def setUp(self):
super(TestMessage, self).setUp()
transform1 = Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96)
transform2 = Transform(Transform.Type.PRF,
Transform.PrfId.PRF_HMAC_SHA1)
transform3 = Transform(Transform.Type.ENCR,
Transform.EncrId.ENCR_AES_CBC, 256)
proposal1 = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever',
[transform1, transform2, transform3])
proposal2 = Proposal(20, Proposal.Protocol.IKE, b'anotherone',
[transform3])
payload_sa = PayloadSA([proposal1, proposal2])
payload_nonce = PayloadNONCE()
payload_ke = PayloadKE(5, b'1234567890' * 10)
payload_vendor = PayloadVENDOR(b'pyikev2-test-0.1')
self.object = Message(
spi_i=b'12345678',
spi_r=b'12345678',
major=2,
minor=0,
exchange_type=Message.Exchange.IKE_SA_INIT,
is_response=False,
can_use_higher_version=False,
is_initiator=False,
message_id=0,
payloads=[payload_sa, payload_ke, payload_nonce, payload_vendor],
encrypted_payloads=[])
def test_is_subset(self):
proposal = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever', [
Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96),
Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC, 128),
Transform(Transform.Type.PRF, Transform.PrfId.PRF_HMAC_SHA1)
])
self.assertTrue(self.object.is_subset(proposal))
def setUp(self):
super(TestProposal, self).setUp()
transform1 = Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96)
transform2 = Transform(Transform.Type.PRF,
Transform.PrfId.PRF_HMAC_SHA1)
self.object = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever',
[transform1, transform2])
def test_no_spi(self):
transform1 = Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96)
transform2 = Transform(Transform.Type.PRF,
Transform.PrfId.PRF_HMAC_SHA1)
proposal = Proposal(20, Proposal.Protocol.IKE, b'',
[transform1, transform2])
data = proposal.to_bytes()
proposal = Proposal.parse(data)
self.assertEqual(proposal.spi, b'')
def test_intersection(self):
proposal = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever', [
Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96),
Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC, 128),
Transform(Transform.Type.PRF, Transform.PrfId.PRF_HMAC_SHA1)
])
intersection = self.object.intersection(proposal)
self.assertEqual(intersection, self.object)
self.assertIsNone(proposal.intersection(self.object))
def setUp(self):
super(TestPayloadSA, self).setUp()
transform1 = Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96)
transform2 = Transform(Transform.Type.PRF,
Transform.PrfId.PRF_HMAC_SHA1)
transform3 = Transform(Transform.Type.ENCR,
Transform.EncrId.ENCR_AES_CBC, 128)
proposal1 = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever',
[transform1, transform2])
proposal2 = Proposal(20, Proposal.Protocol.IKE, b'anotherone',
[transform3])
self.object = PayloadSA([proposal1, proposal2])
def test_encrypt_decrypt(self):
integrity = Integrity(
Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96))
cipher = Cipher(
Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC, 256))
encryption_key = b'Mypassword121111' * 2
iv = cipher.generate_iv()
crypto = Crypto(cipher, encryption_key, integrity, b'', None, b'')
payload_sk = PayloadSK.generate(b'Hello there!', iv, crypto)
iv2, clear = payload_sk.decrypt(crypto)
self.assertEqual(clear, b'Hello there!')
self.assertEqual(iv, iv2)
def test_eq(self):
transform1 = Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA1_96)
transform2 = Transform(Transform.Type.PRF,
Transform.PrfId.PRF_HMAC_SHA1)
transform3 = Transform(Transform.Type.PRF,
Transform.PrfId.PRF_HMAC_MD5)
proposal = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever',
[transform2, transform1])
proposal2 = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever',
[transform2])
proposal3 = Proposal(20, Proposal.Protocol.IKE, b'aspiwhatever',
[transform1, transform2, transform3])
self.assertEqual(self.object, proposal)
self.assertNotEqual(self.object, proposal2)
self.assertNotEqual(self.object, proposal3)
def test_ike_sa_init_invalid_ke(self, mockclass):
self.ike_sa1.configuration.dh.insert(
0, Transform(Transform.Type.DH, Transform.DhId.DH_16))
small_tsi = TrafficSelector.from_network(
ip_network("192.168.0.1/32"), 8765, TrafficSelector.IpProtocol.TCP)
small_tsr = TrafficSelector.from_network(
ip_network("192.168.0.2/32"), 23, TrafficSelector.IpProtocol.TCP)
ike_sa_init_req = self.ike_sa1.process_acquire(small_tsi, small_tsr, 1)
ike_sa_init_res = self.ike_sa2.process_message(ike_sa_init_req)
ike_sa_init_req_newgroup = self.ike_sa1.process_message(
ike_sa_init_res)
ike_sa3 = IkeSa(
is_initiator=False,
peer_spi=self.ike_sa1.my_spi,
my_addr=self.ip2,
peer_addr=self.ip1,
configuration=self.configuration2.get_ike_configuration(self.ip1))
ike_sa3.process_message(ike_sa_init_req_newgroup)
self.assertMessageHasNotification(
ike_sa_init_res, self.ike_sa2,
PayloadNOTIFY.Type.INVALID_KE_PAYLOAD)
self.assertEqual(self.ike_sa1.state, IkeSa.State.INIT_REQ_SENT)
self.assertEqual(self.ike_sa2.state, IkeSa.State.DELETED)
self.assertEqual(ike_sa3.state, IkeSa.State.INIT_RES_SENT)
self.assertEqual(len(self.ike_sa1.child_sas), 0)
self.assertEqual(len(self.ike_sa2.child_sas), 0)
self.assertEqual(len(ike_sa3.child_sas), 0)
def _load_ipsec_conf(self, ikeconf, conf_dict):
no_esn = [Transform(Transform.Type.ESN, Transform.EsnId.NO_ESN)]
ipsec_proto = self._load_from_dict(conf_dict.get('ipsec_proto', 'esp'),
_ipsec_proto_name_to_enum)
encr = self._load_crypto_algs('encr',
conf_dict.get('encr', ['aes256']),
_encr_name_to_transform)
integ = self._load_crypto_algs('integ',
conf_dict.get('integ', ['sha256']),
_integ_name_to_transform)
dh = self._load_crypto_algs('dh', conf_dict.get('dh', []),
_dh_name_to_transform)
if ipsec_proto == Proposal.Protocol.AH:
encr = []
ip_proto = self._load_from_dict(conf_dict.get('ip_proto', 'any'),
_ip_proto_name_to_enum)
my_subnet = self._load_ip_network(
conf_dict.get('my_subnet', ikeconf.my_addr))
my_port = int(conf_dict.get('my_port', 0))
peer_subnet = self._load_ip_network(
conf_dict.get('peer_subnet', ikeconf.peer_addr))
peer_port = int(conf_dict.get('peer_port', 0))
return IpsecConfiguration(
index=int(conf_dict.get('index', random.randint(0, 2**20))),
my_ts=TrafficSelector.from_network(my_subnet, my_port, ip_proto),
peer_ts=TrafficSelector.from_network(peer_subnet, peer_port,
ip_proto),
lifetime=int(conf_dict.get('lifetime', 5 * 60)),
mode=self._load_from_dict(conf_dict.get('mode', 'tunnel'),
_mode_name_to_enum),
proposal=Proposal(1, ipsec_proto, b'', encr + integ + dh + no_esn),
)
def test_integrity(self):
integrity = Integrity(
Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA2_512_256))
checksum = integrity.compute(b'supersecret', b'This is a long message')
self.assertEqual(
checksum,
b'\x0e\xb2\x8a\xa0N\x14\x0b$\x9a\x8c/\x9d<\x83\xd2\xf8\x94\x12\x1a\xbc\xd4b~'
b'\xd5\xd0\xa5\x02-\x0f\x8fcC')
def test_prf(self):
prf = Prf(Transform(Transform.Type.PRF, Transform.PrfId.PRF_HMAC_SHA1))
digest = prf.prf(b'supersecret', b'This is a long message')
prfplus = prf.prfplus(b'supersecret', b'This is a long message', 100)
self.assertEqual(
digest,
b']e\xed\xc7\xa7\xa7\xc1\xc3\x11\xaa\x19\x1c]\xeb\xbc\xeb-\xad\xbc\xd6'
)
self.assertEqual(
prfplus,
b'\xdbeb\x11F\xbf\xf2Y\xadC\xbd\xba\xc4\xe9\xdd\xf2\x10\x82\r\xd5\x85\xa6h2l\xcf\x98'
b'\xc9$\xd6\xc2\xc7\x12BJ\x0bi\xfd.w\xa2\x11\\\xf0\x89\xd5\x06\xcd\xf4\x81PH\x01\xbf'
b'\x95\xb0b\xe6J\x8cT\xab\x93L\xe5\x07\x86\xc0\xaa\x1a/\xb8J\xbfC\x85T\xb5\x1ddm{'
b'\x1cCqfx\x0f[\xb1\xd3\'\t\x92\\\xb9\xd7(SS')
def test_encrypted(self):
transform1 = Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA2_256_128)
transform2 = Transform(Transform.Type.ENCR,
Transform.EncrId.ENCR_AES_CBC, 256)
proposal1 = Proposal(1, Proposal.Protocol.IKE, b'aspiwhatever',
[transform1, transform2])
payload_sa = PayloadSA([proposal1])
payload_nonce = PayloadNONCE(b'123456789012341232132132131')
crypto = Crypto(
Cipher(
Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC,
256)), b'a' * 32,
Integrity(
Transform(Transform.Type.INTEG,
Transform.IntegId.AUTH_HMAC_SHA2_512_256)), b'a' * 8,
None, b'')
message = Message(spi_i=b'12345678',
spi_r=b'12345678',
major=2,
minor=0,
exchange_type=Message.Exchange.IKE_AUTH,
is_response=False,
can_use_higher_version=False,
is_initiator=False,
message_id=0,
payloads=[],
encrypted_payloads=[payload_sa, payload_nonce],
crypto=crypto)
data = message.to_bytes()
new_message = Message.parse(data, crypto=crypto)
data2 = new_message.to_bytes()
self.assertEqual(data, data2)
def test_encr(self):
transform = Transform(Transform.Type.ENCR,
Transform.EncrId.ENCR_AES_CBC, 256)
cipher = Cipher(transform)
iv = cipher.generate_iv()
original = b'Hello this is a long message' * cipher.block_size
ciphertext = cipher.encrypt(b'Mypassword121111' * 2, iv, original)
decrypted = cipher.decrypt(b'Mypassword121111' * 2, iv, ciphertext)
decrypted2 = cipher.decrypt(b'Mypassword121112' * 2, iv, ciphertext)
self.assertEqual(cipher.block_size, 16)
self.assertEqual(cipher.key_size, 32)
self.assertEqual(original, decrypted)
self.assertNotEqual(ciphertext, decrypted)
self.assertNotEqual(decrypted, decrypted2)
def test_not_eq(self):
another = Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC,
256)
self.assertNotEqual(self.object, another)
from crypto import RsaPrivateKey, RsaPublicKey
from message import PayloadID, Proposal, TrafficSelector, Transform
__author__ = 'Alejandro Perez-Mendez <*****@*****.**>'
class ConfigurationError(Exception):
pass
class ConfigurationNotFound(ConfigurationError):
pass
_encr_name_to_transform = {
'aes128': Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC,
128),
'aes256': Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC,
256),
}
_integ_name_to_transform = {
'sha256':
Transform(Transform.Type.INTEG, Transform.IntegId.AUTH_HMAC_SHA2_256_128),
'sha512':
Transform(Transform.Type.INTEG, Transform.IntegId.AUTH_HMAC_SHA2_512_256),
'sha1':
Transform(Transform.Type.INTEG, Transform.IntegId.AUTH_HMAC_SHA1_96),
}
_prf_name_to_transform = {
'sha1': Transform(Transform.Type.PRF, Transform.PrfId.PRF_HMAC_SHA1),
def setUp(self):
super(TestTransformWithKeylen, self).setUp()
self.object = Transform(Transform.Type.ENCR,
Transform.EncrId.ENCR_AES_CBC, 128)
def setUp(self):
super(TestTransformWithoutKeylen, self).setUp()
self.object = Transform(Transform.Type.PRF,
Transform.PrfId.PRF_HMAC_SHA1)
import xfrm
from message import PayloadID, Proposal, TrafficSelector, Transform
__author__ = 'Alejandro Perez-Mendez <*****@*****.**>'
class ConfigurationError(Exception):
pass
class ConfigurationNotFound(ConfigurationError):
pass
_encr_name_to_transform = {
'aes128': Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC, 128),
'aes256': Transform(Transform.Type.ENCR, Transform.EncrId.ENCR_AES_CBC, 256),
}
_integ_name_to_transform = {
'sha256': Transform(Transform.Type.INTEG, Transform.IntegId.AUTH_HMAC_SHA2_256_128),
'sha512': Transform(Transform.Type.INTEG, Transform.IntegId.AUTH_HMAC_SHA2_512_256),
'sha1': Transform(Transform.Type.INTEG, Transform.IntegId.AUTH_HMAC_SHA1_96),
}
_prf_name_to_transform = {
'sha1': Transform(Transform.Type.PRF, Transform.PrfId.PRF_HMAC_SHA1),
'sha256': Transform(Transform.Type.PRF, Transform.PrfId.PRF_HMAC_SHA2_256),
'sha512': Transform(Transform.Type.PRF, Transform.PrfId.PRF_HMAC_SHA2_512),
}
