Skip to content

Commit

Permalink
Merge pull request #828 from ueno/wip/dueno/ems-followup
Browse files Browse the repository at this point in the history 
EMS support followup
  • Loading branch information
@tomato42
tomato42 committed Jul 21, 2023
2 parents 4e68c41 + 28e441f commit 39f3a5b
Show file tree
Hide file tree
Showing 9 changed files with 311 additions and 77 deletions.
16 changes: 13 additions & 3 deletions scripts/test-certificate-verify-malformed-sig.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,10 @@
from tlslite.x509 import X509
from tlslite.x509certchain import X509CertChain
from tlsfuzzer.utils.lists import natural_sort_keys
from tlsfuzzer.helpers import RSA_SIG_ALL
from tlsfuzzer.helpers import RSA_SIG_ALL, AutoEmptyExtension


version = 6
version = 7


def help_msg():
Expand All @@ -54,6 +54,7 @@ def help_msg():
print(" -d negotiate (EC)DHE instead of RSA key exchange")
print(" -k file.pem file with private key for client")
print(" -c file.pem file with certificate for client")
print(" -M | --ems Enable support for Extended Master Secret")
print(" --help this message")


Expand All @@ -68,9 +69,10 @@ def main():
private_key = None
cert = None
dhe = False
ems = False

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:k:c:d", ["help"])
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:k:c:dM", ["help", "ems"])
for opt, arg in opts:
if opt == '-h':
host = arg
Expand Down Expand Up @@ -103,6 +105,8 @@ def main():
cert.parse(text_cert)
elif opt == "-d":
dhe = True
elif opt == '-M' or opt == '--ems':
ems = True
else:
raise ValueError("Unknown option: {0}".format(opt))

Expand Down Expand Up @@ -140,6 +144,8 @@ def main():
if dhe:
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([GroupName.secp256r1, GroupName.ffdhe2048])
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
Expand Down Expand Up @@ -196,6 +202,8 @@ def main():
if dhe:
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([GroupName.secp256r1, GroupName.ffdhe2048])
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
Expand Down Expand Up @@ -246,6 +254,8 @@ def main():
if dhe:
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create([GroupName.secp256r1, GroupName.ffdhe2048])
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello(version=(3, 3)))
node = node.add_child(ExpectCertificate())
Expand Down
26 changes: 19 additions & 7 deletions scripts/test-dhe-rsa-key-exchange-signatures.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,11 @@

from tlslite.constants import CipherSuite, AlertLevel, AlertDescription, \
ExtensionType, HashAlgorithm, SignatureAlgorithm
from tlsfuzzer.helpers import RSA_SIG_ALL
from tlsfuzzer.helpers import RSA_SIG_ALL, AutoEmptyExtension
from tlsfuzzer.utils.lists import natural_sort_keys


version = 5
version = 6


def help_msg():
Expand All @@ -48,6 +48,7 @@ def help_msg():
print(" -X message expect the `message` substring in exception raised during")
print(" execution of preceding expected failure probe")
print(" usage: [-x probe-name] [-X exception], order is compulsory!")
print(" -M | --ems Enable support for Extended Master Secret")
print(" --help this message")


Expand All @@ -59,9 +60,10 @@ def main():
run_exclude = set()
expected_failures = {}
last_exp_tmp = None
ems = False

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:x:X:", ["help"])
opts, args = getopt.getopt(argv, "h:p:e:n:x:X:M", ["help", "ems"])
for opt, arg in opts:
if opt == '-h':
host = arg
Expand All @@ -78,6 +80,8 @@ def main():
if not last_exp_tmp:
raise ValueError("-x has to be specified before -X")
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-M' or opt == '--ems':
ems = True
elif opt == '--help':
help_msg()
sys.exit(0)
Expand Down Expand Up @@ -106,10 +110,14 @@ def main():
SignatureAlgorithmsExtension().create(sig_algs),
ExtensionType.signature_algorithms_cert :
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)}
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(version=(3, 3),
extensions={ExtensionType.
renegotiation_info:None}))
extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_sig_algs=sig_algs))
node = node.add_child(ExpectServerHelloDone())
Expand Down Expand Up @@ -144,10 +152,14 @@ def main():
SignatureAlgorithmsExtension().create(sig_algs),
ExtensionType.signature_algorithms_cert :
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)}
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(version=(3, 3),
extensions={ExtensionType.
renegotiation_info:None}))
extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange(valid_sig_algs=sig_algs))
node = node.add_child(ExpectServerHelloDone())
Expand Down
66 changes: 49 additions & 17 deletions scripts/test-dhe-rsa-key-exchange-with-bad-messages.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,10 @@
from tlsfuzzer.utils.lists import natural_sort_keys
from tlslite.extensions import SignatureAlgorithmsExtension, \
SignatureAlgorithmsCertExtension
from tlsfuzzer.helpers import RSA_SIG_ALL
from tlsfuzzer.helpers import RSA_SIG_ALL, AutoEmptyExtension


version = 4
version = 5


def help_msg():
Expand All @@ -53,6 +53,7 @@ def help_msg():
print(" -a alert numerical value of the expected alert for messages")
print(" with publicly invalid client key shares,")
print(" 47 (illegal_parameter) by default")
print(" -M | --ems Enable support for Extended Master Secret")
print(" --help this message")


Expand All @@ -66,9 +67,10 @@ def main():
expected_failures = {}
last_exp_tmp = None
alert = AlertDescription.illegal_parameter
ems = False

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:n:x:X:a:", ["help"])
opts, args = getopt.getopt(argv, "h:p:e:n:x:X:a:M", ["help", "ems"])
for opt, arg in opts:
if opt == '-h':
host = arg
Expand All @@ -90,6 +92,8 @@ def main():
sys.exit(0)
elif opt == "-a":
alert = int(arg)
elif opt == '-M' or opt == '--ems':
ems = True
else:
raise ValueError("Unknown option: {0}".format(opt))

Expand All @@ -109,11 +113,15 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(extensions={ExtensionType.
renegotiation_info:None}))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
Expand Down Expand Up @@ -144,11 +152,15 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(extensions={ExtensionType.
renegotiation_info:None}))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
Expand All @@ -173,11 +185,15 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(extensions={ExtensionType.
renegotiation_info:None}))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
Expand All @@ -202,11 +218,15 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(extensions={ExtensionType.
renegotiation_info:None}))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
Expand All @@ -231,11 +251,15 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(extensions={ExtensionType.
renegotiation_info:None}))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
Expand All @@ -260,11 +284,15 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(extensions={ExtensionType.
renegotiation_info:None}))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
Expand All @@ -290,11 +318,15 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers,
extensions=ext))
node = node.add_child(ExpectServerHello(extensions={ExtensionType.
renegotiation_info:None}))
srv_ext = {ExtensionType.renegotiation_info:None}
if ems:
srv_ext[ExtensionType.extended_master_secret] = None
node = node.add_child(ExpectServerHello(extensions=srv_ext))
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
Expand Down
21 changes: 17 additions & 4 deletions scripts/test-export-ciphers-rejected.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,11 @@
from tlslite.constants import CipherSuite, AlertLevel, AlertDescription, GroupName, \
ExtensionType
from tlsfuzzer.utils.lists import natural_sort_keys
from tlsfuzzer.helpers import protocol_name_to_tuple, RSA_SIG_ALL
from tlsfuzzer.helpers import protocol_name_to_tuple, RSA_SIG_ALL, \
AutoEmptyExtension


version = 7
version = 8


def help_msg():
Expand All @@ -47,6 +48,7 @@ def help_msg():
print(" (excluding \"sanity\" tests)")
print(" --min-ver val The lowest version support, \"SSLv3\" by default")
print(" may be \"TLSv1.0\", \"TLSv1.1\" or \"TLSv1.2\"")
print(" -M | --ems Enable support for Extended Master Secret")
print(" --help this message")


Expand All @@ -59,9 +61,11 @@ def main():
last_exp_tmp = None
min_ver = (3, 0)
dhe = False
ems = False

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help", "min-ver="])
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:dM", ["help", "min-ver=",
"ems"])
for opt, arg in opts:
if opt == '-h':
host = arg
Expand All @@ -78,6 +82,8 @@ def main():
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-d':
dhe = True
elif opt == '-M' or opt == '--ems':
ems = True
elif opt == '-n':
num_limit = int(arg)
elif opt == '--help':
Expand Down Expand Up @@ -105,6 +111,8 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
if dhe:
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Expand Down Expand Up @@ -168,6 +176,8 @@ def main():
SignatureAlgorithmsExtension().create(RSA_SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(RSA_SIG_ALL)
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
ciphers = [c_id,
expected_cipher,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Expand Down Expand Up @@ -210,7 +220,10 @@ def main():
node = conversation
ciphers = [c_id,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers))
ext = {}
if ems:
ext[ExtensionType.extended_master_secret] = AutoEmptyExtension()
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(
ExpectAlert(AlertLevel.fatal,
(AlertDescription.handshake_failure,
Expand Down

0 comments on commit 39f3a5b

Please sign in to comment.