-
Notifications
You must be signed in to change notification settings - Fork 111
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #856 from tlsfuzzer/dsa-support
Dsa support
- Loading branch information
Showing
12 changed files
with
625 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
tlslite-ng==0.8.0-alpha47 | ||
tlslite-ng==0.8.0-beta1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,336 @@ | ||
# Author: Hubert Kario, (c) 2023 | ||
# Released under Gnu GPL v2.0, see LICENSE file for details | ||
|
||
from __future__ import print_function | ||
import traceback | ||
import sys | ||
import getopt | ||
from itertools import chain | ||
from random import sample | ||
|
||
from tlsfuzzer.runner import Runner | ||
from tlsfuzzer.messages import Connect, ClientHelloGenerator, \ | ||
ClientKeyExchangeGenerator, ChangeCipherSpecGenerator, \ | ||
FinishedGenerator, ApplicationDataGenerator, AlertGenerator, \ | ||
CertificateGenerator, CertificateVerifyGenerator | ||
from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \ | ||
ExpectServerHelloDone, ExpectChangeCipherSpec, ExpectFinished, \ | ||
ExpectAlert, ExpectApplicationData, ExpectClose, \ | ||
ExpectServerKeyExchange, ExpectCertificateRequest | ||
|
||
|
||
from tlslite.constants import CipherSuite, AlertLevel, AlertDescription, \ | ||
GroupName, ExtensionType, HashAlgorithm, SignatureAlgorithm | ||
from tlslite.x509 import X509 | ||
from tlslite.x509certchain import X509CertChain | ||
from tlslite.utils.keyfactory import parsePEMKey | ||
from tlslite.extensions import SupportedGroupsExtension, \ | ||
SignatureAlgorithmsExtension, SignatureAlgorithmsCertExtension | ||
from tlsfuzzer.utils.lists import natural_sort_keys | ||
from tlsfuzzer.helpers import SIG_ALL, AutoEmptyExtension | ||
|
||
|
||
version = 1 | ||
|
||
|
||
def help_msg(): | ||
print("Usage: <script-name> [-h hostname] [-p port] [[probe-name] ...]") | ||
print(" -h hostname name of the host to run the test against") | ||
print(" localhost by default") | ||
print(" -p port port number to use for connection, 4433 by default") | ||
print(" probe-name if present, will run only the probes with given") | ||
print(" names and not all of them, e.g \"sanity\"") | ||
print(" -e probe-name exclude the probe from the list of the ones run") | ||
print(" may be specified multiple times") | ||
print(" -x probe-name expect the probe to fail. When such probe passes despite being marked like this") | ||
print(" it will be reported in the test summary and the whole script will fail.") | ||
print(" May be specified multiple times.") | ||
print(" -X message expect the `message` substring in exception raised during") | ||
print(" execution of preceding expected failure probe") | ||
print(" usage: [-x probe-name] [-X exception], order is compulsory!") | ||
print(" -n num run 'num' or all(if 0) tests instead of default(all)") | ||
print(" (\"sanity\" tests are always executed)") | ||
print(" -d negotiate (EC)DHE instead of RSA key exchange, send") | ||
print(" additional extensions, usually used for (EC)DHE ciphers") | ||
print(" -C ciph Use specified ciphersuite. Either numerical value or") | ||
print(" IETF name.") | ||
print(" -M | --ems Advertise support for Extended Master Secret") | ||
print(" -k file.pem file with private key for client") | ||
print(" -c file.pem file with certificate for client") | ||
print(" --help this message") | ||
# already used single-letter options: | ||
# -m test-large-hello.py - min extension number for fuzz testing | ||
# -s signature algorithms sent by server | ||
# -k client key | ||
# -c client certificate | ||
# -z don't expect 1/n-1 record split in TLS1.0 | ||
# -a override for expected alert description | ||
# -l override the expected alert level | ||
# -C explicit cipher for connection | ||
# -T expected certificates types in CertificateRequest | ||
# -b server is expected to have multiple (both) certificate types available | ||
# at the same time | ||
# -t timeout to wait for messages (also count of NSTs in | ||
# test-tls13-count-tickets.py) | ||
# -r perform renegotation multiple times | ||
# -S signature algorithms sent by client | ||
# -E additional extensions to be sent by client | ||
# | ||
# reserved: | ||
# -x expected fail for probe (alternative to -e) | ||
# -X expected failure message for probe (to be used together with -x) | ||
# -i enables timing the test using the specified interface | ||
# -o output directory for files related to collection of timing information | ||
|
||
|
||
def main(): | ||
host = "localhost" | ||
port = 4433 | ||
num_limit = None | ||
run_exclude = set() | ||
expected_failures = {} | ||
last_exp_tmp = None | ||
dhe = False | ||
ciphers = None | ||
ems = False | ||
private_key = None | ||
cert = None | ||
|
||
argv = sys.argv[1:] | ||
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:dC:Mk:c:", ["help", "ems"]) | ||
for opt, arg in opts: | ||
if opt == '-h': | ||
host = arg | ||
elif opt == '-p': | ||
port = int(arg) | ||
elif opt == '-e': | ||
run_exclude.add(arg) | ||
elif opt == '-x': | ||
expected_failures[arg] = None | ||
last_exp_tmp = str(arg) | ||
elif opt == '-X': | ||
if not last_exp_tmp: | ||
raise ValueError("-x has to be specified before -X") | ||
expected_failures[last_exp_tmp] = str(arg) | ||
elif opt == '-n': | ||
num_limit = int(arg) | ||
elif opt == '-d': | ||
dhe = True | ||
elif opt == '-C': | ||
if arg[:2] == '0x': | ||
ciphers = [int(arg, 16)] | ||
else: | ||
try: | ||
ciphers = [getattr(CipherSuite, arg)] | ||
except AttributeError: | ||
ciphers = [int(arg)] | ||
elif opt == '-M' or opt == '--ems': | ||
ems = True | ||
elif opt == '-k': | ||
text_key = open(arg, 'rb').read() | ||
if sys.version_info[0] >= 3: | ||
text_key = str(text_key, 'utf-8') | ||
private_key = parsePEMKey(text_key, private=True) | ||
elif opt == '-c': | ||
text_cert = open(arg, 'rb').read() | ||
if sys.version_info[0] >= 3: | ||
text_cert = str(text_cert, 'utf-8') | ||
cert = X509() | ||
cert.parse(text_cert) | ||
elif opt == '--help': | ||
help_msg() | ||
sys.exit(0) | ||
else: | ||
raise ValueError("Unknown option: {0}".format(opt)) | ||
|
||
if not private_key or not cert: | ||
raise ValueError("Both key and certificate have to be provided") | ||
|
||
if args: | ||
run_only = set(args) | ||
else: | ||
run_only = None | ||
|
||
if ciphers: | ||
if not dhe: | ||
# by default send minimal set of extensions, but allow user | ||
# to override it | ||
dhe = ciphers[0] in CipherSuite.ecdhAllSuites or \ | ||
ciphers[0] in CipherSuite.dhAllSuites | ||
else: | ||
if dhe: | ||
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | ||
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | ||
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA, | ||
CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA] | ||
else: | ||
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA] | ||
|
||
conversations = {} | ||
|
||
conversation = Connect(host, port) | ||
node = conversation | ||
ext = {} | ||
if ems: | ||
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension() | ||
if dhe: | ||
groups = [GroupName.secp256r1, | ||
GroupName.ffdhe2048] | ||
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\ | ||
.create(groups) | ||
ext[ExtensionType.signature_algorithms] = \ | ||
SignatureAlgorithmsExtension().create(SIG_ALL) | ||
ext[ExtensionType.signature_algorithms_cert] = \ | ||
SignatureAlgorithmsCertExtension().create(SIG_ALL) | ||
if not ext: | ||
ext = None | ||
node = node.add_child(ClientHelloGenerator( | ||
ciphers + [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV], | ||
extensions=ext)) | ||
node = node.add_child(ExpectServerHello()) | ||
node = node.add_child(ExpectCertificate()) | ||
if dhe: | ||
node = node.add_child(ExpectServerKeyExchange()) | ||
node = node.add_child(ExpectCertificateRequest()) | ||
node = node.add_child(ExpectServerHelloDone()) | ||
node = node.add_child(CertificateGenerator(X509CertChain([cert]))) | ||
node = node.add_child(ClientKeyExchangeGenerator()) | ||
node = node.add_child(CertificateVerifyGenerator(private_key)) | ||
node = node.add_child(ChangeCipherSpecGenerator()) | ||
node = node.add_child(FinishedGenerator()) | ||
node = node.add_child(ExpectChangeCipherSpec()) | ||
node = node.add_child(ExpectFinished()) | ||
node = node.add_child(ApplicationDataGenerator( | ||
bytearray(b"GET / HTTP/1.0\r\n\r\n"))) | ||
node = node.add_child(ExpectApplicationData()) | ||
node = node.add_child(AlertGenerator(AlertLevel.warning, | ||
AlertDescription.close_notify)) | ||
node = node.add_child(ExpectAlert()) | ||
node.next_sibling = ExpectClose() | ||
conversations["sanity"] = conversation | ||
|
||
# force MD5 signature | ||
conversation = Connect(host, port) | ||
node = conversation | ||
ext = {} | ||
if ems: | ||
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension() | ||
if dhe: | ||
groups = [GroupName.secp256r1, | ||
GroupName.ffdhe2048] | ||
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\ | ||
.create(groups) | ||
ext[ExtensionType.signature_algorithms] = \ | ||
SignatureAlgorithmsExtension().create(SIG_ALL) | ||
ext[ExtensionType.signature_algorithms_cert] = \ | ||
SignatureAlgorithmsCertExtension().create(SIG_ALL) | ||
if not ext: | ||
ext = None | ||
node = node.add_child(ClientHelloGenerator( | ||
ciphers + [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV], | ||
extensions=ext)) | ||
node = node.add_child(ExpectServerHello()) | ||
node = node.add_child(ExpectCertificate()) | ||
if dhe: | ||
node = node.add_child(ExpectServerKeyExchange()) | ||
node = node.add_child(ExpectCertificateRequest()) | ||
node = node.add_child(ExpectServerHelloDone()) | ||
node = node.add_child(CertificateGenerator(X509CertChain([cert]))) | ||
node = node.add_child(ClientKeyExchangeGenerator()) | ||
sig_type = (HashAlgorithm.md5, SignatureAlgorithm.dsa) | ||
node = node.add_child(CertificateVerifyGenerator(private_key, | ||
msg_alg=sig_type)) | ||
node = node.add_child(ChangeCipherSpecGenerator()) | ||
node = node.add_child(FinishedGenerator()) | ||
node = node.add_child(ExpectAlert()) | ||
node.add_child(ExpectClose()) | ||
conversations["md5+dsa forced"] = conversation | ||
|
||
# run the conversation | ||
good = 0 | ||
bad = 0 | ||
xfail = 0 | ||
xpass = 0 | ||
failed = [] | ||
xpassed = [] | ||
if not num_limit: | ||
num_limit = len(conversations) | ||
|
||
# make sure that sanity test is run first and last | ||
# to verify that server was running and kept running throughout | ||
sanity_tests = [('sanity', conversations['sanity'])] | ||
if run_only: | ||
if num_limit > len(run_only): | ||
num_limit = len(run_only) | ||
regular_tests = [(k, v) for k, v in conversations.items() if k in run_only] | ||
else: | ||
regular_tests = [(k, v) for k, v in conversations.items() if | ||
(k != 'sanity') and k not in run_exclude] | ||
sampled_tests = sample(regular_tests, min(num_limit, len(regular_tests))) | ||
ordered_tests = chain(sanity_tests, sampled_tests, sanity_tests) | ||
|
||
for c_name, c_test in ordered_tests: | ||
print("{0} ...".format(c_name)) | ||
|
||
runner = Runner(c_test) | ||
|
||
res = True | ||
exception = None | ||
try: | ||
runner.run() | ||
except Exception as exp: | ||
exception = exp | ||
print("Error while processing") | ||
print(traceback.format_exc()) | ||
res = False | ||
|
||
if c_name in expected_failures: | ||
if res: | ||
xpass += 1 | ||
xpassed.append(c_name) | ||
print("XPASS-expected failure but test passed\n") | ||
else: | ||
if expected_failures[c_name] is not None and \ | ||
expected_failures[c_name] not in str(exception): | ||
bad += 1 | ||
failed.append(c_name) | ||
print("Expected error message: {0}\n" | ||
.format(expected_failures[c_name])) | ||
else: | ||
xfail += 1 | ||
print("OK-expected failure\n") | ||
else: | ||
if res: | ||
good += 1 | ||
print("OK\n") | ||
else: | ||
bad += 1 | ||
failed.append(c_name) | ||
|
||
print("Basic conversation script; check basic communication with typical") | ||
print("cipher, TLS 1.2 or earlier and RSA key exchange (or (EC)DHE if") | ||
print("-d option is used)\n") | ||
|
||
print("Test end") | ||
print(20 * '=') | ||
print("version: {0}".format(version)) | ||
print(20 * '=') | ||
print("TOTAL: {0}".format(len(sampled_tests) + 2*len(sanity_tests))) | ||
print("SKIP: {0}".format(len(run_exclude.intersection(conversations.keys())))) | ||
print("PASS: {0}".format(good)) | ||
print("XFAIL: {0}".format(xfail)) | ||
print("FAIL: {0}".format(bad)) | ||
print("XPASS: {0}".format(xpass)) | ||
print(20 * '=') | ||
sort = sorted(xpassed ,key=natural_sort_keys) | ||
if len(sort): | ||
print("XPASSED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort))) | ||
sort = sorted(failed, key=natural_sort_keys) | ||
if len(sort): | ||
print("FAILED:\n\t{0}".format('\n\t'.join(repr(i) for i in sort))) | ||
|
||
if bad or xpass: | ||
sys.exit(1) | ||
|
||
if __name__ == "__main__": | ||
main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIEYzCCBBGgAwIBAgIUeLiaH57flwaXt7G1ae3irblrBR0wCwYJYIZIAWUDBAMC | ||
MBQxEjAQBgNVBAMMCWxvY2FsaG9zdDAgFw0yMzA4MDQxNjQ5MzhaGA8yMTIzMDcx | ||
MTE2NDkzOFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIDQjCCAjUGByqGSM44BAEw | ||
ggIoAoIBAQCKiKCtENzZfSCSfewPFVgV0vmOVw8WqO4uhiN/nSddlrxNOS58f5fk | ||
whAmtKxH7mQqlFPADuscHy5NQl9GsKZPi5ogVtxImJwP7enyf056tcOCtCUWnMIQ | ||
eEossgWdYE51KQeX+Hmr3XHqJwpsAW9yNkDS46SXut+uAAXLoQ2w+a71BJavCCuZ | ||
P5CqOjMbKVDBMIGPwDUKaL1prq2VBVSZ8WTiAtqqgaQUZQuV88G5R46teyNdOHt8 | ||
zonXF8/6PUuDbI3KXvQZitLo6dhXGrAg99Pwg9k9ztzUJOeZ7kU6DZFaawRT+/9J | ||
f6iG0Le20jVc9aw9SbWNfJBY7szeaq11Ah0A/Rgp6nI7FlqEUqL9GaNBm+2B/E1D | ||
P3Z5n3prNQKCAQBV7L0KOF5OnXYMNUrVSZ7qP9hMP4dnhVPvqVa0LJhXbmYx8CO+ | ||
kdPGbX2t8skg5yM1vK+AZ/nM5tlbA2R/F6Nol3X9lwUwQT0RRlhsHoT7kTVMU+Ip | ||
lv1C3X+H3GthGAnMmGutGsK+48sHl6QAPmy8f6uVHWzh6WQe7pROZPD410U8t2GM | ||
wRUjlo8n5NdQx/Qw7bvT88HX3FpybNQQJvsefeX5gEpK8JQSLhOEEjAqafrJHtBM | ||
FBDsdpn5/5/H9gTBXqjq6zJRxQP+xggmLj2Eo9B249ANmi57pixM2m9NFXVneJJN | ||
zlIZ2DIEzOX8TVjDFyGLmldXIz2/BqG6dmYDA4IBBQACggEAQDA5L5QJubxun5sH | ||
w31gN/oXWyxF9qXoaUyLpUpt2V2lebNCJ6bdR+wstA7ddyAb/pM6kjnjEv+UxD3c | ||
SjzMtW+Eehn8kXv4gdYyJeJjFcziV5sFvjW6RGAQX0+YO1gAv8BxjGzySNoc7bpp | ||
Ta5YywN0sRPG3U0KsVGyBXakYNoS3Hq7n1JnrSuGBKVje1fQyesRtpkWBfD6Dlog | ||
iciOy/iQnTsMCFrlrETJPfOAJ12Gzsr+lL9TLVsIP9tAk++Arp1H/rICf2QpIjsZ | ||
uEehHgg3oA62RecmMBf+7HX2+bZeoRyYYCe6DMyDS7HLzKA/y31iw7E9VLNyKU4q | ||
i6VPLqNTMFEwHQYDVR0OBBYEFBFcfDeT5cNGJwP89U5VkvxojDuzMB8GA1UdIwQY | ||
MBaAFBFcfDeT5cNGJwP89U5VkvxojDuzMA8GA1UdEwEB/wQFMAMBAf8wCwYJYIZI | ||
AWUDBAMCAz8AMDwCHGaJRUSP9RhmtFPC7UZQ3KjyELgZ/vUcfoJa3ysCHEUavN6C | ||
jExdFwdKI/98/jX7Qz7IlKnDbww8K9c= | ||
-----END CERTIFICATE----- |
Oops, something went wrong.