def main(): hostname = "localhost" port = 4433 number_of_alerts = 4 run_exclude = set() alert_level = AlertLevel.fatal alert_description = None argv = sys.argv[1:] opts, args = getopt.getopt(argv, "h:p:e:n:", ["help", "alert-level=", "alert-description="]) for opt, arg in opts: if opt == '-h': hostname = arg elif opt == '-p': port = int(arg) elif opt == '-e': run_exclude.add(arg) elif opt == '-n': number_of_alerts = int(arg) elif opt == '--help': help_msg() sys.exit(0) elif opt == '--alert-level': alert_level = flexible_getattr(arg, AlertLevel) elif opt == '--alert-description': alert_description = flexible_getattr(arg, AlertDescription) else: raise ValueError("Unknown option: {0}".format(opt)) if args: run_only = set(args) else: run_only = None conversations = {} conversation = Connect(hostname, port, version=(3, 3)) node = conversation ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA] node = node.add_child(ClientHelloGenerator(ciphers)) for _ in range(number_of_alerts): # sending alerts during handshake node = node.add_child(AlertGenerator( # alert description: 46, 41, 43 AlertLevel.warning, AlertDescription.unsupported_certificate)) node = node.add_child(ExpectServerHello()) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(ClientKeyExchangeGenerator()) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(ExpectChangeCipherSpec()) node = node.add_child(ExpectFinished()) node = node.add_child(AlertGenerator( AlertLevel.warning, AlertDescription.close_notify)) node = node.add_child(ExpectAlert(AlertLevel.warning, AlertDescription.close_notify)) node.next_sibling = ExpectClose() conversations["SSL Death Alert without getting alert"] = conversation conversation = Connect(hostname, port, version=(3, 3)) node = conversation ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA] node = node.add_child(ClientHelloGenerator(ciphers)) for _ in range(number_of_alerts+1): node = node.add_child(AlertGenerator( AlertLevel.warning, AlertDescription.unsupported_certificate)) node = node.add_child(ExpectServerHello()) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(ExpectAlert(alert_level, alert_description)) node = node.add_child(ExpectClose()) conversations["SSL Death Alert with getting alert"] = conversation # run the conversation good = 0 bad = 0 failed = [] shuffled_tests = sample(list(conversations.items()), len(conversations)) for conversation_name, conversation in shuffled_tests: if run_only and conversation_name not in run_only: continue if conversation_name in run_exclude: continue print("{0} ...".format(conversation_name)) runner = Runner(conversation) res = True try: runner.run() except Exception: print("Error while processing") print(traceback.format_exc()) res = False if res: good += 1 print("OK\n") else: bad += 1 failed.append(conversation_name) print("Test for the OpenSSL Death Alert (CVE-2016-8610) vulnerability") print("Checks if the server will accept arbitrary number of warning level") print("alerts (specified with the -n option)") print("version: {0}\n".format(version)) print("Test end") print("successful: {0}".format(good)) print("failed: {0}".format(bad)) failed_sorted = sorted(failed, key=natural_sort_keys) print(" {0}".format('\n '.join(repr(i) for i in failed_sorted))) if bad > 0: sys.exit(1)
def test_with_invalid_name(self): with self.assertRaises(AttributeError): flexible_getattr("seccc", GroupName)
def test_with_name(self): self.assertEqual(24, flexible_getattr("secp384r1", GroupName))
def test_with_none(self): self.assertIsNone(flexible_getattr("none", GroupName))
def test_with_number(self): self.assertEqual(12, flexible_getattr("12", None))
def main(): hostname = "localhost" port = 4433 number_of_alerts = 4 run_exclude = set() expected_failures = {} last_exp_tmp = None alert_level = AlertLevel.fatal alert_description = None dhe = False argv = sys.argv[1:] opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help", "alert-level=", "alert-description="]) for opt, arg in opts: if opt == '-h': hostname = arg elif opt == '-p': port = int(arg) elif opt == '-e': run_exclude.add(arg) elif opt == '-x': expected_failures[arg] = None last_exp_tmp = str(arg) elif opt == '-X': if not last_exp_tmp: raise ValueError("-x has to be specified before -X") expected_failures[last_exp_tmp] = str(arg) elif opt == '-n': number_of_alerts = int(arg) elif opt == '-d': dhe = True elif opt == '--help': help_msg() sys.exit(0) elif opt == '--alert-level': alert_level = flexible_getattr(arg, AlertLevel) elif opt == '--alert-description': alert_description = flexible_getattr(arg, AlertDescription) else: raise ValueError("Unknown option: {0}".format(opt)) if args: run_only = set(args) else: run_only = None conversations = {} conversation = Connect(hostname, port, version=(3, 3)) node = conversation if dhe: ext = {} groups = [GroupName.secp256r1, GroupName.ffdhe2048] ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\ .create(groups) ext[ExtensionType.signature_algorithms] = \ SignatureAlgorithmsExtension().create(RSA_SIG_ALL) ext[ExtensionType.signature_algorithms_cert] = \ SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL) ciphers = [ CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA ] else: ext = None ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA] node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext)) for _ in range(number_of_alerts): # sending alerts during handshake node = node.add_child( AlertGenerator( # alert description: 46, 41, 43 AlertLevel.warning, AlertDescription.unsupported_certificate)) node = node.add_child(ExpectServerHello()) node = node.add_child(ExpectCertificate()) if dhe: node = node.add_child(ExpectServerKeyExchange()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(ClientKeyExchangeGenerator()) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(ExpectChangeCipherSpec()) node = node.add_child(ExpectFinished()) node = node.add_child( AlertGenerator(AlertLevel.warning, AlertDescription.close_notify)) node = node.add_child( ExpectAlert(AlertLevel.warning, AlertDescription.close_notify)) node.next_sibling = ExpectClose() conversations["SSL Death Alert without getting alert"] = conversation conversation = Connect(hostname, port, version=(3, 3)) node = conversation if dhe: ext = {} groups = [GroupName.secp256r1, GroupName.ffdhe2048] ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\ .create(groups) ext[ExtensionType.signature_algorithms] = \ SignatureAlgorithmsExtension().create(RSA_SIG_ALL) ext[ExtensionType.signature_algorithms_cert] = \ SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL) ciphers = [ CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA ] else: ext = None ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA] node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext)) for _ in range(number_of_alerts + 1): node = node.add_child( AlertGenerator(AlertLevel.warning, AlertDescription.unsupported_certificate)) node = node.add_child(ExpectServerHello()) node = node.add_child(ExpectCertificate()) if dhe: node = node.add_child(ExpectServerKeyExchange()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(ExpectAlert(alert_level, alert_description)) node = node.add_child(ExpectClose()) conversations["SSL Death Alert with getting alert"] = conversation # run the conversation good = 0 bad = 0 xfail = 0 xpass = 0 failed = [] xpassed = [] sampled_tests = sample(list(conversations.items()), len(conversations)) for c_name, conversation in sampled_tests: if run_only and c_name not in run_only: continue if c_name in run_exclude: continue print("{0} ...".format(c_name)) runner = Runner(conversation) res = True exception = None try: runner.run() except Exception as exp: exception = exp print("Error while processing") print(traceback.format_exc()) res = False if c_name in expected_failures: if res: xpass += 1 xpassed.append(c_name) print("XPASS: expected failure but test passed\n") else: if expected_failures[c_name] is not None and \ expected_failures[c_name] not in str(exception): bad += 1 failed.append(c_name) print("Expected error message: {0}\n".format( expected_failures[c_name])) else: xfail += 1 print("OK-expected failure\n") else: if res: good += 1 print("OK\n") else: bad += 1 failed.append(conversation_name) print("Test for the OpenSSL Death Alert (CVE-2016-8610) vulnerability") print("Checks if the server will accept arbitrary number of warning level") print("alerts (specified with the -n option)") print("version: {0}\n".format(version)) print("Test end") print(20 * '=') print("TOTAL: {0}".format(len(sampled_tests))) print("SKIP: {0}".format( len(run_exclude.intersection(conversations.keys())))) print("PASS: {0}".format(good)) print("XFAIL: {0}".format(xfail)) print("FAIL: {0}".format(bad)) print("XPASS: {0}".format(xpass)) print(20 * '=') sort = sorted(xpassed, key=natural_sort_keys) if len(sort): print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort))) sort = sorted(failed, key=natural_sort_keys) if len(sort): print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort))) if bad > 0: sys.exit(1)