def TestCrypt(data):
mycertobj = X509.X509()
mycertobj.parse(MYCERT)
Fingerprint = mycertobj.getFingerprint()
mypublickey = mycertobj.publicKey
myprivatekey = tlslite.utils.keyfactory.parsePEMKey(MYKEY, private=True)
mypublicXMLkeyString = myprivatekey.writeXMLPublicKey()
data2 = '2010-02-02 21:15:00'
logging.info('%s: %s' % ('data', data))
logging.info('%s: %s' % ('time.time', time.time()))
myhashAndSign = myprivatekey.hashAndSign(
tlslite.utils.compat.stringToBytes('%s%s' % (data2, MYSECRET)))
logging.info('%s: %s' %
('myhashAndSign',
tlslite.utils.cryptomath.bytesToBase64(myhashAndSign)))
verify = mypublickey.hashAndVerify(myhashAndSign,
'%s%s' % (data2, MYSECRET))
if verify:
logging.info('%s: %s' % ('verify', 'TRUE'))
else:
logging.info('%s: %s' % ('verify', 'FALSE'))
mycrypt = mypublickey.encrypt(tlslite.utils.compat.stringToBytes(data))
mydecrypt = myprivatekey.decrypt(mycrypt)
logging.info('%s: %s' % ('mydecrypt', mydecrypt.tostring()))
def __init__(self, cert_fname, pkey_fname, pkey_password, peer_cert_fname):
# Read our own cert
s = open(cert_fname).read()
x509 = X509()
x509.parse(s)
self.cert = X509CertChain([x509])
# Read our own primary key
s = open(pkey_fname).read()
self.pkey = parsePEMKey(s,
private=True,
passwordCallback=lambda: pkey_password)
# Read our peer's cert
s = open(peer_cert_fname).read()
x509 = X509()
x509.parse(s)
cert = X509CertChain([x509])
self.checker = Checker(cert.getFingerprint())
def AuthRest(http_timestamp, http_signed):
#logging.info('%s: %s' % ('http_timestamp', http_timestamp))
#logging.info('%s: %s' % ('http_signed', http_signed))
dif = abs(float(http_timestamp) - time.time())
logging.info('%s: %s' % ('dif', dif))
if dif > 120:
return False
mycertobj = X509.X509()
mycertobj.parse(MYCERT)
mypublickey = mycertobj.publicKey
verify = mypublickey.hashAndVerify(
tlslite.utils.cryptomath.base64ToBytes(http_signed),
tlslite.utils.compat.stringToBytes('%s%s' %
(http_timestamp, MYSECRET)))
if verify:
logging.info('%s: %s' % ('verify', 'TRUE'))
return True
else:
logging.info('%s: %s' % ('verify', 'FALSE'))
return False
def _getFingerprint(fname):
s = open(fname).read()
x509 = X509()
x509.parse(s)
cert = X509CertChain([x509])
return cert.getFingerprint()
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(5)
sock.connect(address)
c = TLSConnection(sock)
return c
test = 0
badFault = False
print("Test 0 - anonymous handshake")
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
print("Test 1 - good X509 (plus SNI)")
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
connection.close()
print("Test 1.a - good X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 1.b - good X509, RC4-MD5")
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
print("Test 3 - good SRP")
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 14 - good mutual X509")
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14.a - good mutual X509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
print("Test 18 - good SRP, prepare to resume... (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
print("Test 19 - resumption (plus SNI)")
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
print("Test 20 - invalidated resumption (plus SNI)")
connection.sock.close() #Close the socket without a close_notify!
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
time.sleep(2)
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
time.sleep(2)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers, TLSv1.0")
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = time.clock()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = time.clock()
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
print("Test 24.a - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.b - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.c - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.d - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print("Test 24.e - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
print("Test 24.f - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
print("Test 24.g - Next-Protocol Client Negotiation")
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
print('Test 25 - good standard XMLRPC https client')
time.sleep(2) # Hack for lack of ability to set timeout here
address = address[0], address[1]+1
server = xmlrpclib.Server('https://%s:%s' % address)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 26 - good tlslite XMLRPC client')
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print('Test 27 - good XMLRPC ignored protocol')
server = xmlrpclib.Server('http://%s:%s' % address, transport)
assert server.add(1,2) == 3
assert server.pow(2,4) == 16
print("Test 28 - Internet servers test")
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
print("Test 28: IMAP4 good")
p = POP3_TLS("pop.gmail.com")
p.quit()
print("Test 29: POP3 good")
except socket.error as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
if not badFault:
print("Test succeeded")
else:
print("Test failed")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
print("Test 0 - Anonymous server handshake")
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print("Test 1 - good X.509")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 1.a - good X.509, SSL v3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
print("Test 1.b - good X.509, RC4-MD5")
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print("Test 2.a - good X.509, TACK")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
print("Test 2.b - good X.509, TACK unrelated to cert chain")
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
print("Test 3 - good SRP")
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB["test"] = entry
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
print("Test 4 - SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB)
assert()
except:
pass
connection.close()
print("Test 6 - good SRP: with X.509 cert")
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
print("Test 7 - X.509 with SRP faults")
for fault in Fault.clientSrpFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print("Test 11 - X.509 faults")
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except:
pass
connection.close()
print("Test 14 - good mutual X.509")
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 14a - good mutual X.509, SSLv3")
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print("Test 15 - mutual X.509 faults")
for fault in Fault.clientCertFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
assert()
except:
pass
connection.close()
print("Test 18 - good SRP, prepare to resume")
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print("Test 19 - resumption")
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
print("Test 20 - invalidated resumption")
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
print("Test 21 - HTTPS test X.509")
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
print("Test 22 - different ciphers")
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
print("Test 22:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
print("Test 23 - throughput test")
for implementation in implementations:
for cipher in ["aes128", "aes256", "3des", "rc4"]:
if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
continue
print("Test 23:", end=' ')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
print("Test 24.a - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.b - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.c - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.d - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
print("Test 24.e - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
print("Test 24.f - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
print("Test 24.g - Next-Protocol Server Negotiation")
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
print("Tests 25-27 - XMLRPXC server")
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
server.handle_request()
print("Test succeeded")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
datasize = argv[2]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1] - 1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(
open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
test_no = 0
for cipher in [
"aes128gcm", "aes128", "aes256", "rc4", "chacha20-poly1305",
"speck128", "speck128gcm", "speck192gcm"
]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = ["python"]
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
if datasize == "3MB":
h = connection.read(min=1500000, max=1500000)
elif datasize == "2MB":
h = connection.read(min=1000000, max=1000000)
elif datasize == "1MB":
h = connection.read(min=500000, max=500000)
elif datasize == "500k":
h = connection.read(min=250000, max=250000)
elif datasize == "100k":
h = connection.read(min=50000, max=50000)
elif datasize == "2k":
h = connection.read(min=1000, max=1000)
else:
print("Datasize not supported or syntax error! Exiting...")
exit(1)
connection.write(h)
connection.close()
synchro.close()
synchroSocket.close()
print("Test succeeded")
super().__init__(sock)
self._recordLayer = MyRecordLayer(sock, data)
# recv first packet
data = conn.recv(BUFFER_SIZE)
hexdump(data)
isTLS = ""
isRunning = True
if data.startswith(b"\x16\x03"):
print(">> Detect ssl request")
# ssl context
x509 = X509()
x509.parse(open(CERT).read())
certChain = X509CertChain([x509])
privateKey = parsePEMKey(open(KEY).read(), private=True)
# wrap it with modified class
connection = MyTLSConnection(conn, data)
# resume the handshake
try:
connection.handshakeServer(certChain=certChain,
privateKey=privateKey,
reqCert=True)
except:
print(">> Failed to switch ssl")
else:
def send_eap_tls_client_key(self):
"""
Generate Client_Certificate, Client_KeyExchange, Client_CertificateVerify,
Client_ChangeCipherSpec & FINISHED Message and send it to the server
"""
if self.state != "TLS HANDSHAKE 1":
print("Wrong Connection State for Client_Key Message: {0} - should be 'TLS HANDSHAKE 1'".format(self.state))
return 1
#May have to move this to the _init_ field
packet_head = Dot11(addr1=self.bssid ,addr2=self.sta_mac ,addr3=self.bssid ,type=2 ,subtype=8 , FCfield="to-DS" )/ Dot11QoS('\x00\x00')/LLC(dsap=0xaa,ssap=0xaa,ctrl=3)/ SNAP(OUI=0x0, code=0x888e) / EAPOL(version=1,type=0)
#---------------------------------------------------------------------------#
x509_1 = X509()
x509_1.parse(self.public_cert_file)
x509_2 = X509()
x509_2.parse(self.ca_certs_file)
cert1 = x509_1.writeBytes()
cert2 = x509_2.writeBytes()
#Add 3 Bytes for every Certificate as Length-Field has to be included
chainLength = len(cert1)+3+len(cert2)+3
cert1_len_hex = "{:06x}".format(len(cert1))
cert2_len_hex = "{:06x}".format(len(cert2))
cert1_len = binascii.unhexlify(cert1_len_hex)
cert2_len = binascii.unhexlify(cert2_len_hex)
client_certs = cert1_len + cert1 + cert2_len + cert2
#We use str() because client_certs is a byte-array
client_cert_load = TLSCertificate(certslen=chainLength, certs=str(client_certs))
print("#########################################################")
print("Generating CLIENT CERTIFICATE PAYLOAD")
print("#########################################################")
client_cert_load.show2()
client_cert = TLS(type="handshake", version="TLS 1.0", iv="", msg=client_cert_load)
print("#########################################################")
print("Generating CLIENTCERTIFICATE")
print("#########################################################")
client_cert.show2()
self.handshake_log = self.handshake_log / client_cert[TLSCertificate]
print("#################################################################################################")
#---------------------------------------------------------------------------#
#Generating ClientKey
curve = reg.get_curve("secp256r1")
self.client_secret = random.getrandbits(256)
client_pubKey = curve.g * self.client_secret
#04 Prefix for "uncompressed" and "41" for length of pubKey as scapy cant parse it right
pubKey_head = binascii.unhexlify("4104")
#This one is for sending
raw_full_client_pubKey = pubKey_head + long_to_bytes(client_pubKey.x) + long_to_bytes(client_pubKey.y)
print("#########################################################")
print("Generated following Coordinates:")
print("X:")
print(client_pubKey.x)
print("Y:")
print(client_pubKey.y)
print("#########################################################")
#Parsing ServerKey
raw_full_server_pubKey = self.handshake_log[TLSServerKeyExchange].params.point
#Remove "uncompressed" indicator
full_server_pubKey = raw_full_server_pubKey[1:]
#splitting the x and y coordinates
server_key_x_raw = full_server_pubKey[0:32]
server_key_y_raw = full_server_pubKey[32:64]
server_key_x = bytes_to_long(server_key_x_raw)
server_key_y = bytes_to_long(server_key_y_raw)
server_parse = ec.Point(curve, server_key_x, server_key_y)
print("#########################################################")
print("Parsed following Server Coordinates:")
print("X:")
print(server_parse.x)
print("Y:")
print(server_parse.y)
print("#########################################################")
#Calculating the pre-master-secret (Returned as a long)
long_premaster = (server_parse * self.client_secret).x
self.premaster = long_to_bytes(long_premaster)
#Generating ClientKeyExchange Layer
print("#########################################################")
print("Generating CLIENTKEYEXCHANGE Payload:")
print("#########################################################")
client_key_load = TLSClientKeyExchange(exchkeys=Raw(load=raw_full_client_pubKey))
client_key_load.show2()
client_key = TLS(type="handshake", version="TLS 1.0", iv="", msg=client_key_load)
print("#########################################################")
print("Generating CLIENTKEYEXCHANGE")
print("#########################################################")
client_key.show2()
self.handshake_log = self.handshake_log / client_key_load
print("#################################################################################################")
#---------------------------------------------------------------------------#
#Generating CertificateVerify Layer
#Hash-Value Calculation
temp = hashlib.md5()
temp.update(str(self.handshake_log))
m_string = temp.digest()
temp = hashlib.sha1()
temp.update(str(self.handshake_log))
s_string = temp.digest()
concat_string = m_string + s_string
concat_string_hex = binascii.hexlify(concat_string)
#Padding Calculation
head = "0001"
bottom = "00"
body = ""
for i in range(0,434):
body = body + "F"
#Combining Hash & Padding
concat_string_build = head + body + bottom + concat_string_hex
concat_string_raw = binascii.unhexlify(concat_string_build)
#Signing Message with M2Crypto using no_padding mode
m2_key = RSA.load_key(self.private_key_file)
signature_m2 = m2_key.private_encrypt(concat_string_raw, m2.no_padding)
#Parsing the Certificate Verify Layer from Wireshark as Scapy has problems generating it
certificate_verify_head = binascii.unhexlify("0f0001020100")
#Works, as the signature has same length every time
certificate_verify_load = TLSCertificateVerify(certificate_verify_head + signature_m2)
certificate_verify = TLS(type="handshake", version="TLS 1.0", iv="", msg=certificate_verify_load)
print("#########################################################")
print("Generated CERTIFICATEVERIFY")
print("#########################################################")
certificate_verify.show2()
#Used for FINISHED Message later
self.handshake_log = self.handshake_log / certificate_verify[TLSCertificateVerify]
print("#################################################################################################")
#---------------------------------------------------------------------------#
#Generate ChangeCipherSpec Message
#IS NOT RELEVANT FOR FINISHED MESSAGE -> Therefore not saved to log
cipher_spec_load = TLSChangeCipherSpec()
cipher_spec = TLS(type="change_cipher_spec", version="TLS 1.0", iv="", msg=cipher_spec_load)
print("#########################################################")
print("Generated CHANGECIPHERSPEC")
print("#########################################################")
cipher_spec.show2()
print("#################################################################################################")
#---------------------------------------------------------------------------#
#Via Scapy: gmt_unix_time + random_bytes = FULL Random_bytes
parsed_time_client = "{0:02x}".format(self.handshake_log[TLSClientHello].gmt_unix_time).zfill(8)
parsed_time_server = "{0:02x}".format(self.handshake_log[TLSServerHello].gmt_unix_time).zfill(8)
client_random = binascii.unhexlify(parsed_time_client) + self.handshake_log[TLSClientHello].random_bytes
server_random = binascii.unhexlify(parsed_time_server) + self.handshake_log[TLSServerHello].random_bytes
print("#########################################################")
print("Parsed following random_bytes:")
print("Client Random:")
print(binascii.hexlify(client_random))
print("Server Random:")
print(binascii.hexlify(server_random))
#master bitaray with length 48 Bytes
self.master = tlslite.mathtls.calcMasterSecret((3,1), None, self.premaster, client_random, server_random)
print("#########################################################")
print("Calculated Master-Secret:")
print(binascii.hexlify(str(self.master)))
print("#########################################################")
#---------------------------------------------------------------------------#
#Calculate FINISHED Message via tlslite
#handshakeHash = MD5(handshake_messages) + SHA-1(handshake_messages)
#No Padding like RSA Signatur PKCS!
#Method expects handshakeHash as byteArray -> makes no difference here
print("#################################################################################################")
#Hash-Value Calculation exactly as in ClientVerify but now with ClientVerify appended to the log
temp = hashlib.md5()
temp.update(str(self.handshake_log))
m_string = temp.digest()
temp = hashlib.sha1()
temp.update(str(self.handshake_log))
s_string = temp.digest()
handshakeHash = m_string + s_string
#content of FINISHED-Message:
verifyData = tlslite.mathtls.PRF(self.master, "client finished", handshakeHash, 12)
#Creating Header for Handshake-Layer (NOT Record!):
#14 -> ContentType 20 = FINISHED
#00000C -> Length of Content = 12 Bytes = VerifyData.length
header_hex = "1400000C"
header = binascii.unhexlify(header_hex)
finished_payload = header + verifyData
#Generating Key-Material to calculate required Keys for Sending:
#Required: client_write_MAC, client_write_key , client_write_IV
#client_write_MAC with SHA-1 -> 20 Bytes
#client_write_key with AES-256 -> 256 Bit -> 32 Bytes
#client/server IV still uses 128 bit blocks, so 128-bit IV -> 16 Bytes
#key_block = PRF(master_secret, "key expansion", server_random + client_random)
#KEYLENGTH = 20 (MAC) + 20(Server MAC) + 32 (AES256) + 32 (AES256 Server) + 16 (IV) + 16 (Server IV) = 136 bytes
#Order of Keys : client_write_MAC , server_write_MAC, client_write_key, server_write_key, client_write_IV, server_write_IV
keys = tlslite.mathtls.PRF(self.master, "key expansion", server_random + client_random, 136)
#20 Bytes per Key (SHA-1)
client_mac_key = keys[0:20]
server_mac_key = keys[20:40]
#32 Bytes per Key (AES-256)
client_write_key = keys[40:72]
server_write_key = keys[72:104]
#16 Bytes per Key (AES-CBC)
client_write_iv = keys[104:120]
server_write_iv = keys[120:136]
print("#########################################################")
print("Client_Mac_Key:")
print(binascii.hexlify(str(client_mac_key)))
print("Server_Mac_Key:")
print(binascii.hexlify(str(server_mac_key)))
print("Client_Write_Key:")
print(binascii.hexlify(str(client_write_key)))
print("Server_Write_Key:")
print(binascii.hexlify(str(server_write_key)))
print("Client_Write_IV:")
print(binascii.hexlify(str(client_write_iv)))
print("Server_Write_IV:")
print(binascii.hexlify(str(server_write_iv)))
print("#########################################################")
#HMAC_SHA1(client_write_mac_key, seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length + TLSCompressed.fragment)
#client_write_mac_key = get from master_secret
#seq_num = 0 as 8 Bytes -> 0x0000000000000000
#TLSCompressed.type = 0x16 = 22 from Record-Layer
#TLSCompressed.version = 0x0301
#TLSCompressed.length = length(header+verifyData) -> 0x0010 because we have 16 bytes
#TLSCompressed.fragment = header+verifyData
#label = seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length
label = binascii.unhexlify("0000000000000000") + binascii.unhexlify("16") + binascii.unhexlify("0301") + binascii.unhexlify("0010")
fin_mac = hmac.new(client_mac_key, label+finished_payload, hashlib.sha1).digest()
#Padding: (We need 12 Bytes Padding, so 11-Bytes with Value '11' and one Padding-Length-Byte with Value '11')
padding_hex = ""
for i in range(0,11):
padding_hex = padding_hex + "0B"
#Adding the Padding-Length
padding_hex = padding_hex + "0B"
padding = binascii.unhexlify(padding_hex)
#Encrypt the Layer:
#USING IN THIS ORDER : finished_payload + fin_mac + padding
encryptor = EVP.Cipher(alg="aes_256_cbc", key=client_write_key, iv=client_write_iv, op=1, padding=0)
encrypted_payload = encryptor.update(finished_payload + fin_mac + padding)
encrypted_payload += encryptor.final()
#Generate TLS Record Layer:
finished_head = binascii.unhexlify("1603010030")
finished = finished_head + encrypted_payload
print("#########################################################")
print("Generated FINISHED")
print("#########################################################")
#---------------------------------------------------------------------------#
#Construct the whole packet:
packet_tls = str(client_cert) + str(client_key) + str(certificate_verify) + str(cipher_spec) + str(finished)
#Fragment the packet: (In this Case - Fragments of the size of about 1266 Bytes)
fragment1_payload = packet_tls[0:1266]
fragment2_payload = packet_tls[1266:2532]
fragment3_payload = packet_tls[2532:]
#EAP Packet Head -> Remember ID regarding Fragmentation and "More Fragments"-Flag
packet1 = packet_head / EAP_TLS(code="Response", id=(self.current_id - 1), type="EAP-TLS", L=1, M=1, S=0, reserved=0, tls_message_len=len(packet_tls) ,tls_data=fragment1_payload)
packet1[Dot11].SC = 0x0090
packet2 = packet_head / EAP_TLS(code="Response", id=self.current_id , type="EAP-TLS", L=1, M=1, S=0, reserved=0, tls_message_len=len(packet_tls) ,tls_data=fragment2_payload)
packet2[Dot11].SC = 0x00A0
self.current_id += 1
packet3 = packet_head / EAP_TLS(code="Response", id=self.current_id , type="EAP-TLS", L=1, M=0, S=0, reserved=0, tls_message_len=len(packet_tls) ,tls_data=fragment3_payload)
packet3[Dot11].SC = 0x00B0
print("#########################################################")
print("Generated 3 Fragments:")
print("#########################################################")
print("Fragment 1 :")
packet1.show2()
print("#########################################################")
print("Fragment 2 :")
packet2.show2()
print("#########################################################")
print("Fragment 3 :")
packet3.show2()
print("#########################################################")
fragments = list()
#First packet will be sent directly!
fragments.append(packet2)
fragments.append(packet3)
#Send it away!
result_queue = multiprocessing.Queue()
send_process = multiprocessing.Process(
target=self.mon_ifc.send_packet,
args=(packet1,None, ))
send_and_receive_process = multiprocessing.Process(
target=self.mon_ifc.search_eap_tls_server_response,
args=(result_queue, fragments,))
send_and_receive_process.start()
time.sleep(.250)
send_process.start()
send_process.join()
send_and_receive_process.join()
if result_queue.get():
self.state = "TLS SUCCESS"
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = (address[0], int(address[1]))
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.bind(address)
lsock.listen(5)
def connect():
return TLSConnection(lsock.accept()[0])
print "Test 0 - Anonymous server handshake"
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
print "Test 1 - good X.509"
x509Cert = X509().parse(
open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert (connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
print "Test 1.a - good X.509, SSL v3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3, 0)
settings.maxVersion = (3, 0)
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(
open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
print "Test 2.a - good X.509, TACK"
connection = connect()
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
tacks=[tack],
activationFlags=1,
settings=settings)
testConnServer(connection)
connection.close()
print "Test 2.b - good X.509, TACK unrelated to cert chain"
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
tacks=[tackUnrelated],
settings=settings)
assert (False)
except TLSRemoteAlert, alert:
if alert.description != AlertDescription.illegal_parameter:
raise
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))
badFault = True
print "Test 11 - X.509 faults"
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print " Good Fault %s" % (Fault.faultNames[fault])
except TLSFaultError, e:
print " BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))
badFault = True
print "Test 14 - good mutual X509"
x509Cert = X509().parse(
open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert (isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
print "Test 14.a - good mutual X509, SSLv3"
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3, 0)
settings.maxVersion = (3, 0)
def clientTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#open synchronisation FIFO
synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchro.settimeout(15)
synchro.connect((address[0], address[1]-1))
def connect():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
sock.settimeout(15)
sock.connect(address)
c = TLSConnection(sock)
return c
test_no = 0
badFault = False
print("Test {0} - anonymous handshake".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientAnonymous()
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good X509 (plus SNI)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS cert".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS sig".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0])
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites)
assert(connection.encryptThenMAC == False)
connection.close()
test_no += 1
print("Test {0} - good X509, SSLv3".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good X509, RC4-MD5".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["md5"]
settings.cipherNames = ["rc4"]
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
assert(connection.encryptThenMAC == False)
connection.close()
if tackpyLoaded:
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(settings=settings)
assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7")
assert(connection.session.tackExt.activation_flags == 1)
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientCert(settings=settings)
assert(False)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
connection.close()
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain...skipped"
" (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - good SRP".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password")
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good SRP: with X.509 certificate, TLSv1.0".format(test_no))
settings = HandshakeSettings()
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", settings=settings)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientSRP("test", "password")
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert()
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good mutual X509".format(test_no))
x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "clientX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(x509Chain, x509Key)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X509, TLSv1.1".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X509, SSLv3".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.recv(1)
connection = connect()
connection.fault = fault
try:
connection.handshakeClientCert(x509Chain, x509Key)
print(" Good Fault %s" % (Fault.faultNames[fault]))
except TLSFaultError as e:
print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
badFault = True
test_no += 1
print("Test {0} - good SRP, prepare to resume... (plus SNI)".\
format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "password", serverName=address[0])
testConnClient(connection)
connection.close()
session = connection.session
test_no += 1
print("Test {0} - resumption (plus SNI)".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientSRP("test", "garbage", serverName=address[0],
session=session)
testConnClient(connection)
#Don't close! -- see below
test_no += 1
print("Test {0} - invalidated resumption (plus SNI)".format(test_no))
synchro.recv(1)
connection.sock.close() #Close the socket without a close_notify!
synchro.recv(1)
connection = connect()
try:
connection.handshakeClientSRP("test", "garbage",
serverName=address[0], session=session)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
address = address[0], address[1]+1
if hasattr(socket, "timeout"):
timeoutEx = socket.timeout
else:
timeoutEx = socket.error
while 1:
try:
htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
fingerprint = None
for y in range(2):
checker =Checker(x509Fingerprint=fingerprint)
h = HTTPTLSConnection(\
address[0], address[1], checker=checker)
for x in range(3):
synchro.recv(1)
h.request("GET", "/index.html")
r = h.getresponse()
assert(r.status == 200)
b = bytearray(r.read())
assert(b == htmlBody)
fingerprint = h.tlsSession.serverCertChain.getFingerprint()
assert(fingerprint)
break
except timeoutEx:
print("timeout, retrying...")
pass
address = address[0], address[1]+1
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers, TLSv1.0".format(test_no))
for implementation in implementations:
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
settings.minVersion = (3,1)
settings.maxVersion = (3,1)
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeClientCert(settings=settings)
print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
startTime = timeit.default_timer()
connection.write(b"hello"*10000)
h = connection.read(min=50000, max=50000)
stopTime = timeit.default_timer()
sizeofdata = len(h)*2
if stopTime-startTime:
print("100K exchanged at rate of %d bytes/sec" % int(sizeofdata/(stopTime-startTime)))
else:
print("100K exchanged very fast")
assert(h == b"hello"*10000)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/3')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'http/1.1')
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Client Negotiation".format(test_no))
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
#print(" Next-Protocol Negotiated: %s" % connection.next_proto)
assert(connection.next_proto == b'spdy/2')
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
connection.handshakeClientCert(settings=settings)
testConnClient(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.sendFallbackSCSV = True
settings.maxVersion = (3, 2)
try:
connection.handshakeClientCert(settings=settings)
assert()
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
assert(settings.useEncryptThenMAC)
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
settings.useEncryptThenMAC = False
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
session = connection.session
# resume
synchro.recv(1)
connection = connect()
connection.handshakeClientCert(serverName=address[0], session=session)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.recv(1)
connection = connect()
settings = HandshakeSettings()
settings.macNames.remove("aead")
connection.handshakeClientCert(serverName=address[0], settings=settings)
testConnClient(connection)
assert(isinstance(connection.session.serverCertChain, X509CertChain))
assert(connection.session.serverName == address[0])
assert(not connection.resumed)
assert(connection.encryptThenMAC)
connection.close()
session = connection.session
# resume
synchro.recv(1)
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
settings.macNames.remove("aead")
connection = connect()
try:
connection.handshakeClientCert(serverName=address[0], session=session,
settings=settings)
except TLSRemoteAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("No exception raised")
connection.close()
test_no += 1
print('Test {0} - good standard XMLRPC https client'.format(test_no))
address = address[0], address[1]+1
synchro.recv(1)
try:
# python 2.7.9 introduced certificate verification (context option)
# python 3.4.2 doesn't have it though
context = ssl.create_default_context(\
cafile=os.path.join(dir, "serverX509Cert.pem"))
server = xmlrpclib.Server('https://%s:%s' % address, context=context)
except (TypeError, AttributeError):
server = xmlrpclib.Server('https://%s:%s' % address)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print('Test {0} - good tlslite XMLRPC client'.format(test_no))
transport = XMLRPCTransport(ignoreAbruptClose=True)
server = xmlrpclib.Server('https://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print('Test {0} - good XMLRPC ignored protocol'.format(test_no))
server = xmlrpclib.Server('http://%s:%s' % address, transport)
synchro.recv(1)
assert server.add(1,2) == 3
synchro.recv(1)
assert server.pow(2,4) == 16
test_no += 1
print("Test {0} - Internet servers test".format(test_no))
try:
i = IMAP4_TLS("cyrus.andrew.cmu.edu")
i.login("anonymous", "*****@*****.**")
i.logout()
test_no += 1
print("Test {0}: IMAP4 good".format(test_no))
p = POP3_TLS("pop.gmail.com")
p.quit()
test_no += 1
print("Test {0}: POP3 good".format(test_no))
except (socket.error, socket.timeout) as e:
print("Non-critical error: socket error trying to reach internet server: ", e)
synchro.close()
if not badFault:
print("Test succeeded, {0} good".format(test_no))
else:
print("Test failed")
def serverTestCmd(argv):
address = argv[0]
dir = argv[1]
#Split address into hostname/port tuple
address = address.split(":")
address = ( address[0], int(address[1]) )
#Create synchronisation FIFO
synchroSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
synchroSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
synchroSocket.bind((address[0], address[1]-1))
synchroSocket.listen(2)
#Connect to server
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
lsock.bind(address)
lsock.listen(5)
# following is blocking until the other side doesn't open
synchro = synchroSocket.accept()[0]
def connect():
return TLSConnection(lsock.accept()[0])
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
x509Chain = X509CertChain([x509Cert])
s = open(os.path.join(dir, "serverX509Key.pem")).read()
x509Key = parsePEMKey(s, private=True)
with open(os.path.join(dir, "serverRSAPSSSigCert.pem")) as f:
x509CertRSAPSSSig = X509().parse(f.read())
x509ChainRSAPSSSig = X509CertChain([x509CertRSAPSSSig])
with open(os.path.join(dir, "serverRSAPSSSigKey.pem")) as f:
x509KeyRSAPSSSig = parsePEMKey(f.read(), private=True)
with open(os.path.join(dir, "serverRSAPSSCert.pem")) as f:
x509CertRSAPSS = X509().parse(f.read())
x509ChainRSAPSS = X509CertChain([x509CertRSAPSS])
assert x509CertRSAPSS.certAlg == "rsa-pss"
with open(os.path.join(dir, "serverRSAPSSKey.pem")) as f:
x509KeyRSAPSS = parsePEMKey(f.read(), private=True,
implementations=["python"])
test_no = 0
print("Test {0} - Anonymous server handshake".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(anon=True)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS sig".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509ChainRSAPSSSig,
privateKey=x509KeyRSAPSSSig)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509/w RSA-PSS cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509ChainRSAPSS,
privateKey=x509KeyRSAPSS)
assert(connection.session.serverName == address[0])
assert(connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, SSL v3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
assert(not connection.extendedMasterSecret)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, RC4-MD5".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.macNames = ["sha", "md5"]
settings.cipherNames = ["rc4"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
testConnServer(connection)
connection.close()
if tackpyLoaded:
tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())
settings = HandshakeSettings()
settings.useExperimentalTackExtension = True
test_no += 1
print("Test {0} - good X.509, TACK".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tack], activationFlags=1, settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain".\
format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
tacks=[tackUnrelated], settings=settings)
assert(False)
except TLSRemoteAlert as alert:
if alert.description != AlertDescription.illegal_parameter:
raise
else:
test_no += 1
print("Test {0} - good X.509, TACK...skipped (no tackpy)".\
format(test_no))
test_no += 1
print("Test {0} - good X.509, TACK unrelated to cert chain"
"...skipped (no tackpy)".format(test_no))
test_no += 1
print("Test {0} - good SRP (db)".format(test_no))
try:
(db_file, db_name) = mkstemp()
os.close(db_file)
# this is race'y but the interface dbm interface is stupid like that...
os.remove(db_name)
verifierDB = VerifierDB(db_name)
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
finally:
try:
os.remove(db_name)
except FileNotFoundError:
# dbm module may create files with different names depending on
# platform
os.remove(db_name + ".dat")
test_no += 1
print("Test {0} - good SRP".format(test_no))
verifierDB = VerifierDB()
verifierDB.create()
entry = VerifierDB.makeVerifier("test", "password", 1536)
verifierDB[b"test"] = entry
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB)
connection.close()
test_no += 1
print("Test {0} - good SRP: with X.509 cert".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - X.509 with SRP faults".format(test_no))
for fault in Fault.clientSrpFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(verifierDB=verifierDB, \
certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - X.509 faults".format(test_no))
for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
connection.close()
test_no += 1
print("Test {0} - good mutual X.509".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, TLSv1.1".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,2)
settings.maxVersion = (3,2)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - good mutual X.509, SSLv3".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.minVersion = (3,0)
settings.maxVersion = (3,0)
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
testConnServer(connection)
assert(isinstance(connection.session.clientCertChain, X509CertChain))
connection.close()
test_no += 1
print("Test {0} - mutual X.509 faults".format(test_no))
for fault in Fault.clientCertFaults + Fault.genericFaults:
synchro.send(b'R')
connection = connect()
connection.fault = fault
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
connection.close()
test_no += 1
print("Test {0} - good SRP, prepare to resume".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
assert(connection.session.serverName == address[0])
testConnServer(connection)
#Don't close! -- see next test
test_no += 1
print("Test {0} - invalidated resumption".format(test_no))
synchro.send(b'R')
try:
connection.read(min=1, max=1)
assert() #Client is going to close the socket without a close_notify
except TLSAbruptCloseError as e:
pass
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
except TLSLocalAlert as alert:
if alert.description != AlertDescription.bad_record_mac:
raise
connection.close()
test_no += 1
print("Test {0} - HTTPS test X.509".format(test_no))
#Close the current listening socket
lsock.close()
#Create and run an HTTP Server using TLSSocketServerMixIn
class MyHTTPServer(TLSSocketServerMixIn,
HTTPServer):
def handshake(self, tlsConnection):
tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
return True
def server_bind(self):
self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HTTPServer.server_bind(self)
cd = os.getcwd()
os.chdir(dir)
address = address[0], address[1]+1
httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
for x in range(6):
synchro.send(b'R')
httpd.handle_request()
httpd.server_close()
cd = os.chdir(cd)
#Re-connect the listening socket
lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
address = address[0], address[1]+1
lsock.bind(address)
lsock.listen(5)
implementations = []
if m2cryptoLoaded:
implementations.append("openssl")
if pycryptoLoaded:
implementations.append("pycrypto")
implementations.append("python")
test_no += 1
print("Test {0} - different ciphers".format(test_no))
for implementation in ["python"] * len(implementations):
for cipher in ["aes128", "aes256", "rc4"]:
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - throughput test".format(test_no))
for implementation in implementations:
for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des",
"rc4", "chacha20-poly1305_draft00",
"chacha20-poly1305"]:
# skip tests with implementations that don't support them
if cipher == "3des" and implementation not in ("openssl",
"pycrypto"):
continue
if cipher in ("aes128gcm", "aes256gcm") and \
implementation not in ("pycrypto",
"python"):
continue
if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
and implementation not in ("python", ):
continue
test_no += 1
print("Test {0}:".format(test_no), end=' ')
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.cipherNames = [cipher]
settings.cipherImplementations = [implementation, "python"]
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
print(connection.getCipherName(), connection.getCipherImplementation())
h = connection.read(min=50000, max=50000)
assert(h == b"hello"*10000)
connection.write(h)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - Next-Protocol Server Negotiation".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings, nextProtos=[])
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - FALLBACK_SCSV".format(test_no))
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
assert()
except TLSLocalAlert as alert:
if alert.description != AlertDescription.inappropriate_fallback:
raise
connection.close()
test_no += 1
print("Test {0} - no EtM server side".format(test_no))
synchro.send(b'R')
connection = connect()
settings = HandshakeSettings()
settings.useEncryptThenMAC = False
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
settings=settings)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - no EtM client side".format(test_no))
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with EtM".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
test_no += 1
print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no))
synchro.send(b'R')
sessionCache = SessionCache()
connection = connect()
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
testConnServer(connection)
connection.close()
# resume
synchro.send(b'R')
connection = connect()
try:
connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
sessionCache=sessionCache)
except TLSLocalAlert as e:
assert(str(e) == "handshake_failure")
else:
raise AssertionError("no exception raised")
connection.close()
test_no += 1
print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2))
test_no += 2
address = address[0], address[1]+1
class Server(TLSXMLRPCServer):
def handshake(self, tlsConnection):
try:
tlsConnection.handshakeServer(certChain=x509Chain,
privateKey=x509Key,
sessionCache=sessionCache)
tlsConnection.ignoreAbruptClose = True
return True
except TLSError as error:
print("Handshake failure:", str(error))
return False
class MyFuncs:
def pow(self, x, y): return pow(x, y)
def add(self, x, y): return x + y
server = Server(address)
server.register_instance(MyFuncs())
synchro.send(b'R')
#sa = server.socket.getsockname()
#print "Serving HTTPS on", sa[0], "port", sa[1]
for i in range(6):
synchro.send(b'R')
server.handle_request()
synchro.close()
synchroSocket.close()
print("Test succeeded")