From 6f73f766ac8e37d054d058ebf7239c5501196c9c Mon Sep 17 00:00:00 2001 From: emdee Date: Thu, 3 Nov 2022 05:31:50 +0000 Subject: [PATCH] Fixed TLS1.3 --- tox-irc-sync.py | 26 ++++++++---- tox-irc-sync_test.bash | 95 +++++++++++++++++++++++++++++------------- 2 files changed, 85 insertions(+), 36 deletions(-) diff --git a/tox-irc-sync.py b/tox-irc-sync.py index 0712894..c3431cc 100644 --- a/tox-irc-sync.py +++ b/tox-irc-sync.py @@ -234,7 +234,7 @@ class SyniTox(Tox): else: override = False # TLSv1_3_METHOD does not exist - context = SSL.Context(SSL.TLSv1_2_METHOD) + context = SSL.Context(SSL.TLS_CLIENT_METHOD) # TLSv1_2_METHOD # SSL.OP_NO_TLSv1_1 is allowed context.set_options(SSL.OP_NO_SSLv2|SSL.OP_NO_SSLv3|SSL.OP_NO_TLSv1) # this maybe necessary even for a 1.3 site to get the handshake @@ -249,12 +249,22 @@ class SyniTox(Tox): val = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT LOG.info('Using keyfile: %s' % self._oArgs.irc_pem) if True: - key = self._oArgs.irc_pem.replace('.pem', '.crt') + # key = self._oArgs.irc_pem.replace('.pem', '.crt') + assert os.path.exists(key), key context.use_certificate_file(key, filetype=SSL.FILETYPE_PEM) if True: - key = self._oArgs.irc_pem.replace('.pem', '.key') + # key = self._oArgs.irc_pem.replace('.pem', '.key') assert os.path.exists(key), key context.use_privatekey_file(key, filetype=SSL.FILETYPE_PEM) + #? load_client_ca + def SSL_hands_cb(oConn,iLine,iRet): + # where in the SSL handshake the function was called, and + # the return code from a internal function call + print(f"iLine={iLine}, iRet={iRet}") + # context.set_info_callback(SSL_hands_cb) + def keylog_callback(oConn,s): + print(s) + context.set_keylog_callback(keylog_callback) else: val = SSL.VERIFY_PEER context.set_verify(val, ssl_verify_cb(HOST, override)) @@ -267,10 +277,10 @@ class SyniTox(Tox): if self._oArgs.irc_ssl == 'tlsv1.1': context.set_min_proto_version(SSL.TLS1_1_VERSION) elif self._oArgs.irc_ssl == 'tlsv1.2': - context.set_cipher_list(bytes(' '.join(lOPENSSL_12_CIPHERS), 'UTF-8')) + context.set_cipher_list(bytes(':'.join(['DEFAULT@SECLEVEL=1']+lOPENSSL_12_CIPHERS), 'UTF-8')) context.set_min_proto_version(SSL.TLS1_2_VERSION) elif self._oArgs.irc_ssl == 'tlsv1.3': -#? context.set_cipher_list(bytes(' '.join(lOPENSSL_13_CIPHERS), 'UTF-8')) + context.set_cipher_list(bytes(':'.join(['DEFAULT@SECLEVEL=1']+lOPENSSL_13_CIPHERS), 'UTF-8')) context.set_min_proto_version(SSL.TLS1_3_VERSION) self._ssl_context = context @@ -567,7 +577,7 @@ class SyniTox(Tox): self.diagnose_ciphers(irc) else: irc.connect((ip, self._oArgs.irc_port)) - LOG.info(f"IRC {'SSL ' if self._oArgs.irc_ssl else ''} connected ") + LOG.info(f"IRC SSL={self._oArgs.irc_ssl} connected ") except wrapper_tests.socks.Socks5Error as e: iSocks5Error += 1 @@ -614,6 +624,7 @@ class SyniTox(Tox): self._oArgs.irc_ident, self._oArgs.irc_host, self._oArgs.irc_name), 'UTF-8')) + # OSError: [Errno 9] Bad file descriptor def dht_init(self): @@ -732,7 +743,8 @@ class SyniTox(Tox): elif l[1] not in ['372']: i = line.find(' ') print(line[i+1:]) - + else: + LOG.info('MOTD') rx = re.match(r':(.*?)!.*? PRIVMSG %s :(.*?)\r' % self._oArgs.irc_chan, line, re.S) if rx: diff --git a/tox-irc-sync_test.bash b/tox-irc-sync_test.bash index 71203ae..c35192a 100644 --- a/tox-irc-sync_test.bash +++ b/tox-irc-sync_test.bash @@ -1,4 +1,5 @@ #!/bin/bash +# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*- #export LD_LIBRARY_PATH=/usr/local/lib #export TOXCORE_LIBS=/mnt/linuxPen19/var/local/src/c-toxcore/_build @@ -13,13 +14,50 @@ export PYTHONPATH=/mnt/o/var/local/src/toxygen_wrapper.git/ ERROR() { echo ERROR $* ; } } -TLS=2 +HOST=irc.oftc.net +IRC_PORT=6667 +IRCS_PORT=6697 +ONION=oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion + +TLS=0 a=`openssl ciphers -s -v|grep -c v1.3` if [ "$a" -lt 3 ] ; then WARN no SSSL TLSv1.3 ciphers available to the client. TLS=2 +elif nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p $IRCS_PORT $HOST | grep -q 'TLSv1.3:' ; then + TLS=3 +else + TLS=2 +fi +TLS=3 + +if [ "$TLS" -ne 0 ] ; then + SD=$HOME/.config/ssl/$HOST + [ -d $SD ] || mkdir -p $SD || exit 2 + if [ ! -s $SD/$nick.key ] ; then + # ed25519 + openssl req -x509 -nodes -newkey rsa:2048 \ + -keyout $SD/$nick.key \ + -days 3650 -out $SD/$nick.crt || exit 3 + chmod 400 $SD/$nick.key + fi + if [ ! -s $SD/$nick.fp ] ; then + openssl x509 -noout -fingerprint -SHA1 -text \ + < $SD/$nick.crt > $SD/$nick.fp || exit 4 + fi + if [ ! -s $SD/$nick.pem ] ; then + cat $SD/$nick.crt $SD/$nick.key > $SD/$nick.pem + chmod 400 $SD/$nick.pem || exit 5 + fi + ls -l -s $SD/$nick.pem fi +curl -vvvvv --cacert /etc/ssl/cacert-testforge.pem \ + --cert ~/.config/ssl/$HOST/SyniTox.pem \ + https://$HOST:$IRCS_PORT \ + 2>&1| grep "SSL connection using TLSv1.$TLS" + [ $? -gt 0 ] && WARN curl not OK + declare -a RARGS RARGS=( --log_level 10 @@ -32,13 +70,12 @@ RARGS+=( ) declare -a LARGS LARGS=( - --irc_host irc.oftc.net - --irc_port 7000 + --irc_host $HOST + --irc_port $IRC_PORT --irc_ssl "" --irc_ident SyniTox --irc_name SyniTox --irc_nick SyniTox - --irc_pass password ) DBUG $? @@ -50,13 +87,13 @@ fi CIPHER_DOWNGRADE_OVER_TOR=" -Nmap scan report for irc.oftc.net (130.239.18.116) +Nmap scan report for $HOST (130.239.18.116) Host is up (0.26s latency). -Other addresses for irc.oftc.net (not scanned): (null) +Other addresses for $HOST (not scanned): (null) rDNS record for 130.239.18.116: solenoid.acc.umu.se PORT STATE SERVICE -6697/tcp open ircs-u +$IRCS_PORT/tcp open ircs-u | ssl-enum-ciphers: | TLSv1.0: | ciphers: @@ -67,44 +104,44 @@ PORT STATE SERVICE |_ least strength: A " # I know that site does v1.3 3 ciphers -if [ $# -eq 0 -o "$1" = 2 ] ; then - nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p 6697 irc.oftc.net - - # oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion - # irc.oftc.net - LARGS=( - --irc_host irc.oftc.net - --irc_port 6697 +LARGS=( + --irc_host $HOST + --irc_port $IRCS_PORT --irc_ssl tlsv1.$TLS --irc_ident SyniTox --irc_name SyniTox --irc_nick SyniTox --irc_pass password - --irc_pem $HOME/.config/ssl/irc.oftc.net/SyniTox.pem + --irc_pem $HOME/.config/ssl/$HOST/SyniTox.pem # E178E7B9BD9E540278118193AD2C84DEF9B35E85 - --irc_fp $HOME/.config/ssl/irc.oftc.net/SyniTox.fp - --irc_cadir '/etc/ssl/certs' - --irc_cafile /etc/ssl/cacert.pem + --irc_fp $HOME/.config/ssl/$HOST/SyniTox.fp + --irc_cafile /usr/local/etc/ssl/cacert-testforge.pem ) + +if [ $# -eq 0 -o "$1" = 2 ] ; then + INFO SSL v1.$TLS + python3 tox-irc-sync.py "${LARGS[@]}" "${RARGS[@]}" "$@" DBUG $? fi -if [ $# -eq 0 -o "$1" = 2 ] ; then - INFO SSL - python3 tox-irc-sync.py "${LARGS[@]}" "${RARGS[@]}" "$@" -fi - -ip=oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion +ip=$ONION if [ $# -eq 0 -o "$1" = 3 ] ; then - nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p 6697 $ip - INFO Onion + nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p $IRCS_PORT $ip + INFO Onion v1.$TLS python3 tox-irc-sync.py "${LARGS[@]}" --irc_connect $ip "${RARGS[@]}" "$@" DBUG $? fi -ip=`tor-resolve -4 $ip` +ip=`tor-resolve -4 $ONION` if [ $? -eq 0 -a -n "$ip" ] && [ $# -eq 0 -o "$1" = 4 ] ; then - nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p 6697 $ip + curl -vvvvv --cacert /etc/ssl/cacert-testforge.pem \ + --cert ~/.config/ssl/$HOST/SyniTox.pem \ + --connect-to $ip:$IRCS_PORT \ + https://$HOST:$IRCS_PORT \ + 2>&1| grep "SSL connection using TLSv1.$TLS" + + [ $? -gt 0 ] && WARN curl not OK + nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p $IRCS_PORT $ip INFO IP $ip python3 tox-irc-sync.py "${LARGS[@]}" --irc_connect $ip "${RARGS[@]}" "$@" DBUG $?