 def tls13_should_add_ClientHello(self):
     """Build the initial TLS 1.3 ClientHello and queue it for sending.

     The hello goes in a legacy (plaintext, non-TLS 1.3) record.  The
     offered groups are secp256r1 and secp384r1, plus x25519 when
     ``conf.crypto_valid_advanced`` is set.  If ``self.client_hello`` was
     supplied it is sent as-is, the default extensions being filled in
     only when it carries none; otherwise a TLS13ClientHello is built with
     ``self.ciphersuite`` (0x1301 when unset).

     Raises:
         TLS13_ADDED_CLIENTHELLO: always, as the automaton state transition.
     """
     groups = ["secp256r1", "secp384r1"]
     if conf.crypto_valid_advanced:
         groups.append("x25519")

     # The first flight is never protected in TLS 1.3: legacy record.
     self.add_record(is_tls13=False)

     default_ext = [
         TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"]),
         TLS_Ext_SupportedGroups(groups=groups),
         TLS_Ext_KeyShare_CH(
             client_shares=[KeyShareEntry(group=self.curve)]),  # noqa: E501
         TLS_Ext_SignatureAlgorithms(
             sig_algs=["sha256+rsaepss", "sha256+rsa"]),
     ]

     hello = self.client_hello
     if hello:
         # Only a user-supplied hello without extensions gets the defaults.
         if not hello.ext:
             hello.ext = default_ext
     else:
         chosen = 0x1301 if self.ciphersuite is None else self.ciphersuite
         hello = TLS13ClientHello(ciphers=chosen, ext=default_ext)

     self.add_msg(hello)
     raise self.TLS13_ADDED_CLIENTHELLO()
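 def tls13_should_add_ClientHello_Retry(self):
     """Answer a HelloRetryRequest with a second TLS 1.3 ClientHello.

     The key-share group and the protocol version are read from the last
     parsed handshake message (the HelloRetryRequest) and the retried
     hello echoes the cipher suite the server selected.  As with the first
     flight, the message goes in a legacy (plaintext) record.

     Raises:
         CLOSE_NOTIFY: if the HRR carries no key_share selected_group or
             no supported_versions selection.
         TLS13_ADDED_CLIENTHELLO: otherwise, as the automaton transition.
     """
     s = self.cur_session
     s.tls13_retry = True
     # we have to use the legacy, plaintext TLS record here
     self.add_record(is_tls13=False)

     # The group to use and the selected version come from the previous
     # message; this state is expected to be reached right after an HRR,
     # so hrr is assumed to be a TLS13HelloRetryRequest (not re-checked).
     hrr = s.handshake_messages_parsed[-1]
     ciphersuite = hrr.cipher

     # Both selections start as None so that an HRR missing either
     # extension is answered with CLOSE_NOTIFY below instead of raising
     # UnboundLocalError on the check.
     selected_group = None
     selected_version = None
     for e in hrr.ext or []:
         if isinstance(e, TLS_Ext_KeyShare_HRR):
             selected_group = e.selected_group
         if isinstance(e, TLS_Ext_SupportedVersion_SH):
             selected_version = e.version
     if not selected_group or not selected_version:
         raise self.CLOSE_NOTIFY()
     # NOTE(review): selected_group is used as-is; nothing here verifies
     # it was among the groups offered in the first ClientHello.

     ext = [
         TLS_Ext_SupportedVersion_CH(
             versions=[_tls_version[selected_version]]),  # noqa: E501
         TLS_Ext_SupportedGroups(
             groups=[_tls_named_groups[selected_group]]),  # noqa: E501
         TLS_Ext_KeyShare_CH(
             client_shares=[KeyShareEntry(
                 group=selected_group)]),  # noqa: E501
         TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]),
     ]
     p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
     self.add_msg(p)
     raise self.TLS13_ADDED_CLIENTHELLO()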
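    def tls13_should_add_ClientHello_Retry(self):
        """Answer a HelloRetryRequest with a second TLS 1.3 ClientHello.

        The key-share group and the protocol version are read from the last
        parsed handshake message (the HelloRetryRequest) and the retried
        hello echoes the cipher suite the server selected.  When the session
        holds a PSK secret, psk_key_exchange_modes is offered (key_share /
        supported_groups only in "psk_dhe_ke" mode) and a pre_shared_key
        extension with a zero-filled placeholder binder is appended last;
        otherwise a certificate-based hello is built.  A legacy (plaintext)
        record is used.

        Raises:
            CLOSE_NOTIFY: if the HRR carries no key_share selected_group or
                no supported_versions selection.
            TLS13_ADDED_CLIENTHELLO: otherwise, as the automaton transition.
        """
        s = self.cur_session
        s.tls13_retry = True
        # we have to use the legacy, plaintext TLS record here
        self.add_record(is_tls13=False)

        # The group to use and the selected version come from the previous
        # message; this state is expected to be reached right after an HRR,
        # so hrr is assumed to be a TLS13HelloRetryRequest (not re-checked).
        hrr = s.handshake_messages_parsed[-1]
        ciphersuite = hrr.cipher

        # Both selections start as None so that an HRR missing either
        # extension is answered with CLOSE_NOTIFY below instead of raising
        # UnboundLocalError on the check.
        selected_group = None
        selected_version = None
        for e in hrr.ext or []:
            if isinstance(e, TLS_Ext_KeyShare_HRR):
                selected_group = e.selected_group
            if isinstance(e, TLS_Ext_SupportedVersion_SH):
                selected_version = e.version
        if not selected_group or not selected_version:
            raise self.CLOSE_NOTIFY()
        # NOTE(review): selected_group is used as-is; nothing here verifies
        # it was among the groups offered in the first ClientHello.

        # Extensions are appended explicitly rather than with `ext += pkt`,
        # which relies on list.__iadd__ iterating the Packet and is easy to
        # break with a stray trailing comma (tuple operand).
        ext = [
            TLS_Ext_SupportedVersion_CH(
                versions=[_tls_version[selected_version]]),  # noqa: E501
        ]

        if s.tls13_psk_secret:
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
                ext.append(TLS_Ext_SupportedGroups(
                    groups=[_tls_named_groups[selected_group]]))  # noqa: E501
                ext.append(TLS_Ext_KeyShare_CH(client_shares=[
                    KeyShareEntry(group=selected_group)
                ]))  # noqa: E501
            else:
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))

            # RFC 8446, section 4.2.11: pre_shared_key MUST be the last
            # extension in the ClientHello.  SHA-256 is the hash used for the
            # PSK here; the binder is a zero-filled placeholder of that length
            # (the real binder is not computed in this method).
            hash_len = TLS13_HKDF("sha256").hash.digest_size
            psk_id = PSKIdentity(identity='Client_identity')
            psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                              binder=b"\x00" * hash_len)
            ext.append(TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                               binders=[psk_binder_entry]))
        else:
            ext.append(TLS_Ext_SupportedGroups(
                groups=[_tls_named_groups[selected_group]]))  # noqa: E501
            ext.append(TLS_Ext_KeyShare_CH(client_shares=[
                KeyShareEntry(group=selected_group)
            ]))  # noqa: E501
            ext.append(
                TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]))

        p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
        self.add_msg(p)
        raise self.TLS13_ADDED_CLIENTHELLO()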
    def tls13_should_add_ClientHello(self):
        """Queue the initial TLS 1.3 ClientHello, with or without a PSK.

        The first flight goes in a legacy (plaintext) record.  The hello is
        either the user-supplied ``self.client_hello`` or a new
        TLS13ClientHello built with ``self.ciphersuite`` (0x1301 when
        unset); in both cases its extension list is rebuilt here.  When the
        session holds a PSK secret, psk_key_exchange_modes is offered
        (key_share / supported_groups only in "psk_dhe_ke" mode) and a
        pre_shared_key extension with a zero-filled placeholder binder is
        appended last; otherwise a certificate-based hello is built.

        Raises:
            TLS13_ADDED_CLIENTHELLO: always, as the automaton state transition.
        """
        groups = ["secp256r1", "secp384r1"]
        if conf.crypto_valid_advanced:
            groups.append("x25519")
        # TLS 1.3 never protects the first flight: legacy record.
        self.add_record(is_tls13=False)

        if self.client_hello:
            hello = self.client_hello
        else:
            suite = 0x1301 if self.ciphersuite is None else self.ciphersuite
            hello = TLS13ClientHello(ciphers=suite)

        ext = [TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])]

        if self.cur_session.tls13_psk_secret:
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
                ext.append(TLS_Ext_SupportedGroups(groups=groups))
                ext.append(TLS_Ext_KeyShare_CH(
                    client_shares=[KeyShareEntry(group=self.curve)]))
            else:
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))

            # RFC 8446, section 4.2.11: "The 'pre_shared_key' extension MUST
            # be the last extension in the ClientHello", hence it is added
            # after everything else.  SHA-256 is the hash used for the PSK;
            # the binder is a zero-filled placeholder of that length (the
            # real binder is not computed in this method).
            digest_len = TLS13_HKDF("sha256").hash.digest_size
            placeholder = PSKBinderEntry(binder_len=digest_len,
                                         binder=b"\x00" * digest_len)
            ext.append(TLS_Ext_PreSharedKey_CH(
                identities=[PSKIdentity(identity='Client_identity')],
                binders=[placeholder]))
        else:
            ext.append(TLS_Ext_SupportedGroups(groups=groups))
            ext.append(TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=self.curve)]))
            ext.append(TLS_Ext_SignatureAlgorithms(
                sig_algs=["sha256+rsaepss", "sha256+rsa"]))

        hello.ext = ext
        self.add_msg(hello)
        raise self.TLS13_ADDED_CLIENTHELLO()
    def tls13_should_add_ClientHello(self):
        """Queue the initial TLS 1.3 ClientHello (certificate, PSK or ticket).

        The first flight goes in a legacy (plaintext) record.  The hello is
        either the user-supplied ``self.client_hello`` or a new
        TLS13ClientHello built with ``self.ciphersuite`` (0x1301 when
        unset); in both cases its extension list is rebuilt here.  With a
        PSK secret in the session, psk_key_exchange_modes is offered
        (key_share / supported_groups only in "psk_dhe_ke" mode) and a
        pre_shared_key extension is appended last, identifying either the
        stored session ticket (with its obfuscated age) or the out-of-band
        identity 'Client_identity'; its binder is a zero-filled placeholder.
        Without a PSK a certificate-based hello is built.

        Raises:
            TLS13_ADDED_CLIENTHELLO: always, as the automaton state transition.
        """
        groups = ["secp256r1", "secp384r1"]
        if conf.crypto_valid_advanced:
            groups.append("x25519")
        # TLS 1.3 never protects the first flight: legacy record.
        self.add_record(is_tls13=False)

        if self.client_hello:
            hello = self.client_hello
        else:
            suite = 0x1301 if self.ciphersuite is None else self.ciphersuite
            hello = TLS13ClientHello(ciphers=suite)

        ext = [TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])]
        s = self.cur_session

        if s.tls13_psk_secret:
            # (EC)DHE is offered alongside the PSK in "psk_dhe_ke" mode, for
            # both out-of-band and resumption PSKs.
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
                ext.append(TLS_Ext_SupportedGroups(groups=groups))
                ext.append(TLS_Ext_KeyShare_CH(
                    client_shares=[KeyShareEntry(group=self.curve)]))
            else:
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))

            # RFC 8446, section 4.2.11: "The 'pre_shared_key' extension MUST
            # be the last extension in the ClientHello", so it is appended
            # after everything else.
            if s.client_session_ticket:
                # Resumption PSK: the HKDF hash is the one of the cipher
                # suite the ticket was issued under.
                suite_cls = _tls_cipher_suites_cls[
                    s.tls13_ticket_ciphersuite]  # noqa: E501
                digest_len = TLS13_HKDF(
                    suite_cls.hash_alg.name.lower()).hash.digest_size
                # Client's view of the ticket age (ms since receipt), then
                # obfuscated by adding the ticket's ticket_age_add modulo 2^32.
                age_ms = int((time.time() - s.client_ticket_age) * 1000)
                obfuscated = ((age_ms + s.client_session_ticket_age_add)
                              & 0xffffffff)
                identity = PSKIdentity(identity=s.client_session_ticket,
                                       obfuscated_ticket_age=obfuscated)
            else:
                # Out-of-band PSK: SHA-256 is the default HKDF hash.
                digest_len = TLS13_HKDF("sha256").hash.digest_size
                identity = PSKIdentity(identity='Client_identity')

            # XXX see how to not pass binder as argument -- the binder is a
            # zero-filled placeholder of the hash length; the real value is
            # not computed in this method.
            placeholder = PSKBinderEntry(binder_len=digest_len,
                                         binder=b"\x00" * digest_len)
            ext.append(TLS_Ext_PreSharedKey_CH(identities=[identity],
                                               binders=[placeholder]))
        else:
            ext.append(TLS_Ext_SupportedGroups(groups=groups))
            ext.append(TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=self.curve)]))
            ext.append(TLS_Ext_SignatureAlgorithms(
                sig_algs=["sha256+rsaepss", "sha256+rsa"]))

        hello.ext = ext
        self.add_msg(hello)
        raise self.TLS13_ADDED_CLIENTHELLO()
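    def tls13_should_add_ClientHello_Retry(self):
        """Answer a HelloRetryRequest with a second TLS 1.3 ClientHello.

        The key-share group and the protocol version are read from the last
        parsed handshake message (the HelloRetryRequest) and the retried
        hello echoes the cipher suite the server selected.  With a PSK secret
        in the session, psk_key_exchange_modes is offered (key_share /
        supported_groups only in "psk_dhe_ke" mode) and a pre_shared_key
        extension is appended last, identifying either the stored session
        ticket (with its obfuscated age) or the out-of-band identity
        'Client_identity'; its binder is a zero-filled placeholder.  Without
        a PSK a certificate-based hello is built.  A legacy (plaintext)
        record is used.

        Raises:
            CLOSE_NOTIFY: if the HRR carries no key_share selected_group or
                no supported_versions selection.
            TLS13_ADDED_CLIENTHELLO: otherwise, as the automaton transition.
        """
        s = self.cur_session
        s.tls13_retry = True
        # we have to use the legacy, plaintext TLS record here
        self.add_record(is_tls13=False)

        # The group to use and the selected version come from the previous
        # message; this state is expected to be reached right after an HRR,
        # so hrr is assumed to be a TLS13HelloRetryRequest (not re-checked).
        hrr = s.handshake_messages_parsed[-1]
        ciphersuite = hrr.cipher

        # Both selections start as None so that an HRR missing either
        # extension is answered with CLOSE_NOTIFY below instead of raising
        # UnboundLocalError on the check.
        selected_group = None
        selected_version = None
        for e in hrr.ext or []:
            if isinstance(e, TLS_Ext_KeyShare_HRR):
                selected_group = e.selected_group
            if isinstance(e, TLS_Ext_SupportedVersion_SH):
                selected_version = e.version
        if not selected_group or not selected_version:
            raise self.CLOSE_NOTIFY()
        # NOTE(review): selected_group is used as-is; nothing here verifies
        # it was among the groups offered in the first ClientHello.

        # Extensions are appended explicitly rather than with `ext += pkt`,
        # which relies on list.__iadd__ iterating the Packet and is easy to
        # break with a stray trailing comma (tuple operand).
        ext = [
            TLS_Ext_SupportedVersion_CH(
                versions=[_tls_version[selected_version]]),  # noqa: E501
        ]

        if s.tls13_psk_secret:
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
                ext.append(TLS_Ext_SupportedGroups(
                    groups=[_tls_named_groups[selected_group]]))  # noqa: E501
                ext.append(TLS_Ext_KeyShare_CH(client_shares=[
                    KeyShareEntry(group=selected_group)
                ]))  # noqa: E501
            else:
                ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))

            # RFC 8446, section 4.2.11: pre_shared_key MUST be the last
            # extension in the ClientHello, so it is appended after all others.
            if s.client_session_ticket:
                # XXX Retrieve parameters from first ClientHello...
                # Resumption PSK: the HKDF hash is the one of the cipher
                # suite the ticket was issued under.
                cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite]
                hash_len = TLS13_HKDF(
                    cs_cls.hash_alg.name.lower()).hash.digest_size

                # Client's view of the ticket age (ms since receipt), then
                # obfuscated by adding the ticket's ticket_age_add modulo 2^32.
                agems = int((time.time() - s.client_ticket_age) * 1000)
                obfuscated_age = ((agems + s.client_session_ticket_age_add)
                                  & 0xffffffff)
                psk_id = PSKIdentity(identity=s.client_session_ticket,
                                     obfuscated_ticket_age=obfuscated_age)
            else:
                # Out-of-band PSK: SHA-256 is the default HKDF hash.
                hash_len = TLS13_HKDF("sha256").hash.digest_size
                psk_id = PSKIdentity(identity='Client_identity')

            # Zero-filled placeholder binder of the hash length; the real
            # binder is not computed in this method.
            psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                              binder=b"\x00" * hash_len)
            ext.append(TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                               binders=[psk_binder_entry]))
        else:
            ext.append(TLS_Ext_SupportedGroups(
                groups=[_tls_named_groups[selected_group]]))  # noqa: E501
            ext.append(TLS_Ext_KeyShare_CH(client_shares=[
                KeyShareEntry(group=selected_group)
            ]))  # noqa: E501
            ext.append(
                TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]))

        p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
        self.add_msg(p)
        raise self.TLS13_ADDED_CLIENTHELLO()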
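args = parser.parse_args()

# By default, PFS is set: the PSK is combined with an (EC)DHE key exchange
# unless --no-pfs asks for the bare psk_ke mode.
psk_mode = "psk_ke" if args.no_pfs else "psk_dhe_ke"

v = _tls_version_options.get(args.version, None)
if not v:
    sys.exit("Unrecognized TLS version option.")

if args.ciphersuite:
    # The suite is given as a hex string; reject garbage with a clean message
    # instead of a ValueError traceback.
    try:
        ciphers = int(args.ciphersuite, 16)
    except ValueError:
        sys.exit("Ciphersuite must be given as a hexadecimal value.")
    # 0x1301-0x1305 are the TLS 1.3 suites; anything else gets a legacy hello.
    if ciphers in range(0x1301, 0x1306):
        ch = TLS13ClientHello(ciphers=ciphers)
    else:
        ch = TLSClientHello(ciphers=ciphers)
else:
    ch = None

t = TLSClientAutomaton(
    client_hello=ch,
    version=args.version,
    mycert=basedir + "/test/tls/pki/cli_cert.pem",
    mykey=basedir + "/test/tls/pki/cli_key.pem",
    psk=args.psk,
    psk_mode=psk_mode,
)
t.run()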