def testMACValidation(): """ Tests whether the server properly rejects messages when their MAC is modified. """ print("Testing validation of individual MAC bits...") failBits = [] for maskBit in range(0, 96): rejected = False try: # formulate a bit mask based on the current mask bit index mask = bytearray([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) maskIndex = int((maskBit - (maskBit % 8)) / 8) mask[maskIndex] = (0x80 >> (maskBit % 8)) if args.verbose: maskBinString = ''.join(format(x, 'b').zfill(8) for x in mask) print("\tTesting bit %d, mask: %s" % (maskBit, maskBinString)) else: print("+", end="") # connect to the server and do a handshake sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((args.host, args.port)) tls = TLSConnection(sock) # assign mask as tweak tls.macTweak = bytearray(mask) tls.handshakeClientCert() # send a packet tls.send("GET / HTTP/1.0\n\n\n") # try to read some data back data = tls.read() except (TLSRemoteAlert, socket.error): rejected = True if args.verbose: print("\tBit %d rejected correctly!" % maskBit) except (TLSAbruptCloseError, socket.error): rejected = True if args.verbose: print("\tBit %d rejected correctly!" % maskBit) if not rejected: failBits.append(maskBit) if not args.verbose: print("") if len(failBits) > 0: macValidationIssue = getIssueTemplate("MAC_VALIDATION_ERROR") macValidationIssue.findings = ', '.join(str(b) for b in failBits) report.addIssue(macValidationIssue) print("The following modified MAC bits were incorrectly accepted: ", end='') print(', '.join(str(b) for b in failBits)) else: print("All modified MAC bits were correctly rejected.")
def getNewConnection(self): """ Initialize a new serializable TLSConnection. """ sock = socket(AF_INET, SOCK_STREAM) sock.connect((self.host, self.port)) connection = TLSConnection(sock) chain, key = self.getCertChainKey() connection.handshakeClientCert(chain, key) return connection
class RevTLSClient: def __init__(self, address, credentials): self.address = address self.__creds = credentials self.conn = None self.connect() def __enter__(self): return self def __exit__(self, type, value, traceback): self.close() def connect(self): if self.conn: return sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(self.address) self.conn = TLSConnection(sock) self.conn.handshakeClientCert(self.__creds.cert, self.__creds.pkey, checker=self.__creds.checker) self.fconn = self.conn.makefile() def sendall(self, data): _write_with_length(self.fconn, data) def recvall(self): return _read_with_length(self.fconn) def close(self): self.fconn.close() self.fconn = None self.conn.close() self.conn = None
class WAVEGRPCClient: def __init__(self, address_tuple, namespace, entityfile, grpcservice, proof_file='clientproof.pem', waved='localhost:410'): self.address_tuple = address_tuple self.ns = namespace self.grpcservice = grpcservice self.nsbytes = base64.urlsafe_b64decode(self.ns) self.entityfile = open(entityfile, 'rb').read() self.perspective = eapi_pb2.Perspective( entitySecret=eapi_pb2.EntitySecret(DER=self.entityfile)) self._listen_address = None self._ready = threading.Event() self.wave_channel = grpc.insecure_channel(waved) self.wave_client = eapi_pb2_grpc.WAVEStub(self.wave_channel) resp = self.wave_client.Inspect( eapi_pb2.InspectParams(content=self.entityfile, )) self.entityhash = resp.entity.hash self.proof_file = open('clientproof.pem', 'rb').read() resp = self.wave_client.VerifyProof( eapi_pb2.VerifyProofParams(proofDER=self.proof_file, )) self.sigresp = self.wave_client.Sign( eapi_pb2.SignParams( perspective=self.perspective, content=self.proof_file, )) # setup server self._server_thread = threading.Thread( target=self.get_client_connection, daemon=True) self._server_thread.start() def setup_connection(self): hdr = self.generate_peer_header() sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.connect(self.address_tuple) self.upstream_connection = TLSConnection(sock) hs = self.upstream_connection.handshakeClientCert() self.upstream_connection.write(self.nsbytes) self.upstream_connection.write(hdr) invalid = self.read_peer_header(self.upstream_connection) if invalid.message != '': raise Exception( "GRPC Server sent invalid header or proof {0}".format(invalid)) @property def listen_address(self): self._ready.wait() return "{0}:{1}".format(*self._listen_address) def get_client_connection(self): listen_port = 5005 while True: listen_address = ('localhost', listen_port) server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: server.bind(listen_address) self._listen_address = listen_address self._ready.set() break except Exception as e: print("Failed to listen on {0}".format(listen_address), e) time.sleep(1) listen_port += 1 print("Listening on {0}".format(listen_address)) server.listen(10) while True: client_socket, addr = server.accept() # reconnect to the GRPC server on each call self.setup_connection() # start a thread to talk to the remote host proxy_thread = threading.Thread(target=self.handle_client, args=(client_socket, ), daemon=True) proxy_thread.start() def handle_client(self, client_socket): while True: try: local_buffer = receive_from(client_socket) if len(local_buffer): self.upstream_connection.send(local_buffer) # receive back the response remote_buffer = receive_from(self.upstream_connection) if len(remote_buffer): # send the response to the local socket client_socket.send(remote_buffer) # if no more data on the either side, close the connections if not len(local_buffer) or not len(remote_buffer): print("Done with call") break finally: client_socket.close() self.upstream_connection.close() def generate_peer_header(self): buf = bytes() buf += self.entityhash buf += struct.pack('<H', len(self.sigresp.signature)) buf += self.sigresp.signature buf += struct.pack('<I', len(self.proof_file)) buf += self.proof_file return buf def read_peer_header(self, conn): entityhash = conn.read(max=34, min=34) sigsize = struct.unpack('<H', conn.read(max=2, min=2))[0] signature = conn.read(max=sigsize, min=sigsize) proofsize = struct.unpack('<I', conn.read(max=4, min=4))[0] proof = conn.read(max=proofsize, min=proofsize) #TODO verify this # TODO: need peer certificate cert = self.upstream_connection.session.serverCertChain.x509List[ 0].bytes c = x509.load_der_x509_certificate(cert, default_backend()) vresp = self.wave_client.VerifySignature( eapi_pb2.VerifySignatureParams( signer=entityhash, signature=signature, content=c.signature, )) if vresp.error.message != "": return vresp.error proofresp = self.wave_client.VerifyProof( eapi_pb2.VerifyProofParams( proofDER=proof, subject=entityhash, requiredRTreePolicy=eapi_pb2.RTreePolicy( namespace=self.nsbytes, statements=[ eapi_pb2.RTreePolicyStatement( permissionSet=XBOS_PERMSET, permissions=["serve_grpc"], resource=self.grpcservice, ), ], ))) if proofresp.result == None: return "no proof" return proofresp.error
_SID = uid def setBit(int_type, offset): mask = 1 << offset return (int_type | mask) def testBit(int_type, offset): mask = 1 << offset return (int_type & mask) sock = socket(AF_INET, SOCK_STREAM) sock.connect((GATEWAY_HOST, GATEWAY_PORT)) connection = TLSConnection(sock) connection.handshakeClientCert() print '***connected***' ## Authentication message msg = message_pb2.Container() msg.SID = uid msg.RID = '' msg.STIME = 0 os.system('TITLE CLIENT %s' % _SID) msgType = 0 msgType = setBit(msgType, 0) # Identity msgType = setBit(msgType, 1) # Authenticate
def setBit(int_type, offset): mask = 1 << offset return (int_type | mask) def testBit(int_type, offset): mask = 1 << offset return (int_type & mask) sock = socket(AF_INET, SOCK_STREAM) sock.connect((GATEWAY_HOST, GATEWAY_PORT)) connection = TLSConnection(sock) connection.handshakeClientCert() print '***connected***' ## Authentication message msg = message_pb2.Container() _SID = raw_input('YOUR SID> ') msg.SID = _SID #'a' msg.RID = '' msg.STIME = 0 os.system('TITLE CLIENT %s' % _SID) msgType = 0 msgType = setBit(msgType, 0) # Identity msgType = setBit(msgType, 1) # Authenticate
# client introduce server to client middleboxes for i in range(number_of_middleboxes): mbid = bytearray(os.urandom(64)) permission = bytearray(1) permission[0] = random.randint(0, 1) mb = {'middlebox_id': mbid, 'middlebox_permission': permission} settings.s_to_c_mb_list.append(mb) time1 = time.time() for i in range(number_of_connections): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((server_ip, server_port)) # now use sock to establish TLS 1.3 connection with the remote server connection = TLSConnection(sock) connection.handshakeClientCert(settings=settings) # send page request to server #request = bytearray() #request.append((amt >> 16) & 0xff) #request.append((amt >> 8) & 0xff) #request.append(amt & 0xff) #connection.sendall(request) while amt > blocksize: data = connection.recv(blocksize) amt = amt - blocksize if amt > 0: data = connection.recv(amt) # read page from server #response = connection.recv(amt) connection.close()
for pin in pins: print("------------------------------") print(pin) print("------------------------------") exit(0) ### end get pins # open socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((args.server, int(args.port))) # construct TLS Connection conn = TLSConnection(sock) settings = HandshakeSettings() settings.useExperimentalTackExtension = True conn.handshakeClientCert(settings=settings) if conn.session.tackExt: tackExt = conn.session.tackExt print("TACK is working on " + sockString) print("------------------------------") print(tackExt) print("------------------------------") if tackExt.activation_flags != 0: usingTACK = True # if no active TACKs in TLS-Connection if not usingTACK: if haveActivePin: raise Error("Active PIN, but no active TACK. Connection might be compromised!") elif havePin: