def testSigs(self):
RR = self.hi.pack()
hi2 = HI(Rec=RR)
#hi2.genKey()
str = 'this is a fairly long test string'
sig = self.hi.sign(str)
hi2.verify(str, sig)
def setUp(self):
# do this so we have something constant to work with
self.hi = HI(List=(
0x4db6e03ca8bf11ba15aed05d913339d8b4824073dafc211c8f7db6d2ce48c75770a2375068da6ae878429bafa0f525cf10dcbd23f3caf396276b023803ac35a5,
0x00a64bc37a17edc7c2adfb7191b1890481c2aab14eadb9ef9040e14e158b026ccabfdebc4810a934ab53ea1df89df81b0c884638145985e41aa680601febe57db7,
0x00d0d199d0645774f2e1ff473df343adf196df57f0ef275f59cec0e129747134dc37e8cb3895bf5864c9c9d429622039291f1f2c5c46a4d2f91d781d9e7c61813d,
0x00963b3c5ec2880fa38feb771321dffec8156a03cf,
0x2d10761d29b55f5e1cfa0baf9a12286efeb0139d))
def testSignVerify(self):
self.hi = HI()
self.hi.genKey()
#str = 'stuff, stuff, and more stuff'
str = self.hi.pack()
sig = self.hi.sign(str)
v = self.hi.verify(str, sig)
self.failUnless(v)
str += 'gibberish'
self.failUnless(not self.hi.verify(str, sig))
def input(self, machine, header, RRset):
bod = RRsetToAttrs(RRset,
[(HIP_REC_KEY, 'keylist'),
(HIP_REC_HIP_CNTLS, 'controls'),
],
Body())
newHIT = bod.keylist.pop(0)
newHI = HI(Rec=bod.keylist.pop(0))
if newHI.HIT127() == newHIT:
HI.HITable[newHIT] = newHI
def CMD_loadhi(self, sk, args):
RR = args[0]
hi2 = HI.HI(Rec=unhexlify(RR))
if len(args) > 1:
hit = unhexlify(args[1])
else:
hit = hi2.HIT127()
HI.HI.HITable[hit] = hi2
return 'Loaded HI with HIT %s.' % (hexlify(hit))
def testKeyGen(self):
self.hi = HI()
#self.failUnlessRaises( DSA.DSAError, self.hi.pack )
#self.hi.genKey()
self.failUnless(self.hi.pack())
def testGen(self):
hi = HI()
class HITests(unittest.TestCase):
def setUp(self):
# do this so we have something constant to work with
self.hi = HI(List=(
0x4db6e03ca8bf11ba15aed05d913339d8b4824073dafc211c8f7db6d2ce48c75770a2375068da6ae878429bafa0f525cf10dcbd23f3caf396276b023803ac35a5,
0x00a64bc37a17edc7c2adfb7191b1890481c2aab14eadb9ef9040e14e158b026ccabfdebc4810a934ab53ea1df89df81b0c884638145985e41aa680601febe57db7,
0x00d0d199d0645774f2e1ff473df343adf196df57f0ef275f59cec0e129747134dc37e8cb3895bf5864c9c9d429622039291f1f2c5c46a4d2f91d781d9e7c61813d,
0x00963b3c5ec2880fa38feb771321dffec8156a03cf,
0x2d10761d29b55f5e1cfa0baf9a12286efeb0139d))
# actually, test the test framework...
def testNothing(self):
pass
def testGen(self):
hi = HI()
# def testFile(self):
# hi=HI('dsa.priv.pem')
## def testListLoad(self):
## # actual load is done in setUp()
## self.failUnless( self.dsa.y == 0x4db6e03ca8bf11ba15aed05d913339d8b4824073dafc211c8f7db6d2ce48c75770a2375068da6ae878429bafa0f525cf10dcbd23f3caf396276b023803ac35a5 )
## # ok, so we got the right number.
## def testBN2nbo(self):
## bn=m2.dsa_get_p(self.hi.dsa.dsa)
## # Now convert it to +ve network byte order.
## # just chop off first five bytes 'cause this one is positive.
## assert( BN2nbo(bn) == bn[5:] )
## # now make up a negative number
## bn2 = "\x00\x00\x00A\xff\xd0\xd1\x99\xd0dWt\xf2\xe1\xffG=\xf3C\xad\xf1\x96\xdfW\xf0\xef\'_Y\xce\xc0\xe1)tq4\xdc7\xe8\xcb8\x95\xbfXd\xc9\xc9\xd4)b 9)\x1f\x1f,\\F\xa4\xd2\xf9\x1dx\x1d\x9e|a\x81="
## # now chop off first FOUR bytes
## # note this now means can't distinguish -ve from +ve w/ 1st bit set.
## # must find a better way if this is ever a problem
## assert( BN2nbo(bn2) == bn2[4:] )
def testPack(self):
# RFC2535: 0x0200 flags,
# 0xff protocol (or IANA HIP value)
# 0x03 algorithm DSA (mandatory)
# RFC2536: t=0x00, q p g y
RR = self.hi.pack()
#assert( len(RR) == 4 + 1 + 20 + (64 * 3) )
#assert( RR[:4] == '\x02\x00\xff\x03' )
#assert( RR[4] == '\x00' )
def testUnPack(self):
# RFC2535: 0x0200 flags,
# 0xff protocol (or IANA HIP value)
# 0x03 algorithm DSA (mandatory)
# RFC2536: t=0x00, q p g y
RR = self.hi.pack()
hi2 = self.hi
hi2.unpack(RR)
assert (hi2.dsa.y == self.hi.dsa.y)
def testSigs(self):
RR = self.hi.pack()
hi2 = HI(Rec=RR)
#hi2.genKey()
str = 'this is a fairly long test string'
sig = self.hi.sign(str)
hi2.verify(str, sig)
def testUnPackASN1(self):
# RFC2535: 0x0200 flags,
# 0xff protocol (or IANA HIP value)
# 0x03 algorithm DSA (mandatory)
# RFC2536: t=0x00, q p g y
RR = self.hi.packASN1()
hi2 = self.hi
hi2.unpackASN1(RR)
assert (hi2.dsa.y == self.hi.dsa.y)
def testHIT127(self):
assert (hexlify(
self.hi.HIT127()) == '693b77c49c6f6964dae3f9e43a216e93')
def testKeyGen(self):
self.hi = HI()
#self.failUnlessRaises( DSA.DSAError, self.hi.pack )
#self.hi.genKey()
self.failUnless(self.hi.pack())
def testSignVerify(self):
self.hi = HI()
self.hi.genKey()
#str = 'stuff, stuff, and more stuff'
str = self.hi.pack()
sig = self.hi.sign(str)
v = self.hi.verify(str, sig)
self.failUnless(v)
str += 'gibberish'
self.failUnless(not self.hi.verify(str, sig))
import unittest
import Queue
from HIPState import *
from HIPMessage import *
import struct
from M2Crypto import DH, Rand, DSA
import m2
from HI import *
testHI = HI('hi.priv.pem')
class junk:
pass
class HIPTests(unittest.TestCase):
def setUp(self):
self.SM = StateMachine(state=E0, HI=testHI)
self.SM.setFQDN('1234')
self.SM.localHIT = self.SM.HI.pack()
self.SM.remoteHIT = '\xde\xad\xbe\xef\xde\xad\xbe\xef'
self.SM.DH = DH.load_params('dh512.pem')
def testBN2nbo(self):
bn = m2.dh_get_p(self.SM.DH.dh)
# Now convert it to +ve network byte order.
# just chop off first five bytes 'cause this one is positive.
assert (BN2nbo(bn) == bn[5:])
assert (nbo2BN(BN2nbo(bn)) == bn)
## def testPackXfrm(self):
def input(self, machine, header, RRset):
bod = RRsetToAttrs(RRset,
[(HIP_REC_HIP_COOKIE, 'cookie'),
(HIP_REC_HIP_CNTLS, 'controls'),
(HIP_REC_BIRTHDAY, 'birthday'),
(HIP_REC_HIP_TRANSFORM,
'hipXfrmList'),
(HIP_REC_ESP_TRANSFORM,
'ESPXfrmList'),
# we're going to get a two element list
(HIP_REC_KEY, 'keylist')
],
Body())
# todo: handle controls
machine.remoteHI = HI(Rec=bod.keylist.pop(0))
machine.Cookie.stored = bod.cookie.pop()
remoteBirthday = unpack('!L', bod.birthday.pop())[0]
if hasattr(machine,'remoteBirthday'):
if machine.remoteBirthday <> remoteBirthday:
# it rebooted, bang it on the head
# not right.
#machine.send(I2)
pass
machine.remoteBirthday = remoteBirthday
# in both cases, take the first we support
try:
machine.hipXfrm = [x[1]
for x in bod.hipXfrmList.pop()
if x[1] in machine.hipXfrmList][0]
machine.ESPXfrm = [x[1]
for x in bod.ESPXfrmList.pop()
if x[1] in machine.ESPXfrmList][0]
except IndexError:
raise HIPUnpackError, 'Remote requested unsupported transform'
# allocate LSI
machine.remoteLSI = pack('!L', StateMachine.LSIgen.next())
# allocate SPI
machine.remoteSPI = pack('!L', StateMachine.SPIgen.next())
# Extract HIP keymat. We're initiator.
machine.keygenerator=self.unpackDH(machine,
bod.keylist.pop(0),
machine.localHIT,
machine.remoteHIT,
1)
kl = machine.hipXfrmKeyLens[machine.hipXfrm]
machine.hipkey = ''.join(map(apply,
[machine.keygenerator.next]*kl))
machine.remotehipkey = ''.join(map(apply,
[machine.keygenerator.next]*kl))
# extract ESP keys and set up SA
machine.ESPalg = machine.ESPalgTags[machine.ESPXfrm]
(alg, keylen, blocksize,
authalg, authkeylen, authlen) = ESP.ESPAlgTable[machine.ESPalg]
machine.ESPkey = ''.join(map(apply,
[machine.keygenerator.next]*keylen))
machine.ESPauthkey = ''.join(map(apply,
[machine.keygenerator.next]*authkeylen))
machine.remoteESPkey = ''.join(map(apply,
[machine.keygenerator.next]*keylen))
machine.remoteESPauthkey = ''.join(map(apply,
[machine.keygenerator.next]*authkeylen))
machine.remoteESP = ESP.SPI(SPI=machine.remoteSPI,
key=machine.remoteESPkey,
iv=Rand.rand_bytes(blocksize),
authkey=machine.remoteESPauthkey,
algname=machine.ESPalg)
machine.remoteESP.machine = weakref.proxy(machine)
return 1
def testConversation(self):
hi1=HI()
hi2=HI()
hi1.genKey()
hi2.genKey()
HI.HITable[hi1.HIT127()] = hi1
HI.HITable[hi2.HIT127()] = hi2
sm1=StateMachine(HI=hi1)
sm2=StateMachine(HI=hi2)
def smsetup(sm):
# this is Oakley group 5, actually.
sm.DH = DH.construct((241031242692103258855207602219756607485695054850245994265416941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919,
2))
sm.DH.gen_key(RandomPool.get_bytes)
sm.DH.groupid = 3
sm.localHIT = sm.HI.HIT127()
sm.trace = 1
sm1.remoteHIT=unhexlify('00000000000000000000000000000000')
sm2.remoteHIT=unhexlify('00000000000000000000000000000000')
smsetup(sm1)
smsetup(sm2)
sm1.setstate(E0)
sm2.setstate(E1)
# sm1 needs to derive this.
#sm1.remoteHIT=sm2.localHIT
# use this if we have it - but we don't
#sm2.remoteHIT=sm1.localHIT
sm1.setFQDN('1.test.com')
sm2.setFQDN('2.test.net')
sm1.rekeying = 0
sm2.rekeying = 0
# send a BOS
p1 = []
## p2 = [(BOS, None)]
## #p2 = [(I1, None)]
## while p1 or p2:
## while p2:
## p=p2.pop(0)[0]
## pkt2=p.pack(sm2)
## print "sm2", sm2.FQDN, 'sent', str(p), "state", str(sm2.state)
## print hexlify(pkt2)
## packetDump(pkt2)
## sm1.input(pkt2)
## try:
## p1=[sm1.emit()]
## except:
## p1=[]
## try:
## while 1:
## p1.append(sm1.emit())
## except:
## pass
## while p1:
## p=p1.pop(0)[0]
## pkt1=p.pack(sm1)
## print "sm1", sm1.FQDN, 'sent', str(p), "state", str(sm1.state)
## print hexlify(pkt1)
## packetDump(pkt1)
## sm2.input(pkt1)
## try:
## p2=[sm2.emit()]
## except:
## p2 = []
## try:
## while 1:
## p2.append(sm2.emit())
## except:
## pass
## print "sm2", sm2.FQDN, "state", str(sm2.state)
## self.failUnless( sm2.state == E1 )
# Standard 4-packet exchange
p2=[(I1, None)]
while p1 or p2:
while p2:
print p2
p=p2.pop(0)[0]
pkt2=p.pack(sm2)
print "sm2", sm2.FQDN, 'sent', str(p), "state", str(sm2.state)
print hexlify(pkt2)
packetDump(pkt2)
sm1.input(pkt2)
try:
p1=[sm1.emit()]
except:
p1=[]
try:
while 1:
p1.append(sm1.emit())
except:
pass
while p1:
p=p1.pop(0)[0]
pkt1=p.pack(sm1)
print "sm1", sm1.FQDN, 'sent', str(p), "state", str(sm1.state)
print hexlify(pkt1)
packetDump(pkt1)
sm2.input(pkt1)
try:
p2=[sm2.emit()]
except:
p2 = []
try:
while 1:
p2.append(sm2.emit())
except:
pass
print "sm2", sm2.FQDN, "state", str(sm2.state)
print "sm1:", pformat(sm1.__dict__)
print "sm2:", pformat(sm2.__dict__)
self.failUnless( sm2.state == E3 )
## # test REA
## p2=[(REA, None)]
## #sm2.localIPs = [(10, 1, 6, '', ('fe80::220:e0ff:fe67:a4bf', 0, 0, 2))]
## sm2.interfaces = ifdict
## sm2.Interface = 2
## sm2.newspi=1234
## sm2.nextkeyind = 3
## sm2.nextreaid = 4
## while p1 or p2:
## while p2:
## print p2
## p=p2.pop(0)[0]
## pkt2=p.pack(sm2)
## print "sm2", sm2.FQDN, 'sent', str(p), "state", str(sm2.state)
## print hexlify(pkt2)
## packetDump(pkt2)
## sm1.input(pkt2)
## try:
## p1=[sm1.emit()]
## except:
## p1=[]
## try:
## while 1:
## p1.append(sm1.emit())
## except:
## pass
## while p1:
## p=p1.pop(0)[0]
## pkt1=p.pack(sm1)
## print "sm1", sm1.FQDN, 'sent', str(p), "state", str(sm1.state)
## print hexlify(pkt1)
## packetDump(pkt1)
## sm2.input(pkt1)
## try:
## p2=[sm2.emit()]
## except:
## p2 = []
## try:
## while 1:
## p2.append(sm2.emit())
## except:
## pass
## print "sm2", sm2.FQDN, "state", str(sm2.state)
## self.failUnless( sm1.remoteESP.SNCallbacks )
# test NES
p2 = [(NES, None)]
sm2.rekeying = 1
savedkey = sm2.ESPkey
smsetup(sm1)
smsetup(sm2)
while p1 or p2:
while p2:
print p2
p=p2.pop(0)[0]
pkt2=p.pack(sm2)
print "sm2", sm2.FQDN, 'sent', str(p), "state", str(sm2.state)
print hexlify(pkt2)
packetDump(pkt2)
sm1.input(pkt2)
try:
p1=[sm1.emit()]
except:
p1=[]
try:
while 1:
p1.append(sm1.emit())
except:
pass
while p1:
p=p1.pop(0)[0]
pkt1=p.pack(sm1)
print "sm1", sm1.FQDN, 'sent', str(p), "state", str(sm1.state)
print hexlify(pkt1)
packetDump(pkt1)
sm2.input(pkt1)
try:
p2=[sm2.emit()]
except:
p2 = []
try:
while 1:
p2.append(sm2.emit())
except:
pass
print "sm2", sm2.FQDN, "state", str(sm2.state)
self.failUnless( sm2.rekeying == 0 )
self.failUnless( sm2.ESPkey <> savedkey )
def main():
connect = ''
useIPv6 = 0
pig = 0
opts, args = getopt(sys.argv[1:], 'k:h:6p',
['key=', 'hostname=', 'ipv6', 'piggyback'])
for opt, val in opts:
if opt in ('-h', '--hostname'):
hostname = val
print 'Hostname:', hostname
if opt in ('-k', '--key'):
keyname = val
print 'Keyname:', keyname
if opt in ('-6', '--ipv6'):
useIPv6 = 1
print 'Using IPv6'
if opt in ('-p', '--piggyback'):
pig = 1
print 'Using Piggyback (if remote advertises)'
hi1 = HI.HI(keyname)
if connect:
hi2 = HI.HI(connect)
print 'Other hit is', hexlify(hi2.HIT127())
HI.HI.HITable[hi2.HIT127()] = hi2
print hostname, 'hit127 is', hexlify(hi1.HIT127())
print hostname, 'hit64 is ', hexlify(
hi1.HIT64(unhexlify('9e800000000000000000000000000000')))
def cb(machine):
print 'Remote host is %s' % socket.inet_ntoa(
struct.pack('!L', machine.remoteLSI))
print 'Local host is %s' % socket.inet_ntoa(
struct.pack('!L', machine.localLSI))
pass
def bing():
#print 'bing!'
pass
#if useIPv6:
if 0:
# varies from spec, this is a 118 bit HIT as a link addr
os.system('/sbin/ip -f inet6 addr add %s scope link dev %s' %
(IPAddress.IPv6_ntoa(hi1.HITv6link()), dev))
interfaces = {}
(ip_pipe_in, if_pipe_out, if_pipe_err) = os.popen3('/sbin/ip -o addr show')
for line in if_pipe_out.xreadlines():
splitline = line.split()
interface, name, af, addr = splitline[:4]
interface = int(interface[:-1])
isglobal = 'global' in splitline
if af in ('inet', 'inet6'):
try:
addr, prefixlen = addr.split('/')
except:
if af == 'inet':
prefixlen = 32
else:
prefixlen = 64
ip = IPAddress.IP(addr)
ip.af = af
if af == 'inet':
ip.af_n = socket.AF_INET
else:
ip.af_n = socket.AF_INET6
ip.isglobal = isglobal
ip.prefixlen = prefixlen
ip.name = name
try:
# anything going wrong here
ip.Lifetime = long(splitline[-1].split('sec')[0])
except:
# means we don't know, so default.
ip.Lifetime = 0L
print str(
interface
) + ':', ip.af, ip.String, ip.isglobal, ip.name, ip.Lifetime
if interfaces.has_key(interface):
interfaces[interface].append(ip)
else:
interfaces[interface] = [ip]
# print pformat(dict([(a, [b.__dict__ for b in interfaces[a]])
# for a in interfaces.keys()]))
#H1.FutureEvents[time.time() + 10] = bing
try:
os.system('modprobe ip_queue')
os.system('modprobe dummy')
os.system('modprobe ipv6')
os.system('modprobe ip6_queue')
os.system('modprobe ip6_tables')
os.system('iptables -I OUTPUT -d 1.0.0.0/8 -j QUEUE')
os.system('iptables -I INPUT -p 50 -j QUEUE')
os.system('ip6tables -A OUTPUT -d 4000::/2 -j QUEUE')
os.system('ip6tables -I INPUT -p 50 -j QUEUE')
os.system('ip link set dummy0 up')
os.system('ip -6 addr add %s scope link dev %s' %
(IPAddress.IPv6_ntoa(hi1.HITv6link()), 'dummy0'))
os.system('ip -6 route add 4000::/2 dev dummy0')
H1 = None
H1 = Host(hi1,
hostname,
useIPv6,
interfaces,
LSIcallback=cb,
piggyback=pig)
Host.defaultHandler = H1
H1.mainLoop()
except:
if hasattr(H1, 'CMDsk'):
H1.CMDsk.close
os.system('rm /tmp/hipd')
os.system('ip6tables -D OUTPUT -d 4000::/2 -j QUEUE')
os.system('ip6tables -D INPUT -p 50 -j QUEUE')
os.system('iptables -D OUTPUT -d 1.0.0.0/8 -j QUEUE')
os.system('iptables -D INPUT -p 50 -j QUEUE')
os.system('ip -6 addr add %s scope link dev %s' %
(IPAddress.IPv6_ntoa(hi1.HITv6link()), 'dummy0'))
raise
else:
if hasattr(H1, 'CMDsk'):
H1.CMDsk.close
os.system('rm /tmp/hipd')
os.system('ip6tables -D OUTPUT -d 4000::/2 -j QUEUE')
os.system('ip6tables -D INPUT -p 50 -j QUEUE')
os.system('iptables -D OUTPUT -d 1.0.0.0/8 -j QUEUE')
os.system('iptables -D INPUT -p 50 -j QUEUE')
os.system('ip -6 addr add %s scope link dev %s' %
(IPAddress.IPv6_ntoa(hi1.HITv6link()), 'dummy0'))
def CMD_connect(self, sk, args):
def cb(host, m, d=sk):
# do this now in background
k = Future(m.DH.gen_key(RandomPool.get_bytes))
m.rekey = 3000
resp = ('Connected. Local LSI is %s, remote is %s.' %
(socket.inet_ntoa(struct.pack('!L', m.localLSI)),
socket.inet_ntoa(struct.pack('!L', m.remoteLSI))))
if host.useIPv6:
m.useIPv6 = host.useIPv6
m.localESP.remoteIPv6addr = m.remoteHI.HITv6link()
m.localESP.localIPv6addr = host.hi.HITv6link()
m.remoteESP.remoteIPv6addr = m.localESP.remoteIPv6addr
m.remoteESP.localIPv6addr = m.localESP.localIPv6addr
resp += ('\nIPv6 addr is %s' %
IPAddress.IPv6_ntoa(m.localESP.remoteIPv6addr))
if d in host.OutMap:
host.OutMap[d][0].put(resp)
else:
host.OutMap[d] = (Queue.Queue(), host.handleCMDOut)
host.OutMap[d][0].put(resp)
# remove ourself from the callbacks
m.callbacks[HIPState.E3] = m.E3callback
print args
host = args[0]
if len(args) > 1 and args[1] <> '.':
hit = unhexlify(args[1])
if len(args) > 2:
RR = args[2]
hi2 = HI.HI(Rec=unhexlify(RR))
else:
hi2 = None
#hit = hi2.HIT64(unhexlify('9e800000000000000000000000000000'))
#hit = hi2.HIT127()
#hit = unhexlify('711d10d3058affb0c69bef095911dc23')
#hi2.hit127 = hit
else:
hi2 = None
hit = HI.zeroHIT
#ip = socket.inet_aton(socket.gethostbyname(host))
# now ip is a la getaddrinfo
ip = [
x for x in socket.getaddrinfo(host, None)
if x[0] in self.IPProtocols
][0]
print 'Connecting to ip', ip
if hit in HI.HI.HITable:
try:
m = Host.IPtable[ip]
m.send(HIPMessage.I1)
m.callbacks[HIPState.E3] = curryl(cb, self)
except KeyError:
pass
return 'Already connected to %s, with HIT %s.' % (host,
hexlify(hit))
if hi2 is not None:
HI.HI.HITable[hit] = hi2
#self.send(HIPMessage.BOS, ip, hit)
#m = Host.IPtable[ip]
#m.callbacks[HIPState.E3] = curryl(cb, self)
#m.send(HIPMessage.I1)
self.send(HIPMessage.I1,
ip,
hit,
state=HIPState.E3,
callback=curryl(cb, self))
return ('Connecting to %s at ip address %s, with HIT %s.' %
(host, ip, hexlify(hit)))