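def test_tls_session_resumption(tmpdir, sf1, sf2, sf3):
    """Attempt TLS session resumption against the same kresd instance and a different one.

    A first connection to one kresd instance yields a session carrying a
    ticket; that session is then offered to the same instance and to a second,
    separately started instance.  Every connection must report
    ``session_reused`` exactly when a session was offered, so a fresh handshake
    must never look like a resumption and vice versa.
    """
    # TODO ensure that session can't be resumed after session ticket key regeneration
    # at the first kresd instance

    def connect(kresd, ctx, sf, session=None):
        """Open one TLS connection to *kresd* and return the negotiated session.

        ``session`` is the ssl.SSLSession to offer for resumption, or None for
        a full handshake.  Asserts that the resulting session has a ticket and
        that the server reused a session iff one was offered.  The socket is
        closed even when an assertion fails so it doesn't leak into later tests.
        """
        sock, dest = kresd.stream_socket(sf, tls=True)
        ssock = ctx.wrap_socket(sock, server_hostname='transport-test-server.com',
                                session=session)
        try:
            ssock.connect(dest)
            new_session = ssock.session
            assert new_session.has_ticket
            assert ssock.session_reused == (session is not None)
            utils.ping_alive(ssock)
        finally:
            ssock.close()
        return new_session

    workdir = os.path.join(str(tmpdir), 'kresd')
    os.makedirs(workdir)
    with make_kresd(workdir, 'tt') as kresd:
        # verification is enabled against the instance's own certificate
        ctx = utils.make_ssl_context(verify_location=kresd.tls_cert_path)
        session = connect(kresd, ctx, sf1)  # initial conn
        connect(kresd, ctx, sf2, session)  # resume session on the same instance

        workdir2 = os.path.join(str(tmpdir), 'kresd2')
        os.makedirs(workdir2)
        # NOTE(review): resumption on a second instance can only succeed if both
        # instances accept the same ticket key — presumably part of the 'tt'
        # config handed to make_kresd; confirm there.
        with make_kresd(workdir2, 'tt') as kresd2:
            connect(kresd2, ctx, sf3, session)  # resume session on a different instance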
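def test_rehandshake(tmpdir):
    """Check that kresd keeps its TLS forward connection across a rehandshake.

    Topology: test kresd --(tls)--> REHANDSHAKE_PROXY --> forward target kresd.
    The proxy is presumably what initiates the rehandshakes (its behaviour is
    not visible here — confirm against REHANDSHAKE_PROXY).  After a few
    queries the test instance's log must show at least one started
    rehandshake and no new "connecting to" line, i.e. the existing connection
    was kept rather than re-established.
    """

    def resolve_hint(sock, qname):
        """Send one query for *qname* over *sock* and check it answers 127.0.0.1."""
        buff, msgid = utils.get_msgbuff(qname)
        sock.sendall(buff)
        answer = utils.receive_parse_answer(sock)
        assert answer.id == msgid
        assert answer.rcode() == dns.rcode.NOERROR
        assert answer.answer[0][0].address == '127.0.0.1'

    def count_log_events(partial_log):
        """Return (n_connecting_to, n_rehandshake) counted over *partial_log* lines."""
        rehandshake_re = re.compile(r"TLS rehandshake .* has started")
        n_connecting_to = 0
        n_rehandshake = 0
        for line in partial_log.splitlines():
            if "connecting to: " in line:
                n_connecting_to += 1
            elif rehandshake_re.search(line) is not None:
                n_rehandshake += 1
        return n_connecting_to, n_rehandshake

    hints = {
        '0.foo.': '127.0.0.1',
        '1.foo.': '127.0.0.1',
        '2.foo.': '127.0.0.1',
        '3.foo.': '127.0.0.1',
    }

    # run forward target instance
    workdir = os.path.join(str(tmpdir), 'kresd_fwd_target')
    os.makedirs(workdir)
    with make_kresd(workdir, hints=hints, port=53910) as kresd_fwd_target:
        # sanity-check the target directly before putting the proxy in between
        sock = kresd_fwd_target.ip_tls_socket()
        try:
            resolve_hint(sock, '0.foo.')
        finally:
            sock.close()

        # run proxy
        cwd, cmd = os.path.split(REHANDSHAKE_PROXY)
        cmd = './' + cmd
        ca_file = os.path.join(CERTS_DIR, 'tt.cert.pem')
        # Start the proxy before entering the try block: if Popen itself fails,
        # a finally that references `proxy` would otherwise raise NameError and
        # hide the real error.
        proxy = subprocess.Popen(
            [cmd], cwd=cwd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        try:
            # run test kresd instance
            workdir2 = os.path.join(str(tmpdir), 'kresd')
            os.makedirs(workdir2)
            # NOTE(review): port 53921 is presumably where the proxy listens and
            # 53910 (above) where it upstreams — confirm against REHANDSHAKE_PROXY
            forward = Forward(proto='tls', ip='127.0.0.1', port=53921,
                              hostname='transport-test-server.com', ca_file=ca_file)
            with make_kresd(workdir2, forward=forward) as kresd:
                sock2 = kresd.ip_tcp_socket()
                try:
                    for hint in hints:
                        resolve_hint(sock2, hint)
                        # presumably leaves the proxy time to trigger a
                        # rehandshake between queries — confirm
                        time.sleep(0.1)
                finally:
                    sock2.close()
                    # verify log (also on failure, so the log is printed for diagnosis)
                    partial_log = kresd.partial_log()
                    print(partial_log)
                    n_connecting_to, n_rehandshake = count_log_events(partial_log)
                    assert n_connecting_to == 0  # shouldn't be present in partial log
                    assert n_rehandshake > 0
        finally:
            proxy.terminate()
            # reap the child so it doesn't linger as a zombie; escalate if it
            # ignores SIGTERM
            try:
                proxy.wait(timeout=5)
            except subprocess.TimeoutExpired:
                proxy.kill()
                proxy.wait()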
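def kresd_tls_client(
        workdir: str,
        proxy: TLSProxy,
        kresd_tls_client_kwargs: Optional[Dict[Any, Any]] = None,
        kresd_fwd_target_kwargs: Optional[Dict[Any, Any]] = None) -> Kresd:
    """kresd_tls_client --(tls)--> tlsproxy --(tcp)--> kresd_fwd_target

    Generator: starts the forward target kresd under *workdir*, points
    *proxy* at it, enters the proxy, then starts and yields the client-side
    kresd configured to forward over TLS through the proxy.  Both kresd
    instances and the proxy are torn down when the generator is closed.
    (The ``-> Kresd`` annotation describes the yielded value, not the
    generator object itself.)

    Only loopback addresses are accepted for the proxy's local and upstream
    side; anything else is rejected up front.
    """
    ALLOWED_IPS = {'127.0.0.1', '::1'}
    assert proxy.local_ip in ALLOWED_IPS, "only localhost IPs supported for proxy"
    assert proxy.upstream_ip in ALLOWED_IPS, "only localhost IPs are supported for proxy"

    if kresd_tls_client_kwargs is None:
        kresd_tls_client_kwargs = dict()
    if kresd_fwd_target_kwargs is None:
        kresd_fwd_target_kwargs = dict()

    # run forward target instance
    dir1 = os.path.join(workdir, 'kresd_fwd_target')
    os.makedirs(dir1)
    with make_kresd(dir1, hints=HINTS, **kresd_fwd_target_kwargs) as kresd_fwd_target:
        # sanity-check the target with the first hint, then drop the socket —
        # it is not needed once the proxy is in place
        sock = kresd_fwd_target.ip_tcp_socket()
        try:
            resolve_hint(sock, next(iter(HINTS)))
        finally:
            sock.close()

        proxy.local_port = make_port('127.0.0.1', '::1')
        proxy.upstream_port = kresd_fwd_target.port
        with proxy:
            # run test kresd instance
            dir2 = os.path.join(workdir, 'kresd_tls_client')
            os.makedirs(dir2)
            # the client verifies the proxy against the proxy's own certificate
            forward = Forward(proto='tls', ip=proxy.local_ip, port=proxy.local_port,
                              hostname='transport-test-server.com', ca_file=proxy.cert_path)
            with make_kresd(dir2, forward=forward, **kresd_tls_client_kwargs) as kresd:
                yield kresd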
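def test_tls_session_resumption(tmpdir, sf1, sf2, sf3):
    """Attempt TLS session resumption against the same kresd instance and a different one.

    A first connection to one kresd instance yields a session carrying a
    ticket; that session is then offered to the same instance and to a second,
    separately started instance.  Every connection must report
    ``session_reused`` exactly when a session was offered, so a fresh handshake
    must never look like a resumption and vice versa.
    """
    # TODO ensure that session can't be resumed after session ticket key regeneration
    # at the first kresd instance

    # NOTE TLS 1.3 is intentionally disabled for session resumption tests,
    # because python's SSLSocket.session isn't compatible with TLS 1.3
    # https://docs.python.org/3/library/ssl.html?highlight=ssl%20ticket#tls-1-3

    def connect(kresd, ctx, sf, session=None):
        """Open one TLS connection to *kresd* and return the negotiated session.

        ``session`` is the ssl.SSLSession to offer for resumption, or None for
        a full handshake.  Asserts that the resulting session has a ticket and
        that the server reused a session iff one was offered.  The socket is
        closed even when an assertion fails so it doesn't leak into later tests.
        """
        sock, dest = kresd.stream_socket(sf, tls=True)
        ssock = ctx.wrap_socket(sock, server_hostname='transport-test-server.com',
                                session=session)
        try:
            ssock.connect(dest)
            new_session = ssock.session
            assert new_session.has_ticket
            assert ssock.session_reused == (session is not None)
            utils.ping_alive(ssock)
        finally:
            ssock.close()
        return new_session

    workdir = os.path.join(str(tmpdir), 'kresd')
    os.makedirs(workdir)
    with make_kresd(workdir, 'tt') as kresd:
        # verification is enabled against the instance's own certificate
        ctx = utils.make_ssl_context(verify_location=kresd.tls_cert_path,
                                     extra_options=[ssl.OP_NO_TLSv1_3])
        session = connect(kresd, ctx, sf1)  # initial conn
        connect(kresd, ctx, sf2, session)  # resume session on the same instance

        workdir2 = os.path.join(str(tmpdir), 'kresd2')
        os.makedirs(workdir2)
        # NOTE(review): resumption on a second instance can only succeed if both
        # instances accept the same ticket key — presumably part of the 'tt'
        # config handed to make_kresd; confirm there.
        with make_kresd(workdir2, 'tt') as kresd2:
            connect(kresd2, ctx, sf3, session)  # resume session on a different instance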
def kresd(tmpdir):
    """Yield a kresd instance started with default options under *tmpdir*.

    The instance is torn down by ``make_kresd`` when the generator is closed.
    """
    with make_kresd(tmpdir) as instance:
        yield instance
def kresd_tt(tmpdir):
    """Yield a kresd instance started with the 'tt' configuration under *tmpdir*.

    The instance is torn down by ``make_kresd`` when the generator is closed.
    """
    with make_kresd(tmpdir, 'tt') as instance:
        yield instance
def kresd_silent(tmpdir):
    """Yield a kresd instance started with ``verbose=False`` under *tmpdir*.

    The instance is torn down by ``make_kresd`` when the generator is closed.
    """
    with make_kresd(tmpdir, verbose=False) as instance:
        yield instance