jmg
/
ntunnel
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 1 Wiki Activity
An stunnel like program that utilizes the Noise protocol.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11 Commits
2 Branches
375 KiB
 
 
Tree: 01b664048e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '01b664048e'
${ noResults }
ntunnel/twistednoise.py

276 lines
8.9 KiB
Raw Blame History 

  1. from twisted.trial import unittest

  2. from twisted.test import proto_helpers

  3. from noise.connection import NoiseConnection, Keypair

  4. from twisted.internet.protocol import Factory

  5. from twisted.internet import endpoints, reactor, defer, task

  6. # XXX - shouldn't need to access the underlying primitives, but that's what

  7. # noiseprotocol module requires.

  8. from cryptography.hazmat.primitives.asymmetric import x448

  9. from cryptography.hazmat.primitives import serialization

  10. 

  11. import mock

  12. import os.path

  13. import shutil

  14. import tempfile

  15. import twisted.internet.protocol

  16. 

  17. __author__ = 'John-Mark Gurney'

  18. __copyright__ = 'Copyright 2019 John-Mark Gurney.  All rights reserved.'

  19. __license__ = '2-clause BSD license'

  20. 

  21. # Copyright 2019 John-Mark Gurney.

  22. # All rights reserved.

  23. #

  24. # Redistribution and use in source and binary forms, with or without

  25. # modification, are permitted provided that the following conditions

  26. # are met:

  27. # 1. Redistributions of source code must retain the above copyright

  28. #    notice, this list of conditions and the following disclaimer.

  29. # 2. Redistributions in binary form must reproduce the above copyright

  30. #    notice, this list of conditions and the following disclaimer in the

  31. #    documentation and/or other materials provided with the distribution.

  32. #

  33. # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

  34. # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  35. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  36. # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  37. # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  38. # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  39. # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  40. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  41. # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  42. # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  43. # SUCH DAMAGE.

  44. 

  45. # Notes:

  46. # Using XK, so that the connecting party's identity is hidden and that the

  47. # server's party's key is known.

  48. #

  49. # Noise packets are 16 bytes + length of data

  50. #

  51. # Proposed method to hide message lengths:

  52. # Immediately after handshake completes, each side generates and sends

  53. # an n byte key that will be used for encrypting (algo tbd) their own

  54. # byte counts.  The length field will be encrypted via

  55. # E(pktnum, key) XOR 2 byte length.

  56. #

  57. # Note that authenticating the message length is NOT needed.  This is

  58. # because the noise message blocks themselves are authenticated.  The

  59. # worse that could happen is that a larger read (64k) is done, and then

  60. # the connection aborts because of decryption failure.

  61. #

  62. 

  63. def genkeypair():

  64. 	'''Generates a keypair, and returns a tuple of (public, private).

  65. 	They are encoded as raw bytes, and sutible for use w/ Noise.'''

  66. 

  67. 	key = x448.X448PrivateKey.generate()

  68. 

  69. 	enc = serialization.Encoding.Raw

  70. 	pubformat = serialization.PublicFormat.Raw

  71. 	privformat = serialization.PrivateFormat.Raw

  72. 	encalgo = serialization.NoEncryption()

  73. 

  74. 	pub = key.public_key().public_bytes(encoding=enc, format=pubformat)

  75. 	priv = key.private_bytes(encoding=enc, format=privformat, encryption_algorithm=encalgo)

  76. 

  77. 	return pub, priv

  78. 

  79. class TwistedNoiseProtocol(twisted.internet.protocol.Protocol):

  80. 	'''This class acts as a Noise Protocol responder.  The factory that

  81. 	creates this Protocol is required to have the properties server_key

  82. 	and endpoint.

  83. 

  84. 	The server_key propery is the key for the server that the clients are

  85. 	required to have (due to Noise XK protocol used) to authenticate the

  86. 	server.

  87. 

  88. 	The endpoint property contains the endpoint as a string that will be

  89. 	used w/ clientFromString, see https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#clientFromString

  90. 	and https://twistedmatrix.com/documents/current/core/howto/endpoints.html#clients

  91. 	for information on how to use this property.'''

  92. 

  93. 	def connectionMade(self):

  94. 		# Initialize Noise

  95. 		noise = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  96. 		self.noise = noise

  97. 		noise.set_as_responder()

  98. 		noise.set_keypair_from_private_bytes(Keypair.STATIC, self.factory.server_key)

  99. 

  100. 		# Start Handshake

  101. 		noise.start_handshake()

  102. 

  103. 	def encData(self, data):

  104. 		self.transport.write(self.noise.encrypt(data))

  105. 

  106. 	def dataReceived(self, data):

  107. 		if not self.noise.handshake_finished:

  108. 			self.noise.read_message(data)

  109. 			if not self.noise.handshake_finished:

  110. 				self.transport.write(self.noise.write_message())

  111. 			if self.noise.handshake_finished:

  112. 				self.handshakeFinished()

  113. 		else:

  114. 			r = self.noise.decrypt(data)

  115. 

  116. 			self.endpoint.transport.write(r)

  117. 

  118. 	def handshakeFinished(self):

  119. 		raise NotImplementedError

  120. 

  121. 	def plaintextConnected(self, endpoint):

  122. 		self.endpoint = endpoint

  123. 		self.transport.resumeProducing()

  124. 

  125. class TwistedNoiseServerProtocol(TwistedNoiseProtocol):

  126. 	def handshakeFinished(self):

  127. 		self.transport.pauseProducing()

  128. 

  129. 		# start the connection to the endpoint

  130. 		ep = endpoints.clientFromString(reactor, self.factory.endpoint)

  131. 		epdef = ep.connect(ClientProxyFactory(self))

  132. 		epdef.addCallback(self.plaintextConnected)

  133. 

  134. class ClientProxyProtocol(twisted.internet.protocol.Protocol):

  135. 	def dataReceived(self, data):

  136. 		self.factory.noiseproto.encData(data)

  137. 

  138. class ClientProxyFactory(Factory):

  139. 	protocol = ClientProxyProtocol

  140. 

  141. 	def __init__(self, noiseproto):

  142. 		self.noiseproto = noiseproto

  143. 

  144. class TwistedNoiseServerFactory(Factory):

  145. 	protocol = TwistedNoiseServerProtocol

  146. 

  147. 	def __init__(self, server_key, endpoint):

  148. 		self.server_key = server_key

  149. 		self.endpoint = endpoint

  150. 

  151. class TNServerTest(unittest.TestCase):

  152. 	@defer.inlineCallbacks

  153. 	def setUp(self):

  154. 		d = os.path.realpath(tempfile.mkdtemp())

  155. 		self.basetempdir = d

  156. 		self.tempdir = os.path.join(d, 'subdir')

  157. 		os.mkdir(self.tempdir)

  158. 

  159. 		self.server_key_pair = genkeypair()

  160. 		self.protos = []

  161. 		self.connectionmade = defer.Deferred()

  162. 

  163. 		class AccProtFactory(Factory):

  164. 			protocol = proto_helpers.AccumulatingProtocol

  165. 

  166. 			def __init__(self, tc):

  167. 				self.__tc = tc

  168. 				Factory.__init__(self)

  169. 

  170. 			protocolConnectionMade = self.connectionmade

  171. 

  172. 			def buildProtocol(self, addr):

  173. 				r = Factory.buildProtocol(self, addr)

  174. 				self.__tc.protos.append(r)

  175. 				return r

  176. 

  177. 		sockpath = os.path.join(self.tempdir, 'clientsock')

  178. 		ep = endpoints.UNIXServerEndpoint(reactor, sockpath)

  179. 		lpobj = yield ep.listen(AccProtFactory(self))

  180. 

  181. 		self.testserv = ep

  182. 		self.listenportobj = lpobj

  183. 		self.endpoint = 'unix:path=%s' % sockpath

  184. 

  185. 		factory = TwistedNoiseServerFactory(server_key=self.server_key_pair[1], endpoint=self.endpoint)

  186. 		self.proto = factory.buildProtocol(None)

  187. 		self.tr = proto_helpers.StringTransport()

  188. 		self.proto.makeConnection(self.tr)

  189. 

  190. 		self.client_key_pair = genkeypair()

  191. 

  192. 	def tearDown(self):

  193. 		self.listenportobj.stopListening()

  194. 

  195. 		shutil.rmtree(self.basetempdir)

  196. 		self.tempdir = None

  197. 

  198. 	@defer.inlineCallbacks

  199. 	def test_testserver(self):

  200. 		#

  201. 		# How this test is plumbed:

  202. 		#

  203. 		#  proto (NoiseConnection) -> self.tr (StringTransport) ->

  204. 		#    self.proto (TwistedNoiseServerProtocol) ->

  205. 		#    self.proto.endpoint (ClientProxyProtocol) -> unix sock ->

  206. 		#    self.protos[0] (AccumulatingProtocol)

  207. 		#

  208. 		# Create client

  209. 		proto = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  210. 		proto.set_as_initiator()

  211. 

  212. 		# Setup required keys

  213. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  214. 		proto.set_keypair_from_public_bytes(Keypair.REMOTE_STATIC, self.server_key_pair[0])

  215. 

  216. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  217. 		proto.start_handshake()

  218. 

  219. 		# Send first message

  220. 		message = proto.write_message()

  221. 		self.proto.dataReceived(message)

  222. 

  223. 		# Get response

  224. 		resp = self.tr.value()

  225. 		self.tr.clear()

  226. 

  227. 		# And process it

  228. 		proto.read_message(resp)

  229. 

  230. 		# Send second message

  231. 		message = proto.write_message()

  232. 		self.proto.dataReceived(message)

  233. 

  234. 		# assert handshake finished

  235. 		self.assertTrue(proto.handshake_finished)

  236. 

  237. 		# Make sure incoming data is paused till we establish client

  238. 		# connection, otherwise no place to write the data

  239. 		self.assertEqual(self.tr.producerState, 'paused')

  240. 

  241. 		# Wait for the connection to be made

  242. 		d = yield self.connectionmade

  243. 

  244. 		d = yield task.deferLater(reactor, .1, bool, 1)

  245. 

  246. 		# How to make this ready?

  247. 		self.assertEqual(self.tr.producerState, 'producing')

  248. 

  249. 		# Encrypt the message

  250. 		ptmsg = b'this is a test message'

  251. 		encmsg = proto.encrypt(ptmsg)

  252. 

  253. 		# Feed it into the protocol

  254. 		self.proto.dataReceived(encmsg)

  255. 

  256. 		# wait to pass it through

  257. 		d = yield task.deferLater(reactor, .1, bool, 1)

  258. 

  259. 		# fetch remote end out

  260. 		clientend = self.protos[0]

  261. 		self.assertEqual(clientend.data, ptmsg)

  262. 

  263. 		# send a message the other direction

  264. 		rptmsg = b'this is a different test message going the other way'

  265. 		clientend.transport.write(rptmsg)

  266. 

  267. 		# wait to pass it through

  268. 		d = yield task.deferLater(reactor, .1, bool, 1)

  269. 

  270. 		# receive it and decrypt it

  271. 		resp = self.tr.value()

  272. 		self.assertEqual(proto.decrypt(resp), rptmsg)

  273. 

  274. 		# clean up connection

  275. 		clientend.transport.loseConnection()