def client_thread(client_sock,data,std):
#create a tls connection
connection = TLSConnection(client_sock)
#get certificate
s = open("C:/OpenSSL-Win64/bin/mywebsitename.crt").read()
x509 = X509()
x509.parse(s)
certChain = X509CertChain([x509])
#get key
s = open("C:/OpenSSL-Win64/bin/mywebsitename.key").read()
privateKey = parsePEMKey(s, private=True)
#handshake
connection.handshakeServer(certChain=certChain, privateKey=privateKey,reqCert=False)
#print message establishing the connection has been successfully made
print connection.session.serverCertChain
counter = 0
while counter < 50:
#collected data being sent in a list
counter += 1
test = connection.read()
data.append(json.loads(test))
print data[-1]
print 'you are here'
connection.close()
def __init__(self, certFile, fakeHost, host='127.0.0.1', port=4443):
HTTPServer.__init__(self, (host, port), HttpHandler)
self.host = host
self.port = port
self.url = 'https://' + host + '/'
self.fakeUrl = 'https://' + fakeHost + '/'
self.apk = None
self.result = None
with open(certFile) as f:
cert = f.read()
self.certChain = tlslite.X509CertChain()
self.certChain.parsePemList(cert)
self.privateKey = tlslite.parsePEMKey(cert, private=True)
def __init__(self, cert_fname, pkey_fname, pkey_password, peer_cert_fname):
# Read our own cert
s = open(cert_fname).read()
x509 = X509()
x509.parse(s)
self.cert = X509CertChain([x509])
# Read our own primary key
s = open(pkey_fname).read()
self.pkey = parsePEMKey(s,
private=True,
passwordCallback=lambda: pkey_password)
# Read our peer's cert
s = open(peer_cert_fname).read()
x509 = X509()
x509.parse(s)
cert = X509CertChain([x509])
self.checker = Checker(cert.getFingerprint())
def getAuthFromPEM(cls, certFilePath):
"""
Utility to read a .pem file and return the objects used by TLSConnection to authenticate the connection.
These objects are cached in memory.
@return: certChain, privateKey
@rtype: tuple (X509CertChain, RSAKey)
"""
if certFilePath not in cls._AUTH_CACHE:
with open(certFilePath) as f:
s = f.read()
x509 = X509()
x509.parse(s)
certChain = X509CertChain([x509])
privateKey = parsePEMKey(s, private=True)
cls._AUTH_CACHE[certFilePath] = (certChain, privateKey)
return cls._AUTH_CACHE[certFilePath]
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print "Test 2.a - good X.509, TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert, alert:
if alert.description != AlertDescription.illegal_parameter:
raise
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print("Test 0 - anonymous handshake")
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print("Test 1 - good X509 (plus SNI)")
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print("Test 1.a - good X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 1.b - good X509, RC4-MD5")
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print("Test 3 - good SRP")
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 14 - good mutual X509")
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.a - good mutual X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 18 - good SRP, prepare to resume... (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
print("Test 19 - resumption (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
print("Test 20 - invalidated resumption (plus SNI)")
connection.sock.close() #Close the socket without a close_notify!
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
time.sleep(2)
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
time.sleep(2)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers, TLSv1.0")
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = time.clock()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = time.clock()
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
print("Test 24.a - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.b - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.c - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.d - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.e - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
print("Test 24.f - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.g - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print('Test 25 - good standard XMLRPC https client')
time.sleep(2) # Hack for lack of ability to set timeout here
address = address[0], address[1]+1
server = xmlrpclib.Server('https://%s:%s' % address)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 26 - good tlslite XMLRPC client')
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 27 - good XMLRPC ignored protocol')
server = xmlrpclib.Server('http://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print("Test 28 - Internet servers test")
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
print("Test 28: IMAP4 good")
p = POP3_TLS("pop.gmail.com")
p.quit()
print("Test 29: POP3 good")
except socket.error as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
if not badFault:
print("Test succeeded")
else:
print("Test failed")
print "Test 11 - X.509 faults"
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print " Good Fault %s" % (Fault.faultNames[fault])
except TLSFaultError, e:
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))
badFault = True
print "Test 14 - good mutual X509"
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 14.a - good mutual X509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
test_no = 0
print("Test {0} - Anonymous server handshake".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, SSL v3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
assert(not connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, RC4-MD5".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain"
"...skipped (no tackpy)".format(test_no))
test_no += 1
print("Test {0} - good SRP".format(test_no))
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
try:
(db_file, db_name) = mkstemp()
os.close(db_file)
# this is race'y but the interface dbm interface is stupid like that...
os.remove(db_name)
verifierDB = VerifierDB(db_name)
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
finally:
os.remove(db_name)
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB)
connection.close()
test_no += 1
print("Test {0} - good SRP: with X.509 cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - good mutual X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, TLSv1.1".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, SSLv3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
connection.close()
test_no += 1
print("Test {0} - good SRP, prepare to resume".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
test_no += 1
print("Test {0} - invalidated resumption".format(test_no))
synchro.send(b'R')
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
def server_bind(self):
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HTTPServer.server_bind(self)
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
synchro.send(b'R')
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers".format(test_no))
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
except TLSLocalAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("no exception raised")
connection.close()
test_no += 1
print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2))
test_no += 2
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
synchro.send(b'R')
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
synchro.send(b'R')
server.handle_request()
synchro.close()
synchroSocket.close()
print("Test succeeded")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
print("Test 0 - Anonymous server handshake")
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print("Test 1 - good X.509")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 1.a - good X.509, SSL v3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
print("Test 1.b - good X.509, RC4-MD5")
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
print("Test 3 - good SRP")
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB)
assert()
except:
pass
connection.close()
print("Test 6 - good SRP: with X.509 cert")
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print("Test 14 - good mutual X.509")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14a - good mutual X.509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
assert()
except:
pass
connection.close()
print("Test 18 - good SRP, prepare to resume")
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 19 - resumption")
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
print("Test 20 - invalidated resumption")
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers")
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
print("Test 24.a - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.b - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.c - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.d - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.e - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
print("Test 24.f - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.g - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
print("Tests 25-27 - XMLRPXC server")
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
server.handle_request()
print("Test succeeded")
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#open synchronisation FIFO
synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchro.settimeout(5)
synchro.connect((address[0], address[1]-1))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print("Test 0 - anonymous handshake")
synchro.recv(1)
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print("Test 1 - good X509 (plus SNI)")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print("Test 1.a - good X509, SSLv3")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 1.b - good X509, RC4-MD5")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print("Test 3 - good SRP")
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 14 - good mutual X509")
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.a - good mutual X509, TLSv1.1")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.b - good mutual X509, SSLv3")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 18 - good SRP, prepare to resume... (plus SNI)")
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
print("Test 19 - resumption (plus SNI)")
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
print("Test 20 - invalidated resumption (plus SNI)")
synchro.recv(1)
connection.sock.close() #Close the socket without a close_notify!
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
synchro.recv(1)
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers, TLSv1.0")
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = time.clock()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = time.clock()
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
print("Test 24.a - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.b - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.c - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.d - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.e - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
print("Test 24.f - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.g - Next-Protocol Client Negotiation")
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 25.a - FALLBACK_SCSV")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
connection.close()
print("Test 25.b - FALLBACK_SCSV")
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
settings.maxVersion = (3, 2)
try:
connection.handshakeClientCert(settings=settings)
assert()
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
print("Test 26.a - server checks cipher version")
synchro.recv(1)
connection = connect()
# Configure the ClientHello to only advertise SHA-256 ciphers, but not
# support TLS 1.2.
connection.fault = Fault.ignoreVersionForCipher
settings = HandshakeSettings()
settings.maxVersion = (3, 2)
settings.macNames = ["sha256"]
connection.handshakeClientCert(settings=settings)
connection.close()
print("Test 26.b - client checks cipher version")
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientCert()
assert()
except TLSLocalAlert as alert:
# The client should reject the ServerHello because it selected an
# invalid cipher for the version.
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print('Test 27 - good standard XMLRPC https client')
address = address[0], address[1]+1
synchro.recv(1)
try:
# python 2.7.9 introduced certificate verification (context option)
# python 3.4.2 doesn't have it though
context = ssl.create_default_context(\
cafile=os.path.join(dir, "serverX509Cert.pem"))
server = xmlrpclib.Server('https://%s:%s' % address, context=context)
except (TypeError, AttributeError):
server = xmlrpclib.Server('https://%s:%s' % address)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
print('Test 28 - good tlslite XMLRPC client')
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
print('Test 29 - good XMLRPC ignored protocol')
server = xmlrpclib.Server('http://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
print("Test 30 - Internet servers test")
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
print("Test 30: IMAP4 good")
p = POP3_TLS("pop.gmail.com")
p.quit()
print("Test 31: POP3 good")
except socket.error as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
synchro.close()
if not badFault:
print("Test succeeded")
else:
print("Test failed")
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#open synchronisation FIFO
synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchro.settimeout(15)
synchro.connect((address[0], address[1]-1))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(15)
sock.connect(address)
c = TLSConnection(sock)
return c
test_no = 0
badFault = False
print("Test {0} - anonymous handshake".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good X509 (plus SNI)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS cert".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS sig".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X509, SSLv3".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good X509, RC4-MD5".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
settings.cipherNames = ["rc4"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
assert(connection.encryptThenMAC == False)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain...skipped"
" (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good SRP".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good SRP: with X.509 certificate, TLSv1.0".format(test_no))
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good mutual X509".format(test_no))
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X509, TLSv1.1".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X509, SSLv3".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good SRP, prepare to resume... (plus SNI)".\
format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
test_no += 1
print("Test {0} - resumption (plus SNI)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
test_no += 1
print("Test {0} - invalidated resumption (plus SNI)".format(test_no))
synchro.recv(1)
connection.sock.close() #Close the socket without a close_notify!
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
synchro.recv(1)
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers, TLSv1.0".format(test_no))
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = timeit.default_timer()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = timeit.default_timer()
sizeofdata = len(h)*2
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(sizeofdata/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
settings.maxVersion = (3, 2)
try:
connection.handshakeClientCert(settings=settings)
assert()
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
assert(settings.useEncryptThenMAC)
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
settings.useEncryptThenMAC = False
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
session = connection.session
# resume
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0], session=session)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
session = connection.session
# resume
synchro.recv(1)
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
settings.macNames.remove("aead")
connection = connect()
try:
connection.handshakeClientCert(serverName=address[0], session=session,
settings=settings)
except TLSRemoteAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("No exception raised")
connection.close()
test_no += 1
print('Test {0} - good standard XMLRPC https client'.format(test_no))
address = address[0], address[1]+1
synchro.recv(1)
try:
# python 2.7.9 introduced certificate verification (context option)
# python 3.4.2 doesn't have it though
context = ssl.create_default_context(\
cafile=os.path.join(dir, "serverX509Cert.pem"))
server = xmlrpclib.Server('https://%s:%s' % address, context=context)
except (TypeError, AttributeError):
server = xmlrpclib.Server('https://%s:%s' % address)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print('Test {0} - good tlslite XMLRPC client'.format(test_no))
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print('Test {0} - good XMLRPC ignored protocol'.format(test_no))
server = xmlrpclib.Server('http://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print("Test {0} - Internet servers test".format(test_no))
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
test_no += 1
print("Test {0}: IMAP4 good".format(test_no))
p = POP3_TLS("pop.gmail.com")
p.quit()
test_no += 1
print("Test {0}: POP3 good".format(test_no))
except (socket.error, socket.timeout) as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
synchro.close()
if not badFault:
print("Test succeeded, {0} good".format(test_no))
else:
print("Test failed")
arg = parse_args()
handle_args(arg)
# Determine the type of certificate and parse the file into an X509CertChain object
x509 = tlslite.X509()
if os.path.splitext(arg.cert)[1].lower() == ".pem":
with open(arg.cert, "r") as s:
x509.parse(s.read())
else:
with open(arg.cert, "rb") as b:
x509.parseBinary(b.read())
certChain = tlslite.X509CertChain([x509])
# Parse the private key file
with open(arg.key, "r") as s:
privateKey = tlslite.parsePEMKey(s.read(), private=True)
# Listen for client connections
sock = socket.socket()
sock.bind(("", arg.port))
sock.listen()
sock_list.append(sock)
while True:
with lib.spinner.Spinner(" Listening on port {}".format(arg.port)):
client, addr = sock.accept()
sock_list.append(client)
print("[*] Client connected: {}:{}".format(addr[0], addr[1]))
# Checker object to always reject the client's certificate (compares fingerprint to 0)
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
datasize = argv[2]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
test_no = 0
for cipher in ["aes128gcm", "aes128", "aes256", "rc4","chacha20-poly1305","speck128", "speck128gcm", "speck192gcm"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = ["python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
if datasize == "3MB":
h = connection.read(min=1500000, max=1500000)
elif datasize == "2MB":
h = connection.read(min=1000000, max=1000000)
elif datasize == "1MB":
h = connection.read(min=500000, max=500000)
elif datasize == "500k":
h = connection.read(min=250000, max=250000)
elif datasize == "100k":
h = connection.read(min=50000, max=50000)
elif datasize == "2k":
h = connection.read(min=1000, max=1000)
else:
print("Datasize not supported or syntax error! Exiting...")
exit(1)
connection.write(h)
connection.close()
synchro.close()
synchroSocket.close()
print("Test succeeded")
def client_thread(client_sock,data,std,model,wifi_keys,positions,headings,landmarks,data_mean,data_std,label_to_loc):
connection = TLSConnection(client_sock)
#make certificate later
#get certificate
s = open("C:/OpenSSL-Win64/bin/mywebsitename.crt").read()
x509 = X509()
x509.parse(s)
certChain = X509CertChain([x509])
s = open("C:/OpenSSL-Win64/bin/mywebsitename.key").read()
privateKey = parsePEMKey(s, private=True)
#handshake
connection.handshakeServer(certChain=certChain, privateKey=privateKey,reqCert=False)
print connection.session.serverCertChain
#helper variables
number_of_spots = 6 #place the number of spots here
counter = 0 #counter for while loop iteration
heading = [0,1] #a reference heading (direction) used for the direction calculations in the iterations
itter_heading = array([0.0,0.0]) #the variable used for the current heading (direction) of the user in the iteration
pos = array([0,0]) #variable used to store the position of the user
leap = 0.0 #used to store how many steps a user has taken since last reading
last_step = 0 #used to store the last known value of the step counter
old_reading = zeros(12) # used to store the last known wifi sensor values
step_size = 0.865 #the size of a step in units of two feet
old_past_location = -1 #the landmark that was detected in a previous iteration of the while loop
past_location = -1 #the landmark that was detected in the current iteration if a landmark was detected in the current iteration otherwise this variable will take the value of old_past_location
steps_since_past_location = 0 #the number of steps taken since a landmark was last detected
steps_since_past_location_threshold = 10 #the number of steps a user must take before the same landmark can be detected twice
#this variable is used to avoid the detection of a landmark multiple times as a user is walking through items
#by avoiding multiple simultaneous detections, the users location won't be set to the corresponding position of the landmark multiple times.
while counter < 1500:
found_lm = False #variable used to specify if a landmark has been found in this iteration
counter += 1 #loop counter
#read a data record from the TLS connection and add it to the data list
test = connection.read()
data.append(json.loads(test))
#get the direction the user is standing in.
#below I get the users orientation as an angle from the direction of north. This angle is stored in
#data[-1]['all_data']['fused_0']. Here data[-1] indexes the last element of the list, data[-1]['all_data'] accesses a value in a dictionary( which is like a hash make with key value pairs)
#data[-1]['all_data']['fused_0'] accesses a value in a dictionary that's in a dictionary. Looking at the json output of our sent data should make this more clear.
da_angle = -(data[-1]['all_data']['fused_0']+30)*pi/180.0
itter_heading[0] = cos(da_angle)*heading[0]-sin(da_angle)*heading[1]
itter_heading[1] = sin(da_angle)*heading[0]+cos(da_angle)*heading[1]
#here I collect all of the wifi signals and put them in an array to be queried by the SVM. These wifi signals have been hard coded into the Android code. So you will have to make your own list and pass it into this function.
#the syntax for the list is like this ['key id 1','key id 2','key id 3']
test_post = array([data[-1]['all_data'][key] for key in wifi_keys]).reshape((1,len(wifi_keys)))
test_post[test_post==-200] = -100.0
#If the new wifi signals are different from the old wifi signals then enter the list
if not array_equal(test_post,old_reading):
#get probabilities for each of the landmarks based on the wifi signals
probs = model.predict_proba((test_post[0,1:]-data_mean)/data_std)
print probs
#get the index of the landmark with highest probability
ma = argmax(probs)
#if the probability of the the most probable landmark is above some threshold (here .75)
#then possibly predict that the user is at the landmarks location and set pos accordingly
if probs[0,ma] >0.75:
found_lm = True
#If the user has walked a certain amount of steps after the last landmark was detected, then that same landmark can be detected again, otherwise it can not.
#New landmarks can always be detected. If a landmark is detected then pos will be set to the position of that landmark
if not (past_location == model.classes_[ma] and steps_since_past_location <= steps_since_past_location_threshold):
print 'you are here ',model.classes_[ma]
pos = label_to_loc[model.classes_[ma]]
steps_since_past_location=0
past_location = model.classes_[ma]
#book keeping variables
positions.append(pos)
headings.append(itter_heading)
landmarks.append(1)
#save the value of the old wifi readings for next iteration
old_reading = copy(test_post)
#Below I look at the step counter to see if the user has taken any steps since the last loop iteration
if data[-1][u'all_data'][u'stepc']> 0.0:
leap = float(data[-1][u'all_data'][u'stepc']) - last_step if last_step!=0 else 1
#If the user has taken steps then move them in the direction that thay are facing by however many steps they have taken.
#The number of steps that they have taken is stored in leap
if leap>0.0:
#If the last landmark detected is the same then increment the following counter
if past_location == old_past_location:
steps_since_past_location+=1
#print out the number of steps the user has taken in total
print data[-1][u'all_data'][u'stepc']
#change the users location
num_steps = leap*step_size
pos = itter_heading*num_steps+pos
#record the users last step for future iterations
last_step = data[-1][u'all_data'][u'stepc']
#book keeping variables
positions.append(pos)
headings.append(itter_heading)
landmarks.append(0)
old_past_location = past_location
#close the connection
print 'you are here'
connection.close()
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print("Test 0 - anonymous handshake")
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print("Test 1 - good X509 (plus SNI)")
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print("Test 1.a - good X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print("Test 3 - good SRP")
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 14 - good mutual X509")
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.a - good mutual X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 18 - good SRP, prepare to resume... (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
print("Test 19 - resumption (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
print("Test 20 - invalidated resumption (plus SNI)")
connection.sock.close() #Close the socket without a close_notify!
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
time.sleep(2)
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
# don't check cert unless we provide a fingerprint --dmb
checker = Checker(x509Fingerprints=[fingerprint]) if fingerprint else None
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
time.sleep(2)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if tlscryptoLoaded:
implementations.append("tlscrypto")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers, TLSv1.0")
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = time.clock()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = time.clock()
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
print("Test 24.a - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.b - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.c - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.d - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.e - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
print("Test 24.f - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.g - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print('Test 25 - good standard XMLRPC https client')
time.sleep(2) # Hack for lack of ability to set timeout here
address = address[0], address[1]+1
server = xmlrpclib.Server('https://%s:%s' % address)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 26 - good tlslite XMLRPC client')
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 27 - good XMLRPC ignored protocol')
server = xmlrpclib.Server('http://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print("Test 28 - Internet servers test")
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
print("Test 28: IMAP4 good")
p = POP3_TLS("pop.gmail.com")
p.quit()
print("Test 29: POP3 good")
except socket.error as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
if not badFault:
print("Test succeeded")
else:
print("Test failed")
def read_private(self):
import tlslite
self.private = tlslite.parsePEMKey(open(self.key_path).read(),
private=True)
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(
open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert (connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3, 0)
settings.maxVersion = (3, 0)
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(
open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print "Test 2.a - good X.509, TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
tacks=[tack],
activationFlags=1,
settings=settings)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
tacks=[tackUnrelated],
settings=settings)
assert (False)
except TLSRemoteAlert, alert:
if alert.description != AlertDescription.illegal_parameter:
raise
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print " Good Fault %s" % (Fault.faultNames[fault])
except TLSFaultError, e:
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))
badFault = True
print "Test 14 - good mutual X509"
x509Cert = X509().parse(
open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert (isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 14.a - good mutual X509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3, 0)
settings.maxVersion = (3, 0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert (isinstance(connection.session.serverCertChain, X509CertChain))
def read_private (self):
import tlslite
self.private = tlslite.parsePEMKey (
open (self.key_path).read(),
private=True
)
# recv first packet
data = conn.recv(BUFFER_SIZE)
hexdump(data)
isTLS = ""
isRunning = True
if data.startswith(b"\x16\x03"):
print(">> Detect ssl request")
# ssl context
x509 = X509()
x509.parse(open(CERT).read())
certChain = X509CertChain([x509])
privateKey = parsePEMKey(open(KEY).read(), private=True)
# wrap it with modified class
connection = MyTLSConnection(conn, data)
# resume the handshake
try:
connection.handshakeServer(certChain=certChain,
privateKey=privateKey,
reqCert=True)
except:
print(">> Failed to switch ssl")
else:
print(">> Upgraded")
conn = connection
isTLS = "[TLS] "
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
print("Test 0 - Anonymous server handshake")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print("Test 1 - good X.509")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 1.a - good X.509, SSL v3")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
print("Test 1.b - good X.509, RC4-MD5")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
print("Test 3 - good SRP")
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB)
connection.close()
print("Test 6 - good SRP: with X.509 cert")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
connection.close()
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
print("Test 14 - good mutual X.509")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14a - good mutual X.509, TLSv1.1")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14b - good mutual X.509, SSLv3")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
connection.close()
print("Test 18 - good SRP, prepare to resume")
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 19 - resumption")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
print("Test 20 - invalidated resumption")
synchro.send(b'R')
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
def server_bind(self):
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HTTPServer.server_bind(self)
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
synchro.send(b'R')
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers")
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
print("Test 24.a - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.b - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.c - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.d - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.e - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
print("Test 24.f - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.g - Next-Protocol Server Negotiation")
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
print("Test 25.a - FALLBACK_SCSV")
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print("Test 25.b - FALLBACK_SCSV")
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
print("Test 26.a - server checks cipher version")
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
# The server should reject the connection with a handshake_failure
# because, after taking the version into account, no ciphers match.
if alert.description != AlertDescription.handshake_failure:
raise
connection.close()
print("Test 26.b - client checks cipher version")
synchro.send(b'R')
connection = connect()
# Configure the server to illegally select SHA-256 ciphers at TLS 1.1.
connection.fault = Fault.ignoreVersionForCipher
settings = HandshakeSettings()
settings.maxVersion = (3, 2)
settings.macNames = ["sha256"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
connection.close()
print("Tests 27-29 - XMLRPXC server")
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
synchro.send(b'R')
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
synchro.send(b'R')
server.handle_request()
synchro.close()
synchroSocket.close()
print("Test succeeded")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
datasize = argv[2]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1] - 1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(
open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
test_no = 0
for cipher in [
"aes128gcm", "aes128", "aes256", "rc4", "chacha20-poly1305",
"speck128", "speck128gcm", "speck192gcm"
]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = ["python"]
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
if datasize == "3MB":
h = connection.read(min=1500000, max=1500000)
elif datasize == "2MB":
h = connection.read(min=1000000, max=1000000)
elif datasize == "1MB":
h = connection.read(min=500000, max=500000)
elif datasize == "500k":
h = connection.read(min=250000, max=250000)
elif datasize == "100k":
h = connection.read(min=50000, max=50000)
elif datasize == "2k":
h = connection.read(min=1000, max=1000)
else:
print("Datasize not supported or syntax error! Exiting...")
exit(1)
connection.write(h)
connection.close()
synchro.close()
synchroSocket.close()
print("Test succeeded")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
# TACK1 and TACK2 are both "good" TACKs, one targetting, the key,
# one the hash
tack1 = TACK()
tack1.parsePem(open("./TACK1.pem", "rU").read())
tack2 = TACK()
tack2.parsePem(open("./TACK2.pem", "rU").read())
tackUnrelated = TACK()
tackUnrelated.parsePem(open("./TACKunrelated.pem", "rU").read())
breakSigs = TACK_Break_Sig.parsePemList(
open("./TACK_Break_Sigs.pem").read())
breakSigsActual = TACK_Break_Sig.parsePemList(
open("./TACK_Break_Sigs_TACK1.pem").read())
print "Test 2.a - good X.509, good TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack1, breakSigs=breakSigs)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, \"wrong\" TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack1)
connection.close()
print "Test 2.c - good X.509, \"wrong\" TACK but break signature (hardTack)"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack2, breakSigs=breakSigsActual)
print "Test 2.d - good X.509, \"wrong\" TACK but break signature (not hardTack)"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tack2, breakSigs=breakSigsActual)
testConnServer(connection)
connection.close()
print "Test 2.e - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tack=tackUnrelated)
except TLSRemoteAlert as alert:
assert(alert.description == AlertDescription.handshake_failure)
print "Test 2.f - good X.509, no TACK but expected"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
print "Test 3 - good SRP"
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print "Test 4 - SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB)
assert()
except:
pass
connection.close()
print "Test 6 - good SRP: with X.509 cert"
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print "Test 7 - X.509 with SRP faults"
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print "Test 11 - X.509 faults"
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print "Test 14 - good mutual X.509"
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 14a - good mutual X.509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 15 - mutual X.509 faults"
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
assert()
except:
pass
connection.close()
print "Test 18 - good SRP, prepare to resume"
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
testConnServer(connection)
connection.close()
print "Test 19 - resumption"
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
testConnServer(connection)
#Don't close! -- see next test
print "Test 20 - invalidated resumption"
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError, e:
pass
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
with open(os.path.join(dir, "serverRSAPSSSigCert.pem")) as f:
x509CertRSAPSSSig = X509().parse(f.read())
x509ChainRSAPSSSig = X509CertChain([x509CertRSAPSSSig])
with open(os.path.join(dir, "serverRSAPSSSigKey.pem")) as f:
x509KeyRSAPSSSig = parsePEMKey(f.read(), private=True)
with open(os.path.join(dir, "serverRSAPSSCert.pem")) as f:
x509CertRSAPSS = X509().parse(f.read())
x509ChainRSAPSS = X509CertChain([x509CertRSAPSS])
assert x509CertRSAPSS.certAlg == "rsa-pss"
with open(os.path.join(dir, "serverRSAPSSKey.pem")) as f:
x509KeyRSAPSS = parsePEMKey(f.read(), private=True,
implementations=["python"])
test_no = 0
print("Test {0} - Anonymous server handshake".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS sig".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509ChainRSAPSSSig,
privateKey=x509KeyRSAPSSSig)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509ChainRSAPSS,
privateKey=x509KeyRSAPSS)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, SSL v3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
assert(not connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, RC4-MD5".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain"
"...skipped (no tackpy)".format(test_no))
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
try:
(db_file, db_name) = mkstemp()
os.close(db_file)
# this is race'y but the interface dbm interface is stupid like that...
os.remove(db_name)
verifierDB = VerifierDB(db_name)
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
finally:
try:
os.remove(db_name)
except FileNotFoundError:
# dbm module may create files with different names depending on
# platform
os.remove(db_name + ".dat")
test_no += 1
print("Test {0} - good SRP".format(test_no))
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB)
connection.close()
test_no += 1
print("Test {0} - good SRP: with X.509 cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - good mutual X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, TLSv1.1".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, SSLv3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
connection.close()
test_no += 1
print("Test {0} - good SRP, prepare to resume".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
test_no += 1
print("Test {0} - invalidated resumption".format(test_no))
synchro.send(b'R')
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
def server_bind(self):
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HTTPServer.server_bind(self)
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
synchro.send(b'R')
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers".format(test_no))
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
except TLSLocalAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("no exception raised")
connection.close()
test_no += 1
print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2))
test_no += 2
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
synchro.send(b'R')
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
synchro.send(b'R')
server.handle_request()
synchro.close()
synchroSocket.close()
print("Test succeeded")
