def TestCrypt(data): mycertobj = X509.X509() mycertobj.parse(MYCERT) Fingerprint = mycertobj.getFingerprint() mypublickey = mycertobj.publicKey myprivatekey = tlslite.utils.keyfactory.parsePEMKey(MYKEY, private=True) mypublicXMLkeyString = myprivatekey.writeXMLPublicKey() data2 = '2010-02-02 21:15:00' logging.info('%s: %s' % ('data', data)) logging.info('%s: %s' % ('time.time', time.time())) myhashAndSign = myprivatekey.hashAndSign( tlslite.utils.compat.stringToBytes('%s%s' % (data2, MYSECRET))) logging.info('%s: %s' % ('myhashAndSign', tlslite.utils.cryptomath.bytesToBase64(myhashAndSign))) verify = mypublickey.hashAndVerify(myhashAndSign, '%s%s' % (data2, MYSECRET)) if verify: logging.info('%s: %s' % ('verify', 'TRUE')) else: logging.info('%s: %s' % ('verify', 'FALSE')) mycrypt = mypublickey.encrypt(tlslite.utils.compat.stringToBytes(data)) mydecrypt = myprivatekey.decrypt(mycrypt) logging.info('%s: %s' % ('mydecrypt', mydecrypt.tostring()))
def __init__(self, cert_fname, pkey_fname, pkey_password, peer_cert_fname): # Read our own cert s = open(cert_fname).read() x509 = X509() x509.parse(s) self.cert = X509CertChain([x509]) # Read our own primary key s = open(pkey_fname).read() self.pkey = parsePEMKey(s, private=True, passwordCallback=lambda: pkey_password) # Read our peer's cert s = open(peer_cert_fname).read() x509 = X509() x509.parse(s) cert = X509CertChain([x509]) self.checker = Checker(cert.getFingerprint())
def AuthRest(http_timestamp, http_signed): #logging.info('%s: %s' % ('http_timestamp', http_timestamp)) #logging.info('%s: %s' % ('http_signed', http_signed)) dif = abs(float(http_timestamp) - time.time()) logging.info('%s: %s' % ('dif', dif)) if dif > 120: return False mycertobj = X509.X509() mycertobj.parse(MYCERT) mypublickey = mycertobj.publicKey verify = mypublickey.hashAndVerify( tlslite.utils.cryptomath.base64ToBytes(http_signed), tlslite.utils.compat.stringToBytes('%s%s' % (http_timestamp, MYSECRET))) if verify: logging.info('%s: %s' % ('verify', 'TRUE')) return True else: logging.info('%s: %s' % ('verify', 'FALSE')) return False
def _getFingerprint(fname): s = open(fname).read() x509 = X509() x509.parse(s) cert = X509CertChain([x509]) return cert.getFingerprint()
def clientTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) def connect(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if hasattr(sock, 'settimeout'): #It's a python 2.3 feature sock.settimeout(5) sock.connect(address) c = TLSConnection(sock) return c test = 0 badFault = False print("Test 0 - anonymous handshake") connection = connect() connection.handshakeClientAnonymous() testConnClient(connection) connection.close() print("Test 1 - good X509 (plus SNI)") connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) connection.close() print("Test 1.a - good X509, SSLv3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 1.b - good X509, RC4-MD5") connection = connect() settings = HandshakeSettings() settings.macNames = ["md5"] connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5) connection.close() if tackpyLoaded: settings = HandshakeSettings() settings.useExperimentalTackExtension = True print("Test 2.a - good X.509, TACK") connection = connect() connection.handshakeClientCert(settings=settings) assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3") assert(connection.session.tackExt.activation_flags == 1) testConnClient(connection) connection.close() print("Test 2.b - good X.509, TACK unrelated to cert chain") connection = connect() try: connection.handshakeClientCert(settings=settings) assert(False) except TLSLocalAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise connection.close() print("Test 3 - good SRP") connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() print("Test 4 - SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 6 - good SRP: with X.509 certificate, TLSv1.0") settings = HandshakeSettings() settings.minVersion = (3,1) settings.maxVersion = (3,1) connection = connect() connection.handshakeClientSRP("test", "password", settings=settings) assert(isinstance(connection.session.serverCertChain, X509CertChain)) testConnClient(connection) connection.close() print("Test 7 - X.509 with SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 11 - X.509 faults") for fault in Fault.clientNoAuthFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientCert() print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 14 - good mutual X509") x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "clientX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) connection = connect() connection.handshakeClientCert(x509Chain, x509Key) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 14.a - good mutual X509, SSLv3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 15 - mutual X.509 faults") for fault in Fault.clientCertFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientCert(x509Chain, x509Key) print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 18 - good SRP, prepare to resume... (plus SNI)") connection = connect() connection.handshakeClientSRP("test", "password", serverName=address[0]) testConnClient(connection) connection.close() session = connection.session print("Test 19 - resumption (plus SNI)") connection = connect() connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) testConnClient(connection) #Don't close! -- see below print("Test 20 - invalidated resumption (plus SNI)") connection.sock.close() #Close the socket without a close_notify! connection = connect() try: connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() print("Test 21 - HTTPS test X.509") address = address[0], address[1]+1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: time.sleep(2) htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8") fingerprint = None for y in range(2): checker =Checker(x509Fingerprint=fingerprint) h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): h.request("GET", "/index.html") r = h.getresponse() assert(r.status == 200) b = bytearray(r.read()) assert(b == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert(fingerprint) time.sleep(2) break except timeoutEx: print("timeout, retrying...") pass address = address[0], address[1]+1 implementations = [] if m2cryptoLoaded: implementations.append("openssl") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") print("Test 22 - different ciphers, TLSv1.0") for implementation in implementations: for cipher in ["aes128", "aes256", "rc4"]: print("Test 22:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] settings.minVersion = (3,1) settings.maxVersion = (3,1) connection.handshakeClientCert(settings=settings) testConnClient(connection) print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation())) connection.close() print("Test 23 - throughput test") for implementation in implementations: for cipher in ["aes128", "aes256", "3des", "rc4"]: if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue print("Test 23:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeClientCert(settings=settings) print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ') startTime = time.clock() connection.write(b"hello"*10000) h = connection.read(min=50000, max=50000) stopTime = time.clock() if stopTime-startTime: print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime))) else: print("100K exchanged very fast") assert(h == b"hello"*10000) connection.close() print("Test 24.a - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.b - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.c - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.d - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.e - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/3') connection.close() print("Test 24.f - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.g - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print('Test 25 - good standard XMLRPC https client') time.sleep(2) # Hack for lack of ability to set timeout here address = address[0], address[1]+1 server = xmlrpclib.Server('https://%s:%s' % address) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print('Test 26 - good tlslite XMLRPC client') transport = XMLRPCTransport(ignoreAbruptClose=True) server = xmlrpclib.Server('https://%s:%s' % address, transport) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print('Test 27 - good XMLRPC ignored protocol') server = xmlrpclib.Server('http://%s:%s' % address, transport) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print("Test 28 - Internet servers test") try: i = IMAP4_TLS("cyrus.andrew.cmu.edu") i.login("anonymous", "*****@*****.**") i.logout() print("Test 28: IMAP4 good") p = POP3_TLS("pop.gmail.com") p.quit() print("Test 29: POP3 good") except socket.error as e: print("Non-critical error: socket error trying to reach internet server: ", e) if not badFault: print("Test succeeded") else: print("Test failed")
def serverTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) #Connect to server lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) lsock.bind(address) lsock.listen(5) def connect(): return TLSConnection(lsock.accept()[0]) x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "serverX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) print("Test 0 - Anonymous server handshake") connection = connect() connection.handshakeServer(anon=True) testConnServer(connection) connection.close() print("Test 1 - good X.509") connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) assert(connection.session.serverName == address[0]) testConnServer(connection) connection.close() print("Test 1.a - good X.509, SSL v3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) testConnServer(connection) connection.close() print("Test 1.b - good X.509, RC4-MD5") connection = connect() settings = HandshakeSettings() settings.macNames = ["sha", "md5"] settings.cipherNames = ["rc4"] connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) testConnServer(connection) connection.close() if tackpyLoaded: tack = Tack.createFromPem(open("./TACK1.pem", "rU").read()) tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read()) settings = HandshakeSettings() settings.useExperimentalTackExtension = True print("Test 2.a - good X.509, TACK") connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tacks=[tack], activationFlags=1, settings=settings) testConnServer(connection) connection.close() print("Test 2.b - good X.509, TACK unrelated to cert chain") connection = connect() try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tacks=[tackUnrelated], settings=settings) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise print("Test 3 - good SRP") verifierDB = VerifierDB() verifierDB.create() entry = VerifierDB.makeVerifier("test", "password", 1536) verifierDB["test"] = entry connection = connect() connection.handshakeServer(verifierDB=verifierDB) testConnServer(connection) connection.close() print("Test 4 - SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(verifierDB=verifierDB) assert() except: pass connection.close() print("Test 6 - good SRP: with X.509 cert") connection = connect() connection.handshakeServer(verifierDB=verifierDB, \ certChain=x509Chain, privateKey=x509Key) testConnServer(connection) connection.close() print("Test 7 - X.509 with SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(verifierDB=verifierDB, \ certChain=x509Chain, privateKey=x509Key) assert() except: pass connection.close() print("Test 11 - X.509 faults") for fault in Fault.clientNoAuthFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) assert() except: pass connection.close() print("Test 14 - good mutual X.509") connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True) testConnServer(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 14a - good mutual X.509, SSLv3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings) testConnServer(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 15 - mutual X.509 faults") for fault in Fault.clientCertFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True) assert() except: pass connection.close() print("Test 18 - good SRP, prepare to resume") sessionCache = SessionCache() connection = connect() connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) assert(connection.session.serverName == address[0]) testConnServer(connection) connection.close() print("Test 19 - resumption") connection = connect() connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) assert(connection.session.serverName == address[0]) testConnServer(connection) #Don't close! -- see next test print("Test 20 - invalidated resumption") try: connection.read(min=1, max=1) assert() #Client is going to close the socket without a close_notify except TLSAbruptCloseError as e: pass connection = connect() try: connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) except TLSLocalAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() print("Test 21 - HTTPS test X.509") #Close the current listening socket lsock.close() #Create and run an HTTP Server using TLSSocketServerMixIn class MyHTTPServer(TLSSocketServerMixIn, HTTPServer): def handshake(self, tlsConnection): tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key) return True cd = os.getcwd() os.chdir(dir) address = address[0], address[1]+1 httpd = MyHTTPServer(address, SimpleHTTPRequestHandler) for x in range(6): httpd.handle_request() httpd.server_close() cd = os.chdir(cd) #Re-connect the listening socket lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) address = address[0], address[1]+1 lsock.bind(address) lsock.listen(5) implementations = [] if m2cryptoLoaded: implementations.append("openssl") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") print("Test 22 - different ciphers") for implementation in ["python"] * len(implementations): for cipher in ["aes128", "aes256", "rc4"]: print("Test 22:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) print(connection.getCipherName(), connection.getCipherImplementation()) testConnServer(connection) connection.close() print("Test 23 - throughput test") for implementation in implementations: for cipher in ["aes128", "aes256", "3des", "rc4"]: if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue print("Test 23:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) print(connection.getCipherName(), connection.getCipherImplementation()) h = connection.read(min=50000, max=50000) assert(h == b"hello"*10000) connection.write(h) connection.close() print("Test 24.a - Next-Protocol Server Negotiation") connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"http/1.1"]) testConnServer(connection) connection.close() print("Test 24.b - Next-Protocol Server Negotiation") connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"spdy/2", b"http/1.1"]) testConnServer(connection) connection.close() print("Test 24.c - Next-Protocol Server Negotiation") connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"http/1.1", b"spdy/2"]) testConnServer(connection) connection.close() print("Test 24.d - Next-Protocol Server Negotiation") connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"spdy/2", b"http/1.1"]) testConnServer(connection) connection.close() print("Test 24.e - Next-Protocol Server Negotiation") connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"]) testConnServer(connection) connection.close() print("Test 24.f - Next-Protocol Server Negotiation") connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"spdy/3", b"spdy/2"]) testConnServer(connection) connection.close() print("Test 24.g - Next-Protocol Server Negotiation") connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[]) testConnServer(connection) connection.close() print("Tests 25-27 - XMLRPXC server") address = address[0], address[1]+1 class Server(TLSXMLRPCServer): def handshake(self, tlsConnection): try: tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key, sessionCache=sessionCache) tlsConnection.ignoreAbruptClose = True return True except TLSError as error: print("Handshake failure:", str(error)) return False class MyFuncs: def pow(self, x, y): return pow(x, y) def add(self, x, y): return x + y server = Server(address) server.register_instance(MyFuncs()) #sa = server.socket.getsockname() #print "Serving HTTPS on", sa[0], "port", sa[1] for i in range(6): server.handle_request() print("Test succeeded")
def serverTestCmd(argv): address = argv[0] dir = argv[1] datasize = argv[2] #Split address into hostname/port tuple address = address.split(":") address = (address[0], int(address[1])) #Create synchronisation FIFO synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) synchroSocket.bind((address[0], address[1] - 1)) synchroSocket.listen(2) #Connect to server lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) lsock.bind(address) lsock.listen(5) # following is blocking until the other side doesn't open synchro = synchroSocket.accept()[0] def connect(): return TLSConnection(lsock.accept()[0]) x509Cert = X509().parse( open(os.path.join(dir, "serverX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "serverX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) test_no = 0 for cipher in [ "aes128gcm", "aes128", "aes256", "rc4", "chacha20-poly1305", "speck128", "speck128gcm", "speck192gcm" ]: test_no += 1 print("Test {0}:".format(test_no), end=' ') synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = ["python"] connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) print(connection.getCipherName(), connection.getCipherImplementation()) if datasize == "3MB": h = connection.read(min=1500000, max=1500000) elif datasize == "2MB": h = connection.read(min=1000000, max=1000000) elif datasize == "1MB": h = connection.read(min=500000, max=500000) elif datasize == "500k": h = connection.read(min=250000, max=250000) elif datasize == "100k": h = connection.read(min=50000, max=50000) elif datasize == "2k": h = connection.read(min=1000, max=1000) else: print("Datasize not supported or syntax error! Exiting...") exit(1) connection.write(h) connection.close() synchro.close() synchroSocket.close() print("Test succeeded")
super().__init__(sock) self._recordLayer = MyRecordLayer(sock, data) # recv first packet data = conn.recv(BUFFER_SIZE) hexdump(data) isTLS = "" isRunning = True if data.startswith(b"\x16\x03"): print(">> Detect ssl request") # ssl context x509 = X509() x509.parse(open(CERT).read()) certChain = X509CertChain([x509]) privateKey = parsePEMKey(open(KEY).read(), private=True) # wrap it with modified class connection = MyTLSConnection(conn, data) # resume the handshake try: connection.handshakeServer(certChain=certChain, privateKey=privateKey, reqCert=True) except: print(">> Failed to switch ssl") else:
def send_eap_tls_client_key(self): """ Generate Client_Certificate, Client_KeyExchange, Client_CertificateVerify, Client_ChangeCipherSpec & FINISHED Message and send it to the server """ if self.state != "TLS HANDSHAKE 1": print("Wrong Connection State for Client_Key Message: {0} - should be 'TLS HANDSHAKE 1'".format(self.state)) return 1 #May have to move this to the _init_ field packet_head = Dot11(addr1=self.bssid ,addr2=self.sta_mac ,addr3=self.bssid ,type=2 ,subtype=8 , FCfield="to-DS" )/ Dot11QoS('\x00\x00')/LLC(dsap=0xaa,ssap=0xaa,ctrl=3)/ SNAP(OUI=0x0, code=0x888e) / EAPOL(version=1,type=0) #---------------------------------------------------------------------------# x509_1 = X509() x509_1.parse(self.public_cert_file) x509_2 = X509() x509_2.parse(self.ca_certs_file) cert1 = x509_1.writeBytes() cert2 = x509_2.writeBytes() #Add 3 Bytes for every Certificate as Length-Field has to be included chainLength = len(cert1)+3+len(cert2)+3 cert1_len_hex = "{:06x}".format(len(cert1)) cert2_len_hex = "{:06x}".format(len(cert2)) cert1_len = binascii.unhexlify(cert1_len_hex) cert2_len = binascii.unhexlify(cert2_len_hex) client_certs = cert1_len + cert1 + cert2_len + cert2 #We use str() because client_certs is a byte-array client_cert_load = TLSCertificate(certslen=chainLength, certs=str(client_certs)) print("#########################################################") print("Generating CLIENT CERTIFICATE PAYLOAD") print("#########################################################") client_cert_load.show2() client_cert = TLS(type="handshake", version="TLS 1.0", iv="", msg=client_cert_load) print("#########################################################") print("Generating CLIENTCERTIFICATE") print("#########################################################") client_cert.show2() self.handshake_log = self.handshake_log / client_cert[TLSCertificate] print("#################################################################################################") #---------------------------------------------------------------------------# #Generating ClientKey curve = reg.get_curve("secp256r1") self.client_secret = random.getrandbits(256) client_pubKey = curve.g * self.client_secret #04 Prefix for "uncompressed" and "41" for length of pubKey as scapy cant parse it right pubKey_head = binascii.unhexlify("4104") #This one is for sending raw_full_client_pubKey = pubKey_head + long_to_bytes(client_pubKey.x) + long_to_bytes(client_pubKey.y) print("#########################################################") print("Generated following Coordinates:") print("X:") print(client_pubKey.x) print("Y:") print(client_pubKey.y) print("#########################################################") #Parsing ServerKey raw_full_server_pubKey = self.handshake_log[TLSServerKeyExchange].params.point #Remove "uncompressed" indicator full_server_pubKey = raw_full_server_pubKey[1:] #splitting the x and y coordinates server_key_x_raw = full_server_pubKey[0:32] server_key_y_raw = full_server_pubKey[32:64] server_key_x = bytes_to_long(server_key_x_raw) server_key_y = bytes_to_long(server_key_y_raw) server_parse = ec.Point(curve, server_key_x, server_key_y) print("#########################################################") print("Parsed following Server Coordinates:") print("X:") print(server_parse.x) print("Y:") print(server_parse.y) print("#########################################################") #Calculating the pre-master-secret (Returned as a long) long_premaster = (server_parse * self.client_secret).x self.premaster = long_to_bytes(long_premaster) #Generating ClientKeyExchange Layer print("#########################################################") print("Generating CLIENTKEYEXCHANGE Payload:") print("#########################################################") client_key_load = TLSClientKeyExchange(exchkeys=Raw(load=raw_full_client_pubKey)) client_key_load.show2() client_key = TLS(type="handshake", version="TLS 1.0", iv="", msg=client_key_load) print("#########################################################") print("Generating CLIENTKEYEXCHANGE") print("#########################################################") client_key.show2() self.handshake_log = self.handshake_log / client_key_load print("#################################################################################################") #---------------------------------------------------------------------------# #Generating CertificateVerify Layer #Hash-Value Calculation temp = hashlib.md5() temp.update(str(self.handshake_log)) m_string = temp.digest() temp = hashlib.sha1() temp.update(str(self.handshake_log)) s_string = temp.digest() concat_string = m_string + s_string concat_string_hex = binascii.hexlify(concat_string) #Padding Calculation head = "0001" bottom = "00" body = "" for i in range(0,434): body = body + "F" #Combining Hash & Padding concat_string_build = head + body + bottom + concat_string_hex concat_string_raw = binascii.unhexlify(concat_string_build) #Signing Message with M2Crypto using no_padding mode m2_key = RSA.load_key(self.private_key_file) signature_m2 = m2_key.private_encrypt(concat_string_raw, m2.no_padding) #Parsing the Certificate Verify Layer from Wireshark as Scapy has problems generating it certificate_verify_head = binascii.unhexlify("0f0001020100") #Works, as the signature has same length every time certificate_verify_load = TLSCertificateVerify(certificate_verify_head + signature_m2) certificate_verify = TLS(type="handshake", version="TLS 1.0", iv="", msg=certificate_verify_load) print("#########################################################") print("Generated CERTIFICATEVERIFY") print("#########################################################") certificate_verify.show2() #Used for FINISHED Message later self.handshake_log = self.handshake_log / certificate_verify[TLSCertificateVerify] print("#################################################################################################") #---------------------------------------------------------------------------# #Generate ChangeCipherSpec Message #IS NOT RELEVANT FOR FINISHED MESSAGE -> Therefore not saved to log cipher_spec_load = TLSChangeCipherSpec() cipher_spec = TLS(type="change_cipher_spec", version="TLS 1.0", iv="", msg=cipher_spec_load) print("#########################################################") print("Generated CHANGECIPHERSPEC") print("#########################################################") cipher_spec.show2() print("#################################################################################################") #---------------------------------------------------------------------------# #Via Scapy: gmt_unix_time + random_bytes = FULL Random_bytes parsed_time_client = "{0:02x}".format(self.handshake_log[TLSClientHello].gmt_unix_time).zfill(8) parsed_time_server = "{0:02x}".format(self.handshake_log[TLSServerHello].gmt_unix_time).zfill(8) client_random = binascii.unhexlify(parsed_time_client) + self.handshake_log[TLSClientHello].random_bytes server_random = binascii.unhexlify(parsed_time_server) + self.handshake_log[TLSServerHello].random_bytes print("#########################################################") print("Parsed following random_bytes:") print("Client Random:") print(binascii.hexlify(client_random)) print("Server Random:") print(binascii.hexlify(server_random)) #master bitaray with length 48 Bytes self.master = tlslite.mathtls.calcMasterSecret((3,1), None, self.premaster, client_random, server_random) print("#########################################################") print("Calculated Master-Secret:") print(binascii.hexlify(str(self.master))) print("#########################################################") #---------------------------------------------------------------------------# #Calculate FINISHED Message via tlslite #handshakeHash = MD5(handshake_messages) + SHA-1(handshake_messages) #No Padding like RSA Signatur PKCS! #Method expects handshakeHash as byteArray -> makes no difference here print("#################################################################################################") #Hash-Value Calculation exactly as in ClientVerify but now with ClientVerify appended to the log temp = hashlib.md5() temp.update(str(self.handshake_log)) m_string = temp.digest() temp = hashlib.sha1() temp.update(str(self.handshake_log)) s_string = temp.digest() handshakeHash = m_string + s_string #content of FINISHED-Message: verifyData = tlslite.mathtls.PRF(self.master, "client finished", handshakeHash, 12) #Creating Header for Handshake-Layer (NOT Record!): #14 -> ContentType 20 = FINISHED #00000C -> Length of Content = 12 Bytes = VerifyData.length header_hex = "1400000C" header = binascii.unhexlify(header_hex) finished_payload = header + verifyData #Generating Key-Material to calculate required Keys for Sending: #Required: client_write_MAC, client_write_key , client_write_IV #client_write_MAC with SHA-1 -> 20 Bytes #client_write_key with AES-256 -> 256 Bit -> 32 Bytes #client/server IV still uses 128 bit blocks, so 128-bit IV -> 16 Bytes #key_block = PRF(master_secret, "key expansion", server_random + client_random) #KEYLENGTH = 20 (MAC) + 20(Server MAC) + 32 (AES256) + 32 (AES256 Server) + 16 (IV) + 16 (Server IV) = 136 bytes #Order of Keys : client_write_MAC , server_write_MAC, client_write_key, server_write_key, client_write_IV, server_write_IV keys = tlslite.mathtls.PRF(self.master, "key expansion", server_random + client_random, 136) #20 Bytes per Key (SHA-1) client_mac_key = keys[0:20] server_mac_key = keys[20:40] #32 Bytes per Key (AES-256) client_write_key = keys[40:72] server_write_key = keys[72:104] #16 Bytes per Key (AES-CBC) client_write_iv = keys[104:120] server_write_iv = keys[120:136] print("#########################################################") print("Client_Mac_Key:") print(binascii.hexlify(str(client_mac_key))) print("Server_Mac_Key:") print(binascii.hexlify(str(server_mac_key))) print("Client_Write_Key:") print(binascii.hexlify(str(client_write_key))) print("Server_Write_Key:") print(binascii.hexlify(str(server_write_key))) print("Client_Write_IV:") print(binascii.hexlify(str(client_write_iv))) print("Server_Write_IV:") print(binascii.hexlify(str(server_write_iv))) print("#########################################################") #HMAC_SHA1(client_write_mac_key, seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length + TLSCompressed.fragment) #client_write_mac_key = get from master_secret #seq_num = 0 as 8 Bytes -> 0x0000000000000000 #TLSCompressed.type = 0x16 = 22 from Record-Layer #TLSCompressed.version = 0x0301 #TLSCompressed.length = length(header+verifyData) -> 0x0010 because we have 16 bytes #TLSCompressed.fragment = header+verifyData #label = seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length label = binascii.unhexlify("0000000000000000") + binascii.unhexlify("16") + binascii.unhexlify("0301") + binascii.unhexlify("0010") fin_mac = hmac.new(client_mac_key, label+finished_payload, hashlib.sha1).digest() #Padding: (We need 12 Bytes Padding, so 11-Bytes with Value '11' and one Padding-Length-Byte with Value '11') padding_hex = "" for i in range(0,11): padding_hex = padding_hex + "0B" #Adding the Padding-Length padding_hex = padding_hex + "0B" padding = binascii.unhexlify(padding_hex) #Encrypt the Layer: #USING IN THIS ORDER : finished_payload + fin_mac + padding encryptor = EVP.Cipher(alg="aes_256_cbc", key=client_write_key, iv=client_write_iv, op=1, padding=0) encrypted_payload = encryptor.update(finished_payload + fin_mac + padding) encrypted_payload += encryptor.final() #Generate TLS Record Layer: finished_head = binascii.unhexlify("1603010030") finished = finished_head + encrypted_payload print("#########################################################") print("Generated FINISHED") print("#########################################################") #---------------------------------------------------------------------------# #Construct the whole packet: packet_tls = str(client_cert) + str(client_key) + str(certificate_verify) + str(cipher_spec) + str(finished) #Fragment the packet: (In this Case - Fragments of the size of about 1266 Bytes) fragment1_payload = packet_tls[0:1266] fragment2_payload = packet_tls[1266:2532] fragment3_payload = packet_tls[2532:] #EAP Packet Head -> Remember ID regarding Fragmentation and "More Fragments"-Flag packet1 = packet_head / EAP_TLS(code="Response", id=(self.current_id - 1), type="EAP-TLS", L=1, M=1, S=0, reserved=0, tls_message_len=len(packet_tls) ,tls_data=fragment1_payload) packet1[Dot11].SC = 0x0090 packet2 = packet_head / EAP_TLS(code="Response", id=self.current_id , type="EAP-TLS", L=1, M=1, S=0, reserved=0, tls_message_len=len(packet_tls) ,tls_data=fragment2_payload) packet2[Dot11].SC = 0x00A0 self.current_id += 1 packet3 = packet_head / EAP_TLS(code="Response", id=self.current_id , type="EAP-TLS", L=1, M=0, S=0, reserved=0, tls_message_len=len(packet_tls) ,tls_data=fragment3_payload) packet3[Dot11].SC = 0x00B0 print("#########################################################") print("Generated 3 Fragments:") print("#########################################################") print("Fragment 1 :") packet1.show2() print("#########################################################") print("Fragment 2 :") packet2.show2() print("#########################################################") print("Fragment 3 :") packet3.show2() print("#########################################################") fragments = list() #First packet will be sent directly! fragments.append(packet2) fragments.append(packet3) #Send it away! result_queue = multiprocessing.Queue() send_process = multiprocessing.Process( target=self.mon_ifc.send_packet, args=(packet1,None, )) send_and_receive_process = multiprocessing.Process( target=self.mon_ifc.search_eap_tls_server_response, args=(result_queue, fragments,)) send_and_receive_process.start() time.sleep(.250) send_process.start() send_process.join() send_and_receive_process.join() if result_queue.get(): self.state = "TLS SUCCESS"
def serverTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = (address[0], int(address[1])) #Connect to server lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) lsock.bind(address) lsock.listen(5) def connect(): return TLSConnection(lsock.accept()[0]) print "Test 0 - Anonymous server handshake" connection = connect() connection.handshakeServer(anon=True) testConnServer(connection) connection.close() print "Test 1 - good X.509" x509Cert = X509().parse( open(os.path.join(dir, "serverX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "serverX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) assert (connection.session.serverName == address[0]) testConnServer(connection) connection.close() print "Test 1.a - good X.509, SSL v3" connection = connect() settings = HandshakeSettings() settings.minVersion = (3, 0) settings.maxVersion = (3, 0) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) testConnServer(connection) connection.close() if tackpyLoaded: tack = Tack.createFromPem(open("./TACK1.pem", "rU").read()) tackUnrelated = Tack.createFromPem( open("./TACKunrelated.pem", "rU").read()) settings = HandshakeSettings() settings.useExperimentalTackExtension = True print "Test 2.a - good X.509, TACK" connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tacks=[tack], activationFlags=1, settings=settings) testConnServer(connection) connection.close() print "Test 2.b - good X.509, TACK unrelated to cert chain" connection = connect() try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tacks=[tackUnrelated], settings=settings) assert (False) except TLSRemoteAlert, alert: if alert.description != AlertDescription.illegal_parameter: raise
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)) badFault = True print "Test 11 - X.509 faults" for fault in Fault.clientNoAuthFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientCert() print " Good Fault %s" % (Fault.faultNames[fault]) except TLSFaultError, e: print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)) badFault = True print "Test 14 - good mutual X509" x509Cert = X509().parse( open(os.path.join(dir, "clientX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "clientX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) connection = connect() connection.handshakeClientCert(x509Chain, x509Key) testConnClient(connection) assert (isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print "Test 14.a - good mutual X509, SSLv3" connection = connect() settings = HandshakeSettings() settings.minVersion = (3, 0) settings.maxVersion = (3, 0)
def clientTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) #open synchronisation FIFO synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM) synchro.settimeout(15) synchro.connect((address[0], address[1]-1)) def connect(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if hasattr(sock, 'settimeout'): #It's a python 2.3 feature sock.settimeout(15) sock.connect(address) c = TLSConnection(sock) return c test_no = 0 badFault = False print("Test {0} - anonymous handshake".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientAnonymous() testConnClient(connection) connection.close() test_no += 1 print("Test {0} - good X509 (plus SNI)".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites) assert(connection.encryptThenMAC == False) connection.close() test_no += 1 print("Test {0} - good X.509/w RSA-PSS cert".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites) assert(connection.encryptThenMAC == False) connection.close() test_no += 1 print("Test {0} - good X.509/w RSA-PSS sig".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites) assert(connection.encryptThenMAC == False) connection.close() test_no += 1 print("Test {0} - good X509, SSLv3".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good X509, RC4-MD5".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames = ["md5"] settings.cipherNames = ["rc4"] connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5) assert(connection.encryptThenMAC == False) connection.close() if tackpyLoaded: settings = HandshakeSettings() settings.useExperimentalTackExtension = True test_no += 1 print("Test {0} - good X.509, TACK".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(settings=settings) assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7") assert(connection.session.tackExt.activation_flags == 1) testConnClient(connection) connection.close() test_no += 1 print("Test {0} - good X.509, TACK unrelated to cert chain".\ format(test_no)) synchro.recv(1) connection = connect() try: connection.handshakeClientCert(settings=settings) assert(False) except TLSLocalAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise connection.close() else: test_no += 1 print("Test {0} - good X.509, TACK...skipped (no tackpy)".\ format(test_no)) test_no += 1 print("Test {0} - good X.509, TACK unrelated to cert chain...skipped" " (no tackpy)".\ format(test_no)) test_no += 1 print("Test {0} - good SRP (db)".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() test_no += 1 print("Test {0} - good SRP".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() test_no += 1 print("Test {0} - SRP faults".format(test_no)) for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - good SRP: with X.509 certificate, TLSv1.0".format(test_no)) settings = HandshakeSettings() settings.minVersion = (3,1) settings.maxVersion = (3,1) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password", settings=settings) assert(isinstance(connection.session.serverCertChain, X509CertChain)) testConnClient(connection) connection.close() test_no += 1 print("Test {0} - X.509 with SRP faults".format(test_no)) for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - X.509 faults".format(test_no)) for fault in Fault.clientNoAuthFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientCert() print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - good mutual X509".format(test_no)) x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "clientX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) synchro.recv(1) connection = connect() connection.handshakeClientCert(x509Chain, x509Key) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good mutual X509, TLSv1.1".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,2) settings.maxVersion = (3,2) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good mutual X509, SSLv3".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - mutual X.509 faults".format(test_no)) for fault in Fault.clientCertFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientCert(x509Chain, x509Key) print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - good SRP, prepare to resume... (plus SNI)".\ format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password", serverName=address[0]) testConnClient(connection) connection.close() session = connection.session test_no += 1 print("Test {0} - resumption (plus SNI)".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) testConnClient(connection) #Don't close! -- see below test_no += 1 print("Test {0} - invalidated resumption (plus SNI)".format(test_no)) synchro.recv(1) connection.sock.close() #Close the socket without a close_notify! synchro.recv(1) connection = connect() try: connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() test_no += 1 print("Test {0} - HTTPS test X.509".format(test_no)) address = address[0], address[1]+1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8") fingerprint = None for y in range(2): checker =Checker(x509Fingerprint=fingerprint) h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): synchro.recv(1) h.request("GET", "/index.html") r = h.getresponse() assert(r.status == 200) b = bytearray(r.read()) assert(b == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert(fingerprint) break except timeoutEx: print("timeout, retrying...") pass address = address[0], address[1]+1 implementations = [] if m2cryptoLoaded: implementations.append("openssl") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") test_no += 1 print("Test {0} - different ciphers, TLSv1.0".format(test_no)) for implementation in implementations: for cipher in ["aes128", "aes256", "rc4"]: test_no += 1 print("Test {0}:".format(test_no), end=' ') synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] settings.minVersion = (3,1) settings.maxVersion = (3,1) connection.handshakeClientCert(settings=settings) testConnClient(connection) print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation())) connection.close() test_no += 1 print("Test {0} - throughput test".format(test_no)) for implementation in implementations: for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des", "rc4", "chacha20-poly1305_draft00", "chacha20-poly1305"]: # skip tests with implementations that don't support them if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue if cipher in ("aes128gcm", "aes256gcm") and \ implementation not in ("pycrypto", "python"): continue if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \ and implementation not in ("python", ): continue test_no += 1 print("Test {0}:".format(test_no), end=' ') synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeClientCert(settings=settings) print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ') startTime = timeit.default_timer() connection.write(b"hello"*10000) h = connection.read(min=50000, max=50000) stopTime = timeit.default_timer() sizeofdata = len(h)*2 if stopTime-startTime: print("100K exchanged at rate of %d bytes/sec" % int(sizeofdata/(stopTime-startTime))) else: print("100K exchanged very fast") assert(h == b"hello"*10000) connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/3') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - FALLBACK_SCSV".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.sendFallbackSCSV = True connection.handshakeClientCert(settings=settings) testConnClient(connection) connection.close() test_no += 1 print("Test {0} - FALLBACK_SCSV".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.sendFallbackSCSV = True settings.maxVersion = (3, 2) try: connection.handshakeClientCert(settings=settings) assert() except TLSRemoteAlert as alert: if alert.description != AlertDescription.inappropriate_fallback: raise connection.close() test_no += 1 print("Test {0} - no EtM server side".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") assert(settings.useEncryptThenMAC) connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.encryptThenMAC) connection.close() test_no += 1 print("Test {0} - no EtM client side".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") settings.useEncryptThenMAC = False connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.encryptThenMAC) connection.close() test_no += 1 print("Test {0} - resumption with EtM".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.resumed) assert(connection.encryptThenMAC) connection.close() session = connection.session # resume synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0], session=session) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.resumed) assert(connection.encryptThenMAC) connection.close() test_no += 1 print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.resumed) assert(connection.encryptThenMAC) connection.close() session = connection.session # resume synchro.recv(1) settings = HandshakeSettings() settings.useEncryptThenMAC = False settings.macNames.remove("aead") connection = connect() try: connection.handshakeClientCert(serverName=address[0], session=session, settings=settings) except TLSRemoteAlert as e: assert(str(e) == "handshake_failure") else: raise AssertionError("No exception raised") connection.close() test_no += 1 print('Test {0} - good standard XMLRPC https client'.format(test_no)) address = address[0], address[1]+1 synchro.recv(1) try: # python 2.7.9 introduced certificate verification (context option) # python 3.4.2 doesn't have it though context = ssl.create_default_context(\ cafile=os.path.join(dir, "serverX509Cert.pem")) server = xmlrpclib.Server('https://%s:%s' % address, context=context) except (TypeError, AttributeError): server = xmlrpclib.Server('https://%s:%s' % address) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 test_no += 1 print('Test {0} - good tlslite XMLRPC client'.format(test_no)) transport = XMLRPCTransport(ignoreAbruptClose=True) server = xmlrpclib.Server('https://%s:%s' % address, transport) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 test_no += 1 print('Test {0} - good XMLRPC ignored protocol'.format(test_no)) server = xmlrpclib.Server('http://%s:%s' % address, transport) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 test_no += 1 print("Test {0} - Internet servers test".format(test_no)) try: i = IMAP4_TLS("cyrus.andrew.cmu.edu") i.login("anonymous", "*****@*****.**") i.logout() test_no += 1 print("Test {0}: IMAP4 good".format(test_no)) p = POP3_TLS("pop.gmail.com") p.quit() test_no += 1 print("Test {0}: POP3 good".format(test_no)) except (socket.error, socket.timeout) as e: print("Non-critical error: socket error trying to reach internet server: ", e) synchro.close() if not badFault: print("Test succeeded, {0} good".format(test_no)) else: print("Test failed")
def serverTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) #Create synchronisation FIFO synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) synchroSocket.bind((address[0], address[1]-1)) synchroSocket.listen(2) #Connect to server lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) lsock.bind(address) lsock.listen(5) # following is blocking until the other side doesn't open synchro = synchroSocket.accept()[0] def connect(): return TLSConnection(lsock.accept()[0]) x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "serverX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) with open(os.path.join(dir, "serverRSAPSSSigCert.pem")) as f: x509CertRSAPSSSig = X509().parse(f.read()) x509ChainRSAPSSSig = X509CertChain([x509CertRSAPSSSig]) with open(os.path.join(dir, "serverRSAPSSSigKey.pem")) as f: x509KeyRSAPSSSig = parsePEMKey(f.read(), private=True) with open(os.path.join(dir, "serverRSAPSSCert.pem")) as f: x509CertRSAPSS = X509().parse(f.read()) x509ChainRSAPSS = X509CertChain([x509CertRSAPSS]) assert x509CertRSAPSS.certAlg == "rsa-pss" with open(os.path.join(dir, "serverRSAPSSKey.pem")) as f: x509KeyRSAPSS = parsePEMKey(f.read(), private=True, implementations=["python"]) test_no = 0 print("Test {0} - Anonymous server handshake".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(anon=True) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - good X.509".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) assert(connection.session.serverName == address[0]) assert(connection.extendedMasterSecret) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - good X.509/w RSA-PSS sig".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509ChainRSAPSSSig, privateKey=x509KeyRSAPSSSig) assert(connection.session.serverName == address[0]) assert(connection.extendedMasterSecret) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - good X.509/w RSA-PSS cert".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509ChainRSAPSS, privateKey=x509KeyRSAPSS) assert(connection.session.serverName == address[0]) assert(connection.extendedMasterSecret) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - good X.509, SSL v3".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) assert(not connection.extendedMasterSecret) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - good X.509, RC4-MD5".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.macNames = ["sha", "md5"] settings.cipherNames = ["rc4"] connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) testConnServer(connection) connection.close() if tackpyLoaded: tack = Tack.createFromPem(open("./TACK1.pem", "rU").read()) tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read()) settings = HandshakeSettings() settings.useExperimentalTackExtension = True test_no += 1 print("Test {0} - good X.509, TACK".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tacks=[tack], activationFlags=1, settings=settings) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - good X.509, TACK unrelated to cert chain".\ format(test_no)) synchro.send(b'R') connection = connect() try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, tacks=[tackUnrelated], settings=settings) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise else: test_no += 1 print("Test {0} - good X.509, TACK...skipped (no tackpy)".\ format(test_no)) test_no += 1 print("Test {0} - good X.509, TACK unrelated to cert chain" "...skipped (no tackpy)".format(test_no)) test_no += 1 print("Test {0} - good SRP (db)".format(test_no)) try: (db_file, db_name) = mkstemp() os.close(db_file) # this is race'y but the interface dbm interface is stupid like that... os.remove(db_name) verifierDB = VerifierDB(db_name) verifierDB.create() entry = VerifierDB.makeVerifier("test", "password", 1536) verifierDB[b"test"] = entry synchro.send(b'R') connection = connect() connection.handshakeServer(verifierDB=verifierDB) testConnServer(connection) connection.close() finally: try: os.remove(db_name) except FileNotFoundError: # dbm module may create files with different names depending on # platform os.remove(db_name + ".dat") test_no += 1 print("Test {0} - good SRP".format(test_no)) verifierDB = VerifierDB() verifierDB.create() entry = VerifierDB.makeVerifier("test", "password", 1536) verifierDB[b"test"] = entry synchro.send(b'R') connection = connect() connection.handshakeServer(verifierDB=verifierDB) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - SRP faults".format(test_no)) for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.send(b'R') connection = connect() connection.fault = fault connection.handshakeServer(verifierDB=verifierDB) connection.close() test_no += 1 print("Test {0} - good SRP: with X.509 cert".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(verifierDB=verifierDB, \ certChain=x509Chain, privateKey=x509Key) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - X.509 with SRP faults".format(test_no)) for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.send(b'R') connection = connect() connection.fault = fault connection.handshakeServer(verifierDB=verifierDB, \ certChain=x509Chain, privateKey=x509Key) connection.close() test_no += 1 print("Test {0} - X.509 faults".format(test_no)) for fault in Fault.clientNoAuthFaults + Fault.genericFaults: synchro.send(b'R') connection = connect() connection.fault = fault connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) connection.close() test_no += 1 print("Test {0} - good mutual X.509".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True) testConnServer(connection) assert(isinstance(connection.session.clientCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good mutual X.509, TLSv1.1".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.minVersion = (3,2) settings.maxVersion = (3,2) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings) testConnServer(connection) assert(isinstance(connection.session.clientCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good mutual X.509, SSLv3".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings) testConnServer(connection) assert(isinstance(connection.session.clientCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - mutual X.509 faults".format(test_no)) for fault in Fault.clientCertFaults + Fault.genericFaults: synchro.send(b'R') connection = connect() connection.fault = fault connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True) connection.close() test_no += 1 print("Test {0} - good SRP, prepare to resume".format(test_no)) synchro.send(b'R') sessionCache = SessionCache() connection = connect() connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) assert(connection.session.serverName == address[0]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - resumption".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) assert(connection.session.serverName == address[0]) testConnServer(connection) #Don't close! -- see next test test_no += 1 print("Test {0} - invalidated resumption".format(test_no)) synchro.send(b'R') try: connection.read(min=1, max=1) assert() #Client is going to close the socket without a close_notify except TLSAbruptCloseError as e: pass synchro.send(b'R') connection = connect() try: connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache) except TLSLocalAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() test_no += 1 print("Test {0} - HTTPS test X.509".format(test_no)) #Close the current listening socket lsock.close() #Create and run an HTTP Server using TLSSocketServerMixIn class MyHTTPServer(TLSSocketServerMixIn, HTTPServer): def handshake(self, tlsConnection): tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key) return True def server_bind(self): self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) HTTPServer.server_bind(self) cd = os.getcwd() os.chdir(dir) address = address[0], address[1]+1 httpd = MyHTTPServer(address, SimpleHTTPRequestHandler) for x in range(6): synchro.send(b'R') httpd.handle_request() httpd.server_close() cd = os.chdir(cd) #Re-connect the listening socket lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) address = address[0], address[1]+1 lsock.bind(address) lsock.listen(5) implementations = [] if m2cryptoLoaded: implementations.append("openssl") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") test_no += 1 print("Test {0} - different ciphers".format(test_no)) for implementation in ["python"] * len(implementations): for cipher in ["aes128", "aes256", "rc4"]: test_no += 1 print("Test {0}:".format(test_no), end=' ') synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) print(connection.getCipherName(), connection.getCipherImplementation()) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - throughput test".format(test_no)) for implementation in implementations: for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des", "rc4", "chacha20-poly1305_draft00", "chacha20-poly1305"]: # skip tests with implementations that don't support them if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue if cipher in ("aes128gcm", "aes256gcm") and \ implementation not in ("pycrypto", "python"): continue if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \ and implementation not in ("python", ): continue test_no += 1 print("Test {0}:".format(test_no), end=' ') synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) print(connection.getCipherName(), connection.getCipherImplementation()) h = connection.read(min=50000, max=50000) assert(h == b"hello"*10000) connection.write(h) connection.close() test_no += 1 print("Test {0} - Next-Protocol Server Negotiation".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"http/1.1"]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - Next-Protocol Server Negotiation".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"spdy/2", b"http/1.1"]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - Next-Protocol Server Negotiation".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"http/1.1", b"spdy/2"]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - Next-Protocol Server Negotiation".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"spdy/2", b"http/1.1"]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - Next-Protocol Server Negotiation".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - Next-Protocol Server Negotiation".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[b"spdy/3", b"spdy/2"]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - Next-Protocol Server Negotiation".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings, nextProtos=[]) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - FALLBACK_SCSV".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - FALLBACK_SCSV".format(test_no)) synchro.send(b'R') connection = connect() try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) assert() except TLSLocalAlert as alert: if alert.description != AlertDescription.inappropriate_fallback: raise connection.close() test_no += 1 print("Test {0} - no EtM server side".format(test_no)) synchro.send(b'R') connection = connect() settings = HandshakeSettings() settings.useEncryptThenMAC = False connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - no EtM client side".format(test_no)) synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - resumption with EtM".format(test_no)) synchro.send(b'R') sessionCache = SessionCache() connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, sessionCache=sessionCache) testConnServer(connection) connection.close() # resume synchro.send(b'R') connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, sessionCache=sessionCache) testConnServer(connection) connection.close() test_no += 1 print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no)) synchro.send(b'R') sessionCache = SessionCache() connection = connect() connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, sessionCache=sessionCache) testConnServer(connection) connection.close() # resume synchro.send(b'R') connection = connect() try: connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, sessionCache=sessionCache) except TLSLocalAlert as e: assert(str(e) == "handshake_failure") else: raise AssertionError("no exception raised") connection.close() test_no += 1 print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2)) test_no += 2 address = address[0], address[1]+1 class Server(TLSXMLRPCServer): def handshake(self, tlsConnection): try: tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key, sessionCache=sessionCache) tlsConnection.ignoreAbruptClose = True return True except TLSError as error: print("Handshake failure:", str(error)) return False class MyFuncs: def pow(self, x, y): return pow(x, y) def add(self, x, y): return x + y server = Server(address) server.register_instance(MyFuncs()) synchro.send(b'R') #sa = server.socket.getsockname() #print "Serving HTTPS on", sa[0], "port", sa[1] for i in range(6): synchro.send(b'R') server.handle_request() synchro.close() synchroSocket.close() print("Test succeeded")