def TestTLS(self):
"""Perform smoke tests for SSL v3, SSL v2, and TLS 1.x on server:port:protocol"""
if TLSTest.TestConnectionV3(self, (3, 0), (3, 0)):
return True
if self.protocol == ProbeData.Server.PROTOCOL_HTTPS:
settings = HandshakeSettings.HandshakeSettings()
settings.maxVersion = (3, 0)
if SSLv2Test.TestConnectionV2(self, settings):
return True
for minor in [1, 2, 3]:
if TLSTest.TestConnectionV3(self, (3, minor), (3, minor)):
return True
return False
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
datasize = argv[2]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1] - 1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(
open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
test_no = 0
for cipher in [
"aes128gcm", "aes128", "aes256", "rc4", "chacha20-poly1305",
"speck128", "speck128gcm", "speck192gcm"
]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = ["python"]
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
if datasize == "3MB":
h = connection.read(min=1500000, max=1500000)
elif datasize == "2MB":
h = connection.read(min=1000000, max=1000000)
elif datasize == "1MB":
h = connection.read(min=500000, max=500000)
elif datasize == "500k":
h = connection.read(min=250000, max=250000)
elif datasize == "100k":
h = connection.read(min=50000, max=50000)
elif datasize == "2k":
h = connection.read(min=1000, max=1000)
else:
print("Datasize not supported or syntax error! Exiting...")
exit(1)
connection.write(h)
connection.close()
synchro.close()
synchroSocket.close()
print("Test succeeded")
#!/usr/bin/env python
from __future__ import print_function
from tlslite import HTTPTLSConnection, HandshakeSettings
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
h = HTTPTLSConnection("localhost", 4443, settings=settings)
h.request("GET", "/index.html")
r = h.getresponse()
print(r.read())
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
datasize = argv[2]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#open synchronisation FIFO
synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchro.settimeout(40)
synchro.connect((address[0], address[1]-1))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(25)
sock.connect(address)
c = TLSConnection(sock)
return c
test_no = 0
badFault = False
message = dataRandomizer(datasize)
for cipher in [ "aes128gcm","aes128", "aes256",
"rc4", "chacha20-poly1305", "speck128", "speck128gcm","speck192gcm"]:
test_no += 1
t1 = time.time()
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
t2 = time.time()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = ["python"]
connection.handshakeClientCert(settings=settings)
t3 = time.time()
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
if datasize == "3MB":
t3 = time.time()
connection.write(message)
h = connection.read(min=1500000, max=1500000)
t4 = time.time()
if t4-t3:
print("3MB exchanged at rate of %d bytes/sec" % int(3000000/(t4-t3)))
print ('Raw timers:','t1=', t1,'t2=', t2,'t3=', t3,'t4=', t4)
print ('Intervals:', t2-t1, t3-t2, t4-t3)
sizeInBytes = sys.getsizeof(h)*2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput is bytes/sec:", round(sizeInBytes / (t4-t3), 3))
else:
print("3MB exchanged very fast")
assert(h == message)
elif datasize == "2MB":
t3 = time.time()
connection.write(message)
h = connection.read(min=1000000, max=1000000)
t4 = time.time()
if t4-t3:
print("2MB exchanged at rate of %d bytes/sec" % int(2000000/(t4-t3)))
print ('Raw timers:','t1=', t1,'t2=', t2,'t3=', t3,'t4=', t4)
print ('Intervals:', t2-t1, t3-t2, t4-t3)
sizeInBytes = sys.getsizeof(h)*2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4-t3), 3))
else:
print("2MB exchanged very fast")
assert(h == message)
elif datasize == "1MB":
t3 = time.time()
connection.write(message)
h = connection.read(min=500000, max=500000)
t4 = time.time()
if t4-t3:
print("1MB exchanged at rate of %d bytes/sec" % int(1000000/(t4-t3)))
print ('Raw timers:','t1=', t1,'t2=', t2,'t3=', t3,'t4=', t4)
print ('Intervals:', t2-t1, t3-t2, t4-t3)
sizeInBytes = sys.getsizeof(h)*2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4-t3), 3))
else:
print("1MB exchanged very fast")
assert(h == message)
elif datasize == "500k":
t3 = time.time()
connection.write(message)
h = connection.read(min=250000, max=250000)
t4 = time.time()
if t4-t3:
print("500kbytes exchanged at rate of %d bytes/sec" % int(500000/(t4-t3)))
print ('Raw timers:','t1=', t1,'t2=', t2,'t3=', t3,'t4=', t4)
print ('Intervals:', t2-t1, t3-t2, t4-t3)
sizeInBytes = sys.getsizeof(h)*2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4-t3), 3))
else:
print("500kbytes exchanged very fast")
assert(h == message)
elif datasize == "100k":
t3 = time.time()
connection.write(message)
h = connection.read(min=50000, max=50000)
t4 = time.time()
if t4-t3:
print("100kBytes exchanged at rate of %d bytes/sec" % int(100000/(t4-t3)))
print ('Raw timers:','t1=', t1,'t2=', t2,'t3=', t3,'t4=', t4)
print ('Intervals:', t2-t1, t3-t2, t4-t3)
sizeInBytes = sys.getsizeof(h)*2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4-t3), 3))
else:
print("100kBytes exchanged very fast")
assert(h == message)
elif datasize == "2k":
t3 = time.time()
connection.write(message)
h = connection.read(min=1000, max=1000)
t4 = time.time()
if t4-t3:
print("2kBytes exchanged at rate of %d bytes/sec" % int(2000/(t4-t3)))
print ('Raw timers:','t1=', t1,'t2=', t2,'t3=', t3,'t4=', t4)
print ('Intervals:', t2-t1, t3-t2, t4-t3)
sizeInBytes = sys.getsizeof(h)*2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4-t3), 3))
else:
print("2kBytes exchanged very fast")
assert(h == message)
else:
print("Datasize not supported or syntax error! Exiting...")
exit(1)
print("Used Ciphersuite: {0}".\
format(CipherSuite.ietfNames[connection.session.cipherSuite]))
print(" ")
connection.close()
synchro.close()
if not badFault:
print("Test succeeded, {0} good".format(test_no))
else:
print("Test failed")
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#open synchronisation FIFO
synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchro.settimeout(5)
synchro.connect((address[0], address[1]-1))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print("Test 0 - anonymous handshake")
synchro.recv(1)
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print("Test 1 - good X509 (plus SNI)")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print("Test 1.a - good X509, SSLv3")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 1.b - good X509, RC4-MD5")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print("Test 3 - good SRP")
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 14 - good mutual X509")
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.a - good mutual X509, TLSv1.1")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.b - good mutual X509, SSLv3")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 18 - good SRP, prepare to resume... (plus SNI)")
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
print("Test 19 - resumption (plus SNI)")
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
print("Test 20 - invalidated resumption (plus SNI)")
synchro.recv(1)
connection.sock.close() #Close the socket without a close_notify!
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
synchro.recv(1)
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers, TLSv1.0")
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = time.clock()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = time.clock()
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
print("Test 24.a - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.b - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.c - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.d - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.e - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
print("Test 24.f - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.g - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 25.a - FALLBACK_SCSV")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
connection.close()
print("Test 25.b - FALLBACK_SCSV")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
settings.maxVersion = (3, 2)
try:
connection.handshakeClientCert(settings=settings)
assert()
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
print("Test 26.a - server checks cipher version")
synchro.recv(1)
connection = connect()
# Configure the ClientHello to only advertise SHA-256 ciphers, but not
# support TLS 1.2.
connection.fault = Fault.ignoreVersionForCipher
settings = HandshakeSettings()
settings.maxVersion = (3, 2)
settings.macNames = ["sha256"]
connection.handshakeClientCert(settings=settings)
connection.close()
print("Test 26.b - client checks cipher version")
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientCert()
assert()
except TLSLocalAlert as alert:
# The client should reject the ServerHello because it selected an
# invalid cipher for the version.
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print('Test 27 - good standard XMLRPC https client')
address = address[0], address[1]+1
synchro.recv(1)
try:
# python 2.7.9 introduced certificate verification (context option)
# python 3.4.2 doesn't have it though
context = ssl.create_default_context(\
cafile=os.path.join(dir, "serverX509Cert.pem"))
server = xmlrpclib.Server('https://%s:%s' % address, context=context)
except (TypeError, AttributeError):
server = xmlrpclib.Server('https://%s:%s' % address)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
print('Test 28 - good tlslite XMLRPC client')
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
print('Test 29 - good XMLRPC ignored protocol')
server = xmlrpclib.Server('http://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
print("Test 30 - Internet servers test")
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
print("Test 30: IMAP4 good")
p = POP3_TLS("pop.gmail.com")
p.quit()
print("Test 31: POP3 good")
except socket.error as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
synchro.close()
if not badFault:
print("Test succeeded")
else:
print("Test failed")
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print "Test 0 - anonymous handshake"
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print "Test 1 - good X509 (plus SNI)"
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print "Test 1.a - good X509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print "Test 2.a - good X.509, TACK"
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print "Test 2.b - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert, alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
testConnClient(connection)
connection.close()
print "Test 4 - SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print " Good Fault %s" % (Fault.faultNames[fault])
except TLSFaultError, e:
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))
badFault = True
print "Test 6 - good SRP: with X.509 certificate, TLSv1.0"
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print "Test 7 - X.509 with SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print " Good Fault %s" % (Fault.faultNames[fault])
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
print("Test 0 - Anonymous server handshake")
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print("Test 1 - good X.509")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 1.a - good X.509, SSL v3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
print("Test 1.b - good X.509, RC4-MD5")
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
print("Test 3 - good SRP")
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB)
assert()
except:
pass
connection.close()
print("Test 6 - good SRP: with X.509 cert")
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print("Test 14 - good mutual X.509")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14a - good mutual X.509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
assert()
except:
pass
connection.close()
print("Test 18 - good SRP, prepare to resume")
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 19 - resumption")
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
print("Test 20 - invalidated resumption")
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers")
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
print("Test 24.a - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.b - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.c - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.d - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.e - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
print("Test 24.f - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.g - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
print("Tests 25-27 - XMLRPXC server")
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
server.handle_request()
print("Test succeeded")
#!/usr/bin/env python
from tlslite import HTTPTLSConnection, HandshakeSettings
settings = HandshakeSettings()
settings.useExperimentalTACKExtension = True
h = HTTPTLSConnection("localhost", 4443, settings=settings)
h.request("GET", "/index.html")
r = h.getresponse()
print r.read()
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print "Test 0 - anonymous handshake"
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print "Test 1 - good X509 (plus SNI)"
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert (isinstance(connection.session.serverCertChain, X509CertChain))
assert (connection.session.serverName == address[0])
connection.close()
print "Test 1.a - good X509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3, 0)
settings.maxVersion = (3, 0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert (isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print "Test 2.a - good X.509, TACK"
connection = connect()
connection.handshakeClientCert(settings=settings)
assert (connection.session.tackExt.tacks[0].getTackId() ==
"rrted.ptvtl.d2uiq.ox2xe.w4ss3")
assert (connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print "Test 2.b - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert (False)
except TLSLocalAlert, alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(
open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert (connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3, 0)
settings.maxVersion = (3, 0)
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(
open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print "Test 2.a - good X.509, TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
tacks=[tack],
activationFlags=1,
settings=settings)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
tacks=[tackUnrelated],
settings=settings)
assert (False)
except TLSRemoteAlert, alert:
if alert.description != AlertDescription.illegal_parameter:
raise
testConnClient(connection)
connection.close()
print "Test 4 - SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print " Good Fault %s" % (Fault.faultNames[fault])
except TLSFaultError, e:
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))
badFault = True
print "Test 6 - good SRP: with X.509 certificate, TLSv1.0"
settings = HandshakeSettings()
settings.minVersion = (3, 1)
settings.maxVersion = (3, 1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert (isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print "Test 7 - X.509 with SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print " Good Fault %s" % (Fault.faultNames[fault])
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#open synchronisation FIFO
synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchro.settimeout(15)
synchro.connect((address[0], address[1]-1))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(15)
sock.connect(address)
c = TLSConnection(sock)
return c
test_no = 0
badFault = False
print("Test {0} - anonymous handshake".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good X509 (plus SNI)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS cert".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS sig".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X509, SSLv3".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good X509, RC4-MD5".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
settings.cipherNames = ["rc4"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
assert(connection.encryptThenMAC == False)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain...skipped"
" (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good SRP".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good SRP: with X.509 certificate, TLSv1.0".format(test_no))
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good mutual X509".format(test_no))
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X509, TLSv1.1".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X509, SSLv3".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good SRP, prepare to resume... (plus SNI)".\
format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
test_no += 1
print("Test {0} - resumption (plus SNI)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
test_no += 1
print("Test {0} - invalidated resumption (plus SNI)".format(test_no))
synchro.recv(1)
connection.sock.close() #Close the socket without a close_notify!
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
synchro.recv(1)
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers, TLSv1.0".format(test_no))
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = timeit.default_timer()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = timeit.default_timer()
sizeofdata = len(h)*2
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(sizeofdata/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
settings.maxVersion = (3, 2)
try:
connection.handshakeClientCert(settings=settings)
assert()
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
assert(settings.useEncryptThenMAC)
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
settings.useEncryptThenMAC = False
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
session = connection.session
# resume
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0], session=session)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
session = connection.session
# resume
synchro.recv(1)
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
settings.macNames.remove("aead")
connection = connect()
try:
connection.handshakeClientCert(serverName=address[0], session=session,
settings=settings)
except TLSRemoteAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("No exception raised")
connection.close()
test_no += 1
print('Test {0} - good standard XMLRPC https client'.format(test_no))
address = address[0], address[1]+1
synchro.recv(1)
try:
# python 2.7.9 introduced certificate verification (context option)
# python 3.4.2 doesn't have it though
context = ssl.create_default_context(\
cafile=os.path.join(dir, "serverX509Cert.pem"))
server = xmlrpclib.Server('https://%s:%s' % address, context=context)
except (TypeError, AttributeError):
server = xmlrpclib.Server('https://%s:%s' % address)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print('Test {0} - good tlslite XMLRPC client'.format(test_no))
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print('Test {0} - good XMLRPC ignored protocol'.format(test_no))
server = xmlrpclib.Server('http://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print("Test {0} - Internet servers test".format(test_no))
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
test_no += 1
print("Test {0}: IMAP4 good".format(test_no))
p = POP3_TLS("pop.gmail.com")
p.quit()
test_no += 1
print("Test {0}: POP3 good".format(test_no))
except (socket.error, socket.timeout) as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
synchro.close()
if not badFault:
print("Test succeeded, {0} good".format(test_no))
else:
print("Test failed")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
with open(os.path.join(dir, "serverRSAPSSSigCert.pem")) as f:
x509CertRSAPSSSig = X509().parse(f.read())
x509ChainRSAPSSSig = X509CertChain([x509CertRSAPSSSig])
with open(os.path.join(dir, "serverRSAPSSSigKey.pem")) as f:
x509KeyRSAPSSSig = parsePEMKey(f.read(), private=True)
with open(os.path.join(dir, "serverRSAPSSCert.pem")) as f:
x509CertRSAPSS = X509().parse(f.read())
x509ChainRSAPSS = X509CertChain([x509CertRSAPSS])
assert x509CertRSAPSS.certAlg == "rsa-pss"
with open(os.path.join(dir, "serverRSAPSSKey.pem")) as f:
x509KeyRSAPSS = parsePEMKey(f.read(), private=True,
implementations=["python"])
test_no = 0
print("Test {0} - Anonymous server handshake".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS sig".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509ChainRSAPSSSig,
privateKey=x509KeyRSAPSSSig)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509ChainRSAPSS,
privateKey=x509KeyRSAPSS)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, SSL v3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
assert(not connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, RC4-MD5".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain"
"...skipped (no tackpy)".format(test_no))
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
try:
(db_file, db_name) = mkstemp()
os.close(db_file)
# this is race'y but the interface dbm interface is stupid like that...
os.remove(db_name)
verifierDB = VerifierDB(db_name)
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
finally:
try:
os.remove(db_name)
except FileNotFoundError:
# dbm module may create files with different names depending on
# platform
os.remove(db_name + ".dat")
test_no += 1
print("Test {0} - good SRP".format(test_no))
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB)
connection.close()
test_no += 1
print("Test {0} - good SRP: with X.509 cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - good mutual X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, TLSv1.1".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, SSLv3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
connection.close()
test_no += 1
print("Test {0} - good SRP, prepare to resume".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
test_no += 1
print("Test {0} - invalidated resumption".format(test_no))
synchro.send(b'R')
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
def server_bind(self):
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HTTPServer.server_bind(self)
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
synchro.send(b'R')
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers".format(test_no))
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
except TLSLocalAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("no exception raised")
connection.close()
test_no += 1
print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2))
test_no += 2
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
synchro.send(b'R')
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
synchro.send(b'R')
server.handle_request()
synchro.close()
synchroSocket.close()
print("Test succeeded")
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
datasize = argv[2]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
#open synchronisation FIFO
synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchro.settimeout(40)
synchro.connect((address[0], address[1] - 1))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(25)
sock.connect(address)
c = TLSConnection(sock)
return c
test_no = 0
badFault = False
message = dataRandomizer(datasize)
for cipher in [
"aes128gcm", "aes128", "aes256", "rc4", "chacha20-poly1305",
"speck128", "speck128gcm", "speck192gcm"
]:
test_no += 1
t1 = time.time()
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
t2 = time.time()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = ["python"]
connection.handshakeClientCert(settings=settings)
t3 = time.time()
print(
"%s %s:" %
(connection.getCipherName(), connection.getCipherImplementation()),
end=' ')
if datasize == "3MB":
t3 = time.time()
connection.write(message)
h = connection.read(min=1500000, max=1500000)
t4 = time.time()
if t4 - t3:
print("3MB exchanged at rate of %d bytes/sec" % int(3000000 /
(t4 - t3)))
print('Raw timers:', 't1=', t1, 't2=', t2, 't3=', t3, 't4=',
t4)
print('Intervals:', t2 - t1, t3 - t2, t4 - t3)
sizeInBytes = sys.getsizeof(h) * 2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput is bytes/sec:",
round(sizeInBytes / (t4 - t3), 3))
else:
print("3MB exchanged very fast")
assert (h == message)
elif datasize == "2MB":
t3 = time.time()
connection.write(message)
h = connection.read(min=1000000, max=1000000)
t4 = time.time()
if t4 - t3:
print("2MB exchanged at rate of %d bytes/sec" % int(2000000 /
(t4 - t3)))
print('Raw timers:', 't1=', t1, 't2=', t2, 't3=', t3, 't4=',
t4)
print('Intervals:', t2 - t1, t3 - t2, t4 - t3)
sizeInBytes = sys.getsizeof(h) * 2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4 - t3), 3))
else:
print("2MB exchanged very fast")
assert (h == message)
elif datasize == "1MB":
t3 = time.time()
connection.write(message)
h = connection.read(min=500000, max=500000)
t4 = time.time()
if t4 - t3:
print("1MB exchanged at rate of %d bytes/sec" % int(1000000 /
(t4 - t3)))
print('Raw timers:', 't1=', t1, 't2=', t2, 't3=', t3, 't4=',
t4)
print('Intervals:', t2 - t1, t3 - t2, t4 - t3)
sizeInBytes = sys.getsizeof(h) * 2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4 - t3), 3))
else:
print("1MB exchanged very fast")
assert (h == message)
elif datasize == "500k":
t3 = time.time()
connection.write(message)
h = connection.read(min=250000, max=250000)
t4 = time.time()
if t4 - t3:
print("500kbytes exchanged at rate of %d bytes/sec" %
int(500000 / (t4 - t3)))
print('Raw timers:', 't1=', t1, 't2=', t2, 't3=', t3, 't4=',
t4)
print('Intervals:', t2 - t1, t3 - t2, t4 - t3)
sizeInBytes = sys.getsizeof(h) * 2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4 - t3), 3))
else:
print("500kbytes exchanged very fast")
assert (h == message)
elif datasize == "100k":
t3 = time.time()
connection.write(message)
h = connection.read(min=50000, max=50000)
t4 = time.time()
if t4 - t3:
print("100kBytes exchanged at rate of %d bytes/sec" %
int(100000 / (t4 - t3)))
print('Raw timers:', 't1=', t1, 't2=', t2, 't3=', t3, 't4=',
t4)
print('Intervals:', t2 - t1, t3 - t2, t4 - t3)
sizeInBytes = sys.getsizeof(h) * 2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4 - t3), 3))
else:
print("100kBytes exchanged very fast")
assert (h == message)
elif datasize == "2k":
t3 = time.time()
connection.write(message)
h = connection.read(min=1000, max=1000)
t4 = time.time()
if t4 - t3:
print("2kBytes exchanged at rate of %d bytes/sec" %
int(2000 / (t4 - t3)))
print('Raw timers:', 't1=', t1, 't2=', t2, 't3=', t3, 't4=',
t4)
print('Intervals:', t2 - t1, t3 - t2, t4 - t3)
sizeInBytes = sys.getsizeof(h) * 2
print("Tranmsitted data size:", sizeInBytes)
print("Throughput:", round(sizeInBytes / (t4 - t3), 3))
else:
print("2kBytes exchanged very fast")
assert (h == message)
else:
print("Datasize not supported or syntax error! Exiting...")
exit(1)
print("Used Ciphersuite: {0}".\
format(CipherSuite.ietfNames[connection.session.cipherSuite]))
print(" ")
connection.close()
synchro.close()
if not badFault:
print("Test succeeded, {0} good".format(test_no))
else:
print("Test failed")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
test_no = 0
print("Test {0} - Anonymous server handshake".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, SSL v3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
assert(not connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, RC4-MD5".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain"
"...skipped (no tackpy)".format(test_no))
test_no += 1
print("Test {0} - good SRP".format(test_no))
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
try:
(db_file, db_name) = mkstemp()
os.close(db_file)
# this is race'y but the interface dbm interface is stupid like that...
os.remove(db_name)
verifierDB = VerifierDB(db_name)
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
finally:
os.remove(db_name)
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB)
connection.close()
test_no += 1
print("Test {0} - good SRP: with X.509 cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - good mutual X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, TLSv1.1".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, SSLv3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
connection.close()
test_no += 1
print("Test {0} - good SRP, prepare to resume".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
test_no += 1
print("Test {0} - invalidated resumption".format(test_no))
synchro.send(b'R')
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
def server_bind(self):
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HTTPServer.server_bind(self)
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
synchro.send(b'R')
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers".format(test_no))
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
except TLSLocalAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("no exception raised")
connection.close()
test_no += 1
print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2))
test_no += 2
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
synchro.send(b'R')
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
synchro.send(b'R')
server.handle_request()
synchro.close()
synchroSocket.close()
print("Test succeeded")
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print("Test 0 - anonymous handshake")
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print("Test 1 - good X509 (plus SNI)")
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print("Test 1.a - good X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print("Test 3 - good SRP")
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 14 - good mutual X509")
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.a - good mutual X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 18 - good SRP, prepare to resume... (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
print("Test 19 - resumption (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
print("Test 20 - invalidated resumption (plus SNI)")
connection.sock.close() #Close the socket without a close_notify!
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
time.sleep(2)
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
# don't check cert unless we provide a fingerprint --dmb
checker = Checker(x509Fingerprints=[fingerprint]) if fingerprint else None
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
time.sleep(2)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if tlscryptoLoaded:
implementations.append("tlscrypto")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers, TLSv1.0")
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = time.clock()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = time.clock()
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
print("Test 24.a - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.b - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.c - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.d - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.e - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
print("Test 24.f - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.g - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print('Test 25 - good standard XMLRPC https client')
time.sleep(2) # Hack for lack of ability to set timeout here
address = address[0], address[1]+1
server = xmlrpclib.Server('https://%s:%s' % address)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 26 - good tlslite XMLRPC client')
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 27 - good XMLRPC ignored protocol')
server = xmlrpclib.Server('http://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print("Test 28 - Internet servers test")
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
print("Test 28: IMAP4 good")
p = POP3_TLS("pop.gmail.com")
p.quit()
print("Test 29: POP3 good")
except socket.error as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
if not badFault:
print("Test succeeded")
else:
print("Test failed")
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print("Test 0 - anonymous handshake")
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print("Test 1 - good X509 (plus SNI)")
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print("Test 1.a - good X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 1.b - good X509, RC4-MD5")
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print("Test 3 - good SRP")
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 14 - good mutual X509")
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.a - good mutual X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 18 - good SRP, prepare to resume... (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
print("Test 19 - resumption (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
print("Test 20 - invalidated resumption (plus SNI)")
connection.sock.close() #Close the socket without a close_notify!
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
time.sleep(2)
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
time.sleep(2)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers, TLSv1.0")
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = time.clock()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = time.clock()
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
print("Test 24.a - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.b - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.c - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.d - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.e - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
print("Test 24.f - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.g - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print('Test 25 - good standard XMLRPC https client')
time.sleep(2) # Hack for lack of ability to set timeout here
address = address[0], address[1]+1
server = xmlrpclib.Server('https://%s:%s' % address)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 26 - good tlslite XMLRPC client')
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 27 - good XMLRPC ignored protocol')
server = xmlrpclib.Server('http://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print("Test 28 - Internet servers test")
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
print("Test 28: IMAP4 good")
p = POP3_TLS("pop.gmail.com")
p.quit()
print("Test 29: POP3 good")
except socket.error as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
if not badFault:
print("Test succeeded")
else:
print("Test failed")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
# TACK1 and TACK2 are both "good" TACKs, one targetting, the key,
# one the hash
tack1 = TACK()
tack1.parsePem(open("./TACK1.pem", "rU").read())
tack2 = TACK()
tack2.parsePem(open("./TACK2.pem", "rU").read())
tackUnrelated = TACK()
tackUnrelated.parsePem(open("./TACKunrelated.pem", "rU").read())
breakSigs = TACK_Break_Sig.parsePemList(
open("./TACK_Break_Sigs.pem").read())
breakSigsActual = TACK_Break_Sig.parsePemList(
open("./TACK_Break_Sigs_TACK1.pem").read())
print "Test 2.a - good X.509, good TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack1, breakSigs=breakSigs)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, \"wrong\" TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack1)
connection.close()
print "Test 2.c - good X.509, \"wrong\" TACK but break signature (hardTack)"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack2, breakSigs=breakSigsActual)
print "Test 2.d - good X.509, \"wrong\" TACK but break signature (not hardTack)"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack2, breakSigs=breakSigsActual)
testConnServer(connection)
connection.close()
print "Test 2.e - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tackUnrelated)
except TLSRemoteAlert as alert:
assert(alert.description == AlertDescription.handshake_failure)
print "Test 2.f - good X.509, no TACK but expected"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
print "Test 3 - good SRP"
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print "Test 4 - SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB)
assert()
except:
pass
connection.close()
print "Test 6 - good SRP: with X.509 cert"
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print "Test 7 - X.509 with SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print "Test 11 - X.509 faults"
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print "Test 14 - good mutual X.509"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 14a - good mutual X.509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 15 - mutual X.509 faults"
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
assert()
except:
pass
connection.close()
print "Test 18 - good SRP, prepare to resume"
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
testConnServer(connection)
connection.close()
print "Test 19 - resumption"
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
testConnServer(connection)
#Don't close! -- see next test
print "Test 20 - invalidated resumption"
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError, e:
pass
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print "Test 2.a - good X.509, TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert, alert:
if alert.description != AlertDescription.illegal_parameter:
raise
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print "Test 0 - anonymous handshake"
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print "Test 1 - good X509"
connection = connect()
connection.handshakeClientCert()
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 1.a - good X509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
if tackpyLoaded:
print "Test 2.a - good X.509, good TACK"
connection = connect()
connection.handshakeClientCert(reqTack=True,
checker=Checker(tackID="BE1W1.AHUDE.GQIUT.TF9YC.3XVME", hardTack=True))
testConnClient(connection)
connection.close()
try:
print "Test 2.b - good X.509, \"wrong\" TACK"
connection = connect()
connection.handshakeClientCert(reqTack=True,
checker=Checker(tackID="B4444.EQ61B.F34EL.9KKLN.3WEW5", hardTack=True))
assert(False)
except TLSTackMismatchError:
pass
print "Test 2.c - good X.509, \"wrong\" TACK but break signature (hardTack)"
connection = connect()
try:
connection.handshakeClientCert(reqTack=True,
checker=Checker(tackID="BE1W1.AHUDE.GQIUT.TF9YC.3XVME", hardTack=True))
assert(False)
except TLSTackBreakError:
pass
print "Test 2.d - good X.509, \"wrong\" TACK but break signature (not hardTack)"
connection = connect()
connection.handshakeClientCert(reqTack=True,
checker=Checker(tackID="BE1W1.AHUDE.GQIUT.TF9YC.3XVME", hardTack=False))
testConnClient(connection)
connection.close()
print "Test 2.e - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeClientCert(reqTack=True)
assert(False)
except TLSLocalAlert as alert:
assert(alert.description == AlertDescription.handshake_failure)
connection.close()
try:
print "Test 2.f - good X.509, no TACK but expected"
connection = connect()
connection.handshakeClientCert(reqTack=True,
checker=Checker(tackID="B4444.EQ61B.F34EL.9KKLN.3WEW5", hardTack=False))
assert(False)
except TLSTackMissingError:
pass
print "Test 3 - good SRP"
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print "Test 4 - SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print " Good Fault %s" % (Fault.faultNames[fault])
except TLSFaultError, e:
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))
badFault = True
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
print("Test 0 - Anonymous server handshake")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print("Test 1 - good X.509")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 1.a - good X.509, SSL v3")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
print("Test 1.b - good X.509, RC4-MD5")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
print("Test 3 - good SRP")
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB)
connection.close()
print("Test 6 - good SRP: with X.509 cert")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
connection.close()
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
print("Test 14 - good mutual X.509")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14a - good mutual X.509, TLSv1.1")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14b - good mutual X.509, SSLv3")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
connection.close()
print("Test 18 - good SRP, prepare to resume")
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 19 - resumption")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
print("Test 20 - invalidated resumption")
synchro.send(b'R')
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
def server_bind(self):
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HTTPServer.server_bind(self)
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
synchro.send(b'R')
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers")
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
print("Test 24.a - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.b - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.c - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.d - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.e - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
print("Test 24.f - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.g - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
print("Test 25.a - FALLBACK_SCSV")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print("Test 25.b - FALLBACK_SCSV")
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
print("Test 26.a - server checks cipher version")
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
# The server should reject the connection with a handshake_failure
# because, after taking the version into account, no ciphers match.
if alert.description != AlertDescription.handshake_failure:
raise
connection.close()
print("Test 26.b - client checks cipher version")
synchro.send(b'R')
connection = connect()
# Configure the server to illegally select SHA-256 ciphers at TLS 1.1.
connection.fault = Fault.ignoreVersionForCipher
settings = HandshakeSettings()
settings.maxVersion = (3, 2)
settings.macNames = ["sha256"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
connection.close()
print("Tests 27-29 - XMLRPXC server")
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
synchro.send(b'R')
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
synchro.send(b'R')
server.handle_request()
synchro.close()
synchroSocket.close()
print("Test succeeded")
#!/usr/bin/env python
from __future__ import print_function
from tlslite import HTTPTLSConnection, HandshakeSettings
from optparse import OptionParser
settings = HandshakeSettings()
settings.cipherNames = ['aes128gcm']
settings.keyExchangeNames = ['ecdhe_rsa']
settings.cipherImplementations = ["python"]
#settings.macNames = ['sha256']
settings.minVersion = (3,3)
settings.maxVersion = (3,3)
settings.useExperimentalTackExtension = True
def main():
parser = OptionParser(usage='%prog host filename [options]', description='A Simple https client used with tlslite-ng')
parser.add_option("--port", dest="port", help="port", default = 4443, type="int", metavar="4443")
parser.add_option("--algo", dest="algo", help="algo", default = "speck128")
parser.add_option("--keyEx", dest="keyEx", help="Key Exchange", default="ecdhe_rsa")
(options, arguments) = parser.parse_args()
if len(arguments) < 1:
parser.print_help()
exit(1)
def _init_connection(self, pure_python_tls=False):
try:
if self._use_ssl:
if not pure_python_tls:
# If we do not have the SSL library, then we cannot do server certificate validation anyway.
if __has_ssl__:
ca_file = self._ca_file
else:
ca_file = None
self.__connection = HTTPSConnectionWithTimeoutAndVerification(
self._host,
self._port,
self._request_deadline,
ca_file,
__has_ssl__,
)
self.__connection.connect()
else:
# Pure python implementation of TLS does not require ssl library
settings = HandshakeSettings()
settings.minVersion = (3, 3) # TLS 1.2
self.__connection = HTTPTLSConnection(
self._host,
self._port,
timeout=self._request_deadline,
settings=settings,
)
self.__connection.connect()
# Non-null _ca_file signifies server cert validation is requireds
if self._ca_file:
try:
self._validate_chain_certvalidator(self.__connection)
except Exception as e:
log.exception("Failure in _validate_chain_certvalidator()")
self._validate_chain_openssl()
else:
# unencrypted connection
self.__connection = HTTPConnectionWithTimeout(
self._host, self._port, self._request_deadline
)
self.__connection.connect()
except Exception as error:
if hasattr(error, "errno"):
errno = error.errno
else:
errno = None
if isinstance(error, CertValidationError):
log.error(
'Failed to connect to "%s" because of server certificate validation error: "%s"',
self._full_address,
error.message,
error_code="client/connectionFailed",
)
elif __has_ssl__ and isinstance(error, ssl.SSLError):
log.error(
'Failed to connect to "%s" due to some SSL error. Possibly the configured certificate '
"for the root Certificate Authority could not be parsed, or we attempted to connect to "
"a server whose certificate could not be trusted (if so, maybe Scalyr's SSL cert has "
"changed and you should update your agent to get the new certificate). The returned "
"errno was %d and the full exception was '%s'. Closing connection, will re-attempt",
self._full_address,
errno,
str(error),
error_code="client/connectionFailed",
)
elif errno == 61: # Connection refused
log.error(
'Failed to connect to "%s" because connection was refused. Server may be unavailable.',
self._full_address,
error_code="client/connectionFailed",
)
elif errno == 8: # Unknown name
log.error(
'Failed to connect to "%s" because could not resolve address. Server host may be bad.',
self._full_address,
error_code="client/connectionFailed",
)
elif errno is not None:
log.error(
'Failed to connect to "%s" due to errno=%d. Exception was "%s". Closing connection, '
"will re-attempt",
self._full_address,
errno,
str(error),
error_code="client/connectionFailed",
)
else:
log.error(
'Failed to connect to "%s" due to exception. Exception was "%s". Closing connection, '
"will re-attempt",
self._full_address,
str(error),
error_code="client/connectionFailed",
)
raise Exception("client/connectionFailed")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
datasize = argv[2]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
test_no = 0
for cipher in ["aes128gcm", "aes128", "aes256", "rc4","chacha20-poly1305","speck128", "speck128gcm", "speck192gcm"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = ["python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
if datasize == "3MB":
h = connection.read(min=1500000, max=1500000)
elif datasize == "2MB":
h = connection.read(min=1000000, max=1000000)
elif datasize == "1MB":
h = connection.read(min=500000, max=500000)
elif datasize == "500k":
h = connection.read(min=250000, max=250000)
elif datasize == "100k":
h = connection.read(min=50000, max=50000)
elif datasize == "2k":
h = connection.read(min=1000, max=1000)
else:
print("Datasize not supported or syntax error! Exiting...")
exit(1)
connection.write(h)
connection.close()
synchro.close()
synchroSocket.close()
print("Test succeeded")
