Skip to content

Commit

Permalink
Merge pull request #791 from tlsfuzzer/renego-fips
Browse files Browse the repository at this point in the history 
Renegotiation tests with restrictive servers
  • Loading branch information
@tomato42
tomato42 committed May 10, 2022
2 parents b832247 + a243170 commit 930b8ce
Show file tree
Hide file tree
Showing 4 changed files with 120 additions and 63 deletions.
45 changes: 34 additions & 11 deletions scripts/test-conversation.py
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Author: Hubert Kario, (c) 2015-2018
# Author: Hubert Kario, (c) 2015-2022
# Released under Gnu GPL v2.0, see LICENSE file for details

from __future__ import print_function
Expand Down Expand Up @@ -26,7 +26,7 @@
from tlsfuzzer.helpers import SIG_ALL


version = 7
version = 8


def help_msg():
Expand All @@ -46,7 +46,10 @@ def help_msg():
print(" usage: [-x probe-name] [-X exception], order is compulsory!")
print(" -n num run 'num' or all(if 0) tests instead of default(all)")
print(" (\"sanity\" tests are always executed)")
print(" -d negotiate (EC)DHE instead of RSA key exchange")
print(" -d negotiate (EC)DHE instead of RSA key exchange, send")
print(" additional extensions, usually used for (EC)DHE ciphers")
print(" -C ciph Use specified ciphersuite. Either numerical value or")
print(" IETF name.")
print(" --help this message")
# already used single-letter options:
# -m test-large-hello.py - min extension number for fuzz testing
Expand Down Expand Up @@ -81,9 +84,10 @@ def main():
expected_failures = {}
last_exp_tmp = None
dhe = False
ciphers = None

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help"])
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:dC:", ["help"])
for opt, arg in opts:
if opt == '-h':
host = arg
Expand All @@ -102,6 +106,14 @@ def main():
num_limit = int(arg)
elif opt == '-d':
dhe = True
elif opt == '-C':
if arg[:2] == '0x':
ciphers = [int(arg, 16)]
else:
try:
ciphers = [getattr(CipherSuite, arg)]
except AttributeError:
ciphers = [int(arg)]
elif opt == '--help':
help_msg()
sys.exit(0)
Expand All @@ -113,6 +125,21 @@ def main():
else:
run_only = None

if ciphers:
if not dhe:
# by default send minimal set of extensions, but allow user
# to override it
dhe = ciphers[0] in CipherSuite.ecdhAllSuites or \
ciphers[0] in CipherSuite.dhAllSuites
else:
if dhe:
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]


conversations = {}

conversation = Connect(host, port)
Expand All @@ -127,15 +154,11 @@ def main():
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ClientHelloGenerator(
ciphers + [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV],
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
Expand Down
52 changes: 33 additions & 19 deletions scripts/test-renegotiation-disabled-client-cert.py
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Author: Hubert Kario, (c) 2018
# Author: Hubert Kario, (c) 2018-2022
# Released under Gnu GPL v2.0, see LICENSE file for details

from __future__ import print_function
Expand Down Expand Up @@ -30,7 +30,7 @@
from tlsfuzzer.utils.lists import natural_sort_keys


version = 5
version = 6


def help_msg():
Expand All @@ -40,7 +40,10 @@ def help_msg():
print(" -p port port number to use for connection, 4433 by default")
print(" probe-name if present, will run only the probes with given")
print(" names and not all of them, e.g \"sanity\"")
print(" -d Use (EC)DHE instead of RSA for key exchange")
print(" -d negotiate (EC)DHE instead of RSA key exchange, send")
print(" additional extensions, usually used for (EC)DHE ciphers")
print(" -C ciph Use specified ciphersuite. Either numerical value or")
print(" IETF name.")
print(" -e probe-name exclude the probe from the list of the ones run")
print(" may be specified multiple times")
print(" -x probe-name expect the probe to fail. When such probe passes despite being marked like this")
Expand Down Expand Up @@ -70,9 +73,10 @@ def main():
cert = None
early_abort = False
dhe = False
ciphers = None

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:k:c:d", ["help", "no-ins-renego",
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:k:c:dC:", ["help", "no-ins-renego",
"early-abort"])
for opt, arg in opts:
if opt == '-h':
Expand All @@ -90,6 +94,14 @@ def main():
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-d':
dhe = True
elif opt == '-C':
if arg[:2] == '0x':
ciphers = [int(arg, 16)]
else:
try:
ciphers = [getattr(CipherSuite, arg)]
except AttributeError:
ciphers = [int(arg)]
elif opt == '-n':
num_limit = int(arg)
elif opt == '--no-ins-renego':
Expand Down Expand Up @@ -123,6 +135,20 @@ def main():
else:
run_only = None

if ciphers:
if not dhe:
# by default send minimal set of extensions, but allow user
# to override it
dhe = ciphers[0] in CipherSuite.ecdhAllSuites or \
ciphers[0] in CipherSuite.dhAllSuites
else:
if dhe:
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]

conversations = {}

conversation = Connect(host, port)
Expand All @@ -137,19 +163,15 @@ def main():
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = {}
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(sig_algs)
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ClientHelloGenerator(
ciphers + [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV],
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
Expand Down Expand Up @@ -183,12 +205,8 @@ def main():
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ext = {ExtensionType.renegotiation_info:None}
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
Expand Down Expand Up @@ -249,12 +267,8 @@ def main():
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ext = {ExtensionType.renegotiation_info:None}
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext[ExtensionType.signature_algorithms] = SignatureAlgorithmsExtension()\
.create(sig_algs)
ext[ExtensionType.signature_algorithms_cert] = \
Expand Down
60 changes: 33 additions & 27 deletions scripts/test-renegotiation-disabled.py
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Author: Hubert Kario, (c) 2018
# Author: Hubert Kario, (c) 2018-2022
# Released under Gnu GPL v2.0, see LICENSE file for details

from __future__ import print_function
Expand Down Expand Up @@ -27,7 +27,7 @@
from tlsfuzzer.helpers import SIG_ALL


version = 4
version = 5


def help_msg():
Expand All @@ -47,7 +47,10 @@ def help_msg():
print(" usage: [-x probe-name] [-X exception], order is compulsory!")
print(" -n num run 'num' or all(if 0) tests instead of default(all)")
print(" (excluding \"sanity\" tests)")
print(" -d negotiate (EC)DHE instead of RSA key exchange")
print(" -d negotiate (EC)DHE instead of RSA key exchange, send")
print(" additional extensions, usually used for (EC)DHE ciphers")
print(" -C ciph Use specified ciphersuite. Either numerical value or")
print(" IETF name.")
print(" --no-renego-close expect a connection close, after no_renego alert")
print(" --help this message")

Expand All @@ -61,9 +64,10 @@ def main():
last_exp_tmp = None
no_renego_close = False
dhe = False
ciphers = None

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help", "no-renego-close"])
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:dC:", ["help", "no-renego-close"])
for opt, arg in opts:
if opt == '-h':
host = arg
Expand All @@ -82,6 +86,14 @@ def main():
num_limit = int(arg)
elif opt == '-d':
dhe = True
elif opt == '-C':
if arg[:2] == '0x':
ciphers = [int(arg, 16)]
else:
try:
ciphers = [getattr(CipherSuite, arg)]
except AttributeError:
ciphers = [int(arg)]
elif opt == '--no-renego-close':
no_renego_close = True
elif opt == '--help':
Expand All @@ -90,6 +102,20 @@ def main():
else:
raise ValueError("Unknown option: {0}".format(opt))

if ciphers:
if not dhe:
# by default send minimal set of extensions, but allow user
# to override it
dhe = ciphers[0] in CipherSuite.ecdhAllSuites or \
ciphers[0] in CipherSuite.dhAllSuites
else:
if dhe:
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]

if args:
run_only = set(args)
else:
Expand All @@ -109,15 +135,11 @@ def main():
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ClientHelloGenerator(
ciphers + [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV],
extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
Expand Down Expand Up @@ -152,11 +174,7 @@ def main():
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ext[ExtensionType.renegotiation_info] = None
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info:None}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
Expand Down Expand Up @@ -222,11 +240,7 @@ def main():
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ext[ExtensionType.renegotiation_info] = None
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info:None}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
Expand Down Expand Up @@ -292,12 +306,8 @@ def main():
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
Expand Down Expand Up @@ -359,12 +369,8 @@ def main():
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
Expand Down

0 comments on commit 930b8ce

Please sign in to comment.