def __connect_tls_psk(self):
'''
Connect and establish a TLS-PSK connection on top of the connection.
'''
self.__connect_plain()
# wrap socket with TLS-PSK
client_socket = self.socket
identity = self.get_tls_psk_identity()
if isinstance(self.password, Password):
password = self.password.md5()
else:
raise ConnectionError(u'No password provides.')
self.logger.debug("identity = {}, password = {}".format(
identity, password))
try:
self.socket = sslpsk.wrap_socket(
client_socket,
psk=(password, identity),
ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH',
#ssl_version=ssl.PROTOCOL_TLSv1_2,
server_side=False)
except ssl.SSLError as e:
# raise ConnectionError(
# "failed to connect to host {}, port {}: {}".format(self.address, self.port, str(e)))
# Using a general raise keep more information about the type of error.
raise
return True
def __connect_tls_psk(self):
"""
Connect and establish a TLS-PSK connection on top of the connection.
"""
self.__connect_plain()
# wrap socket with TLS-PSK
client_socket = self.socket
identity = self.get_tls_psk_identity()
if isinstance(self.password, Password):
password = self.password.md5()
else:
raise bareos.exceptions.ConnectionError(u"No password provided.")
self.logger.debug("identity = {0}, password = {1}".format(
identity, password))
try:
self.socket = sslpsk.wrap_socket(
client_socket,
ssl_version=self.tls_version,
ciphers="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",
psk=(password, identity),
server_side=False,
)
except ssl.SSLError as e:
# raise ConnectionError(
# "failed to connect to host {0}, port {1}: {2}".format(self.address, self.port, str(e)))
# Using a general raise keep more information about the type of error.
raise
return True
def __connect_tls_psk(self):
'''
Connect and establish a TLS-PSK connection on top of the connection.
'''
self.__connect_plain()
# wrap socket with TLS-PSK
client_socket = self.socket
identity = self.get_tls_psk_identity()
if isinstance(self.password, Password):
password = self.password.md5()
else:
raise ConnectionError(u'No password provides.')
self.logger.debug("identity = {}, password = {}".format(identity, password))
try:
self.socket = sslpsk.wrap_socket(
client_socket,
psk=(password, identity),
ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH',
#ssl_version=ssl.PROTOCOL_TLSv1_2,
server_side=False)
except ssl.SSLError as e:
# raise ConnectionError(
# "failed to connect to host {}, port {}: {}".format(self.address, self.port, str(e)))
# Using a general raise keep more information about the type of error.
raise
return True
def secure_socket(sock,
shared_secret,
ciphers=default_ciphers,
ssl_version=default_ssl_version):
return sslpsk.wrap_socket(sock,
psk=(shared_secret, 'x'),
ciphers=ciphers,
ssl_version=ssl_version)
def new_client(self, s1):
try:
ssl_sock = sslpsk.wrap_socket(s1,
server_side = True,
ssl_version=ssl.PROTOCOL_TLSv1_2,
ciphers='PSK-AES128-CBC-SHA256',
psk=get_psk,
hint=self.hint)
s2 = client(self.host, self.port)
self.sessions.append((ssl_sock, s2))
except:
pass
def connect(self, *args, **kwargs):
# `sslpsk.wrap_socket` must be called *after* socket.connect,
# while the `ssl.wrap_socket` must be called *before* socket.connect.
self.__sock.connect(*args, **kwargs)
# `sslv3 alert bad record mac` exception means incorrect PSK
self.__sock = sslpsk.wrap_socket(
self.__sock,
# https://github.com/zabbix/zabbix/blob/f0a1ad397e5653238638cd1a65a25ff78c6809bb/src/libs/zbxcrypto/tls.c#L3231
ssl_version=ssl.PROTOCOL_TLSv1_2,
# https://github.com/zabbix/zabbix/blob/f0a1ad397e5653238638cd1a65a25ff78c6809bb/src/libs/zbxcrypto/tls.c#L3179
ciphers="PSK-AES128-CBC-SHA",
psk=(self.__psk, self.__identity),)
def new_client(self, s1):
try:
ssl_sock = sslpsk.wrap_socket(
s1,
server_side=True,
ssl_version=ssl.PROTOCOL_TLSv1_2,
ciphers='PSK-AES128-CBC-SHA256',
psk=lambda identity: gen_psk(identity, self.hint),
hint=self.hint)
s2 = client(self.host, self.port)
self.sessions.append((ssl_sock, s2))
except Exception as e:
print("could not establish sslpsk socket:", e)
def accept():
self.server_socket, _ = self.accept_socket.accept()
# wrap socket with TLS-PSK
self.server_psk_sock = sslpsk.wrap_socket(
self.server_socket,
psk=self.psk,
ciphers='PSK-AES256-CBC-SHA',
ssl_version=ssl.PROTOCOL_TLSv1,
server_side=True)
# accept data from client
data = self.server_psk_sock.recv(10)
self.server_psk_sock.sendall(data.upper())
def client(host, port, psk):
tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_socket.connect((host, port))
ssl_sock = sslpsk.wrap_socket(tcp_socket,
ssl_version=ssl.PROTOCOL_TLSv1,
ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH',
psk=lambda hint: (PSKS[hint], 'client1'))
ssl_sock.sendall("ping")
msg = ssl_sock.recv(4)
print 'Client received: %s' % (msg)
ssl_sock.shutdown(socket.SHUT_RDWR)
ssl_sock.close()
def testClient(self):
# initialize
self.client_socket.connect(self.addr)
# wrap socket with TLS-PSK
self.client_psk_sock = sslpsk.wrap_socket(
self.client_socket,
psk=self.psk,
ciphers='PSK-AES256-CBC-SHA',
ssl_version=ssl.PROTOCOL_TLSv1,
server_side=False)
self.client_psk_sock.sendall(TEST_DATA)
data = self.client_psk_sock.recv(10)
print('data: %s' % data)
self.assertTrue(data == TEST_DATA.upper(), 'Test Failed')
def new_client(self, s1):
try:
ssl_sock = sslpsk.wrap_socket(
s1,
server_side=True,
ssl_version=ssl.PROTOCOL_TLSv1_2,
ciphers='PSK-AES128-CBC-SHA256',
psk=lambda identity: gen_psk(identity, self.hint),
hint=self.hint)
s2 = client(self.host, self.port)
self.sessions.append((ssl_sock, s2))
except ssl.SSLError as e:
print("could not establish sslpsk socket:", e)
if "NO_SHARED_CIPHER" in e.reason or "WRONG_VERSION_NUMBER" in e.reason or "WRONG_SSL_VERSION" in e.reason:
print("don't panic this is probably just your phone!")
def server(host, port):
tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tcp_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
tcp_sock.bind((host, port))
tcp_sock.listen(1)
sock, _ = tcp_sock.accept()
ssl_sock = sslpsk.wrap_socket(sock,
server_side = True,
ssl_version=ssl.PROTOCOL_TLSv1,
ciphers='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH',
psk=lambda identity: PSKS[identity],
hint='server1')
msg = ssl_sock.recv(4)
print 'Server received: %s'%(msg)
ssl_sock.sendall("pong")
ssl_sock.shutdown(socket.SHUT_RDWR)
ssl_sock.close()
def bindToURI(self, URI):
with self.lock: # only 1 thread at a time can bind the URI
try:
self.URI = URI
# This are the statements that differ from Pyro/protocol.py
raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
_connect_socket(raw_sock, URI.address, URI.port, self.timeout)
sock = sslpsk.wrap_socket(
raw_sock, psk=Pyro.config.PYROPSK, server_side=False,
ciphers="PSK-AES256-CBC-SHA", # available in openssl 1.0.2
ssl_version=ssl.PROTOCOL_TLSv1)
# all the rest is the same as in Pyro/protocol.py
conn = TCPConnection(sock, sock.getpeername())
# receive the authentication challenge string, and use that to build the actual identification string.
try:
authChallenge = self.recvAuthChallenge(conn)
except ProtocolError as x:
# check if we were denied
if hasattr(x, "partialMsg") and x.partialMsg[:len(self.denyMSG)] == self.denyMSG:
raise ConnectionDeniedError(Pyro.constants.deniedReasons[int(x.partialMsg[-1])])
else:
raise
# reply with our ident token, generated from the ident passphrase and the challenge
msg = self._sendConnect(sock, self.newConnValidator.createAuthToken(self.ident, authChallenge, conn.addr, self.URI, None))
if msg == self.acceptMSG:
self.conn = conn
self.conn.connected = 1
Log.msg('PYROAdapter', 'connected to', str(URI))
if URI.protocol == 'PYROLOCPSK':
self.resolvePYROLOC_URI("PYROPSK") # updates self.URI
elif msg[:len(self.denyMSG)] == self.denyMSG:
try:
raise ConnectionDeniedError(Pyro.constants.deniedReasons[int(msg[-1])])
except (KeyError, ValueError):
raise ConnectionDeniedError('invalid response')
except socket.error:
Log.msg('PYROAdapter', 'connection failed to URI', str(URI))
raise ProtocolError('connection failed')
