From d51195107178f70890119a97c46a175d66d13bcf Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Tue, 28 Jun 2016 19:12:38 +0200
Subject: [PATCH] add test for ClientHello version numbers tolerance
---
scripts/test-version-numbers.py | 162 ++++++++++++++++++++++++++++++++
1 file changed, 162 insertions(+)
create mode 100644 scripts/test-version-numbers.py
diff --git a/scripts/test-version-numbers.py b/scripts/test-version-numbers.py
new file mode 100644
index 000000000..519425a9a
--- /dev/null
+++ b/scripts/test-version-numbers.py
@@ -0,0 +1,162 @@
+# Author: Hubert Kario, (c) 2016
+# Released under Gnu GPL v2.0, see LICENSE file for details
+"""Test version numbers outside the used range"""
+
+from __future__ import print_function
+import traceback
+import sys
+
+from tlsfuzzer.runner import Runner
+from tlsfuzzer.messages import Connect, ClientHelloGenerator, \
+ ClientKeyExchangeGenerator, ChangeCipherSpecGenerator, \
+ FinishedGenerator, ApplicationDataGenerator, AlertGenerator
+from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \
+ ExpectServerHelloDone, ExpectChangeCipherSpec, ExpectFinished, \
+ ExpectAlert, ExpectClose, ExpectApplicationData
+
+from tlslite.constants import CipherSuite, AlertLevel, AlertDescription, \
+ ExtensionType
+
+def main():
+ """Test version numbers outside used range"""
+ conversations = {}
+
+ conversation = Connect("localhost", 4433, version=(3, 0))
+ node = conversation
+ ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
+ node = node.add_child(ClientHelloGenerator(ciphers,
+ extensions={ExtensionType.renegotiation_info:None},
+ version=(254, 254)))
+ node = node.add_child(ExpectServerHello(version=(3, 3),
+ extensions={ExtensionType.renegotiation_info:None}))
+ node = node.add_child(ExpectCertificate())
+ node = node.add_child(ExpectServerHelloDone())
+ node = node.add_child(ClientKeyExchangeGenerator())
+ node = node.add_child(ChangeCipherSpecGenerator())
+ node = node.add_child(FinishedGenerator())
+ node = node.add_child(ExpectChangeCipherSpec())
+ node = node.add_child(ExpectFinished())
+ node = node.add_child(ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
+ node = node.add_child(ExpectApplicationData())
+ node = node.add_child(AlertGenerator(AlertLevel.warning,
+ AlertDescription.close_notify))
+ node = node.add_child(ExpectAlert())
+ node.next_sibling = ExpectClose()
+
+ conversations["very high version (254, 254)"] = conversation
+
+ conversation = Connect("localhost", 4433, version=(3, 0))
+ node = conversation
+ ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
+ node = node.add_child(ClientHelloGenerator(ciphers,
+ extensions={ExtensionType.renegotiation_info:None},
+ version=(0, 0)))
+ node = node.add_child(ExpectAlert(description=AlertDescription.protocol_version))
+ node = node.add_child(ExpectClose())
+
+ conversations["very low version (0, 0)"] = conversation
+
+ conversation = Connect("localhost", 4433, version=(3, 0))
+ node = conversation
+ ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
+ node = node.add_child(ClientHelloGenerator(ciphers,
+ extensions={ExtensionType.renegotiation_info:None},
+ version=(3, 3)))
+ node = node.add_child(ExpectServerHello(version=(3, 3),
+ extensions={ExtensionType.renegotiation_info:None}))
+ node = node.add_child(ExpectCertificate())
+ node = node.add_child(ExpectServerHelloDone())
+ node = node.add_child(ClientKeyExchangeGenerator())
+ node = node.add_child(ChangeCipherSpecGenerator())
+ node = node.add_child(FinishedGenerator())
+ node = node.add_child(ExpectChangeCipherSpec())
+ node = node.add_child(ExpectFinished())
+ node = node.add_child(ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
+ node = node.add_child(ExpectApplicationData())
+ node = node.add_child(AlertGenerator(AlertLevel.warning,
+ AlertDescription.close_notify))
+ node = node.add_child(ExpectAlert())
+ node.next_sibling = ExpectClose()
+
+ conversations["low record version (3, 0), TLS1.2 (sanity check)"] = conversation
+
+ conversation = Connect("localhost", 4433, version=(3, 254))
+ node = conversation
+ ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
+ node = node.add_child(ClientHelloGenerator(ciphers,
+ extensions={ExtensionType.renegotiation_info:None},
+ version=(3, 3)))
+ node = node.add_child(ExpectServerHello(version=(3, 3),
+ extensions={ExtensionType.renegotiation_info:None}))
+ node = node.add_child(ExpectCertificate())
+ node = node.add_child(ExpectServerHelloDone())
+ node = node.add_child(ClientKeyExchangeGenerator())
+ node = node.add_child(ChangeCipherSpecGenerator())
+ node = node.add_child(FinishedGenerator())
+ node = node.add_child(ExpectChangeCipherSpec())
+ node = node.add_child(ExpectFinished())
+ node = node.add_child(ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
+ node = node.add_child(ExpectApplicationData())
+ node = node.add_child(AlertGenerator(AlertLevel.warning,
+ AlertDescription.close_notify))
+ node = node.add_child(ExpectAlert())
+ node.next_sibling = ExpectClose()
+
+ conversations["high record version (3, 254), TLS1.2"] = conversation
+
+ conversation = Connect("localhost", 4433, version=(3, 254))
+ node = conversation
+ ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
+ node = node.add_child(ClientHelloGenerator(ciphers,
+ extensions={ExtensionType.renegotiation_info:None},
+ version=(254, 254)))
+ node = node.add_child(ExpectServerHello(version=(3, 3),
+ extensions={ExtensionType.renegotiation_info:None}))
+ node = node.add_child(ExpectCertificate())
+ node = node.add_child(ExpectServerHelloDone())
+ node = node.add_child(ClientKeyExchangeGenerator())
+ node = node.add_child(ChangeCipherSpecGenerator())
+ node = node.add_child(FinishedGenerator())
+ node = node.add_child(ExpectChangeCipherSpec())
+ node = node.add_child(ExpectFinished())
+ node = node.add_child(ApplicationDataGenerator(bytearray(b"GET / HTTP/1.0\n\n")))
+ node = node.add_child(ExpectApplicationData())
+ node = node.add_child(AlertGenerator(AlertLevel.warning,
+ AlertDescription.close_notify))
+ node = node.add_child(ExpectAlert())
+ node.next_sibling = ExpectClose()
+
+ conversations["high record version (3, 254), very high protocol version"] = conversation
+
+ good = 0
+ bad = 0
+
+ for conversation_name, conversation in conversations.items():
+ print("{0} ...".format(conversation_name))
+
+ runner = Runner(conversation)
+
+ res = True
+ try:
+ runner.run()
+ except:
+ print("Error while processing")
+ print(traceback.format_exc())
+ print("")
+ res = False
+
+ if res:
+ good+=1
+ print("OK\n")
+ else:
+ bad+=1
+
+ print("Test end")
+ print("successful: {0}".format(good))
+ print("failed: {0}".format(bad))
+
+ if bad > 0:
+ sys.exit(1)
+
+if __name__ == "__main__":
+ main()
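Review bot: The bare `except:` around `runner.run()` in the conversation loop also swallows `KeyboardInterrupt` and `SystemExit`, so interrupting a hung handshake (for instance when the server never answers the `(0, 0)` ClientHello with the expected `protocol_version` alert) is counted as one more failed conversation and the loop moves on to the next one instead of stopping; narrowing it to `except Exception:` keeps the diagnostic traceback for real test errors and lets the interrupt propagate. The `res` flag can then go away by moving `good+=1` and `print("OK\n")` into an `else:` clause of the same `try`, which is the idiomatic shape for "run, report failure, otherwise count success". The final summary prints only counts; since the failing conversation's name is printed well above its traceback, it would help readers of long runs to also collect the names of failed conversations in a list and print them under `"failed: ..."`. The five conversations also duplicate the same fourteen-node TLS 1.2 handshake chain four times with only the `Connect` and `ClientHelloGenerator` version tuples differing, so a small helper taking `(record_version, hello_version)` and returning the conversation would make the intent of each case visible at a glance.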