def register(team_name):
team_name = to_unicode(team_name)
log.info('updating subrepo')
SubRepo.pull()
log.info('registering new team: %s' % team_name)
team = Team(name=team_name)
if team.exists():
log.fail('team is already registered')
return False
log.info('generating encryption keypair')
crypt_pk, crypt_sk = pysodium.crypto_box_keypair()
log.info('generating signature keypair')
sign_pk, sign_sk = pysodium.crypto_sign_keypair()
team.update({'crypt_pk': crypt_pk,
'sign_pk': sign_pk})
team.validate()
team.save()
SubRepo.push(commit_message='Register team %s' % team_name)
log.success('team %s added successfully' % team_name)
write_team_secrets(team.id, crypt_sk, sign_sk)
return True
def create(self):
self.created = datetime.datetime.utcnow()
self.valid = datetime.datetime.utcnow() + datetime.timedelta(days=365)
self.mp, self.ms = nacl.crypto_sign_keypair()
self.sp, self.ss = nacl.crypto_sign_keypair()
self.cp, self.cs = nacl.crypto_box_keypair()
self.save()
def test_crypto_box_open(self):
m = b"howdy"
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c = pysodium.crypto_box(m, n, pk, sk)
plaintext = pysodium.crypto_box_open(c, n, pk, sk)
self.assertEqual(m, plaintext)
def initialize():
"""
Create a ~/.zkm directory with a config file inside.
The config file will hold our public key, secret key, and since value.
"""
if os.path.exists(ZKMDIR) is False:
print('[+] Creating ZKM configuration directory.')
os.mkdir(ZKMDIR, 0o750)
print('[+] Creating new keypair.')
our_public, our_secret = pysodium.crypto_box_keypair()
print('[+] Creating configuration file.')
config = {
b'public': base64.b64encode(our_public),
b'secret': base64.b64encode(our_secret),
b'since': b'1',
b'channel': b'default'
}
save_data(CONFIG, config)
os.chmod(CONFIG, 0o600)
print('[+] Creating contacts file.')
save_data(CONTACT, {})
os.chmod(CONTACT, 0o600)
else:
print('[-] ZKM configuration directory already exists.')
def create(self):
self.created = datetime.datetime.utcnow()
self.valid = datetime.datetime.utcnow() + datetime.timedelta(days=365)
self.mp, self.ms = nacl.crypto_sign_keypair()
self.sp, self.ss = nacl.crypto_sign_keypair()
self.cp, self.cs = nacl.crypto_box_keypair()
self.save()
def initialize():
"""
Create a ~/.zkm directory with a config file inside.
The config file will hold our public key, secret key, and since value.
"""
if os.path.exists(ZKMDIR) is False:
print('[+] Creating ZKM configuration directory.')
os.mkdir(ZKMDIR, 0o750)
print('[+] Creating new keypair.')
our_public, our_secret = pysodium.crypto_box_keypair()
print('[+] Creating configuration file.')
config = {b'public': base64.b64encode(our_public),
b'secret': base64.b64encode(our_secret),
b'since': b'1',
b'channel': b'default'}
save_data(CONFIG, config)
os.chmod(CONFIG, 0o600)
print('[+] Creating contacts file.')
save_data(CONTACT, {})
os.chmod(CONTACT, 0o600)
else:
print('[-] ZKM configuration directory already exists.')
def test_crypto_box_open(self):
m = b"howdy"
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c = pysodium.crypto_box(m, n, pk, sk)
plaintext = pysodium.crypto_box_open(c, n, pk, sk)
self.assertEqual(m, plaintext)
def test_crypto_box_open_detached(self):
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c, mac = pysodium.crypto_box_detached("howdy", n, pk, sk)
r = pysodium.crypto_box_open_detached(c, mac, n, pk, sk)
self.assertEqual(r, b"howdy")
changed = "\0"*len(c)
self.assertRaises(ValueError, pysodium.crypto_box_open_detached,changed, mac, n, pk, sk)
def test_crypto_box_open_detached(self):
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c, mac = pysodium.crypto_box_detached(b"howdy", n, pk, sk)
r = pysodium.crypto_box_open_detached(c, mac, n, pk, sk)
self.assertEqual(r, b"howdy")
changed = b"\0"*len(c)
self.assertRaises(ValueError, pysodium.crypto_box_open_detached,changed, mac, n, pk, sk)
def test_crypto_box_open_afternm(self):
m = b"howdy"
pk, sk = pysodium.crypto_box_keypair()
k = pysodium.crypto_box_beforenm(pk, sk)
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c = pysodium.crypto_box_afternm(m, n, k)
self.assertEqual(c, c)
plaintext = pysodium.crypto_box_open_afternm(c, n, k)
self.assertEqual(m, plaintext)
def test_crypto_box_open_afternm(self):
m = b"howdy"
pk, sk = pysodium.crypto_box_keypair()
k = pysodium.crypto_box_beforenm(pk, sk)
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c = pysodium.crypto_box_afternm(m, n, k)
self.assertEqual(c, c)
plaintext = pysodium.crypto_box_open_afternm(c, n, k)
self.assertEqual(m, plaintext)
def get_key():
s = QtCore.QSettings(SETTINGS_ORG, SETTINGS_APP)
pk = s.value(SETTINGS_PK_KEY)
sk = s.value(SETTINGS_SK_KEY)
ap = s.value(SETTINGS_APP_KEY)
if not (pk and sk):
pk, sk = pysodium.crypto_box_keypair()
s.setValue(SETTINGS_PK_KEY, QtCore.QByteArray(pk))
s.setValue(SETTINGS_SK_KEY, QtCore.QByteArray(sk))
s.sync()
return str(pk), str(sk), ap and str(ap)
def connectSocket():
try:
global sock, publicKey, secretKey
sock.connect(server_address)
except socket.error as msg:
sock.close()
sock = None
if sock is not None:
keypair = pysodium.crypto_box_keypair()
publicKey = base64.b64encode(keypair[0])
secretKey = base64.b64encode(keypair[1])
def test_box():
m = b"passwd"
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
print(n)
c = pysodium.crypto_box(m, n, pk, sk)
plaintext = pysodium.crypto_box_open(c, n, pk, sk)
print(plaintext)
def test0():
if not pysodium.sodium_version_check(1, 0, 9): return
pk, sk = pysodium.crypto_box_keypair()
#print(pk)
#print(sk)
p = binascii.hexlify(pk)
s = binascii.hexlify(sk)
print(p)
print(s)
c = pysodium.crypto_box_seal(b"passwd", pk)
print(binascii.hexlify(c))
print(pysodium.crypto_box_seal_open(c, pk, sk))
def main(self):
if sys.argv[1] != '-t':
sys.exit(1)
self.dest_ip = sys.argv[2].split(':')[0][1:-1]
self.dest_port = int(sys.argv[2].split(':')[1])
if sys.argv[3] != '-k':
sys.exit(1)
self.server_public = self.b64safe_bytes(sys.argv[4].encode('ascii') + b'=')
self.their_public = self.server_public
(self.client_public, self.client_secret) = pysodium.crypto_box_keypair()
self.our_secret = self.client_secret
self.mode = 'insecure'
self.send()
def open_interface(self, data):
print(f"data: {data}")
# create keypair
import pysodium
from base64 import b64encode
keys = pysodium.crypto_box_keypair()
# TODO: open interface
router = Router()
#self.gateway.router.interface.create(ifname=data['device_id'], ip='10.0.42.15/16', privatekey=b64encode(keys[1]),
# listenport=42001)
# new interface/wg control
router.interface.create(ifname=data['device_id'],
ip='10.0.42.15/16',
privatekey=b64encode(keys[1]),
listenport=42001)
# router.interface.addpeer(ifname=data['device_id'], publickey=data['wgpubkey'], endpointaddr=data['ip'], endpointport=42001, keepalive=10)
router.interface.addpeer(ifname=data['device_id'],
publickey=data['wgpubkey'],
keepalive=10,
allowedips={'0.0.0.0/0'})
# iptables for wg-interface
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
rule = iptc.Rule()
rule.out_interface = "tf-0815"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.insert_rule(rule)
chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING")
rule = iptc.Rule()
rule.out_interface = "eth0"
target = iptc.Target(rule, "MASQUERADE")
rule.target = target
chain.insert_rule(rule)
return b64encode(keys[0])
def generate(statedir):
try:
os.makedirs(statedir)
except Exception:
pass
print("[+] Generating shapeshifter parameters...")
public, private = pysodium.crypto_box_keypair()
priv_hex = binascii.b2a_hex(private)
pub_hex = binascii.b2a_hex(public)
node_id = os.urandom(20)
node_id_hex = binascii.b2a_hex(node_id)
drbg_seed = os.urandom(24)
def tostr(b):
return b.decode('utf-8')
with open(statedir + '/obfs4_state.json', 'w') as state:
state.write(
json.dumps({
'node-id': tostr(node_id_hex),
'private-key': tostr(priv_hex),
'public-key': tostr(pub_hex),
'drbg-seed': tostr(binascii.b2a_hex(drbg_seed)),
'iatMode': 0
}))
cert = base64.b64encode(node_id + public)
print("CERT:", cert)
with open(statedir + '/obfs4_cert.txt', 'w') as certf:
certf.write(tostr(cert).rstrip('='))
with open(statedir + '/obfs4_bridgeline.txt', 'w') as bridgef:
bridgef.write(BRIDGE_PREAMBLE + tostr(cert) + BRIDGE_END)
print("[+] done")
def test_pysodium():
"""
Test all the functions needed from pysodium libarary (libsodium)
"""
# crypto_sign signatures with Ed25519 keys
# create keypair without seed
verkey, sigkey = pysodium.crypto_sign_keypair()
assert len(verkey) == 32 == pysodium.crypto_sign_PUBLICKEYBYTES
assert len(sigkey) == 64 == pysodium.crypto_sign_SECRETKEYBYTES
assert 32 == pysodium.crypto_sign_SEEDBYTES
sigseed = pysodium.randombytes(pysodium.crypto_sign_SEEDBYTES)
assert len(sigseed) == 32
# seed = (b'J\xeb\x06\xf2BA\xd6/T\xe1\xe2\xe2\x838\x8a\x99L\xd9\xb5(\\I\xccRb\xc8\xd5\xc7Y\x1b\xb6\xf0')
# Ann's seed
sigseed = (
b'PTi\x15\xd5\xd3`\xf1u\x15}^r\x9bfH\x02l\xc6\x1b\x1d\x1c\x0b9\xd7{\xc0_\xf2K\x93`'
)
assert len(sigseed) == 32
# try key stretching from 16 bytes using pysodium.crypto_pwhash()
assert 16 == pysodium.crypto_pwhash_SALTBYTES
salt = pysodium.randombytes(pysodium.crypto_pwhash_SALTBYTES)
assert len(salt) == 16
# salt = b'\x19?\xfa\xc7\x8f\x8b\x7f\x8b\xdbS"$\xd7[\x85\x87'
# algorithm default is argon2id
sigseed = pysodium.crypto_pwhash(
outlen=32,
passwd="",
salt=salt,
opslimit=pysodium.crypto_pwhash_OPSLIMIT_INTERACTIVE,
memlimit=pysodium.crypto_pwhash_MEMLIMIT_INTERACTIVE,
alg=pysodium.crypto_pwhash_ALG_DEFAULT)
assert len(sigseed) == 32
# seed = (b'\xa9p\x89\x7f+\x0e\xc4\x9c\xf2\x01r\xafTI\xc0\xfa\xac\xd5\x99\xf8O\x8f=\x843\xa2\xb6e\x9fO\xff\xd0')
# creates signing/verification key pair from seed
verkey, sigkey = pysodium.crypto_sign_seed_keypair(sigseed)
assert len(verkey) == 32
assert len(sigkey) == 64
# sigkey is seed and verkey concatenated. Libsodium does this as an optimization
# because the signing scheme needs both the private key (seed) and the public key so
# instead of recomputing the public key each time from the secret key it requires
# the public key as an input of and instead of two separate inputs, one for the
# secret key and one for the public key, it uses a concatenated form.
# Essentially crypto_sign_seed_keypair and crypto_sign_keypair return redundant
# information in the duple (verkey, sigkey) because sigkey includes verkey
# so one could just store sigkey and extract verkey or sigseed when needed
# or one could just store verkey and sigseed and reconstruct sigkey when needed.
# crypto_sign_detached requires sigkey (sigseed + verkey)
# crypto_sign_verify_detached reqires verkey only
# https://crypto.stackexchange.com/questions/54353/why-are-nacl-secret-keys-64-bytes-for-signing-but-32-bytes-for-box
assert sigseed == sigkey[:32]
assert verkey == sigkey[32:]
assert sigkey == sigseed + verkey
# vk = (b'B\xdd\xbb}8V\xa0\xd6lk\xcf\x15\xad9\x1e\xa7\xa1\xfe\xe0p<\xb6\xbex\xb0s\x8d\xd6\xf5\xa5\xe8Q')
# utility function to extract seed from secret sigkey (really just extracting from front half)
assert sigseed == pysodium.crypto_sign_sk_to_seed(sigkey)
assert 64 == pysodium.crypto_sign_BYTES
msg = "The lazy dog jumped over the river"
msgb = msg.encode(
"utf-8") # must convert unicode string to bytes in order to sign it
assert msgb == b'The lazy dog jumped over the river'
sig = pysodium.crypto_sign_detached(msgb, sigseed +
verkey) # sigkey = seed + verkey
assert len(sig) == 64
"""
sig = (b"\x99\xd2<9$$0\x9fk\xfb\x18\xa0\x8c@r\x122.k\xb2\xc7\x1fp\x0e'm\x8f@"
b'\xaa\xa5\x8c\xc8n\x85\xc8!\xf6q\x91p\xa9\xec\xcf\x92\xaf)\xde\xca'
b'\xfc\x7f~\xd7o|\x17\x82\x1d\xd4<o"\x81&\t')
"""
#siga = pysodium.crypto_sign(msg.encode("utf-8"), sk)[:pysodium.crypto_sign_BYTES]
#assert len(siga) == 64
#assert sig == siga
try: # verify returns None if valid else raises ValueError
result = pysodium.crypto_sign_verify_detached(sig, msgb, verkey)
except Exception as ex:
assert False
assert not result
assert result is None
sigbad = sig[:-1]
sigbad += b'A'
try: # verify returns None if valid else raises ValueError
result = pysodium.crypto_sign_verify_detached(sigbad, msgb, verkey)
except Exception as ex:
assert True
assert isinstance(ex, ValueError)
# crypto_box authentication encryption with X25519 keys
apubkey, aprikey = pysodium.crypto_box_keypair()
assert len(apubkey) == 32 == pysodium.crypto_box_SECRETKEYBYTES
assert len(aprikey) == 32 == pysodium.crypto_box_PUBLICKEYBYTES
repubkey = pysodium.crypto_scalarmult_curve25519_base(aprikey)
assert repubkey == apubkey
assert 32 == pysodium.crypto_box_SEEDBYTES
boxseed = pysodium.randombytes(pysodium.crypto_box_SEEDBYTES)
assert len(boxseed) == 32
bpubkey, bprikey = pysodium.crypto_box_seed_keypair(boxseed)
assert len(bpubkey) == 32
assert len(bprikey) == 32
repubkey = pysodium.crypto_scalarmult_curve25519_base(bprikey)
assert repubkey == bpubkey
assert 24 == pysodium.crypto_box_NONCEBYTES
nonce = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
assert len(nonce) == 24
# nonce = b'\x11\xfbi<\xf2\xb6k\xa05\x0c\xf9\x86t\x07\x8e\xab\x8a\x97nG\xe8\x87,\x94'
atob_tx = "Hi Bob I'm Alice"
atob_txb = atob_tx.encode("utf-8")
# Detached recomputes shared key every time.
# A encrypt to B
acrypt, amac = pysodium.crypto_box_detached(atob_txb, nonce, bpubkey,
aprikey)
amacl = pysodium.crypto_box_MACBYTES
assert amacl == 16
# amac = b'\xa1]\xc6ML\xe2\xa9:\xc0\xdc\xab\xa5\xc4\xc7\xf4\xdb'
# acrypt = (b'D\n\x17\xb6z\xd8+t)\xcc`y\x1d\x10\x0cTC\x02\xb5@\xe2\xf2\xc9-(\xec*O\xb8~\xe2\x1a\xebO')
# when transmitting prepend amac to crypt
acipher = pysodium.crypto_box(atob_txb, nonce, bpubkey, aprikey)
assert acipher == amac + acrypt
atob_rxb = pysodium.crypto_box_open_detached(acrypt, amac, nonce, apubkey,
bprikey)
atob_rx = atob_rxb.decode("utf-8")
assert atob_rx == atob_tx
assert atob_rxb == atob_txb
atob_rxb = pysodium.crypto_box_open(acipher, nonce, apubkey, bprikey)
atob_rx = atob_rxb.decode("utf-8")
assert atob_rx == atob_tx
assert atob_rxb == atob_txb
btoa_tx = "Hello Alice I am Bob"
btoa_txb = btoa_tx.encode("utf-8")
# B encrypt to A
bcrypt, bmac = pysodium.crypto_box_detached(btoa_txb, nonce, apubkey,
bprikey)
# bmac = b'\x90\xe07=\xd22\x8fh2\xff\xdd\x84tC\x053'
# bcrypt = (b'8\xb5\xba\xe7\xcc\xae B\xefx\xe6{U\xf7\xefA\x00\xc7|\xdbu\xcfc\x01$\xa9\xa2P\xa7\x84\xa5\xae\x180')
# when transmitting prepend amac to crypt
bcipher = pysodium.crypto_box(btoa_txb, nonce, apubkey, bprikey)
assert bcipher == bmac + bcrypt
btoa_rxb = pysodium.crypto_box_open_detached(bcrypt, bmac, nonce, bpubkey,
aprikey)
btoa_rx = btoa_rxb.decode("utf-8")
assert btoa_rx == btoa_tx
assert btoa_rxb == btoa_txb
btoa_rxb = pysodium.crypto_box_open(bcipher, nonce, bpubkey, aprikey)
btoa_rx = btoa_rxb.decode("utf-8")
assert btoa_rx == btoa_tx
assert btoa_rxb == btoa_txb
# compute shared key
asymkey = pysodium.crypto_box_beforenm(bpubkey, aprikey)
bsymkey = pysodium.crypto_box_beforenm(apubkey, bprikey)
assert asymkey == bsymkey
acipher = pysodium.crypto_box_afternm(atob_txb, nonce, asymkey)
atob_rxb = pysodium.crypto_box_open_afternm(acipher, nonce, bsymkey)
assert atob_rxb == atob_txb
bcipher = pysodium.crypto_box_afternm(btoa_txb, nonce, bsymkey)
btoa_rxb = pysodium.crypto_box_open_afternm(bcipher, nonce, asymkey)
assert btoa_rxb == btoa_txb
# crypto_box_seal public key encryption with X25519 keys
# uses same X25519 type of keys as crypto_box authenticated encryption
# so when converting sign key Ed25519 to X25519 can use for both types of encryption
pubkey, prikey = pysodium.crypto_box_keypair()
assert len(pubkey) == 32 == pysodium.crypto_box_PUBLICKEYBYTES
assert len(prikey) == 32 == pysodium.crypto_box_SECRETKEYBYTES
assert 48 == pysodium.crypto_box_SEALBYTES
msg_txb = "Catch me if you can.".encode("utf-8")
assert msg_txb == b'Catch me if you can.'
cipher = pysodium.crypto_box_seal(msg_txb, pubkey)
assert len(cipher) == 48 + len(msg_txb)
msg_rxb = pysodium.crypto_box_seal_open(cipher, pubkey, prikey)
assert msg_rxb == msg_txb
# convert Ed25519 key pair to X25519 key pair
# https://blog.filippo.io/using-ed25519-keys-for-encryption/
# https://libsodium.gitbook.io/doc/advanced/ed25519-curve25519
# crypto_sign_ed25519_pk_to_curve25519
# crypto_sign_ed25519_sk_to_curve25519
pubkey = pysodium.crypto_sign_pk_to_box_pk(verkey)
assert len(pubkey) == pysodium.crypto_box_PUBLICKEYBYTES
prikey = pysodium.crypto_sign_sk_to_box_sk(sigkey)
assert len(prikey) == pysodium.crypto_box_SECRETKEYBYTES
repubkey = pysodium.crypto_scalarmult_curve25519_base(prikey)
assert repubkey == pubkey
msg_txb = "Encoded using X25519 key converted from Ed25519 key".encode(
"utf-8")
cipher = pysodium.crypto_box_seal(msg_txb, pubkey)
assert len(cipher) == 48 + len(msg_txb)
msg_rxb = pysodium.crypto_box_seal_open(cipher, pubkey, prikey)
assert msg_rxb == msg_txb
"""
print "%s" % decryptedmessage
message = "w" + str(int(decryptedmessage[10:13])
) + ",0" + "C" * random.randint(10, 3000)
except:
message = "c7"
s.send(encrypt_message(nonce, server_pub, client_priv, message))
size = s.recv(4)
size = struct.unpack("<I", size)[0]
data = s.recv(size)
try:
print "%s" % decrypt_message(server_pub, client_priv, data)
except:
print data
client_pub, client_priv = pysodium.crypto_box_keypair()
nonce = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
server_pub = s.recv(BUFFER_SIZE)
s.send(str(client_pub))
thread1 = myThread(1, "first", 1000, s)
thread2 = myThread(2, "second", 10, s)
thread3 = myThread(3, "third", 1, s)
thread1.start()
#thread2.start()
#thread3.start()
def openInterface(data):
# POSTFIX = "gw"
POSTFIX = ""
print(f"data: {data}")
# TODO: create wg keys
# TODO: replace subprocess !!!
# import subprocess
# subprocess.call(f"wg genkey | tee privatekey+{data['device_id']} | wg pubkey > publickey+{data['device_id']}", shell=True)
# with open(f"privatekey+{data['device_id']}", 'r') as f:
# priv = f.read()
# print(f"PRIV: {priv}")
# f.close()
# with open(f"publickey+{data['device_id']}", 'r') as f:
# pub = f.read()
# print(f"PUB: {pub}")
# f.close()
# subprocess.call(f"rm privatekey+{data['device_id']} && rm publickey+{data['device_id']}", shell=True)
import pysodium
from base64 import b64encode
keys = pysodium.crypto_box_keypair()
priv = b64encode(keys[1])
pub = b64encode(keys[0])
# TODO: open interface
router = Router()
router.device_id = data['device_id'] + POSTFIX
print(f"{data}")
router.dev.link('add',
ifname=data['device_id'] + POSTFIX,
kind='wireguard')
idx = router.dev.link_lookup(ifname=data['device_id'] + POSTFIX)[0]
print(f"IDX: {idx}")
# router.dev.addr('add', index=idx, address='192.168.42.50', mask=24)
router.dev.addr('add',
index=idx,
local='192.168.42.50',
mask=32,
address='192.168.100.10')
print(f"setup config")
cfg = {
"interface":
data['device_id'] + POSTFIX,
"listen_port":
42001,
"private_key":
priv,
"peers": [{
"public_key": data["wgpubkey"],
"allowed_ips": ["0.0.0.0/0"]
}]
}
router.wg.set_device(ifname=data['device_id'] + POSTFIX,
config=cfg)
print(f"clientpubkey: {len(data['wgpubkey'])}")
print(f"clientpubkey: {data['wgpubkey']}")
router.dev.link('set', index=idx, state='up')
# iptables for wg-interface
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
rule = iptc.Rule()
rule.out_interface = "tf_gateone"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.insert_rule(rule)
chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING")
rule = iptc.Rule()
rule.out_interface = "eth0"
target = iptc.Target(rule, "MASQUERADE")
rule.target = target
chain.insert_rule(rule)
return pub
def test_crypto_box_seal(self):
if not pysodium.sodium_version_check(1, 0, 3): return
pk, sk = pysodium.crypto_box_keypair()
c = pysodium.crypto_box_seal(b"howdy", pk)
self.assertEqual(pysodium.crypto_box_seal_open(c, pk, sk), b'howdy')
def test_crypto_box_open_detached(self):
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c, mac = pysodium.crypto_box_detached("howdy", n, pk, sk)
pysodium.crypto_box_open_detached(c, mac, n, pk, sk)
def test_crypto_box_pk_from_sk(self):
pk1, sk = pysodium.crypto_box_keypair()
pk2 = pysodium.crypto_scalarmult_curve25519_base(sk)
self.assertEqual(pk1, pk2)
encrypted = nonce + "\x00"*16 + encrypted
length = struct.pack("<I", len(encrypted))
return length+encrypted
def decrypt_message(public_key, secret_key, message):
decrypted = pysodium.crypto_box_open(message[40:], message[0:24], public_key, secret_key)
return decrypted
TCP_IP = '10.0.0.1'
TCP_PORT = 20008
BUFFER_SIZE = 1024
client_pub, client_priv = pysodium.crypto_box_keypair()
nonce = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
server_pub = s.recv(BUFFER_SIZE)
s.send(str(client_pub))
message = "o0777lib/i386-linux-gnu/libgcc_s.so.1"
s.send(encrypt_message(nonce, server_pub, client_priv, message))
size = s.recv(4)
size = struct.unpack("<I", size)[0]
data = s.recv(size)
try:
decryptedmessage = decrypt_message(server_pub, client_priv, data)
def _generate_and_store_receiver_key(self, receiver_key_filename):
self.receiver_pub_key, sk = pysodium.crypto_box_keypair()
#we don't care about the sk
self._store_key(self.receiver_pub_key, receiver_key_filename + ".pub")
self._store_key(sk, receiver_key_filename)
def test_crypto_box_pk_from_sk(self):
pk1, sk = pysodium.crypto_box_keypair()
pk2 = pysodium.crypto_scalarmult_curve25519_base(sk)
self.assertEqual(pk1, pk2)
def test_crypto_box_open(self):
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c = pysodium.crypto_box(b"howdy", n, pk, sk)
pysodium.crypto_box_open(c, n, pk, sk)
def test_crypto_box_seal(self):
if not pysodium.sodium_version_check(1, 0, 3): return
pk, sk = pysodium.crypto_box_keypair()
c = pysodium.crypto_box_seal(b"howdy", pk)
self.assertEqual(pysodium.crypto_box_seal_open(c, pk, sk), b'howdy')
def gen_byte_keys(self):
k = pysodium.crypto_box_keypair()
self.private_wg_key = k[0]
self.public_wg_key = k[1]
def gen_b64_keys(self):
k = pysodium.crypto_box_keypair()
self.private_wg_key = b64encode(k[0])
self.public_wg_key = b64encode(k[1])
import pysodium
from base64 import b64encode, b64decode
private_key = pysodium.crypto_box_keypair()
public_key = pysodium.crypto_box_keypair()
print("Private Key:", private_key)
print("Public Key:", b64encode(public_key[0]), b64encode(public_key[1]))
def create_keypair():
"""Return (public key, private key)"""
return pysodium.crypto_box_keypair()
def test_crypto_box_seal(self):
pk, sk = pysodium.crypto_box_keypair()
c = pysodium.crypto_box_seal(b"howdy", pk)
self.assertEqual(pysodium.crypto_box_seal_open(c, pk, sk), b'howdy')
def test_crypto_box_seal(self):
pk, sk = pysodium.crypto_box_keypair()
c = pysodium.crypto_box_seal(b"howdy", pk)
self.assertEqual(pysodium.crypto_box_seal_open(c, pk, sk), b'howdy')
def test_crypto_box_open(self):
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c = pysodium.crypto_box(b"howdy", n, pk, sk)
pysodium.crypto_box_open(c, n, pk, sk)
def test_crypto_box_open_detached(self):
pk, sk = pysodium.crypto_box_keypair()
n = pysodium.randombytes(pysodium.crypto_box_NONCEBYTES)
c, mac = pysodium.crypto_box_detached("howdy", n, pk, sk)
pysodium.crypto_box_open_detached(c, mac, n, pk, sk)
def main(self):
if sys.argv[1] != '-d':
sys.exit(1)
if sys.argv[2] != '-s':
sys.exit(1)
self.source_ip = sys.argv[3].split(':')[0][1:-1]
self.source_port = int(sys.argv[3].split(':')[1])
if sys.argv[4] != '-t':
sys.exit(1)
self.dest_ip = sys.argv[5].split(':')[0][1:-1]
self.dest_port = int(sys.argv[5].split(':')[1])
(self.server_public, self.our_secret) = pysodium.crypto_box_keypair()
client_sock = self.bind(self.source_ip, self.source_port)
# In future the upload-to-E service will read the certificates
# from S's stdout one-per-line, uploading when a new one is
# spotted. S will continue to understand the old configuration
# during a grace period, for those clients who could not
# possibly have known of the new configuration.
# This would be some minutes for the cert to be uploaded to E,
# plus the cache TTL of E, which might range from a couple of
# minutes to a day or more. The rekey period should be chosen
# with the TTL in mind.
print("Added key: " + self.bytes_b64safe(self.server_public).decode('ascii')[:-1])
print("Added port: " + str(client_sock.getsockname()[1]))
sys.stdout.flush()
print("Type commands to administer, or \"help\" for more information.", file=sys.stderr)
print("> ", end='', file=sys.stderr)
sys.stderr.flush()
fd = sys.stdin.fileno()
fl = fcntl.fcntl(fd, fcntl.F_GETFL)
fcntl.fcntl(fd, fcntl.F_SETFL, fl | os.O_NONBLOCK)
try:
while True:
try:
backend_socks = []
for tunnel in self.get_tunnels().values():
backend_socks += tunnel.get_opened_connections().values()
(rready, wready, xready) = select.select([sys.stdin] + [client_sock] + backend_socks, [], [])
if sys.stdin in rready:
if not self.handle_command():
break
elif client_sock in rready:
self.receive_packet(client_sock)
else:
for r in rready:
for tunnel in self.get_tunnels().values():
if r in tunnel.get_opened_connections().values():
tunnel.backend_receive(r)
except KeyboardInterrupt:
break
finally:
client_sock.close()
