示例#1
0
    def init_self_tests(self):
        # determine where to connect to
        if self.options.listen_on[0] == HOST_ADDR_ANY:
            peer_host = 'localhost'
        else:
            peer_host = self.options.listen_on[0]
        peer = (peer_host, self.options.listen_on[1])

        # instantiate hammer class
        if self.options.self_test == 0:
            self.selftest_hammer = None
        else:
            if self.options.self_test == 1:
                self.selftest_hammer = TCPConnectionHammer(-1)

            elif self.options.self_test == 2:
                self.selftest_hammer = CNVerifyingSSLConnectionHammer(
                    -1, 'hello')

            elif self.options.self_test == 3:
                if self.options.user_ca_cert_file is not None:
                    self.selftest_hammer = CurlHammer(
                        -1, self.options.user_ca_cert_file)
                else:
                    raise ConfigError(
                        'test mode 3 requires --user-ca-cert/--user-ca-key')
            else:
                raise ConfigError('invalid selftest number %d' %
                                  self.options.self_test)

            # set the peer for the hammer
            self.selftest_hammer.set_peer(peer)
示例#2
0
    def init_self_tests(self):
        # determine where to connect to
        if self.options.listen_on[0] == HOST_ADDR_ANY:
            peer_host = 'localhost'
        else:
            peer_host = self.options.listen_on[0]
        peer = (peer_host, self.options.listen_on[1])

        # instantiate hammer class
        if self.options.self_test is None:
            self.selftest_hammer = None
        else:
            if self.options.self_test == 0:
                self.selftest_hammer = TCPConnectionHammer(-1)

            elif self.options.self_test == 1:
                if self.options.user_cn is not None:
                    self.selftest_hammer = CNVerifyingSSLConnectionHammer(-1, 'hello')
                else:
                    raise ConfigError('test mode 1 requires --user-cn')

            elif self.options.self_test == 2:
                if self.options.user_ca_cert_file is not None:
                    self.selftest_hammer = CurlHammer(-1, self.options.user_ca_cert_file)
                else:
                    raise ConfigError('test mode 2 requires --user-ca-cert/--user-ca-key')
            else:
                raise ConfigError('invalid selftest number %d' % self.options.self_test)

            # set the peer for the hammer
            self.selftest_hammer.set_peer(peer)
    def test_curl_works_with_sslv2_and_export_ciphers(self):
        # curl is expected to work with SSLv2 and weak ciphers
        eccars = []
        there_are_export_ciphers = False
        protos = sslproto.get_supported_protocols()
        for proto in protos:
            for cipher in sslproto.DEFAULT_CIPHER_SUITES:
                if cipher == sslproto.EXPORT_CIPHER:
                    there_are_export_ciphers = True

                if proto == 'sslv2':
                    expected_res = ALERT_NON_SSLV2_INITIAL_PACKET
                elif proto == 'sslv3':
                    expected_res = ALERT_SSLV3_BAD_CERTIFICATE
                else:
                    expected_res = ALERT_UNKNOWN_CA

                eccars.append(
                    ECCAR(SSLServerProtoSpec(proto, cipher),
                          expected_res=expected_res))
        self.assertTrue(there_are_export_ciphers)
        self._main_test(['-m', 'sslproto'], CurlHammer(len(eccars)), eccars)
示例#4
0
class BaseClientAuditController(Thread):
    def __init__(self, options, file_bag, event_handler):
        Thread.__init__(self,
                        target=self.run,
                        name='BaseClientAuditController')
        self.options = options
        self.event_handler = event_handler
        self.queue_read_timeout = 0.1

        self.file_bag = file_bag

        self.init_profile_factories()

        self.server = ClientAuditorServer(self.options.listen_on,
                                          self.profile_factories,
                                          options.post_test_action, None,
                                          self.file_bag)
        self.res_queue = self.server.res_queue

        logger.debug('dumping options')
        for (key, value) in self.options.__dict__.items():
            logger.debug('\t%s = %s' % (key, value))
        logger.debug('end of options dump')
        logger.info('number of profile factories: %d' %
                    len(self.profile_factories))
        for pf in self.profile_factories:
            logger.info('profile factory: %s', pf)

        # initialize the self test hammers
        # make sure we shut down the controller if there is a failure
        try:
            self.init_self_tests()
        except Exception as ex:
            self.server.server_close()
            raise ex

    def init_profile_factories(self):
        self.profile_factories = []

        for module_name in self.options.modules.split(','):
            # load the module from under MODULE_NAME_PREFIX
            module_name = MODULE_MODULE_NAME_PREFIX + "." + module_name + '.' + PROFILE_FACTORY_MODULE_NAME
            try:
                __import__(module_name, fromlist=[])
            except Exception as ex:
                raise ConfigError("cannot load module %s, exception: %s" %
                                  (module_name, ex))

            # find and instantiate the profile factory class
            profile_factory_class = sys.modules[module_name].__dict__[
                PROFILE_FACTORY_CLASS_NAME]
            self.profile_factories.append(
                profile_factory_class(self.file_bag, self.options))

        # there must be some profile factories in the list, otherwise we die right here
        if len(self.profile_factories) == 0:
            raise ConfigError(
                "no single profile factory configured, nothing to do")

    def start(self):
        self.do_stop = False
        self.server.start()
        Thread.start(self)

        if self.selftest_hammer is not None:
            self.selftest_hammer.start()

    def stop(self):
        # signal the controller thread to stop
        self.do_stop = True
        # tell the test hammer to stop as well
        if self.selftest_hammer:
            self.selftest_hammer.stop()

    def run(self):
        '''
        SSLCAuditCLI loop function. Will run until the desired number of clients is handled.
        '''
        logger.debug('entering main loop in run()')

        # loop until get all desired results, quit if stopped
        while not self.do_stop:
            try:
                # wait for a message blocking for short intervals, check stop flag frequently
                res = self.server.res_queue.get(True, self.queue_read_timeout)
                logger.debug("got result %s", res)
                self.event_handler(res)

                if isinstance(res, SessionEndResult):
                    if self.options.post_test_action == CFG_PTA_EXIT:
                        break
            except Empty:
                pass

        self.server.stop()
        if self.selftest_hammer:
            self.selftest_hammer.stop()
        logger.debug('exited main loop in run()')

    def init_self_tests(self):
        # determine where to connect to
        if self.options.listen_on[0] == HOST_ADDR_ANY:
            peer_host = 'localhost'
        else:
            peer_host = self.options.listen_on[0]
        peer = (peer_host, self.options.listen_on[1])

        # instantiate hammer class
        if self.options.self_test == 0:
            self.selftest_hammer = None
        else:
            if self.options.self_test == 1:
                self.selftest_hammer = TCPConnectionHammer(-1)

            elif self.options.self_test == 2:
                self.selftest_hammer = CNVerifyingSSLConnectionHammer(
                    -1, 'hello')

            elif self.options.self_test == 3:
                if self.options.user_ca_cert_file is not None:
                    self.selftest_hammer = CurlHammer(
                        -1, self.options.user_ca_cert_file)
                else:
                    raise ConfigError(
                        'test mode 3 requires --user-ca-cert/--user-ca-key')
            else:
                raise ConfigError('invalid selftest number %d' %
                                  self.options.self_test)

            # set the peer for the hammer
            self.selftest_hammer.set_peer(peer)
示例#5
0
class BaseClientAuditController(Thread):
    logger = logging.getLogger('BaseClientAuditController')

    def __init__(self, options):
        Thread.__init__(self, target=self.run)
        self.options = options
        self.queue_read_timeout = 0.1

        if self.options.debug_level > 0:
            logging.getLogger().setLevel(logging.DEBUG)

        self.file_bag = FileBag(self.options.test_name)

        self.init_profile_factories()

        self.server = ClientAuditorServer(self.options.listen_on, self.profile_factories)
        self.res_queue = self.server.res_queue

        #self.logger.info('initialized with options %s' % str(self.options))

        self.init_self_tests()

    def init_profile_factories(self):
        self.profile_factories = []

        for module_name in self.options.modules.split(','):
            # load the module from under MODULE_NAME_PREFIX
            module_name = MODULE_MODULE_NAME_PREFIX + "." + module_name + '.' + PROFILE_FACTORY_MODULE_NAME
            try:
                __import__(module_name, fromlist=[])
            except Exception as ex:
                raise ConfigError("cannot load module %s, exception: %s" % (module_name, ex))

            # find and instantiate the profile factory class
            profile_factory_class = sys.modules[module_name].__dict__[PROFILE_FACTORY_CLASS_NAME]
            self.profile_factories.append(profile_factory_class(self.file_bag, self.options))

        # there must be some profile factories in the list, otherwise we die right here
        if len(self.profile_factories) == 0:
            raise ConfigError("no single profile factory configured, nothing to do")

    def start(self):
        self.do_stop = False
        self.server.start()
        Thread.start(self)

        if self.selftest_hammer is not None:
            self.selftest_hammer.start()

    def stop(self):
        # signal the controller thread to stop
        self.do_stop = True

    def run(self):
        '''
        SSLCAuditCLI loop function. Will run until the desired number of clients is handled.
        '''
        nresults = 0

        # loop until get all desired results, quit if stopped
        while nresults < self.options.nclients and not self.do_stop:
            try:
                # wait for a message blocking for short intervals, check stop flag frequently
                res = self.server.res_queue.get(True, self.queue_read_timeout)
                self.logger.debug("got result %s", res)
                self.handle_result(res)

                if isinstance(res, ClientAuditResult):
                    nresults = nresults + 1
            except Empty:
                pass

    def handle_result(self, res):
        raise NotImplemented('subclasses must override this method')

    def init_self_tests(self):
        # determine where to connect to
        if self.options.listen_on[0] == HOST_ADDR_ANY:
            peer_host = 'localhost'
        else:
            peer_host = self.options.listen_on[0]
        peer = (peer_host, self.options.listen_on[1])

        # instantiate hammer class
        if self.options.self_test is None:
            self.selftest_hammer = None
        else:
            if self.options.self_test == 0:
                self.selftest_hammer = TCPConnectionHammer(-1)

            elif self.options.self_test == 1:
                if self.options.user_cn is not None:
                    self.selftest_hammer = CNVerifyingSSLConnectionHammer(-1, 'hello')
                else:
                    raise ConfigError('test mode 1 requires --user-cn')

            elif self.options.self_test == 2:
                if self.options.user_ca_cert_file is not None:
                    self.selftest_hammer = CurlHammer(-1, self.options.user_ca_cert_file)
                else:
                    raise ConfigError('test mode 2 requires --user-ca-cert/--user-ca-key')
            else:
                raise ConfigError('invalid selftest number %d' % self.options.self_test)

            # set the peer for the hammer
            self.selftest_hammer.set_peer(peer)
class BaseClientAuditController(Thread):

    def __init__(self, options, file_bag, event_handler):
        Thread.__init__(self, target=self.run, name='BaseClientAuditController')
        self.options = options
        self.event_handler = event_handler
        self.queue_read_timeout = 0.1

        self.file_bag = file_bag

        self.init_profile_factories()

        self.server = ClientAuditorServer(self.options.listen_on, self.profile_factories, options.post_test_action, None, self.file_bag)
        self.res_queue = self.server.res_queue

        logger.debug('dumping options')
        for (key, value) in self.options.__dict__.items():
          logger.debug('\t%s = %s' % (key, value))
        logger.debug('end of options dump')
        logger.info('number of profile factories: %d' % len(self.profile_factories))
        for pf in self.profile_factories:
            logger.info('profile factory: %s', pf)

        # initialize the self test hammers
        # make sure we shut down the controller if there is a failure
        try:
            self.init_self_tests()
        except Exception as ex:
            self.server.server_close()
            raise ex

    def init_profile_factories(self):
        self.profile_factories = []

        for module_name in self.options.modules.split(','):
            # load the module from under MODULE_NAME_PREFIX
            module_name = MODULE_MODULE_NAME_PREFIX + "." + module_name + '.' + PROFILE_FACTORY_MODULE_NAME
            try:
                __import__(module_name, fromlist=[])
            except Exception as ex:
                raise ConfigError("cannot load module %s, exception: %s" % (module_name, ex))

            # find and instantiate the profile factory class
            profile_factory_class = sys.modules[module_name].__dict__[PROFILE_FACTORY_CLASS_NAME]
            self.profile_factories.append(profile_factory_class(self.file_bag, self.options))

        # there must be some profile factories in the list, otherwise we die right here
        if len(self.profile_factories) == 0:
            raise ConfigError("no single profile factory configured, nothing to do")

    def start(self):
        self.do_stop = False
        self.server.start()
        Thread.start(self)

        if self.selftest_hammer is not None:
            self.selftest_hammer.start()

    def stop(self):
        # signal the controller thread to stop
        self.do_stop = True
        # tell the test hammer to stop as well
        if self.selftest_hammer:
            self.selftest_hammer.stop()

    def run(self):
        '''
        SSLCAuditCLI loop function. Will run until the desired number of clients is handled.
        '''
        logger.debug('entering main loop in run()')

        # loop until get all desired results, quit if stopped
        while not self.do_stop:
            try:
                # wait for a message blocking for short intervals, check stop flag frequently
                res = self.server.res_queue.get(True, self.queue_read_timeout)
                logger.debug("got result %s", res)
                self.event_handler(res)

                if isinstance(res, SessionEndResult):
                    if self.options.post_test_action == CFG_PTA_EXIT:
                        break
            except Empty:
                pass

        self.server.stop()
        if self.selftest_hammer:
            self.selftest_hammer.stop()
        logger.debug('exited main loop in run()')

    def init_self_tests(self):
        # determine where to connect to
        if self.options.listen_on[0] == HOST_ADDR_ANY:
            peer_host = 'localhost'
        else:
            peer_host = self.options.listen_on[0]
        peer = (peer_host, self.options.listen_on[1])

        # instantiate hammer class
        if self.options.self_test == 0:
            self.selftest_hammer = None
        else:
            if self.options.self_test == 1:
                self.selftest_hammer = TCPConnectionHammer(-1)

            elif self.options.self_test == 2:
                self.selftest_hammer = CNVerifyingSSLConnectionHammer(-1, 'hello')

            elif self.options.self_test == 3:
                if self.options.user_ca_cert_file is not None:
                    self.selftest_hammer = CurlHammer(-1, self.options.user_ca_cert_file)
                else:
                    raise ConfigError('test mode 3 requires --user-ca-cert/--user-ca-key')
            else:
                raise ConfigError('invalid selftest number %d' % self.options.self_test)

            # set the peer for the hammer
            self.selftest_hammer.set_peer(peer)
示例#7
0
    def test_curl(self):
        # curl does all the checks
        eccars = [
            # user-supplied certificate
            ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # self-signed certificates
            ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_SelfSigned(LOCALHOST), ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), ALERT_UNKNOWN_CA),

            # signed by user-supplied certificate
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN),
                  ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CERT_CN),
                  ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN),
                  ALERT_UNKNOWN_CA),

            # signed by user-supplied CA
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN),
                  ConnectedGotEOFBeforeTimeout()),
            ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CA_CN),
                  ConnectedGotRequest()),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # default CN, signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),

            # user-supplied CN signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotRequest()),

            # replica of server certificate signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),
        ]

        self._main_test(mk_sslcaudit_argv(user_cn=LOCALHOST),
                        CurlHammer(len(eccars), TEST_USER_CA_CERT_FILE),
                        eccars)