mirror of
https://git.FreeBSD.org/ports.git
synced 2024-10-18 19:49:40 +00:00
security/py-nassl: Add py-nassl 4.0.2
nassl is an experimental OpenSSL wrapper for SSLyze. WWW: https://github.com/nabla-c0d3/nassl
This commit is contained in:
parent
5a9261cbac
commit
d9cd2e534e
@ -900,6 +900,7 @@
|
||||
SUBDIR += py-mnemonic
|
||||
SUBDIR += py-msoffcrypto-tool
|
||||
SUBDIR += py-muacrypt
|
||||
SUBDIR += py-nassl
|
||||
SUBDIR += py-netbox-secretstore
|
||||
SUBDIR += py-netmiko
|
||||
SUBDIR += py-noiseprotocol
|
||||
|
27
security/py-nassl/Makefile
Normal file
27
security/py-nassl/Makefile
Normal file
@ -0,0 +1,27 @@
|
||||
# Created by: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
|
||||
|
||||
PORTNAME= nassl
|
||||
PORTVERSION= 4.0.2
|
||||
CATEGORIES= security python
|
||||
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
|
||||
|
||||
MAINTAINER= sunpoet@FreeBSD.org
|
||||
COMMENT= Experimental OpenSSL wrapper for SSLyze
|
||||
|
||||
LICENSE= AGPLv3
|
||||
LICENSE_FILE= ${WRKSRC}/LICENSE.txt
|
||||
|
||||
USES= python:3.7+ ssl
|
||||
USE_PYTHON= autoplist concurrent distutils
|
||||
|
||||
GH_ACCOUNT= nabla-c0d3
|
||||
USE_GITHUB= yes
|
||||
|
||||
post-patch:
|
||||
@${RM} ${WRKSRC}/build_tasks.py ${WRKSRC}/tasks.py ${WRKSRC}/nassl/legacy_ssl_client.py
|
||||
@${REINPLACE_CMD} -e 's|%%OPENSSLINC%%|${OPENSSLINC}|; s|%%OPENSSLLIB%%|${OPENSSLLIB}|' ${WRKSRC}/setup.py
|
||||
|
||||
post-install:
|
||||
${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -name '*.so' -exec ${STRIP_CMD} {} +
|
||||
|
||||
.include <bsd.port.mk>
|
3
security/py-nassl/distinfo
Normal file
3
security/py-nassl/distinfo
Normal file
@ -0,0 +1,3 @@
|
||||
TIMESTAMP = 1656092882
|
||||
SHA256 (nabla-c0d3-nassl-4.0.2_GH0.tar.gz) = 440296e07ee021dc283bfe7b810f3139349e26445bc21b5e05820808e15186a2
|
||||
SIZE (nabla-c0d3-nassl-4.0.2_GH0.tar.gz) = 212003
|
480
security/py-nassl/files/patch-openssl
Normal file
480
security/py-nassl/files/patch-openssl
Normal file
@ -0,0 +1,480 @@
|
||||
--- nassl/_nassl/nassl_SSL.c.orig 2022-01-01 11:07:11 UTC
|
||||
+++ nassl/_nassl/nassl_SSL.c
|
||||
@@ -1034,6 +1034,7 @@ static PyObject *nassl_SSL_get_dh_info(nassl_SSL_Objec
|
||||
return return_dict;
|
||||
}
|
||||
#ifndef LEGACY_OPENSSL
|
||||
+#if defined(EVP_PKEY_X25519) && defined(EVP_PKEY_X448)
|
||||
else if(key_id == EVP_PKEY_X25519 || key_id == EVP_PKEY_X448){
|
||||
|
||||
// If the connection uses X25519 or X448
|
||||
@@ -1074,6 +1075,7 @@ static PyObject *nassl_SSL_get_dh_info(nassl_SSL_Objec
|
||||
EVP_PKEY_free(key);
|
||||
return return_dict;
|
||||
}
|
||||
+#endif
|
||||
#endif
|
||||
else
|
||||
{
|
||||
--- nassl/_nassl/nassl_SSL_CTX.c.orig 2022-01-01 11:07:11 UTC
|
||||
+++ nassl/_nassl/nassl_SSL_CTX.c
|
||||
@@ -88,8 +88,10 @@ static PyObject* nassl_SSL_CTX_new(PyTypeObject *type,
|
||||
// Replicate the pre-1.1.0 OpenSSL API to avoid breaking _nassl's API
|
||||
// TODO(AD): Break modern _nassl's API to make it nicer by exposing min/max_proto_version
|
||||
sslCtx = SSL_CTX_new(TLS_client_method());
|
||||
+#if defined(TLS1_3_VERSION)
|
||||
// Force TLS 1.3
|
||||
SSL_CTX_set_min_proto_version(sslCtx, TLS1_3_VERSION);
|
||||
+#endif
|
||||
SSL_CTX_set_max_proto_version(sslCtx, 0);
|
||||
break;
|
||||
#endif
|
||||
--- nassl/ssl_client.py.orig 2022-01-01 11:07:11 UTC
|
||||
+++ nassl/ssl_client.py
|
||||
@@ -417,6 +417,25 @@ class SslClient(BaseSslClient):
|
||||
# The default client uses the modern OpenSSL
|
||||
_NASSL_MODULE = _nassl
|
||||
|
||||
+ def do_renegotiate(self) -> None:
|
||||
+ """Initiate an SSL renegotiation."""
|
||||
+ if not self._is_handshake_completed:
|
||||
+ raise IOError("SSL Handshake was not completed; cannot renegotiate.")
|
||||
+
|
||||
+ self._ssl.renegotiate()
|
||||
+ self.do_handshake()
|
||||
+
|
||||
+ @staticmethod
|
||||
+ def get_available_compression_methods() -> List[str]:
|
||||
+ """Returns the list of SSL compression methods supported by SslClient."""
|
||||
+ return _nassl.SSL.get_available_compression_methods()
|
||||
+
|
||||
+ def get_current_compression_method(self) -> Optional[str]:
|
||||
+ return self._ssl.get_current_compression_method()
|
||||
+
|
||||
+ def get_secure_renegotiation_support(self) -> bool:
|
||||
+ return self._ssl.get_secure_renegotiation_support()
|
||||
+
|
||||
def write_early_data(self, data: bytes) -> int:
|
||||
"""Returns the number of (encrypted) bytes sent."""
|
||||
if self._is_handshake_completed:
|
||||
--- setup.py.orig 2022-01-01 11:07:11 UTC
|
||||
+++ setup.py
|
||||
@@ -2,29 +2,25 @@ import copy
|
||||
import sys
|
||||
from pathlib import Path
|
||||
|
||||
-from build_tasks import (
|
||||
- ModernOpenSslBuildConfig,
|
||||
- ZlibBuildConfig,
|
||||
- LegacyOpenSslBuildConfig,
|
||||
- SupportedPlatformEnum,
|
||||
- CURRENT_PLATFORM,
|
||||
-)
|
||||
from nassl import __author__, __version__
|
||||
from setuptools import setup, Extension, find_packages
|
||||
|
||||
+from platform import architecture, machine
|
||||
+from sys import platform
|
||||
+
|
||||
+CURRENT_PLATFORM = 'linux'
|
||||
+SupportedPlatformEnum = platform
|
||||
SHOULD_BUILD_FOR_DEBUG = False
|
||||
|
||||
-
|
||||
NASSL_SETUP = {
|
||||
"name": "nassl",
|
||||
"version": __version__,
|
||||
- "packages": find_packages(exclude=["docs", "tests"]),
|
||||
+ "packages": find_packages(exclude=["docs*", "tests*"]),
|
||||
"package_data": {"nassl": ["py.typed"]},
|
||||
"py_modules": [
|
||||
"nassl.__init__",
|
||||
"nassl.ssl_client",
|
||||
"nassl.ephemeral_key_info",
|
||||
- "nassl.legacy_ssl_client",
|
||||
"nassl.ocsp_response",
|
||||
"nassl.cert_chain_verifier",
|
||||
],
|
||||
@@ -70,58 +66,21 @@ BASE_NASSL_EXT_SETUP = {
|
||||
],
|
||||
}
|
||||
|
||||
-if CURRENT_PLATFORM in [SupportedPlatformEnum.WINDOWS_32, SupportedPlatformEnum.WINDOWS_64]:
|
||||
- # Build using the Python that was used to run this script; will not work for cross-compiling
|
||||
- PYTHON_LIBS_PATH = Path(sys.executable).parent / "libs"
|
||||
+BASE_NASSL_EXT_SETUP["extra_compile_args"].append("-Wall")
|
||||
+BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,-z,noexecstack")
|
||||
+BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,-z,notext")
|
||||
|
||||
- BASE_NASSL_EXT_SETUP.update(
|
||||
- {
|
||||
- "library_dirs": [str(PYTHON_LIBS_PATH)],
|
||||
- "libraries": ["user32", "kernel32", "Gdi32", "Advapi32", "Ws2_32", "crypt32"],
|
||||
- }
|
||||
- )
|
||||
-else:
|
||||
- BASE_NASSL_EXT_SETUP["extra_compile_args"].append("-Wall")
|
||||
-
|
||||
- if CURRENT_PLATFORM == SupportedPlatformEnum.LINUX_64:
|
||||
- # Explicitly disable executable stack on Linux 64 to address issues with Ubuntu on Windows
|
||||
- # https://github.com/nabla-c0d3/nassl/issues/28
|
||||
- BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,-z,noexecstack")
|
||||
-
|
||||
-zlib_config = ZlibBuildConfig(CURRENT_PLATFORM)
|
||||
-
|
||||
-
|
||||
-# The configure the setup for legacy nassl
|
||||
-legacy_openssl_config = LegacyOpenSslBuildConfig(CURRENT_PLATFORM)
|
||||
-
|
||||
-LEGACY_NASSL_EXT_SETUP = copy.deepcopy(BASE_NASSL_EXT_SETUP)
|
||||
-LEGACY_NASSL_EXT_SETUP["name"] = "nassl._nassl_legacy"
|
||||
-LEGACY_NASSL_EXT_SETUP["define_macros"] = [("LEGACY_OPENSSL", "1")]
|
||||
-LEGACY_NASSL_EXT_SETUP.update(
|
||||
- {
|
||||
- "include_dirs": [str(legacy_openssl_config.include_path)],
|
||||
- "extra_objects": [
|
||||
- # The order matters on some flavors of Linux
|
||||
- str(legacy_openssl_config.libssl_path),
|
||||
- str(legacy_openssl_config.libcrypto_path),
|
||||
- str(zlib_config.libz_path),
|
||||
- ],
|
||||
- }
|
||||
-)
|
||||
-
|
||||
# The configure the setup for modern nassl
|
||||
-modern_openssl_config = ModernOpenSslBuildConfig(CURRENT_PLATFORM)
|
||||
-
|
||||
MODERN_NASSL_EXT_SETUP = copy.deepcopy(BASE_NASSL_EXT_SETUP)
|
||||
MODERN_NASSL_EXT_SETUP["name"] = "nassl._nassl"
|
||||
MODERN_NASSL_EXT_SETUP.update(
|
||||
{
|
||||
- "include_dirs": [str(modern_openssl_config.include_path)],
|
||||
+ "include_dirs": [str('%%OPENSSLINC%%'), str('/usr/include')],
|
||||
"extra_objects": [
|
||||
# The order matters on some flavors of Linux
|
||||
- str(modern_openssl_config.libssl_path),
|
||||
- str(modern_openssl_config.libcrypto_path),
|
||||
- str(zlib_config.libz_path),
|
||||
+ str('%%OPENSSLLIB%%/libssl.so'),
|
||||
+ str('%%OPENSSLLIB%%/libcrypt.so'),
|
||||
+ str('/usr/lib/libz.so'),
|
||||
],
|
||||
}
|
||||
)
|
||||
@@ -130,18 +89,11 @@ MODERN_NASSL_EXT_SETUP["sources"].append(
|
||||
) # API only available in modern nassl
|
||||
|
||||
|
||||
-if CURRENT_PLATFORM in [SupportedPlatformEnum.WINDOWS_32, SupportedPlatformEnum.WINDOWS_64]:
|
||||
- if SHOULD_BUILD_FOR_DEBUG:
|
||||
- LEGACY_NASSL_EXT_SETUP.update({"extra_compile_args": ["/Zi"], "extra_link_args": ["/DEBUG"]})
|
||||
- MODERN_NASSL_EXT_SETUP.update({"extra_compile_args": ["/Zi"], "extra_link_args": ["/DEBUG"]})
|
||||
-else:
|
||||
- # Add arguments specific to Unix builds
|
||||
- LEGACY_NASSL_EXT_SETUP["include_dirs"].append(str(Path("nassl") / "_nassl"))
|
||||
- MODERN_NASSL_EXT_SETUP["include_dirs"].append(str(Path("nassl") / "_nassl"))
|
||||
+MODERN_NASSL_EXT_SETUP["include_dirs"].append(str(Path("nassl") / "_nassl"))
|
||||
|
||||
|
||||
NASSL_SETUP.update(
|
||||
- {"ext_modules": [Extension(**LEGACY_NASSL_EXT_SETUP), Extension(**MODERN_NASSL_EXT_SETUP)]}
|
||||
+ {"ext_modules": [Extension(**MODERN_NASSL_EXT_SETUP)]}
|
||||
)
|
||||
|
||||
|
||||
--- tests/SSL_CTX_test.py.orig 2022-01-01 11:07:11 UTC
|
||||
+++ tests/SSL_CTX_test.py
|
||||
@@ -2,11 +2,11 @@ import tempfile
|
||||
|
||||
import pytest
|
||||
|
||||
-from nassl import _nassl, _nassl_legacy
|
||||
+from nassl import _nassl
|
||||
from nassl.ssl_client import OpenSslVersionEnum, OpenSslVerifyEnum, OpenSslFileTypeEnum
|
||||
|
||||
|
||||
-@pytest.mark.parametrize("nassl_module", [_nassl, _nassl_legacy])
|
||||
+@pytest.mark.parametrize("nassl_module", [_nassl])
|
||||
class TestCommonSSL_CTX:
|
||||
def test_new(self, nassl_module):
|
||||
assert nassl_module.SSL_CTX(OpenSslVersionEnum.SSLV23.value)
|
||||
--- tests/SSL_test.py.orig 2022-01-01 11:07:11 UTC
|
||||
+++ tests/SSL_test.py
|
||||
@@ -1,11 +1,10 @@
|
||||
import pytest
|
||||
|
||||
from nassl import _nassl
|
||||
-from nassl import _nassl_legacy
|
||||
from nassl.ssl_client import SslClient, OpenSslVersionEnum, OpenSslVerifyEnum
|
||||
|
||||
|
||||
-@pytest.mark.parametrize("nassl_module", [_nassl, _nassl_legacy])
|
||||
+@pytest.mark.parametrize("nassl_module", [_nassl])
|
||||
class TestCommonSSL:
|
||||
def test_new(self, nassl_module):
|
||||
nassl_module.SSL(nassl_module.SSL_CTX(OpenSslVersionEnum.SSLV23.value))
|
||||
@@ -134,34 +133,3 @@ class TestModernSSL:
|
||||
test_ssl = _nassl.SSL(_nassl.SSL_CTX(OpenSslVersionEnum.TLSV1_2.value))
|
||||
with pytest.raises(_nassl.OpenSSLError, match="no cipher match"):
|
||||
test_ssl.set_ciphersuites("lol")
|
||||
-
|
||||
-
|
||||
-class TestLegacySSL:
|
||||
-
|
||||
- # The following tests don't pass with modern OpenSSL - the API might have changed
|
||||
- def test_set_cipher_list_bad(self):
|
||||
- # Invalid cipher string
|
||||
- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value))
|
||||
- with pytest.raises(_nassl.OpenSSLError):
|
||||
- test_ssl.set_cipher_list("badcipherstring")
|
||||
-
|
||||
- def test_do_handshake_bad_eof(self):
|
||||
- # No BIO attached to the SSL object
|
||||
- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value))
|
||||
- test_ssl.set_connect_state()
|
||||
- with pytest.raises(_nassl.SslError, match="An EOF was observed that violates the protocol"):
|
||||
- test_ssl.do_handshake()
|
||||
-
|
||||
- def test_read_bad(self):
|
||||
- # No BIO attached to the SSL object
|
||||
- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value))
|
||||
- test_ssl.set_connect_state()
|
||||
- with pytest.raises(_nassl.OpenSSLError, match="ssl handshake failure"):
|
||||
- test_ssl.read(128)
|
||||
-
|
||||
- def test_write_bad(self):
|
||||
- # No BIO attached to the SSL object
|
||||
- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value))
|
||||
- test_ssl.set_connect_state()
|
||||
- with pytest.raises(_nassl.OpenSSLError, match="ssl handshake failure"):
|
||||
- test_ssl.write("tests")
|
||||
--- tests/X509_test.py.orig 2022-01-01 11:07:11 UTC
|
||||
+++ tests/X509_test.py
|
||||
@@ -1,10 +1,9 @@
|
||||
import pytest
|
||||
|
||||
from nassl import _nassl
|
||||
-from nassl import _nassl_legacy
|
||||
|
||||
|
||||
-@pytest.mark.parametrize("nassl_module", [_nassl, _nassl_legacy])
|
||||
+@pytest.mark.parametrize("nassl_module", [_nassl])
|
||||
class TestX509:
|
||||
def test_from_pem(self, nassl_module):
|
||||
# Given a PEM-formatted certificate
|
||||
--- tests/ocsp_response_test.py.orig 2022-01-01 11:07:11 UTC
|
||||
+++ tests/ocsp_response_test.py
|
||||
@@ -5,7 +5,6 @@ import pytest
|
||||
import socket
|
||||
import tempfile
|
||||
|
||||
-from nassl.legacy_ssl_client import LegacySslClient
|
||||
from nassl.ocsp_response import OcspResponseNotTrustedError, verify_ocsp_response
|
||||
from nassl.ssl_client import SslClient, OpenSslVerifyEnum
|
||||
|
||||
@@ -31,7 +30,7 @@ Pd2eQ9+DkopOz3UGU7c=
|
||||
-----END CERTIFICATE-----"""
|
||||
|
||||
|
||||
-@pytest.mark.parametrize("ssl_client_cls", [SslClient, LegacySslClient])
|
||||
+@pytest.mark.parametrize("ssl_client_cls", [SslClient])
|
||||
class TestCommonOcspResponseOnline:
|
||||
def test(self, ssl_client_cls):
|
||||
# Given a website that support OCSP stapling
|
||||
--- tests/ssl_client_test.py.orig 2022-01-01 11:07:11 UTC
|
||||
+++ tests/ssl_client_test.py
|
||||
@@ -4,7 +4,6 @@ from pathlib import Path
|
||||
import pytest
|
||||
|
||||
from nassl import _nassl
|
||||
-from nassl.legacy_ssl_client import LegacySslClient
|
||||
from nassl.ssl_client import (
|
||||
ClientCertificateRequested,
|
||||
OpenSslVersionEnum,
|
||||
@@ -21,75 +20,10 @@ from nassl.ephemeral_key_info import (
|
||||
EcDhEphemeralKeyInfo,
|
||||
)
|
||||
from nassl.cert_chain_verifier import CertificateChainVerificationFailed
|
||||
-from tests.openssl_server import ModernOpenSslServer, ClientAuthConfigEnum, LegacyOpenSslServer
|
||||
+from tests.openssl_server import ModernOpenSslServer, ClientAuthConfigEnum
|
||||
|
||||
|
||||
-# TODO(AD): Switch to legacy server and add a TODO; skip tests for TLS 1.3
|
||||
-@pytest.mark.parametrize("ssl_client_cls", [SslClient, LegacySslClient])
|
||||
-class TestSslClientClientAuthentication:
|
||||
- def test_client_authentication_no_certificate_supplied(self, ssl_client_cls):
|
||||
- # Given a server that requires client authentication
|
||||
- with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
|
||||
- # And the client does NOT provide a client certificate
|
||||
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
- sock.settimeout(5)
|
||||
- sock.connect((server.hostname, server.port))
|
||||
-
|
||||
- ssl_client = ssl_client_cls(
|
||||
- ssl_version=OpenSslVersionEnum.TLSV1_2,
|
||||
- underlying_socket=sock,
|
||||
- ssl_verify=OpenSslVerifyEnum.NONE,
|
||||
- )
|
||||
- # When doing the handshake the right error is returned
|
||||
- with pytest.raises(ClientCertificateRequested):
|
||||
- ssl_client.do_handshake()
|
||||
-
|
||||
- ssl_client.shutdown()
|
||||
-
|
||||
- def test_client_authentication_no_certificate_supplied_but_ignore(self, ssl_client_cls):
|
||||
- # Given a server that accepts optional client authentication
|
||||
- with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.OPTIONAL) as server:
|
||||
- # And the client does NOT provide a client cert but is configured to ignore the client auth request
|
||||
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
- sock.settimeout(5)
|
||||
- sock.connect((server.hostname, server.port))
|
||||
-
|
||||
- ssl_client = ssl_client_cls(
|
||||
- ssl_version=OpenSslVersionEnum.TLSV1_2,
|
||||
- underlying_socket=sock,
|
||||
- ssl_verify=OpenSslVerifyEnum.NONE,
|
||||
- ignore_client_authentication_requests=True,
|
||||
- )
|
||||
- # When doing the handshake, it succeeds
|
||||
- try:
|
||||
- ssl_client.do_handshake()
|
||||
- finally:
|
||||
- ssl_client.shutdown()
|
||||
-
|
||||
- def test_client_authentication_succeeds(self, ssl_client_cls):
|
||||
- # Given a server that requires client authentication
|
||||
- with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
|
||||
- # And the client provides a client certificate
|
||||
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
- sock.settimeout(5)
|
||||
- sock.connect((server.hostname, server.port))
|
||||
-
|
||||
- ssl_client = ssl_client_cls(
|
||||
- ssl_version=OpenSslVersionEnum.TLSV1_2,
|
||||
- underlying_socket=sock,
|
||||
- ssl_verify=OpenSslVerifyEnum.NONE,
|
||||
- client_certificate_chain=server.get_client_certificate_path(),
|
||||
- client_key=server.get_client_key_path(),
|
||||
- )
|
||||
-
|
||||
- # When doing the handshake, it succeeds
|
||||
- try:
|
||||
- ssl_client.do_handshake()
|
||||
- finally:
|
||||
- ssl_client.shutdown()
|
||||
-
|
||||
-
|
||||
-@pytest.mark.parametrize("ssl_client_cls", [SslClient, LegacySslClient])
|
||||
+@pytest.mark.parametrize("ssl_client_cls", [SslClient])
|
||||
class TestSslClientOnline:
|
||||
def test(self, ssl_client_cls):
|
||||
# Given an SslClient connecting to Google
|
||||
@@ -118,80 +52,7 @@ class TestSslClientOnline:
|
||||
finally:
|
||||
ssl_client.shutdown()
|
||||
|
||||
- def test_get_dh_info_ecdh(self, ssl_client_cls):
|
||||
- with LegacyOpenSslServer(cipher="ECDHE-RSA-AES256-SHA") as server:
|
||||
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
- sock.settimeout(5)
|
||||
- sock.connect((server.hostname, server.port))
|
||||
|
||||
- ssl_client = ssl_client_cls(
|
||||
- ssl_version=OpenSslVersionEnum.TLSV1_2,
|
||||
- underlying_socket=sock,
|
||||
- ssl_verify=OpenSslVerifyEnum.NONE,
|
||||
- )
|
||||
-
|
||||
- try:
|
||||
- ssl_client.do_handshake()
|
||||
- finally:
|
||||
- ssl_client.shutdown()
|
||||
-
|
||||
- dh_info = ssl_client.get_ephemeral_key()
|
||||
-
|
||||
- assert isinstance(dh_info, NistEcDhKeyExchangeInfo)
|
||||
- assert dh_info.type == OpenSslEvpPkeyEnum.EC
|
||||
- assert dh_info.size > 0
|
||||
- assert len(dh_info.public_bytes) > 0
|
||||
- assert len(dh_info.x) > 0
|
||||
- assert len(dh_info.y) > 0
|
||||
-
|
||||
- def test_get_dh_info_dh(self, ssl_client_cls):
|
||||
- with LegacyOpenSslServer(cipher="DHE-RSA-AES256-SHA") as server:
|
||||
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
- sock.settimeout(5)
|
||||
- sock.connect((server.hostname, server.port))
|
||||
-
|
||||
- ssl_client = ssl_client_cls(
|
||||
- ssl_version=OpenSslVersionEnum.TLSV1_2,
|
||||
- underlying_socket=sock,
|
||||
- ssl_verify=OpenSslVerifyEnum.NONE,
|
||||
- )
|
||||
-
|
||||
- try:
|
||||
- ssl_client.do_handshake()
|
||||
- finally:
|
||||
- ssl_client.shutdown()
|
||||
-
|
||||
- dh_info = ssl_client.get_ephemeral_key()
|
||||
-
|
||||
- assert isinstance(dh_info, DhEphemeralKeyInfo)
|
||||
- assert dh_info.type == OpenSslEvpPkeyEnum.DH
|
||||
- assert dh_info.size > 0
|
||||
- assert len(dh_info.public_bytes) > 0
|
||||
- assert len(dh_info.prime) > 0
|
||||
- assert len(dh_info.generator) > 0
|
||||
-
|
||||
- def test_get_dh_info_no_dh(self, ssl_client_cls):
|
||||
- with LegacyOpenSslServer(cipher="AES256-SHA") as server:
|
||||
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
- sock.settimeout(5)
|
||||
- sock.connect((server.hostname, server.port))
|
||||
-
|
||||
- ssl_client = ssl_client_cls(
|
||||
- ssl_version=OpenSslVersionEnum.TLSV1_2,
|
||||
- underlying_socket=sock,
|
||||
- ssl_verify=OpenSslVerifyEnum.NONE,
|
||||
- )
|
||||
-
|
||||
- try:
|
||||
- ssl_client.do_handshake()
|
||||
- finally:
|
||||
- ssl_client.shutdown()
|
||||
-
|
||||
- dh_info = ssl_client.get_ephemeral_key()
|
||||
-
|
||||
- assert dh_info is None
|
||||
-
|
||||
-
|
||||
class TestModernSslClientOnline:
|
||||
def test_get_verified_chain(self):
|
||||
# Given an SslClient connecting to Google
|
||||
@@ -352,27 +213,6 @@ class TestModernSslClientOnline:
|
||||
assert dh_info.type == OpenSslEvpPkeyEnum.X448
|
||||
assert dh_info.size == 448
|
||||
assert len(dh_info.public_bytes) == 56
|
||||
-
|
||||
-
|
||||
-class TestLegacySslClientOnline:
|
||||
- def test_ssl_2(self):
|
||||
- # Given a server that supports SSL 2.0
|
||||
- with LegacyOpenSslServer() as server:
|
||||
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
- sock.settimeout(5)
|
||||
- sock.connect((server.hostname, server.port))
|
||||
-
|
||||
- ssl_client = LegacySslClient(
|
||||
- ssl_version=OpenSslVersionEnum.SSLV2,
|
||||
- underlying_socket=sock,
|
||||
- ssl_verify=OpenSslVerifyEnum.NONE,
|
||||
- ignore_client_authentication_requests=True,
|
||||
- )
|
||||
- # When doing the special SSL 2.0 handshake, it succeeds
|
||||
- try:
|
||||
- ssl_client.do_handshake()
|
||||
- finally:
|
||||
- ssl_client.shutdown()
|
||||
|
||||
|
||||
class TestModernSslClientOnlineTls13:
|
3
security/py-nassl/pkg-descr
Normal file
3
security/py-nassl/pkg-descr
Normal file
@ -0,0 +1,3 @@
|
||||
nassl is an experimental OpenSSL wrapper for SSLyze.
|
||||
|
||||
WWW: https://github.com/nabla-c0d3/nassl
|
Loading…
Reference in New Issue
Block a user