def test_requireExtendedMasterSecret_with_incompatible_use_EMS(self): hs = HandshakeSettings() hs.useExtendedMasterSecret = False hs.requireExtendedMasterSecret = True with self.assertRaises(ValueError): hs.validate()
def test_maxKeySize_smaller_than_minKeySize(self): hs = HandshakeSettings() hs.maxKeySize = 1024 hs.minKeySize = 2048 with self.assertRaises(ValueError): hs.validate()
def test_minVersion_higher_than_maxVersion(self): hs = HandshakeSettings() hs.minVersion = (3, 3) hs.maxVersion = (3, 0) with self.assertRaises(ValueError): hs.validate()
def test_cipherNames_with_unknown_name(self): hs = HandshakeSettings() hs.cipherNames = ["aes256"] newHs = hs.validate() self.assertEqual(["aes256"], newHs.cipherNames)
def test_client_with_server_responing_without_EMS(self): # socket to generate the faux response gen_sock = MockSocket(bytearray(0)) gen_record_layer = RecordLayer(gen_sock) gen_record_layer.version = (3, 2) server_hello = ServerHello().create( version=(3, 3), random=bytearray(32), session_id=bytearray(0), cipher_suite=CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256, certificate_type=None, tackExt=None, next_protos_advertised=None) for res in gen_record_layer.sendRecord(server_hello): if res in (0, 1): self.assertTrue(False, "Blocking socket") else: break # test proper sock = MockSocket(gen_sock.sent[0]) hs = HandshakeSettings() hs.requireExtendedMasterSecret = True conn = TLSConnection(sock) with self.assertRaises(TLSLocalAlert) as err: conn.handshakeClientCert(settings=hs) self.assertEqual(err.exception.description, AlertDescription.insufficient_security)
def test_getTLS13Suites(self): hs = HandshakeSettings() hs.maxVersion = (3, 4) self.assertEqual(CipherSuite.getTLS13Suites(hs), [CipherSuite.TLS_AES_256_GCM_SHA384, CipherSuite.TLS_AES_128_GCM_SHA256, CipherSuite.TLS_CHACHA20_POLY1305_SHA256])
def test_requireExtendedMasterSecret(self): hs = HandshakeSettings() self.assertFalse(hs.requireExtendedMasterSecret) hs.requireExtendedMasterSecret = True n_hs = hs.validate() self.assertTrue(n_hs.requireExtendedMasterSecret)
def test_maxVersion_without_TLSv1_2(self): hs = HandshakeSettings() hs.maxVersion = (3, 2) self.assertTrue("sha256" in hs.macNames) new_hs = hs.validate() self.assertFalse("sha256" in new_hs.macNames)
def test_useEncryptThenMAC(self): hs = HandshakeSettings() self.assertTrue(hs.useEncryptThenMAC) hs.useEncryptThenMAC = False n_hs = hs.validate() self.assertFalse(n_hs.useEncryptThenMAC)
def test_client_SRP_key_exchange_with_too_small_params(self): keyExchange = self.keyExchange.makeServerKeyExchange('sha1') settings = HandshakeSettings() settings.minKeySize = 3072 client_keyExchange = SRPKeyExchange(self.cipher_suite, self.client_hello, self.server_hello, None, None, srpUsername=bytearray(b'user'), password=bytearray(b'password'), settings=settings) with self.assertRaises(TLSInsufficientSecurity): client_keyExchange.processServerKeyExchange(None, keyExchange)
def test_client_SRP_key_exchange_with_too_big_params(self): keyExchange = self.keyExchange.makeServerKeyExchange('sha1') settings = HandshakeSettings() settings.minKeySize = 512 settings.maxKeySize = 1024 client_keyExchange = SRPKeyExchange(self.cipher_suite, self.client_hello, self.server_hello, None, None, srpUsername='******', password='******', settings=settings) with self.assertRaises(TLSInsufficientSecurity): client_keyExchange.processServerKeyExchange(None, keyExchange)
def test_server_with_client_not_using_required_EMS(self): gen_sock = MockSocket(bytearray(0)) gen_record_layer = RecordLayer(gen_sock) gen_record_layer.version = (3, 0) ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256, CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV] client_hello = ClientHello().create(version=(3, 3), random=bytearray(32), session_id=bytearray(0), cipher_suites=ciphers) for res in gen_record_layer.sendRecord(client_hello): if res in (0, 1): self.assertTrue(False, "Blocking socket") else: break # test proper sock = MockSocket(gen_sock.sent[0]) conn = TLSConnection(sock) hs = HandshakeSettings() hs.requireExtendedMasterSecret = True srv_private_key = parsePEMKey(srv_raw_key, private=True) srv_cert_chain = X509CertChain([X509().parse(srv_raw_certificate)]) with self.assertRaises(TLSLocalAlert) as err: conn.handshakeServer(certChain=srv_cert_chain, privateKey=srv_private_key, settings=hs) self.assertEqual(err.exception.description, AlertDescription.insufficient_security)
def test_invalid_usePaddingExtension(self): hs = HandshakeSettings() hs.usePaddingExtension = -1 with self.assertRaises(ValueError): hs.validate()
def test_no_signature_hashes_set_with_TLS1_1(self): hs = HandshakeSettings() hs.rsaSigHashes = [] hs.maxVersion = (3, 2) self.assertIsNotNone(hs.validate())
def test_invalid_signature_algorithm(self): hs = HandshakeSettings() hs.rsaSigHashes += ['md2'] with self.assertRaises(ValueError): hs.validate()
def test_certificateTypes_empty(self): hs = HandshakeSettings() hs.certificateTypes = [] with self.assertRaises(ValueError): hs.validate()
def test_getTLS13Suites_with_TLS1_2(self): hs = HandshakeSettings() hs.maxVersion = (3, 4) self.assertEqual(CipherSuite.getTLS13Suites(hs, (3, 3)), [])
def test_getCertificateTypes_with_unsupported_type(self): hs = HandshakeSettings() hs.certificateTypes = ["x509", "openpgp"] with self.assertRaises(AssertionError): hs.getCertificateTypes()
def test_invalid_keyShares_name(self): hs = HandshakeSettings() hs.keyShares = ["ffdhe1024"] with self.assertRaises(ValueError): hs.validate()
def test_invalid_defaultCurve_name(self): hs = HandshakeSettings() hs.defaultCurve = "ffdhe2048" with self.assertRaises(ValueError): hs.validate()
def test_invalid_rsaScheme(self): hs = HandshakeSettings() hs.rsaSchemes += ["rsassa-pkcs1-1_5"] with self.assertRaises(ValueError): hs.validate()
def test_invalid_dhGroups(self): hs = HandshakeSettings() hs.dhGroups = ["ffdhe2048", "ffdhe1024"] with self.assertRaises(ValueError): hs.validate()
def test_invalid_dhParams(self): hs = HandshakeSettings() hs.dhParams = (2, 'bd') with self.assertRaises(ValueError): hs.validate()
def test_usePaddingExtension(self): hs = HandshakeSettings() self.assertTrue(hs.usePaddingExtension)
def test_requireExtendedMasterSecret_with_wrong_value(self): hs = HandshakeSettings() hs.requireExtendedMasterSecret = None with self.assertRaises(ValueError): hs.validate()
def test_useEncryptThenMAC_with_wrong_value(self): hs = HandshakeSettings() hs.useEncryptThenMAC = None with self.assertRaises(ValueError): hs.validate()
def test___init__(self): hs = HandshakeSettings() self.assertIsNotNone(hs)
def test_maxKeySize_too_small(self): hs = HandshakeSettings() hs.maxKeySize = 511 with self.assertRaises(ValueError): hs.validate()
def test_getCertificateTypes(self): hs = HandshakeSettings() self.assertEqual([0], hs.getCertificateTypes())
def test_cipherNames_with_unknown_name(self): hs = HandshakeSettings() hs.cipherNames = ["aes256gcm", "aes256"] with self.assertRaises(ValueError): hs.validate()
def test_cipherImplementations_empty(self): hs = HandshakeSettings() hs.cipherImplementations = [] with self.assertRaises(ValueError): hs.validate()
def test_validate(self): hs = HandshakeSettings() newHS = hs.validate() self.assertIsNotNone(newHS) self.assertIsNot(hs, newHS)
def test_invalid_additional_signature(self): hs = HandshakeSettings() hs.more_sig_schemes = ["rsa_pkcs1_sha1"] with self.assertRaises(ValueError): hs.validate()
def test_no_signature_hashes_set_with_TLS1_2(self): hs = HandshakeSettings() hs.rsaSigHashes = [] with self.assertRaises(ValueError): hs.validate()
def test_maxKeySize_too_large(self): hs = HandshakeSettings() hs.maxKeySize = 16385 with self.assertRaises(ValueError): hs.validate()
def test_invalid_curve_name(self): hs = HandshakeSettings() hs.eccCurves = ['P-256'] with self.assertRaises(ValueError): hs.validate()
def test_cipherImplementations_with_unknown_implementations(self): hs = HandshakeSettings() hs.cipherImplementations = ["openssl", "NSS"] with self.assertRaises(ValueError): hs.validate()
def test_cipherNames_empty(self): hs = HandshakeSettings() hs.cipherNames = [] with self.assertRaises(ValueError): hs.validate()
def test_maxVersion_with_unknown_version(self): hs = HandshakeSettings() hs.maxVersion = (3, 4) with self.assertRaises(ValueError): hs.validate()
def test_certificateTypes_with_unknown_type(self): hs = HandshakeSettings() hs.certificateTypes = [0, 42] with self.assertRaises(ValueError): hs.validate()
def test_maxVersion_with_unknown_version(self): hs = HandshakeSettings() hs.maxVersion = (3, 5) with self.assertRaises(ValueError): hs.validate()
def test_invalid_signature_ecdsa_algorithm(self): hs = HandshakeSettings() hs.ecdsaSigHashes += ['md5'] with self.assertRaises(ValueError): hs.validate()
def test_invalid_KEX(self): hs = HandshakeSettings() hs.keyExchangeNames = ['rsa', 'ecdhe_rsa', 'gost'] with self.assertRaises(ValueError): hs.validate()
def test_invalid_MAC(self): hs = HandshakeSettings() hs.macNames = ['sha1', 'whirpool'] with self.assertRaises(ValueError): hs.validate()