def getContext(self): context = SSL.Context(SSL.TLSv1_METHOD) context.set_options(0x00020000)#SSL_OP_NO_COMPRESSION context.set_options(SSL.OP_DONT_INSERT_EMPTY_FRAGMENTS) context.set_options(SSL.OP_TLS_BLOCK_PADDING_BUG) return context
def get_ssl_context(method=SSL_METHOD): # One of: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or TLSv1_METHOD if openssl_import_error: raise openssl_import_error # pylint: disable=raising-bad-type return SSL.Context(method)
def __init__(self, config): self._context = SSL.Context(SSL.SSLv23_METHOD) self.configure_context(self._context, config)
def _create_ssl_context( method: int = DEFAULT_METHOD, options: int = DEFAULT_OPTIONS, ca_path: str = None, ca_pemfile: str = None, cipher_list: str = None, alpn_protos: typing.Iterable[bytes] = None, alpn_select=None, alpn_select_callback: typing.Callable[[typing.Any, typing.Any], bytes] = None, verify: int = SSL.VERIFY_PEER, verify_callback: typing.Optional[typing.Callable[ [SSL.Connection, SSL.X509, int, int, bool], bool]] = None, ) -> SSL.Context: """ Creates an SSL Context. :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD, TLSv1_1_METHOD, or TLSv1_2_METHOD :param options: A bit field consisting of OpenSSL.SSL.OP_* values :param verify: A bit field consisting of OpenSSL.SSL.VERIFY_* values :param ca_path: Path to a directory of trusted CA certificates prepared using the c_rehash tool :param ca_pemfile: Path to a PEM formatted trusted CA certificate :param cipher_list: A textual OpenSSL cipher list, see https://www.openssl.org/docs/apps/ciphers.html :rtype : SSL.Context """ try: context = SSL.Context(method) except ValueError: method_name = METHOD_NAMES.get(method, "unknown") raise exceptions.TlsException( "SSL method \"%s\" is most likely not supported " "or disabled (for security reasons) in your libssl. " "Please refer to https://github.com/mitmproxy/mitmproxy/issues/1101 " "for more details." % method_name) # Options (NO_SSLv2/3) if options is not None: context.set_options(options) # Verify Options (NONE/PEER and trusted CAs) if verify is not None: context.set_verify(verify, verify_callback) if ca_path is None and ca_pemfile is None: ca_pemfile = certifi.where() try: context.load_verify_locations(ca_pemfile, ca_path) except SSL.Error: raise exceptions.TlsException( "Cannot load trusted certificates ({}, {}).".format( ca_pemfile, ca_path)) # Workaround for # https://github.com/pyca/pyopenssl/issues/190 # https://github.com/mitmproxy/mitmproxy/issues/472 # Options already set before are not cleared. context.set_mode(SSL._lib.SSL_MODE_AUTO_RETRY) # Cipher List if cipher_list: try: context.set_cipher_list(cipher_list.encode()) except SSL.Error as v: raise exceptions.TlsException( "SSL cipher specification error: %s" % str(v)) # SSLKEYLOGFILE if log_master_secret: context.set_info_callback(log_master_secret) if alpn_protos is not None: # advertise application layer protocols context.set_alpn_protos(alpn_protos) elif alpn_select is not None and alpn_select_callback is None: # select application layer protocol def alpn_select_callback(conn_, options): if alpn_select in options: return bytes(alpn_select) else: # pragma: no cover return options[0] context.set_alpn_select_callback(alpn_select_callback) elif alpn_select_callback is not None and alpn_select is None: if not callable(alpn_select_callback): raise exceptions.TlsException( "ALPN error: alpn_select_callback must be a function.") context.set_alpn_select_callback(alpn_select_callback) elif alpn_select_callback is not None and alpn_select is not None: raise exceptions.TlsException( "ALPN error: only define alpn_select (string) OR alpn_select_callback (function)." ) return context
def test02_fetch_from_url(self): config = Configuration(SSL.Context(SSL.TLSv1_2_METHOD), True) res = fetch_from_url(Constants.TEST_URI, config) self.assertTrue(res)
def _test_openssl(self): ''' Run a test with openssl to detect any MITM proxies ''' success = True hostname = urlparse(self.base_url).netloc.split(':') sock = socket.socket() sock.setblocking(1) if self.proxies: connect_str = 'CONNECT {0} HTTP/1.0\r\n'.format(hostname[0]) if self.proxy_auth: connect_str += 'Proxy-Authorization: {0}\r\n'.format(self.proxy_auth) connect_str += '\r\n' proxy = urlparse(self.proxies['https']).netloc.split(':') try: sock.connect((proxy[0], int(proxy[1]))) except Exception as e: logger.debug(e) logger.error('Failed to connect to proxy %s. Connection refused.', self.proxies['https']) return False sock.send(connect_str) res = sock.recv(4096) if '200 Connection established' not in res: logger.error('Failed to connect to %s. Invalid hostname.', self.base_url) return False else: try: sock.connect((hostname[0], 443)) except socket.gaierror: logger.error('Error: Failed to connect to %s. Invalid hostname.', self.base_url) return False ctx = SSL.Context(SSL.TLSv1_METHOD) if type(self.cert_verify) is not bool: if os.path.isfile(self.cert_verify): ctx.load_verify_locations(self.cert_verify, None) else: logger.error('Error: Invalid cert path: %s', self.cert_verify) return False ctx.set_verify(SSL.VERIFY_PEER, self._verify_check) ssl_conn = SSL.Connection(ctx, sock) ssl_conn.set_connect_state() try: # output from verify generated here ssl_conn.do_handshake() # print cert chain certs = self.cert_chain[1] # put them in the right order certs.reverse() logger.debug('---\nCertificate chain') for depth, c in enumerate(certs): logger.debug(self._generate_cert_str(c.get_subject(), str(depth) + ' s :/')) logger.debug(self._generate_cert_str(c.get_issuer(), ' i :/')) # print server cert server_cert = ssl_conn.get_peer_certificate() logger.debug('---\nServer certificate') logger.debug(crypto.dump_certificate(crypto.FILETYPE_PEM, server_cert)) logger.debug(self._generate_cert_str(server_cert.get_subject(), 'subject=/')) logger.debug(self._generate_cert_str(server_cert.get_issuer(), 'issuer=/')) logger.debug('---') except SSL.Error as e: logger.debug('SSL error: %s', e) success = False logger.error('Certificate chain test failed!') ssl_conn.shutdown() ssl_conn.close() if self.cert_chain[0]: logger.error('Certificate chain test failed! Self ' 'signed certificate detected in chain') return success and not self.cert_chain[0]
def _create_ssl_context(self, enable_tls=False, encrypt_only=False, cafile=None, capath=None, keyfile=None, keyfile_password=None, certfile=None, protocols=None, cipher_suite=None): if not enable_tls: return method, protocols_to_disable = self._parse_protocols(protocols) self.ctx = SSL.Context(method) self.ctx = self._set_context_options(self.ctx, protocols_to_disable) if encrypt_only: self.ctx.set_verify(SSL.VERIFY_NONE, self._verify_none_cb) else: self.ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_CLIENT_ONCE, self._verify_cb) if cafile or capath: try: self.ctx.load_verify_locations(cafile, capath) except Exception as e: path = "" if cafile: path = "cafile=%s" % (str(cafile)) if capath: if path: path += " and " path += "capath=%s" % (str(capath)) raise Exception( "Failed to load CA certificate from %s \n %s" % (path, str(e))) if certfile: try: self.ctx.use_certificate_chain_file(certfile) except Exception as e: raise Exception( "Failed to load certificate chain file %s \n %s" % (certfile, str(e))) if keyfile: pkey = None pwd = None if keyfile_password: try: pwd = self._read_keyfile_password(keyfile_password) except Exception as e: raise Exception( "Invalid keyfile_password {0} \n{1}".format( keyfile_password, e)) try: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, open(keyfile, 'rb').read(), pwd) except IOError: raise Exception( "Unable to locate key file {}".format(keyfile)) except crypto.Error: raise Exception( "Invalid key file or bad passphrase {}".format( keyfile)) except Exception as e: raise Exception("Failed to load private key %s \n %s" % (keyfile, str(e))) if pkey is None: raise Exception("Failed to load private key %s" % keyfile) try: self.ctx.use_privatekey(pkey) except Exception as e: raise Exception("Failed to load private key %s \n %s" % (keyfile, str(e))) if cipher_suite: self.ctx.set_cipher_list(cipher_suite)
def _create_ssl_context( self, method=SSL_DEFAULT_METHOD, options=SSL_DEFAULT_OPTIONS, verify_options=SSL.VERIFY_NONE, ca_path=None, ca_pemfile=None, cipher_list=None, alpn_protos=None, alpn_select=None, alpn_select_callback=None, ): """ Creates an SSL Context. :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD, TLSv1_1_METHOD, or TLSv1_2_METHOD :param options: A bit field consisting of OpenSSL.SSL.OP_* values :param verify_options: A bit field consisting of OpenSSL.SSL.VERIFY_* values :param ca_path: Path to a directory of trusted CA certificates prepared using the c_rehash tool :param ca_pemfile: Path to a PEM formatted trusted CA certificate :param cipher_list: A textual OpenSSL cipher list, see https://www.openssl.org/docs/apps/ciphers.html :rtype : SSL.Context """ context = SSL.Context(method) # Options (NO_SSLv2/3) if options is not None: context.set_options(options) # Verify Options (NONE/PEER and trusted CAs) if verify_options is not None: def verify_cert(conn, x509, errno, err_depth, is_cert_verified): if not is_cert_verified: self.ssl_verification_error = dict(errno=errno, depth=err_depth) return is_cert_verified context.set_verify(verify_options, verify_cert) if ca_path is None and ca_pemfile is None: ca_pemfile = certifi.where() context.load_verify_locations(ca_pemfile, ca_path) # Workaround for # https://github.com/pyca/pyopenssl/issues/190 # https://github.com/mitmproxy/mitmproxy/issues/472 # Options already set before are not cleared. context.set_mode(SSL._lib.SSL_MODE_AUTO_RETRY) # Cipher List if cipher_list: try: context.set_cipher_list(cipher_list) # TODO: maybe change this to with newer pyOpenSSL APIs context.set_tmp_ecdh( OpenSSL.crypto.get_elliptic_curve('prime256v1')) except SSL.Error as v: raise TlsException("SSL cipher specification error: %s" % str(v)) # SSLKEYLOGFILE if log_ssl_key: context.set_info_callback(log_ssl_key) if HAS_ALPN: if alpn_protos is not None: # advertise application layer protocols context.set_alpn_protos(alpn_protos) elif alpn_select is not None and alpn_select_callback is None: # select application layer protocol def alpn_select_callback(conn_, options): if alpn_select in options: return bytes(alpn_select) else: # pragma no cover return options[0] context.set_alpn_select_callback(alpn_select_callback) elif alpn_select_callback is not None and alpn_select is None: context.set_alpn_select_callback(alpn_select_callback) elif alpn_select_callback is not None and alpn_select is not None: raise TlsException( "ALPN error: only define alpn_select (string) OR alpn_select_callback (method)." ) return context
def _create_ssl_context( self, method=SSL_DEFAULT_METHOD, options=SSL_DEFAULT_OPTIONS, verify_options=SSL.VERIFY_NONE, ca_path=None, ca_pemfile=None, cipher_list=None, alpn_protos=None, alpn_select=None, alpn_select_callback=None, sni=None, ): """ Creates an SSL Context. :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD, TLSv1_1_METHOD, or TLSv1_2_METHOD :param options: A bit field consisting of OpenSSL.SSL.OP_* values :param verify_options: A bit field consisting of OpenSSL.SSL.VERIFY_* values :param ca_path: Path to a directory of trusted CA certificates prepared using the c_rehash tool :param ca_pemfile: Path to a PEM formatted trusted CA certificate :param cipher_list: A textual OpenSSL cipher list, see https://www.openssl.org/docs/apps/ciphers.html :rtype : SSL.Context """ try: context = SSL.Context(method) except ValueError as e: method_name = ssl_method_names.get(method, "unknown") raise exceptions.TlsException( "SSL method \"%s\" is most likely not supported " "or disabled (for security reasons) in your libssl. " "Please refer to https://github.com/mitmproxy/mitmproxy/issues/1101 " "for more details." % method_name) # Options (NO_SSLv2/3) if options is not None: context.set_options(options) # Verify Options (NONE/PEER and trusted CAs) if verify_options is not None: def verify_cert(conn, x509, errno, err_depth, is_cert_verified): if not is_cert_verified: self.ssl_verification_error = exceptions.InvalidCertificateException( "Certificate Verification Error for {}: {} (errno: {}, depth: {})" .format( sni, strutils.always_str( SSL._ffi.string( SSL._lib.X509_verify_cert_error_string( errno)), "utf8"), errno, err_depth)) return is_cert_verified context.set_verify(verify_options, verify_cert) if ca_path is None and ca_pemfile is None: ca_pemfile = certifi.where() try: context.load_verify_locations(ca_pemfile, ca_path) except SSL.Error: raise exceptions.TlsException( "Cannot load trusted certificates ({}, {}).".format( ca_pemfile, ca_path)) # Workaround for # https://github.com/pyca/pyopenssl/issues/190 # https://github.com/mitmproxy/mitmproxy/issues/472 # Options already set before are not cleared. context.set_mode(SSL._lib.SSL_MODE_AUTO_RETRY) # Cipher List if cipher_list: try: context.set_cipher_list(cipher_list) context.set_tmp_ecdh( OpenSSL.crypto.get_elliptic_curve('prime256v1')) except SSL.Error as v: raise exceptions.TlsException( "SSL cipher specification error: %s" % str(v)) # SSLKEYLOGFILE if log_ssl_key: context.set_info_callback(log_ssl_key) if HAS_ALPN: if alpn_protos is not None: # advertise application layer protocols context.set_alpn_protos(alpn_protos) elif alpn_select is not None and alpn_select_callback is None: # select application layer protocol def alpn_select_callback(conn_, options): if alpn_select in options: return bytes(alpn_select) else: # pragma no cover return options[0] context.set_alpn_select_callback(alpn_select_callback) elif alpn_select_callback is not None and alpn_select is None: context.set_alpn_select_callback(alpn_select_callback) elif alpn_select_callback is not None and alpn_select is not None: raise exceptions.TlsException( "ALPN error: only define alpn_select (string) OR alpn_select_callback (method)." ) return context
def verify_cb(conn, cert, errnum, depth, ok): # This obviously has to be updated print 'Got certificate: %s' % cert.get_subject() return ok if len(sys.argv) < 2: print 'Usage: python[2] server.py PORT' sys.exit(1) dir = os.path.dirname(sys.argv[0]) if dir == '': dir = os.curdir # Initialize context ctx = SSL.Context(SSL.TLSv1_1_METHOD) ctx.set_options(SSL.OP_NO_SSLv2) ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb) # Demand a certificate ctx.use_privatekey_file(os.path.join(dir, 'server.pkey')) ctx.use_certificate_file(os.path.join(dir, 'server.cert')) ctx.load_verify_locations(os.path.join(dir, 'CA.cert')) # Set up server server = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM)) server.bind(('', int(sys.argv[1]))) server.listen(3) server.setblocking(0) clients = {} writers = {}
def run(config=None, plugin_providers=None, product_name='ajenti', dev_mode=False, debug_mode=False, autologin=False): """ A global entry point for Ajenti. :param config: config file implementation instance to use :type config: :class:`aj.config.BaseConfig` :param plugin_providers: list of plugin providers to load plugins from :type plugin_providers: list(:class:`aj.plugins.PluginProvider`) :param str product_name: a product name to use :param bool dev_mode: enables dev mode (automatic resource recompilation) :param bool debug_mode: enables debug mode (verbose and extra logging) :param bool autologin: disables authentication and logs everyone in as the user running the panel. This is EXTREMELY INSECURE. """ if config is None: raise TypeError('`config` can\'t be None') reload_module(sys) if hasattr(sys, 'setdefaultencoding'): sys.setdefaultencoding('utf8') aj.product = product_name aj.debug = debug_mode aj.dev = dev_mode aj.dev_autologin = autologin aj.init() aj.log.set_log_params(tag='master', master_pid=os.getpid()) aj.context = Context() aj.config = config aj.plugin_providers = plugin_providers or [] logging.info('Loading config from %s', aj.config) aj.config.load() aj.config.ensure_structure() if aj.debug: logging.warn('Debug mode') if aj.dev: logging.warn('Dev mode') try: locale.setlocale(locale.LC_ALL, '') except locale.Error: logging.warning('Couldn\'t set default locale') # install a passthrough gettext replacement since all localization is handled in frontend # and _() is here only for string extraction __builtins__['_'] = lambda x: x logging.info('Ajenti Core %s', aj.version) logging.info('Detected platform: %s / %s', aj.platform, aj.platform_string) # Load plugins PluginManager.get(aj.context).load_all_from(aj.plugin_providers) if len(PluginManager.get(aj.context)) == 0: logging.warn('No plugins were loaded!') if aj.config.data['bind']['mode'] == 'unix': path = aj.config.data['bind']['socket'] if os.path.exists(path): os.unlink(path) listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) try: listener.bind(path) except OSError: logging.error('Could not bind to %s', path) sys.exit(1) if aj.config.data['bind']['mode'] == 'tcp': host = aj.config.data['bind']['host'] port = aj.config.data['bind']['port'] listener = socket.socket( socket.AF_INET6 if ':' in host else socket.AF_INET, socket.SOCK_STREAM ) if aj.platform not in ['freebsd', 'osx']: try: listener.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, 1) except socket.error: logging.warn('Could not set TCP_CORK') listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) logging.info('Binding to [%s]:%s', host, port) try: listener.bind((host, port)) except socket.error as e: logging.error('Could not bind: %s', str(e)) sys.exit(1) # Fix stupid socketio bug (it tries to do *args[0][0]) socket.socket.__getitem__ = lambda x, y: None listener.listen(10) gateway = GateMiddleware.get(aj.context) application = HttpRoot(HttpMiddlewareAggregator([gateway])).dispatch aj.server = SocketIOServer( listener, log=open(os.devnull, 'w'), application=application, handler_class=RequestHandler, policy_server=False, transports=[ str('websocket'), str('flashsocket'), str('xhr-polling'), str('jsonp-polling'), ], ) if aj.config.data['ssl']['enable'] and aj.config.data['bind']['mode'] == 'tcp': context = SSL.Context(SSL.TLSv1_2_METHOD) context.set_session_id(str(id(context))) context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1) context.set_cipher_list('ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM') certificate = crypto.load_certificate( crypto.FILETYPE_PEM, open(aj.config.data['ssl']['certificate']).read() ) private_key = crypto.load_privatekey( crypto.FILETYPE_PEM, open(aj.config.data['ssl']['certificate']).read() ) context.use_certificate(certificate) context.use_privatekey(private_key) if aj.config.data['ssl']['client_auth']['enable']: # todo harden files logging.info('Enabling SSL client authentication') context.add_client_ca(certificate) context.get_cert_store().add_cert(certificate) verify_flags = SSL.VERIFY_PEER if aj.config.data['ssl']['client_auth']['force']: verify_flags |= SSL.VERIFY_FAIL_IF_NO_PEER_CERT context.set_verify(verify_flags, AuthenticationService.get(aj.context).client_certificate_callback) context.set_verify_depth(0) aj.server.ssl_args = {'server_side': True} aj.server.wrap_socket = lambda socket, **ssl: SSLSocket(context, socket) logging.info('SSL enabled') # auth.log try: syslog.openlog( ident=str(aj.product), facility=syslog.LOG_AUTH, ) except: syslog.openlog(aj.product) def cleanup(): if hasattr(cleanup, 'started'): return cleanup.started = True logging.info('Process %s exiting normally', os.getpid()) gevent.signal(signal.SIGINT, lambda: None) gevent.signal(signal.SIGTERM, lambda: None) if aj.master: gateway.destroy() p = psutil.Process(os.getpid()) for c in p.children(recursive=True): try: os.killpg(c.pid, signal.SIGTERM) os.killpg(c.pid, signal.SIGKILL) except OSError: pass def signal_handler(): cleanup() sys.exit(0) gevent.signal(signal.SIGINT, signal_handler) gevent.signal(signal.SIGTERM, signal_handler) aj.server.serve_forever() if not aj.master: # child process, server is stopped, wait until killed gevent.wait() if hasattr(aj.server, 'restart_marker'): logging.warn('Restarting by request') cleanup() fd = 20 # Close all descriptors. Creepy thing while fd > 2: try: os.close(fd) logging.debug('Closed descriptor #%i', fd) except OSError: pass fd -= 1 logging.warn('Will restart the process now') if '-d' in sys.argv: sys.argv.remove('-d') os.execv(sys.argv[0], sys.argv) else: if aj.master: logging.debug('Server stopped') cleanup()
from OpenSSL import SSL import ssl from requests.adapters import HTTPAdapter from requests.packages.urllib3.poolmanager import PoolManager SSL.Context(SSL.SSLv2_METHOD ) # Noncompliant {{Change this code to use a stronger protocol.}} # ^^^^^^^^^^^^ # Keyword argument SSL.Context(method=SSL.SSLv2_METHOD) # Noncompliant SSL.Context(SSL.TLSv1_2_METHOD) # Compliant SSL.Context(method=SSL.TLSv1_2_METHOD) # Compliant # ssl.SSLContext() ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2) # Noncompliant ctx = ssl.SSLContext(protocol=ssl.PROTOCOL_SSLv2) # Noncompliant # ssl.wrap_socket() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv2) # Noncompliant # ^^^^^^^^^^^^^^ # ssl.SSLContext() ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # Compliant ctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2) # Compliant # ssl.wrap_socket() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1_2) # Compliant
def getContext(self): return SSL.Context(SSL.SSLv23_METHOD)
def main( args: List[str] = sys.argv[1:], ) -> None: if sys.platform == "win32": # Magic incantation to make a Windows 10 cmd.exe process color-related ANSI escape codes. os.system("") # TODO: we lazily import "det deploy" but in the future we'd want to lazily import everything. parser = make_parser() full_cmd, aliases = generate_aliases(deploy_cmd.name) is_deploy_cmd = len(args) > 0 and any(args[0] == alias for alias in [*aliases, full_cmd]) if is_deploy_cmd: from determined.deploy.cli import args_description as deploy_args_description add_args(parser, [deploy_args_description]) else: add_args(parser, all_args_description) try: argcomplete.autocomplete(parser) parsed_args = parser.parse_args(args) def die(message: str, always_print_traceback: bool = False) -> None: if always_print_traceback or debug_mode(): import traceback traceback.print_exc(file=sys.stderr) parser.exit(1, colored(message + "\n", "red")) v = vars(parsed_args) if not v.get("func"): parser.print_usage() parser.exit(2, "{}: no subcommand specified\n".format(parser.prog)) try: # For `det deploy`, skip interaction with master. if is_deploy_cmd: parsed_args.func(parsed_args) return # Configure the CLI's Cert singleton. certs.cli_cert = certs.default_load(parsed_args.master) try: check_version(parsed_args) except requests.exceptions.SSLError: # An SSLError usually means that we queried a master over HTTPS and got an untrusted # cert, so allow the user to store and trust the current cert. (It could also mean # that we tried to talk HTTPS on the HTTP port, but distinguishing that based on the # exception is annoying, and we'll figure that out in the next step anyway.) addr = api.parse_master_address(parsed_args.master) check_not_none(addr.hostname) check_not_none(addr.port) try: ctx = SSL.Context(SSL.TLSv1_2_METHOD) conn = SSL.Connection(ctx, socket.socket()) conn.set_tlsext_host_name(cast(str, addr.hostname).encode()) conn.connect(cast(Sequence[Union[str, int]], (addr.hostname, addr.port))) conn.do_handshake() cert_pem_data = "".join( crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode() for cert in conn.get_peer_cert_chain() ) except crypto.Error: die( "Tried to connect over HTTPS but couldn't get a certificate from the " "master; consider using HTTP" ) cert_hash = hashlib.sha256(ssl.PEM_cert_to_DER_cert(cert_pem_data)).hexdigest() cert_fingerprint = ":".join(chunks(cert_hash, 2)) if not render.yes_or_no( "The master sent an untrusted certificate chain with this SHA256 fingerprint:\n" "{}\nDo you want to trust this certificate from now on?".format( cert_fingerprint ) ): die("Unable to verify master certificate") certs.CertStore(certs.default_store()).set_cert(parsed_args.master, cert_pem_data) # Reconfigure the CLI's Cert singleton, but preserve the certificate name. old_cert_name = certs.cli_cert.name certs.cli_cert = certs.Cert(cert_pem=cert_pem_data, name=old_cert_name) check_version(parsed_args) parsed_args.func(parsed_args) except KeyboardInterrupt as e: raise e except (api.errors.BadRequestException, api.errors.BadResponseException) as e: die("Failed to {}: {}".format(parsed_args.func.__name__, e)) except api.errors.CorruptTokenCacheException: die( "Failed to login: Attempted to read a corrupted token cache. " "The store has been deleted; please try again." ) except EnterpriseOnlyError as e: die(f"Determined Enterprise Edition is required for this functionality: {e}") except Exception: die("Failed to {}".format(parsed_args.func.__name__), always_print_traceback=True) except KeyboardInterrupt: # die() may not be defined yet. if debug_mode(): import traceback traceback.print_exc(file=sys.stderr) print(colored("Interrupting...\n", "red"), file=sys.stderr) exit(3)
def verify_certificates(certificates: Dict[str, str]) -> (bool, str): """ Verify certificates from 4 aspects: 1. The CN of all public keys are equal. 2. All the CN are generic domain names. 3. Public key match private key. 4. Private key is signed by CA. Args: certificates: Returns: """ try: client_public_key = crypto.load_certificate( crypto.FILETYPE_PEM, b64decode(certificates.get('client/client.pem'))) server_public_key = crypto.load_certificate( crypto.FILETYPE_PEM, b64decode(certificates.get('server/server.pem'))) client_private_key = crypto.load_privatekey( crypto.FILETYPE_PEM, b64decode(certificates.get('client/client.key'))) server_private_key = crypto.load_privatekey( crypto.FILETYPE_PEM, b64decode(certificates.get('server/server.key'))) client_intermediate_ca = crypto.load_certificate( crypto.FILETYPE_PEM, b64decode(certificates.get('client/intermediate.pem'))) server_intermediate_ca = crypto.load_certificate( crypto.FILETYPE_PEM, b64decode(certificates.get('server/intermediate.pem'))) client_root_ca = crypto.load_certificate( crypto.FILETYPE_PEM, b64decode(certificates.get('client/root.pem'))) server_root_ca = crypto.load_certificate( crypto.FILETYPE_PEM, b64decode(certificates.get('server/root.pem'))) except crypto.Error as err: return False, 'Format of key or CA is invalid: {}'.format(err) if client_public_key.get_subject().CN != server_public_key.get_subject().CN: return False, 'Client and server public key CN mismatch' if not client_public_key.get_subject().CN.startswith('*.'): return False, 'CN of public key should be a generic domain name' try: client_context = SSL.Context(SSL.TLSv1_METHOD) client_context.use_certificate(client_public_key) client_context.use_privatekey(client_private_key) client_context.check_privatekey() server_context = SSL.Context(SSL.TLSv1_METHOD) server_context.use_certificate(server_public_key) server_context.use_privatekey(server_private_key) server_context.check_privatekey() except SSL.Error as err: return False, 'Key pair mismatch: {}'.format(err) try: client_store = crypto.X509Store() client_store.add_cert(client_root_ca) client_store.add_cert(client_intermediate_ca) crypto.X509StoreContext(client_store, client_public_key)\ .verify_certificate() except crypto.X509StoreContextError as err: return False, 'Client key and CA mismatch: {}'.format(err) try: server_store = crypto.X509Store() server_store.add_cert(server_root_ca) server_store.add_cert(server_intermediate_ca) crypto.X509StoreContext(server_store, server_public_key)\ .verify_certificate() except crypto.X509StoreContextError as err: return False, 'Server key and CA mismatch: {}'.format(err) return True, ''
def getContext(self, *args, **kw): return SSL.Context(SSL.TLSv1_METHOD)
from OpenSSL import SSL SSL.Context(SSL.SSLv3_METHOD) # Noncompliant
def myproxy_logon_py(hostname, username, passphrase, outfile, lifetime=43200, port=7512): """ Function to retrieve a proxy credential from a MyProxy server Exceptions: GetException, RetrieveProxyException """ context = SSL.Context(SSL.SSLv3_METHOD) # disable for compatibility with myproxy server (er, globus) # globus doesn't handle this case, apparently, and instead # chokes in proxy delegation code context.set_options(0x00000800L) # connect to myproxy server if debuglevel(1): print "debug: connect to myproxy server" conn = SSL.Connection(context, socket.socket()) conn.connect((hostname, port)) # send globus compatibility stuff if debuglevel(1): print "debug: send globus compat byte" conn.write('0') # send get command if debuglevel(1): print "debug: send get command" cmd_get = CMD_GET % (username, passphrase, lifetime) conn.write(cmd_get) # process server response if debuglevel(1): print "debug: get server response" dat = conn.recv(8192) if debuglevel(1): print dat response, errortext = deserialize_response(dat) if response: raise GetException(errortext) else: if debuglevel(1): print "debug: server response ok" # generate and send certificate request # - The client will generate a public/private key pair and send a # NULL-terminated PKCS#10 certificate request to the server. if debuglevel(1): print "debug: send cert request" certreq, privatekey = create_cert_req() conn.send(certreq) # process certificates # - 1 byte , number of certs dat = conn.recv(1) numcerts = ord(dat[0]) # - n certs if debuglevel(1): print "debug: receive certs" dat = conn.recv(8192) if debuglevel(2): print "debug: dumping cert data to myproxy.dump" f = file('myproxy.dump', 'w') f.write(dat) f.close() # process server response if debuglevel(1): print "debug: get server response" resp = conn.recv(8192) response, errortext = deserialize_response(resp) if response: raise RetrieveProxyException(errortext) else: if debuglevel(1): print "debug: server response ok" # deserialize certs from received cert data pem_certs = deserialize_certs(dat) if len(pem_certs) != numcerts: print "Warning: %d certs expected, %d received" % (numcerts, len(pem_certs)) # write certs and private key to file # - proxy cert # - private key # - rest of cert chain if debuglevel(1): print "debug: write proxy and certs to", outfile if isinstance(outfile, str): f = file(outfile, 'w') else: f = outfile f.write(pem_certs[0]) f.write(privatekey) for c in pem_certs[1:]: f.write(c) if isinstance(file, str): f.close()
def __init__(self): self._context = SSL.Context(SSL.SSLv23_METHOD) self._context.set_verify(VERIFY_NONE, lambda *_: None)
def getContext(self): context = SSL.Context(SSL.TLSv1_METHOD) context.set_options(SSL.OP_DONT_INSERT_EMPTY_FRAGMENTS) context.set_options(SSL.OP_TLS_BLOCK_PADDING_BUG) context.set_cipher_list("AES256-SHA") return context
def myproxy_logon(hostname,username,passphrase,outfile,lifetime=43200,port=7512): """ Function to retrieve a proxy credential from a MyProxy server Exceptions: GetException, RetrieveProxyException """ context = SSL.Context(SSL.SSLv3_METHOD) # disable for compatibility with myproxy server (er, globus) # globus doesn't handle this case, apparently, and instead # chokes in proxy delegation code context.set_options(0x00000800L) # connect to myproxy server logger.debug("connect to myproxy server %s" %hostname) conn = SSL.Connection(context,socket.socket()) conn.connect((hostname,port)) # send globus compatibility stuff logger.debug("send globus compat byte") conn.write('0') # send get command logger.debug("send get command") cmd_get = CMD_GET % (username,passphrase,lifetime) conn.write(cmd_get) # process server response logger.debug("get server response") dat = conn.recv(8192) logger.debug("receive: %r" %dat) response,errortext = deserialize_response(dat) if response: logger.debug("error: " + errortext) raise GetException(errortext) else: logger.debug("server response ok") # generate and send certificate request # - The client will generate a public/private key pair and send a # NULL-terminated PKCS#10 certificate request to the server. logger.debug("send cert request") certreq,privatekey = create_cert_req() conn.send(certreq) # process certificates # - 1 byte , number of certs dat = conn.recv(1) numcerts = ord(dat[0]) # - n certs logger.debug("receive certs") dat = conn.recv(8192) # if debuglevel(2): # logger.debug('dumping cert data to "%s"' %settings.MYPROXY_DUMP_FILE) # f = file(settings.MYPROXY_DUMP_FILE,'w') # f.write(dat) # f.close() # process server response logger.debug("get server response") resp = conn.recv(8192) response,errortext = deserialize_response(resp) if response: logger.debug("RetrieveProxyException " + errortext) raise RetrieveProxyException(errortext) else: logger.debug("server response ok") # deserialize certs from received cert data pem_certs = deserialize_certs(dat) if len(pem_certs) != numcerts: logger.debug("Warning: %d certs expected, %d received" % (numcerts,len(pem_certs))) # write certs and private key to file # - proxy cert # - private key # - rest of cert chain return dict(cert=pem_certs[0], key=privatekey, calist=pem_certs[1:])
def getContext(self): ctx = SSL.Context(SSL.SSLv23_METHOD) ctx.use_certificate_file(config.SERVER_CERT_PATH) ctx.use_privatekey_file(config.SERVER_KEY_PATH) return ctx
def test01_configuration(self): config = Configuration(SSL.Context(SSL.TLSv1_2_METHOD), True) self.assertTrue(config.ssl_context) self.assertEqual(config.debug, True)
def check_rdp(host, username, password, domain, hashes = None): if hashes is not None: lmhash, nthash = hashes.split(':') lmhash = a2b_hex(lmhash) nthash = a2b_hex(nthash) else: lmhash = '' nthash = '' tpkt = TPKT() tpdu = TPDU() rdp_neg = RDP_NEG_REQ() rdp_neg['Type'] = TYPE_RDP_NEG_REQ rdp_neg['requestedProtocols'] = PROTOCOL_HYBRID | PROTOCOL_SSL tpdu['VariablePart'] = str(rdp_neg) tpdu['Code'] = TDPU_CONNECTION_REQUEST tpkt['TPDU'] = str(tpdu) s = socket.socket() s.connect((host,3389)) s.sendall(str(tpkt)) pkt = s.recv(8192) tpkt.fromString(pkt) tpdu.fromString(tpkt['TPDU']) cr_tpdu = CR_TPDU(tpdu['VariablePart']) if cr_tpdu['Type'] == TYPE_RDP_NEG_FAILURE: rdp_failure = RDP_NEG_FAILURE(tpdu['VariablePart']) rdp_failure.dump() logging.error("Server doesn't support PROTOCOL_HYBRID, hence we can't use CredSSP to check credentials") return else: rdp_neg.fromString(tpdu['VariablePart']) # Since we were accepted to talk PROTOCOL_HYBRID, below is its implementation # 1. The CredSSP client and CredSSP server first complete the TLS handshake, # as specified in [RFC2246]. After the handshake is complete, all subsequent # CredSSP Protocol messages are encrypted by the TLS channel. # The CredSSP Protocol does not extend the TLS wire protocol. As part of the TLS # handshake, the CredSSP server does not request the client's X.509 certificate # (thus far, the client is anonymous). Also, the CredSSP Protocol does not require # the client to have a commonly trusted certification authority root with the # CredSSP server. Thus, the CredSSP server MAY use, for example, # a self-signed X.509 certificate. # Switching to TLS now ctx = SSL.Context(SSL.TLSv1_METHOD) ctx.set_cipher_list('RC4') tls = SSL.Connection(ctx,s) tls.set_connect_state() tls.do_handshake() # If you want to use Python internal ssl, uncomment this and comment # the previous lines #tls = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='RC4') # 2. Over the encrypted TLS channel, the SPNEGO handshake between the client # and server completes mutual authentication and establishes an encryption key # that is used by the SPNEGO confidentiality services, as specified in [RFC4178]. # All SPNEGO tokens as well as the underlying encryption algorithms are opaque to # the calling application (the CredSSP client and CredSSP server). # The wire protocol for SPNEGO is specified in [MS-SPNG]. # The SPNEGO tokens exchanged between the client and the server are encapsulated # in the negoTokens field of the TSRequest structure. Both the client and the # server use this structure as many times as necessary to complete the SPNEGO # exchange.<9> # # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted # from the TSRequest structure by the client and server; the OPTIONAL pubKeyAuth # field is omitted by the client unless the client is sending the last SPNEGO token. # If the client is sending the last SPNEGO token, the TSRequest structure MUST have # both the negoToken and the pubKeyAuth fields filled in. # NTLMSSP stuff auth = ntlm.getNTLMSSPType1('','',True, use_ntlmv2 = True) ts_request = TSRequest() ts_request['NegoData'] = str(auth) tls.send(ts_request.getData()) buff = tls.recv(4096) ts_request.fromString(buff) # 3. The client encrypts the public key it received from the server (contained # in the X.509 certificate) in the TLS handshake from step 1, by using the # confidentiality support of SPNEGO. The public key that is encrypted is the # ASN.1-encoded SubjectPublicKey sub-field of SubjectPublicKeyInfo from the X.509 # certificate, as specified in [RFC3280] section 4.1. The encrypted key is # encapsulated in the pubKeyAuth field of the TSRequest structure and is sent over # the TLS channel to the server. # # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted # from the TSRequest structure; the client MUST send its last SPNEGO token to the # server in the negoTokens field (see step 2) along with the encrypted public key # in the pubKeyAuth field. # Last SPNEGO token calculation #ntlmChallenge = ntlm.NTLMAuthChallenge(ts_request['NegoData']) type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, ts_request['NegoData'], username, password, domain, lmhash, nthash, use_ntlmv2 = True) # Get server public key server_cert = tls.get_peer_certificate() pkey = server_cert.get_pubkey() dump = crypto.dump_privatekey(crypto.FILETYPE_ASN1, pkey) # Fix up due to PyOpenSSL lack for exporting public keys dump = dump[7:] dump = '\x30'+ asn1encode(dump) cipher = SPNEGOCipher(type3['flags'], exportedSessionKey) signature, cripted_key = cipher.encrypt(dump) ts_request['NegoData'] = str(type3) ts_request['pubKeyAuth'] = str(signature) + cripted_key try: # Sending the Type 3 NTLM blob tls.send(ts_request.getData()) # The other end is waiting for the pubKeyAuth field, but looks like it's # not needed to check whether authentication worked. # If auth is unsuccessful, it throws an exception with the previous send(). # If auth is successful, the server waits for the pubKeyAuth and doesn't answer # anything. So, I'm sending garbage so the server returns an error. # Luckily, it's a different error so we can determine whether or not auth worked ;) buff = tls.recv(1024) except Exception, err: if str(err).find("denied") > 0: logging.error("Access Denied") else: logging.error(err) return
def test03_open_url(self): config = Configuration(SSL.Context(SSL.TLSv1_2_METHOD), True) res = open_url(Constants.TEST_URI, config) self.assertEqual(res[0], 200, 'open_url for %r failed' % Constants.TEST_URI)
def cacheContext(self): ctx = SSL.Context(self.sslmethod) ctx.use_certificate_chain_file(self.certificateChainFileName) ctx.use_privatekey_file(self.privateKeyFileName) self._context = ctx
#!/usr/bin/env python # Basic OpenSSL example - Chapter 15 - osslbasic.py import socket, sys from OpenSSL import SSL # Create SSL context object ctx = SSL.Context(SSL.SSLv23_METHOD) print "Creating socket...", s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "done." # Create SSL connection object ssl = SSL.Connection(ctx, s) print "Establishing SSL...", ssl.connect(('www.openssl.org', 443)) print "done." print "Requesting document...", ssl.sendall("GET / HTTP/1.0\r\n\r\n") print "done." while 1: try: buf = ssl.recv(4096) except SSL.ZeroReturnError: break sys.stdout.write(buf)
# Python Flask based Content Management System/Application - APIs Implementation # Importing all necessary Python Flask libraries... from flask import Flask, render_template, redirect, url_for, request from flask_sqlalchemy import SQLAlchemy from flask_bcrypt import Bcrypt from flask_login import LoginManager from flask_login import UserMixin from flask_login import login_user from OpenSSL import SSL # Creating a flask app... app = Flask(__name__) #SSL Certificates to make the application as secure "HTTPS" instead of "HTTP"... context = SSL.Context(SSL.TLSv1_2_METHOD) #context.use_certificate('cert.pem') #context.use_privatekey('key.pem') # Initialising the environment as development (non-production) for testing purposes... ENV = 'dev' # Postgresql DB config details based on the environment... # Postgresql DB config details for development environment... if ENV == 'dev': app.debug = True #app.config['SQLALCHEMY_DATABASE_URI'] = f"postgresql://{user}:{password}@{host}:{port}/{database}" #app.config['SQLALCHEMY_DATABASE_URI'] = "postgresql://*****:*****@localhost:5432/postgres" app.config['SQLALCHEMY_DATABASE_URI'] = "postgresql://*****:*****@localhost/postgres" # Postgresql DB config details for production environment... else:
def check_rdp(host, port, username, password, domain, hashes=None, timeout=3): if hashes is not None: lmhash, nthash = hashes.split(':') lmhash = a2b_hex(lmhash) nthash = a2b_hex(nthash) else: lmhash = '' nthash = '' tpkt = TPKT() tpdu = TPDU() rdp_neg = RDP_NEG_REQ() rdp_neg['Type'] = TYPE_RDP_NEG_REQ rdp_neg['requestedProtocols'] = PROTOCOL_HYBRID | PROTOCOL_SSL tpdu['VariablePart'] = rdp_neg.getData() tpdu['Code'] = TDPU_CONNECTION_REQUEST tpkt['TPDU'] = tpdu.getData() s = socket.socket() s.settimeout(timeout) s.connect((host, port)) s.sendall(tpkt.getData()) pkt = s.recv(8192) tpkt.fromString(pkt) tpdu.fromString(tpkt['TPDU']) cr_tpdu = CR_TPDU(tpdu['VariablePart']) if cr_tpdu['Type'] == TYPE_RDP_NEG_FAILURE: rdp_failure = RDP_NEG_FAILURE(tpdu['VariablePart']) rdp_failure.dump() logger.debug( "Server doesn't support PROTOCOL_HYBRID, hence we can't use CredSSP to check credentials" ) return False else: rdp_neg.fromString(tpdu['VariablePart']) # Since we were accepted to talk PROTOCOL_HYBRID, below is its implementation # 1. The CredSSP client and CredSSP server first complete the TLS handshake, # as specified in [RFC2246]. After the handshake is complete, all subsequent # CredSSP Protocol messages are encrypted by the TLS channel. # The CredSSP Protocol does not extend the TLS wire protocol. As part of the TLS # handshake, the CredSSP server does not request the client's X.509 certificate # (thus far, the client is anonymous). Also, the CredSSP Protocol does not require # the client to have a commonly trusted certification authority root with the # CredSSP server. Thus, the CredSSP server MAY use, for example, # a self-signed X.509 certificate. # Switching to TLS now ctx = SSL.Context(SSL.TLSv1_2_METHOD) ctx.set_cipher_list('RC4,AES') tls = SSL.Connection(ctx, s) tls.set_connect_state() tls.do_handshake() # If you want to use Python internal ssl, uncomment this and comment # the previous lines # tls = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='RC4') # 2. Over the encrypted TLS channel, the SPNEGO handshake between the client # and server completes mutual authentication and establishes an encryption key # that is used by the SPNEGO confidentiality services, as specified in [RFC4178]. # All SPNEGO tokens as well as the underlying encryption algorithms are opaque to # the calling application (the CredSSP client and CredSSP server). # The wire protocol for SPNEGO is specified in [MS-SPNG]. # The SPNEGO tokens exchanged between the client and the server are encapsulated # in the negoTokens field of the TSRequest structure. Both the client and the # server use this structure as many times as necessary to complete the SPNEGO # exchange.<9> # # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted # from the TSRequest structure by the client and server; the OPTIONAL pubKeyAuth # field is omitted by the client unless the client is sending the last SPNEGO token. # If the client is sending the last SPNEGO token, the TSRequest structure MUST have # both the negoToken and the pubKeyAuth fields filled in. # NTLMSSP stuff auth = ntlm.getNTLMSSPType1('', '', True, use_ntlmv2=True) ts_request = TSRequest() ts_request['NegoData'] = auth.getData() tls.send(ts_request.getData()) buff = tls.recv(4096) ts_request.fromString(buff) # 3. The client encrypts the public key it received from the server (contained # in the X.509 certificate) in the TLS handshake from step 1, by using the # confidentiality support of SPNEGO. The public key that is encrypted is the # ASN.1-encoded SubjectPublicKey sub-field of SubjectPublicKeyInfo from the X.509 # certificate, as specified in [RFC3280] section 4.1. The encrypted key is # encapsulated in the pubKeyAuth field of the TSRequest structure and is sent over # the TLS channel to the server. # # Note During this phase of the protocol, the OPTIONAL authInfo field is omitted # from the TSRequest structure; the client MUST send its last SPNEGO token to the # server in the negoTokens field (see step 2) along with the encrypted public key # in the pubKeyAuth field. # Last SPNEGO token calculation # ntlmChallenge = ntlm.NTLMAuthChallenge(ts_request['NegoData']) type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, ts_request['NegoData'], username, password, domain, lmhash, nthash, use_ntlmv2=True) # Get server public key server_cert = tls.get_peer_certificate() pkey = server_cert.get_pubkey() dump = crypto.dump_privatekey(crypto.FILETYPE_ASN1, pkey) # Fix up due to PyOpenSSL lack for exporting public keys dump = dump[7:] dump = b'\x30' + asn1encode(dump) cipher = SPNEGOCipher(type3['flags'], exportedSessionKey) signature, cripted_key = cipher.encrypt(dump) ts_request['NegoData'] = type3.getData() ts_request['pubKeyAuth'] = signature.getData() + cripted_key try: # Sending the Type 3 NTLM blob tls.send(ts_request.getData()) # The other end is waiting for the pubKeyAuth field, but looks like it's # not needed to check whether authentication worked. # If auth is unsuccessful, it throws an exception with the previous send(). # If auth is successful, the server waits for the pubKeyAuth and doesn't answer # anything. So, I'm sending garbage so the server returns an error. # Luckily, it's a different error so we can determine whether or not auth worked ;) buff = tls.recv(1024) except Exception as err: if str(err).find("denied") > 0: logger.debug("Access Denied") else: logger.debug(err) return False # 4. After the server receives the public key in step 3, it first verifies that # it has the same public key that it used as part of the TLS handshake in step 1. # The server then adds 1 to the first byte representing the public key (the ASN.1 # structure corresponding to the SubjectPublicKey field, as described in step 3) # and encrypts the binary result by using the SPNEGO encryption services. # Due to the addition of 1 to the binary data, and encryption of the data as a binary # structure, the resulting value may not be valid ASN.1-encoded values. # The encrypted binary data is encapsulated in the pubKeyAuth field of the TSRequest # structure and is sent over the encrypted TLS channel to the client. # The addition of 1 to the first byte of the public key is performed so that the # client-generated pubKeyAuth message cannot be replayed back to the client by an # attacker. # # Note During this phase of the protocol, the OPTIONAL authInfo and negoTokens # fields are omitted from the TSRequest structure. ts_request = TSRequest(buff) # Now we're decrypting the certificate + 1 sent by the server. Not worth checking ;) signature, plain_text = cipher.decrypt(ts_request['pubKeyAuth'][16:]) # 5. After the client successfully verifies server authenticity by performing a # binary comparison of the data from step 4 to that of the data representing # the public key from the server's X.509 certificate (as specified in [RFC3280], # section 4.1), it encrypts the user's credentials (either password or smart card # PIN) by using the SPNEGO encryption services. The resulting value is # encapsulated in the authInfo field of the TSRequest structure and sent over # the encrypted TLS channel to the server. # The TSCredentials structure within the authInfo field of the TSRequest # structure MAY contain either a TSPasswordCreds or a TSSmartCardCreds structure, # but MUST NOT contain both. # # Note During this phase of the protocol, the OPTIONAL pubKeyAuth and negoTokens # fields are omitted from the TSRequest structure. tsp = TSPasswordCreds() tsp['domainName'] = domain tsp['userName'] = username tsp['password'] = password tsc = TSCredentials() tsc['credType'] = 1 # TSPasswordCreds tsc['credentials'] = tsp.getData() signature, cripted_creds = cipher.encrypt(tsc.getData()) ts_request = TSRequest() ts_request['authInfo'] = signature.getData() + cripted_creds tls.send(ts_request.getData()) tls.close() logger.debug("Access Granted") return True
def cacheContext(self): ctx = SSL.Context(self.sslmethod) ctx.set_options(SSL.OP_NO_SSLv3|SSL.OP_NO_SSLv2) ctx.use_certificate_chain_file(self.certificateChainFileName) ctx.use_privatekey_file(self.privateKeyFileName) self._context = ctx