def main():
"""Verify correct ECDHE shared secret handling."""
host = "localhost"
port = 4433
num_limit = 1
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
min_zeros = 1
record_split = True
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:z", ["help", "min-zeros="])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '-z':
record_split = False
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--min-zeros':
min_zeros = int(arg)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
collected_premaster_secrets = []
variables_check = \
{'premaster_secret':
collected_premaster_secrets}
groups = [
GroupName.x25519, GroupName.x448, GroupName.secp256r1,
GroupName.secp384r1, GroupName.secp521r1
]
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
groups_ext = SupportedGroupsExtension().create(groups)
points_ext = ECPointFormatsExtension().create([ECPointFormat.uncompressed])
exts = {
ExtensionType.renegotiation_info: None,
ExtensionType.supported_groups: groups_ext,
ExtensionType.ec_point_formats: points_ext
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=exts))
exts = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=exts))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(CopyVariables(variables_check))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
for prot in [(3, 0), (3, 1), (3, 2), (3, 3)]:
for ssl2 in [True, False]:
for group in groups:
# with SSLv2 compatible or with SSLv3 we can't advertise
# curves so do just one check
if (ssl2 or prot == (3, 0)) and group != groups[0]:
continue
conversation = Connect(host,
port,
version=(0, 2) if ssl2 else (3, 0))
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
if ssl2 or prot == (3, 0):
exts = None
else:
groups_ext = SupportedGroupsExtension().create([group])
exts = {
ExtensionType.supported_groups: groups_ext,
ExtensionType.ec_point_formats: points_ext
}
node = node.add_child(
ClientHelloGenerator(ciphers,
version=prot,
extensions=exts,
ssl2=ssl2))
if prot > (3, 0):
if ssl2:
ext = {ExtensionType.renegotiation_info: None}
else:
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
else:
ext = None
node = node.add_child(
ExpectServerHello(extensions=ext, version=prot))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(CopyVariables(variables_check))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
if prot < (3, 2) and record_split:
# 1/n-1 record splitting
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["Protocol {0}{1}{2}".format(
prot,
"" if ssl2 or prot < (3, 1)
else " with {0} group".format(GroupName.toStr(group)),
" in SSLv2 compatible ClientHello" if ssl2 else "")] = \
conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
if num_limit > len(run_only):
num_limit = len(run_only)
regular_tests = [(k, v) for k, v in conversations.items()
if k in run_only]
else:
regular_tests = [(k, v) for k, v in conversations.items()
if (k != 'sanity') and k not in run_exclude]
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
i = 0
break_loop = False
while True:
# don't hog the memory unnecessairly
collected_premaster_secrets[:] = []
print("\"{1}\" repeat {0}...".format(i, c_name))
i += 1
if c_name == 'sanity':
break_loop = True
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
break_loop = True
else:
if res:
good += 1
if collected_premaster_secrets[-1][:min_zeros] == \
bytearray(min_zeros):
print("Got premaster secret with {0} most significant "
"bytes equal to zero.".format(min_zeros))
break_loop = True
print("OK\n")
else:
bad += 1
failed.append(c_name)
break_loop = True
if break_loop:
break
print('')
print("Check if the connections work when the calculated ECDH shared")
print("secret must be padded on the left with zeros")
print("Test end")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad or xpass:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations["tls13-no-ciphers"] = conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ext = {}
sigalgs = [(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha224, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha384, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha512, SignatureAlgorithm.ecdsa)]
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sigalgs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
curves = [GroupName.secp256r1,
GroupName.secp384r1,
GroupName.secp521r1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(curves)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, version=(3, 3),
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# all algorithms, but in order from strongest to weakest
conversation = Connect(host, port)
node = conversation
ext = {}
sigalgs = [(HashAlgorithm.sha512, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha384, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha224, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa)]
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sigalgs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
curves = [GroupName.secp256r1,
GroupName.secp384r1,
GroupName.secp521r1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(curves)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, version=(3, 3),
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - strongest to weakest"] = conversation
# test all hashes one by one
for h_alg in ["sha1", "sha224", "sha256", "sha384", "sha512"]:
conversation = Connect(host, port)
node = conversation
ext = {}
sigalgs = [(getattr(HashAlgorithm, h_alg), SignatureAlgorithm.ecdsa)]
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sigalgs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
curves = [GroupName.secp256r1,
GroupName.secp384r1,
GroupName.secp521r1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(curves)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, version=(3, 3),
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["connect with {0}+ecdsa only".format(h_alg)] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
if num_limit > len(run_only):
num_limit = len(run_only)
regular_tests = [(k, v) for k, v in conversations.items() if
k in run_only]
else:
regular_tests = [(k, v) for k, v in conversations.items() if
(k != 'sanity') and k not in run_exclude]
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n"
.format(expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test if the server doesn't have the TLSv1.3 limitation on ECDSA")
print("signatures also in TLSv1.2 mode.\n")
print("Test end")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2*len(sanity_tests)))
print("SKIP: {0}".format(len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed ,key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad or xpass:
sys.exit(1)
def main():
host = "localhost"
port = 4433
run_exclude = set()
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
# check if server selects ECDHE when fully specified
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.secp256r1, GroupName.secp384r1, GroupName.secp521r1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
cipher = CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
node = node.add_child(ExpectServerHello(version=(3, 3), cipher=cipher))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["sanity"] = conversation
# check if server selects compatible group if none is selected
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
cipher = CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
node = node.add_child(ExpectServerHello(version=(3, 3), cipher=cipher))
node = node.add_child(ExpectCertificate())
groups = [GroupName.secp256r1]
node = node.add_child(ExpectServerKeyExchange(valid_groups=groups))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["default to P-256 when no groups specified"] = conversation
# check if server selects compatible group and hash when none specified
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers))
cipher = CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
node = node.add_child(ExpectServerHello(version=(3, 3), cipher=cipher))
node = node.add_child(ExpectCertificate())
groups = [GroupName.secp256r1]
node = node.add_child(ExpectServerKeyExchange(valid_groups=groups))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations[
"default to P-256/sha-1 when no extensions specified"] = conversation
# check if server will fallback to to other cipher when no groups
# are acceptable
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.sect163k1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
cipher = CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
node = node.add_child(ExpectServerHello(version=(3, 3), cipher=cipher))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["only secp163k1 group - fallback to DHE"] = conversation
# check if server will fallback to to other cipher when no groups
# are defined
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [11200] # unknown ECDHE group
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
cipher = CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
node = node.add_child(ExpectServerHello(version=(3, 3), cipher=cipher))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["only unknown group - fallback to DHE"] = conversation
# check if server will abort if no group is acceptable and no fallback
# is possible
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [11200]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations["only unknown group - no fallback to DHE"] = conversation
# check if server will not negotiate x25519
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519, GroupName.x448]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations[
"only x25519 and x448 groups - allow for DHE fallback"] = conversation
# check if server will abort if x25519 is not support
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519, GroupName.x448]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations[
"only x25519 and x448 groups - no fallback to DHE possible"] = conversation
# check if server will negotiate X25519 with compression supported
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.ec_point_formats] = \
ECPointFormatsExtension().create([ECPointFormat.ansiX962_compressed_prime,
ECPointFormat.ansiX962_compressed_char2,
ECPointFormat.uncompressed])
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["EC point format - all types - x25519"] = conversation
# check if server will negotiate X25519 with typical EC point format ext
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.ec_point_formats] = \
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations[
"EC point format - only uncompressed - x25519"] = conversation
# check if server will negotiate X25519
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["sanity - negotiate x25519"] = conversation
# check if server will negotiate X448
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x448]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["sanity - negotiate x448"] = conversation
# check if server will reject too small x25519 share
# (one with too few bytes in the key share)
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(ecdh_Yc=bytearray([55] *
(X25519_ORDER_SIZE - 1))))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["too small x25519 key share"] = conversation
# check if server will reject empty x25519 share
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientKeyExchangeGenerator(ecdh_Yc=bytearray()))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
# since the ECPoint is defined as <1..2^8-1>, zero length value is an
# incorrect encoding
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["empty x25519 key share"] = conversation
# check if server will reject too big x25519 share
# (one with too many bytes in the key share)
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(ecdh_Yc=bytearray([55] *
(X25519_ORDER_SIZE + 1))))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["too big x25519 key share"] = conversation
# check if server will reject x25519 share with high order bit set
# per draft-ietf-tls-rfc4492bis:
#
# Since there are some implementation of the X25519 function that
# impose this restriction on their input and others that don't,
# implementations of X25519 in TLS SHOULD reject public keys when the
# high-order bit of the final byte is set
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519] # ecdh_x25519
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(
ecdh_Yc=bytearray([55] * (X25519_ORDER_SIZE - 1) + [0x80])))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
# Because we are sending a key exchange with a public value for which
# we do not know the private valye, the Finished message will be encrypted
# using incorrect keys, so expect a failure that shows that
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
conversations["x25519 key share with high bit set"] = conversation
# check if server will reject empty x448 share
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x448]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientKeyExchangeGenerator(ecdh_Yc=bytearray()))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
# since the ECPoint is defined as <1..2^8-1>, zero length value is an
# incorrect encoding
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["empty x448 key share"] = conversation
# check if server will reject too small x448 share
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x448]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(ecdh_Yc=bytearray([55] *
(X448_ORDER_SIZE - 1))))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["too small x448 key share"] = conversation
# check if server will reject too big x448 share
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x448] # ecdh_x448
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(ecdh_Yc=bytearray([55] *
(X448_ORDER_SIZE + 1))))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["too big x448 key share"] = conversation
# check if server will reject an all-zero key share for x25519
# (it should result in all-zero shared secret)
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(ecdh_Yc=bytearray(X25519_ORDER_SIZE)))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["all zero x25519 key share"] = conversation
# check if server will reject an all-zero key share for x448
# (it should result in all-zero shared secret)
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x448]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(ecdh_Yc=bytearray(X448_ORDER_SIZE)))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["all zero x448 key share"] = conversation
# check if server will reject a key share or 1 for x25519
# (it should result in all-zero shared secret)
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x25519]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(
ecdh_Yc=numberToByteArray(1, X25519_ORDER_SIZE, "little")))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["x25519 key share of \"1\""] = conversation
# check if server will reject a key share of 1 for x448
# (it should result in all-zero shared secret)
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [GroupName.x448]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
ClientKeyExchangeGenerator(
ecdh_Yc=numberToByteArray(1, X448_ORDER_SIZE, "little")))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["x448 key share of \"1\""] = conversation
# run the conversation
good = 0
bad = 0
failed = []
# make sure that sanity test is run first and last
# to verify that server was running and kept running throught
sanity_test = ('sanity', conversations['sanity'])
ordered_tests = chain([sanity_test],
filter(lambda x: x[0] != 'sanity',
conversations.items()), [sanity_test])
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Basic test to verify that server selects sane ECDHE parameters and")
print("ciphersuites when x25519 curve is an option\n")
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = GroupName.allFF
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
sig_algs += ECDSA_SIG_TLS1_3_ALL
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
for group in groups:
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
ext[ExtensionType.key_share] = key_share_ext_gen([group])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - {0}".format(
GroupName.toRepr(group))] = conversation
# duplicated key share entry
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_shares = []
key_shares.append(key_share_gen(group))
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension()\
.create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - duplicated key share entry".format(
GroupName.toRepr(group))] = conversation
# padded representation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = key_share_gen(group)
key_share.key_exchange += bytearray(b'\x00')
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - right 0-padded key_share".format(
GroupName.toRepr(group))] = conversation
# truncated representation (given that all groups use safe primes,
# any integer between 1 and p-1 is a valid key share, it's just that
# after truncation we don't know the private key that generates it)
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = key_share_gen(group)
key_share.key_exchange.pop()
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - right-truncated key_share".format(
GroupName.toRepr(group))] = conversation
# key share from wrong group
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = key_share_gen(group)
if group == GroupName.ffdhe2048:
key_share2 = key_share_gen(GroupName.ffdhe3072)
else:
key_share2 = key_share_gen(GroupName.ffdhe2048)
key_share.key_exchange = key_share2.key_exchange
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - key share from other group".format(
GroupName.toRepr(group))] = conversation
# just 0
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = KeyShareEntry().create(group, bytearray(b'\x00'))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - 0 as one byte".format(
GroupName.toRepr(group))] = conversation
# 0 key share
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = key_share_gen(group)
key_share.key_exchange = bytearray(len(key_share.key_exchange))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - 0 as key share".format(
GroupName.toRepr(group))] = conversation
# 1 key share
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = key_share_gen(group)
key_share.key_exchange = bytearray(len(key_share.key_exchange))
key_share.key_exchange[-1] = 0x01
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - 1 as key share".format(
GroupName.toRepr(group))] = conversation
# all bits set key share
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = key_share_gen(group)
key_share.key_exchange = bytearray([0xff] *
len(key_share.key_exchange))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - all bits set key share".format(
GroupName.toRepr(group))] = conversation
if group == GroupName.ffdhe2048:
params = FFDHE2048
elif group == GroupName.ffdhe3072:
params = FFDHE3072
elif group == GroupName.ffdhe4096:
params = FFDHE4096
elif group == GroupName.ffdhe6144:
params = FFDHE6144
else:
assert group == GroupName.ffdhe8192
params = FFDHE8192
# p-1 key share
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = KeyShareEntry().create(group,
numberToByteArray(params[1] - 1))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - p-1 as key share".format(
GroupName.toRepr(group))] = conversation
# p key share
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = KeyShareEntry().create(group, numberToByteArray(params[1]))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - p as key share".format(
GroupName.toRepr(group))] = conversation
# empty key share entry
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
key_share = KeyShareEntry().create(group, bytearray())
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
[key_share])
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([group])
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["{0} - empty key share entry in key_share ext".format(
GroupName.toRepr(group))] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Basic FFDHE group tests in TLS 1.3")
print("Check if invalid, malformed and incompatible group key_shares are")
print("rejected by server")
print("version: {0}\n".format(version))
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
"""Test if server supports unsupported curve fallback"""
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp160k1])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(
cipher=CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["check for unsupported curve fallback"] = conversation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
if num_limit > len(run_only):
num_limit = len(run_only)
regular_tests = [(k, v) for k, v in conversations.items()
if k in run_only]
else:
regular_tests = [(k, v) for k, v in conversations.items()
if (k != 'sanity') and k not in run_exclude]
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad or xpass:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
pha_as_reply = False
cert_required = False
pha_in_sanity = False
min_tickets = 0
pha_query = b'GET /secret HTTP/1.0\r\n\r\n'
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:k:c:", [
"help", "pha-as-reply", "cert-required", "min-tickets=", "query=",
"pha-in-sanity"
])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--pha-as-reply':
pha_as_reply = True
elif opt == '--pha-in-sanity':
pha_in_sanity = True
elif opt == '--cert-required':
cert_required = True
elif opt == '--query':
pha_query = arg
elif opt == '--min-tickets':
min_tickets = int(arg)
elif opt == '-k':
text_key = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_key = str(text_key, 'utf-8')
private_key = parsePEMKey(text_key, private=True)
elif opt == '-c':
text_cert = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_cert = str(text_cert, 'utf-8')
cert = X509()
cert.parse(text_cert)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
for _ in range(min_tickets):
node = node.add_child(ExpectNewSessionTicket(description="counted"))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# test post-handshake authentication
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.post_handshake_auth] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
if pha_as_reply:
node = node.add_child(ApplicationDataGenerator(bytearray(pha_query)))
for _ in range(min_tickets):
node = node.add_child(ExpectNewSessionTicket(description="counted"))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket(description="first set")
node = node.add_child(cycle)
node.add_child(cycle)
context = []
node.next_sibling = ExpectCertificateRequest(context=context)
node = node.next_sibling.add_child(
CertificateGenerator(X509CertChain([cert]), context=context))
node = node.add_child(
CertificateVerifyGenerator(private_key, context=context))
node = node.add_child(FinishedGenerator(context=context))
node = node.add_child(ClearContext(context))
if not pha_as_reply:
node = node.add_child(ApplicationDataGenerator(bytearray(pha_query)))
# just like after the first handshake, after PHA, the NST can be sent
# multiple times
cycle = ExpectNewSessionTicket(description="second set")
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["post-handshake authentication"] = conversation
if pha_in_sanity:
conversations["sanity"] = conversation
# test post-handshake authentication with KeyUpdate
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.post_handshake_auth] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
if pha_as_reply:
node = node.add_child(ApplicationDataGenerator(bytearray(pha_query)))
for _ in range(min_tickets):
node = node.add_child(ExpectNewSessionTicket(description="counted"))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket(description="first set")
node = node.add_child(cycle)
node.add_child(cycle)
context = []
node.next_sibling = ExpectCertificateRequest(context=context)
node = node.next_sibling.add_child(
KeyUpdateGenerator(KeyUpdateMessageType.update_requested))
node = node.add_child(
CertificateGenerator(X509CertChain([cert]), context=context))
node = node.add_child(
CertificateVerifyGenerator(private_key, context=context))
node = node.add_child(FinishedGenerator(context=context))
if not pha_as_reply:
node = node.add_child(ApplicationDataGenerator(bytearray(pha_query)))
# just like after the first handshake, after PHA, the NST can be sent
# multiple times
cycle = ExpectNewSessionTicket(description="second set")
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectKeyUpdate(
KeyUpdateMessageType.update_not_requested)
# but KeyUpdate can be sent asynchonously, then NST will be received
# after KeyUpdate
cycle = ExpectNewSessionTicket(description="third set")
node = node.next_sibling.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations[
"post-handshake authentication with KeyUpdate"] = conversation
# test post-handshake with client not providing a certificate
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.post_handshake_auth] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
if pha_as_reply:
node = node.add_child(ApplicationDataGenerator(bytearray(pha_query)))
for _ in range(min_tickets):
node = node.add_child(ExpectNewSessionTicket(description="counted"))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket(description="first set")
node = node.add_child(cycle)
node.add_child(cycle)
context = []
node.next_sibling = ExpectCertificateRequest(context=context)
node = node.next_sibling.add_child(
CertificateGenerator(X509CertChain([]), context=context))
node = node.add_child(FinishedGenerator(context=context))
if not pha_as_reply:
node = node.add_child(ApplicationDataGenerator(bytearray(pha_query)))
if cert_required:
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.certificate_required))
node.add_child(ExpectClose())
else:
# just like after the first handshake, after PHA, the NST can be sent
# multiple times
cycle = ExpectNewSessionTicket(description="second set")
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations[
"post-handshake authentication with no client cert"] = conversation
# malformed signatures in post-handshake authentication
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.post_handshake_auth] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
if pha_as_reply:
node = node.add_child(ApplicationDataGenerator(bytearray(pha_query)))
for _ in range(min_tickets):
node = node.add_child(ExpectNewSessionTicket(description="counted"))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
context = []
node.next_sibling = ExpectCertificateRequest(context=context)
node = node.next_sibling.add_child(
CertificateGenerator(X509CertChain([cert]), context=context))
node = node.add_child(
CertificateVerifyGenerator(private_key,
padding_xors={-1: 0xff},
context=context))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decrypt_error))
node.add_child(ExpectClose())
#node = node.add_child(FinishedGenerator(context=context))
conversations["malformed signature in PHA"] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throught
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Basic post-handshake authentication test case")
print("Check if server will accept PHA, check if server rejects invalid")
print("signatures on PHA CertificateVerify, etc.")
print("version: {0}\n".format(version))
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
dhe = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '-d':
dhe = True
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(
[SignatureScheme.rsa_pkcs1_sha256,
SignatureScheme.rsa_pss_rsae_sha256])
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["only http/1.1"] = conversation
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.')])}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.no_application_protocol))
node.add_child(ExpectClose())
conversations["only http/1."] = conversation
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.X')])
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.no_application_protocol))
node.add_child(ExpectClose())
conversations["only http/1.X"] = conversation
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn:
ALPNExtension().create([bytearray(b'http/1.'),
bytearray(b'http/1.1')])
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["http/1. and http/1.1"] = conversation
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.alpn: ALPNExtension().create([bytearray(b'')])}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node.add_child(ExpectClose())
conversations["empty element"] = conversation
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.alpn: ALPNExtension().create([])}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node.add_child(ExpectClose())
conversations["empty list"] = conversation
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn:
TLSExtension(extType=ExtensionType.alpn).create(bytearray())
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node.add_child(ExpectClose())
conversations["empty extension"] = conversation
# underflow length of "protocol_name_list" test
conversation = Connect(host, port)
node = conversation
# the ALPN extension needs to be the last one for fuzz_message to work
# correctly
ext = OrderedDict()
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext[ExtensionType.alpn] = ALPNExtension().create(
[bytearray(b'http/1.1'), bytearray(b'http/2')])
msg = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
# -17 is position of second byte in 2 byte long length of "protocol_name_list"
# setting it to value of 9 (bytes) will hide the second item in the "protocol_name_list"
node = node.add_child(fuzz_message(msg, substitutions={-17: 9}))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["underflow length of protocol_name_list"] = conversation
# overflow length of "protocol_name_list" test
conversation = Connect(host, port)
node = conversation
# the ALPN extension needs to be the last one for fuzz_message to work
# correctly
ext = OrderedDict()
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext[ExtensionType.alpn] = ALPNExtension().create(
[bytearray(b'http/1.1'), bytearray(b'http/2')])
msg = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
# -17 is position of second byte in 2 byte long length of "protocol_name_list"
# setting it to value of 18 (bytes) will raise the length value for 2 more bytes
node = node.add_child(fuzz_message(msg, substitutions={-17: 18}))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["overflow length of protocol_name_list"] = conversation
# overflow length of last item in "protocol_name_list" test
conversation = Connect(host, port)
node = conversation
# the ALPN extension needs to be the last one for fuzz_message to work
# correctly
ext = OrderedDict()
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext[ExtensionType.alpn] = ALPNExtension().create(
[bytearray(b'http/1.1'), bytearray(b'http/2')])
msg = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
# -7 is position of a length (1 byte long) for the last item in "protocol_name_list"
# setting it to value of 8 (bytes) will raise the length value for 2 more bytes
node = node.add_child(fuzz_message(msg, substitutions={-7: 8}))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["overflow length of last item"] = conversation
# renegotiation with protocol change
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/2')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/2')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["renegotiation with protocol change"] = conversation
# renegotiation without protocol change
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["renegotiation without protocol change"] = conversation
# renegotiation 2nd handshake alpn
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.renegotiation_info: None}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["renegotiation 2nd handshake alpn"] = conversation
# resumption without alpn change
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
close = ExpectClose()
node.next_sibling = close
node = node.add_child(ExpectClose())
node = node.add_child(Close())
node = node.add_child(Connect(host, port))
close.add_child(node)
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ResetRenegotiationInfo())
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext, resume=True))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["resumption without alpn change"] = conversation
# resumption with alpn change
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
close = ExpectClose()
node.next_sibling = close
node = node.add_child(ExpectClose())
node = node.add_child(Close())
node = node.add_child(Connect(host, port))
close.add_child(node)
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ResetRenegotiationInfo())
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'h2')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'h2')])
}
node = node.add_child(ExpectServerHello(extensions=ext, resume=True))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["resumption with alpn change"] = conversation
# resumption with alpn
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.renegotiation_info: None}
if dhe:
add_dhe_extensions(ext)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
close = ExpectClose()
node.next_sibling = close
node = node.add_child(ExpectClose())
node = node.add_child(Close())
node = node.add_child(Connect(host, port))
close.add_child(node)
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ResetRenegotiationInfo())
ext = {
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')]),
ExtensionType.renegotiation_info: None
}
if dhe:
add_dhe_extensions(ext)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext, resume=True))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["resumption with alpn"] = conversation
# 16269 byte long array and 255 byte long items test
# Client Hello longer than 2^14 bytes
conversation = Connect(host, port)
node = conversation
proto = bytearray(b"A" * 255)
lista = []
lista.append(proto)
# 63 items 255 bytes long + 1 item 195 bytes long + 1 item 8 byte long (http/1.1)
for p in range(1, 63):
lista.append(proto)
if dhe:
# (in DHE we send more extensions and longer cipher suite list, so the
# extension has to be shorter)
# 145 + 1 byte to reproduce the issue
lista.append(bytearray(b'B' * 146))
else:
# 195 + 1 byte to reproduce the issue
lista.append(bytearray(b'B' * 196))
lista.append(bytearray(b'http/1.1'))
ext = {ExtensionType.alpn: ALPNExtension().create(lista)}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(
[SignatureScheme.rsa_pkcs1_sha256,
SignatureScheme.rsa_pss_rsae_sha256])
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.alpn: ALPNExtension().create([bytearray(b'http/1.1')])
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["16269 byte long array"] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("ALPN extension tests")
print("Verify that the ALPN extenion is supported in the server and has")
print("correct error handling.")
print("version: {0}\n".format(version))
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
run_exclude = set()
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ext = {}
sigalgs = [(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha384, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha512, SignatureAlgorithm.ecdsa)]
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sigalgs)
curves = [GroupName.secp256r1,
GroupName.secp384r1,
GroupName.secp521r1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(curves)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, version=(3, 3),
extensions=ext))
node = node.add_child(ExpectServerHello())
# ECDSA is not supported by tlslite-ng v0.7.0a3
#node = node.add_child(ExpectCertificate())
#node = node.add_child(ExpectServerKeyExchange())
#node = node.add_child(ExpectServerHelloDone())
#node = node.add_child(ClientKeyExchangeGenerator())
#node = node.add_child(ChangeCipherSpecGenerator())
#node = node.add_child(FinishedGenerator())
#node = node.add_child(ExpectChangeCipherSpec())
#node = node.add_child(ExpectFinished())
#node = node.add_child(ApplicationDataGenerator(
# bytearray(b"GET / HTTP/1.0\n\n")))
#node = node.add_child(ExpectApplicationData())
#node = node.add_child(AlertGenerator(AlertLevel.warning,
# AlertDescription.close_notify))
#node = node.add_child(ExpectAlert())
#node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# all algorithms, but in order from strongest to weakest
conversation = Connect(host, port)
node = conversation
ext = {}
sigalgs = [(HashAlgorithm.sha512, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha384, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa)]
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sigalgs)
curves = [GroupName.secp256r1,
GroupName.secp384r1,
GroupName.secp521r1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(curves)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, version=(3, 3),
extensions=ext))
node = node.add_child(ExpectServerHello())
# ECDSA is not supported by tlslite-ng v0.7.0a3
#node = node.add_child(ExpectCertificate())
#node = node.add_child(ExpectServerKeyExchange())
#node = node.add_child(ExpectServerHelloDone())
#node = node.add_child(ClientKeyExchangeGenerator())
#node = node.add_child(ChangeCipherSpecGenerator())
#node = node.add_child(FinishedGenerator())
#node = node.add_child(ExpectChangeCipherSpec())
#node = node.add_child(ExpectFinished())
#node = node.add_child(ApplicationDataGenerator(
# bytearray(b"GET / HTTP/1.0\n\n")))
#node = node.add_child(ExpectApplicationData())
#node = node.add_child(AlertGenerator(AlertLevel.warning,
# AlertDescription.close_notify))
#node = node.add_child(ExpectAlert())
#node.next_sibling = ExpectClose()
conversations["sanity - strongest to weakest"] = conversation
# test all hashes one by one
for h_alg in ["sha1", "sha256", "sha384", "sha512"]:
conversation = Connect(host, port)
node = conversation
ext = {}
sigalgs = [(getattr(HashAlgorithm, h_alg), SignatureAlgorithm.ecdsa)]
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sigalgs)
curves = [GroupName.secp256r1,
GroupName.secp384r1,
GroupName.secp521r1]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(curves)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, version=(3, 3),
extensions=ext))
node = node.add_child(ExpectServerHello())
# ECDSA is not supported by tlslite-ng v0.7.0a3
#node = node.add_child(ExpectCertificate())
#node = node.add_child(ExpectServerKeyExchange())
#node = node.add_child(ExpectServerHelloDone())
#node = node.add_child(ClientKeyExchangeGenerator())
#node = node.add_child(ChangeCipherSpecGenerator())
#node = node.add_child(FinishedGenerator())
#node = node.add_child(ExpectChangeCipherSpec())
#node = node.add_child(ExpectFinished())
#node = node.add_child(ApplicationDataGenerator(
# bytearray(b"GET / HTTP/1.0\n\n")))
#node = node.add_child(ExpectApplicationData())
#node = node.add_child(AlertGenerator(AlertLevel.warning,
# AlertDescription.close_notify))
#node = node.add_child(ExpectAlert())
#node.next_sibling = ExpectClose()
conversations["connect with {0}+ecdsa only".format(h_alg)] = conversation
# run the conversation
good = 0
bad = 0
failed = []
# make sure that sanity test is run first and last
# to verify that server was running and kept running throught
sanity_test = ('sanity', conversations['sanity'])
ordered_tests = chain([sanity_test],
filter(lambda x: x[0] != 'sanity',
conversations.items()),
[sanity_test])
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test if the server doesn't have the TLSv1.3 limitation on ECDSA")
print("signatures also in TLSv1.2 mode.\n")
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
"""check if atypical padding is accepted by server"""
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
dhe = False
echo = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help", "echo-headers"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '-d':
dhe = True
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--echo-headers':
echo = True
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# check if SHA256 ciphers work
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - SHA256 HMAC"] = conversation
# check if SHA384 ciphers work
conversation = Connect(host, port)
node = conversation
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - SHA384 HMAC"] = conversation
# check if Encrypt Then Mac works
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.encrypt_then_mac: AutoEmptyExtension()}
if dhe:
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
extensions = {ExtensionType.encrypt_then_mac:None,
ExtensionType.renegotiation_info:None}
node = node.add_child(ExpectServerHello(extensions=extensions))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - encrypt then MAC"] = conversation
# maximum size of padding
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
text = b"GET / HTTP/1.0\r\nX-bad: a\r\n\r\n"
hmac_tag_length = 20
block_size = 16
# make sure that padding has full blocks to work with
assert (len(text) + hmac_tag_length) % block_size == 0
node = node.add_child(fuzz_padding(ApplicationDataGenerator(text),
min_length=255))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert(AlertLevel.warning,
AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["256 bytes of padding"] = \
conversation
# maximum size of padding with SHA256
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
text = b"GET / HTTP/1.0\r\nX-bad: aaaaa\r\n\r\n"
hmac_tag_length = 32
block_size = 16
# make sure that padding has full blocks to work with
assert (len(text) + hmac_tag_length) % block_size == 0, len(text)
node = node.add_child(fuzz_padding(ApplicationDataGenerator(text),
min_length=255))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert(AlertLevel.warning,
AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["256 bytes of padding with SHA256"] = \
conversation
# ... and SHA384
conversation = Connect(host, port)
node = conversation
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
text = b"GET / HTTP/1.0\r\nX-bad: aaaaa\r\n\r\n"
hmac_tag_length = 48
block_size = 16
# make sure that padding has full blocks to work with
assert (len(text) + hmac_tag_length) % block_size == 0, len(text)
node = node.add_child(fuzz_padding(ApplicationDataGenerator(text),
min_length=255))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["256 bytes of padding with SHA384"] = \
conversation
# longest possible padding with max size Application data
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
text = b"GET / HTTP/1.0\r\nX-bad: a\r\n"
for i in range(3):
text += b"X-ba" + compatAscii2Bytes(str(i)) + b": " + \
b"a" * (4096 - 9) + b"\r\n"
text += b"X-ba3: " + b"a" * (4096 - 37) + b"\r\n"
text += b"\r\n"
assert len(text) == 2**14, len(text)
node = node.add_child(fuzz_padding(ApplicationDataGenerator(text),
min_length=252))
if echo:
node = node.add_child(ExpectApplicationData(size=2**14))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert(AlertLevel.warning,
AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["2^14 bytes of AppData with 253 bytes of padding (SHA1)"] = \
conversation
# longest possible padding with max size Application data (and EtM)
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.encrypt_then_mac: AutoEmptyExtension()}
if dhe:
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
extensions = {ExtensionType.encrypt_then_mac:None,
ExtensionType.renegotiation_info:None}
node = node.add_child(ExpectServerHello(extensions=extensions))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
text = b"GET / HTTP/1.0\r\nX-bad: a\r\n"
for i in range(3):
text += b"X-ba" + compatAscii2Bytes(str(i)) + b": " + \
b"a" * (4096 - 9) + b"\r\n"
text += b"X-ba3: " + b"a" * (4096 - 37) + b"\r\n"
text += b"\r\n"
assert len(text) == 2**14, len(text)
node = node.add_child(fuzz_padding(ApplicationDataGenerator(text),
min_length=255))
if echo:
node = node.add_child(ExpectApplicationData(size=2**14))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert(AlertLevel.warning,
AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["2^14 bytes of AppData with 256 bytes of padding (SHA1 "
"+ Encrypt then MAC)"] = \
conversation
# longest possible padding with max size Application data with SHA256
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
text = b"GET / HTTP/1.0\r\nX-bad: a\r\n"
for i in range(3):
text += b"X-ba" + compatAscii2Bytes(str(i)) + b": " + \
b"a" * (4096 - 9) + b"\r\n"
text += b"X-ba3: " + b"a" * (4096 - 37) + b"\r\n"
text += b"\r\n"
assert len(text) == 2**14, len(text)
node = node.add_child(fuzz_padding(ApplicationDataGenerator(text),
min_length=255))
if echo:
node = node.add_child(ExpectApplicationData(size=2**14))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert(AlertLevel.warning,
AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["2^14 bytes of AppData with 256 bytes of padding (SHA256)"] = \
conversation
conversation = Connect(host, port)
node = conversation
ext = {}
add_dhe_extensions(ext)
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
text = b"GET / HTTP/1.0\r\nX-bad: a\r\n"
for i in range(3):
text += b"X-ba" + compatAscii2Bytes(str(i)) + b": " + \
b"a" * (4096 - 9) + b"\r\n"
text += b"X-ba3: " + b"a" * (4096 - 37) + b"\r\n"
text += b"\r\n"
assert len(text) == 2**14, len(text)
node = node.add_child(fuzz_padding(ApplicationDataGenerator(text),
min_length=255))
if echo:
node = node.add_child(ExpectApplicationData(size=2**14))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["2^14 bytes of AppData with 256 bytes of padding (SHA384)"] = \
conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
if num_limit > len(run_only):
num_limit = len(run_only)
regular_tests = [(k, v) for k, v in conversations.items() if
k in run_only]
else:
regular_tests = [(k, v) for k, v in conversations.items() if
(k != 'sanity') and k not in run_exclude]
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n"
.format(expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test if server can handle records with large (but valid) padding")
print("Tests both with small records and records that carry maximum amount")
print("of user data.\n")
print("Test end")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2*len(sanity_tests)))
print("SKIP: {0}".format(len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed ,key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
"""Test if server supports the RFC 7919 key exchange"""
host = "localhost"
port = 4433
num_limit = None
fatal_alert = "insufficient_security"
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
sig_algs = None # `sigalgs` w/o underscore is used for client certificates
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:S:e:x:X:n:", ["help", "alert="])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-S':
sig_algs = sig_algs_to_ids(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--alert':
fatal_alert = arg
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.renegotiation_info: None}
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations["sanity"] = conversation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
ext = {ExtensionType.renegotiation_info: None}
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(cipher=CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations["Check if DHE preferred"] = conversation
for group in GroupName.allFF:
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create([group])
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_groups=[group]))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations["{0} negotiation".format(GroupName.toStr(group))] = \
conversation
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create([511, group])
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_groups=[group]))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations["unassigned tolerance, {0} negotiation".format(GroupName.toStr(group))] = \
conversation
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create([GroupName.secp256r1, group])
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_groups=[group]))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations["tolerate ECC curve in groups without ECC cipher, "
"negotiate {0} ".format(GroupName.toStr(group))] = \
conversation
for group2 in GroupName.allFF:
if group == group2:
continue
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create([511, group, group2])
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(
ExpectServerHello(
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(
ExpectServerKeyExchange(valid_groups=[group, group2]))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations["{0} or {1} negotiation".format(
GroupName.toStr(group),
GroupName.toStr(group2))] = conversation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create([511])
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(cipher=CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations["fallback to non-ffdhe"] = conversation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create([GroupName.secp256r1, 511])
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectServerHello(cipher=CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
extensions={ExtensionType.renegotiation_info: None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node.add_child(ExpectClose())
conversations[
"fallback to non-ffdhe with secp256r1 advertised"] = conversation
# first paragraph of section 4 in RFC 7919
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_RSA_WITH_NULL_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create([511])
if sig_algs:
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, getattr(AlertDescription, fatal_alert)))
node.add_child(ExpectClose())
conversations["no overlap between groups"] = conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
num_limit = num_limit or len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
alert_desc = AlertDescription.illegal_parameter
cookie = False
relaxed = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:a:",
["help", "cookie", "relaxed"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == "-a":
try:
alert_desc = int(arg)
except ValueError:
alert_desc = getattr(AlertDescription, arg)
elif opt == "--relaxed":
relaxed = True
elif opt == "--cookie":
cookie = True
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# verify that server supports HRR
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = OrderedDict()
if cookie:
ext[ExtensionType.cookie] = None
ext[ExtensionType.key_share] = None
ext[ExtensionType.supported_versions] = None
node = node.add_child(ExpectHelloRetryRequest(extensions=ext))
ext = OrderedDict()
if cookie:
ext[ExtensionType.cookie] = ch_cookie_handler
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - HRR support"] = conversation
# verify that server replies with HRR when we send valid curve in supported_groups
# and unsupported curve in supported_groups and key_share
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
unsupported_groups = [GroupName.secp224r1]
both_groups = groups + unsupported_groups
key_shares = []
for group in unsupported_groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(both_groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = OrderedDict()
if cookie:
ext[ExtensionType.cookie] = None
ext[ExtensionType.key_share] = None
ext[ExtensionType.supported_versions] = None
if not relaxed:
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
else:
node = node.add_child(ExpectHelloRetryRequest(extensions=ext))
ext = OrderedDict()
if cookie:
ext[ExtensionType.cookie] = ch_cookie_handler
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(SIG_ALL)
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations[
"secp256r1 and secp224r1 in supported_groups, secp224r1 in key_share - HRR"] = conversation
# Check that all the valid groups work correctly
valid_groups = [
GroupName.secp256r1, GroupName.secp384r1, GroupName.secp521r1,
GroupName.x25519, GroupName.x448
]
for valid_group in valid_groups:
groups = [valid_group]
ext = {}
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
conversation = positive_test(host, port, ext)
conversation_name = "{0} in supported_groups and key_share"\
.format(GroupName.toRepr(valid_group))
conversations[conversation_name] = conversation
# https://tools.ietf.org/html/rfc8446#appendix-B.3.1.4
obsolete_groups = chain(range(0x0001,
0x0016 + 1), range(0x001A, 0x001C + 1),
range(0xFF01, 0XFF02 + 1))
for obsolete_group in obsolete_groups:
obsolete_group_name = (GroupName.toRepr(obsolete_group)
or "unknown ({0})".format(obsolete_group))
ext = {}
groups = [obsolete_group]
try:
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
except ValueError:
# bogus value to move on, if it makes problems, these won't result in handshake_failure
key_shares = [
KeyShareEntry().create(obsolete_group, bytearray(b'\xab' * 32))
]
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
conversation = negative_test(host, port, ext, alert_desc)
conversation_name = "{0} in supported_groups and key_share"\
.format(obsolete_group_name)
conversations[conversation_name] = conversation
# check if it's rejected when it's just the one advertised, but not shared
ext = {}
groups = [obsolete_group]
key_shares = []
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
conversation = negative_test(host, port, ext, alert_desc)
conversation_name = "{0} in supported_groups and empty key_share"\
.format(obsolete_group_name)
conversations[conversation_name] = conversation
# check invalid group advertised together with valid in key share
ext = {}
groups = [obsolete_group, GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen([GroupName.secp256r1])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
if relaxed:
conversation = positive_test(host, port, ext)
else:
conversation = negative_test(host, port, ext, alert_desc)
conversation_name = "{0} and secp256r1 in supported_groups and "\
"secp256r1 in key_share".format(obsolete_group_name)
conversations[conversation_name] = conversation
# check with both valid and invalid in key share and supported groups
ext = {}
groups = [obsolete_group, GroupName.secp256r1]
key_shares = []
for group in groups:
try:
key_shares.append(key_share_gen(group))
except ValueError:
# bogus value to move on, if it makes problems, these won't result in handshake_failure
key_shares.append(KeyShareEntry().create(
obsolete_group, bytearray(b'\xab' * 32)))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
if relaxed:
conversation = positive_test(host, port, ext)
else:
conversation = negative_test(host, port, ext, alert_desc)
conversation_name = "{0} and secp256r1 in supported_groups and key_share".format(
obsolete_group_name)
conversations[conversation_name] = conversation
# also check with inverted order
ext = {}
groups = [GroupName.secp256r1, obsolete_group]
key_shares = []
for group in groups:
try:
key_shares.append(key_share_gen(group))
except ValueError:
# bogus value to move on, if it makes problems, these won't result in handshake_failure
key_shares.append(KeyShareEntry().create(
obsolete_group, bytearray(b'\xab' * 32)))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
if relaxed:
conversation = positive_test(host, port, ext)
else:
conversation = negative_test(host, port, ext, alert_desc)
conversation_name = "secp256r1 and {0} in supported_groups and key_share".format(
obsolete_group_name)
conversations[conversation_name] = conversation
# check inconsistent key_share with supported_groups
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
try:
key_shares.append(key_share_gen(obsolete_group))
except ValueError:
# bogus value to move on, if it makes problems, these won't result in handshake_failure
key_shares.append(KeyShareEntry().create(obsolete_group,
bytearray(b'\xab' * 32)))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
conversation = negative_test(host, port, ext,
AlertDescription.illegal_parameter)
conversation_name = \
"{0} in key_share and secp256r1 in "\
"supported_groups (inconsistent extensions)"\
.format(obsolete_group_name)
conversations[conversation_name] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
if num_limit > len(run_only):
num_limit = len(run_only)
regular_tests = [(k, v) for k, v in conversations.items()
if k in run_only]
else:
regular_tests = [(k, v) for k, v in conversations.items()
if (k != 'sanity') and k not in run_exclude]
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Negotiating obsolete curves with TLS 1.3 server")
print("Check that TLS 1.3 server will not use or accept obsolete curves")
print("in TLS 1.3.")
print("Reproduces https://github.com/openssl/openssl/issues/8369\n")
print("Test end")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad or xpass:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
no_ins_renego = False
private_key = None
cert = None
early_abort = False
dhe = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:k:c:d",
["help", "no-ins-renego", "early-abort"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-d':
dhe = True
elif opt == '-n':
num_limit = int(arg)
elif opt == '--no-ins-renego':
no_ins_renego = True
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--early-abort':
early_abort = True
elif opt == '-k':
text_key = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_key = str(text_key, 'utf-8')
private_key = parsePEMKey(text_key, private=True)
elif opt == '-c':
text_cert = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_cert = str(text_cert, 'utf-8')
cert = X509()
cert.parse(text_cert)
else:
raise ValueError("Unknown option: {0}".format(opt))
if not private_key:
raise ValueError("Specify private key file using -k")
if not cert:
raise ValueError("Specify certificate file using -c")
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256, SignatureScheme.rsa_pkcs1_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ext = {}
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(sig_algs)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# renegotiation
conversation = Connect(host, port)
node = conversation
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256, SignatureScheme.rsa_pkcs1_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
if dhe:
ext = {ExtensionType.renegotiation_info: None}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ext = {ExtensionType.renegotiation_info: None}
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(sig_algs)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# send GET request
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /secure/test HTTP/1.0\r\n\r\n")))
# 2nd handshake
node = node.add_child(ExpectHelloRequest())
node = node.add_child(ResetHandshakeHashes())
ext = {ExtensionType.renegotiation_info: None}
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(sig_algs)
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(CertificateVerifyGenerator(private_key))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ExpectApplicationData())
conversations["try secure renegotiation"] = conversation
# insecure renegotiation
conversation = Connect(host, port)
node = conversation
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256, SignatureScheme.rsa_pkcs1_sha256,
SignatureScheme.ecdsa_secp256r1_sha256
]
if dhe:
ext = {ExtensionType.renegotiation_info: None}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ext = {ExtensionType.renegotiation_info: None}
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(sig_algs)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# send GET request
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /secure/test HTTP/1.0\r\n\r\n")))
if early_abort:
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
else:
node = node.add_child(ExpectHelloRequest())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {}
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(sig_algs)
node = node.add_child(
ClientHelloGenerator(ciphers,
session_id=bytearray(0),
extensions=ext))
if no_ins_renego:
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
else:
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(CertificateVerifyGenerator(private_key))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ExpectApplicationData())
conversations["try insecure (legacy) renegotiation"] = conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Verify that the server disabled renegotiation (both legacy")
print("and secure). Use client certificates for the test.\n")
print("Test expects the server to ask for renegotiation after the client")
print("asks for \"/secure/test\" resource\n")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
min_zeros = 1
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:", ["help", "min-zeros="])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--min-zeros':
min_zeros = int(arg)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
collected_shared_secrets = []
variables_check = \
{'DH shared secret':
collected_shared_secrets}
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(CopyVariables(variables_check))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
for group in [GroupName.secp384r1, GroupName.secp521r1, GroupName.x25519,
GroupName.x448, GroupName.ffdhe2048, GroupName.ffdhe3072]:
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
ext = {}
groups = [group]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(CopyVariables(variables_check))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["TLS 1.3 with {0}".format(GroupName.toStr(group))] \
= conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throught
sanity_test = ('sanity', conversations['sanity'])
ordered_tests = chain([sanity_test],
islice(filter(lambda x: x[0] != 'sanity',
conversations.items()), num_limit),
[sanity_test])
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
i = 0
break_loop = False
while True:
# don't hog the memory unnecessairly
collected_shared_secrets[:] = []
print("\"{1}\" repeat {0}...".format(i, c_name))
i += 1
if c_name == 'sanity':
break_loop = True
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
if collected_shared_secrets[-1][:min_zeros] == \
bytearray(min_zeros):
print("Got shared secret with {0} most significant "
"bytes equal to zero."
.format(min_zeros))
break_loop = True
print("OK\n")
else:
bad += 1
failed.append(c_name)
break
if break_loop:
break
print('')
print("Check if the connections work when the calculated DH shared secret")
print("must be padded on the left with zeros")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
hostname = "localhost"
port = 4433
run_exclude = set()
dhe = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:d", ["help"])
for opt, arg in opts:
if opt == '-h':
hostname = arg
elif opt == '-d':
dhe = True
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(hostname, port)
node = conversation
ext = {ExtensionType.encrypt_then_mac: AutoEmptyExtension()}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
extensions = {
ExtensionType.encrypt_then_mac: None,
ExtensionType.renegotiation_info: None
}
node = node.add_child(ExpectServerHello(extensions=extensions))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
conversation = Connect(hostname, port)
node = conversation
# 1st handshake without encrypt-then-mac extension
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
extensions = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=extensions))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake with encrypt-then-mac extension
node = node.add_child(ResetHandshakeHashes())
ext = {
ExtensionType.encrypt_then_mac: AutoEmptyExtension(),
ExtensionType.renegotiation_info: None
}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
extensions = {
ExtensionType.encrypt_then_mac: None,
ExtensionType.renegotiation_info: None
}
node = node.add_child(ExpectServerHello(extensions=extensions))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
conversations["Encrypt-then-MAC renegotiation crash"] = conversation
# run the conversation
good = 0
bad = 0
failed = []
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
shuffled_tests = sample(regular_tests, len(regular_tests))
ordered_tests = chain(sanity_tests, shuffled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
"""Check handling of malformed ECDHE_RSA client key exchange messages"""
host = "localhost"
port = 4433
run_exclude = set()
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp256r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# invalid ecdh_Yc value
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp256r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
subst = dict((i, 0x00) for i in range(-1, -65, -1))
subst[-1] = 0x01
node = node.add_child(
fuzz_message(ClientKeyExchangeGenerator(), substitutions=subst))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["invalid point (0, 1)"] = conversation
# invalid ecdh_Yc value
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp256r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
# point at infinity doesn't have a defined encoding, but some libraries
# encode it as 0, 0, check if it is rejected
subst = dict((i, 0x00) for i in range(-1, -65, -1))
node = node.add_child(
fuzz_message(ClientKeyExchangeGenerator(), substitutions=subst))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["invalid point (0, 0)"] = conversation
# invalid ecdh_Yc value
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp256r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
# uncompressed EC points need to be self consistent, by changing
# one coordinate without changing the other we create an invalid point
node = node.add_child(
fuzz_message(ClientKeyExchangeGenerator(),
substitutions=dict(
(i, 0x00) for i in range(-1, -33, -1))))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations[
"invalid point (self-inconsistent, y all zero)"] = conversation
# invalid ecdh_Yc value
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp256r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
# uncompressed EC points need to be self consistent, by changing
# one coordinate without changing the other we create an invalid point
node = node.add_child(
fuzz_message(ClientKeyExchangeGenerator(), xors={-1: 0xff}))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node = node.add_child(ExpectClose())
conversations["invalid point (self-inconsistent)"] = conversation
# truncated Client Key Exchange
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp256r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
# uncompressed EC points need to be self consistent, by changing
# one coordinate without changing the other we create an invalid point
node = node.add_child(truncate_handshake(ClientKeyExchangeGenerator(), 1))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["truncated ecdh_Yc value"] = conversation
# padded Client Key Exchange
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
ext = {
ExtensionType.renegotiation_info:
None,
ExtensionType.supported_groups:
SupportedGroupsExtension().create([GroupName.secp256r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(TCPBufferingEnable())
# uncompressed EC points need to be self consistent, by changing
# one coordinate without changing the other we create an invalid point
node = node.add_child(pad_handshake(ClientKeyExchangeGenerator(), 1))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["padded Client Key Exchange"] = conversation
good = 0
bad = 0
failed = []
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
shuffled_tests = sample(regular_tests, len(regular_tests))
ordered_tests = chain(sanity_tests, shuffled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
"""check if obsolete signature algorithm is rejected by server"""
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
private_key = None
cert = None
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:k:c:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '-k':
text_key = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_key = str(text_key, 'utf-8')
private_key = parsePEMKey(text_key, private=True)
elif opt == '-c':
text_cert = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_cert = str(text_cert, 'utf-8')
cert = X509()
cert.parse(text_cert)
else:
raise ValueError("Unknown option: {0}".format(opt))
if not private_key:
raise ValueError("Specify private key file using -k")
if not cert:
raise ValueError("Specify certificate file using -c")
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
# sanity check for Client Certificates
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(ECDSA_SIG_ALL + RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(ECDSA_SIG_ALL + RSA_SIG_ALL),
ExtensionType.supported_groups:
SupportedGroupsExtension().create(
[GroupName.secp256r1, GroupName.secp384r1, GroupName.secp521r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(CertificateVerifyGenerator(private_key))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(b"GET / HTTP/1.0\n\n"))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertDescription.close_notify))
node = node.add_child(ExpectClose())
node.next_sibling = ExpectAlert()
node.next_sibling.add_child(ExpectClose())
conversations["sanity"] = conversation
# force MD5 signature on CertificateVerify
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(ECDSA_SIG_ALL + RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(ECDSA_SIG_ALL + RSA_SIG_ALL),
ExtensionType.supported_groups:
SupportedGroupsExtension().create(
[GroupName.secp256r1, GroupName.secp384r1, GroupName.secp521r1]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(TCPBufferingEnable())
sig_type = (HashAlgorithm.md5, SignatureAlgorithm.ecdsa)
node = node.add_child(
CertificateVerifyGenerator(private_key, msg_alg=sig_type))
# the other side can close connection right away, add options to handle it
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
# we expect closure or Alert and then closure of socket
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["md5+ecdsa forced"] = conversation
for h_alg in ["sha512", "sha384", "sha256", "sha224", "sha1"]:
for real_h_alg in ["sha512", "sha384", "sha256", "sha224", "sha1"]:
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(ECDSA_SIG_ALL +
RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(ECDSA_SIG_ALL +
RSA_SIG_ALL),
ExtensionType.supported_groups:
SupportedGroupsExtension().create([
GroupName.secp256r1, GroupName.secp384r1,
GroupName.secp521r1
]),
ExtensionType.ec_point_formats:
ECPointFormatsExtension().create([ECPointFormat.uncompressed])
}
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(ClientKeyExchangeGenerator())
alg = (getattr(HashAlgorithm, h_alg), SignatureAlgorithm.ecdsa)
real_alg = (getattr(HashAlgorithm,
real_h_alg), SignatureAlgorithm.ecdsa)
if alg == real_alg:
node = node.add_child(
CertificateVerifyGenerator(private_key,
msg_alg=alg,
sig_alg=real_alg))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(b"GET / HTTP/1.0\n\n"))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertDescription.close_notify))
node = node.add_child(ExpectClose())
node.next_sibling = ExpectAlert()
node.next_sibling.add_child(ExpectClose())
conversations["make {0}+ecdsa signature in CertificateVerify".
format(h_alg)] = conversation
else:
node = node.add_child(TCPBufferingEnable())
node = node.add_child(
CertificateVerifyGenerator(private_key,
msg_alg=alg,
sig_alg=real_alg))
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.decrypt_error))
node = node.add_child(ExpectClose())
conversations["make {0}+ecdsa signature, advertise it as "
"{1}+ecdsa in CertificateVerify".format(
h_alg, real_h_alg)] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throught
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test support for ECDSA signatures in CertificateVerify\n")
print("Version: {0}".format(version))
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
num_bytes = 2**14
cookie = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:",
["help", "num-bytes=", "cookie"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--num-bytes':
num_bytes = int(arg)
elif opt == '--cookie':
cookie = True
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
# sanity check
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# sanity check with PSK binders
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320), 0)
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["handshake with invalid PSK"] = conversation
# fake 0-RTT resumption with HRR and early data after second client hello
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [0x1300, GroupName.secp256r1]
key_shares = [KeyShareEntry().create(0x1300, bytearray(b'\xab' * 32))]
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(ApplicationDataGenerator(getRandomBytes(num_bytes)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
ext = {}
if cookie:
ext[ExtensionType.cookie] = None
ext[ExtensionType.key_share] = None
ext[ExtensionType.supported_versions] = None
node = node.add_child(ExpectHelloRetryRequest(extensions=ext))
node = node.add_child(ExpectChangeCipherSpec())
ext = OrderedDict()
key_shares = []
for group in [GroupName.secp256r1]:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
if cookie:
ext[ExtensionType.cookie] = ch_cookie_handler
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create(
[iden], [getRandomBytes(32)])
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(
PlaintextMessageGenerator(ContentType.application_data,
getRandomBytes(64)))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectAlert(AlertLevel.fatal,
AlertDescription.bad_record_mac)
node.next_sibling.add_child(ExpectClose())
conversations["handshake with 0-RTT, HRR and early data after 2nd Client Hello"]\
= conversation
# fake 0-RTT resumption with HRR
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [0x1300, GroupName.secp256r1]
key_shares = [KeyShareEntry().create(0x1300, bytearray(b'\xab' * 32))]
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(ApplicationDataGenerator(getRandomBytes(num_bytes)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
ext = {}
if cookie:
ext[ExtensionType.cookie] = None
ext[ExtensionType.key_share] = None
ext[ExtensionType.supported_versions] = None
node = node.add_child(ExpectHelloRetryRequest(extensions=ext))
node = node.add_child(ExpectChangeCipherSpec())
ext = OrderedDict()
key_shares = []
for group in [GroupName.secp256r1]:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
if cookie:
ext[ExtensionType.cookie] = ch_cookie_handler
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create(
[iden], [getRandomBytes(32)])
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["handshake with invalid 0-RTT and HRR"] = conversation
# fake 0-RTT resumption with fragmented early data
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(
ApplicationDataGenerator(getRandomBytes(num_bytes // 2)))
node = node.add_child(
ApplicationDataGenerator(getRandomBytes(num_bytes // 2)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["handshake with invalid 0-RTT with fragmented early data"]\
= conversation
# fake 0-RTT and early data spliced into the Finished message
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(ApplicationDataGenerator(getRandomBytes(num_bytes)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
finished_fragments = []
node = node.add_child(
split_message(FinishedGenerator(), finished_fragments, 16))
# early data spliced into the Finished message
node = node.add_child(
PlaintextMessageGenerator(ContentType.application_data,
getRandomBytes(64)))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectAlert(AlertLevel.fatal,
AlertDescription.bad_record_mac)
node.next_sibling.add_child(ExpectClose())
conversations["undecryptable record later in handshake together with early_data"]\
= conversation
# fake 0-RTT resumption and CCS between fake early data
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(
ApplicationDataGenerator(getRandomBytes(num_bytes // 2)))
node = node.add_child(ChangeCipherSpecGenerator(fake=True))
node = node.add_child(
ApplicationDataGenerator(getRandomBytes(num_bytes // 2)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["handshake with invalid 0-RTT and CCS between early data records"]\
= conversation
# fake 0-RTT resumption and CCS
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(ChangeCipherSpecGenerator(fake=True))
node = node.add_child(ApplicationDataGenerator(getRandomBytes(num_bytes)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["handshake with invalid 0-RTT and CCS"] = conversation
# fake 0-RTT resumption with unknown version
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([(3, 5), (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(ApplicationDataGenerator(getRandomBytes(num_bytes)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
# section D.3 of draft 28 states that client that receives TLS 1.2
# ServerHello as a reply to 0-RTT Client Hello MUST fail a connection
# consequently, the server does not need to be able to ignore early data
# in TLS 1.2 mode
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.unexpected_message))
node.add_child(ExpectClose())
conversations[
"handshake with invalid 0-RTT and unknown version (downgrade to TLS 1.2)"] = conversation
# fake 0-RTT resumption
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
ext[ExtensionType.early_data] = \
TLSExtension(extType=ExtensionType.early_data)
ext[ExtensionType.psk_key_exchange_modes] = PskKeyExchangeModesExtension()\
.create([PskKeyExchangeMode.psk_dhe_ke, PskKeyExchangeMode.psk_ke])
iden = PskIdentity().create(getRandomBytes(320),
getRandomNumber(2**30, 2**32))
bind = getRandomBytes(32)
ext[ExtensionType.pre_shared_key] = PreSharedKeyExtension().create([iden],
[bind])
node = node.add_child(TCPBufferingEnable())
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(SetRecordVersion((3, 3)))
node = node.add_child(ApplicationDataGenerator(getRandomBytes(num_bytes)))
node = node.add_child(TCPBufferingDisable())
node = node.add_child(TCPBufferingFlush())
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["handshake with invalid 0-RTT"] = conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Basic check if TLS 1.3 server can handle 0-RTT handshake")
print("Verify that the server can handle a 0-RTT handshake from client")
print("even if (or rather, especially if) it doesn't support 0-RTT.\n")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
ext_exclude = set()
cookie = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:", ["help", "cookie", "exc="])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--exc':
ext_exclude.add(int(arg))
elif opt == '--cookie':
cookie = True
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
hrr_ext = OrderedDict()
if cookie:
hrr_ext[ExtensionType.cookie] = None
hrr_ext[ExtensionType.key_share] = None
hrr_ext[ExtensionType.supported_versions] = None
node = node.add_child(ExpectHelloRetryRequest(extensions=hrr_ext))
node = node.add_child(ExpectChangeCipherSpec())
# Reverse extensions
rev_ext = OrderedDict()
rev_ext.update(reversed(ext.items()))
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
rev_ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
if cookie:
rev_ext[ExtensionType.cookie] = ch_cookie_handler
node = node.add_child(ClientHelloGenerator(ciphers, extensions=rev_ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations["HRR reversed order of known extensions"] = conversation
unassigned_ext_id = list(range(52, 65279))
# Exclude extensions from a list of unassigned ones
unassigned_ext_id = [
ext for ext in unassigned_ext_id if ext not in ext_exclude
]
chunk_size = 4096
for ext_chunk in (unassigned_ext_id[j:j + chunk_size]
for j in range(0, len(unassigned_ext_id), chunk_size)):
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = OrderedDict()
groups = [GroupName.secp256r1]
key_shares = []
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
for ext_id in ext_chunk:
ext[ext_id] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
hrr_ext = OrderedDict()
if cookie:
hrr_ext[ExtensionType.cookie] = None
hrr_ext[ExtensionType.key_share] = None
hrr_ext[ExtensionType.supported_versions] = None
node = node.add_child(ExpectHelloRetryRequest(extensions=hrr_ext))
node = node.add_child(ExpectChangeCipherSpec())
# Reverse extensions
rev_ext = OrderedDict()
rev_ext.update(reversed(ext.items()))
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
rev_ext[ExtensionType.key_share] = ClientKeyShareExtension().create(
key_shares)
if cookie:
rev_ext[ExtensionType.cookie] = ch_cookie_handler
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=rev_ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
conversations[
"HRR reversed order of unassigned extensions, ext_ids in range from {0} to {1}"
.format(ext_chunk[0], ext_chunk[-1])] = conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("TLS 1.3 communication with shuffled extensions in CH messages.")
print("Verify that server reject second CH message,")
print("when the order of extensions in first and second CH is different.")
print("Also unassigned extensions are used.\n")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = str()
dhe = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-d':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ext = None
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext = {
ExtensionType.supported_groups:
SupportedGroupsExtension().create(groups),
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# renegotiation
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# send GET request
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n")))
node = node.add_child(ApplicationDataGenerator(bytearray(b'\r\n')))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations[
"secure renegotiation with GET after 2nd handshake"] = conversation
# renegotiation
conversation = Connect(host, port)
node = conversation
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# send incomplete GET request
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n")))
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# finish the GET request
node = node.add_child(ApplicationDataGenerator(bytearray(b'\r\n')))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["secure renegotiation with incomplete GET"] = conversation
# insecure renegotiation
conversation = Connect(host, port)
node = conversation
ext = None
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext = {
ExtensionType.supported_groups:
SupportedGroupsExtension().create(groups),
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = None
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext = {
ExtensionType.supported_groups:
SupportedGroupsExtension().create(groups),
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# send GET request
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n")))
node = node.add_child(ApplicationDataGenerator(bytearray(b'\r\n')))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations[
"insecure (legacy) renegotiation with GET after 2nd handshake"] = conversation
# insecure renegotiation
conversation = Connect(host, port)
node = conversation
ext = None
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext = {
ExtensionType.supported_groups:
SupportedGroupsExtension().create(groups),
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# send incomplete GET request
node = node.add_child(
ApplicationDataGenerator(
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n")))
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = None
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext = {
ExtensionType.supported_groups:
SupportedGroupsExtension().create(groups),
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(RSA_SIG_ALL),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# finish the GET request
node = node.add_child(ApplicationDataGenerator(bytearray(b'\r\n')))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations[
"insecure (legacy) renegotiation with incomplete GET"] = conversation
# sending both SCSV and renegotiation_info: cold, then renegotiated
conversation = Connect(host, port)
node = conversation
# Sending both is NOT RECOMMENDED, though valid, for the first handshake...
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# ... but not for the second handshake
node = node.add_child(ResetHandshakeHashes())
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(
ClientHelloGenerator(ciphers, session_id=bytearray(0), extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations[
"sending both SCSV and renegotiation_info in renegotiated handshake"] = conversation
# sending both SCSV and renegotiation_info: cold, then renegotiated+resumed
conversation = Connect(host, port)
node = conversation
# Sending both is NOT RECOMMENDED, though valid, for the first handshake...
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# ... but not for the second handshake
node = node.add_child(ResetHandshakeHashes())
ext = {ExtensionType.renegotiation_info: None}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations[
"sending both SCSV and renegotiation_info in renegotiation+resumption"] = conversation
# non-empty initial renegotiation_info extension (with SCSV)
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.renegotiation_info:
RenegotiationInfoExtension().create(bytearray(b'abc'))
}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations[
"non-empty initial renegotiation_info extension (with SCSV)"] = conversation
# non-empty initial renegotiation_info extension (without SCSV)
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.renegotiation_info:
RenegotiationInfoExtension().create(bytearray(b'abc'))
}
if dhe:
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations[
"non-empty initial renegotiation_info extension (without SCSV)"] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Check if the server supports insecure (legacy) renegotiation")
print("version: {0}\n".format(version))
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
for hash_alg in ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]:
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [(getattr(HashAlgorithm, hash_alg), SignatureAlgorithm.rsa)]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
.create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectAlert(AlertLevel.fatal,
AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations["rsa_pkcs1_{0} signature".format(hash_alg)] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n"
.format(expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2*len(sanity_tests)))
print("SKIP: {0}".format(len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed ,key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
run_exclude = set()
dhe = False
tls13 = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:d", ["help", "tls-1.3"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-d':
dhe = True
elif opt == '--tls-1.3':
tls13 = True
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_AES_128_GCM_SHA256
]
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 3), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 2), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(version=(3, 2), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - TLSv1.1"] = conversation
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 4), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity - SSL3.4 version negotiation"] = conversation
conversation = Connect(host, port, version=(3, 3))
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 3), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["record TLSv1.2 hello TLSv1.2"] = conversation
conversation = Connect(host, port, version=(3, 2))
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_AES_128_GCM_SHA256
]
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 2), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(version=(3, 2), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["record TLSv1.1 hello TLSv1.1"] = conversation
conversation = Connect(host, port, version=(3, 4))
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_AES_128_GCM_SHA256
]
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 4), extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["record SSL3.4 hello SSL3.4"] = conversation
# test with FALLBACK_SCSV
if dhe:
positions = (0, 1, 2, 3)
else:
positions = (0, 1, 2)
for place in positions:
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
ciphers.insert(place, CipherSuite.TLS_FALLBACK_SCSV)
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 3), extensions=ext))
if tls13:
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.inappropriate_fallback))
node = node.add_child(ExpectClose())
else:
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(
ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["FALLBACK - hello TLSv1.2 - pos {0}".format(
place)] = conversation
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
ciphers.insert(place, CipherSuite.TLS_FALLBACK_SCSV)
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 2), extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.inappropriate_fallback))
node = node.add_child(ExpectClose())
conversations["FALLBACK - hello TLSv1.1 - pos {0}".format(
place)] = conversation
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
ciphers.insert(place, CipherSuite.TLS_FALLBACK_SCSV)
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 4), extensions=ext))
if tls13:
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.inappropriate_fallback))
node = node.add_child(ExpectClose())
else:
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(
ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["FALLBACK - hello SSL3.4 - pos {0}".format(
place)] = conversation
conversation = Connect(host, port, version=(3, 3))
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
ciphers.insert(place, CipherSuite.TLS_FALLBACK_SCSV)
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 3), extensions=ext))
if tls13:
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.inappropriate_fallback))
node = node.add_child(ExpectClose())
else:
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(
ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["FALLBACK - record TLSv1.2 hello TLSv1.2 - pos {0}".
format(place)] = conversation
conversation = Connect(host, port, version=(3, 2))
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
ciphers.insert(place, CipherSuite.TLS_FALLBACK_SCSV)
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 2), extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.inappropriate_fallback))
node = node.add_child(ExpectClose())
conversations["FALLBACK - record TLSv1.1 hello TLSv1.1 - pos {0}".
format(place)] = conversation
conversation = Connect(host, port, version=(3, 4))
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
else:
ext = None
ciphers = [
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_AES_128_GCM_SHA256
]
ciphers.insert(place, CipherSuite.TLS_FALLBACK_SCSV)
node = node.add_child(
ClientHelloGenerator(ciphers, version=(3, 4), extensions=ext))
if tls13:
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.inappropriate_fallback))
node = node.add_child(ExpectClose())
else:
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(
ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["FALLBACK - record SSL3.4 hello SSL3.4 - pos {0}".format(
place)] = conversation
# run the conversation
good = 0
bad = 0
failed = []
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
shuffled_tests = sample(regular_tests, len(regular_tests))
ordered_tests = chain(sanity_tests, shuffled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Check if server correctly handles FALLBACK_SCSV\n")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
"""Verify correct ECDHE shared secret handling."""
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
min_zeros = 1
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:", ["help", "min-zeros="])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--min-zeros':
min_zeros = int(arg)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
collected_premaster_secrets = []
variables_check = \
{'premaster_secret':
collected_premaster_secrets}
groups = [
GroupName.x25519, GroupName.x448, GroupName.secp256r1,
GroupName.secp384r1, GroupName.secp521r1
]
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
groups_ext = SupportedGroupsExtension().create(groups)
points_ext = ECPointFormatsExtension().create([ECPointFormat.uncompressed])
exts = {
ExtensionType.renegotiation_info: None,
ExtensionType.supported_groups: groups_ext,
ExtensionType.ec_point_formats: points_ext
}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=exts))
exts = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
node = node.add_child(ExpectServerHello(extensions=exts))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(CopyVariables(variables_check))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
for prot in [(3, 0), (3, 1), (3, 2), (3, 3)]:
for ssl2 in [True, False]:
for group in groups:
# with SSLv2 compatible or with SSLv3 we can't advertise
# curves so do just one check
if (ssl2 or prot == (3, 0)) and group != groups[0]:
continue
conversation = Connect(host,
port,
version=(0, 2) if ssl2 else (3, 0))
node = conversation
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
if ssl2 or prot == (3, 0):
exts = None
else:
groups_ext = SupportedGroupsExtension().create([group])
exts = {
ExtensionType.supported_groups: groups_ext,
ExtensionType.ec_point_formats: points_ext
}
node = node.add_child(
ClientHelloGenerator(ciphers,
version=prot,
extensions=exts,
ssl2=ssl2))
if prot > (3, 0):
if ssl2:
ext = {ExtensionType.renegotiation_info: None}
else:
ext = {
ExtensionType.renegotiation_info: None,
ExtensionType.ec_point_formats: None
}
else:
ext = None
node = node.add_child(
ExpectServerHello(extensions=ext, version=prot))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(CopyVariables(variables_check))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
if prot < (3, 2):
# 1/n-1 record splitting
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["Protocol {0}{1}{2}".format(
prot,
"" if ssl2 or prot < (3, 1)
else " with {0} group".format(GroupName.toStr(group)),
" in SSLv2 compatible ClientHello" if ssl2 else "")] = \
conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throught
sanity_test = ('sanity', conversations['sanity'])
ordered_tests = chain([sanity_test],
islice(
filter(lambda x: x[0] != 'sanity',
conversations.items()), num_limit),
[sanity_test])
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
i = 0
break_loop = False
while True:
# don't hog the memory unnecessairly
collected_premaster_secrets[:] = []
print("\"{1}\" repeat {0}...".format(i, c_name))
i += 1
if c_name == 'sanity':
break_loop = True
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
if collected_premaster_secrets[-1][:min_zeros] == \
bytearray(min_zeros):
print("Got premaster secret with {0} most significant "
"bytes equal to zero.".format(min_zeros))
break_loop = True
print("OK\n")
else:
bad += 1
failed.append(c_name)
break
if break_loop:
break
print('')
print("Check if the connections work when the calculated ECDH shared")
print("secret must be padded on the left with zeros")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256, SignatureScheme.rsa_pkcs1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(version=(3, 3), extensions=ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
for tls_ver in range(50):
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
# draft versions of TLS 1.3 used major version of 127 and minor version
# equal to the draft version (e.g. draft-23 used (127, 23))
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([(127, tls_ver), (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pkcs1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
# version in TLS 1.3 enabled tlsfuzzer actually does check the
# supported versions extension
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
conversations["try negotiating (127, {0}) - draft version"
.format(tls_ver)] = \
conversation
conversation = Connect(host, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
.create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256, SignatureScheme.rsa_pkcs1_sha256
]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
# version in TLS 1.3 enabled tlsfuzzer actually does check the
# supported versions extension
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
conversations["try negotiating TLS 1.3"] = \
conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test to verify that TLS 1.3 is disabled/not-supported in server")
print("Also attempts connections using draft versions of the protocol.")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
"""Check that server propoerly rejects pkcs1 signatures in TLS 1.3"""
hostname = "localhost"
port = 4433
num_limit = 10
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
cert = None
private_key = None
# algorithms to expect from server in Certificate Request
cr_sigalgs = [
SignatureScheme.ed25519, SignatureScheme.ed448,
SignatureScheme.ecdsa_secp521r1_sha512,
SignatureScheme.ecdsa_secp384r1_sha384,
SignatureScheme.ecdsa_secp256r1_sha256,
(HashAlgorithm.sha224, SignatureAlgorithm.ecdsa),
(HashAlgorithm.sha1,
SignatureAlgorithm.ecdsa), SignatureScheme.rsa_pss_rsae_sha512,
SignatureScheme.rsa_pss_pss_sha512,
SignatureScheme.rsa_pss_rsae_sha384,
SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256, SignatureScheme.rsa_pkcs1_sha512,
SignatureScheme.rsa_pkcs1_sha384, SignatureScheme.rsa_pkcs1_sha256,
SignatureScheme.rsa_pkcs1_sha224, SignatureScheme.rsa_pkcs1_sha1
]
# algorithms to advertise in ClientHello
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pss_rsae_sha384, SignatureScheme.rsa_pss_pss_sha384
]
hashalgs = hashes_to_list("sha256 sha384 sha512")
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:s:k:c:",
["help", "hash-order="])
for opt, arg in opts:
if opt == '-h':
hostname = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '-s':
cr_sigalgs = sig_algs_to_ids(arg)
elif opt == '--hash-order':
hashalgs = hashes_to_list(arg)
elif opt == '-k':
text_key = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_key = str(text_key, 'utf-8')
private_key = parsePEMKey(text_key, private=True)
elif opt == '-c':
text_cert = open(arg, 'rb').read()
if sys.version_info[0] >= 3:
text_cert = str(text_cert, 'utf-8')
cert = X509()
cert.parse(text_cert)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
if not cert or not private_key:
raise Exception("A Client certificate and a private key are required")
certType = cert.certAlg
conversations = {}
conversations_long = {}
# sanity check for Client Certificates
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(CertificateVerifyGenerator(private_key))
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# verify the advertised hashes
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest(cr_sigalgs))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["check sigalgs in cert request"] = conversation
for sigalg in RSA_SIG_ALL:
# set if test should succeed or fail based on cert type,
# advertisement and forbidden algorithms
expectPass = True
if certType == "rsa" and sigalg in (
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_pss_sha512):
expectPass = False
elif certType == "rsa-pss" and sigalg in (
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_rsae_sha384,
SignatureScheme.rsa_pss_rsae_sha512):
expectPass = False
# also verify that pkcs1 signatures are unconditionally refused
if sigalg in ((HashAlgorithm.md5,
SignatureAlgorithm.rsa), SignatureScheme.rsa_pkcs1_sha1,
SignatureScheme.rsa_pkcs1_sha224,
SignatureScheme.rsa_pkcs1_sha256,
SignatureScheme.rsa_pkcs1_sha384,
SignatureScheme.rsa_pkcs1_sha512):
expectPass = False
# also expect failure if an algorithm is not advertized
if sigalg not in cr_sigalgs:
expectPass = False
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
# force sigalg
node = node.add_child(
CertificateVerifyGenerator(private_key, msg_alg=sigalg))
node = node.add_child(FinishedGenerator())
result = "works"
# only signatures of matching certificate type should work
if expectPass:
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
else:
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.illegal_parameter))
node.add_child(ExpectClose())
result = "is refused"
conversations["check {0} signature {1}".format(
SignatureScheme.toStr(sigalg), result)] = conversation
# verify that rsa-pss signatures with empty, too short or too long
# salt fail
msgalg = sigalg_select("rsa_pss", hashalgs, cr_sigalgs, certType)
hash_name = SignatureScheme.getHash(SignatureScheme.toRepr(msgalg))
digest_len = getattr(tlshashlib, hash_name)().digest_size
for saltlen in (0, digest_len - 1, digest_len + 1):
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
# force salt length
node = node.add_child(
CertificateVerifyGenerator(private_key, rsa_pss_salt_len=saltlen))
node = node.add_child(FinishedGenerator())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decrypt_error))
node.add_child(ExpectClose())
conversations["check signature with salt length {0}".format(
saltlen)] = conversation
# verify that a rsa-pkcs1 signature in a rsa-pss ID envelope fails
sigalg = sigalg_select("rsa_pkcs1", hashalgs)
msgalg = sigalg_select("rsa_pss", hashalgs, cr_sigalgs, certType)
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(
CertificateVerifyGenerator(private_key, sig_alg=sigalg,
msg_alg=msgalg))
node = node.add_child(FinishedGenerator())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decrypt_error))
node.add_child(ExpectClose())
scheme = SignatureScheme.toRepr(sigalg)
conversations["check pkcs1 signature with rsa-pss envelope fails"] = \
conversation
# verify that a rsa-pss signature with mismatched message hash fails
msgalg = sigalg_select("rsa_pss", hashalgs, cr_sigalgs, certType)
# choose a similar scheme with just a different hash, doesn't need to be
# a server supported sigalg
hash_name = SignatureScheme.getHash(SignatureScheme.toRepr(msgalg))
_hashalgs = [x for x in hashalgs if x != hash_name]
sigalg = sigalg_select("rsa_pss", _hashalgs, cert_type=certType)
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(
CertificateVerifyGenerator(private_key, sig_alg=sigalg,
msg_alg=msgalg))
node = node.add_child(FinishedGenerator())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decrypt_error))
node.add_child(ExpectClose())
conversations["check rsa-pss signature with mismatched hash fails"] = \
conversation
# verify that a rsa-pss signature with mismatched MGF1 hash fails
sigalg = sigalg_select("rsa_pss", hashalgs, cr_sigalgs, certType)
# choose a different hash to cause mismtach
hash_name = SignatureScheme.getHash(SignatureScheme.toRepr(msgalg))
mgf1_hash = [x for x in hashalgs if x != hash_name][0]
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(
CertificateVerifyGenerator(private_key,
mgf1_hash=mgf1_hash,
msg_alg=sigalg))
node = node.add_child(FinishedGenerator())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decrypt_error))
node.add_child(ExpectClose())
conversations["check rsa-pss signature with mismatched mgf1 fails"] = \
conversation
# check that fuzzed signatures are rejected
for pos in range(numBytes(private_key.n)):
for xor in [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80]:
conversation = Connect(hostname, port)
node = conversation
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
ext[ExtensionType.key_share] = key_share_ext_gen(groups)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([(3, 4), (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificateRequest())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(CertificateGenerator(X509CertChain([cert])))
node = node.add_child(
CertificateVerifyGenerator(private_key,
padding_xors={pos: xor}))
node = node.add_child(FinishedGenerator())
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decrypt_error))
node.add_child(ExpectClose())
scheme = SignatureScheme.toRepr(sigalg)
conversations_long["check that fuzzed signatures are rejected." +
" Malformed {0} - xor {1} at {2}".format(
certType, hex(xor), pos)] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations_long)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
short_tests = [(k, v) for k, v in conversations.items()
if (k != 'sanity') and k in run_only]
long_tests = [(k, v) for k, v in conversations_long.items()
if k in run_only]
else:
short_tests = [(k, v) for k, v in conversations.items()
if (k != 'sanity') and k not in run_exclude]
long_tests = [(k, v) for k, v in conversations_long.items()
if k not in run_exclude]
sampled_tests = sample(long_tests, min(num_limit, len(long_tests)))
ordered_tests = chain(sanity_tests, short_tests, sampled_tests,
sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test to verify that server properly accepts or refuses")
print("signatures in TLS1.3; PKCS1 signatures are always refused.")
print("Other signatures are accepted or refused accordingly to")
print("the certificate type provided ('rsa' vs 'rsa-pss').\n")
print("Test end")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(
len(sampled_tests) + len(short_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad or xpass:
sys.exit(1)
def main():
host = "localhost"
port = 4433
run_exclude = set()
http = True
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:", ["help", "no-http"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--no-http':
http = False
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
# check if server works at all
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["sanity"] = conversation
# check if server works with SHA384 PRF ciphersuite
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["sanity sha384 prf"] = conversation
# check if server works at all (TLSv1.1)
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
version=(3, 2),
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectServerHello(
version=(3, 2),
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["sanity TLSv1.1"] = conversation
# check if server supports extended master secret
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["extended master secret"] = conversation
# check if server supports extended master secret with ECDHE
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None,
ExtensionType.supported_groups:SupportedGroupsExtension().
create([GroupName.secp256r1])}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["extended master secret w/ECDHE"] = conversation
# check if server supports extended master secret with DHE
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["extended master secret w/DHE"] = conversation
# check if server rejects malformed EMS extension
# (extension must be empty)
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info:None}
ext[ExtensionType.extended_master_secret] = \
TLSExtension(extType=ExtensionType.extended_master_secret).\
create(bytearray(b'\x00'))
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions=ext))
node = node.add_child(ExpectAlert(AlertLevel.fatal,
AlertDescription.decode_error))
node.next_sibling = ExpectClose()
conversations["malformed extended master secret ext"] = conversation
# check if server supports extended master secret with SHA384 PRF
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["extended master secret w/SHA384 PRF"] = conversation
# check if server supports extended master secret
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
version=(3, 2),
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
version=(3, 2),
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["extended master secret in TLSv1.1"] = conversation
# check if server doesn't default to extended master secret
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator(
extended_master_secret=True))
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectAlert(AlertLevel.fatal,
AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
node = node.add_child(Close())
conversations["no EMS by default"] = conversation
# check if server uses EMS for resumed connections
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
close = ExpectClose()
node.next_sibling = close
node = node.add_child(ExpectClose())
node = node.add_child(Close())
node = node.add_child(Connect(host, port))
close.add_child(node)
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ResetRenegotiationInfo())
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None},
resume=True))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["EMS with session resume"] = conversation
# check if server uses EMS for resumed connections and SHA384 PRF
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
close = ExpectClose()
node.next_sibling = close
node = node.add_child(ExpectClose())
node = node.add_child(Close())
node = node.add_child(Connect(host, port))
close.add_child(node)
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ResetRenegotiationInfo())
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None},
resume=True))
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.add_child(Close())
conversations["EMS with session resume and SHA384 PRF"] = conversation
# check if server aborts session resume without EMS extension
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
close = ExpectClose()
node.next_sibling = close
node = node.add_child(ExpectClose())
node = node.add_child(Close())
node = node.add_child(Connect(host, port))
close.add_child(node)
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ResetRenegotiationInfo())
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectAlert(AlertLevel.fatal,
AlertDescription.handshake_failure))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(Close())
conversations["EMS with session resume without extension"] = conversation
# check if server does full handshake on resumed session without EMS
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
close = ExpectClose()
node.next_sibling = close
node = node.add_child(ExpectClose())
node = node.add_child(Close())
node = node.add_child(Connect(host, port))
close.add_child(node)
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ResetRenegotiationInfo())
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None},
resume=False))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node.next_sibling.add_child(Close())
node.add_child(Close())
conversations["resume non-EMS session with EMS extension"] = \
conversation
# EMS with renegotiation
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ClientHelloGenerator(
ciphers,
session_id=bytearray(0), # do not resume
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(Close())
conversations["extended master secret with renegotiation"] = conversation
# renegotiation in non-EMS session
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ClientHelloGenerator(
ciphers,
session_id=bytearray(0), # do not resume
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(Close())
conversations["renegotiate with EMS in session without EMS"] = conversation
# renegotiation of non-EMS session in EMS session
conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(
ciphers,
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None,
ExtensionType.extended_master_secret:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
node = node.add_child(ClientHelloGenerator(
ciphers,
session_id=bytearray(0), # do not resume
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectServerHello(
extensions={ExtensionType.renegotiation_info:None}))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
if http:
node = node.add_child(ApplicationDataGenerator(
bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(AlertGenerator(AlertLevel.warning,
AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(Close())
conversations["renegotiate without EMS in session with EMS"] = conversation
# run the conversation
good = 0
bad = 0
failed = []
# make sure that sanity test is run first and last
# to verify that server was running and kept running throught
sanity_test = ('sanity', conversations['sanity'])
ordered_tests = chain([sanity_test],
filter(lambda x: x[0] != 'sanity',
conversations.items()),
[sanity_test])
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
srv_max_prot = None
dhe = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d",
["help", "server-max-protocol="])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '-d':
dhe = True
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--server-max-protocol':
srv_max_prot = protocol_name_to_tuple(arg)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
# normal connection
conversation = Connect(host, port)
node = conversation
if srv_max_prot == None or srv_max_prot == (3, 4):
ciphers = [
CipherSuite.TLS_AES_128_GCM_SHA256,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
ext = {}
groups = [GroupName.secp256r1]
key_shares = []
for group in groups:
key_shares.append(key_share_gen(group))
ext[ExtensionType.key_share] = \
ClientKeyShareExtension().create(key_shares)
ext[ExtensionType.supported_versions] = \
SupportedVersionsExtension().create([TLS_1_3_DRAFT, (3, 3)])
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
sig_algs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_pss_sha256
]
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectEncryptedExtensions())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectCertificateVerify())
node = node.add_child(ExpectFinished())
node = node.add_child(FinishedGenerator())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
# This message is optional and may show up 0 to many times
cycle = ExpectNewSessionTicket()
node = node.add_child(cycle)
node.add_child(cycle)
node.next_sibling = ExpectApplicationData()
node = node.next_sibling.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
else:
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
# TLS 1.3 downgrade check
for prot in [(3, 1), (3, 2), (3, 3)]:
if srv_max_prot is not None and prot > srv_max_prot:
continue
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(
ClientHelloGenerator(ciphers, extensions=ext, version=prot))
node = node.add_child(
ExpectServerHello(server_max_protocol=srv_max_prot))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
if prot < (3, 2):
# 1/n-1 record splitting
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["TLS 1.3 downgrade check for Protocol {0}".format(
prot)] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
if num_limit > len(run_only):
num_limit = len(run_only)
regular_tests = [(k, v) for k, v in conversations.items()
if k in run_only]
else:
regular_tests = [(k, v) for k, v in conversations.items()
if (k != 'sanity') and k not in run_exclude]
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Check if server correctly return ServerHello Random ")
print("with downgrade protection values to TLS1.2 and below ")
print("clients\n")
print("Test end")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad or xpass:
sys.exit(1)
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
timing = False
outdir = "/tmp"
repetitions = 100
interface = None
quick = False
cipher = CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA
affinity = None
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:l:o:i:C:",
["help", "repeat=", "quick", "cpu-list="])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-C':
if arg[:2] == '0x':
cipher = int(arg, 16)
else:
try:
cipher = getattr(CipherSuite, arg)
except AttributeError:
cipher = int(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '-l':
level = int(arg)
elif opt == "-i":
timing = True
interface = arg
elif opt == '-o':
outdir = arg
elif opt == "--repeat":
repetitions = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
elif opt == '--quick':
quick = True
elif opt == '--cpu-list':
affinity = arg
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
mac_sizes = {
"md5": 16,
"sha": 20,
"sha256": 32,
"sha384": 48,
}
if CipherSuite.canonicalMacName(cipher) not in mac_sizes:
print("Unsupported MAC, exiting")
exit(1)
# group conversations that should have the same timing signature
if quick:
groups = {"quick - wrong MAC": {}}
else:
groups = {"wrong padding and MAC": {}, "MAC out of bounds": {}}
dhe = cipher in CipherSuite.ecdhAllSuites
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension() \
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
else:
ext = None
# first run sanity test and verify that server supports this ciphersuite
conversation = Connect(host, port)
node = conversation
ciphers = [cipher]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(ApplicationDataGenerator(b"GET / HTTP/1.0\r\n\r\n"))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(
ExpectAlert(AlertLevel.warning, AlertDescription.close_notify))
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
for group_name in groups:
groups[group_name]["sanity"] = conversation
runner = Runner(conversation)
try:
runner.run()
except Exception as exp:
# Exception means the server rejected the ciphersuite
print("Failing on {0} because server does not support it. ".format(
CipherSuite.ietfNames[cipher]))
print(20 * '=')
exit(1)
# assume block length of 16 if not 3des
block_len = 8 if CipherSuite.canonicalCipherName(cipher) == "3des" else 16
mac_len = mac_sizes[CipherSuite.canonicalMacName(cipher)]
invert_mac = {}
for index in range(0, mac_len):
invert_mac[index] = 0xff
if quick:
# iterate over min/max padding and first/last byte MAC error
for pad_len, error_pos in product([1, 256], [0, -1]):
payload_len = 512 - mac_len - pad_len - block_len
conversation = Connect(host, port)
node = conversation
ciphers = [cipher]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
fuzz_padding(fuzz_mac(ApplicationDataGenerator(
bytearray(payload_len)),
xors={error_pos: 0xff}),
min_length=pad_len))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
groups["quick - wrong MAC"][
"wrong MAC at pos {0}, padding of length {1} ".format(
error_pos, pad_len)] = conversation
else:
# iterate over: padding length with incorrect MAC
# invalid padding length with correct MAC
for pad_len in range(1, 257):
# ciphertext 1 has 512 bytes, calculate payload size
payload_len = 512 - mac_len - pad_len - block_len
conversation = Connect(host, port)
node = conversation
ciphers = [cipher]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
fuzz_padding(fuzz_mac(ApplicationDataGenerator(
bytearray(payload_len)),
xors=invert_mac),
min_length=pad_len))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
groups["wrong padding and MAC"]["wrong MAC, padding of length {0} "
.format(pad_len)] = conversation
# incorrect padding of length 255 (256 with the length byte)
# with error byte iterated over the length of padding
# avoid changing the padding length byte
if pad_len < 256:
payload_len = 512 - mac_len - 256 - block_len
conversation = Connect(host, port)
node = conversation
ciphers = [cipher]
node = node.add_child(
ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
fuzz_padding(ApplicationDataGenerator(
bytearray(payload_len)),
min_length=256,
xors={(pad_len - 1): 0xff}))
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
groups["wrong padding and MAC"][
"padding of length 255 (256 with the length byte), error at position {0}"
.format(pad_len - 1)] = conversation
# ciphertext 2 has 128 bytes and broken padding to make server check mac "before" the plaintext
padding = 128 - 1 - block_len - mac_len
conversation = Connect(host, port)
node = conversation
ciphers = [cipher]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
fuzz_padding(ApplicationDataGenerator(bytearray(1)),
substitutions={
-1: pad_len - 1,
0: 0
},
min_length=padding))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
groups["MAC out of bounds"]["padding length byte={0}".format(
pad_len - 1)] = conversation
# iterate over MAC length and fuzz byte by byte
payload_len = 512 - mac_len - block_len - 256
for mac_index in range(0, mac_len):
conversation = Connect(host, port)
node = conversation
ciphers = [cipher]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
fuzz_padding(fuzz_mac(ApplicationDataGenerator(
bytearray(payload_len)),
xors={mac_index: 0xff}),
min_length=256))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
groups["wrong padding and MAC"]["incorrect MAC at pos {0}".format(
mac_index)] = conversation
for group_name, conversations in groups.items():
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items()
if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit,
len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
print("Running tests for {0}".format(CipherSuite.ietfNames[cipher]))
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS: expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Lucky 13 attack check for {0} {1}".format(
group_name, CipherSuite.ietfNames[cipher]))
print("Test end")
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
elif timing:
# if regular tests passed, run timing collection and analysis
if TimingRunner.check_tcpdump():
timing_runner = TimingRunner(
"{0}_v{1}_{2}_{3}".format(sys.argv[0], version, group_name,
CipherSuite.ietfNames[cipher]),
sampled_tests, outdir, host, port, interface, affinity)
print("Running timing tests...")
timing_runner.generate_log(run_only, run_exclude, repetitions)
ret_val = timing_runner.run()
print("Statistical analysis exited with {0}".format(ret_val))
else:
print(
"Could not run timing tests because tcpdump is not present!"
)
sys.exit(1)
print(20 * '=')
def main():
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:x:X:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '-x':
expected_failures[arg] = None
last_exp_tmp = str(arg)
elif opt == '-X':
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
sigs = [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_rsae_sha384,
SignatureScheme.rsa_pss_rsae_sha512,
SignatureScheme.rsa_pss_pss_sha256, SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_pss_sha512,
(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha224, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa)
]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
groups = [
GroupName.secp256r1, GroupName.x25519, GroupName.secp384r1,
GroupName.secp521r1
]
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["sanity"] = conversation
for sig in [
SignatureScheme.rsa_pss_rsae_sha256,
SignatureScheme.rsa_pss_rsae_sha384,
SignatureScheme.rsa_pss_rsae_sha512,
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_pss_sha512
]:
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create([sig]),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["{0} only".format(
SignatureScheme.toRepr(sig))] = conversation
# MD5 not selected, even if first
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.md5, SignatureAlgorithm.rsa),
(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha224, SignatureAlgorithm.rsa),
(HashAlgorithm.sha1, SignatureAlgorithm.rsa),
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_pss_sha512]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_sig_algs=sigs[1:]))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["MD5 first"] = conversation
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.md5, SignatureAlgorithm.rsa),
(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha224, SignatureAlgorithm.rsa),
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_pss_sha512]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_sig_algs=sigs[1:]))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["MD5 first, no SHA-1"] = conversation
# sha-1 must not be the only option
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha224, SignatureAlgorithm.rsa),
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_pss_sha512]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["no SHA-1"] = conversation
# undefined values
conversation = Connect(host, port)
node = conversation
sigs = [
(HashAlgorithm.sha256, 24), # undefined signature algorithm
(24, SignatureAlgorithm.rsa), # undefined hash algorithm
(10, 10), # undefined pair
(9, 24), # undefined pair
(0xff, 0xff), # undefined pair
(HashAlgorithm.sha512, SignatureAlgorithm.rsa),
(HashAlgorithm.sha384, SignatureAlgorithm.rsa),
(HashAlgorithm.sha256, SignatureAlgorithm.rsa),
(HashAlgorithm.sha224, SignatureAlgorithm.rsa),
SignatureScheme.rsa_pss_pss_sha256,
SignatureScheme.rsa_pss_pss_sha384,
SignatureScheme.rsa_pss_pss_sha512
]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_sig_algs=sigs[5:]))
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["extra sigalgs"] = conversation
conversation = Connect(host, port)
node = conversation
sigs = [
(HashAlgorithm.sha256, 24), # undefined signature algorithm
(24, SignatureAlgorithm.rsa), # undefined hash algorithm
(10, 10), # undefined pair
(9, 24), # undefined pair
(0xff, 0xff) # undefined pair
]
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create(sigs),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.handshake_failure))
node = node.add_child(ExpectClose())
conversations["only undefined sigalgs"] = conversation
# invalid formatting
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.signature_algorithms:
SignatureAlgorithmsExtension().create([]),
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["empty sigalgs"] = conversation
# invalid length
conversation = Connect(host, port)
node = conversation
ext = OrderedDict()
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
sigs = [(HashAlgorithm.sha256, SignatureAlgorithm.rsa)]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sigs)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
msg = ClientHelloGenerator(ciphers, extensions=ext)
node = node.add_child(fuzz_message(msg, xors={-3: 1}))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["fuzz length of sigalgs"] = conversation
# invalid length
conversation = Connect(host, port)
node = conversation
sigs = [(HashAlgorithm.sha256, SignatureAlgorithm.rsa)]
ext = OrderedDict()
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sigs)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
msg = ClientHelloGenerator(ciphers, extensions=ext)
node = node.add_child(fuzz_message(msg, substitutions={-3: 4}))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["truncate sigalgs extension"] = conversation
# odd length
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.signature_algorithms:
TLSExtension(extType=ExtensionType.signature_algorithms).create(
bytearray(b'\x00\x03' # length of array
b'\x04\x01' # sha256 + rsa
b'\x04')), # the odd byte
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
msg = ClientHelloGenerator(ciphers, extensions=ext)
node = node.add_child(msg)
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["odd length of sigalgs"] = conversation
# padded extension
conversation = Connect(host, port)
node = conversation
ext = {
ExtensionType.signature_algorithms:
TLSExtension(extType=ExtensionType.signature_algorithms).create(
bytearray(b'\x00\x04' # length of array
b'\x02\x01' # sha1+rsa
b'\x04\x01' # sha256 + rsa
b'\x04\x03')), # extra bytes
ExtensionType.signature_algorithms_cert:
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
}
ext[ExtensionType.supported_groups] = \
SupportedGroupsExtension().create(groups)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
msg = ClientHelloGenerator(ciphers, extensions=ext)
node = node.add_child(msg)
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.decode_error))
node = node.add_child(ExpectClose())
conversations["padded sigalgs"] = conversation
# run the conversation
good = 0
bad = 0
xfail = 0
xpass = 0
failed = []
xpassed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
if run_only:
if num_limit > len(run_only):
num_limit = len(run_only)
regular_tests = [(k, v) for k, v in conversations.items()
if k in run_only]
else:
regular_tests = [(k, v) for k, v in conversations.items()
if (k != 'sanity') and k not in run_exclude]
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
exception = None
try:
runner.run()
except Exception as exp:
exception = exp
print("Error while processing")
print(traceback.format_exc())
res = False
if c_name in expected_failures:
if res:
xpass += 1
xpassed.append(c_name)
print("XPASS-expected failure but test passed\n")
else:
if expected_failures[c_name] is not None and \
expected_failures[c_name] not in str(exception):
bad += 1
failed.append(c_name)
print("Expected error message: {0}\n".format(
expected_failures[c_name]))
else:
xfail += 1
print("OK-expected failure\n")
else:
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Test end\n")
print("Check if server correctly selects signature algorithm for SKE\n")
print("Test to verify that Server Key Exchange is signed with safe")
print("and correct algorithms.\n")
print("Note that test expects server with support for both rsa_pss_rsae_*")
print("and rsa_pss_pss_* signatures, in other words, one with both")
print("rsaEncryption key in one certificate and rsasse-pss in second")
print("certificate. If there's only one certificate installed in server,")
print("some of the tests that advertise just one algorithm may need to be")
print("configured as expected failures.")
print(20 * '=')
print("version: {0}".format(version))
print(20 * '=')
print("TOTAL: {0}".format(len(sampled_tests) + 2 * len(sanity_tests)))
print("SKIP: {0}".format(
len(run_exclude.intersection(conversations.keys()))))
print("PASS: {0}".format(good))
print("XFAIL: {0}".format(xfail))
print("FAIL: {0}".format(bad))
print("XPASS: {0}".format(xpass))
print(20 * '=')
sort = sorted(xpassed, key=natural_sort_keys)
if len(sort):
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
sort = sorted(failed, key=natural_sort_keys)
if len(sort):
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
if bad > 0:
sys.exit(1)
def main():
"""check if incorrect padding is rejected by server"""
host = "localhost"
port = 4433
num_limit = None
run_exclude = set()
dhe = False
argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:d", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
elif opt == '-p':
port = int(arg)
elif opt == '-e':
run_exclude.add(arg)
elif opt == '-d':
dhe = True
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
help_msg()
sys.exit(0)
else:
raise ValueError("Unknown option: {0}".format(opt))
if args:
run_only = set(args)
else:
run_only = None
conversations = {}
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
fork = node
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator())
# handle servers which ask for client certificates
fork.next_sibling = ExpectServerHelloDone()
join = ClientKeyExchangeGenerator()
fork.next_sibling.add_child(join)
node = node.add_child(join)
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\r\n\r\n")))
node = node.add_child(ExpectApplicationData())
node = node.add_child(
AlertGenerator(AlertLevel.warning, AlertDescription.close_notify))
node = node.add_child(ExpectAlert())
node.next_sibling = ExpectClose()
conversations["sanity"] = conversation
for pos, val in [
(-1, 0x01),
(-1, 0xff),
(-2, 0x01),
(-2, 0xff),
(-6, 0x01),
(-6, 0xff),
(-12, 0x01),
(-12, 0xff),
(-20, 0x01),
(-20, 0xff),
# we're generating at least 20 bytes of padding
]:
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
fork = node
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator())
# handle servers which ask for client certificates
fork.next_sibling = ExpectServerHelloDone()
join = ClientKeyExchangeGenerator()
fork.next_sibling.add_child(join)
node = node.add_child(join)
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(
fuzz_padding(ApplicationDataGenerator(b"GET / HTTP/1.0\n\n"),
xors={pos: val},
min_length=20))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac))
# node.next_sibling = ExpectClose()
node = node.add_child(ExpectClose())
conversations["XOR position " + str(pos) + " with " + str(hex(val))] = \
conversation
# zero-fill the padding
conversation = Connect(host, port)
node = conversation
if dhe:
ext = {}
groups = [GroupName.secp256r1, GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
ciphers = [
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
else:
ext = None
ciphers = [
CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV
]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectCertificateRequest())
fork = node
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(CertificateGenerator())
# handle servers which ask for client certificates
fork.next_sibling = ExpectServerHelloDone()
join = ClientKeyExchangeGenerator()
fork.next_sibling.add_child(join)
node = node.add_child(join)
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
# block size for AES-128 is 16 bytes
# SHA-1 MAC is 20 bytes long
# length of "GET / HTTP" is 10 bytes
# which means the padding will be two bytes - 1 byte of padding and one
# byte length
node = node.add_child(
fuzz_padding(ApplicationDataGenerator(b"GET / HTTP"),
substitutions={0: 0}))
node = node.add_child(
ExpectAlert(AlertLevel.fatal, AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
conversations["zero-filled"] = \
conversation
# run the conversation
good = 0
bad = 0
failed = []
if not num_limit:
num_limit = len(conversations)
# make sure that sanity test is run first and last
# to verify that server was running and kept running throughout
sanity_tests = [('sanity', conversations['sanity'])]
regular_tests = [(k, v) for k, v in conversations.items() if k != 'sanity']
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)
for c_name, c_test in ordered_tests:
if run_only and c_name not in run_only or c_name in run_exclude:
continue
print("{0} ...".format(c_name))
runner = Runner(c_test)
res = True
try:
runner.run()
except Exception:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good += 1
print("OK\n")
else:
bad += 1
failed.append(c_name)
print("Check if incorrect padding is rejected by server")
print("version: {0}\n".format(version))
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
failed_sorted = sorted(failed, key=natural_sort_keys)
print(" {0}".format('\n '.join(repr(i) for i in failed_sorted)))
if bad > 0:
sys.exit(1)
