def getNewConnection(self):
"""
Initialize a new serializable TLSConnection.
"""
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((self.host, self.port))
connection = TLSConnection(sock)
chain, key = self.getCertChainKey()
connection.handshakeClientCert(chain, key)
return connection
def connect(self):
if self.conn:
return
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(self.address)
self.conn = TLSConnection(sock)
self.conn.handshakeClientCert(self.__creds.cert,
self.__creds.pkey,
checker=self.__creds.checker)
self.fconn = self.conn.makefile()
def setup_connection(self):
hdr = self.generate_peer_header()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.connect(self.address_tuple)
self.upstream_connection = TLSConnection(sock)
hs = self.upstream_connection.handshakeClientCert()
self.upstream_connection.write(self.nsbytes)
self.upstream_connection.write(hdr)
invalid = self.read_peer_header(self.upstream_connection)
if invalid.message != '':
raise Exception(
"GRPC Server sent invalid header or proof {0}".format(invalid))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
def testMACValidation():
"""
Tests whether the server properly rejects messages when their MAC is modified.
"""
print("Testing validation of individual MAC bits...")
failBits = []
for maskBit in range(0, 96):
rejected = False
try:
# formulate a bit mask based on the current mask bit index
mask = bytearray([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
maskIndex = int((maskBit - (maskBit % 8)) / 8)
mask[maskIndex] = (0x80 >> (maskBit % 8))
if args.verbose:
maskBinString = ''.join(format(x, 'b').zfill(8) for x in mask)
print("\tTesting bit %d, mask: %s" % (maskBit, maskBinString))
else:
print("+", end="")
# connect to the server and do a handshake
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((args.host, args.port))
tls = TLSConnection(sock)
# assign mask as tweak
tls.macTweak = bytearray(mask)
tls.handshakeClientCert()
# send a packet
tls.send("GET / HTTP/1.0\n\n\n")
# try to read some data back
data = tls.read()
except (TLSRemoteAlert, socket.error):
rejected = True
if args.verbose:
print("\tBit %d rejected correctly!" % maskBit)
except (TLSAbruptCloseError, socket.error):
rejected = True
if args.verbose:
print("\tBit %d rejected correctly!" % maskBit)
if not rejected:
failBits.append(maskBit)
if not args.verbose:
print("")
if len(failBits) > 0:
macValidationIssue = getIssueTemplate("MAC_VALIDATION_ERROR")
macValidationIssue.findings = ', '.join(str(b) for b in failBits)
report.addIssue(macValidationIssue)
print("The following modified MAC bits were incorrectly accepted: ",
end='')
print(', '.join(str(b) for b in failBits))
else:
print("All modified MAC bits were correctly rejected.")
class RevTLSClient:
def __init__(self, address, credentials):
self.address = address
self.__creds = credentials
self.conn = None
self.connect()
def __enter__(self):
return self
def __exit__(self, type, value, traceback):
self.close()
def connect(self):
if self.conn:
return
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(self.address)
self.conn = TLSConnection(sock)
self.conn.handshakeClientCert(self.__creds.cert,
self.__creds.pkey,
checker=self.__creds.checker)
self.fconn = self.conn.makefile()
def sendall(self, data):
_write_with_length(self.fconn, data)
def recvall(self):
return _read_with_length(self.fconn)
def close(self):
self.fconn.close()
self.fconn = None
self.conn.close()
self.conn = None
def start (self):
"""Run a TLS handshake, and if that works, start up the constant reader...."""
tc = TLSConnection(self._socket)
p = self.transport()
ret = False
if p:
u = p.uid()
# Catch some some or exception here....
p.info("Calling handshake for {0}".format(u))
try:
tc.handshakeClientSRP(u, p.pw(), p.previousTlsSession())
self._tls_transport = tc
p.setTlsSession(tc.session)
# Call up to superclass....
transport.ClearStreamWrapper.start(self)
p.info("Handshake succeeded for #{0}".format(u))
ret = True
except TLSRemoteAlert as e:
msg = "SRP authentication error for {0}: {1}".format(u, e)
p.info(msg)
p.reportError('handshake', msg)
else:
self.warn("Transport was dead in TlsClientStreamWrapper.start")
return ret
def setup(self):
conn = TLSConnection(self.request)
conn.closeSocket = True
conn.handshakeServer(certChain=self.owner.creds.cert,
privateKey=self.owner.creds.pkey,
checker=self.owner.creds.checker,
reqCert=True)
self.rfile = conn.makefile('rb', self.rbufsize)
self.wfile = conn.makefile('wb', self.wbufsize)
self.owner.conn = conn
class WAVEGRPCClient:
def __init__(self,
address_tuple,
namespace,
entityfile,
grpcservice,
proof_file='clientproof.pem',
waved='localhost:410'):
self.address_tuple = address_tuple
self.ns = namespace
self.grpcservice = grpcservice
self.nsbytes = base64.urlsafe_b64decode(self.ns)
self.entityfile = open(entityfile, 'rb').read()
self.perspective = eapi_pb2.Perspective(
entitySecret=eapi_pb2.EntitySecret(DER=self.entityfile))
self._listen_address = None
self._ready = threading.Event()
self.wave_channel = grpc.insecure_channel(waved)
self.wave_client = eapi_pb2_grpc.WAVEStub(self.wave_channel)
resp = self.wave_client.Inspect(
eapi_pb2.InspectParams(content=self.entityfile, ))
self.entityhash = resp.entity.hash
self.proof_file = open('clientproof.pem', 'rb').read()
resp = self.wave_client.VerifyProof(
eapi_pb2.VerifyProofParams(proofDER=self.proof_file, ))
self.sigresp = self.wave_client.Sign(
eapi_pb2.SignParams(
perspective=self.perspective,
content=self.proof_file,
))
# setup server
self._server_thread = threading.Thread(
target=self.get_client_connection, daemon=True)
self._server_thread.start()
def setup_connection(self):
hdr = self.generate_peer_header()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.connect(self.address_tuple)
self.upstream_connection = TLSConnection(sock)
hs = self.upstream_connection.handshakeClientCert()
self.upstream_connection.write(self.nsbytes)
self.upstream_connection.write(hdr)
invalid = self.read_peer_header(self.upstream_connection)
if invalid.message != '':
raise Exception(
"GRPC Server sent invalid header or proof {0}".format(invalid))
@property
def listen_address(self):
self._ready.wait()
return "{0}:{1}".format(*self._listen_address)
def get_client_connection(self):
listen_port = 5005
while True:
listen_address = ('localhost', listen_port)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
server.bind(listen_address)
self._listen_address = listen_address
self._ready.set()
break
except Exception as e:
print("Failed to listen on {0}".format(listen_address), e)
time.sleep(1)
listen_port += 1
print("Listening on {0}".format(listen_address))
server.listen(10)
while True:
client_socket, addr = server.accept()
# reconnect to the GRPC server on each call
self.setup_connection()
# start a thread to talk to the remote host
proxy_thread = threading.Thread(target=self.handle_client,
args=(client_socket, ),
daemon=True)
proxy_thread.start()
def handle_client(self, client_socket):
while True:
try:
local_buffer = receive_from(client_socket)
if len(local_buffer):
self.upstream_connection.send(local_buffer)
# receive back the response
remote_buffer = receive_from(self.upstream_connection)
if len(remote_buffer):
# send the response to the local socket
client_socket.send(remote_buffer)
# if no more data on the either side, close the connections
if not len(local_buffer) or not len(remote_buffer):
print("Done with call")
break
finally:
client_socket.close()
self.upstream_connection.close()
def generate_peer_header(self):
buf = bytes()
buf += self.entityhash
buf += struct.pack('<H', len(self.sigresp.signature))
buf += self.sigresp.signature
buf += struct.pack('<I', len(self.proof_file))
buf += self.proof_file
return buf
def read_peer_header(self, conn):
entityhash = conn.read(max=34, min=34)
sigsize = struct.unpack('<H', conn.read(max=2, min=2))[0]
signature = conn.read(max=sigsize, min=sigsize)
proofsize = struct.unpack('<I', conn.read(max=4, min=4))[0]
proof = conn.read(max=proofsize, min=proofsize)
#TODO verify this
# TODO: need peer certificate
cert = self.upstream_connection.session.serverCertChain.x509List[
0].bytes
c = x509.load_der_x509_certificate(cert, default_backend())
vresp = self.wave_client.VerifySignature(
eapi_pb2.VerifySignatureParams(
signer=entityhash,
signature=signature,
content=c.signature,
))
if vresp.error.message != "":
return vresp.error
proofresp = self.wave_client.VerifyProof(
eapi_pb2.VerifyProofParams(
proofDER=proof,
subject=entityhash,
requiredRTreePolicy=eapi_pb2.RTreePolicy(
namespace=self.nsbytes,
statements=[
eapi_pb2.RTreePolicyStatement(
permissionSet=XBOS_PERMSET,
permissions=["serve_grpc"],
resource=self.grpcservice,
),
],
)))
if proofresp.result == None:
return "no proof"
return proofresp.error
def connect():
return TLSConnection(lsock.accept()[0])
break
_SID = uid
def setBit(int_type, offset):
mask = 1 << offset
return (int_type | mask)
def testBit(int_type, offset):
mask = 1 << offset
return (int_type & mask)
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((GATEWAY_HOST, GATEWAY_PORT))
connection = TLSConnection(sock)
connection.handshakeClientCert()
print '***connected***'
## Authentication message
msg = message_pb2.Container()
msg.SID = uid
msg.RID = ''
msg.STIME = 0
os.system('TITLE CLIENT %s' % _SID)
msgType = 0
msgType = setBit(msgType, 0) # Identity
msgType = setBit(msgType, 1) # Authenticate
import os
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'usage: ' + sys.argv[0] + ' server_ip server_port'
else:
server_ip = sys.argv[1]
server_port = int(sys.argv[2])
cipher_suite = 'aes256gcm'
curve_name = 'x25519'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server_ip, server_port))
# now use sock to establish TLS 1.3 connection with the remote server
connection = TLSConnection(sock)
settings = HandshakeSettings()
settings.cipherNames = [cipher_suite]
settings.eccCurves = list([curve_name])
settings.defaultCurve = curve_name
settings.keyShares = [curve_name]
settings.maxVersion = (3, 3) # tls 1.2
settings.versions = [(3, 3)]
#settings.number_of_middleboxes = number_of_middleboxes
settings.print_debug_info = True
cert_file = "tests/serverX509Cert.pem"
s = open(cert_file, "rb").read()
if sys.version_info[0] >= 3:
s = str(s, 'utf-8')
if __name__ == '__main__':
if len(sys.argv) != 5:
print 'usage: ' + sys.argv[
0] + ' enable_metls server_ip server_port number_of_middleboxes'
else:
server_ip = sys.argv[2]
server_port = int(sys.argv[3])
number_of_middleboxes = int(sys.argv[4])
cipher_suite = 'aes256gcm'
curve_name = 'x25519'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server_ip, server_port))
# now use sock to establish TLS 1.3 connection with the remote server
connection = TLSConnection(sock)
settings = HandshakeSettings()
settings.cipherNames = [cipher_suite]
settings.eccCurves = list([curve_name])
settings.defaultCurve = curve_name
settings.keyShares = [curve_name]
settings.enable_metls = (int(sys.argv[1]) == 1)
settings.print_debug_info = True
settings.calculate_ibe_keys = False
settings.csibekey = bytearray(32)
settings.c_to_s_mb_list = []
settings.s_to_c_mb_list = []
for i in range(number_of_middleboxes):
mbid = bytearray(os.urandom(64))
# client introduce server to client middleboxes
for i in range(number_of_middleboxes):
mbid = bytearray(os.urandom(64))
permission = bytearray(1)
permission[0] = random.randint(0, 1)
mb = {'middlebox_id': mbid, 'middlebox_permission': permission}
settings.s_to_c_mb_list.append(mb)
time1 = time.time()
for i in range(number_of_connections):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server_ip, server_port))
# now use sock to establish TLS 1.3 connection with the remote server
connection = TLSConnection(sock)
connection.handshakeClientCert(settings=settings)
# send page request to server
#request = bytearray()
#request.append((amt >> 16) & 0xff)
#request.append((amt >> 8) & 0xff)
#request.append(amt & 0xff)
#connection.sendall(request)
while amt > blocksize:
data = connection.recv(blocksize)
amt = amt - blocksize
if amt > 0:
data = connection.recv(amt)
# read page from server
#response = connection.recv(amt)
connection.close()
settings.s_to_c_mb_list = []
# client introduce server to client middleboxes
for i in range(number_of_middleboxes):
mbid = bytearray(os.urandom(64))
permission = bytearray(1)
permission[0] = random.randint(0, 1)
mb = {'middlebox_id': mbid, 'middlebox_permission': permission}
settings.s_to_c_mb_list.append(mb)
time1 = time.time()
for i in range(number_of_connections):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server_ip, server_port))
# now use sock to establish TLS 1.3 connection with the remote server
connection = TLSConnection(sock)
connection.handshakeClientCert(settings=settings)
# send page request to server
request = bytearray()
request.append((amt >> 16) & 0xff)
request.append((amt >> 8) & 0xff)
request.append(amt & 0xff)
connection.sendall(request)
# read page from server
response = connection.recv(amt)
connection.close()
time2 = time.time()
page_load_time = (time2 - time1) / number_of_connections
print 'page load time is ' + str(page_load_time) + ' second'
if __name__ == '__main__':
if len(sys.argv) != 5:
print 'usage: ' + sys.argv[
0] + ' enable_metls server_ip server_port number_of_middleboxes'
else:
server_ip = sys.argv[2]
server_port = int(sys.argv[3])
number_of_middleboxes = int(sys.argv[4])
cipher_suite = 'aes256gcm'
curve_name = 'x25519'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server_ip, server_port))
# now use sock to establish TLS 1.3 connection with the remote server
connection = TLSConnection(sock)
settings = HandshakeSettings()
settings.cipherNames = [cipher_suite]
settings.eccCurves = list([curve_name])
settings.defaultCurve = curve_name
settings.keyShares = [curve_name]
settings.enable_metls = (int(sys.argv[1]) == 1)
settings.print_debug_info = True
settings.calculate_ibe_keys = False
settings.csibekey = bytearray(32)
settings.c_to_s_mb_list = []
settings.s_to_c_mb_list = []
# client introduce server to client middleboxes
for i in range(number_of_middleboxes):
assert not (haveActivePin and not havePin), "Cant't have activePin, but no pins"
if args.show:
for pin in pins:
print("------------------------------")
print(pin)
print("------------------------------")
exit(0)
### end get pins
# open socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((args.server, int(args.port)))
# construct TLS Connection
conn = TLSConnection(sock)
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
conn.handshakeClientCert(settings=settings)
if conn.session.tackExt:
tackExt = conn.session.tackExt
print("TACK is working on " + sockString)
print("------------------------------")
print(tackExt)
print("------------------------------")
if tackExt.activation_flags != 0:
usingTACK = True
# if no active TACKs in TLS-Connection
if not usingTACK:
sock.sendall(request)
# receive reply from socke 5 proxy
failed_reply = b''
failed_reply = failed_reply + b'\x05' # version number
failed_reply = failed_reply + b'\x01' # general SOCKS server failure
failed_reply = failed_reply + b'\x00' # reserved
failed_reply = failed_reply + b'\x01' + b'\x00' * 6
reply = sock.recv(10)
if len(reply) != 10:
print 'reply length is not 10'
print 'this should not happen'
elif reply == failed_reply:
print 'received failed reply'
else:
print 'received succeeded reply, socks 5 proxy established connection with the remote server'
# now use sock to establish TLS 1.3 connection with the remote server
connection = TLSConnection(sock)
mb_utils.fake_handshakeClientCert(connection)
# 2 \r\n
connection.send("GET / HTTP/1.0\r\n\r\n")
r = connection.recv(10240)
if r in (0, 1):
print 'received 0 or 1'
elif isinstance(r, str):
print 'received from server:'
print r
else:
print 'f**k'
#connection.close()
def setBit(int_type, offset):
mask = 1 << offset
return (int_type | mask)
def testBit(int_type, offset):
mask = 1 << offset
return (int_type & mask)
sock = socket(AF_INET, SOCK_STREAM)
sock.connect((GATEWAY_HOST, GATEWAY_PORT))
connection = TLSConnection(sock)
connection.handshakeClientCert()
print '***connected***'
## Authentication message
msg = message_pb2.Container()
_SID = raw_input('YOUR SID> ')
msg.SID = _SID #'a'
msg.RID = ''
msg.STIME = 0
os.system('TITLE CLIENT %s' % _SID)
msgType = 0
msgType = setBit(msgType, 0) # Identity
if __name__ == '__main__':
if len(sys.argv) != 5:
print 'usage: ' + sys.argv[
0] + ' enable_metls server_ip server_port number_of_middleboxes'
else:
server_ip = sys.argv[2]
server_port = int(sys.argv[3])
number_of_middleboxes = int(sys.argv[4])
cipher_suite = 'aes256gcm'
curve_name = 'x25519'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server_ip, server_port))
# now use sock to establish TLS 1.3 connection with the remote server
connection = TLSConnection(sock)
settings = HandshakeSettings()
settings.cipherNames = [cipher_suite]
settings.eccCurves = list([curve_name])
settings.defaultCurve = curve_name
settings.keyShares = [curve_name]
settings.enable_metls = (int(sys.argv[1]) == 1)
settings.print_debug_info = False
settings.calculate_ibe_keys = False
settings.csibekey = bytearray(32)
settings.c_to_s_mb_list = []
settings.s_to_c_mb_list = []
# client introduce server to client middleboxes
for i in range(number_of_middleboxes):