def test_add_in_order(self): d = OrderedDict() d[1] = "a" d[2] = "b" d[3] = "c" d[4] = "d" d[5] = "e" d[6] = "f" d[7] = "g" self.assertEqual([1, 2, 3, 4, 5, 6, 7], list(d.keys())) self.assertEqual(["a", "b", "c", "d", "e", "f", "g"], list(d.values()))
def main(): """Check if server is not vulnerable to Bleichenbacher attack""" host = "localhost" port = 4433 num_limit = None run_exclude = set() expected_failures = {} last_exp_tmp = None timeout = 1.0 alert = AlertDescription.bad_record_mac level = AlertLevel.fatal srv_extensions = {ExtensionType.renegotiation_info: None} no_sni = False repetitions = 100 interface = None timing = False outdir = "/tmp" cipher = CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA affinity = None argv = sys.argv[1:] opts, args = getopt.getopt(argv, "h:p:e:x:X:t:n:a:l:l:o:i:C:", ["help", "no-safe-renego", "no-sni", "repeat=", "cpu-list="]) for opt, arg in opts: if opt == '-h': host = arg elif opt == '-p': port = int(arg) elif opt == '-e': run_exclude.add(arg) elif opt == '-x': expected_failures[arg] = None last_exp_tmp = str(arg) elif opt == '-X': if not last_exp_tmp: raise ValueError("-x has to be specified before -X") expected_failures[last_exp_tmp] = str(arg) elif opt == '-n': num_limit = int(arg) elif opt == '-C': if arg[:2] == '0x': cipher = int(arg, 16) else: try: cipher = getattr(CipherSuite, arg) except AttributeError: cipher = int(arg) elif opt == '-t': timeout = float(arg) elif opt == '-a': alert = int(arg) elif opt == '-l': level = int(arg) elif opt == "-i": timing = True interface = arg elif opt == '-o': outdir = arg elif opt == "--repeat": repetitions = int(arg) elif opt == "--no-safe-renego": srv_extensions = None elif opt == "--no-sni": no_sni = True elif opt == "--cpu-list": affinity = arg elif opt == '--help': help_msg() sys.exit(0) else: raise ValueError("Unknown option: {0}".format(opt)) if args: run_only = set(args) else: run_only = None cln_extensions = {ExtensionType.renegotiation_info: None} if is_valid_hostname(host) and not no_sni: cln_extensions[ExtensionType.server_name] = \ SNIExtension().create(bytearray(host, 'ascii')) # RSA key exchange check if cipher not in CipherSuite.certSuites: print("Ciphersuite has to use RSA key exchange.") exit(1) conversations = OrderedDict() conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(ClientKeyExchangeGenerator()) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(ExpectChangeCipherSpec()) node = node.add_child(ExpectFinished()) node = node.add_child(ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n"))) node = node.add_child(ExpectApplicationData()) node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify)) node = node.add_child(ExpectAlert()) node.next_sibling = ExpectClose() node = node.add_child(ExpectClose()) conversations["sanity"] = conversation runner = Runner(conversation) try: runner.run() except Exception as exp: # Exception means the server rejected the ciphersuite print("Failing on {0} because server does not support it. ".format(CipherSuite.ietfNames[cipher])) print(20 * '=') exit(1) # check if a certain number doesn't trip up the server # (essentially a second sanity test) conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={2: 1})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(ExpectChangeCipherSpec()) node = node.add_child(ExpectFinished()) node = node.add_child(ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n"))) node = node.add_child(ExpectApplicationData()) node = node.add_child(AlertGenerator(AlertLevel.warning, AlertDescription.close_notify)) node = node.add_child(ExpectAlert()) node.next_sibling = ExpectClose() node = node.add_child(ExpectClose()) conversations["sanity - static non-zero byte in random padding"] = conversation # first put tests that are the benchmark to be compared to # fuzz MAC in the Finshed message to make decryption fail conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator()) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(fuzz_mac(FinishedGenerator(), xors={0:0xff})) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["invalid MAC in Finished on pos 0"] = conversation conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator()) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(fuzz_mac(FinishedGenerator(), xors={-1:0xff})) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["invalid MAC in Finished on pos -1"] = conversation # and for good measure, add something that sends invalid padding conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator()) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(fuzz_padding(FinishedGenerator(), xors={-1:0xff, -2:0x01})) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["invalid padding_length in Finished"] = conversation # create a CKE with PMS the runner doesn't know/use conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) # use too short PMS but then change padding so that the PMS is # correct length with correct TLS version but the encryption keys # that tlsfuzzer calculates will be incorrect node = node.add_child(ClientKeyExchangeGenerator( padding_subs={-3: 0, -2: 3, -1: 3}, premaster_secret=bytearray([1] * 46))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["fuzzed pre master secret"] = conversation # set 2nd byte of padding to 3 (invalid value) conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={1: 3})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["set PKCS#1 padding type to 3"] = conversation # set 2nd byte of padding to 1 (signing) conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={1: 1})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["set PKCS#1 padding type to 1"] = conversation # test early zero in random data conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={4: 0})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["zero byte in random padding"] = conversation # check if early padding separator is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={-2: 0})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["zero byte in last byte of random padding"] = conversation # check if separator without any random padding is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={2: 0})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["zero byte in first byte of random padding"] = conversation # check if invalid first byte of encoded value is correctly detecte conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={0: 1})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["invalid version number in padding"] = conversation # check if no null separator in padding is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={-1: 1})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["no null separator in padding"] = conversation # check if no null separator in padding is detected # but with PMS set to non-zero conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(padding_subs={-1: 1}, premaster_secret=bytearray([1] * 48))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["no null separator in encrypted value"] = conversation # check if too short PMS is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(premaster_secret=bytearray([1, 1]))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["two byte long PMS (TLS version only)"] = conversation # check if no encrypted payload is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) # the TLS version is always set, so we mask the real padding separator # and set the last byte of PMS to 0 node = node.add_child(ClientKeyExchangeGenerator(padding_subs={-1: 1}, premaster_secret=bytearray([1, 1, 0]))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["no encrypted value"] = conversation # check if too short encrypted payload is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) # the TLS version is always set, so we mask the real padding separator # and set the last byte of PMS to 0 node = node.add_child(ClientKeyExchangeGenerator(padding_subs={-1: 1}, premaster_secret=bytearray([1, 1, 0, 3]))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["one byte encrypted value"] = conversation # check if too short PMS is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(premaster_secret=bytearray([1] * 47))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["too short (47-byte) pre master secret"] = conversation # check if too short PMS is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(premaster_secret=bytearray([1] * 4))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["very short (4-byte) pre master secret"] = conversation # check if too long PMS is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(premaster_secret=bytearray([1] * 49))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["too long (49-byte) pre master secret"] = conversation # check if very long PMS is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(premaster_secret=bytearray([1] * 124))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["very long (124-byte) pre master secret"] = conversation conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(premaster_secret=bytearray([1] * 96))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["very long (96-byte) pre master secret"] = conversation # check if wrong TLS version number is rejected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(client_version=(2, 2))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["wrong TLS version (2, 2) in pre master secret"] = conversation # check if wrong TLS version number is rejected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) node = node.add_child(ClientKeyExchangeGenerator(client_version=(0, 0))) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["wrong TLS version (0, 0) in pre master secret"] = conversation # check if too short PKCS padding is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) # move the start of the padding forward, essentially encrypting two 0 bytes # at the beginning of the padding, but since those are transformed into a number # their existence is lost and it just like the padding was too small node = node.add_child(ClientKeyExchangeGenerator(padding_subs={1: 0, 2: 2})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["too short PKCS padding"] = conversation # check if very short PKCS padding doesn't have a different behaviour conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) # move the start of the padding 40 bytes towards LSB subs = {} for i in range(41): subs[i] = 0 subs[41] = 2 node = node.add_child(ClientKeyExchangeGenerator(padding_subs=subs)) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["very short PKCS padding (40 bytes short)"] = conversation # check if too long PKCS padding is detected conversation = Connect(host, port) node = conversation ciphers = [cipher] node = node.add_child(ClientHelloGenerator(ciphers, extensions=cln_extensions)) node = node.add_child(ExpectServerHello(extensions=srv_extensions)) node = node.add_child(ExpectCertificate()) node = node.add_child(ExpectServerHelloDone()) node = node.add_child(TCPBufferingEnable()) # move the start of the padding backward, essentially encrypting no 0 bytes # at the beginning of the padding, but since those are transformed into a number # its lack is lost and it just like the padding was too big node = node.add_child(ClientKeyExchangeGenerator(padding_subs={0: 2})) node = node.add_child(ChangeCipherSpecGenerator()) node = node.add_child(FinishedGenerator()) node = node.add_child(TCPBufferingDisable()) node = node.add_child(TCPBufferingFlush()) node = node.add_child(ExpectAlert(level, alert)) node.add_child(ExpectClose()) conversations["too long PKCS padding"] = conversation # run the conversation good = 0 bad = 0 xfail = 0 xpass = 0 failed = [] xpassed = [] if not num_limit: num_limit = len(conversations) # make sure that sanity test is run first and last # to verify that server was running and kept running throughout sanity_tests = [('sanity', conversations['sanity'])] if run_only: if num_limit > len(run_only): num_limit = len(run_only) regular_tests = [(k, v) for k, v in conversations.items() if k in run_only] else: regular_tests = [(k, v) for k, v in conversations.items() if (k != 'sanity') and k not in run_exclude] if num_limit < len(conversations): sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests))) else: sampled_tests = regular_tests ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests) print("Running tests for {0}".format(CipherSuite.ietfNames[cipher])) for c_name, c_test in ordered_tests: print("{0} ...".format(c_name)) runner = Runner(c_test) res = True exception = None try: runner.run() except Exception as exp: exception = exp print("Error while processing") print(traceback.format_exc()) res = False if c_name in expected_failures: if res: xpass += 1 xpassed.append(c_name) print("XPASS-expected failure but test passed\n") else: if expected_failures[c_name] is not None and \ expected_failures[c_name] not in str(exception): bad += 1 failed.append(c_name) print("Expected error message: {0}\n" .format(expected_failures[c_name])) else: xfail += 1 print("OK-expected failure\n") else: if res: good += 1 print("OK\n") else: bad += 1 failed.append(c_name) print("Test end") print(20 * '=') print("""Tests for handling of malformed encrypted values in CKE This test script checks if the server correctly handles malformed Client Key Exchange messages in RSA key exchange. When executed with `-i` it will also verify that different errors are rejected in the same amount of time; it checks for timing sidechannel. The script executes tests without \"sanity\" in name multiple times to estimate server response time. Quick reminder: when encrypting a value using PKCS#1 v1.5 standard the plaintext has the following structure, starting from most significant byte: - one byte, the version of the encryption, must be 0 - one byte, the type of encryption, must be 2 (is 1 in case of signature) - one or more bytes of random padding, with no zero bytes. The count must equal the byte size of the public key modulus less size of encrypted value and 3 (for version, type and separator) For signatures the bytes must equal 0xff - one zero byte that acts as separator between padding and encrypted value - one or more bytes that are the encrypted value, for TLS it must be 48 bytes long and the first two bytes need to equal the TLS version advertised in Client Hello All tests should exhibit the same kind of timing behaviour, but if some groups of tests are inconsistent, that points to likely place where the timing leak happens: - the control group, lack of consistency here points to Lucky 13: - 'invalid MAC in Finished on pos 0' - 'invalid MAC in Finished on pos -1' - 'fuzzed pre master secret' - this will end up with random plaintexts in record with Finished, most resembling a randomly selected PMS by the server verification: - 'set PKCS#1 padding type to 3' - 'set PKCS#1 padding type to 1' - incorrect size of encrypted value (pre-master secret), inconsistent results here suggests that the decryption leaks length of plaintext: - 'zero byte in random padding' - this creates a PMS that's 4 bytes shorter than the public key size and has a random TLS version - 'zero byte in last byte of random padding' - this creates a PMS that's one byte too long (49 bytes long), with a TLS version that's (0, major_version) - 'no null separator in padding' - as the PMS is all zero, this effectively sends a PMS that's 45 bytes long with TLS version of (0, 0) - 'two byte long PMS (TLS version only)' - 'one byte encrypted value' - the encrypted value is 3, as a correct value for first byte of TLS version - 'too short (47-byte) pre master secret' - 'very short (4-byte) pre master secret' - 'too long (49-byte) pre master secret' - 'very long (124-byte) pre master secret' - 'very long (96-byte) pre master secret' - invalid PKCS#1 v1.5 encryption padding: - 'zero byte in first byte of random padding' - this is a mix of too long PMS and invalid padding, it actually doesn't send padding at all, the padding length is zero - 'invalid version number in padding' - this sets the first byte of plaintext to 1 - 'no null separator in encrypted value' - this doesn't send a null byte separating padding and encrypted value - 'no encrypted value' - this sends a null separator, but it's the last byte of plaintext - 'too short PKCS padding' - this sends the correct encryption type in the padding (2), but one byte later than required - 'very short PKCS padding (40 bytes short)' - same as above only 40 bytes later - 'too long PKCS padding' this doesn't send the PKCS#1 v1.5 version at all, but starts with padding type - invalid TLS version in PMS, differences here suggest a leak in code checking for correctness of this value: - 'wrong TLS version (2, 2) in pre master secret' - 'wrong TLS version (0, 0) in pre master secret'""") print(20 * '=') print("version: {0}".format(version)) print(20 * '=') print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests))) print("SKIP: {0}".format(len(run_exclude.intersection(conversations.keys())))) print("PASS: {0}".format(good)) print("XFAIL: {0}".format(xfail)) print("FAIL: {0}".format(bad)) print("XPASS: {0}".format(xpass)) print(20 * '=') sort = sorted(xpassed, key=natural_sort_keys) if len(sort): print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort))) sort = sorted(failed, key=natural_sort_keys) if len(sort): print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort))) if bad > 0: sys.exit(1) elif timing: # if regular tests passed, run timing collection and analysis if TimingRunner.check_tcpdump(): timing_runner = TimingRunner("{0}_{1}".format(sys.argv[0], CipherSuite.ietfNames[cipher]), sampled_tests, outdir, host, port, interface, affinity) print("Running timing tests...") timing_runner.generate_log(run_only, run_exclude, repetitions) ret_val = timing_runner.run() if ret_val == 0: print("No statistically significant difference detected") elif ret_val == 1: print("Statisticaly significant difference detected at alpha=" "0.05") else: print("Statistical analysis exited with {0}".format(ret_val)) else: print("Could not run timing tests because tcpdump is not present!") sys.exit(1) print(20 * '=')
def diff_ecdf_plot(self): """Generate ECDF plot of differences between test classes.""" if not self.draw_ecdf_plot: return data = self.load_data() fig = Figure(figsize=(16, 12)) canvas = FigureCanvas(fig) axes = fig.add_subplot(1, 1, 1) classnames = iter(data) base = next(classnames) base_data = data.loc[:, base] # parameters for the zoomed-in graphs of ecdf zoom_params = OrderedDict([("98", (0.01, 0.99)), ("33", (0.33, 0.66)), ("10", (0.45, 0.55))]) zoom_values = OrderedDict( (name, [float("inf"), float("-inf")]) for name in zoom_params.keys()) for classname in classnames: # calculate the ECDF values = data.loc[:, classname] levels = np.linspace(1. / len(values), 1, len(values)) values = sorted(values - base_data) axes.step(values, levels, where='post') # calculate the bounds for the zoom positions quantiles = np.quantile(values, list(chain(*zoom_params.values()))) quantiles = iter(quantiles) for low, high, name in \ zip(quantiles, quantiles, zoom_params.keys()): zoom_values[name][0] = min(zoom_values[name][0], low) zoom_values[name][1] = max(zoom_values[name][1], high) fig.legend(list("{0}-0".format(i) for i in range(1, len(list(values)))), ncol=6, loc='upper center', bbox_to_anchor=(0.5, -0.05)) axes.set_title("Empirical Cumulative Distribution Function of " "class differences") axes.set_xlabel("Time") axes.set_ylabel("Cumulative probability") formatter = mpl.ticker.EngFormatter('s') axes.get_xaxis().set_major_formatter(formatter) canvas.print_figure(join(self.output, "diff_ecdf_plot.png"), bbox_inches="tight") # now graph progressive zooms of the central portion for name, quantiles, values in \ zip(zoom_params.keys(), zoom_params.values(), zoom_values.values()): axes.set_ylim(quantiles) # make the bounds a little weaker so that the extreme positions # are visible of graph too axes.set_xlim([values[0] * 0.98, values[1] * 1.02]) canvas.print_figure(join( self.output, "diff_ecdf_plot_zoom_in_{0}.png".format(name)), bbox_inches="tight")
def test_update_with_keyword_args(self): d = OrderedDict() d.update(a='1', b='2', c='3') self.assertEqual(set(['1', '2', '3']), set(d.values())) self.assertEqual(set(['a', 'b', 'c']), set(d.keys()))
class TestOrderedDict(unittest.TestCase): def setUp(self): self.d = OrderedDict() self.d[1] = "a" self.d[2] = "b" self.d[3] = "c" def test___init__(self): d = OrderedDict() self.assertIsInstance(d, dict) def test___init___with_invalid_params(self): with self.assertRaises(TypeError): OrderedDict(12, "a") def test___init___with_dict(self): d = OrderedDict({12: "a", 14: "b"}) self.assertEqual({12: "a", 14: "b"}, d) def test_add_in_order(self): d = OrderedDict() d[1] = "a" d[2] = "b" d[3] = "c" d[4] = "d" d[5] = "e" d[6] = "f" d[7] = "g" self.assertEqual([1, 2, 3, 4, 5, 6, 7], list(d.keys())) self.assertEqual(["a", "b", "c", "d", "e", "f", "g"], list(d.values())) def test_del(self): del self.d[2] self.assertEqual([1, 3], list(self.d.keys())) self.assertEqual(["a", "c"], list(self.d.values())) def test_iter(self): self.assertEqual([1, 2, 3], list(iter(self.d))) def test_popitem(self): n, v = self.d.popitem() self.assertEqual(n, 3) self.assertEqual(v, "c") self.assertEqual([1, 2], list(self.d.keys())) self.assertEqual(["a", "b"], list(self.d.values())) def test_popitem_on_empty(self): d = OrderedDict() with self.assertRaises(KeyError): d.popitem() def test_popitem_first(self): if type(self.d) is dict: self.skipTest("not popitem(last=False) in dict") else: n, v = self.d.popitem(last=False) self.assertEqual(n, 1) self.assertEqual(v, "a") self.assertEqual([2, 3], list(self.d.keys())) self.assertEqual(["b", "c"], list(self.d.values())) def test_items(self): self.assertEqual([(1, "a"), (2, "b"), (3, "c")], list(self.d.items())) def test_iterkeys(self): if type(self.d) is dict: self.skipTest("no iterkeys in dict") else: self.assertEqual(list(self.d.iterkeys()), list(iter(self.d))) def test_clear(self): self.d.clear() self.assertEqual([], list(self.d.items())) def test_itervalues(self): if type(self.d) is dict: self.skipTest("no itervalues in dict") else: self.assertEqual(list(self.d.itervalues()), self.d.values()) def test_update_with_too_many_args(self): with self.assertRaises(TypeError): self.d.update(0, None) def test_update_with_dict(self): self.d.update({0: None}) self.assertEqual([(1, "a"), (2, "b"), (3, "c"), (0, None)], list(self.d.items())) def test_update_with_list_of_tuples(self): d = OrderedDict() d.update([(3, "c"), (2, "b"), (1, "a")]) self.assertEqual([3, 2, 1], list(d.keys())) self.assertEqual(["c", "b", "a"], list(d.values())) def test_update_with_keyword_args(self): d = OrderedDict() d.update(a='1', b='2', c='3') self.assertEqual(set(['1', '2', '3']), set(d.values())) self.assertEqual(set(['a', 'b', 'c']), set(d.keys())) def test_pop(self): v = self.d.pop(2) self.assertEqual(v, "b") self.assertEqual([(1, "a"), (3, "c")], list(self.d.items())) def test_pop_non_existent(self): with self.assertRaises(KeyError): self.d.pop(4) def test_pop_with_default(self): if type(self.d) is dict: a = self.d.pop(0, "foo") self.assertEqual(a, "foo") else: a = self.d.pop(0, default="foo") self.assertEqual(a, "foo") def test_repr(self): if type(self.d) is dict: self.assertEqual("{1: 'a', 2: 'b', 3: 'c'}", repr(self.d)) else: self.assertEqual("OrderedDict([(1, 'a'), (2, 'b'), (3, 'c')])", repr(self.d)) def test_repr_with_circular_dependancy(self): del self.d[2] self.d[2] = self.d if type(self.d) is dict: self.assertEqual("{1: 'a', 3: 'c', 2: {...}}", repr(self.d)) else: self.assertEqual("OrderedDict([(1, 'a'), (3, 'c'), (2, ...)])", repr(self.d)) def test_repr_with_empty(self): d = OrderedDict() if type(self.d) is dict: self.assertEqual("{}", repr(d)) else: self.assertEqual("OrderedDict()", repr(d)) def test_compare_different_order(self): d2 = OrderedDict() d2[1] = "a" d2[3] = "c" d2[2] = "b" self.assertNotEqual(list(self.d.items()), list(d2.items()))
def test_update_with_list_of_tuples(self): d = OrderedDict() d.update([(3, "c"), (2, "b"), (1, "a")]) self.assertEqual([3, 2, 1], list(d.keys())) self.assertEqual(["c", "b", "a"], list(d.values()))