def do_CONNECT(self):
remote_connection = self._create_remote_ssl_connection(self.path)
if remote_connection:
self.log_request(200)
self.wfile.write(self.protocol_version +
' 200 Connection established\r\n')
self.wfile.write('Proxy-agent: %s\r\n' % self.version_string())
self.wfile.write('\r\n')
try:
if self.server.pem_file:
self.connection = ssl.SSLSocket(
self.connection,
server_side=True,
certfile=self.server.pem_file)
elif self.server_cert_file:
self.connection = ssl.SSLSocket(
self.connection,
server_side=True,
certfile=self.server.cert_file)
else:
self.connection = ssl.SSLSocket(
self.connection,
server_side=True,
certfile=self.server.cert_file,
keyfile=self.server.key_file)
except ssl.SSLError, e:
logging.error(e)
self._chat_to_remote_connection(remote_connection)
def get_request(self):
sock, client_address = HTTPServer.get_request(self)
if sock and config.server_certificate:
# this is this kind of smart shit that gets you in really deep trouble later
peek = sock.recv(5, socket.MSG_PEEK)
if peek and len(peek) == 5:
if peek[0] == 0x16:
logging.debug(
"socket %s from %s appears to start with a TSL handshake, version %d.%d",
sock, client_address, peek[1], peek[2])
try:
sock = ssl.SSLSocket(
sock=sock,
certfile=config.server_certificate,
server_side=True)
except:
logging.exception(
"failed to SSL wrap socket %s from %s", sock,
client_address)
elif peek[0] == 0x80 and peek[2] == 0x01:
logging.debug(
"socket %s from %s appears to start with a SSLv2 handshake, supported version %d.%d",
sock, client_address, peek[3], peek[4])
try:
sock = ssl.SSLSocket(
sock=sock,
certfile=config.server_certificate,
server_side=True)
except:
logging.exception(
"failed to SSL wrap socket %s from %s", sock,
client_address)
return sock, client_address
def connect(self, addr=('irc.freenode.net', 6667), use_ssl=False):
'''Connect to a IRC server. addr is a tuple of (server, port)'''
self.acquire_lock()
try:
self.addr = (rmnlsp(addr[0]), addr[1])
if use_ssl:
if (3, ) <= sys.version_info < (3, 3):
self.sock = ssl.SSLSocket()
elif sys.version_info >= (3, 4):
ctx = ssl.create_default_context()
if ssl.HAS_SNI:
self.sock = ctx.wrap_socket(socket.socket(),
server_hostname=addr[0])
else:
self.sock = ctx.wrap_socket(socket.socket())
else:
self.sock = ssl.SSLSocket(sock=socket.socket())
else:
self.sock = socket.socket()
self.sock.settimeout(300)
self.sock.connect(self.addr)
self.nick = None
self.recvbuf = b''
self.sendbuf = b''
finally:
self.lock.release()
def connect(self, host, port=587, secure=SEC_STARTTLS):
targets = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
socket.SOCK_STREAM, 0, 0)
# TODO: should we iterate through targets in order, randomly, or
# randomly by address family (that is, try IPv6 first, then IPv4, then
# whatever is left)?
for i in targets:
print "Trying", i[4][0], i[
3] # address, canonical name (if available)
s = socket.socket(*i[:3])
if secure == SEC_SSL:
oldSock = s
s = ssl.SSLSocket(s,
ca_certs=self.ca_certs,
cert_reqs=ssl.CERT_REQUIRED
if self.ca_certs else ssl.CERT_NONE)
else:
oldSock = None
try:
s.connect(i[4])
self._negotiate(s, host, secure)
break
except socket.error as ev:
print " ", ev.strerror
continue
else:
# TODO: Provide some more info. Ideally, we'd have some
# differentiation between, say, connection refused vs timed out vs
# no route, etc.
# May be difficult due to multiple connection attempts.
raise Exception("unable to connect")
def test_bad_host(self):
with open(Fixtures.keys.path("private1.pem"), "rb") as f:
key = RSAObject(pem=f.read())
h = SSLHandler(self, self.serverSock, self.clientEndpoint,
self.certfile, self.keyfile)
self.assertEqual(self.client_sock.recv(8), b"FLUX0003")
c_sock = ssl.SSLSocket(self.client_sock, do_handshake_on_connect=False)
self.complete_ssl_handshake(h, c_sock)
randbytes = c_sock.recv(64)
# Client send identify
document = hash_password(tcp_ssl.UUID_BIN, randbytes)
signature = key.sign(document)
c_sock.send(from_hex("89ba8bc366d22153e82c22aa6c01f60bcac38c93"))
c_sock.send(signature)
# Final identify
while select((h.sock, ), (), (), 0.05)[0]:
h.on_recv(None, None)
if h.ready == -1:
break
self.assertEqual(h.ready, -1)
select((c_sock, ), (), (), 0.1)
self.assertEqual(c_sock.recv(16), tcp_ssl.MESSAGE_UNKNOWN_HOST)
def connect(self):
"Connect to a host on a given (SSL) port."
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.host, self.port))
ssl_soc = ssl.SSLSocket(sock, self.key_file, self.cert_file)
self.sock = FakeSocket(sock, ssl_soc)
def connect(self):
"""
Connects and registers with the IRC Server.
"""
self.socket = socket.socket()
if self.ssl:
self.socket = ssl.SSLSocket(self.socket)
self.socket.settimeout(self.socket_timeout)
wait_time = self.connection_wait_timer_start
while self.connected == False:
try:
self.socket.connect((self.host, self.port))
self.connected = True
print "Connected to %s on port %s" % (self.host, str(
self.port))
except:
print "Failed to connect to %s on port %s" % (self.host,
str(self.port))
print "Reconnecting in %s seconds" % wait_time
time.sleep(wait_time)
if (wait_time * self.connection_wait_timer_multiplier <
self.connection_wait_timer_max):
wait_time = wait_time * self.connection_wait_timer_multiplier
elif (wait_time < self.connection_wait_timer_max):
wait_time = self.connection_wait_timer_max
# Register on server
self.socket.send("NICK %s\r\n" % self.nick)
self.socket.send("USER %s %s something :%s\r\n" %
(self.ident, self.host, self.real_name))
self.last_time_sent_nick = time.time()
# Listen for replies from the server
self.listen()
def _wrap_socket_sni(sock,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=ssl.CERT_NONE,
ssl_version=ssl.PROTOCOL_SSLv23,
ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
server_hostname=None,
ciphers=None):
"""Socket wrap with SNI headers.
Default `ssl.wrap_socket` method augmented with support for
setting the server_hostname field required for SNI hostname header
"""
sock = ssl.SSLSocket(sock=sock,
keyfile=keyfile,
certfile=certfile,
server_side=server_side,
cert_reqs=cert_reqs,
ssl_version=ssl_version,
ca_certs=ca_certs,
do_handshake_on_connect=do_handshake_on_connect,
suppress_ragged_eofs=suppress_ragged_eofs,
server_hostname=server_hostname,
ciphers=ciphers)
return sock
def connect(self):
"""
Connect to a host on a given (SSL) port using PyOpenSSL.
"""
sock = socket.create_connection((self.host, self.port), self.timeout)
if PY2:
ssl_ctx = configure_pyopenssl_context(self.credentials)
# attempt to upgrade the socket to TLS
cxn = OpenSSL.SSL.Connection(ssl_ctx, sock)
cxn.set_connect_state()
while True:
try:
cxn.do_handshake()
except OpenSSL.SSL.WantReadError:
select.select([sock], [], [])
continue
except OpenSSL.SSL.Error as e:
raise SecurityError('bad handshake - ' + str(e))
break
self.sock = RiakWrappedSocket(cxn, sock)
self.credentials._check_revoked_cert(self.sock)
else:
ssl_ctx = configure_ssl_context(self.credentials)
host = "riak@" + self.host
self.sock = ssl.SSLSocket(sock=sock,
keyfile=self.credentials.pkey_file,
certfile=self.credentials.cert_file,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs=self.credentials.cacert_file,
ciphers=self.credentials.ciphers,
server_hostname=host)
self.sock.context = ssl_ctx
def accept(self):
plain_client, addr = self.handle.accept()
try:
context = ssl.SSLContext(self.SSL_VERSION)
context.verify_mode = ssl.CERT_NONE
context.load_cert_chain(certfile=self.certfile,
keyfile=self.keyfile)
if self.capath:
context.load_verify_locations(cafile=None, capath=self.capath)
if self.ciphers:
context.set_ciphers(self.ciphers)
client = ssl.SSLSocket(plain_client,
server_side=True,
_context=context)
except ssl.SSLError as ssl_exc:
# failed handshake/ssl wrap, close socket to client
plain_client.close()
# raise ssl_exc
# We can't raise the exception, because it kills most TServer derived
# serve() methods.
# Instead, return None, and let the TServer instance deal with it in
# other exception handling. (but TSimpleServer dies anyway)
return None
result = TSocket.TSocket()
result.setHandle(client)
return result
def run_client(args):
host = args.hostname
port = args.p
nuid = args.neu_id
secure = args.s
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock = ssl.SSLSocket(sock) if secure else sock
sock.connect((host, port))
message = 'cs3700fall2016 HELLO {}\n'.format(nuid)
while True:
sock.send(bytes(message, 'utf-8'))
response = sock.recv(BUFFER)
response_str = response.decode('utf-8').strip()
if "STATUS" in response_str:
operation = response_str.split('STATUS ')[1]
answer = int(eval(operation))
message = "cs3700fall2016 {}\n".format(answer)
elif "BYE" in response_str:
secret_flag = response_str.split('BYE ')[1]
break
else:
sock.close()
raise Exception('Unexpected Response')
sock.close()
print(secret_flag)
def _ssl_handshake(self):
"""
Perform an SSL handshake w/ the server.
Precondition: a successful STARTTLS exchange has
taken place with Riak
returns True upon success, otherwise an exception is raised
"""
credentials = self._client._credentials
if credentials:
try:
ssl_ctx = configure_ssl_context(credentials)
host = self._address[0]
ssl_socket = ssl.SSLSocket(
sock=self._socket,
keyfile=credentials.pkey_file,
certfile=credentials.cert_file,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs=credentials.cacert_file,
ciphers=credentials.ciphers,
server_hostname=host)
ssl_socket.context = ssl_ctx
# ssl handshake successful
ssl_socket.do_handshake()
self._socket = ssl_socket
return True
except ssl.SSLError as e:
raise SecurityError(e)
except Exception as e:
# fail if *any* exceptions are thrown during SSL handshake
raise SecurityError(e)
def get_roomba_password(ip):
"""
Sends a (magic?) packet and parses the response as the password
Mostly based on: https://github.com/koalazak/dorita980
Thanks koalazak :)
:param ip:
:return:
"""
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.SSLSocket(sock=sock)
ssl_sock.connect((ip, 8883))
ssl_sock.write('\xf0\x05\xef\xcc\x3b\x29\x00')
# Should get back a 2 byte message containing the size of the next message
r1 = [ord(x) for x in ssl_sock.recv()]
# If we get the expected values pull out the password
if len(r1) == 2 and r1[1] == 21:
r2 = [chr(ord(x)) for x in ssl_sock.recv()]
return "".join(r2[5:])
else:
print "ERROR make sure you pressed the button!"
print "Got:", r1
return ""
def _wrap_socket_sni(self, sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=ssl.CERT_NONE,
ca_certs=None, do_handshake_on_connect=True,
suppress_ragged_eofs=True, server_hostname=None,
ciphers=None, ssl_version=None):
"""Socket wrap with SNI headers.
Default `ssl.wrap_socket` method augmented with support for
setting the server_hostname field required for SNI hostname header
"""
opts = dict(sock=sock, keyfile=keyfile, certfile=certfile,
server_side=server_side, cert_reqs=cert_reqs,
ca_certs=ca_certs,
do_handshake_on_connect=do_handshake_on_connect,
suppress_ragged_eofs=suppress_ragged_eofs,
ciphers=ciphers)
# Setup the right SSL version; default to optimal versions across
# ssl implementations
if ssl_version is not None:
opts['ssl_version'] = ssl_version
else:
# older versions of python 2.7 and python 2.6 do not have the
# ssl.PROTOCOL_TLS defined the equivalent is ssl.PROTOCOL_SSLv23
# we default to PROTOCOL_TLS and fallback to PROTOCOL_SSLv23
if hasattr(ssl, 'PROTOCOL_TLS'):
opts['ssl_version'] = ssl.PROTOCOL_TLS
else:
opts['ssl_version'] = ssl.PROTOCOL_SSLv23
# Set SNI headers if supported
if (server_hostname is not None) and (
hasattr(ssl, 'HAS_SNI') and ssl.HAS_SNI):
opts['server_hostname'] = server_hostname
sock = ssl.SSLSocket(**opts)
return sock
def connect(self):
"""Initiates a connection using the ssl module."""
rawsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if self.protocol == 'xmlrpc/ssl':
ssl_protocol_ver = ssl.PROTOCOL_SSLv23
else:
log.error("Unknown protocol %s" % (self.protocol))
raise Exception, "unknown protocol %s" % self.protocol
if self.ca:
other_side_required = ssl.CERT_REQUIRED
else:
other_side_required = ssl.CERT_NONE
log.warning("No ca is specified. Cannot authenticate the server with SSL.")
if self.cert and not self.key:
log.warning("SSL cert specfied, but no key. Cannot authenticate this client with SSL.")
self.cert = None
raise Exception, "no SSL key specified"
if self.key and not self.cert:
log.warning("SSL key specfied, but no cert. Cannot authenticate this client with SSL.")
raise Exception, "no SSL cert specified"
rawsock.settimeout(self.timeout)
self.sock = ssl.SSLSocket(rawsock, cert_reqs=other_side_required,
ca_certs=self.ca, suppress_ragged_eofs=True,
keyfile=self.key, certfile=self.cert,
ssl_version=ssl_protocol_ver)
self.sock.connect((self.host, self.port))
peer_cert = self.sock.getpeercert()
if peer_cert and self.scns:
scn = [x[0][1] for x in peer_cert['subject'] if x[0][0] == 'commonName'][0]
if scn not in self.scns:
raise CertificateError, scn
self.sock.closeSocket = True
def download_as_der(
base_url=d1_common.const.URL_DATAONE_ROOT,
timeout_sec=d1_common.const.RESPONSE_TIMEOUT,
):
"""Download certificate from the server at {base_url} and return it as a DER
encoded string.
{base_url} can be a full URL to a DataONE service endpoint or just a server
hostname.
In some cases, there's a need to download certificates in order to fix
validation issues that prevent those certificates from being downloaded. To
work around such chicken-and-egg problems, temporarily wrap calls to the
download_* functions with the disable_cert_validation() context manager (also
in this module).
TODO: It is unclear which SSL and TLS protocols are supported by the method
currently being used. The current method and the two commented out below
should be compared to determine which has the best compatibility with current
versions of Python and current best practices for protocol selection.
"""
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(timeout_sec)
ssl_socket = ssl.SSLSocket(sock)
url_obj = urllib.parse.urlparse(base_url)
ssl_socket.connect((url_obj.netloc, 443))
return ssl_socket.getpeercert(binary_form=True)
def accept(self):
newsock, addr = socket.socket.accept(self)
return (ssl.SSLSocket(
sock=newsock,
server_side=True,
do_handshake_on_connect=self.do_handshake_on_connect,
_context=self.context), addr)
def main():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(3)
s = ssl.SSLSocket(s)
login = base64.b64encode(b"*****@*****.**")
password = base64.b64encode(b"17fedfd7")
try:
s.connect(("smtp.yandex.ru", PORT))
data = s.recv(1024)
for line in dumper(data):
print(line)
msg = send_recv(b"EHLO google.ru", s)
print(msg.decode(ENCODING))
msg = send_recv(b"AUTH LOGIN", s)
print(msg.decode(ENCODING))
msg = send_recv(login, s)
print(msg.decode(ENCODING))
msg = send_recv(password, s)
print(msg.decode(ENCODING))
msg = send_recv(b"MAIL FROM:[email protected]", s)
print(msg.decode(ENCODING))
msg = send_recv(b"RCPT TO:[email protected]", s)
print(msg.decode(ENCODING))
msg = send_recv(b"DATA", s)
print(msg.decode(ENCODING))
msg = send_recv(create_msg(), s)
print(msg.decode(ENCODING))
except socket.timeout as e:
print("Server doesn't respond")
finally:
s.close()
def get_banner(self, server: str) -> str:
"""
Get the banner of the service on a given port of an IP address.
:param server: Server to connect to.
"""
banner = ''
try:
raw_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if self.is_ssl:
sock = ssl.SSLSocket(sock=raw_socket,
ca_certs=certifi.where(),
cert_reqs=ssl.CERT_REQUIRED,
server_hostname=server)
else:
sock = raw_socket
sock.connect((server, self.port))
if self.payload is not None:
sent_bytes = sock.send(self.payload.encode())
if sent_bytes < len(self.payload):
raise socket.error
banner = sock.recv(5096).decode('ISO-8859-1')
except socket.error:
raw_socket = False
banner = ''
finally:
if raw_socket:
raw_socket.close()
return banner.rstrip()
def connect(self):
if self.http_proxy:
conn = HttpProxyConnection((self.host, self.port), self.http_proxy)
conn.establish()
sock = conn.socket
ssl_sock = ssl.SSLSocket(sock, self.key_file, self.cert_file)
self.sock = httplib.FakeSocket(sock, ssl_sock)
else:
httplib.HTTPSConnection.connect(self)
def check_ssl_version(version, ip, port):
try:
https = ssl.SSLSocket(socket.socket(),
ssl_version=SSL_VERSION.get(version))
c = https.connect((ip, port))
print(version + ' Supported')
return True
except Exception as e:
return False
def getlistener(addr, family=socket.AF_INET, sslargs=None):
sock = socket.socket(family, socket.SOCK_STREAM)
if sslargs:
sslargs['server_side'] = True
sock = ssl.SSLSocket(sock, **sslargs)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(addr)
sock.listen(1024)
return sock
def __init__(self, server_address, HandlerClass):
SocketServer.BaseServer.__init__(self, server_address, HandlerClass)
self.socket = ssl.SSLSocket(socket.socket(self.address_family,
self.socket_type),
keyfile=PEM,
certfile=PEM)
self.server_bind()
self.server_activate()
def connect(self, addr=('irc.freenode.net', 6667), use_ssl=False):
'''Connect to a IRC server. addr is a tuple of (server, port)'''
self.acquire_lock()
self.addr = (rmnlsp(addr[0]), addr[1])
for res in socket.getaddrinfo(self.addr[0], self.addr[1], socket.AF_UNSPEC, socket.SOCK_STREAM):
af, socktype, proto, canonname, sa = res
try:
if use_ssl:
if (3,) <= sys.version_info < (3, 3):
self.sock = ssl.SSLSocket(af, socktype, proto)
elif sys.version_info >= (3, 4):
ctx = ssl.create_default_context()
if ssl.HAS_SNI:
self.sock = ctx.wrap_socket(socket.socket(af, socktype, proto), server_hostname=self.addr[0])
else:
self.sock = ctx.wrap_socket(socket.socket(af, socktype, proto))
else:
self.sock = ssl.SSLSocket(sock=socket.socket(af, socktype, proto))
else:
self.sock = socket.socket(af, socktype, proto)
except socket.error:
self.sock = None
continue
try:
self.sock.settimeout(300)
self.sock.connect(sa)
except socket.error:
self.sock.close()
self.sock = None
continue
break
if self.sock is None:
e = socket.error(
'[errno %d] Socket operation on non-socket' % errno.ENOTSOCK)
e.errno = errno.ENOTSOCK
self.lock.release()
raise e
self.nick = None
self.recvbuf = b''
self.sendbuf = b''
self.lock.release()
def __init__(self, server_address, HandlerClass):
BaseServer.__init__(self, server_address, HandlerClass)
fpem = 'server.pem'
self.socket = ssl.SSLSocket(socket.socket(self.address_family,
self.socket_type),
keyfile=fpem,
certfile=fpem)
self.server_bind()
self.server_activate()
def connect(self, addr=('irc.freenode.net', 6667), use_ssl=False):
'''Connect to a IRC server. addr is a tuple of (server, port)'''
self.acquire_lock()
try:
self.addr = (rmnlsp(addr[0]), addr[1])
if use_ssl:
if (3, ) <= sys.version_info < (3, 3):
self.sock = ssl.SSLSocket()
else:
self.sock = ssl.SSLSocket(sock=socket.socket())
else:
self.sock = socket.socket()
self.sock.settimeout(300)
self.sock.connect(self.addr)
self.nick = None
self.recvbuf = b''
self.sendbuf = b''
finally:
self.lock.release()
def _get_ssl_socket(socket, ssl_version, cert_reqs=ssl.CERT_NONE,
ca_certs=None, keyfile=None, certfile=None, **kwargs):
return ssl.SSLSocket(
socket,
ssl_version=ssl_version,
cert_reqs=cert_reqs,
ca_certs=ca_certs,
keyfile=keyfile,
certfile=certfile,
)
def __init__(self, server_address, HandlerClass):
BaseServer.__init__(self, server_address, HandlerClass)
self.socket = ssl.SSLSocket(socket.socket(self.address_family,
self.socket_type),
keyfile="test-key.pem",
certfile="test-cert.pem")
self.server_bind()
self.server_activate()
def do_set(self,value):
sock= ssl.SSLSocket(sock=socket(),ca_certs="public.pem")
sock.settimeout(5)
try:
sock.connect(hostip)
sock.send(b"SET / ADMIN/1.0\r\nSKey: "+self.skey.encode()+b"\r\nValue: "+value.encode()+b"\r\nKey: "+self.key.encode()+b"\r\nName: "+self.name.encode()+b"\r\n")
data = sock.recv(10000)
except:
print("\x1b[44;31mServer is unreachable!\x1b[0m")
return (("",),)
sock.close()
def connect(self):
s = socket.create_connection((self.host, self.port))
s.settimeout(timeout)
self.sock = ssl.SSLSocket(s,
server_hostname=self.host.split(':',
0)[0])
certRaw = self.sock.getpeercert(True)
global fingerprints
fingerprints = {
'sha1': hashlib.sha1(certRaw).hexdigest().upper(),
'sha256': hashlib.sha256(certRaw).hexdigest().upper()
}
