def test_fixed_crypto_data_matches_verify_data(self):
client_verify_data = "e23f73911909a86be9e93fdb"
server_verify_data = "c83b8eb028d3c4a8d82c1c17"
tls_ctx = tlsc.TLSSessionCtx()
# tls_ctx.rsa_load_keys(self.pem_priv_key)
client_hello = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientHello(gmt_unix_time=1234,
random_bytes="A" * 28)
# Hello Request should be ignored in verify_data calculation
tls_ctx.insert(tls.TLSHelloRequest())
tls_ctx.insert(client_hello)
tls_ctx.premaster_secret = "B" * 48
epms = "C" * 256
server_hello = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSServerHello(gmt_unix_time=1234,
session_id="",
random_bytes="A" * 28)
tls_ctx.insert(server_hello)
client_kex = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientKeyExchange() /\
tls.TLSClientRSAParams(data=epms)
tls_ctx.insert(client_kex)
self.assertEqual(client_verify_data, binascii.hexlify(tls_ctx.get_verify_data()))
# Make sure that client finish is included in server finish calculation
tls_ctx.set_mode(server=True)
client_finish = tls.TLSRecord() / tls.TLSHandshake() / tls.tls_to_raw(
tls.TLSFinished(data=tls_ctx.get_verify_data()), tls_ctx)
tls_ctx.insert(client_finish)
self.assertEqual(server_verify_data, binascii.hexlify(tls_ctx.get_verify_data()))
def _do_kex(self, version):
self.pem_priv_key = """-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDDLrmt4lKRpm6P
2blptwJsa1EBuxuuAayLjwNqKGvm5c1CAUEa/NtEpUMM8WYKRDwxzakUIGI/BdP3
NOEMphcs5+OekgJLhzoSdtAIrXPy8JIidENZE6FzCJ2b6fHU5O4hoNvv1Bx5yoZr
HVaWJIZMRRocJJ0Nf9oMaU8IE6m6OdBzQHEwcnL2/a8Q3VxstHufzjILmaZD9WL+
6AESlQMKZPNQ+Xd7d4nvnVkY4ZV46tA+KvADGuotgovQwG+uiyQoGRrQUms21vHF
zIvd3G9OCiyCTCHSyfsE3g7tks33NZ8O8gF8xa9OmU9TQPwwAyUr6JQXz0CW77o7
Cr9LpHuNAgMBAAECggEBAJRbMbtfqc8XqDYjEfGur2Lld19Pb0yl7RbvD3NjYhDR
X2DqPyhaRfg5fWubGSp4jyBz6C5qJwMsVN80DFNm83qoj7T52lC6aoOaV6og3V8t
SIZzxLUyXKdpRxM5kR13HSHmeQYkPbi9HcrRM/1PqdzTMXNuyQl3wq9oZDAJchsf
fmoh080htkaxhEb1bMXa2Lj7j2OIkHOsQeIu6BdbxIKRPIT+zrcklE6ocW8fTWAS
Qi3IZ1FYLL+fs6TTxjx0VkC8QLaxWxY0pqTiwS7ndZiZKc3l3ARuvRk8buP+X3Jg
BD86FQ18OXZC9boMbDbzv2cOLtdkq5pS3lJE4F9gjYECgYEA69ukU2pNWot2OPwK
PuPwAXWNrvnvFzQgIc0qOiCmgKJU6wqunlop4Bx5XmetHExVyJVBEhaHoDr0F3Rs
gt8IclKDsWGXoVcgfu3llMimiZ05hOf/XtcGTCZwZenMQ30cFh4ZRuUu7WCZ9tqO
28P8jCXB3IcaRpRnNvVvmCr5NXECgYEA09nUzRW993SlohceRW2C9fT9HZ4BaPWO
5wVlnoo5mlUfAyzl+AGT/WlKmrn/1gAHIznQJ8ZIABQvPaBXhvkANXZP5Ie0lObw
jA7qFuKt7yV4GGlDnU1MOLh+acABMQBGSx8BJDaomH7glTiPEPTZjoP6wfAsd1uv
Knjt7jH2ad0CgYEAx9ghknRd+rx0fbBBVix4riPW20324ihOmZVnlD0aF6B0Z3tz
ncUz+irmQ7GBIpsjjIO60QK6BHAvZrhFQVaNp6B26ZORkSlr5WDZyImDYtMPa6fP
36I+OcPQNOo3I3Acnjj+ne2PJ59Ula92oIudr3pGmv72qpsQIacw2TSAWGECgYEA
sdNAN+HPMn68ZaGoLDjvW8uIB6tQnay5hhvWn8yA65YV0RGH+7Q/Z9BQ6i3EnPor
A5uMqUZbu4011jHYJpiuXzHvf/GVWAO92KLQReOCgqHd/Aen1MtEdrwOiG+90Ebd
ukLNL3ud61tc4oS2OlJ8p48LFm2mtY3FLA6UEYPoxhUCgYEAtsfWIGnBh7XC+HwI
2higSgN92VpJHSPOyOi0aG/u5AEQ+fsCUIi3KakxzvmiGMAEvWItkKyz2Gu8smtn
2HVsGxI5UW7aLw9s3qe8kyMSfUk6pGamVhJUQmDr77+5zEzykPBxwGwDwdeR43CR
xVgf/Neb/avXgIgi6drj8dp1fWA=
-----END PRIVATE KEY-----
"""
rsa_priv_key = RSA.importKey(self.pem_priv_key)
self.priv_key = PKCS1_v1_5.new(rsa_priv_key)
self.pub_key = PKCS1_v1_5.new(rsa_priv_key.publickey())
self.tls_ctx = tlsc.TLSSessionCtx()
self.tls_ctx.rsa_load_keys(self.pem_priv_key)
# SSLv2
self.record_version = 0x0002
self.version = version
# RSA_WITH_AES_128_SHA
self.cipher_suite = tls.TLSCipherSuite.RSA_WITH_AES_128_CBC_SHA
# DEFLATE
self.comp_method = tls.TLSCompressionMethod.NULL
self.client_hello = tls.TLSRecord(
version=self.record_version) / tls.TLSHandshake(
) / tls.TLSClientHello(version=version,
compression_methods=[self.comp_method],
cipher_suites=[self.cipher_suite])
self.tls_ctx.insert(self.client_hello)
self.server_hello = tls.TLSRecord(
version=self.version) / tls.TLSHandshake() / tls.TLSServerHello(
version=version,
compression_method=self.comp_method,
cipher_suite=self.cipher_suite)
self.tls_ctx.insert(self.server_hello)
# Build method to generate EPMS automatically in TLSSessionCtx
self.client_kex = tls.TLSRecord(
version=self.version) / tls.TLSHandshake(
) / tls.TLSClientKeyExchange(data=self.tls_ctx.get_encrypted_pms())
self.tls_ctx.insert(self.client_kex)
def test_negotiated_cipher_is_used_in_context(self):
# RSA_WITH_NULL_MD5
cipher_suite = 0x1
pkt = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSServerHello(gmt_unix_time=123456, random_bytes="A" * 28,
cipher_suite=cipher_suite)
tls_ctx = tlsc.TLSSessionCtx()
tls_ctx.insert(pkt)
self.assertEqual(tls_ctx.negotiated.key_exchange,
tlsc.TLSSecurityParameters.crypto_params[cipher_suite]["key_exchange"]["name"])
self.assertEqual(tls_ctx.negotiated.mac,
tlsc.TLSSecurityParameters.crypto_params[cipher_suite]["hash"]["name"])
def test_negotiated_compression_method_is_used_in_context(self):
# DEFLATE
compression_method = 0x1
pkt = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSServerHello(gmt_unix_time=123456, random_bytes="A" * 28,
compression_method=compression_method)
tls_ctx = tlsc.TLSSessionCtx()
tls_ctx.insert(pkt)
self.assertEqual(tls_ctx.params.negotiated.compression_algo,
tlsc.TLSCompressionParameters.comp_params[compression_method]["name"])
input_ = "some data" * 16
self.assertEqual(tls_ctx.compression.method.decompress(tls_ctx.compression.method.compress(input_)), input_)
def test_decrypted_pms_matches_generated_pms(self):
tls_ctx = tlsc.TLSSessionCtx()
tls_ctx.server_ctx.load_rsa_keys(self.pem_priv_key)
pkt = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientHello()
tls_ctx.insert(pkt)
epms = tls_ctx.get_encrypted_pms()
pkt = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSServerHello()
tls_ctx.insert(pkt)
pkt = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientKeyExchange() / tls.TLSClientRSAParams(data=epms)
tls_ctx.insert(pkt)
self.assertEqual(tls_ctx.encrypted_premaster_secret, epms)
self.assertEqual(tls_ctx.premaster_secret, self.priv_key.decrypt(epms, None))
def setUp(self):
self.server_hello = tls.TLSRecord() / tls.TLSHandshake(
) / tls.TLSServerHello()
self.cert_list = tls.TLSRecord() / tls.TLSHandshake(
) / tls.TLSCertificateList()
self.server_hello_done = tls.TLSRecord() / tls.TLSHandshake(
) / tls.TLSServerHelloDone()
self.stacked_pkt = tls.TLS.from_records(
[self.server_hello, self.cert_list, self.server_hello_done])
# issue 28
der_cert = '0\x82\x03\xe70\x82\x02\xcf\xa0\x03\x02\x01\x02\x02\t\x00\xb9\xee\xd4\xd9U\xa5\x9e\xb30\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x000p1\x0b0\t\x06\x03U\x04\x06\x13\x02UK1\x160\x14\x06\x03U\x04\n\x0c\rOpenSSL Group1"0 \x06\x03U\x04\x0b\x0c\x19FOR TESTING PURPOSES ONLY1%0#\x06\x03U\x04\x03\x0c\x1cOpenSSL Test Intermediate CA0\x1e\x17\r111208140148Z\x17\r211016140148Z0d1\x0b0\t\x06\x03U\x04\x06\x13\x02UK1\x160\x14\x06\x03U\x04\n\x0c\rOpenSSL Group1"0 \x06\x03U\x04\x0b\x0c\x19FOR TESTING PURPOSES ONLY1\x190\x17\x06\x03U\x04\x03\x0c\x10Test Server Cert0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xf3\x84\xf3\x926\xdc\xb2F\xcafz\xe5)\xc5\xf3I("\xd3\xb9\xfe\xe0\xde\xe48\xce\xee"\x1c\xe9\x91;\x94\xd0r/\x87\x85YKf\xb1\xc5\xf5z\x85]\xc2\x0f\xd3.)X6\xccHk\xa2\xa2\xb5&\xceg\xe2G\xb6\xdfI\xd2?\xfa\xa2\x10\xb7\xc2\x97D~\x874mm\xf2\x8b\xb4U+\xd6!\xdeSK\x90\xea\xfd\xea\xf985+\xf4\xe6\x9a\x0e\xf6\xbb\x12\xab\x87!\xc3/\xbc\xf4\x06\xb8\x8f\x8e\x10\x07\'\x95\xe5B\xcb\xd1\xd5\x10\x8c\x92\xac\xee\x0f\xdc#H\x89\xc9\xc6\x93\x0c"\x02\xe7t\xe7%\x00\xab\xf8\x0f\\\x10\xb5\x85;f\x94\xf0\xfbMW\x06U!"%\xdb\xf3\xaa\xa9`\xbfM\xaay\xd1\xab\x92H\xba\x19\x8e\x12\xech\xd9\xc6\xba\xdf\xecZ\x1c\xd8C\xfe\xe7R\xc9\xcf\x02\xd0\xc7\x7f\xc9~\xb0\x94\xe3SDX\x0b.\xfd)t\xb5\x06\x9b\\D\x8d\xfb2u\xa4:\xa8g{\x872\nP\x8d\xe1\xa2\x13J%\xaf\xe6\x1c\xb1%\xbf\xb4\x99\xa2S\xd3\xa2\x02\xbf\x11\x02\x03\x01\x00\x01\xa3\x81\x8f0\x81\x8c0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xe00,\x06\t`\x86H\x01\x86\xf8B\x01\r\x04\x1f\x16\x1dOpenSSL Generated Certificate0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x82\xbc\xcf\x00\x00\x13\xd1\xf79%\x9a\'\xe7\xaf\xd2\xef \x1bn\xac0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x146\xc3l\x88\xe7\x95\xfe\xb0\xbd\xec\xce>=\x86\xab!\x81\x87\xda\xda0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xa9\xbdMW@t\xfe\x96\xe9+\xd6x\xfd\xb3c\xcc\xf4\x0bM\x12\xcaZt\x8d\x9b\xf2a\xe6\xfd\x06\x11C\x84\xfc\x17\xa0\xeccc6\xb9\x9e6j\xb1\x02Zj[?j\xa1\xea\x05e\xac~@\x1aHe\x88\xd19M\xd3Kw\xe9\xc8\xbb+\x9eZ\xf4\x0849G\xb9\x02\x081\x9a\xf1\xd9\x17\xc5\xe9\xa6\xa5\x96Km@\xa9[e(\xcb\xcb\x00\x03\x82c7\xd3\xad\xb1\x96;v\xf5\x17\x16\x02{\xbdSSFr4\xd6\x08d\x9d\xbbC\xfbd\xb1I\x07w\tazB\x17\x110\x0c\xd9\'\\\xf5q\xb6\xf0\x180\xf3~\xf1\x85?2~J\xaf\xb3\x10\xf7l\xc6\x85K-\'\xad\n \\\xfb\x8d\x19p4\xb9u_|\x87\xd5\xc3\xec\x93\x13A\xfcs\x03\xb9\x8d\x1a\xfe\xf7&\x86I\x03\xa9\xc5\x82?\x80\r)I\xb1\x8f\xed$\x1b\xfe\xcfX\x90F\xe7\xa8\x87\xd4\x1ey\xef\x99m\x18\x9f>\x8b\x82\x07\xc1C\xc7\xe0%\xb6\xf1\xd3\x00\xd7@\xabK\x7f+z>\xa6\x99LT'
stacked_handshake_layers = [
tls.TLSHandshake() / tls.TLSServerHello(),
tls.TLSHandshake() / tls.TLSCertificateList(certificates=[
tls.TLSCertificate(data=x509.X509Cert(der_cert))
]),
tls.TLSHandshake() / tls.TLSServerHelloDone()
]
self.stacked_handshake = tls.TLS(
str(
tls.TLSRecord(content_type="handshake") /
"".join(list(map(str, stacked_handshake_layers)))))
unittest.TestCase.setUp(self)
def test_fixed_crypto_data_matches_verify_data(self):
verify_data = "12003ac89553b7a233da64b9"
tls_ctx = tlsc.TLSSessionCtx()
# tls_ctx.rsa_load_keys(self.pem_priv_key)
client_hello = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientHello(gmt_unix_time=1234,
random_bytes="A" * 28)
tls_ctx.insert(client_hello)
tls_ctx.crypto.session.premaster_secret = "B" * 48
epms = "C" * 256
server_hello = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSServerHello(gmt_unix_time=1234,
random_bytes="A" * 28)
tls_ctx.insert(server_hello)
client_kex = tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientKeyExchange() /\
tls.TLSClientRSAParams(data=epms)
tls_ctx.insert(client_kex)
self.assertEqual(binascii.hexlify(tls_ctx.get_verify_data()), verify_data)