def test_encrypted_handshake_which_fails_decryption_throws_error(self):
tls_ctx = self._static_tls_handshake()
client_kex = tls.TLS.from_records([tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientKeyExchange()/tls_ctx.get_encrypted_pms(), tls.TLSRecord()/tls.TLSChangeCipherSpec()], tls_ctx)
tls_ctx.insert(client_kex)
tls_ctx.insert(tls.to_raw(tls.TLSFinished(), tls_ctx))
handshake = tls.TLSRecord()/tls.TLSHandshake()/"C"*5
with self.assertRaises(ValueError):
tls.TLS(str(handshake), ctx=tls_ctx)
def test_tls_record_header_is_updated_when_output(self):
data = b"ABCD" * 389
pkt = tls.TLSPlaintext(data=data)
# Use server side keys, include TLSRecord header in output
self.tls_ctx.client = False
record = tls.to_raw(pkt, self.tls_ctx, include_record=True)
self.assertTrue(record.haslayer(tls.TLSRecord))
self.assertEqual(record.content_type, 0x17)
self.assertEqual(record.version, self.tls_ctx.params.negotiated.version)
def test_tls_record_header_is_updated_when_output(self):
data = b"ABCD" * 389
pkt = tls.TLSPlaintext(data=data)
# Use server side keys, include TLSRecord header in output
self.tls_ctx.client = False
record = tls.to_raw(pkt, self.tls_ctx, include_record=True)
self.assertTrue(record.haslayer(tls.TLSRecord))
self.assertEqual(record.content_type, 0x17)
self.assertEqual(record.version,
self.tls_ctx.params.negotiated.version)
def test_format_of_tls_finished_is_as_specified_in_rfc(self):
def encrypt(crypto_container):
self.assertEqual(crypto_container.data, "\x14\x00\x00\x0c%s" % self.tls_ctx.get_verify_data())
self.assertEqual(len(crypto_container.mac), SHA.digest_size)
self.assertEqual(len(crypto_container.padding), 11)
self.assertTrue(all(map(lambda x: True if x == chr(11) else False, crypto_container.padding)))
return "A"*48
client_finished = tls.TLSRecord(content_type=0x16)/tls.to_raw(tls.TLSFinished(), self.tls_ctx, include_record=False, encrypt_hook=encrypt)
pkt = tls.TLS(str(client_finished))
# 4 bytes of TLSHandshake header, 12 bytes of verify_data, 20 bytes of HMAC SHA1, 11 bytes of padding, 1 padding length byte
self.assertEqual(pkt[tls.TLSRecord].length, len(tls.TLSHandshake()) + 12 + SHA.digest_size + 11 + 1)
def test_encrypted_layer_is_decrypted_if_required(self):
tls_ctx = self._static_tls_handshake()
client_kex = tls.TLS.from_records([tls.TLSRecord()/tls.TLSHandshake()/tls.TLSClientKeyExchange()/tls_ctx.get_encrypted_pms(), tls.TLSRecord()/tls.TLSChangeCipherSpec()], tls_ctx)
tls_ctx.insert(client_kex)
tls_ctx.insert(tls.to_raw(tls.TLSFinished(), tls_ctx))
server_finished = binascii.unhexlify("14030100010116030100305b0241932c63c0cf1e4955e0cc65f751a3921fe8227c2bae045c66be327f7e68a39dc163b382c90d2caaf197ba0563a7")
server_finished_records = tls.TLS(server_finished, ctx=tls_ctx)
tls_ctx.insert(server_finished_records)
app_request = tls.to_raw(tls.TLSPlaintext(data="GET / HTTP/1.1\r\nHOST: localhost\r\n\r\n"), tls_ctx)
tls_ctx.insert(app_request)
app_response = binascii.unhexlify("1703010020d691f8104d8fd877e7a7a7f3729936a92272c6fa93999f37a3a4b2355454a26617030107e04c7017bec4bb802bf713f815f692a50d1d911d8d78d8edc14b0e2dfde876b3da4ce748a0c6c1917490f73ba5d04fe61d250f5478416987904aa45461bc64848c3bdc573e6c99338634d9f374cba9b847b06e1f8c56039bda3b1fd5bf0007372472fa45333ccd907cec08d2e1d1beb6e1bbf7f155e09e71e480a32104873c60162d873fb0310d91261b120f51f5a7b75084d6c4bb6ba11ba59334343c96ad849e39ff09e356dcc34ef7b9857112b6a3530b85c17ac2093439e980cc1d3a78d5708ed0aea96e74fdeed11e1a2dd5dbce67f85554706a32b5b98a3a7f0752dcfe30dd1726f28d37d7eea7282efc3db3273e93cb30cec75bd200128372488b74213360ec885e720e8876cdd4a6ff0e4cd34e8726b3ce6e04e1462981f2d5acf00a4b9a478f1a6d39b3c66884364ee7b2c5294380ca140aa41d99af4b809abba5a613e690782b3ea1b09fe0daaadc32a2ca2023e19d07fa1f68d2e1268a4be72f1695676285567111cbfd89360a92227f1b7f3c2cbc92f329f02aee9b45868a11517419e7d70da2ca4709d174b5014e7d823e24d3e29ee8c62dbe7c2f1a631a5aa2571e5c5f23f2c7d78997c41eeabc91f413c90806736438c8d34f8114dfe595a0e22febab37fe04ad2966416ad0c307426dd9d3627b0642be021c5703ec40279115d11415e59dd86102ca018e8a4aed7c1988c8e53a36699fa8e55f903489bbcc9d281bd3822a927ac1536695c9419d87c30653c60b7f4b65647e4b1900b6b3963b5fc981bea5d131f1f92d81570f3dfd52287d6e7171107f2bda5f219eb2cb43d965b46ed425624b527d9c2a8ec0391144c7e9a67fead45d3cc7f0fbaeae21dd0297ecd00eea103675cf843ee7c545c611d41776adc90ddf6a4d4ff0c8fc8899b3eb76c79dbcac0d9f9b6c0e8a334a8bddff6f4f90b5b4004619bc50b65b309048c9b68d610033f2eb73dd2061e418826892494eff8df1adf5dc1b6968f620645c765507b49d48d734dd618c1dac32f28ab99f6dab2e401a8bbf8c19abf1181f8c1b98c7c06179fa096cbba3610710539b50c8f6c39fa92fe50635497dea7a4359a8dc1987ec329b3e06076ee2fa3e55fcc41f01c4c953587f60a14645850bf77675a78c6ac2cdb8a0bcf2eaf7a8f0ec154a6dc75f5c53c8ce8c733ad236b4d635fa49b6210b24a9d18326dcdac12bfff5551636306bdbbbe4190530e5a0704e9fb8f30ef7b1730686eb395c3d11c966caaeb14ee4138e8bcfe8f73119a0fab734eed3443944c6d8800124b6eeed36d530dcafa71d91657d97069b1604e7922094604aacecbf42cd487b15e2de25819fd4179ca615404307127640aa80eb8283e5462fe1abd5f9ebab03f6e95ba2bf2e8ba3e96170aed26565cde86777367e4b2193dfaceb350e1371394109e1f408c994f3c7dcc5eae506263834618a727c919f6e76898214c931f8d0d1b0200fb14a7d46e78d8634cbd918cc560e58cf2516498ecc55af46471ae01ba385727e262afe16510d54516d0c011ce678271f14a007d4c7f314cd5ae51ada413e315f85e3990b1686a8c3f9c06fe0d63e6c3438aa5b31ab526989d1f3577139eed35afdafdeb968fd88f15a670523db921a82428fac13a3cf67584e3bca1d3e7ac52ea6cf8a49992fceab78b837ed1d26cf3ce3aab33c85ac392e0e4baff9b63777f9339bfb8821759c8b4632e4ff41569fd5dda7cdadb44f1efc1dd5e19f76bff4bc9ea3b65dd0ba35cad76de5f075cb2a969a79b24c73ce8c40a2c72eb39c321404f784bd30c09073be67ed7fddcb5e1cecf78258d1b7d75dbc575c693ee045a44e09b020ca11fd62b72c5d5d5a0aa81936db25c400615c6a802bb3d218ec4cf135f27c288ba34db438902073b55e1dcd3afcef4d608d0ba63c1aecec0ea851de52931a6ccb3054a1f37a6cc2d62342226ea5249583aadd87f3bf308f5355d4d349772b14a6dba9076fa8a32cdc72cc2ee8c59bbdf2980192e8de69694d49cb81eb3e32770c477035130593c29288a10d67e0a261352c1d60c1565180c41c4ee7f3e07d4a5fb6f4d6c5ef087741ce6078ed8fecb1cf2894efb0b72d62119934831aab0d93ce7609b1d7b2e3d2b0fc0099e2ef70cd56a8cad09a4407ec34090d138b30adc2b872e286ddd22102ad8149fdb4b69266ba476aad1cc27fa4ca7170f2ac1e36c3800c6109e3e59007a681a2f22f836c1e75d86df4760959475a55e360503481adac9ad89b2f183f3366f8f71436a8717eb8b40ceb1b57e247b6aa79d88372fc45cfec9d26de12b4eb71bd2b322ccb49131b799ef5bfc240c2c6b0c4de812a0458865e85ea4b3738a164b845c82084dee165d0cfe88e96570f7f0eff3acbbcaeede932e2c3329349eae0e6f5b2eac5fe137f7a4ee5896b9dfa3f22e6b7f02868e3ca45be16f6df6f164e43ea4b57d1c2d9929336b0cc1c1267c0828d0e22b22481ab2a2a34824c2cd4408e663d16cf1111f13ddae650c5859da944f18892ff75997dd245c6e728670a5afd485002560b6e2e79cd43d08dbd31994ccbc6b0b222aaa415583cd2f3d12025db6c8bba2eeea56f9b806760c58eead3f71477987019c75d409e0ff1f99a0cb8910c818173823ab0f53f2f94bc8b054fc0bfd5f95e328c0d73fe4e2b9383be452c14d9d6882e371cd76e375d44aecb2e134cd86fdbaa367554f996b7918b4d32f83824a2486a2dafa83e5c0de439253083823311d07963ffb7b17edaa490acd07488868bf4a03eea544787d0eeae87c2079a2c4b0b860717637938660d6cbc4cf65f3e9f8b0eeb09ba8b2fab43fd074da31cc0c13692ea72f377aec89a77babb545b6da2f09a32")
app_response_records = tls.TLS(app_response, ctx=tls_ctx)
tls_ctx.insert(app_response_records)
# Test decryption against given states
self.assertTrue(server_finished_records.haslayer(tls.TLSPlaintext))
self.assertEqual(server_finished_records[tls.TLSPlaintext].padding_len, ord("\x0b"))
self.assertEqual(server_finished_records[tls.TLSPlaintext].padding, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b")
self.assertEqual(server_finished_records[tls.TLSPlaintext].mac, "\xac'\x9a\x94\xf6t'\x18E\x03nD\x0b\xf4\xf7\xf5T\xce\x05q")
self.assertEqual(server_finished_records[tls.TLSPlaintext].data, "\x14\x00\x00\x0c3\x13V\xac\x90.6\x89~7\x13\xbd")
self.assertTrue(app_response_records.haslayer(tls.TLSPlaintext))
self.assertTrue(app_response_records[3][tls.TLSPlaintext].data.startswith("HTTP"))
def test_encrypted_handshake_which_fails_decryption_throws_error(self):
tls_ctx = self._static_tls_handshake()
client_kex = tls.TLS.from_records([
tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientKeyExchange() /
tls_ctx.get_encrypted_pms(),
tls.TLSRecord() / tls.TLSChangeCipherSpec()
], tls_ctx)
tls_ctx.insert(client_kex)
tls_ctx.insert(tls.to_raw(tls.TLSFinished(), tls_ctx))
handshake = tls.TLSRecord() / tls.TLSHandshake() / "C" * 5
with self.assertRaises(ValueError):
tls.TLS(str(handshake), ctx=tls_ctx)
def test_encrypted_layer_is_decrypted_if_required(self):
tls_ctx = self._static_tls_handshake()
client_kex = tls.TLS.from_records([
tls.TLSRecord() / tls.TLSHandshake() / tls.TLSClientKeyExchange() /
tls_ctx.get_encrypted_pms(),
tls.TLSRecord() / tls.TLSChangeCipherSpec()
], tls_ctx)
tls_ctx.insert(client_kex)
tls_ctx.insert(tls.to_raw(tls.TLSFinished(), tls_ctx))
server_finished = binascii.unhexlify(
"14030100010116030100305b0241932c63c0cf1e4955e0cc65f751a3921fe8227c2bae045c66be327f7e68a39dc163b382c90d2caaf197ba0563a7"
)
server_finished_records = tls.TLS(server_finished, ctx=tls_ctx)
tls_ctx.insert(server_finished_records)
app_request = tls.to_raw(
tls.TLSPlaintext(data="GET / HTTP/1.1\r\nHOST: localhost\r\n\r\n"),
tls_ctx)
tls_ctx.insert(app_request)
app_response = binascii.unhexlify(
"1703010020d691f8104d8fd877e7a7a7f3729936a92272c6fa93999f37a3a4b2355454a26617030107e04c7017bec4bb802bf713f815f692a50d1d911d8d78d8edc14b0e2dfde876b3da4ce748a0c6c1917490f73ba5d04fe61d250f5478416987904aa45461bc64848c3bdc573e6c99338634d9f374cba9b847b06e1f8c56039bda3b1fd5bf0007372472fa45333ccd907cec08d2e1d1beb6e1bbf7f155e09e71e480a32104873c60162d873fb0310d91261b120f51f5a7b75084d6c4bb6ba11ba59334343c96ad849e39ff09e356dcc34ef7b9857112b6a3530b85c17ac2093439e980cc1d3a78d5708ed0aea96e74fdeed11e1a2dd5dbce67f85554706a32b5b98a3a7f0752dcfe30dd1726f28d37d7eea7282efc3db3273e93cb30cec75bd200128372488b74213360ec885e720e8876cdd4a6ff0e4cd34e8726b3ce6e04e1462981f2d5acf00a4b9a478f1a6d39b3c66884364ee7b2c5294380ca140aa41d99af4b809abba5a613e690782b3ea1b09fe0daaadc32a2ca2023e19d07fa1f68d2e1268a4be72f1695676285567111cbfd89360a92227f1b7f3c2cbc92f329f02aee9b45868a11517419e7d70da2ca4709d174b5014e7d823e24d3e29ee8c62dbe7c2f1a631a5aa2571e5c5f23f2c7d78997c41eeabc91f413c90806736438c8d34f8114dfe595a0e22febab37fe04ad2966416ad0c307426dd9d3627b0642be021c5703ec40279115d11415e59dd86102ca018e8a4aed7c1988c8e53a36699fa8e55f903489bbcc9d281bd3822a927ac1536695c9419d87c30653c60b7f4b65647e4b1900b6b3963b5fc981bea5d131f1f92d81570f3dfd52287d6e7171107f2bda5f219eb2cb43d965b46ed425624b527d9c2a8ec0391144c7e9a67fead45d3cc7f0fbaeae21dd0297ecd00eea103675cf843ee7c545c611d41776adc90ddf6a4d4ff0c8fc8899b3eb76c79dbcac0d9f9b6c0e8a334a8bddff6f4f90b5b4004619bc50b65b309048c9b68d610033f2eb73dd2061e418826892494eff8df1adf5dc1b6968f620645c765507b49d48d734dd618c1dac32f28ab99f6dab2e401a8bbf8c19abf1181f8c1b98c7c06179fa096cbba3610710539b50c8f6c39fa92fe50635497dea7a4359a8dc1987ec329b3e06076ee2fa3e55fcc41f01c4c953587f60a14645850bf77675a78c6ac2cdb8a0bcf2eaf7a8f0ec154a6dc75f5c53c8ce8c733ad236b4d635fa49b6210b24a9d18326dcdac12bfff5551636306bdbbbe4190530e5a0704e9fb8f30ef7b1730686eb395c3d11c966caaeb14ee4138e8bcfe8f73119a0fab734eed3443944c6d8800124b6eeed36d530dcafa71d91657d97069b1604e7922094604aacecbf42cd487b15e2de25819fd4179ca615404307127640aa80eb8283e5462fe1abd5f9ebab03f6e95ba2bf2e8ba3e96170aed26565cde86777367e4b2193dfaceb350e1371394109e1f408c994f3c7dcc5eae506263834618a727c919f6e76898214c931f8d0d1b0200fb14a7d46e78d8634cbd918cc560e58cf2516498ecc55af46471ae01ba385727e262afe16510d54516d0c011ce678271f14a007d4c7f314cd5ae51ada413e315f85e3990b1686a8c3f9c06fe0d63e6c3438aa5b31ab526989d1f3577139eed35afdafdeb968fd88f15a670523db921a82428fac13a3cf67584e3bca1d3e7ac52ea6cf8a49992fceab78b837ed1d26cf3ce3aab33c85ac392e0e4baff9b63777f9339bfb8821759c8b4632e4ff41569fd5dda7cdadb44f1efc1dd5e19f76bff4bc9ea3b65dd0ba35cad76de5f075cb2a969a79b24c73ce8c40a2c72eb39c321404f784bd30c09073be67ed7fddcb5e1cecf78258d1b7d75dbc575c693ee045a44e09b020ca11fd62b72c5d5d5a0aa81936db25c400615c6a802bb3d218ec4cf135f27c288ba34db438902073b55e1dcd3afcef4d608d0ba63c1aecec0ea851de52931a6ccb3054a1f37a6cc2d62342226ea5249583aadd87f3bf308f5355d4d349772b14a6dba9076fa8a32cdc72cc2ee8c59bbdf2980192e8de69694d49cb81eb3e32770c477035130593c29288a10d67e0a261352c1d60c1565180c41c4ee7f3e07d4a5fb6f4d6c5ef087741ce6078ed8fecb1cf2894efb0b72d62119934831aab0d93ce7609b1d7b2e3d2b0fc0099e2ef70cd56a8cad09a4407ec34090d138b30adc2b872e286ddd22102ad8149fdb4b69266ba476aad1cc27fa4ca7170f2ac1e36c3800c6109e3e59007a681a2f22f836c1e75d86df4760959475a55e360503481adac9ad89b2f183f3366f8f71436a8717eb8b40ceb1b57e247b6aa79d88372fc45cfec9d26de12b4eb71bd2b322ccb49131b799ef5bfc240c2c6b0c4de812a0458865e85ea4b3738a164b845c82084dee165d0cfe88e96570f7f0eff3acbbcaeede932e2c3329349eae0e6f5b2eac5fe137f7a4ee5896b9dfa3f22e6b7f02868e3ca45be16f6df6f164e43ea4b57d1c2d9929336b0cc1c1267c0828d0e22b22481ab2a2a34824c2cd4408e663d16cf1111f13ddae650c5859da944f18892ff75997dd245c6e728670a5afd485002560b6e2e79cd43d08dbd31994ccbc6b0b222aaa415583cd2f3d12025db6c8bba2eeea56f9b806760c58eead3f71477987019c75d409e0ff1f99a0cb8910c818173823ab0f53f2f94bc8b054fc0bfd5f95e328c0d73fe4e2b9383be452c14d9d6882e371cd76e375d44aecb2e134cd86fdbaa367554f996b7918b4d32f83824a2486a2dafa83e5c0de439253083823311d07963ffb7b17edaa490acd07488868bf4a03eea544787d0eeae87c2079a2c4b0b860717637938660d6cbc4cf65f3e9f8b0eeb09ba8b2fab43fd074da31cc0c13692ea72f377aec89a77babb545b6da2f09a32"
)
app_response_records = tls.TLS(app_response, ctx=tls_ctx)
tls_ctx.insert(app_response_records)
# Test decryption against given states
self.assertTrue(server_finished_records.haslayer(tls.TLSPlaintext))
self.assertEqual(server_finished_records[tls.TLSPlaintext].padding_len,
ord("\x0b"))
self.assertEqual(server_finished_records[tls.TLSPlaintext].padding,
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b")
self.assertEqual(
server_finished_records[tls.TLSPlaintext].mac,
"\xac'\x9a\x94\xf6t'\x18E\x03nD\x0b\xf4\xf7\xf5T\xce\x05q")
self.assertEqual(server_finished_records[tls.TLSPlaintext].data,
"\x14\x00\x00\x0c3\x13V\xac\x90.6\x89~7\x13\xbd")
self.assertTrue(app_response_records.haslayer(tls.TLSPlaintext))
self.assertTrue(
app_response_records[3][tls.TLSPlaintext].data.startswith("HTTP"))
def test_all_hooks_are_called_when_defined(self):
# Return the data twice, but do not compress
def custom_compress(comp_method, pre_compress_data):
return pre_compress_data * 2
# Return cleartext, null mac, null padding
def pre_encrypt(crypto_container):
crypto_container.mac = b""
crypto_container.padding = b""
return crypto_container
# Return cleartext
encrypt = lambda x: str(x)
data = b"ABCD"
pkt = tls.TLSPlaintext(data=data)
raw = tls.to_raw(pkt, self.tls_ctx, include_record=False, compress_hook=custom_compress, pre_encrypt_hook=pre_encrypt, encrypt_hook=encrypt)
self.assertEqual(len(raw), len(data) * 2)
self.assertEqual(raw, data * 2)
def test_all_hooks_are_called_when_defined(self):
# Return the data twice, but do not compress
def custom_compress(comp_method, pre_compress_data):
return pre_compress_data * 2
# Return cleartext, null mac, null padding
pre_encrypt = lambda x: (x, b"", b"")
# Return cleartext
encrypt = lambda x, y, z: x
data = b"ABCD"
pkt = tls.TLSPlaintext(data=data)
raw = tls.to_raw(pkt,
self.tls_ctx,
include_record=False,
compress_hook=custom_compress,
pre_encrypt_hook=pre_encrypt,
encrypt_hook=encrypt)
self.assertEqual(len(raw), len(data) * 2)
self.assertEqual(raw, data * 2)
def test_format_of_tls_finished_is_as_specified_in_rfc(self):
def encrypt(cleartext, mac, padding):
self.assertEqual(
cleartext,
"\x14\x00\x00\x0c%s" % self.tls_ctx.get_verify_data())
self.assertEqual(len(mac), SHA.digest_size)
self.assertEqual(len(padding), 11)
self.assertTrue(
all(map(lambda x: True if x == chr(11) else False, padding)))
return "A" * 48
client_finished = tls.TLSRecord(content_type=0x16) / tls.to_raw(
tls.TLSFinished(),
self.tls_ctx,
include_record=False,
encrypt_hook=encrypt)
pkt = tls.TLS(str(client_finished))
# 4 bytes of TLSHandshake header, 12 bytes of verify_data, 20 bytes of HMAC SHA1, 11 bytes of padding, 1 padding length byte
self.assertEqual(
pkt[tls.TLSRecord].length,
len(tls.TLSHandshake()) + 12 + SHA.digest_size + 11 + 1)
def test_record_payload_is_identical_to_raw_payload(self):
pkt = tls.TLSPlaintext(data=b"ABCD")
raw = tls.to_raw(pkt, self.tls_ctx, include_record=False)
record = tls.TLSRecord()/raw
self.assertEqual(len(record[tls.TLSRecord]) - 0x5, len(raw))
self.assertEqual(str(record[tls.TLSRecord].payload), raw)
def test_unsupported_layer_raises_error(self):
pkt = tls.TLSClientHello()
with self.assertRaises(KeyError):
tls.to_raw(pkt, self.tls_ctx)
def test_invalid_tls_session_context_raises_error(self):
with self.assertRaises(ValueError):
tls.to_raw(None, None)
def test_record_payload_is_identical_to_raw_payload(self):
pkt = tls.TLSPlaintext(data=b"ABCD")
raw = tls.to_raw(pkt, self.tls_ctx, include_record=False)
record = tls.TLSRecord() / raw
self.assertEqual(len(record[tls.TLSRecord]) - 0x5, len(raw))
self.assertEqual(str(record[tls.TLSRecord].payload), raw)
def test_unsupported_layer_raises_error(self):
pkt = tls.TLSClientHello()
with self.assertRaises(KeyError):
tls.to_raw(pkt, self.tls_ctx)
def test_invalid_tls_session_context_raises_error(self):
with self.assertRaises(ValueError):
tls.to_raw(None, None)
