Skip to content

Commit

Permalink
Merge pull request #767 from tlsfuzzer/renego-disabled-ecdhe
Browse files Browse the repository at this point in the history 
renegotiation-disabled: add support for ECDHE
  • Loading branch information
@tomato42
tomato42 committed Aug 9, 2021
2 parents ac24ad7 + d0c72ee commit f2ed926
Showing 1 changed file with 163 additions and 21 deletions.
184 changes: 163 additions & 21 deletions scripts/test-renegotiation-disabled.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,16 @@
ResetHandshakeHashes
from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \
ExpectServerHelloDone, ExpectChangeCipherSpec, ExpectFinished, \
ExpectAlert, ExpectApplicationData, ExpectClose
ExpectAlert, ExpectApplicationData, ExpectClose, \
ExpectServerKeyExchange

from tlslite.constants import CipherSuite, AlertLevel, AlertDescription, \
ExtensionType
from tlslite.extensions import ALPNExtension, TLSExtension


ExtensionType, GroupName
from tlslite.extensions import ALPNExtension, TLSExtension, \
SupportedGroupsExtension, SignatureAlgorithmsExtension, \
SignatureAlgorithmsCertExtension
from tlsfuzzer.utils.lists import natural_sort_keys
from tlsfuzzer.helpers import SIG_ALL


version = 4
Expand All @@ -45,6 +47,7 @@ def help_msg():
print(" usage: [-x probe-name] [-X exception], order is compulsory!")
print(" -n num run 'num' or all(if 0) tests instead of default(all)")
print(" (excluding \"sanity\" tests)")
print(" -d negotiate (EC)DHE instead of RSA key exchange")
print(" --no-renego-close expect a connection close, after no_renego alert")
print(" --help this message")

Expand All @@ -57,9 +60,10 @@ def main():
expected_failures = {}
last_exp_tmp = None
no_renego_close = False
dhe = False

argv = sys.argv[1:]
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:", ["help", "no-renego-close"])
opts, args = getopt.getopt(argv, "h:p:e:x:X:n:d", ["help", "no-renego-close"])
for opt, arg in opts:
if opt == '-h':
host = arg
Expand All @@ -76,6 +80,8 @@ def main():
expected_failures[last_exp_tmp] = str(arg)
elif opt == '-n':
num_limit = int(arg)
elif opt == '-d':
dhe = True
elif opt == '--no-renego-close':
no_renego_close = True
elif opt == '--help':
Expand All @@ -93,11 +99,29 @@ def main():

conversation = Connect(host, port)
node = conversation
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers))
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
Expand All @@ -117,12 +141,29 @@ def main():
conversation = Connect(host, port)
node = conversation

ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info:None}
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ext[ExtensionType.renegotiation_info] = None
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info:None}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
Expand All @@ -131,7 +172,19 @@ def main():
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {ExtensionType.renegotiation_info:None}
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ext[ExtensionType.renegotiation_info] = None
else:
ext = {ExtensionType.renegotiation_info:None}
node = node.add_child(ClientHelloGenerator(ciphers,
session_id=bytearray(0),
extensions=ext))
Expand All @@ -158,12 +211,29 @@ def main():
conversation = Connect(host, port)
node = conversation

ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info:None}
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ext[ExtensionType.renegotiation_info] = None
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
ext = {ExtensionType.renegotiation_info:None}
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
ext = {ExtensionType.renegotiation_info: None}
node = node.add_child(ExpectServerHello(extensions=ext))
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
Expand All @@ -175,7 +245,19 @@ def main():
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n")))
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
ext = {ExtensionType.renegotiation_info:None}
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ext[ExtensionType.renegotiation_info] = None
else:
ext = {ExtensionType.renegotiation_info:None}
node = node.add_child(ClientHelloGenerator(ciphers,
session_id=bytearray(0),
extensions=ext))
Expand All @@ -200,10 +282,27 @@ def main():
conversation = Connect(host, port)
node = conversation

ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers))
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
Expand All @@ -212,8 +311,21 @@ def main():
node = node.add_child(ExpectFinished())
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
else:
ext = None
node = node.add_child(ClientHelloGenerator(ciphers,
session_id=bytearray(0)))
session_id=bytearray(0),
extensions=ext))
node = node.add_child(ExpectAlert(AlertLevel.warning,
AlertDescription.no_renegotiation))
if no_renego_close:
Expand All @@ -237,10 +349,27 @@ def main():
conversation = Connect(host, port)
node = conversation

ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers))
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
ciphers = [CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
else:
ext = None
ciphers = [CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA]
node = node.add_child(ClientHelloGenerator(ciphers, extensions=ext))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
if dhe:
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
Expand All @@ -252,8 +381,21 @@ def main():
bytearray(b"GET /?Renegotiation_Test=tlsfuzzer HTTP/1.0\r\n")))
# 2nd handshake
node = node.add_child(ResetHandshakeHashes())
if dhe:
ext = {}
groups = [GroupName.secp256r1,
GroupName.ffdhe2048]
ext[ExtensionType.supported_groups] = SupportedGroupsExtension()\
.create(groups)
ext[ExtensionType.signature_algorithms] = \
SignatureAlgorithmsExtension().create(SIG_ALL)
ext[ExtensionType.signature_algorithms_cert] = \
SignatureAlgorithmsCertExtension().create(SIG_ALL)
else:
ext = None
node = node.add_child(ClientHelloGenerator(ciphers,
session_id=bytearray(0)))
session_id=bytearray(0),
extensions=ext))
node = node.add_child(ExpectAlert(AlertLevel.warning,
AlertDescription.no_renegotiation))
if no_renego_close:
Expand Down

0 comments on commit f2ed926

Please sign in to comment.