jmg
/
ntunnel
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 1 Wiki Activity
An stunnel like program that utilizes the Noise protocol.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
18 Commits
2 Branches
375 KiB
 
 
Tree: 59d4a88ac3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '59d4a88ac3'
${ noResults }
ntunnel/twistednoise.py

327 lines
10 KiB
Raw Blame History 

  1. from twisted.trial import unittest

  2. from twisted.test import proto_helpers

  3. from noise.connection import NoiseConnection, Keypair

  4. from twisted.internet.protocol import Factory

  5. from twisted.internet import endpoints, reactor, defer, task

  6. # XXX - shouldn't need to access the underlying primitives, but that's what

  7. # noiseprotocol module requires.

  8. from cryptography.hazmat.primitives.asymmetric import x448

  9. from cryptography.hazmat.primitives import serialization

  10. 

  11. import mock

  12. import os.path

  13. import shutil

  14. import tempfile

  15. import twisted.internet.protocol

  16. 

  17. __author__ = 'John-Mark Gurney'

  18. __copyright__ = 'Copyright 2019 John-Mark Gurney.  All rights reserved.'

  19. __license__ = '2-clause BSD license'

  20. 

  21. # Copyright 2019 John-Mark Gurney.

  22. # All rights reserved.

  23. #

  24. # Redistribution and use in source and binary forms, with or without

  25. # modification, are permitted provided that the following conditions

  26. # are met:

  27. # 1. Redistributions of source code must retain the above copyright

  28. #    notice, this list of conditions and the following disclaimer.

  29. # 2. Redistributions in binary form must reproduce the above copyright

  30. #    notice, this list of conditions and the following disclaimer in the

  31. #    documentation and/or other materials provided with the distribution.

  32. #

  33. # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

  34. # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  35. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  36. # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  37. # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  38. # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  39. # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  40. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  41. # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  42. # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  43. # SUCH DAMAGE.

  44. 

  45. # Notes:

  46. # Using XK, so that the connecting party's identity is hidden and that the

  47. # server's party's key is known.

  48. #

  49. # Noise packets are 16 bytes + length of data

  50. #

  51. # Proposed method to hide message lengths:

  52. # Immediately after handshake completes, each side generates and sends

  53. # an n byte key that will be used for encrypting (algo tbd) their own

  54. # byte counts.  The length field will be encrypted via

  55. # E(pktnum, key) XOR 2 byte length.

  56. #

  57. # Note that authenticating the message length is NOT needed.  This is

  58. # because the noise message blocks themselves are authenticated.  The

  59. # worse that could happen is that a larger read (64k) is done, and then

  60. # the connection aborts because of decryption failure.

  61. #

  62. 

  63. def _makeunix(path):

  64. 	'''Make a properly formed unix path socket string.'''

  65. 

  66. 	return 'unix:%s' % path

  67. 

  68. def genkeypair():

  69. 	'''Generates a keypair, and returns a tuple of (public, private).

  70. 	They are encoded as raw bytes, and sutible for use w/ Noise.'''

  71. 

  72. 	key = x448.X448PrivateKey.generate()

  73. 

  74. 	enc = serialization.Encoding.Raw

  75. 	pubformat = serialization.PublicFormat.Raw

  76. 	privformat = serialization.PrivateFormat.Raw

  77. 	encalgo = serialization.NoEncryption()

  78. 

  79. 	pub = key.public_key().public_bytes(encoding=enc, format=pubformat)

  80. 	priv = key.private_bytes(encoding=enc, format=privformat, encryption_algorithm=encalgo)

  81. 

  82. 	return pub, priv

  83. 

  84. class TwistedNoiseProtocol(twisted.internet.protocol.Protocol):

  85. 	'''This class acts as a Noise Protocol responder.  The factory that

  86. 	creates this Protocol is required to have the properties server_key

  87. 	and endpoint.

  88. 

  89. 	The server_key propery is the key for the server that the clients are

  90. 	required to have (due to Noise XK protocol used) to authenticate the

  91. 	server.

  92. 

  93. 	The endpoint property contains the endpoint as a string that will be

  94. 	used w/ clientFromString, see https://twistedmatrix.com/documents/current/api/twisted.internet.endpoints.html#clientFromString

  95. 	and https://twistedmatrix.com/documents/current/core/howto/endpoints.html#clients

  96. 	for information on how to use this property.'''

  97. 

  98. 	def connectionMade(self):

  99. 		# Initialize Noise

  100. 		noise = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  101. 		self.noise = noise

  102. 		if self.mode == 'resp':

  103. 			noise.set_as_responder()

  104. 

  105. 		noise.set_keypair_from_private_bytes(Keypair.STATIC, self.factory.priv_key)

  106. 

  107. 		# Start Handshake

  108. 		noise.start_handshake()

  109. 

  110. 	def encData(self, data):

  111. 		'''Receive plain text data, encrypt it, and send it down the

  112. 		wire.'''

  113. 

  114. 		self.transport.write(self.noise.encrypt(data))

  115. 

  116. 	def dataReceived(self, data):

  117. 		'''Receive encrypted data, and write it to the endpoint that

  118. 		was connected via the plaintextConnected method.'''

  119. 

  120. 		if not self.noise.handshake_finished:

  121. 			self.noise.read_message(data)

  122. 			if not self.noise.handshake_finished:

  123. 				self.transport.write(self.noise.write_message())

  124. 			if self.noise.handshake_finished:

  125. 				self.handshakeFinished()

  126. 		else:

  127. 			r = self.noise.decrypt(data)

  128. 

  129. 			self.endpoint.transport.write(r)

  130. 

  131. 	def handshakeFinished(self):	# pragma: no cover

  132. 		'''This function is called when the handshake has been

  133. 		completed.  This is used to start data flowing, and to

  134. 		do any necessary connection work.'''

  135. 

  136. 		raise NotImplementedError

  137. 

  138. 	def plaintextConnected(self, endpoint):

  139. 		'''Connect the plain text endpoint to the factory.  All the

  140. 		decrypted data will be written to this protocol,

  141. 		(specifically, it's transport).'''

  142. 

  143. 		self.endpoint = endpoint

  144. 		self.transport.resumeProducing()

  145. 

  146. class TwistedNoiseServerProtocol(TwistedNoiseProtocol):

  147. 	mode = 'resp'

  148. 

  149. 	def handshakeFinished(self):

  150. 		self.transport.pauseProducing()

  151. 

  152. 		# start the connection to the endpoint

  153. 		ep = endpoints.clientFromString(reactor, self.factory.endpoint)

  154. 		epdef = ep.connect(ServerPTProxyFactory(self))

  155. 		epdef.addCallback(self.plaintextConnected)

  156. 

  157. class TwistedNoiseClientProtocol(TwistedNoiseProtocol):

  158. 	mode = 'init'

  159. 

  160. class ServerPTProxyProtocol(twisted.internet.protocol.Protocol):

  161. 	def dataReceived(self, data):

  162. 		self.factory.noiseproto.encData(data)

  163. 

  164. class ServerPTProxyFactory(Factory):

  165. 	protocol = ServerPTProxyProtocol

  166. 

  167. 	def __init__(self, noiseproto):

  168. 		self.noiseproto = noiseproto

  169. 

  170. class TwistedNoiseServerFactory(Factory):

  171. 	protocol = TwistedNoiseServerProtocol

  172. 

  173. 	def __init__(self, priv_key, endpoint):

  174. 		self.priv_key = priv_key

  175. 		self.endpoint = endpoint

  176. 

  177. class TNServerTest(unittest.TestCase):

  178. 	@defer.inlineCallbacks

  179. 	def setUp(self):

  180. 		# setup temporary directory

  181. 		d = os.path.realpath(tempfile.mkdtemp())

  182. 		self.basetempdir = d

  183. 		self.tempdir = os.path.join(d, 'subdir')

  184. 		os.mkdir(self.tempdir)

  185. 

  186. 		# Generate key pairs

  187. 		self.server_key_pair = genkeypair()

  188. 		self.client_key_pair = genkeypair()

  189. 

  190. 		# Server's PT client will be here

  191. 		self.protos = []

  192. 		self.connectionmade = defer.Deferred()

  193. 

  194. 		class AccProtFactory(Factory):

  195. 			protocol = proto_helpers.AccumulatingProtocol

  196. 

  197. 			def __init__(self, tc):

  198. 				self.__tc = tc

  199. 				Factory.__init__(self)

  200. 

  201. 			protocolConnectionMade = self.connectionmade

  202. 

  203. 			def buildProtocol(self, addr):

  204. 				r = Factory.buildProtocol(self, addr)

  205. 				self.__tc.protos.append(r)

  206. 				return r

  207. 

  208. 		# Setup PT client endpoint

  209. 		sockpath = os.path.join(self.tempdir, 'servptsock')

  210. 		ep = endpoints.UNIXServerEndpoint(reactor, sockpath)

  211. 		lpobj = yield ep.listen(AccProtFactory(self))

  212. 

  213. 		self.testserv = ep

  214. 		self.listenportobj = lpobj

  215. 		self.endpoint = _makeunix(sockpath)

  216. 

  217. 		# Setup server, and configure where to connect to.

  218. 		self.servfactory = TwistedNoiseServerFactory(priv_key=self.server_key_pair[1], endpoint=self.endpoint)

  219. 

  220. 	@defer.inlineCallbacks

  221. 	def tearDown(self):

  222. 		d = yield self.listenportobj.stopListening()

  223. 

  224. 		shutil.rmtree(self.basetempdir)

  225. 		self.tempdir = None

  226. 

  227. 	@defer.inlineCallbacks

  228. 	def test_testserver(self):

  229. 		#

  230. 		# How this test is plumbed:

  231. 		#

  232. 		#  proto (NoiseConnection) -> self.tr (StringTransport) ->

  233. 		#    self.proto (TwistedNoiseServerProtocol) ->

  234. 		#    self.proto.endpoint (ServerPTProxyProtocol) -> unix sock ->

  235. 		#    self.protos[0] (AccumulatingProtocol)

  236. 		#

  237. 

  238. 		# Generate a server protocol, and bind it to a string

  239. 		# transport for testing

  240. 		self.proto = self.servfactory.buildProtocol(None)

  241. 		self.tr = proto_helpers.StringTransport()

  242. 		self.proto.makeConnection(self.tr)

  243. 

  244. 		# Create client

  245. 		proto = NoiseConnection.from_name(b'Noise_XK_448_ChaChaPoly_SHA256')

  246. 		proto.set_as_initiator()

  247. 

  248. 		# Setup required keys

  249. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  250. 		proto.set_keypair_from_public_bytes(Keypair.REMOTE_STATIC, self.server_key_pair[0])

  251. 

  252. 		proto.set_keypair_from_private_bytes(Keypair.STATIC, self.client_key_pair[1])

  253. 		proto.start_handshake()

  254. 

  255. 		# Send first message

  256. 		message = proto.write_message()

  257. 		self.proto.dataReceived(message)

  258. 

  259. 		# Get response

  260. 		resp = self.tr.value()

  261. 		self.tr.clear()

  262. 

  263. 		# And process it

  264. 		proto.read_message(resp)

  265. 

  266. 		# Send second message

  267. 		message = proto.write_message()

  268. 		self.proto.dataReceived(message)

  269. 

  270. 		# assert handshake finished

  271. 		self.assertTrue(proto.handshake_finished)

  272. 

  273. 		# Make sure incoming data is paused till we establish client

  274. 		# connection, otherwise no place to write the data

  275. 		self.assertEqual(self.tr.producerState, 'paused')

  276. 

  277. 		# Wait for the connection to be made

  278. 		d = yield self.connectionmade

  279. 

  280. 		d = yield task.deferLater(reactor, .1, bool, 1)

  281. 

  282. 		# How to make this ready?

  283. 		self.assertEqual(self.tr.producerState, 'producing')

  284. 

  285. 		# Encrypt the message

  286. 		ptmsg = b'this is a test message'

  287. 		encmsg = proto.encrypt(ptmsg)

  288. 

  289. 		# Feed it into the protocol

  290. 		self.proto.dataReceived(encmsg)

  291. 

  292. 		# XXX - fix

  293. 		# wait to pass it through

  294. 		d = yield task.deferLater(reactor, .1, bool, 1)

  295. 

  296. 		# fetch remote end out

  297. 		clientend = self.protos[0]

  298. 		self.assertEqual(clientend.data, ptmsg)

  299. 

  300. 		# send a message the other direction

  301. 		rptmsg = b'this is a different test message going the other way'

  302. 		clientend.transport.write(rptmsg)

  303. 

  304. 		# XXX - fix

  305. 		# wait to pass it through

  306. 		d = yield task.deferLater(reactor, .1, bool, 1)

  307. 

  308. 		# receive it and decrypt it

  309. 		resp = self.tr.value()

  310. 		self.assertEqual(proto.decrypt(resp), rptmsg)

  311. 

  312. 		# clean up connection

  313. 		clientend.transport.loseConnection()

  314. 

  315. 	@defer.inlineCallbacks

  316. 	def test_clientserver(self):

  317. 		# Path that the client "listener" sits on.

  318. 		cptsockpath = os.path.join(self.tempdir, 'clientptsock')

  319. 

  320. 		# Path that the server sits on

  321. 		servsockpath = os.path.join(self.tempdir, 'servsock')

  322. 

  323. 		servep = endpoints.serverFromString(reactor, _makeunix(servsockpath))

  324. 		servlpobj = yield servep.listen(self.servfactory)

  325. 

  326. 		d = yield servlpobj.stopListening()