def test_tls_1_1_and_above_iv_is_null(self):
    # With explicit_iv=True (the TLS 1.1+ record format per the test name),
    # the derived client and server write IVs are expected to be 16 zero
    # bytes rather than key-block material.
    aes128_cbc_sha = 0x2f  # RSA_WITH_AES_128_CBC_SHA
    null_iv = "\x00" * 16
    params = tlsc.TLSSecurityParameters(
        self.prf,
        aes128_cbc_sha,
        self.pre_master_secret,
        self.client_random,
        self.server_random,
        explicit_iv=True)
    self.assertEqual(params.client_write_IV, null_iv)
    self.assertEqual(params.server_write_IV, null_iv)
def test_building_with_null_cipher_sets_lengths(self):
    # RSA_WITH_NULL_MD5 provides integrity (MD5 MAC) but no encryption, so
    # the cipher key length must be zero while the MAC key length still
    # tracks the digest size. Fixture only: a NULL suite gives no
    # confidentiality.
    null_md5 = 0x1  # RSA_WITH_NULL_MD5
    params = tlsc.TLSSecurityParameters(
        self.prf,
        null_md5,
        self.pre_master_secret,
        self.client_random,
        self.server_random)
    self.assertEqual(params.cipher_key_length, 0)
    self.assertEqual(params.mac_key_length, MD5.digest_size)
    self.assertEqual(params.iv_length, tlsc.NullCipher.block_size)
def test_building_with_supported_cipher_sets_lengths(self):
    # For AES-128-CBC with SHA-1 the security parameters must report a
    # 16-byte cipher key, a MAC key as long as the SHA digest, and an IV of
    # one AES block.
    aes128_cbc_sha = 0x2f  # RSA_WITH_AES_128_CBC_SHA
    params = tlsc.TLSSecurityParameters(
        self.prf,
        aes128_cbc_sha,
        self.pre_master_secret,
        self.client_random,
        self.server_random)
    self.assertEqual(params.cipher_key_length, 16)
    self.assertEqual(params.mac_key_length, SHA.digest_size)
    self.assertEqual(params.iv_length, AES.block_size)
def test_cleartext_message_matches_decrypted_message_with_stream_cipher(self):
    # Round-trip check for a stream-cipher suite: what the client encryption
    # cipher produces must decrypt back to the same bytes with the client
    # decryption cipher. RC4 is used here as a fixture only; RC4 suites are
    # prohibited for TLS by RFC 7465.
    rc4_128_sha = 0x5  # RSA_WITH_RC4_128_SHA
    params = tlsc.TLSSecurityParameters(
        self.prf,
        rc4_128_sha,
        self.pre_master_secret,
        self.client_random,
        self.server_random)
    # The derived master secret must match the fixture's known value before
    # the ciphers built from it are exercised.
    self.assertEqual(params.master_secret, self.master_secret)
    encryptor = params.get_client_enc_cipher()
    decryptor = params.get_client_dec_cipher()
    plaintext = "a" * 32
    ciphertext = encryptor.encrypt(plaintext)
    recovered = decryptor.decrypt(ciphertext)
    self.assertEqual(recovered, plaintext)
def test_streaming_mac_and_padding_are_added_if_session_context_is_provided(
        self):
    # When a session context with a stream-cipher suite is supplied, the
    # alert dissector should split the trailing MD5-sized bytes off as the
    # MAC and report empty padding (stream ciphers do not pad).
    # Fixture only: export-grade RC4-56 is deliberately weakened.
    expected_mac = "B" * MD5.digest_size
    data = "%s%s" % ("A" * 2, expected_mac)
    session = tlsc.TLSSessionCtx()
    session.sec_params = tlsc.TLSSecurityParameters(
        tls.TLSCipherSuite.RSA_EXPORT1024_WITH_RC4_56_MD5,
        "A" * 48,
        "B" * 32,
        "C" * 32)
    alert = tls.TLSAlert(data, ctx=session)
    self.assertEqual(expected_mac, alert[tls.TLSAlert].mac)
    self.assertEqual("", alert[tls.TLSAlert].padding)
def test_cbc_mac_and_padding_are_added_if_session_context_is_provided(
        self):
    # With a CBC suite in the session context, the dissector should peel the
    # record tail apart as: SHA-sized MAC, padding bytes, then a final
    # padding-length byte. Four 0x03 bytes therefore yield three padding
    # bytes plus a padding_len of 3.
    # Fixture only: single DES has a 56-bit key.
    pad_byte = "\x03"
    expected_mac = "B" * SHA.digest_size
    data = "%s%s%s" % ("A" * 2, expected_mac, pad_byte * 4)
    session = tlsc.TLSSessionCtx()
    session.sec_params = tlsc.TLSSecurityParameters(
        tls.TLSCipherSuite.RSA_WITH_DES_CBC_SHA,
        "A" * 48,
        "B" * 32,
        "C" * 32)
    alert = tls.TLSAlert(data, ctx=session)
    self.assertEqual(ord(pad_byte), alert[tls.TLSAlert].padding_len)
    self.assertEqual(pad_byte * 3, alert[tls.TLSAlert].padding)
    self.assertEqual(expected_mac, alert[tls.TLSAlert].mac)
def test_hmac_used_matches_selected_ciphersuite(self):
    # For a *_SHA suite the client HMAC handed out by the security
    # parameters must be HMAC-SHA keyed with client_write_MAC_key. The
    # cipher mode and an encrypt/decrypt round trip are checked on the way.
    des3_cbc_sha = 0xa  # RSA_WITH_3DES_EDE_CBC_SHA
    params = tlsc.TLSSecurityParameters(
        self.prf,
        des3_cbc_sha,
        self.pre_master_secret,
        self.client_random,
        self.server_random)
    self.assertEqual(params.master_secret, self.master_secret)

    encryptor = params.get_client_enc_cipher()
    decryptor = params.get_client_dec_cipher()
    self.assertEqual(encryptor.mode, DES3.MODE_CBC)

    plaintext = "a" * 32
    ciphertext = encryptor.encrypt(plaintext)
    self.assertEqual(decryptor.decrypt(ciphertext), plaintext)

    # Compare against an independently constructed HMAC over the same
    # message so that a wrong digest or a wrong key is detected.
    message = "some secret"
    client_hmac = params.get_client_hmac()
    client_hmac.update(message)
    actual_digest = client_hmac.hexdigest()
    reference = HMAC.new(params.client_write_MAC_key, message,
                         digestmod=SHA)
    self.assertEqual(actual_digest, reference.hexdigest())
def test_explicit_iv_is_added_for_tls_1_1_if_session_context_is_provided(
        self):
    # With TLS 1.1 negotiated and a CBC suite in the session context, the
    # dissector should treat the first AES block of the record as the
    # explicit IV, then split the tail into MAC, padding and padding length.
    pad_byte = "\x03"
    expected_iv = "C" * AES.block_size
    expected_mac = "B" * SHA.digest_size
    data = "%s%s%s%s" % (expected_iv, "A" * 2, expected_mac, pad_byte * 4)
    session = tlsc.TLSSessionCtx()
    session.params.negotiated.version = tls.TLSVersion.TLS_1_1
    # The trailing positional True is presumably explicit_iv (it is passed
    # by keyword in other tests on this page) - confirm against the
    # constructor signature.
    session.sec_params = tlsc.TLSSecurityParameters(
        tls.TLSCipherSuite.RSA_WITH_AES_256_CBC_SHA,
        "A" * 48,
        "B" * 32,
        "C" * 32,
        True)
    alert = tls.TLSAlert(data, ctx=session)
    self.assertEqual(ord(pad_byte), alert[tls.TLSAlert].padding_len)
    self.assertEqual(pad_byte * 3, alert[tls.TLSAlert].padding)
    self.assertEqual(expected_mac, alert[tls.TLSAlert].mac)
    self.assertEqual(expected_iv, alert[tls.TLSAlert].explicit_iv)
def test_cleartext_message_matches_decrypted_message_with_block_cipher(
        self):
    # Round-trip check for a CBC block-cipher suite: the client ciphers must
    # be AES in CBC mode and decrypt(encrypt(x)) must return x for a
    # block-aligned 32-byte plaintext.
    # NOTE(review): this call omits the leading self.prf argument that other
    # tests on this page pass to TLSSecurityParameters - confirm which
    # constructor signature this revision expects.
    aes128_cbc_sha = 0x2f  # RSA_WITH_AES_128_CBC_SHA
    params = tlsc.TLSSecurityParameters(
        aes128_cbc_sha,
        self.pre_master_secret,
        self.client_random,
        self.server_random)
    self.assertEqual(params.master_secret, self.master_secret)
    encryptor = params.get_client_enc_cipher()
    decryptor = params.get_client_dec_cipher()
    self.assertEqual(encryptor.mode, AES.MODE_CBC)
    plaintext = "a" * 32
    ciphertext = encryptor.encrypt(plaintext)
    recovered = decryptor.decrypt(ciphertext)
    self.assertEqual(recovered, plaintext)
def test_unsupported_cipher_suite_throws_exception(self):
    # An unknown cipher suite identifier must be rejected with RuntimeError
    # instead of yielding security parameters.
    # NOTE(review): this call omits the leading self.prf argument that other
    # tests on this page pass to TLSSecurityParameters - confirm which
    # constructor signature this revision expects, so that the RuntimeError
    # is really raised by the suite lookup.
    unknown_suite = 0xffff
    self.assertRaises(
        RuntimeError,
        tlsc.TLSSecurityParameters,
        unknown_suite,
        self.pre_master_secret,
        self.client_random,
        self.server_random)