def init_self_tests(self):
# determine where to connect to
if self.options.listen_on[0] == HOST_ADDR_ANY:
peer_host = 'localhost'
else:
peer_host = self.options.listen_on[0]
peer = (peer_host, self.options.listen_on[1])
# instantiate hammer class
if self.options.self_test == 0:
self.selftest_hammer = None
else:
if self.options.self_test == 1:
self.selftest_hammer = TCPConnectionHammer(-1)
elif self.options.self_test == 2:
self.selftest_hammer = CNVerifyingSSLConnectionHammer(
-1, 'hello')
elif self.options.self_test == 3:
if self.options.user_ca_cert_file is not None:
self.selftest_hammer = CurlHammer(
-1, self.options.user_ca_cert_file)
else:
raise ConfigError(
'test mode 3 requires --user-ca-cert/--user-ca-key')
else:
raise ConfigError('invalid selftest number %d' %
self.options.self_test)
# set the peer for the hammer
self.selftest_hammer.set_peer(peer)
def init_self_tests(self):
# determine where to connect to
if self.options.listen_on[0] == HOST_ADDR_ANY:
peer_host = 'localhost'
else:
peer_host = self.options.listen_on[0]
peer = (peer_host, self.options.listen_on[1])
# instantiate hammer class
if self.options.self_test is None:
self.selftest_hammer = None
else:
if self.options.self_test == 0:
self.selftest_hammer = TCPConnectionHammer(-1)
elif self.options.self_test == 1:
if self.options.user_cn is not None:
self.selftest_hammer = CNVerifyingSSLConnectionHammer(-1, 'hello')
else:
raise ConfigError('test mode 1 requires --user-cn')
elif self.options.self_test == 2:
if self.options.user_ca_cert_file is not None:
self.selftest_hammer = CurlHammer(-1, self.options.user_ca_cert_file)
else:
raise ConfigError('test mode 2 requires --user-ca-cert/--user-ca-key')
else:
raise ConfigError('invalid selftest number %d' % self.options.self_test)
# set the peer for the hammer
self.selftest_hammer.set_peer(peer)
def test_curl_works_with_sslv2_and_export_ciphers(self):
# curl is expected to work with SSLv2 and weak ciphers
eccars = []
there_are_export_ciphers = False
protos = sslproto.get_supported_protocols()
for proto in protos:
for cipher in sslproto.DEFAULT_CIPHER_SUITES:
if cipher == sslproto.EXPORT_CIPHER:
there_are_export_ciphers = True
if proto == 'sslv2':
expected_res = ALERT_NON_SSLV2_INITIAL_PACKET
elif proto == 'sslv3':
expected_res = ALERT_SSLV3_BAD_CERTIFICATE
else:
expected_res = ALERT_UNKNOWN_CA
eccars.append(
ECCAR(SSLServerProtoSpec(proto, cipher),
expected_res=expected_res))
self.assertTrue(there_are_export_ciphers)
self._main_test(['-m', 'sslproto'], CurlHammer(len(eccars)), eccars)
class BaseClientAuditController(Thread):
def __init__(self, options, file_bag, event_handler):
Thread.__init__(self,
target=self.run,
name='BaseClientAuditController')
self.options = options
self.event_handler = event_handler
self.queue_read_timeout = 0.1
self.file_bag = file_bag
self.init_profile_factories()
self.server = ClientAuditorServer(self.options.listen_on,
self.profile_factories,
options.post_test_action, None,
self.file_bag)
self.res_queue = self.server.res_queue
logger.debug('dumping options')
for (key, value) in self.options.__dict__.items():
logger.debug('\t%s = %s' % (key, value))
logger.debug('end of options dump')
logger.info('number of profile factories: %d' %
len(self.profile_factories))
for pf in self.profile_factories:
logger.info('profile factory: %s', pf)
# initialize the self test hammers
# make sure we shut down the controller if there is a failure
try:
self.init_self_tests()
except Exception as ex:
self.server.server_close()
raise ex
def init_profile_factories(self):
self.profile_factories = []
for module_name in self.options.modules.split(','):
# load the module from under MODULE_NAME_PREFIX
module_name = MODULE_MODULE_NAME_PREFIX + "." + module_name + '.' + PROFILE_FACTORY_MODULE_NAME
try:
__import__(module_name, fromlist=[])
except Exception as ex:
raise ConfigError("cannot load module %s, exception: %s" %
(module_name, ex))
# find and instantiate the profile factory class
profile_factory_class = sys.modules[module_name].__dict__[
PROFILE_FACTORY_CLASS_NAME]
self.profile_factories.append(
profile_factory_class(self.file_bag, self.options))
# there must be some profile factories in the list, otherwise we die right here
if len(self.profile_factories) == 0:
raise ConfigError(
"no single profile factory configured, nothing to do")
def start(self):
self.do_stop = False
self.server.start()
Thread.start(self)
if self.selftest_hammer is not None:
self.selftest_hammer.start()
def stop(self):
# signal the controller thread to stop
self.do_stop = True
# tell the test hammer to stop as well
if self.selftest_hammer:
self.selftest_hammer.stop()
def run(self):
'''
SSLCAuditCLI loop function. Will run until the desired number of clients is handled.
'''
logger.debug('entering main loop in run()')
# loop until get all desired results, quit if stopped
while not self.do_stop:
try:
# wait for a message blocking for short intervals, check stop flag frequently
res = self.server.res_queue.get(True, self.queue_read_timeout)
logger.debug("got result %s", res)
self.event_handler(res)
if isinstance(res, SessionEndResult):
if self.options.post_test_action == CFG_PTA_EXIT:
break
except Empty:
pass
self.server.stop()
if self.selftest_hammer:
self.selftest_hammer.stop()
logger.debug('exited main loop in run()')
def init_self_tests(self):
# determine where to connect to
if self.options.listen_on[0] == HOST_ADDR_ANY:
peer_host = 'localhost'
else:
peer_host = self.options.listen_on[0]
peer = (peer_host, self.options.listen_on[1])
# instantiate hammer class
if self.options.self_test == 0:
self.selftest_hammer = None
else:
if self.options.self_test == 1:
self.selftest_hammer = TCPConnectionHammer(-1)
elif self.options.self_test == 2:
self.selftest_hammer = CNVerifyingSSLConnectionHammer(
-1, 'hello')
elif self.options.self_test == 3:
if self.options.user_ca_cert_file is not None:
self.selftest_hammer = CurlHammer(
-1, self.options.user_ca_cert_file)
else:
raise ConfigError(
'test mode 3 requires --user-ca-cert/--user-ca-key')
else:
raise ConfigError('invalid selftest number %d' %
self.options.self_test)
# set the peer for the hammer
self.selftest_hammer.set_peer(peer)
class BaseClientAuditController(Thread):
logger = logging.getLogger('BaseClientAuditController')
def __init__(self, options):
Thread.__init__(self, target=self.run)
self.options = options
self.queue_read_timeout = 0.1
if self.options.debug_level > 0:
logging.getLogger().setLevel(logging.DEBUG)
self.file_bag = FileBag(self.options.test_name)
self.init_profile_factories()
self.server = ClientAuditorServer(self.options.listen_on, self.profile_factories)
self.res_queue = self.server.res_queue
#self.logger.info('initialized with options %s' % str(self.options))
self.init_self_tests()
def init_profile_factories(self):
self.profile_factories = []
for module_name in self.options.modules.split(','):
# load the module from under MODULE_NAME_PREFIX
module_name = MODULE_MODULE_NAME_PREFIX + "." + module_name + '.' + PROFILE_FACTORY_MODULE_NAME
try:
__import__(module_name, fromlist=[])
except Exception as ex:
raise ConfigError("cannot load module %s, exception: %s" % (module_name, ex))
# find and instantiate the profile factory class
profile_factory_class = sys.modules[module_name].__dict__[PROFILE_FACTORY_CLASS_NAME]
self.profile_factories.append(profile_factory_class(self.file_bag, self.options))
# there must be some profile factories in the list, otherwise we die right here
if len(self.profile_factories) == 0:
raise ConfigError("no single profile factory configured, nothing to do")
def start(self):
self.do_stop = False
self.server.start()
Thread.start(self)
if self.selftest_hammer is not None:
self.selftest_hammer.start()
def stop(self):
# signal the controller thread to stop
self.do_stop = True
def run(self):
'''
SSLCAuditCLI loop function. Will run until the desired number of clients is handled.
'''
nresults = 0
# loop until get all desired results, quit if stopped
while nresults < self.options.nclients and not self.do_stop:
try:
# wait for a message blocking for short intervals, check stop flag frequently
res = self.server.res_queue.get(True, self.queue_read_timeout)
self.logger.debug("got result %s", res)
self.handle_result(res)
if isinstance(res, ClientAuditResult):
nresults = nresults + 1
except Empty:
pass
def handle_result(self, res):
raise NotImplemented('subclasses must override this method')
def init_self_tests(self):
# determine where to connect to
if self.options.listen_on[0] == HOST_ADDR_ANY:
peer_host = 'localhost'
else:
peer_host = self.options.listen_on[0]
peer = (peer_host, self.options.listen_on[1])
# instantiate hammer class
if self.options.self_test is None:
self.selftest_hammer = None
else:
if self.options.self_test == 0:
self.selftest_hammer = TCPConnectionHammer(-1)
elif self.options.self_test == 1:
if self.options.user_cn is not None:
self.selftest_hammer = CNVerifyingSSLConnectionHammer(-1, 'hello')
else:
raise ConfigError('test mode 1 requires --user-cn')
elif self.options.self_test == 2:
if self.options.user_ca_cert_file is not None:
self.selftest_hammer = CurlHammer(-1, self.options.user_ca_cert_file)
else:
raise ConfigError('test mode 2 requires --user-ca-cert/--user-ca-key')
else:
raise ConfigError('invalid selftest number %d' % self.options.self_test)
# set the peer for the hammer
self.selftest_hammer.set_peer(peer)
class BaseClientAuditController(Thread):
def __init__(self, options, file_bag, event_handler):
Thread.__init__(self, target=self.run, name='BaseClientAuditController')
self.options = options
self.event_handler = event_handler
self.queue_read_timeout = 0.1
self.file_bag = file_bag
self.init_profile_factories()
self.server = ClientAuditorServer(self.options.listen_on, self.profile_factories, options.post_test_action, None, self.file_bag)
self.res_queue = self.server.res_queue
logger.debug('dumping options')
for (key, value) in self.options.__dict__.items():
logger.debug('\t%s = %s' % (key, value))
logger.debug('end of options dump')
logger.info('number of profile factories: %d' % len(self.profile_factories))
for pf in self.profile_factories:
logger.info('profile factory: %s', pf)
# initialize the self test hammers
# make sure we shut down the controller if there is a failure
try:
self.init_self_tests()
except Exception as ex:
self.server.server_close()
raise ex
def init_profile_factories(self):
self.profile_factories = []
for module_name in self.options.modules.split(','):
# load the module from under MODULE_NAME_PREFIX
module_name = MODULE_MODULE_NAME_PREFIX + "." + module_name + '.' + PROFILE_FACTORY_MODULE_NAME
try:
__import__(module_name, fromlist=[])
except Exception as ex:
raise ConfigError("cannot load module %s, exception: %s" % (module_name, ex))
# find and instantiate the profile factory class
profile_factory_class = sys.modules[module_name].__dict__[PROFILE_FACTORY_CLASS_NAME]
self.profile_factories.append(profile_factory_class(self.file_bag, self.options))
# there must be some profile factories in the list, otherwise we die right here
if len(self.profile_factories) == 0:
raise ConfigError("no single profile factory configured, nothing to do")
def start(self):
self.do_stop = False
self.server.start()
Thread.start(self)
if self.selftest_hammer is not None:
self.selftest_hammer.start()
def stop(self):
# signal the controller thread to stop
self.do_stop = True
# tell the test hammer to stop as well
if self.selftest_hammer:
self.selftest_hammer.stop()
def run(self):
'''
SSLCAuditCLI loop function. Will run until the desired number of clients is handled.
'''
logger.debug('entering main loop in run()')
# loop until get all desired results, quit if stopped
while not self.do_stop:
try:
# wait for a message blocking for short intervals, check stop flag frequently
res = self.server.res_queue.get(True, self.queue_read_timeout)
logger.debug("got result %s", res)
self.event_handler(res)
if isinstance(res, SessionEndResult):
if self.options.post_test_action == CFG_PTA_EXIT:
break
except Empty:
pass
self.server.stop()
if self.selftest_hammer:
self.selftest_hammer.stop()
logger.debug('exited main loop in run()')
def init_self_tests(self):
# determine where to connect to
if self.options.listen_on[0] == HOST_ADDR_ANY:
peer_host = 'localhost'
else:
peer_host = self.options.listen_on[0]
peer = (peer_host, self.options.listen_on[1])
# instantiate hammer class
if self.options.self_test == 0:
self.selftest_hammer = None
else:
if self.options.self_test == 1:
self.selftest_hammer = TCPConnectionHammer(-1)
elif self.options.self_test == 2:
self.selftest_hammer = CNVerifyingSSLConnectionHammer(-1, 'hello')
elif self.options.self_test == 3:
if self.options.user_ca_cert_file is not None:
self.selftest_hammer = CurlHammer(-1, self.options.user_ca_cert_file)
else:
raise ConfigError('test mode 3 requires --user-ca-cert/--user-ca-key')
else:
raise ConfigError('invalid selftest number %d' % self.options.self_test)
# set the peer for the hammer
self.selftest_hammer.set_peer(peer)
def test_curl(self):
# curl does all the checks
eccars = [
# user-supplied certificate
ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN),
ConnectedGotEOFBeforeTimeout()),
# self-signed certificates
ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_SelfSigned(LOCALHOST), ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), ALERT_UNKNOWN_CA),
# signed by user-supplied certificate
ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN),
ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CERT_CN),
ALERT_UNKNOWN_CA),
ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN),
ALERT_UNKNOWN_CA),
# signed by user-supplied CA
ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CA_CN),
ConnectedGotRequest()),
ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
# default CN, signed by user-supplied CA, with an intermediate CA
ECCAR(
SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN,
TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
# user-supplied CN signed by user-supplied CA, with an intermediate CA
ECCAR(
SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_NONE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_FALSE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_TRUE_CN,
TEST_USER_CA_CN),
ConnectedGotRequest()),
# replica of server certificate signed by user-supplied CA, with an intermediate CA
ECCAR(
SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN,
TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
ECCAR(
SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN,
TEST_USER_CA_CN),
ConnectedGotEOFBeforeTimeout()),
]
self._main_test(mk_sslcaudit_argv(user_cn=LOCALHOST),
CurlHammer(len(eccars), TEST_USER_CA_CERT_FILE),
eccars)