 		# Wait for the connection to be made

  235. 		d = yield self.connectionmade

  236. 

  237. 		d = yield task.deferLater(reactor, .1, bool, 1)

  238. 

  239. 		# How to make this ready?

  240. 		self.assertEqual(self.tr.producerState, 'producing')

  241. 

  242. 		# Encrypt the message

  243. 		ptmsg = b'this is a test message'

  244. 		encmsg = proto.encrypt(ptmsg)

  245. 

  246. 		# Feed it into the protocol

  247. 		self.proto.dataReceived(encmsg)

  248. 

  249. 		# wait to pass it through

  250. 		d = yield task.deferLater(reactor, .1, bool, 1)

  251. 

  252. 		# fetch remote end out

  253. 		clientend = self.protos[0]

  254. 		self.assertEqual(clientend.data, ptmsg)

  255. 

  256. 		# send a message the other direction

  257. 		rptmsg = b'this is a different test message going the other way'

  258. 		clientend.transport.write(rptmsg)

  259. 

  260. 		# wait to pass it through

  261. 		d = yield task.deferLater(reactor, .1, bool, 1)

  262. 

  263. 		# receive it and decrypt it

  264. 		resp = self.tr.value()

  265. 		self.assertEqual(proto.decrypt(resp), rptmsg)

  266. 

  267. 		# clean up connection

  268. 		clientend.transport.loseConnection()