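def test_tls_session_resumption(tmpdir, sf1, sf2, sf3):
    """Attempt TLS session resumption against the same kresd instance and a different one.

    Three connections are made: ``sf1`` performs the initial handshake and
    must receive a session ticket, ``sf2`` presents that ticket to the same
    instance and must be reported as resumed, and ``sf3`` presents it to a
    second, freshly started instance.  The ``sf*`` values are handed straight
    to ``kresd.stream_socket``; presumably they are socket-family selectors
    from a parametrized fixture -- verify against the fixture definition.
    """

    # TODO ensure that session can't be resumed after session ticket key regeneration
    # at the first kresd instance

    def connect(kresd, ctx, sf, session=None):
        """Open one TLS connection, verify the ticket/resumption state, return the session.

        ``session_reused`` has to be True exactly when a prior ``session``
        was supplied.  The socket is closed in ``finally`` so that a failed
        assertion does not leave a dangling connection to the daemon.
        """
        sock, dest = kresd.stream_socket(sf, tls=True)
        ssock = ctx.wrap_socket(sock,
                                server_hostname='transport-test-server.com',
                                session=session)
        try:
            ssock.connect(dest)
            new_session = ssock.session
            assert new_session.has_ticket
            assert ssock.session_reused == (session is not None)
            utils.ping_alive(ssock)
        finally:
            ssock.close()
        return new_session

    workdir = os.path.join(str(tmpdir), 'kresd')
    os.makedirs(workdir)

    with make_kresd(workdir, 'tt') as kresd:
        # NOTE(review): Python's SSLSocket.session is not usable for
        # resumption once TLS 1.3 is negotiated; confirm the context built
        # here does not negotiate TLS 1.3, otherwise the assertions in
        # connect() are unreliable.
        ctx = utils.make_ssl_context(verify_location=kresd.tls_cert_path)
        session = connect(kresd, ctx, sf1)  # initial conn
        connect(kresd, ctx, sf2,
                session)  # resume session on the same instance

    workdir2 = os.path.join(str(tmpdir), 'kresd2')
    os.makedirs(workdir2)
    # The same context (trusting the first instance's certificate) is reused
    # for kresd2; both instances are started with the 'tt' certificate set.
    with make_kresd(workdir2, 'tt') as kresd2:
        connect(kresd2, ctx, sf3,
                session)  # resume session on a different instance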
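def test_rehandshake(tmpdir):
    """Check that kresd keeps a forwarded TLS connection across rehandshakes.

    Topology: kresd --(tcp client)--> REHANDSHAKE_PROXY --(tls)--> kresd_fwd_target.
    Every hint query must still be answered through the proxy, and kresd's
    partial log must record at least one rehandshake and no new
    "connecting to:" line (i.e. no reconnect was needed).
    """

    def resolve_hint(sock, qname):
        """Send a query for *qname* over *sock* and assert a NOERROR answer of 127.0.0.1."""
        buff, msgid = utils.get_msgbuff(qname)
        sock.sendall(buff)
        answer = utils.receive_parse_answer(sock)
        assert answer.id == msgid
        assert answer.rcode() == dns.rcode.NOERROR
        assert answer.answer[0][0].address == '127.0.0.1'

    def count_log_events(partial_log):
        """Return (n_connecting_to, n_rehandshake) counted over the log lines."""
        n_connecting_to = 0
        n_rehandshake = 0
        for line in partial_log.splitlines():
            if re.search(r"connecting to: .*", line) is not None:
                n_connecting_to += 1
            elif re.search(r"TLS rehandshake .* has started", line) is not None:
                n_rehandshake += 1
        return n_connecting_to, n_rehandshake

    hints = {
        '0.foo.': '127.0.0.1',
        '1.foo.': '127.0.0.1',
        '2.foo.': '127.0.0.1',
        '3.foo.': '127.0.0.1',
    }
    # run forward target instance
    workdir = os.path.join(str(tmpdir), 'kresd_fwd_target')
    os.makedirs(workdir)

    with make_kresd(workdir, hints=hints, port=53910) as kresd_fwd_target:
        # sanity check: the target answers directly before the proxy is involved
        sock = kresd_fwd_target.ip_tls_socket()
        try:
            resolve_hint(sock, '0.foo.')
        finally:
            sock.close()

        # run proxy
        cwd, cmd = os.path.split(REHANDSHAKE_PROXY)
        cmd = './' + cmd
        ca_file = os.path.join(CERTS_DIR, 'tt.cert.pem')
        # Popen stays outside the try: if spawning fails, the real error
        # surfaces instead of a NameError on `proxy` in the finally clause.
        proxy = subprocess.Popen(
            [cmd], cwd=cwd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        try:
            # run test kresd instance
            workdir2 = os.path.join(str(tmpdir), 'kresd')
            os.makedirs(workdir2)
            forward = Forward(proto='tls', ip='127.0.0.1', port=53921,
                              hostname='transport-test-server.com', ca_file=ca_file)
            with make_kresd(workdir2, forward=forward) as kresd:
                sock2 = kresd.ip_tcp_socket()
                try:
                    for hint in hints:
                        resolve_hint(sock2, hint)
                        # presumably paces the queries so the proxy can
                        # rehandshake between them -- confirm against the proxy
                        time.sleep(0.1)
                finally:
                    sock2.close()
                    # verify log (also on failure, so the counts appear in the report)
                    partial_log = kresd.partial_log()
                    print(partial_log)
                    n_connecting_to, n_rehandshake = count_log_events(partial_log)
                    assert n_connecting_to == 0  # shouldn't be present in partial log
                    assert n_rehandshake > 0
        finally:
            # reap the proxy; terminate() alone leaves a zombie, and a proxy
            # that ignores SIGTERM is killed rather than hanging the test run
            proxy.terminate()
            try:
                proxy.wait(timeout=5)
            except subprocess.TimeoutExpired:
                proxy.kill()
                proxy.wait()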
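def kresd_tls_client(
        workdir: str,
        proxy: TLSProxy,
        kresd_tls_client_kwargs: Optional[Dict[Any, Any]] = None,
        kresd_fwd_target_kwargs: Optional[Dict[Any, Any]] = None) -> Kresd:
    """kresd_tls_client --(tls)--> tlsproxy --(tcp)--> kresd_fwd_target

    Generator (fixture-style): yields the client ``kresd`` instance while the
    whole chain is running and tears everything down in reverse order when
    the consumer is done.  The forward target is started first and queried
    once directly as a sanity check; the proxy's ports are assigned here.

    Args:
        workdir: base directory; each instance gets its own subdirectory.
        proxy: TLS proxy whose ``local_port`` and ``upstream_port`` are set here.
        kresd_tls_client_kwargs: extra keyword arguments for the client ``make_kresd``.
        kresd_fwd_target_kwargs: extra keyword arguments for the target ``make_kresd``.

    Raises:
        AssertionError: if the proxy is not bound to a localhost address.
    """
    ALLOWED_IPS = {'127.0.0.1', '::1'}
    assert proxy.local_ip in ALLOWED_IPS, "only localhost IPs supported for proxy"
    assert proxy.upstream_ip in ALLOWED_IPS, "only localhost IPs are supported for proxy"

    if kresd_tls_client_kwargs is None:
        kresd_tls_client_kwargs = {}
    if kresd_fwd_target_kwargs is None:
        kresd_fwd_target_kwargs = {}

    # run forward target instance
    dir1 = os.path.join(workdir, 'kresd_fwd_target')
    os.makedirs(dir1)

    with make_kresd(dir1, hints=HINTS,
                    **kresd_fwd_target_kwargs) as kresd_fwd_target:
        # sanity check: the target resolves a hint before the proxy is wired in;
        # the probe socket is closed right away so it cannot leak on failure
        sock = kresd_fwd_target.ip_tcp_socket()
        try:
            resolve_hint(sock, next(iter(HINTS)))
        finally:
            sock.close()

        proxy.local_port = make_port('127.0.0.1', '::1')
        proxy.upstream_port = kresd_fwd_target.port

        with proxy:
            # run test kresd instance
            dir2 = os.path.join(workdir, 'kresd_tls_client')
            os.makedirs(dir2)
            forward = Forward(proto='tls',
                              ip=proxy.local_ip,
                              port=proxy.local_port,
                              hostname='transport-test-server.com',
                              ca_file=proxy.cert_path)
            with make_kresd(dir2, forward=forward,
                            **kresd_tls_client_kwargs) as kresd:
                yield kresd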
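def test_tls_session_resumption(tmpdir, sf1, sf2, sf3):
    """Attempt TLS session resumption against the same kresd instance and a different one.

    Three connections are made: ``sf1`` performs the initial handshake and
    must receive a session ticket, ``sf2`` presents that ticket to the same
    instance and must be reported as resumed, and ``sf3`` presents it to a
    second, freshly started instance.  The ``sf*`` values are handed straight
    to ``kresd.stream_socket``; presumably they are socket-family selectors
    from a parametrized fixture -- verify against the fixture definition.
    """

    # TODO ensure that session can't be resumed after session ticket key regeneration
    # at the first kresd instance

    # NOTE TLS 1.3 is intentionally disabled for session resumption tests,
    # because python's SSLSocket.session isn't compatible with TLS 1.3
    # https://docs.python.org/3/library/ssl.html?highlight=ssl%20ticket#tls-1-3

    def connect(kresd, ctx, sf, session=None):
        """Open one TLS connection, verify the ticket/resumption state, return the session.

        ``session_reused`` has to be True exactly when a prior ``session``
        was supplied.  The socket is closed in ``finally`` so that a failed
        assertion does not leave a dangling connection to the daemon.
        """
        sock, dest = kresd.stream_socket(sf, tls=True)
        ssock = ctx.wrap_socket(sock,
                                server_hostname='transport-test-server.com',
                                session=session)
        try:
            ssock.connect(dest)
            new_session = ssock.session
            assert new_session.has_ticket
            assert ssock.session_reused == (session is not None)
            utils.ping_alive(ssock)
        finally:
            ssock.close()
        return new_session

    workdir = os.path.join(str(tmpdir), 'kresd')
    os.makedirs(workdir)

    with make_kresd(workdir, 'tt') as kresd:
        ctx = utils.make_ssl_context(verify_location=kresd.tls_cert_path,
                                     extra_options=[ssl.OP_NO_TLSv1_3])
        session = connect(kresd, ctx, sf1)  # initial conn
        connect(kresd, ctx, sf2,
                session)  # resume session on the same instance

    workdir2 = os.path.join(str(tmpdir), 'kresd2')
    os.makedirs(workdir2)
    # The same context (trusting the first instance's certificate) is reused
    # for kresd2; both instances are started with the 'tt' certificate set.
    with make_kresd(workdir2, 'tt') as kresd2:
        connect(kresd2, ctx, sf3,
                session)  # resume session on a different instance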
def kresd(tmpdir):
    """Fixture-style generator: yield a kresd instance started in *tmpdir* with default options.

    The instance is shut down when the consumer finishes with it.
    """
    manager = make_kresd(tmpdir)
    with manager as instance:
        yield instance
def kresd_tt(tmpdir):
    """Fixture-style generator: yield a kresd instance started in *tmpdir* with the 'tt' argument.

    The instance is shut down when the consumer finishes with it.
    """
    manager = make_kresd(tmpdir, 'tt')
    with manager as instance:
        yield instance
def kresd_silent(tmpdir):
    """Fixture-style generator: yield a kresd instance started in *tmpdir* with ``verbose=False``.

    The instance is shut down when the consumer finishes with it.
    """
    manager = make_kresd(tmpdir, verbose=False)
    with manager as instance:
        yield instance