def test_negotiated_cipher_is_used_in_context(self): # RSA_WITH_NULL_MD5 cipher_suite = 0x1 pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSServerHello(gmt_unix_time=123456, random_bytes="A"*24, cipher_suite=cipher_suite) tls_ctx = tlsc.TLSSessionCtx() tls_ctx.insert(pkt) self.assertEqual(tls_ctx.params.negotiated.key_exchange, tlsc.TLSSecurityParameters.crypto_params[cipher_suite]["key_exchange"]["name"]) self.assertEqual(tls_ctx.params.negotiated.mac, tlsc.TLSSecurityParameters.crypto_params[cipher_suite]["hash"]["name"])
def test_negotiated_compression_method_is_used_in_context(self): # DEFLATE compression_method = 0x1 pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSServerHello(gmt_unix_time=123456, random_bytes="A"*24, compression_method=compression_method) tls_ctx = tlsc.TLSSessionCtx() tls_ctx.insert(pkt) self.assertEqual(tls_ctx.params.negotiated.compression_algo, tlsc.TLSCompressionParameters.comp_params[compression_method]["name"]) input_ = "some data" * 16 self.assertEqual(tls_ctx.compression.method.decompress(tls_ctx.compression.method.compress(input_)), input_)
def test_decrypted_pms_matches_generated_pms(self): tls_ctx = tlsc.TLSSessionCtx() tls_ctx.rsa_load_keys(self.pem_priv_key) pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientHello() tls_ctx.insert(pkt) epms = tls_ctx.get_encrypted_pms() pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSServerHello() tls_ctx.insert(pkt) pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientKeyExchange()/epms tls_ctx.insert(pkt) self.assertEqual(tls_ctx.crypto.session.encrypted_premaster_secret, epms) self.assertEqual(tls_ctx.crypto.session.premaster_secret, self.priv_key.decrypt(epms, None))
def test_keys_are_set_in_context_when_loaded(self): tls_ctx = tlsc.TLSSessionCtx() pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientHello(version=0x0301) tls_ctx.insert(pkt) tls_ctx.rsa_load_keys(self.pem_priv_key) self.assertIsNotNone(tls_ctx.crypto.server.rsa.privkey) self.assertIsNotNone(tls_ctx.crypto.server.rsa.pubkey) # Broken due to pycrypto bug: https://github.com/dlitz/pycrypto/issues/114 # Uncomment when fixed upstream #self.assertTrue(tls_ctx.crypto.server.rsa.privkey.can_decrypt()) #self.assertTrue(tls_ctx.crypto.server.rsa.pubkey.can_decrypt()) self.assertTrue(tls_ctx.crypto.server.rsa.privkey.can_encrypt())
def setUp(self): self.pem_priv_key = """-----BEGIN PRIVATE KEY----- MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDDLrmt4lKRpm6P 2blptwJsa1EBuxuuAayLjwNqKGvm5c1CAUEa/NtEpUMM8WYKRDwxzakUIGI/BdP3 NOEMphcs5+OekgJLhzoSdtAIrXPy8JIidENZE6FzCJ2b6fHU5O4hoNvv1Bx5yoZr HVaWJIZMRRocJJ0Nf9oMaU8IE6m6OdBzQHEwcnL2/a8Q3VxstHufzjILmaZD9WL+ 6AESlQMKZPNQ+Xd7d4nvnVkY4ZV46tA+KvADGuotgovQwG+uiyQoGRrQUms21vHF zIvd3G9OCiyCTCHSyfsE3g7tks33NZ8O8gF8xa9OmU9TQPwwAyUr6JQXz0CW77o7 Cr9LpHuNAgMBAAECggEBAJRbMbtfqc8XqDYjEfGur2Lld19Pb0yl7RbvD3NjYhDR X2DqPyhaRfg5fWubGSp4jyBz6C5qJwMsVN80DFNm83qoj7T52lC6aoOaV6og3V8t SIZzxLUyXKdpRxM5kR13HSHmeQYkPbi9HcrRM/1PqdzTMXNuyQl3wq9oZDAJchsf fmoh080htkaxhEb1bMXa2Lj7j2OIkHOsQeIu6BdbxIKRPIT+zrcklE6ocW8fTWAS Qi3IZ1FYLL+fs6TTxjx0VkC8QLaxWxY0pqTiwS7ndZiZKc3l3ARuvRk8buP+X3Jg BD86FQ18OXZC9boMbDbzv2cOLtdkq5pS3lJE4F9gjYECgYEA69ukU2pNWot2OPwK PuPwAXWNrvnvFzQgIc0qOiCmgKJU6wqunlop4Bx5XmetHExVyJVBEhaHoDr0F3Rs gt8IclKDsWGXoVcgfu3llMimiZ05hOf/XtcGTCZwZenMQ30cFh4ZRuUu7WCZ9tqO 28P8jCXB3IcaRpRnNvVvmCr5NXECgYEA09nUzRW993SlohceRW2C9fT9HZ4BaPWO 5wVlnoo5mlUfAyzl+AGT/WlKmrn/1gAHIznQJ8ZIABQvPaBXhvkANXZP5Ie0lObw jA7qFuKt7yV4GGlDnU1MOLh+acABMQBGSx8BJDaomH7glTiPEPTZjoP6wfAsd1uv Knjt7jH2ad0CgYEAx9ghknRd+rx0fbBBVix4riPW20324ihOmZVnlD0aF6B0Z3tz ncUz+irmQ7GBIpsjjIO60QK6BHAvZrhFQVaNp6B26ZORkSlr5WDZyImDYtMPa6fP 36I+OcPQNOo3I3Acnjj+ne2PJ59Ula92oIudr3pGmv72qpsQIacw2TSAWGECgYEA sdNAN+HPMn68ZaGoLDjvW8uIB6tQnay5hhvWn8yA65YV0RGH+7Q/Z9BQ6i3EnPor A5uMqUZbu4011jHYJpiuXzHvf/GVWAO92KLQReOCgqHd/Aen1MtEdrwOiG+90Ebd ukLNL3ud61tc4oS2OlJ8p48LFm2mtY3FLA6UEYPoxhUCgYEAtsfWIGnBh7XC+HwI 2higSgN92VpJHSPOyOi0aG/u5AEQ+fsCUIi3KakxzvmiGMAEvWItkKyz2Gu8smtn 2HVsGxI5UW7aLw9s3qe8kyMSfUk6pGamVhJUQmDr77+5zEzykPBxwGwDwdeR43CR xVgf/Neb/avXgIgi6drj8dp1fWA= -----END PRIVATE KEY----- """ rsa_priv_key = RSA.importKey(self.pem_priv_key) self.priv_key = PKCS1_v1_5.new(rsa_priv_key) self.pub_key = PKCS1_v1_5.new(rsa_priv_key.publickey()) self.tls_ctx = tlsc.TLSSessionCtx() self.tls_ctx.rsa_load_keys(self.pem_priv_key) # SSLv2 self.record_version = 0x0002 # TLSv1.0 self.hello_version = 0x0301 # RSA_WITH_AES_128_SHA self.cipher_suite = 0x2f # DEFLATE self.comp_method = 0x1 self.client_hello = tls.TLSRecord(version=self.record_version)/tls.TLSHandshake()/tls.TLSClientHello(version=self.hello_version, compression_methods=[self.comp_method], cipher_suites=[self.cipher_suite]) self.tls_ctx.insert(self.client_hello) self.server_hello = tls.TLSRecord(version=self.hello_version)/tls.TLSHandshake()/tls.TLSServerHello(version=self.hello_version, compression_method=self.comp_method, cipher_suite=self.cipher_suite) self.tls_ctx.insert(self.server_hello) # Build method to generate EPMS automatically in TLSSessionCtx self.client_kex = tls.TLSRecord(version=self.hello_version)/tls.TLSHandshake()/tls.TLSClientKeyExchange()/self.tls_ctx.get_encrypted_pms() self.tls_ctx.insert(self.client_kex) unittest.TestCase.setUp(self)
def test_fixed_crypto_data_matches_verify_data(self): verify_data = "d948eac6ecac3a73d8b3c8a5" tls_ctx = tlsc.TLSSessionCtx() #tls_ctx.rsa_load_keys(self.pem_priv_key) client_hello = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientHello(gmt_unix_time=1234, random_bytes="A"*28) tls_ctx.insert(client_hello) tls_ctx.crypto.session.premaster_secret = "B"*48 epms = "C"*256 server_hello = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSServerHello(gmt_unix_time=1234, random_bytes="A"*28) tls_ctx.insert(server_hello) client_kex = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientKeyExchange()/epms tls_ctx.insert(client_kex) self.assertEqual(binascii.hexlify(tls_ctx.get_verify_data()), verify_data)
def __init__(self, socket, client=None, tls_ctx=None): if socket is not None: self._s = socket else: raise ValueError("Socket cannot be None") if client is None: self.client = self._is_listening(socket) else: self.client = client if tls_ctx is None: import ssl_tls_crypto as tlsc self.tls_ctx = tlsc.TLSSessionCtx(self.client) else: self.tls_ctx = tls_ctx
history = [] import scapy from scapy.all import * import socket #<----- for local testing only sys.path.append("../scapy/layers") from ssl_tls import * import ssl_tls_crypto #------> target = ('192.168.220.131', 4433) # MAKE SURE TO CHANGE THIS # create tcp socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(target) session = ssl_tls_crypto.TLSSessionCtx() session.rsa_load_privkey(open('c:\\_tmp\\polarssl.key', 'r').read()) # fake initial session packet for session tracking sip, sport = s.getsockname() session.insert( IP(src=sip, dst=target[0]) / TCP(sport=sport, dport=target[1])) # create TLS Handhsake / Client Hello packet p = TLSRecord() / TLSHandshake() / TLSClientHello( compression_methods=None, cipher_suites=[TLSCipherSuite.RSA_WITH_AES_128_CBC_SHA], random_bytes='R' * 28) p.show()
def test_encrypted_pms_is_only_available_after_server_certificate_is_presented(self): pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientHello() tls_ctx = tlsc.TLSSessionCtx() tls_ctx.insert(pkt) with self.assertRaises(ValueError): tls_ctx.get_encrypted_pms()
def test_random_pms_is_generated_on_client_hello(self): tls_ctx = tlsc.TLSSessionCtx() pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientHello(version=0x0301) tls_ctx.insert(pkt) self.assertIsNotNone(tls_ctx.crypto.session.premaster_secret)
def test_encrypting_pms_fails_if_no_certificate_in_connection(self): tls_ctx = tlsc.TLSSessionCtx() pkt = tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientHello(version=0x0301) tls_ctx.insert(pkt) with self.assertRaises(ValueError): tls_ctx.get_encrypted_pms()