Implement HMAC for babel

HMAC is added to babel to make sure nodes from a given re6st network
don't talk to nodes from another re6st network. This is useful when
machines from separate re6st networks are on a LAN.
The key is the same for all nodes with the same registry: a random
part created by their registry and passed through network parameters,
combined with the prefix and prefix length of this re6st network.

This uses the currently WIP hmac branch of babel:
https://github.com/jech/babeld/tree/hmac

re6st/cli/node.py

@@ -395,6 +395,11 @@ def main():
                 os.path.join(config.state, 'babeld.state'),
                 os.path.join(config.run, 'babeld.pid'),
                 control_socket, cache.babel_default,
+                # We combine a key generated by the registry
+                # and our network prefix to get a hmac key for babel
+                '%064x' % int(bin(len(network))[2:].zfill(7) + network + bin(
+                          int(cache.babel_hmac_rand.encode(
+                          'hex'),16))[2:-7-len(network)],2),
                 *config.babel_args).stop)
             if config.up:
                 exit.release()

re6st/plib.py

@@ -62,10 +62,11 @@ def client(iface, address_list, encrypt, *args, **kw):
 
 
 def router(ip, ip4, src, hello_interval, log_path, state_path,
-           pidfile, control_socket, default, *args, **kw):
+           pidfile, control_socket, default, babel_hmac_key, *args, **kw):
     ip, n = ip
     if ip4:
         ip4, n4 = ip4
+    key_id = 'babel_hmac_key'
     cmd = ['babeld',
             '-h', str(hello_interval),
             '-H', str(hello_interval),
@@ -79,7 +80,8 @@ def router(ip, ip4, src, hello_interval, log_path, state_path,
             #   is not equivalent, at least not the way we use babeld
             #   (and we don't need RTA_SRC for ipv4).
             '-C', 'ipv6-subtrees true',
-            '-C', 'default ' + default,
+            '-C', 'key type sha256 id %s value %s' % (key_id, babel_hmac_key),
+            '-C', 'default %s hmac %s' % (default, key_id),
             '-C', 'redistribute local deny',
             '-C', 'redistribute ip %s/%s eq %s' % (ip, n, n)]
     if ip4:

re6st/registry.py

@@ -127,6 +127,13 @@ class RegistryServer(object):
         for x in ('client_count', 'encrypt', 'hello',
                   'max_clients', 'min_protocol', 'tunnel_refresh'):
             kw[x] = getattr(self.config, x)
+        current_hmac_rand = self.getConfig('babel_hmac_rand', None)
+        if current_hmac_rand:
+            kw['babel_hmac_rand'] = current_hmac_rand.encode('base64')
+        else:
+            rand = os.urandom(32)
+            self.setConfig('babel_hmac_rand', rand)
+            kw['babel_hmac_rand'] = rand.encode('base64')
         config = json.dumps(kw, sort_keys=True)
         if config != self.getConfig('last_config', None):
             self.version = self.encodeVersion(
@@ -137,7 +144,7 @@ class RegistryServer(object):
             self.setConfig('last_config', config)
             self.sendto(self.prefix, 0)
         # The following entry lists values that are base64-encoded.
-        kw[''] = 'version',
+        kw[''] = 'version', 'babel_hmac_rand',
         kw['version'] = self.version.encode('base64')
         self.network_config = zlib.compress(json.dumps(kw), 9)