def ssl_wrap_socket(
sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None
):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception: # Reraise as SSLError
e = sys.exc_info()[1]
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
ca_certs=None, server_hostname=None,
ssl_version=None):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
# Disable TLS compression to migitate CRIME attack (issue #309)
OP_NO_COMPRESSION = 0x20000
context.options |= OP_NO_COMPRESSION
if ca_certs:
try:
context.load_verify_locations(ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Reraise as SSLError
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def ssl_wrap_socket(sock,
keyfile=None,
certfile=None,
cert_reqs=None,
ca_certs=None,
server_hostname=None,
ssl_version=None):
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
print('------')
except Exception as e:
raise SSLError(e)
else:
context.load_default_certs(purpose=Purpose.SERVER_AUTH)
if certfile:
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # server name indication enabled by OpenSSL
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def ssl_wrap_socket(sock,
keyfile=None,
certfile=None,
cert_reqs=CERT_NONE,
ca_certs=None,
server_hostname=None,
ssl_version=PROTOCOL_SSLv23):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except TypeError as e: # Reraise as SSLError
# fixme: This block needs a test.
raise SSLError(e)
if certfile:
# fixme: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def ssl_wrap_socket(sock,
keyfile=None,
certfile=None,
cert_reqs=None,
ca_certs=None,
server_hostname=None,
ssl_version=None):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Reraise as SSLError
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def ssl_wrap_socket(sock,
keyfile=None,
certfile=None,
cert_reqs=None,
ca_certs=None,
server_hostname=None,
ssl_version=None):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
OP_NO_COMPRESSION = 131072
context.options |= OP_NO_COMPRESSION
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except Exception as e:
raise SSLError(e)
if certfile:
context.load_cert_chain(certfile, keyfile)
if HAS_SNI:
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def sslify_socket(sock: socket.socket, ssl_context: ssl.SSLContext,
server_side: bool = False, server_hostname: str = None) -> ssl.SSLSocket:
""" Wraps the socket creating an ssl.SSLSocket for client or server side """
ssock = sock
if ssl_context:
if server_side:
log.d("Wrapping a server_side socket")
ssock = ssl_context.wrap_socket(sock, server_side=server_side)
elif server_hostname:
log.d(f"Wrapping a client_side socket - server hostname = {server_hostname}")
ssock = ssl_context.wrap_socket(sock, server_hostname=server_hostname)
else:
log.w("Wrapping a socket without knowning whether is a client or a server side")
ssock = ssl_context.wrap_socket(sock)
return ssock
async def test_receive_send_after_eof(
self, server_context: ssl.SSLContext,
client_context: ssl.SSLContext) -> None:
def serve_sync() -> None:
conn, addr = server_sock.accept()
conn.sendall(b"hello")
conn.unwrap()
conn.close()
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=False)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync, daemon=True)
server_thread.start()
stream = await connect_tcp(*server_sock.getsockname())
async with await TLSStream.wrap(stream,
hostname="localhost",
ssl_context=client_context) as wrapper:
assert await wrapper.receive() == b"hello"
with pytest.raises(EndOfStream):
await wrapper.receive()
server_thread.join()
server_sock.close()
async def test_send_receive(self, server_context: ssl.SSLContext,
client_context: ssl.SSLContext) -> None:
def serve_sync() -> None:
conn, addr = server_sock.accept()
conn.settimeout(1)
data = conn.recv(10)
conn.send(data[::-1])
conn.close()
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=False)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync)
server_thread.start()
async with await connect_tcp(*server_sock.getsockname()) as stream:
wrapper = await TLSStream.wrap(stream,
hostname="localhost",
ssl_context=client_context)
await wrapper.send(b"hello")
response = await wrapper.receive()
server_thread.join()
server_sock.close()
assert response == b"olleh"
async def test_alpn_negotiation(self, server_context: ssl.SSLContext,
client_context: ssl.SSLContext) -> None:
def serve_sync() -> None:
conn, addr = server_sock.accept()
conn.settimeout(1)
selected_alpn_protocol = conn.selected_alpn_protocol()
assert selected_alpn_protocol is not None
conn.send(selected_alpn_protocol.encode())
conn.close()
server_context.set_alpn_protocols(["dummy1", "dummy2"])
client_context.set_alpn_protocols(["dummy2", "dummy3"])
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=False)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync)
server_thread.start()
async with await connect_tcp(*server_sock.getsockname()) as stream:
wrapper = await TLSStream.wrap(stream,
hostname="localhost",
ssl_context=client_context)
assert wrapper.extra(TLSAttribute.alpn_protocol) == "dummy2"
server_alpn_protocol = await wrapper.receive()
server_thread.join()
server_sock.close()
assert server_alpn_protocol == b"dummy2"
async def test_unwrap(self, server_context: ssl.SSLContext,
client_context: ssl.SSLContext) -> None:
def serve_sync() -> None:
conn, addr = server_sock.accept()
conn.settimeout(1)
conn.send(b"encrypted")
unencrypted = conn.unwrap()
unencrypted.send(b"unencrypted")
unencrypted.close()
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=False)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync)
server_thread.start()
async with await connect_tcp(*server_sock.getsockname()) as stream:
wrapper = await TLSStream.wrap(stream,
hostname="localhost",
ssl_context=client_context)
msg1 = await wrapper.receive()
unwrapped_stream, msg2 = await wrapper.unwrap()
if msg2 != b"unencrypted":
msg2 += await unwrapped_stream.receive()
server_thread.join()
server_sock.close()
assert msg1 == b"encrypted"
assert msg2 == b"unencrypted"
def wrap(client, _socket):
""" Wrap socket in SSL wrapper. """
if client.init_kwargs.get('use_ssl', None):
keyfile = client.init_kwargs.get('ssl_keyfile', None)
certfile = client.init_kwargs.get('ssl_certfile', None)
if keyfile and not certfile:
raise ValueError("certfile must be specified")
password = client.init_kwargs.get('ssl_keyfile_password', None)
ssl_version = client.init_kwargs.get('ssl_version',
SSL_DEFAULT_VERSION)
ciphers = client.init_kwargs.get('ssl_ciphers', SSL_DEFAULT_CIPHERS)
cert_reqs = client.init_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE)
ca_certs = client.init_kwargs.get('ssl_ca_certfile', None)
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
context.load_verify_locations(ca_certs)
if certfile:
context.load_cert_chain(certfile, keyfile, password)
if ciphers:
context.set_ciphers(ciphers)
_socket = context.wrap_socket(sock=_socket)
return _socket
def Manejador(ClienteSocket):
ContextoSSL = SSLContext(protocol=ssl.PROTOCOL_SSLv23)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketSeguro = ContextoSSL.wrap_socket(sock, server_hostname=SNI)
socketSeguro.connect((HOST, PORT))
socketSeguro.do_handshake()
der = socketSeguro.getpeercert(binary_form=True)
pem_data = ssl.DER_cert_to_PEM_cert(der)
print "Algoritmo de cifrado " + socketSeguro.cipher()[0]
try:
while True:
socketPaleer = [ClienteSocket, socketSeguro]
socketSel, _, _ = select.select(socketPaleer, [], [])
if not socketSel:
socketSeguro.close()
ClienteSocket.close()
print "TERMINO AL CONEXION"
break
for s in socketSel:
if s is socketSeguro:
data = s.recv(BUFSERVERLEN)
ClienteSocket.send(data)
else:
data = s.recv(BUFCLIENTLEN)
socketSeguro.send(data)
except:
ClienteSocket.close()
socketSeguro.close()
print "encontre un error"
def run_simple_https_server(ssl_context: ssl.SSLContext):
server = HTTPServer(('127.0.0.1', 8080), HTTPRequestHandlerForTest)
server.socket = ssl_context.wrap_socket(server.socket, server_side=True)
server.serve_forever()
def _assert_good_server(self, ssl_context: ssl.SSLContext = None):
# Note: all those time.sleep()s are necessary
# Remember that we're running in "Threaded" mode, and there's the GIL...
# The time.sleep()s lets go of the GIL allowing the asyncio loop to move
# forward
assert self.sockfile.exists()
with ExitStack() as stk:
sock: socket.socket = stk.enter_context(
socket.socket(socket.AF_UNIX, socket.SOCK_STREAM))
sock.connect(str(self.sockfile))
if ssl_context:
sock = stk.enter_context(ssl_context.wrap_socket(sock))
time.sleep(0.1)
resp = sock.recv(1024)
assert resp.startswith(b"220 ")
assert resp.endswith(b"\r\n")
sock.send(b"EHLO socket.test\r\n")
# We need to "build" resparr because, especially when socket is wrapped
# in SSL, the SMTP server takes it sweet time responding with the list
# of ESMTP features ...
resparr = bytearray()
while not resparr.endswith(b"250 HELP\r\n"):
time.sleep(0.1)
resp = sock.recv(1024)
if not resp:
break
resparr += resp
assert resparr.endswith(b"250 HELP\r\n")
sock.send(b"QUIT\r\n")
time.sleep(0.1)
resp = sock.recv(1024)
assert resp.startswith(b"221")
def _check_protocols(self, protocols: List) -> int:
exit_code = 0
for protocol in protocols:
print("\n-------\nProtocol: {}\nShould be active: {}".format(
protocol.protocol, protocol.is_allowed()))
try:
with create_connection((self.domain, 443)) as sock:
ctx = SSLContext(protocol.get_ssl_attribute())
for opposite in protocol \
.get_opposite_ssl_as_op_no(_configurations):
ctx.options |= opposite
with ctx.wrap_socket(sock, server_hostname=self.domain) \
as context_sock:
print("Connected with: {}".format(
context_sock.version()))
print("Using cipher: {}".format(context_sock.cipher()))
failed = False
except gaierror:
print("{} is not valid".format(self.domain))
return 1
except (ValueError, SSLError):
failed = True
if (failed and protocol.is_allowed()) or \
(not failed and not protocol.is_allowed()):
print("\033[91m\tWrong configuration\033[0m")
exit_code = 1
print("\nTest on {} \033[91mfailed\033[0m".format(self.domain)
if exit_code == 1 else "\033[94mpassed\033[0m")
if self.slide and exit_code:
print("But we'll let it slide for now"
"(you are testing an appspot domain)")
return exit_code if not self.slide else 0
def ssl_wrap_socket(sock, keyfile = None, certfile = None, cert_reqs = None, ca_certs = None, server_hostname = None, ssl_version = None):
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
OP_NO_COMPRESSION = 131072
context.options |= OP_NO_COMPRESSION
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except Exception as e:
raise SSLError(e)
if certfile:
context.load_cert_chain(certfile, keyfile)
if HAS_SNI:
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
async def start_tls(
self, hostname: bytes, ssl_context: SSLContext, timeout: TimeoutDict
) -> "AsyncSocketStream":
connect_timeout = convert_timeout(timeout.get("connect"))
exc_map = {
curio.TaskTimeout: ConnectTimeout,
curio.CurioError: ConnectError,
OSError: ConnectError,
}
with map_exceptions(exc_map):
wrapped_sock = curio.io.Socket(
ssl_context.wrap_socket(
self.socket._socket,
do_handshake_on_connect=False,
server_hostname=hostname.decode("ascii"),
)
)
await curio.timeout_after(
connect_timeout,
wrapped_sock.do_handshake(),
)
return SocketStream(wrapped_sock)
def secure(self, verify=True, hostname=None):
""" Apply a layer of security onto this connection.
"""
from ssl import SSLContext, SSLError
try:
# noinspection PyUnresolvedReferences
from ssl import PROTOCOL_TLS
except ImportError:
from ssl import PROTOCOL_SSLv23
context = SSLContext(PROTOCOL_SSLv23)
else:
context = SSLContext(PROTOCOL_TLS)
if verify:
from ssl import CERT_REQUIRED
context.verify_mode = CERT_REQUIRED
context.check_hostname = bool(hostname)
else:
from ssl import CERT_NONE
context.verify_mode = CERT_NONE
context.load_default_certs()
try:
self.__socket = context.wrap_socket(self.__socket,
server_hostname=hostname)
except (IOError, OSError) as error:
# TODO: add connection failure/diagnostic callback
if error.errno == 0:
raise BrokenWireError(
"Peer closed connection during TLS handshake; "
"server may not be configured for secure connections")
else:
raise WireError(
"Unable to establish secure connection with remote peer")
else:
self.__active_time = monotonic()
def _wrap_socket(self, sock: socket.socket,
context: ssl.SSLContext) -> ssl.SSLSocket:
ssock = context.wrap_socket(sock,
server_side=False,
do_handshake_on_connect=False,
server_hostname=self.host)
try:
self.log.info("Start SSL handshake")
timer = start_timer()
ssock.do_handshake()
self.results['ssl.handshake.time.perf'], self.results[
'ssl.handshake.time.process'] = stop_timer(*timer)
self._update_results(context, ssock, True)
self.log.info("SSL handshake successfull")
return ssock
except ssl.SSLError as e:
self._update_results(context, ssock, False)
self.log.error(f"SSL handshake failed: {e.reason}", exc_info=False)
return None
def main(port=None):
# load db
db = pickle.loads(Path('users.pickle').read_bytes())
# read user id
splash_screen()
print('Assume the role of a card reader, and type the card id, will you?')
userid = sys.stdin.readline()[:-1].encode()
# read card pin
print('\nGood, good... Now punch in the pin:')
pin = sys.stdin.readline()[:-1].encode()
# fetch secret
_, _, _, pin_salt = db[userid]
pin = hash_pin(pin, pin_salt)
# start server
ctx = SSLContext(PROTOCOL_TLSv1_2)
ctx.load_verify_locations('cert.pem')
ok = 'ok'
err = 'err'
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
with ctx.wrap_socket(sock, server_hostname='localhost') as c:
print('\nDialing backend...')
# connect
c.connect(('localhost', port))
print('...All good!\n')
# send user id and pin
msg = pickle.dumps(dict(userid=userid, pin=pin))
c.sendall(msg)
# check if ok
msg = pickle.loads(c.recv(1024))
if not msg[ok]:
print(f'Error: {msg[err]}')
return
# read 2fa token
print('Punch in your 2fa token:')
token = sys.stdin.readline()[:-1]
# send token
msg = pickle.dumps(dict(token=token))
c.sendall(msg)
# check if ok
msg = pickle.loads(c.recv(1024))
if not msg[ok]:
print(f'Error: {msg[err]}')
return
print(f'\n\nAutheticated as: {str(userid, "utf8")}')
print('Alright, time to order some Uber Eats(tm)!')
def factory(uri, ssl=False, **init_args):
from urllib.parse import urlparse, unquote, parse_qs
o = urlparse(uri)
srv = None
if o.scheme == "irc" or o.scheme == "ircs":
# https://www.w3.org/Addressing/draft-mirashi-url-irc-01.txt
# https://www-archive.mozilla.org/projects/rt-messaging/chatzilla/irc-urls.html
args = init_args
if o.scheme == "ircs": ssl = True
if o.hostname is not None: args["host"] = o.hostname
if o.port is not None: args["port"] = o.port
if o.username is not None: args["username"] = o.username
if o.password is not None: args["password"] = o.password
modifiers = o.path.split(",")
target = unquote(modifiers.pop(0)[1:])
# Read query string
params = parse_qs(o.query)
if "msg" in params:
if "on_connect" not in args:
args["on_connect"] = []
args["on_connect"].append("PRIVMSG %s :%s" % (target, params["msg"]))
if "key" in params:
if "channels" not in args:
args["channels"] = []
args["channels"].append((target, params["key"]))
if "pass" in params:
args["password"] = params["pass"]
if "charset" in params:
args["encoding"] = params["charset"]
#
if "channels" not in args and "isnick" not in modifiers:
args["channels"] = [ target ]
from nemubot.server.IRC import IRC as IRCServer
srv = IRCServer(**args)
if ssl:
try:
from ssl import create_default_context
context = create_default_context()
except ImportError:
# Python 3.3 compat
from ssl import SSLContext, PROTOCOL_TLSv1
context = SSLContext(PROTOCOL_TLSv1)
from ssl import wrap_socket
srv._fd = context.wrap_socket(srv._fd, server_hostname=o.hostname)
return srv
def __init__(self, server_address, HandlerClass, dir):
super().__init__(server_address, HandlerClass, bind_and_activate=False)
ctx = SSLContext(PROTOCOL_TLSv1)
ctx.load_cert_chain(join(dir, 'server-cert.pem'), join(dir, 'server-key.pem'))
# ctx.load_verify_locations(join(dir, 'ca-cert.pem'))
self.socket = ctx.wrap_socket(self.socket, server_side=True)
self.server_bind()
self.server_activate()
async def test_ragged_eofs(
self,
server_context: ssl.SSLContext,
client_context: ssl.SSLContext,
server_compatible: bool,
client_compatible: bool,
) -> None:
server_exc = None
def serve_sync() -> None:
nonlocal server_exc
conn, addr = server_sock.accept()
try:
conn.settimeout(1)
conn.sendall(b"hello")
if server_compatible:
conn.unwrap()
except BaseException as exc:
server_exc = exc
finally:
conn.close()
client_cm: ContextManager = ExitStack()
if client_compatible and not server_compatible:
client_cm = pytest.raises(BrokenResourceError)
server_sock = server_context.wrap_socket(
socket.socket(),
server_side=True,
suppress_ragged_eofs=not server_compatible,
)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync, daemon=True)
server_thread.start()
async with await connect_tcp(*server_sock.getsockname()) as stream:
wrapper = await TLSStream.wrap(
stream,
hostname="localhost",
ssl_context=client_context,
standard_compatible=client_compatible,
)
with client_cm:
assert await wrapper.receive() == b"hello"
await wrapper.aclose()
server_thread.join()
server_sock.close()
if not client_compatible and server_compatible:
assert isinstance(server_exc, OSError)
assert not isinstance(server_exc, socket.timeout)
else:
assert server_exc is None
def load_TLS(self):
context = SSLContext(PROTOCOL_TLS)
context.minimum_version = TLSVersion.TLSv1_3
context.verify_mode = CERT_REQUIRED
context.check_hostname = True
if self.CA != 'default' and self.CA != '':
context.load_verify_locations(self.CA)
else:
context.load_default_certs()
self.server = create_connection((self.SERVER_HOST, self.SERVER_PORT))
self.server = context.wrap_socket(self.server, server_hostname=self.SERVER_HOST)
async def test_extra_attributes(self, server_context: ssl.SSLContext,
client_context: ssl.SSLContext) -> None:
def serve_sync() -> None:
conn, addr = server_sock.accept()
with conn:
conn.settimeout(1)
conn.recv(1)
server_context.set_alpn_protocols(["h2"])
client_context.set_alpn_protocols(["h2"])
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=True)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync)
server_thread.start()
async with await connect_tcp(*server_sock.getsockname()) as stream:
wrapper = await TLSStream.wrap(
stream,
hostname="localhost",
ssl_context=client_context,
standard_compatible=False,
)
async with wrapper:
for name, attribute in SocketAttribute.__dict__.items():
if not name.startswith("_"):
assert wrapper.extra(attribute) == stream.extra(
attribute)
assert wrapper.extra(TLSAttribute.alpn_protocol) == "h2"
assert isinstance(
wrapper.extra(TLSAttribute.channel_binding_tls_unique),
bytes)
assert isinstance(wrapper.extra(TLSAttribute.cipher), tuple)
assert isinstance(wrapper.extra(TLSAttribute.peer_certificate),
dict)
assert isinstance(
wrapper.extra(TLSAttribute.peer_certificate_binary), bytes)
assert wrapper.extra(TLSAttribute.server_side) is False
assert isinstance(wrapper.extra(TLSAttribute.shared_ciphers),
list)
assert isinstance(wrapper.extra(TLSAttribute.ssl_object),
ssl.SSLObject)
assert wrapper.extra(TLSAttribute.standard_compatible) is False
assert wrapper.extra(
TLSAttribute.tls_version).startswith("TLSv")
await wrapper.send(b"\x00")
server_thread.join()
server_sock.close()
def start_tls(self, hostname: bytes, ssl_context: SSLContext,
timeout: TimeoutDict) -> "SyncSocketStream":
connect_timeout = timeout.get("connect")
exc_map = {socket.timeout: ConnectTimeout, socket.error: ConnectError}
with map_exceptions(exc_map):
self.sock.settimeout(connect_timeout)
wrapped = ssl_context.wrap_socket(
self.sock, server_hostname=hostname.decode("ascii"))
return SyncSocketStream(wrapped)
def connect_server():
global client
HOSTNAME = 'example.org'
SERVER = "127.0.0.1"
PORT = 3443
context = SSLContext(PROTOCOL_TLS_CLIENT)
context.load_verify_locations('certificates/cert.pem')
tls = create_connection((SERVER, PORT))
client = context.wrap_socket(tls, server_hostname=HOSTNAME)
print("insert the input then press ENTER")
print("press q + ENTER so exit")
print() #sending the data to server
def ssl_wrap_socket(sock,
keyfile=None,
certfile=None,
cert_reqs=None,
ca_certs=None,
server_hostname=None,
ssl_version=None):
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except Exception as e:
raise SSLError(e)
if certfile:
context.load_cert_chain(certifile, keyfile)
if HAS_SNI:
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
ca_certs=None, server_hostname=None,
ssl_version=None):
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Reraise as SSLError
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return (context, context.wrap_socket(sock, server_hostname=server_hostname))
return (context, context.wrap_socket(sock))
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=CERT_NONE,
ca_certs=None, server_hostname=None,
ssl_version=PROTOCOL_SSLv23):
"""
All arguments except `server_hostname` have the same meaning as for
:func:`ssl.wrap_socket`
:param server_hostname:
Hostname of the expected certificate
"""
context = SSLContext(ssl_version)
context.verify_mode = cert_reqs
if ca_certs:
try:
context.load_verify_locations(ca_certs)
except TypeError as e: # Reraise as SSLError
# FIXME: This block needs a test.
raise SSLError(e)
if certfile:
# FIXME: This block needs a test.
context.load_cert_chain(certfile, keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return context.wrap_socket(sock, server_hostname=server_hostname)
return context.wrap_socket(sock)
class secureStream(stream):
def __init__(self):
stream.createsocket(stream)
self.contxt = SSLContext(PROTOCOL_TLSv1_2)
self.contxt.verify_mode = CERT_REQUIRED
self.contxt.load_default_certs()
def connect(self,host,port):
self.connection.settimeout(15)
self.connection.connect((host,port))
self.connection = self.contxt.wrap_socket(self.connection)#stream.connection
self.connection.settimeout(0)
def twitchconnect(self):
self.connect('api.twitch.tv',443)
def receive(self,buffer=4096):
try:
data = self.connection.recv(buffer).decode()
#print(data)#temporary
except:
return(None)
else:
return(data)
def transmit(self,data):
junk = self.receive()
data = data.encode()
try:
self.connection.sendall(data)
except ConnectionAbortedError:
print('Break detected!')
self.connection = None
self.connection = socket(AF_INET,SOCK_STREAM)
self.twitchconnect()
self.connection.settimeout(0)
except ConnectionResetError:
print('Break detected!')
self.connection = None
self.connection = socket(AF_INET,SOCK_STREAM)
self.twitchconnect()
self.connection.settimeout(0)
junk = None
def close(self):
self.connection.close()
def start_tls(
self,
ssl_context: ssl.SSLContext,
server_hostname: str = None,
timeout: float = None,
) -> NetworkStream:
exc_map = {socket.timeout: ConnectTimeout, socket.error: ConnectError}
with map_exceptions(exc_map):
try:
self._sock.settimeout(timeout)
sock = ssl_context.wrap_socket(self._sock,
server_hostname=server_hostname)
except Exception as exc: # pragma: nocover
self.close()
raise exc
return SyncStream(sock)
async def start_tls(self, context: ssl.SSLContext,
server_hostname: Optional[str] = None,
suppress_ragged_eofs: bool = False) -> None:
plain_socket = self._raw_socket
self._raw_socket = context.wrap_socket(
self._raw_socket, server_side=not server_hostname, do_handshake_on_connect=False,
server_hostname=server_hostname, suppress_ragged_eofs=suppress_ragged_eofs)
while True:
try:
self._raw_socket.do_handshake()
return
except ssl.SSLWantReadError:
await self._wait_readable()
except ssl.SSLWantWriteError:
await self._wait_writable()
except BaseException:
self._raw_socket = plain_socket
raise
def secure(self, verify=True, hostname=None):
""" Apply a layer of security onto this connection.
"""
from ssl import SSLContext, PROTOCOL_TLS, CERT_NONE, CERT_REQUIRED
context = SSLContext(PROTOCOL_TLS)
if verify:
context.verify_mode = CERT_REQUIRED
context.check_hostname = bool(hostname)
else:
context.verify_mode = CERT_NONE
context.load_default_certs()
try:
self.__socket = context.wrap_socket(self.__socket,
server_hostname=hostname)
except (IOError, OSError):
# TODO: add connection failure/diagnostic callback
raise WireError(
"Unable to establish secure connection with remote peer")
async def test_send_eof_not_implemented(self,
server_context: ssl.SSLContext,
ca: CA,
force_tlsv12: bool) -> None:
def serve_sync() -> None:
conn, addr = server_sock.accept()
conn.sendall(b"hello")
conn.unwrap()
conn.close()
client_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
ca.configure_trust(client_context)
if force_tlsv12:
expected_pattern = r"send_eof\(\) requires at least TLSv1.3"
if hasattr(ssl, "TLSVersion"):
client_context.maximum_version = ssl.TLSVersion.TLSv1_2
else: # Python 3.6
client_context.options |= ssl.OP_NO_TLSv1_3
else:
expected_pattern = (
r"send_eof\(\) has not yet been implemented for TLS streams")
server_sock = server_context.wrap_socket(socket.socket(),
server_side=True,
suppress_ragged_eofs=False)
server_sock.settimeout(1)
server_sock.bind(("127.0.0.1", 0))
server_sock.listen()
server_thread = Thread(target=serve_sync, daemon=True)
server_thread.start()
stream = await connect_tcp(*server_sock.getsockname())
async with await TLSStream.wrap(stream,
hostname="localhost",
ssl_context=client_context) as wrapper:
assert await wrapper.receive() == b"hello"
with pytest.raises(NotImplementedError) as exc:
await wrapper.send_eof()
exc.match(expected_pattern)
server_thread.join()
server_sock.close()
def main(port=None):
ctx = SSLContext(PROTOCOL_TLSv1_2)
ctx.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as listener:
listener.bind(('127.0.0.1', port))
listener.listen(8)
db = SharedState('users.pickle')
while True:
try:
s, addr = listener.accept()
addr = f'{addr[0]}:{addr[1]}'
print(f'{addr} : connected')
s = ctx.wrap_socket(s, server_side=True)
SockHandler(s, addr, db).start()
except KeyboardInterrupt:
print('\n*Windows shutdown jingle*')
break
def create_socket(ip: str, port: int, context: ssl.SSLContext = None,
verify_hostname: bool = True, timeout: int = 10) -> ssl.SSLSocket:
"""
Creates a new SSL-wrapped socket.
:param ip: The IP to connect to.
:param port: The port to connect to.
:param context: The SSL context to use, or None for a default one to be created.
:param verify_hostname: Ignored
:param timeout: The timeout for recv().
:return: A new SSLSocket.
"""
verify_hostname = current_app.conf["SERVER_LOGIN_ON_CLIENT_VERIFY"]
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
if context:
sock = context.wrap_socket(s)
else:
sock = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED if verify_hostname else ssl.CERT_NONE)
sock.connect((ip, port))
return sock
class SMTPServer(smtpd.SMTPServer):
def __init__(self, localaddr, remoteaddr, ssl=False, certfile=None, keyfile=None, ssl_version=ssl.PROTOCOL_SSLv23, require_authentication=False, credential_validator=None, maximum_execution_time=30, process_count=5):
smtpd.SMTPServer.__init__(self, localaddr, remoteaddr)
self.logger = logging.getLogger( secure_smtpd.LOG_NAME )
self.certfile = certfile
self.keyfile = keyfile
self.ssl_version = ssl_version
self.subprocesses = []
self.require_authentication = require_authentication
self.credential_validator = credential_validator
self.ssl = ssl
self.maximum_execution_time = maximum_execution_time
self.process_count = process_count
self.process_pool = None
self.context = SSLContext(ssl_version)
self.context.load_cert_chain(certfile=certfile, keyfile=keyfile)
def handle_accept(self):
self.process_pool = ProcessPool(self._accept_subprocess, process_count=self.process_count)
self.close()
def _accept_subprocess(self, queue):
while True:
try:
self.socket.setblocking(1)
pair = self.accept()
map = {}
if pair is not None:
self.logger.info('_accept_subprocess(): smtp connection accepted within subprocess.')
newsocket, fromaddr = pair
newsocket.settimeout(self.maximum_execution_time)
if self.ssl:
newsocket = self.context.wrap_socket(
newsocket,
server_side=True,
)
channel = SMTPChannel(
self,
newsocket,
fromaddr,
require_authentication=self.require_authentication,
credential_validator=self.credential_validator,
map=map
)
self.logger.info('_accept_subprocess(): starting asyncore within subprocess.')
asyncore.loop(map=map)
self.logger.error('_accept_subprocess(): asyncore loop exited.')
except (ExitNow, SSLError):
self._shutdown_socket(newsocket)
self.logger.info('_accept_subprocess(): smtp channel terminated asyncore.')
except Exception as e:
self._shutdown_socket(newsocket)
self.logger.error('_accept_subprocess(): uncaught exception: %s' % str(e))
def _shutdown_socket(self, s):
try:
s.shutdown(socket.SHUT_RDWR)
s.close()
except Exception as e:
self.logger.error('_shutdown_socket(): failed to cleanly shutdown socket: %s' % str(e))
def run(self):
asyncore.loop()
if hasattr(signal, 'SIGTERM'):
def sig_handler(signal,frame):
self.logger.info("Got signal %s, shutting down." % signal)
sys.exit(0)
signal.signal(signal.SIGTERM, sig_handler)
while 1:
time.sleep(1)
def secure_socket(s, host):
ssl_context = SSLContext(PROTOCOL_SSLv23)
ssl_context.options |= OP_NO_SSLv2
return ssl_context.wrap_socket(s, server_hostname=host if HAS_SNI else None)
