def handleArgs(argv, argString, flagsList=[]):
# Convert to getopt argstring format:
# Add ":" after each arg, ie "abc" -> "a:b:c:"
getOptArgString = ":".join(argString) + ":"
try:
opts, argv = getopt.getopt(argv, getOptArgString, flagsList)
except getopt.GetoptError as e:
printError(e)
# Default values if arg not present
privateKey = None
certChain = None
username = None
password = None
tack = None
breakSigs = None
verifierDB = None
reqCert = False
directory = None
for opt, arg in opts:
if opt == "-k":
s = open(arg, "rb").read()
privateKey = parsePEMKey(s, private=True)
elif opt == "-c":
s = open(arg, "rb").read()
x509 = X509()
x509.parse(s)
certChain = X509CertChain([x509])
elif opt == "-u":
username = arg
elif opt == "-p":
password = arg
elif opt == "-t":
if tackpyLoaded:
s = open(arg, "rU").read()
tack = TACK()
tack.parsePem(s)
elif opt == "-b":
if tackpyLoaded:
s = open(arg, "rU").read()
breakSigs = TACK_Break_Sig.parsePemList(s)
elif opt == "-v":
verifierDB = VerifierDB(arg)
verifierDB.open()
elif opt == "-d":
directory = arg
elif opt == "--reqcert":
reqCert = True
else:
assert(False)
if not argv:
printError("Missing address")
if len(argv)>1:
printError("Too many arguments")
#Split address into hostname/port tuple
address = argv[0]
address = address.split(":")
if len(address) != 2:
raise SyntaxError("Must specify <host>:<port>")
address = ( address[0], int(address[1]) )
# Populate the return list
retList = [address]
if "k" in argString:
retList.append(privateKey)
if "c" in argString:
retList.append(certChain)
if "u" in argString:
retList.append(username)
if "p" in argString:
retList.append(password)
if "t" in argString:
retList.append(tack)
if "b" in argString:
retList.append(breakSigs)
if "v" in argString:
retList.append(verifierDB)
if "d" in argString:
retList.append(directory)
if "reqcert" in flagsList:
retList.append(reqCert)
return retList
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
# TACK1 and TACK2 are both "good" TACKs, one targetting, the key,
# one the hash
tack1 = TACK()
tack1.parsePem(open("./TACK1.pem", "rU").read())
tack2 = TACK()
tack2.parsePem(open("./TACK2.pem", "rU").read())
tackUnrelated = TACK()
tackUnrelated.parsePem(open("./TACKunrelated.pem", "rU").read())
breakSigs = TACK_Break_Sig.parsePemList(
open("./TACK_Break_Sigs.pem").read())
breakSigsActual = TACK_Break_Sig.parsePemList(
open("./TACK_Break_Sigs_TACK1.pem").read())
print "Test 2.a - good X.509, good TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack1, breakSigs=breakSigs)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, \"wrong\" TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack1)
connection.close()
print "Test 2.c - good X.509, \"wrong\" TACK but break signature (hardTack)"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack2, breakSigs=breakSigsActual)
print "Test 2.d - good X.509, \"wrong\" TACK but break signature (not hardTack)"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack2, breakSigs=breakSigsActual)
testConnServer(connection)
connection.close()
print "Test 2.e - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tackUnrelated)
except TLSRemoteAlert as alert:
assert(alert.description == AlertDescription.handshake_failure)
print "Test 2.f - good X.509, no TACK but expected"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
print "Test 3 - good SRP"
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print "Test 4 - SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB)
assert()
except:
pass
connection.close()
print "Test 6 - good SRP: with X.509 cert"
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print "Test 7 - X.509 with SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print "Test 11 - X.509 faults"
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print "Test 14 - good mutual X.509"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 14a - good mutual X.509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 15 - mutual X.509 faults"
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
assert()
except:
pass
connection.close()
print "Test 18 - good SRP, prepare to resume"
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
testConnServer(connection)
connection.close()
print "Test 19 - resumption"
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
testConnServer(connection)
#Don't close! -- see next test
print "Test 20 - invalidated resumption"
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError, e:
pass
