def test_requireExtendedMasterSecret_with_incompatible_use_EMS(self):
hs = HandshakeSettings()
hs.useExtendedMasterSecret = False
hs.requireExtendedMasterSecret = True
with self.assertRaises(ValueError):
hs.validate()
def test_maxKeySize_smaller_than_minKeySize(self):
hs = HandshakeSettings()
hs.maxKeySize = 1024
hs.minKeySize = 2048
with self.assertRaises(ValueError):
hs.validate()
def test_minVersion_higher_than_maxVersion(self):
hs = HandshakeSettings()
hs.minVersion = (3, 3)
hs.maxVersion = (3, 0)
with self.assertRaises(ValueError):
hs.validate()
def test_cipherNames_with_unknown_name(self):
hs = HandshakeSettings()
hs.cipherNames = ["aes256"]
newHs = hs.validate()
self.assertEqual(["aes256"], newHs.cipherNames)
def test_client_with_server_responing_without_EMS(self):
# socket to generate the faux response
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 2)
server_hello = ServerHello().create(
version=(3, 3),
random=bytearray(32),
session_id=bytearray(0),
cipher_suite=CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
certificate_type=None,
tackExt=None,
next_protos_advertised=None)
for res in gen_record_layer.sendRecord(server_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
hs = HandshakeSettings()
hs.requireExtendedMasterSecret = True
conn = TLSConnection(sock)
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeClientCert(settings=hs)
self.assertEqual(err.exception.description,
AlertDescription.insufficient_security)
def test_getTLS13Suites(self):
hs = HandshakeSettings()
hs.maxVersion = (3, 4)
self.assertEqual(CipherSuite.getTLS13Suites(hs),
[CipherSuite.TLS_AES_256_GCM_SHA384,
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_CHACHA20_POLY1305_SHA256])
def test_requireExtendedMasterSecret(self):
hs = HandshakeSettings()
self.assertFalse(hs.requireExtendedMasterSecret)
hs.requireExtendedMasterSecret = True
n_hs = hs.validate()
self.assertTrue(n_hs.requireExtendedMasterSecret)
def test_maxVersion_without_TLSv1_2(self):
hs = HandshakeSettings()
hs.maxVersion = (3, 2)
self.assertTrue("sha256" in hs.macNames)
new_hs = hs.validate()
self.assertFalse("sha256" in new_hs.macNames)
def test_useEncryptThenMAC(self):
hs = HandshakeSettings()
self.assertTrue(hs.useEncryptThenMAC)
hs.useEncryptThenMAC = False
n_hs = hs.validate()
self.assertFalse(n_hs.useEncryptThenMAC)
def test_client_SRP_key_exchange_with_too_small_params(self):
keyExchange = self.keyExchange.makeServerKeyExchange('sha1')
settings = HandshakeSettings()
settings.minKeySize = 3072
client_keyExchange = SRPKeyExchange(self.cipher_suite,
self.client_hello,
self.server_hello,
None, None,
srpUsername=bytearray(b'user'),
password=bytearray(b'password'),
settings=settings)
with self.assertRaises(TLSInsufficientSecurity):
client_keyExchange.processServerKeyExchange(None, keyExchange)
def test_client_SRP_key_exchange_with_too_big_params(self):
keyExchange = self.keyExchange.makeServerKeyExchange('sha1')
settings = HandshakeSettings()
settings.minKeySize = 512
settings.maxKeySize = 1024
client_keyExchange = SRPKeyExchange(self.cipher_suite,
self.client_hello,
self.server_hello,
None, None,
srpUsername='******',
password='******',
settings=settings)
with self.assertRaises(TLSInsufficientSecurity):
client_keyExchange.processServerKeyExchange(None, keyExchange)
def test_server_with_client_not_using_required_EMS(self):
gen_sock = MockSocket(bytearray(0))
gen_record_layer = RecordLayer(gen_sock)
gen_record_layer.version = (3, 0)
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
client_hello = ClientHello().create(version=(3, 3),
random=bytearray(32),
session_id=bytearray(0),
cipher_suites=ciphers)
for res in gen_record_layer.sendRecord(client_hello):
if res in (0, 1):
self.assertTrue(False, "Blocking socket")
else:
break
# test proper
sock = MockSocket(gen_sock.sent[0])
conn = TLSConnection(sock)
hs = HandshakeSettings()
hs.requireExtendedMasterSecret = True
srv_private_key = parsePEMKey(srv_raw_key, private=True)
srv_cert_chain = X509CertChain([X509().parse(srv_raw_certificate)])
with self.assertRaises(TLSLocalAlert) as err:
conn.handshakeServer(certChain=srv_cert_chain,
privateKey=srv_private_key,
settings=hs)
self.assertEqual(err.exception.description,
AlertDescription.insufficient_security)
def test_invalid_usePaddingExtension(self):
hs = HandshakeSettings()
hs.usePaddingExtension = -1
with self.assertRaises(ValueError):
hs.validate()
def test_no_signature_hashes_set_with_TLS1_1(self):
hs = HandshakeSettings()
hs.rsaSigHashes = []
hs.maxVersion = (3, 2)
self.assertIsNotNone(hs.validate())
def test_invalid_signature_algorithm(self):
hs = HandshakeSettings()
hs.rsaSigHashes += ['md2']
with self.assertRaises(ValueError):
hs.validate()
def test_certificateTypes_empty(self):
hs = HandshakeSettings()
hs.certificateTypes = []
with self.assertRaises(ValueError):
hs.validate()
def test_getTLS13Suites_with_TLS1_2(self):
hs = HandshakeSettings()
hs.maxVersion = (3, 4)
self.assertEqual(CipherSuite.getTLS13Suites(hs, (3, 3)), [])
def test_getCertificateTypes_with_unsupported_type(self):
hs = HandshakeSettings()
hs.certificateTypes = ["x509", "openpgp"]
with self.assertRaises(AssertionError):
hs.getCertificateTypes()
def test_invalid_keyShares_name(self):
hs = HandshakeSettings()
hs.keyShares = ["ffdhe1024"]
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_defaultCurve_name(self):
hs = HandshakeSettings()
hs.defaultCurve = "ffdhe2048"
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_rsaScheme(self):
hs = HandshakeSettings()
hs.rsaSchemes += ["rsassa-pkcs1-1_5"]
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_dhGroups(self):
hs = HandshakeSettings()
hs.dhGroups = ["ffdhe2048", "ffdhe1024"]
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_dhParams(self):
hs = HandshakeSettings()
hs.dhParams = (2, 'bd')
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_usePaddingExtension(self):
hs = HandshakeSettings()
hs.usePaddingExtension = -1
with self.assertRaises(ValueError):
hs.validate()
def test_usePaddingExtension(self):
hs = HandshakeSettings()
self.assertTrue(hs.usePaddingExtension)
def test_requireExtendedMasterSecret_with_wrong_value(self):
hs = HandshakeSettings()
hs.requireExtendedMasterSecret = None
with self.assertRaises(ValueError):
hs.validate()
def test_useEncryptThenMAC_with_wrong_value(self):
hs = HandshakeSettings()
hs.useEncryptThenMAC = None
with self.assertRaises(ValueError):
hs.validate()
def test___init__(self):
hs = HandshakeSettings()
self.assertIsNotNone(hs)
def test_maxKeySize_too_small(self):
hs = HandshakeSettings()
hs.maxKeySize = 511
with self.assertRaises(ValueError):
hs.validate()
def test_getCertificateTypes(self):
hs = HandshakeSettings()
self.assertEqual([0], hs.getCertificateTypes())
def test_cipherNames_with_unknown_name(self):
hs = HandshakeSettings()
hs.cipherNames = ["aes256gcm", "aes256"]
with self.assertRaises(ValueError):
hs.validate()
def test_getCertificateTypes_with_unsupported_type(self):
hs = HandshakeSettings()
hs.certificateTypes = ["x509", "openpgp"]
with self.assertRaises(AssertionError):
hs.getCertificateTypes()
def test_cipherImplementations_empty(self):
hs = HandshakeSettings()
hs.cipherImplementations = []
with self.assertRaises(ValueError):
hs.validate()
def test_validate(self):
hs = HandshakeSettings()
newHS = hs.validate()
self.assertIsNotNone(newHS)
self.assertIsNot(hs, newHS)
def test_invalid_additional_signature(self):
hs = HandshakeSettings()
hs.more_sig_schemes = ["rsa_pkcs1_sha1"]
with self.assertRaises(ValueError):
hs.validate()
def test_maxKeySize_too_small(self):
hs = HandshakeSettings()
hs.maxKeySize = 511
with self.assertRaises(ValueError):
hs.validate()
def test_no_signature_hashes_set_with_TLS1_2(self):
hs = HandshakeSettings()
hs.rsaSigHashes = []
with self.assertRaises(ValueError):
hs.validate()
def test_maxKeySize_too_large(self):
hs = HandshakeSettings()
hs.maxKeySize = 16385
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_curve_name(self):
hs = HandshakeSettings()
hs.eccCurves = ['P-256']
with self.assertRaises(ValueError):
hs.validate()
def test_cipherNames_with_unknown_name(self):
hs = HandshakeSettings()
hs.cipherNames = ["aes256gcm", "aes256"]
with self.assertRaises(ValueError):
hs.validate()
def test_cipherImplementations_with_unknown_implementations(self):
hs = HandshakeSettings()
hs.cipherImplementations = ["openssl", "NSS"]
with self.assertRaises(ValueError):
hs.validate()
def test_cipherNames_empty(self):
hs = HandshakeSettings()
hs.cipherNames = []
with self.assertRaises(ValueError):
hs.validate()
def test_maxVersion_with_unknown_version(self):
hs = HandshakeSettings()
hs.maxVersion = (3, 4)
with self.assertRaises(ValueError):
hs.validate()
def test_certificateTypes_empty(self):
hs = HandshakeSettings()
hs.certificateTypes = []
with self.assertRaises(ValueError):
hs.validate()
def test_getCertificateTypes(self):
hs = HandshakeSettings()
self.assertEqual([0], hs.getCertificateTypes())
def test_certificateTypes_with_unknown_type(self):
hs = HandshakeSettings()
hs.certificateTypes = [0, 42]
with self.assertRaises(ValueError):
hs.validate()
def test_validate(self):
hs = HandshakeSettings()
newHS = hs.validate()
self.assertIsNotNone(newHS)
self.assertIsNot(hs, newHS)
def test_cipherImplementations_empty(self):
hs = HandshakeSettings()
hs.cipherImplementations = []
with self.assertRaises(ValueError):
hs.validate()
def test_maxKeySize_too_large(self):
hs = HandshakeSettings()
hs.maxKeySize = 16385
with self.assertRaises(ValueError):
hs.validate()
def test_maxVersion_with_unknown_version(self):
hs = HandshakeSettings()
hs.maxVersion = (3, 5)
with self.assertRaises(ValueError):
hs.validate()
def test_no_signature_hashes_set_with_TLS1_1(self):
hs = HandshakeSettings()
hs.rsaSigHashes = []
hs.maxVersion = (3, 2)
self.assertIsNotNone(hs.validate())
def test_invalid_signature_ecdsa_algorithm(self):
hs = HandshakeSettings()
hs.ecdsaSigHashes += ['md5']
with self.assertRaises(ValueError):
hs.validate()
def test_cipherNames_empty(self):
hs = HandshakeSettings()
hs.cipherNames = []
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_KEX(self):
hs = HandshakeSettings()
hs.keyExchangeNames = ['rsa', 'ecdhe_rsa', 'gost']
with self.assertRaises(ValueError):
hs.validate()
def test_certificateTypes_with_unknown_type(self):
hs = HandshakeSettings()
hs.certificateTypes = [0, 42]
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_MAC(self):
hs = HandshakeSettings()
hs.macNames = ['sha1', 'whirpool']
with self.assertRaises(ValueError):
hs.validate()
def test_no_signature_hashes_set_with_TLS1_2(self):
hs = HandshakeSettings()
hs.rsaSigHashes = []
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_KEX(self):
hs = HandshakeSettings()
hs.keyExchangeNames = ['rsa', 'ecdhe_rsa', 'gost']
with self.assertRaises(ValueError):
hs.validate()
def test_cipherImplementations_with_unknown_implementations(self):
hs = HandshakeSettings()
hs.cipherImplementations = ["openssl", "NSS"]
with self.assertRaises(ValueError):
hs.validate()
def test_invalid_curve_name(self):
hs = HandshakeSettings()
hs.eccCurves = ['P-256']
with self.assertRaises(ValueError):
hs.validate()
