# Author: Hubert Kario, (c) 2016
# Jakub Jelen, (c) 2018
# Released under Gnu GPL v2.0, see LICENSE file for details
from __future__ import print_function
import traceback
import sys
import getopt
from itertools import chain
from random import sample
from tlsfuzzer.runner import Runner
from tlsfuzzer.messages import Connect, ClientHelloGenerator, \
FinishedGenerator, ApplicationDataGenerator, AlertGenerator, \
fuzz_message, Close
from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \
ExpectChangeCipherSpec, ExpectFinished, \
ExpectAlert, ExpectApplicationData, ExpectClose, \
ExpectEncryptedExtensions, ExpectCertificateVerify, \
ExpectNewSessionTicket
from tlsfuzzer.helpers import key_share_gen, RSA_SIG_ALL
from tlsfuzzer.utils.ordered_dict import OrderedDict
from tlsfuzzer.utils.lists import natural_sort_keys
from tlslite.constants import CipherSuite, AlertLevel, AlertDescription, \
ExtensionType, GroupName, TLS_1_3_DRAFT, SignatureScheme, \
HashAlgorithm, SignatureAlgorithm
from tlslite.extensions import SignatureAlgorithmsExtension, \
ClientKeyShareExtension, SupportedVersionsExtension, \
SupportedGroupsExtension, TLSExtension, \
SignatureAlgorithmsCertExtension
version = 5  # script version; echoed in the summary that main() prints at the end
def help_msg():
    """Print the command-line usage summary of this script to stdout.

    One line of output per option; the text is emitted as a single
    newline-joined string so the wording lives in one place.
    """
    usage_lines = (
        "Usage: <script-name> [-h hostname] [OPTIONS] [[probe-name] ...]",
        " --alert name name of the expected alert for malformed messages",
        " decode_error by default (as per standard)",
        " -h hostname name of the host to run the test against",
        " localhost by default",
        " -p port port number to use for connection, 4433 by default",
        " probe-name if present, will run only the probes with given",
        " names and not all of them, e.g \"sanity\"",
        " -e probe-name exclude the probe from the list of the ones run",
        " may be specified multiple times",
        " -x probe-name expect the probe to fail. When such probe passes despite being marked like this",
        " it will be reported in the test summary and the whole script will fail.",
        " May be specified multiple times.",
        " -X message expect the `message` substring in exception raised during",
        " execution of preceding expected failure probe",
        " usage: [-x probe-name] [-X exception], order is compulsory!",
        " -n num run 'num' or all(if 0) tests instead of default(100)",
        " (excluding \"sanity\" tests)",
        " --help this message",
    )
    print("\n".join(usage_lines))
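def _base_extensions(ext=None):
    """Fill *ext* (a fresh dict when None) with the extensions every probe sends.

    Inserts key_share, supported_versions and supported_groups in that order,
    so a caller passing an OrderedDict keeps them ahead of whatever it adds
    afterwards. Returns the populated mapping.
    """
    if ext is None:
        ext = {}
    groups = [GroupName.secp256r1]
    key_shares = [key_share_gen(group) for group in groups]
    ext[ExtensionType.key_share] = ClientKeyShareExtension().create(key_shares)
    ext[ExtensionType.supported_versions] = SupportedVersionsExtension()\
        .create([TLS_1_3_DRAFT, (3, 3)])
    ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
        .create(groups)
    return ext


def _client_hello(ext):
    """Return the ClientHelloGenerator shared by all probes.

    Every probe offers the single TLS 1.3 suite plus the renegotiation SCSV;
    only the extensions differ.
    """
    ciphers = [CipherSuite.TLS_AES_128_GCM_SHA256,
               CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    return ClientHelloGenerator(ciphers, extensions=ext)


def _tls13_handshake(node):
    """Append the server's TLS 1.3 flight, our Finished and one HTTP request.

    Ends with the NewSessionTicket cycle and returns that node, so the caller
    hangs the post-handshake expectations off its ``next_sibling``.
    """
    node = node.add_child(ExpectServerHello())
    node = node.add_child(ExpectChangeCipherSpec())
    node = node.add_child(ExpectEncryptedExtensions())
    node = node.add_child(ExpectCertificate())
    node = node.add_child(ExpectCertificateVerify())
    node = node.add_child(ExpectFinished())
    node = node.add_child(FinishedGenerator())
    node = node.add_child(ApplicationDataGenerator(
        bytearray(b"GET / HTTP/1.0\r\n\r\n")))
    # This message is optional and may show up 0 to many times
    cycle = ExpectNewSessionTicket()
    node = node.add_child(cycle)
    node.add_child(cycle)
    return node


def _expect_data_then_close(node):
    """Expect one ApplicationData, send close_notify, expect the server's
    alert and finally the connection close."""
    node.next_sibling = ExpectApplicationData()
    node = node.next_sibling.add_child(AlertGenerator(AlertLevel.warning,
                                                      AlertDescription.close_notify))
    node = node.add_child(ExpectAlert())
    node.next_sibling = ExpectClose()


def _expect_data_cycle_then_close(node):
    """As _expect_data_then_close, but tolerate the response being split over
    several ApplicationData records before the alert/close arrives."""
    # ApplicationData message may show up 1 to many times
    node.next_sibling = ExpectApplicationData()
    node = node.next_sibling.add_child(AlertGenerator(AlertLevel.warning,
                                                      AlertDescription.close_notify))
    cycle_alert = ExpectAlert()
    node = node.add_child(cycle_alert)
    node.next_sibling = ExpectApplicationData()
    node.next_sibling.add_child(cycle_alert)
    node.next_sibling.next_sibling = ExpectClose()


def _expect_data_then_drop(node):
    """Expect one ApplicationData and then close our side without waiting."""
    node.next_sibling = ExpectApplicationData()
    # OpenSSL sends the list of advertised and it doesn't fit a single
    # application data
    node.next_sibling.add_child(Close())


def _many_sigalgs(n):
    """Return *n* two-byte (hash, signature) pairs from the unallocated range,
    followed by the two mandatory RSA-PSS schemes.

    The first generator yields 214 * (n // 214) pairs, the second the
    remaining n % 214, so the list length is exactly n + 2.
    """
    return list(chain(
        ((i, j) for i in range(10, 224) for j in range(10, (n // 214) + 10)),
        ((i, 163) for i in range(10, (n % 214) + 10)),
        [SignatureScheme.rsa_pss_rsae_sha256,
         SignatureScheme.rsa_pss_pss_sha256]))


def main():
    """Check a TLS 1.3 server's handling of the signature_algorithms extension.

    Parses the command line (see help_msg), builds one conversation per
    probe, runs a random sample of them between two "sanity" runs and exits
    with status 1 when any probe fails unexpectedly or an expected failure
    passes.

    Raises:
        ValueError: on an unknown option, or ``-X`` given before any ``-x``.
    """
    host = "localhost"
    port = 4433
    num_limit = 100
    fatal_alert = "decode_error"
    run_exclude = set()
    expected_failures = {}
    last_exp_tmp = None

    argv = sys.argv[1:]
    opts, args = getopt.getopt(argv, "h:p:e:x:X:n:", ["help", "alert="])
    for opt, arg in opts:
        if opt == '-h':
            host = arg
        elif opt == '-p':
            port = int(arg)
        elif opt == '-e':
            run_exclude.add(arg)
        elif opt == '-x':
            expected_failures[arg] = None
            last_exp_tmp = str(arg)
        elif opt == '-X':
            # -X attaches an expected exception substring to the preceding -x
            if not last_exp_tmp:
                raise ValueError("-x has to be specified before -X")
            expected_failures[last_exp_tmp] = str(arg)
        elif opt == '-n':
            num_limit = int(arg)
        elif opt == '--alert':
            fatal_alert = arg
        elif opt == '--help':
            help_msg()
            sys.exit(0)
        else:
            raise ValueError("Unknown option: {0}".format(opt))

    run_only = set(args) if args else None

    conversations = {}

    # sanity: only the two mandatory RSA-PSS schemes
    conversation = Connect(host, port)
    ext = _base_extensions()
    sig_algs = [SignatureScheme.rsa_pss_rsae_sha256,
                SignatureScheme.rsa_pss_pss_sha256]
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(sig_algs)
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = _tls13_handshake(node)
    _expect_data_then_close(node)
    conversations["sanity"] = conversation

    # a legacy PKCS#1 v1.5 scheme in front of the mandatory ones must be ignored
    conversation = Connect(host, port)
    ext = _base_extensions()
    sig_algs = [SignatureScheme.rsa_pkcs1_sha1,
                SignatureScheme.rsa_pss_rsae_sha256,
                SignatureScheme.rsa_pss_pss_sha256]
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(sig_algs)
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = _tls13_handshake(node)
    _expect_data_then_close(node)
    conversations["tolerance legacy RSA PKCS#1.5"] = conversation

    # an unallocated code point in front of the mandatory ones must be ignored
    conversation = Connect(host, port)
    ext = _base_extensions()
    sig_algs = [(10, SignatureAlgorithm.rsa),
                SignatureScheme.rsa_pss_rsae_sha256,
                SignatureScheme.rsa_pss_pss_sha256]
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(sig_algs)
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = _tls13_handshake(node)
    _expect_data_then_close(node)
    conversations["tolerance unallocated 0x0A01 (10+RSA) method"] = conversation

    # 32717 is the maximum possible amount of methods that can fit into the
    # ClientHello packet -- in TLS 1.3, there are also other mandatory
    # extensions
    for n in [215, 2355, 8132, 23754, 32717]:
        conversation = Connect(host, port)
        ext = _base_extensions()
        n -= 2  # these are the mandatory methods in the end
        sig_algs = [(HashAlgorithm.sha1, SignatureAlgorithm.dsa)] * n
        sig_algs += [SignatureScheme.rsa_pss_rsae_sha256,
                     SignatureScheme.rsa_pss_pss_sha256]
        ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
            .create(sig_algs)
        node = conversation.add_child(_client_hello(ext))
        node = _tls13_handshake(node)
        _expect_data_cycle_then_close(node)
        conversations["duplicated {0} non-rsa schemes".format(n)] = conversation

    for n in [215, 2355, 8132, 23754, 32717]:
        conversation = Connect(host, port)
        ext = _base_extensions()
        n -= 2  # these are the mandatory methods in the end
        sig_algs = [SignatureScheme.rsa_pkcs1_sha1] * n
        sig_algs += [SignatureScheme.rsa_pss_rsae_sha256,
                     SignatureScheme.rsa_pss_pss_sha256]
        ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
            .create(sig_algs)
        node = conversation.add_child(_client_hello(ext))
        node = _tls13_handshake(node)
        _expect_data_cycle_then_close(node)
        conversations["{0} invalid schemes".format(n)] = conversation

    conversation = Connect(host, port)
    ext = _base_extensions()
    # Add all supported sig_algs, put rsa at the end
    sig_algs = []
    for sig_alg in ['ecdsa', 'dsa', 'rsa']:
        sig_algs += [(getattr(HashAlgorithm, x), getattr(SignatureAlgorithm, sig_alg))
                     for x in ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512']]
    # ed25519(0x0807), ed448(0x0808)
    sig_algs += [(8, 7), (8, 8)]
    sig_algs += [SignatureScheme.rsa_pss_pss_sha256,
                 SignatureScheme.rsa_pss_pss_sha384,
                 SignatureScheme.rsa_pss_pss_sha512,
                 SignatureScheme.rsa_pss_rsae_sha256,
                 SignatureScheme.rsa_pss_rsae_sha384,
                 SignatureScheme.rsa_pss_rsae_sha512]
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(sig_algs)
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = _tls13_handshake(node)
    _expect_data_then_close(node)
    conversations["unique and well-known sig_algs, rsa algorithms last"] = conversation

    # 32717 is the maximum possible amount of methods that can fit into the
    # ClientHello packet -- in TLS 1.3, there are also other mandatory
    # extensions
    for n in [215, 2355, 8132, 23754, 32717]:
        conversation = Connect(host, port)
        ext = _base_extensions()
        n -= 2  # these are the mandatory methods in the end
        ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
            .create(_many_sigalgs(n))
        node = conversation.add_child(_client_hello(ext))
        node = _tls13_handshake(node)
        _expect_data_then_drop(node)
        conversations["tolerance {0} methods".format(n)] = conversation

    # 32715 is the maximum possible amount of methods that can fit into the
    # ClientHello packet -- in TLS 1.3, there are also other mandatory
    # extensions
    n = 32715
    conversation = Connect(host, port)
    ext = _base_extensions()
    n -= 2  # these are the mandatory methods in the end
    n -= len(RSA_SIG_ALL)  # number of methods in sig_alg_cert extension
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(_many_sigalgs(n))
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = _tls13_handshake(node)
    _expect_data_then_drop(node)
    conversations["tolerance 32715 methods with sig_alg_cert"] = conversation

    # Use empty supported algorithm extension
    conversation = Connect(host, port)
    ext = _base_extensions(OrderedDict())
    sig_algs = []
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(sig_algs)
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                      getattr(AlertDescription, fatal_alert)))
    node = node.add_child(ExpectClose())
    conversations["empty list of signature methods"] = conversation

    # Only undefined algorithms
    conversation = Connect(host, port)
    ext = _base_extensions()
    sigs = [(HashAlgorithm.sha256, 24),  # undefined signature algorithm
            (24, SignatureAlgorithm.rsa),  # undefined hash algorithm
            (10, 10),  # undefined pair
            (9, 24),  # undefined pair
            (0xff, 0xff)  # undefined pair
            ]
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(sigs)
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                      AlertDescription.handshake_failure))
    # close is accepted as an alternative to the alert, hence next_sibling
    node = node.next_sibling = ExpectClose()
    conversations["only undefined sigalgs"] = conversation

    # RSA-PSS is mandatory
    # More thoroughly tested in scripts/test-tls13-pkcs-signature.py
    conversation = Connect(host, port)
    ext = _base_extensions()
    sigs = [SignatureScheme.rsa_pkcs1_sha1,
            SignatureScheme.rsa_pkcs1_sha512]
    ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
        .create(sigs)
    ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
        .create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                      AlertDescription.handshake_failure))
    # close is accepted as an alternative to the alert, hence next_sibling
    node = node.next_sibling = ExpectClose()
    conversations["only legacy sigalgs"] = conversation

    # padded extension
    # NOTE: the three raw-extension probes below previously never reset
    # `node` to the new Connect, so their ClientHello was appended to the
    # preceding probe's ExpectClose and the registered conversation was a
    # bare Connect that could not fail. Each one now starts from its own
    # Connect, as every other probe does.
    conversation = Connect(host, port)
    ext = _base_extensions()
    ext[ExtensionType.signature_algorithms] = \
        TLSExtension(extType=ExtensionType.signature_algorithms) \
        .create(bytearray(b'\x00\x04'  # length of array
                          b'\x08\x04'  # rsa_pss_rsae_sha256
                          b'\x08\x09'  # rsa_pss_pss_sha256
                          b'\x04\x03'))
    ext[ExtensionType.signature_algorithms_cert] = \
        SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                      AlertDescription.decode_error))
    node = node.add_child(ExpectClose())
    conversations["padded sigalgs"] = conversation

    # send properly formatted one byte extension
    conversation = Connect(host, port)
    ext = _base_extensions()
    ext[ExtensionType.signature_algorithms] = \
        TLSExtension(extType=ExtensionType.signature_algorithms) \
        .create(bytearray(b'\x00\x01'  # length of array
                          b'\x02'))
    ext[ExtensionType.signature_algorithms_cert] = \
        SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                      AlertDescription.decode_error))
    node = node.add_child(ExpectClose())
    conversations["one byte array"] = conversation

    # send properly formatted three byte extension
    conversation = Connect(host, port)
    ext = _base_extensions()
    ext[ExtensionType.signature_algorithms] = \
        TLSExtension(extType=ExtensionType.signature_algorithms) \
        .create(bytearray(b'\x00\x05'  # length of array
                          b'\x08\x04'  # rsa_pss_rsae_sha256
                          b'\x08\x09'  # rsa_pss_pss_sha256
                          b'\x02'))
    ext[ExtensionType.signature_algorithms_cert] = \
        SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
    node = conversation.add_child(_client_hello(ext))
    node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                      AlertDescription.decode_error))
    node = node.add_child(ExpectClose())
    conversations["three byte array"] = conversation

    # Fuzz the length of supported extensions
    for i in range(1, 0x100):
        conversation = Connect(host, port)
        # OrderedDict so that signature_algorithms is serialised last and the
        # xor offset -5 below lands on the low byte of its list length
        ext = _base_extensions(OrderedDict())
        sig_algs = [SignatureScheme.rsa_pss_rsae_sha256,
                    SignatureScheme.rsa_pss_pss_sha256]
        ext[ExtensionType.signature_algorithms_cert] = SignatureAlgorithmsCertExtension()\
            .create(RSA_SIG_ALL)
        ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
            .create(sig_algs)
        hello = _client_hello(ext)
        node = conversation.add_child(fuzz_message(hello, xors={-5: i}))
        node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                          getattr(AlertDescription, fatal_alert)))
        node = node.add_child(ExpectClose())
        # two schemes occupy four bytes, so the fuzzed length field reads 4 ^ i
        conversations["fuzz length inside extension to {0}".format(4 ^ i)] = \
            conversation

    # run the conversation
    good = 0
    bad = 0
    xfail = 0
    xpass = 0
    failed = []
    xpassed = []
    if not num_limit:
        num_limit = len(conversations)

    # make sure that sanity test is run first and last
    # to verify that server was running and kept running throughout
    sanity_tests = [('sanity', conversations['sanity'])]
    if run_only:
        if num_limit > len(run_only):
            num_limit = len(run_only)
        regular_tests = [(k, v) for k, v in conversations.items() if k in run_only]
    else:
        regular_tests = [(k, v) for k, v in conversations.items() if
                         (k != 'sanity') and k not in run_exclude]
    sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests)))
    ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests)

    for c_name, c_test in ordered_tests:
        print("{0} ...".format(c_name))

        runner = Runner(c_test)

        res = True
        exception = None
        try:
            runner.run()
        except Exception as exp:
            # top-level boundary: record and report, never abort the whole run
            exception = exp
            print("Error while processing")
            print(traceback.format_exc())
            res = False

        if c_name in expected_failures:
            if res:
                xpass += 1
                xpassed.append(c_name)
                print("XPASS-expected failure but test passed\n")
            else:
                if expected_failures[c_name] is not None and \
                        expected_failures[c_name] not in str(exception):
                    bad += 1
                    failed.append(c_name)
                    print("Expected error message: {0}\n"
                          .format(expected_failures[c_name]))
                else:
                    xfail += 1
                    print("OK-expected failure\n")
        else:
            if res:
                good += 1
                print("OK\n")
            else:
                bad += 1
                failed.append(c_name)

    print("Signature Algorithms in TLS 1.3")
    print("Check if valid signature algorithm extensions are accepted and")
    print("invalid properly rejected by the TLS 1.3 server.\n")
    print("Server must be configured to support only rsa_pss_rsae_sha512")
    print("signature algorithm.")

    print("Test end")
    print(20 * '=')
    print("version: {0}".format(version))
    print(20 * '=')
    print("TOTAL: {0}".format(len(sampled_tests) + 2*len(sanity_tests)))
    print("SKIP: {0}".format(len(run_exclude.intersection(conversations.keys()))))
    print("PASS: {0}".format(good))
    print("XFAIL: {0}".format(xfail))
    print("FAIL: {0}".format(bad))
    print("XPASS: {0}".format(xpass))
    print(20 * '=')
    sort = sorted(xpassed, key=natural_sort_keys)
    if sort:
        print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))
    sort = sorted(failed, key=natural_sort_keys)
    if sort:
        print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort)))

    if bad or xpass:
        sys.exit(1)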
# Script entry point; main() exits with status 1 on unexpected results.
if __name__ == "__main__":
    main()