def __connect_tls_psk(self): ''' Connect and establish a TLS-PSK connection on top of the connection. ''' self.__connect_plain() # wrap socket with TLS-PSK client_socket = self.socket identity = self.get_tls_psk_identity() if isinstance(self.password, Password): password = self.password.md5() else: raise ConnectionError(u'No password provides.') self.logger.debug("identity = {}, password = {}".format( identity, password)) try: self.socket = sslpsk.wrap_socket( client_socket, psk=(password, identity), ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH', #ssl_version=ssl.PROTOCOL_TLSv1_2, server_side=False) except ssl.SSLError as e: # raise ConnectionError( # "failed to connect to host {}, port {}: {}".format(self.address, self.port, str(e))) # Using a general raise keep more information about the type of error. raise return True
def __connect_tls_psk(self): """ Connect and establish a TLS-PSK connection on top of the connection. """ self.__connect_plain() # wrap socket with TLS-PSK client_socket = self.socket identity = self.get_tls_psk_identity() if isinstance(self.password, Password): password = self.password.md5() else: raise bareos.exceptions.ConnectionError(u"No password provided.") self.logger.debug("identity = {0}, password = {1}".format( identity, password)) try: self.socket = sslpsk.wrap_socket( client_socket, ssl_version=self.tls_version, ciphers="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", psk=(password, identity), server_side=False, ) except ssl.SSLError as e: # raise ConnectionError( # "failed to connect to host {0}, port {1}: {2}".format(self.address, self.port, str(e))) # Using a general raise keep more information about the type of error. raise return True
def __connect_tls_psk(self): ''' Connect and establish a TLS-PSK connection on top of the connection. ''' self.__connect_plain() # wrap socket with TLS-PSK client_socket = self.socket identity = self.get_tls_psk_identity() if isinstance(self.password, Password): password = self.password.md5() else: raise ConnectionError(u'No password provides.') self.logger.debug("identity = {}, password = {}".format(identity, password)) try: self.socket = sslpsk.wrap_socket( client_socket, psk=(password, identity), ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH', #ssl_version=ssl.PROTOCOL_TLSv1_2, server_side=False) except ssl.SSLError as e: # raise ConnectionError( # "failed to connect to host {}, port {}: {}".format(self.address, self.port, str(e))) # Using a general raise keep more information about the type of error. raise return True
def secure_socket(sock, shared_secret, ciphers=default_ciphers, ssl_version=default_ssl_version): return sslpsk.wrap_socket(sock, psk=(shared_secret, 'x'), ciphers=ciphers, ssl_version=ssl_version)
def new_client(self, s1): try: ssl_sock = sslpsk.wrap_socket(s1, server_side = True, ssl_version=ssl.PROTOCOL_TLSv1_2, ciphers='PSK-AES128-CBC-SHA256', psk=get_psk, hint=self.hint) s2 = client(self.host, self.port) self.sessions.append((ssl_sock, s2)) except: pass
def connect(self, *args, **kwargs): # `sslpsk.wrap_socket` must be called *after* socket.connect, # while the `ssl.wrap_socket` must be called *before* socket.connect. self.__sock.connect(*args, **kwargs) # `sslv3 alert bad record mac` exception means incorrect PSK self.__sock = sslpsk.wrap_socket( self.__sock, # https://github.com/zabbix/zabbix/blob/f0a1ad397e5653238638cd1a65a25ff78c6809bb/src/libs/zbxcrypto/tls.c#L3231 ssl_version=ssl.PROTOCOL_TLSv1_2, # https://github.com/zabbix/zabbix/blob/f0a1ad397e5653238638cd1a65a25ff78c6809bb/src/libs/zbxcrypto/tls.c#L3179 ciphers="PSK-AES128-CBC-SHA", psk=(self.__psk, self.__identity),)
def new_client(self, s1): try: ssl_sock = sslpsk.wrap_socket( s1, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1_2, ciphers='PSK-AES128-CBC-SHA256', psk=lambda identity: gen_psk(identity, self.hint), hint=self.hint) s2 = client(self.host, self.port) self.sessions.append((ssl_sock, s2)) except Exception as e: print("could not establish sslpsk socket:", e)
def accept(): self.server_socket, _ = self.accept_socket.accept() # wrap socket with TLS-PSK self.server_psk_sock = sslpsk.wrap_socket( self.server_socket, psk=self.psk, ciphers='PSK-AES256-CBC-SHA', ssl_version=ssl.PROTOCOL_TLSv1, server_side=True) # accept data from client data = self.server_psk_sock.recv(10) self.server_psk_sock.sendall(data.upper())
def client(host, port, psk): tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) tcp_socket.connect((host, port)) ssl_sock = sslpsk.wrap_socket(tcp_socket, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH', psk=lambda hint: (PSKS[hint], 'client1')) ssl_sock.sendall("ping") msg = ssl_sock.recv(4) print 'Client received: %s' % (msg) ssl_sock.shutdown(socket.SHUT_RDWR) ssl_sock.close()
def testClient(self): # initialize self.client_socket.connect(self.addr) # wrap socket with TLS-PSK self.client_psk_sock = sslpsk.wrap_socket( self.client_socket, psk=self.psk, ciphers='PSK-AES256-CBC-SHA', ssl_version=ssl.PROTOCOL_TLSv1, server_side=False) self.client_psk_sock.sendall(TEST_DATA) data = self.client_psk_sock.recv(10) print('data: %s' % data) self.assertTrue(data == TEST_DATA.upper(), 'Test Failed')
def new_client(self, s1): try: ssl_sock = sslpsk.wrap_socket( s1, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1_2, ciphers='PSK-AES128-CBC-SHA256', psk=lambda identity: gen_psk(identity, self.hint), hint=self.hint) s2 = client(self.host, self.port) self.sessions.append((ssl_sock, s2)) except ssl.SSLError as e: print("could not establish sslpsk socket:", e) if "NO_SHARED_CIPHER" in e.reason or "WRONG_VERSION_NUMBER" in e.reason or "WRONG_SSL_VERSION" in e.reason: print("don't panic this is probably just your phone!")
def server(host, port): tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) tcp_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) tcp_sock.bind((host, port)) tcp_sock.listen(1) sock, _ = tcp_sock.accept() ssl_sock = sslpsk.wrap_socket(sock, server_side = True, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH', psk=lambda identity: PSKS[identity], hint='server1') msg = ssl_sock.recv(4) print 'Server received: %s'%(msg) ssl_sock.sendall("pong") ssl_sock.shutdown(socket.SHUT_RDWR) ssl_sock.close()
def bindToURI(self, URI): with self.lock: # only 1 thread at a time can bind the URI try: self.URI = URI # This are the statements that differ from Pyro/protocol.py raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) _connect_socket(raw_sock, URI.address, URI.port, self.timeout) sock = sslpsk.wrap_socket( raw_sock, psk=Pyro.config.PYROPSK, server_side=False, ciphers="PSK-AES256-CBC-SHA", # available in openssl 1.0.2 ssl_version=ssl.PROTOCOL_TLSv1) # all the rest is the same as in Pyro/protocol.py conn = TCPConnection(sock, sock.getpeername()) # receive the authentication challenge string, and use that to build the actual identification string. try: authChallenge = self.recvAuthChallenge(conn) except ProtocolError as x: # check if we were denied if hasattr(x, "partialMsg") and x.partialMsg[:len(self.denyMSG)] == self.denyMSG: raise ConnectionDeniedError(Pyro.constants.deniedReasons[int(x.partialMsg[-1])]) else: raise # reply with our ident token, generated from the ident passphrase and the challenge msg = self._sendConnect(sock, self.newConnValidator.createAuthToken(self.ident, authChallenge, conn.addr, self.URI, None)) if msg == self.acceptMSG: self.conn = conn self.conn.connected = 1 Log.msg('PYROAdapter', 'connected to', str(URI)) if URI.protocol == 'PYROLOCPSK': self.resolvePYROLOC_URI("PYROPSK") # updates self.URI elif msg[:len(self.denyMSG)] == self.denyMSG: try: raise ConnectionDeniedError(Pyro.constants.deniedReasons[int(msg[-1])]) except (KeyError, ValueError): raise ConnectionDeniedError('invalid response') except socket.error: Log.msg('PYROAdapter', 'connection failed to URI', str(URI)) raise ProtocolError('connection failed')