1# SPDX-License-Identifier: GPL-2.0-only 2# This file is part of Scapy 3# See https://scapy.net/ for more information 4# Copyright (C) 2007, 2008, 2009 Arnaud Ebalard 5# 2015, 2016, 2017 Maxence Tury 6# 2019 Romain Perez 7 8""" 9TLS client automaton. This makes for a primitive TLS stack. 10Obviously you need rights for network access. 11 12We support versions SSLv2 to TLS 1.3, along with many features. 13 14In order to run a client to tcp/50000 with one cipher suite of your choice:: 15 16 from scapy.layers.tls import * 17 ch = TLSClientHello(ciphers=<int code of the cipher suite>) 18 t = TLSClientAutomaton(dport=50000, client_hello=ch) 19 t.run() 20 21You can also use it as a SuperSocket using the ``tlslink`` io:: 22 23 from scapy.layers.tls import * 24 a = TLSClientAutomaton.tlslink(Raw, server="scapy.net", dport=443) 25 a.send(HTTP()/HTTPRequest()) 26 while True: 27 a.recv() 28 29You can also use the io with a TCPSession, e.g. to get an HTTPS answer:: 30 31 from scapy.all import * 32 from scapy.layers.http import * 33 from scapy.layers.tls.automaton_cli import * 34 a = TLSClientAutomaton.tlslink(HTTP, server="www.google.com", dport=443) 35 pkt = a.sr1(HTTP()/HTTPRequest(), session=TCPSession(app=True), 36 timeout=2) 37""" 38 39import socket 40import binascii 41import struct 42import time 43 44from scapy.config import conf 45from scapy.utils import randstring, repr_hex 46from scapy.automaton import ATMT, select_objects 47from scapy.error import warning 48from scapy.layers.tls.automaton import _TLSAutomaton 49from scapy.layers.tls.basefields import _tls_version, _tls_version_options 50from scapy.layers.tls.session import tlsSession 51from scapy.layers.tls.extensions import ( 52 ServerName, 53 TLS_Ext_PSKKeyExchangeModes, 54 TLS_Ext_PostHandshakeAuth, 55 TLS_Ext_ServerName, 56 TLS_Ext_SignatureAlgorithms, 57 TLS_Ext_SupportedGroups, 58 TLS_Ext_SupportedVersion_CH, 59 TLS_Ext_SupportedVersion_SH, 60) 61from scapy.layers.tls.handshake import TLSCertificate, TLSCertificateRequest, \ 62 TLSCertificateVerify, TLSClientHello, TLSClientKeyExchange, \ 63 TLSEncryptedExtensions, TLSFinished, TLSServerHello, TLSServerHelloDone, \ 64 TLSServerKeyExchange, TLS13Certificate, TLS13ClientHello, \ 65 TLS13ServerHello, TLS13HelloRetryRequest, TLS13CertificateRequest, \ 66 _ASN1CertAndExt, TLS13KeyUpdate, TLS13NewSessionTicket 67from scapy.layers.tls.handshake_sslv2 import SSLv2ClientHello, \ 68 SSLv2ServerHello, SSLv2ClientMasterKey, SSLv2ServerVerify, \ 69 SSLv2ClientFinished, SSLv2ServerFinished, SSLv2ClientCertificate, \ 70 SSLv2RequestCertificate 71from scapy.layers.tls.keyexchange_tls13 import TLS_Ext_KeyShare_CH, \ 72 KeyShareEntry, TLS_Ext_KeyShare_HRR, PSKIdentity, PSKBinderEntry, \ 73 TLS_Ext_PreSharedKey_CH 74from scapy.layers.tls.record import TLSAlert, TLSChangeCipherSpec, \ 75 TLSApplicationData 76from scapy.layers.tls.crypto.suites import _tls_cipher_suites, \ 77 _tls_cipher_suites_cls 78from scapy.layers.tls.crypto.groups import _tls_named_groups 79from scapy.layers.tls.crypto.hkdf import TLS13_HKDF 80from scapy.packet import Raw 81from scapy.compat import bytes_encode 82 83# Typing imports 84from typing import ( 85 Optional, 86) 87 88 89class TLSClientAutomaton(_TLSAutomaton): 90 """ 91 A simple TLS test client automaton. Try to overload some states or 92 conditions and see what happens on the other side. 93 94 Rather than with an interruption, the best way to stop this client is by 95 typing 'quit'. This won't be a message sent to the server. 96 97 :param server: the server IP or hostname. defaults to 127.0.0.1 98 :param dport: the server port. defaults to 4433 99 :param server_name: the SNI to use. It does not need to be set 100 :param mycert: 101 :param mykey: may be provided as filenames. They will be used in the (or post) 102 handshake, should the server ask for client authentication. 103 :param client_hello: may hold a TLSClientHello, TLS13ClientHello or 104 SSLv2ClientHello to be sent to the server. This is particularly useful 105 for extensions tweaking. If not set, a default is populated accordingly. 106 :param version: is a quicker way to advertise a protocol version ("sslv2", 107 "tls1", "tls12", "tls13", etc.) It may be overridden by the previous 108 'client_hello'. 109 :param session_ticket_file_in: path to a file that contains a session ticket 110 acquired in a previous session. 111 :param session_ticket_file_out: path to store any session ticket acquired during 112 this session. 113 :param data: is a list of raw data to be sent to the server once the 114 handshake has been completed. Both 'stop_server' and 'quit' will 115 work this way. 116 """ 117 118 def parse_args(self, server="127.0.0.1", dport=4433, server_name=None, 119 mycert=None, mykey=None, 120 client_hello=None, version=None, 121 resumption_master_secret=None, 122 session_ticket_file_in=None, 123 session_ticket_file_out=None, 124 psk=None, psk_mode=None, 125 data=None, 126 ciphersuite: Optional[int] = None, 127 curve: Optional[str] = None, 128 supported_groups=None, 129 supported_signature_algorithms=None, 130 **kargs): 131 132 super(TLSClientAutomaton, self).parse_args(mycert=mycert, 133 mykey=mykey, 134 **kargs) 135 tmp = socket.getaddrinfo(server, dport) 136 self.remote_family = tmp[0][0] 137 self.remote_ip = tmp[0][4][0] 138 self.remote_port = dport 139 self.server_name = server_name 140 self.local_ip = None 141 self.local_port = None 142 self.socket = None 143 144 if isinstance(client_hello, (SSLv2ClientHello, TLSClientHello, 145 TLS13ClientHello)): 146 self.client_hello = client_hello 147 else: 148 self.client_hello = None 149 self.advertised_tls_version = None 150 if version: 151 v = _tls_version_options.get(version, None) 152 if not v: 153 self.vprint("Unrecognized TLS version option.") 154 else: 155 self.advertised_tls_version = v 156 157 self.linebreak = False 158 if isinstance(data, bytes): 159 self.data_to_send = [data] 160 elif isinstance(data, str): 161 self.data_to_send = [bytes_encode(data)] 162 elif isinstance(data, list): 163 self.data_to_send = list(bytes_encode(d) for d in reversed(data)) 164 else: 165 self.data_to_send = [] 166 167 if supported_groups is None: 168 supported_groups = ["secp256r1", "secp384r1", "x448"] 169 if conf.crypto_valid_advanced: 170 supported_groups.extend([ 171 "x25519", 172 "ffdhe2048", 173 ]) 174 self.supported_groups = supported_groups 175 176 if supported_signature_algorithms is None: 177 supported_signature_algorithms = [ 178 "sha256+rsaepss", 179 "sha256+rsa", 180 "ed25519", 181 "ed448", 182 ] 183 self.supported_signature_algorithms = supported_signature_algorithms 184 185 self.curve = None 186 self.ciphersuite = None 187 188 if ciphersuite is not None: 189 if ciphersuite in _tls_cipher_suites.keys(): 190 self.ciphersuite = ciphersuite 191 else: 192 self.vprint("Unrecognized cipher suite.") 193 194 if self.advertised_tls_version == 0x0304: 195 if conf.crypto_valid_advanced: 196 # Default to x25519 if supported 197 self.curve = 29 198 else: 199 # Or secp256r1 otherwise 200 self.curve = 23 201 self.resumption_master_secret = resumption_master_secret 202 self.session_ticket_file_in = session_ticket_file_in 203 self.session_ticket_file_out = session_ticket_file_out 204 self.tls13_psk_secret = psk 205 self.tls13_psk_mode = psk_mode 206 self.tls13_doing_client_postauth = False 207 if curve is not None: 208 for (group_id, ng) in _tls_named_groups.items(): 209 if ng == curve: 210 if curve == "x25519": 211 if conf.crypto_valid_advanced: 212 self.curve = group_id 213 else: 214 self.curve = group_id 215 216 def vprint_sessioninfo(self): 217 if self.verbose: 218 s = self.cur_session 219 v = _tls_version[s.tls_version] 220 self.vprint("Version : %s" % v) 221 cs = s.wcs.ciphersuite.name 222 self.vprint("Cipher suite : %s" % cs) 223 kx_groupname = s.kx_group 224 self.vprint("Server temp key : %s" % kx_groupname) 225 if s.tls_version >= 0x0304: 226 ms = s.tls13_master_secret 227 else: 228 ms = s.master_secret 229 self.vprint("Master secret : %s" % repr_hex(ms)) 230 if s.server_certs: 231 self.vprint("Server certificate chain: %r" % s.server_certs) 232 if s.tls_version >= 0x0304: 233 res_secret = s.tls13_derived_secrets["resumption_secret"] 234 self.vprint("Resumption master secret : %s" % 235 repr_hex(res_secret)) 236 self.vprint() 237 238 @ATMT.state(initial=True) 239 def INITIAL(self): 240 self.vprint("Starting TLS client automaton.") 241 raise self.INIT_TLS_SESSION() 242 243 @ATMT.ioevent(INITIAL, name="tls", as_supersocket="tlslink") 244 def _socket(self, fd): 245 pass 246 247 @ATMT.state() 248 def INIT_TLS_SESSION(self): 249 self.cur_session = tlsSession(connection_end="client") 250 s = self.cur_session 251 s.client_certs = self.mycert 252 s.client_key = self.mykey 253 v = self.advertised_tls_version 254 if v: 255 s.advertised_tls_version = v 256 else: 257 default_version = s.advertised_tls_version 258 self.advertised_tls_version = default_version 259 260 if s.advertised_tls_version >= 0x0304: 261 # For out of band PSK, the PSK is given as an argument 262 # to the automaton 263 if self.tls13_psk_secret: 264 s.tls13_psk_secret = binascii.unhexlify(self.tls13_psk_secret) 265 266 # For resumed PSK, the PSK is computed from 267 if self.session_ticket_file_in: 268 with open(self.session_ticket_file_in, 'rb') as f: 269 270 resumed_ciphersuite_len = struct.unpack("B", f.read(1))[0] 271 s.tls13_ticket_ciphersuite = \ 272 struct.unpack("!H", f.read(resumed_ciphersuite_len))[0] 273 274 ticket_nonce_len = struct.unpack("B", f.read(1))[0] 275 # XXX add client_session_nonce member in tlsSession 276 s.client_session_nonce = f.read(ticket_nonce_len) 277 278 client_ticket_age_len = struct.unpack("!H", f.read(2))[0] 279 tmp = f.read(client_ticket_age_len) 280 s.client_ticket_age = struct.unpack("!I", tmp)[0] 281 282 client_ticket_age_add_len = struct.unpack( 283 "!H", f.read(2))[0] 284 tmp = f.read(client_ticket_age_add_len) 285 s.client_session_ticket_age_add = struct.unpack( 286 "!I", tmp)[0] 287 288 ticket_len = struct.unpack("!H", f.read(2))[0] 289 s.client_session_ticket = f.read(ticket_len) 290 291 if self.resumption_master_secret: 292 293 if s.tls13_ticket_ciphersuite not in _tls_cipher_suites_cls: # noqa: E501 294 warning("Unknown cipher suite %d", s.tls13_ticket_ciphersuite) # noqa: E501 295 # we do not try to set a default nor stop the execution 296 else: 297 cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite] # noqa: E501 298 299 hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower()) 300 hash_len = hkdf.hash.digest_size 301 302 s.tls13_psk_secret = hkdf.expand_label(binascii.unhexlify(self.resumption_master_secret), # noqa: E501 303 b"resumption", 304 s.client_session_nonce, # noqa: E501 305 hash_len) 306 raise self.CONNECT() 307 308 @ATMT.state() 309 def CONNECT(self): 310 s = socket.socket(self.remote_family, socket.SOCK_STREAM) 311 self.vprint() 312 self.vprint("Trying to connect on %s:%d" % (self.remote_ip, 313 self.remote_port)) 314 s.connect((self.remote_ip, self.remote_port)) 315 self.socket = s 316 self.local_ip, self.local_port = self.socket.getsockname()[:2] 317 self.vprint() 318 if self.cur_session.advertised_tls_version in [0x0200, 0x0002]: 319 raise self.SSLv2_PREPARE_CLIENTHELLO() 320 elif self.cur_session.advertised_tls_version >= 0x0304: 321 raise self.TLS13_START() 322 else: 323 raise self.PREPARE_CLIENTFLIGHT1() 324 325 # TLS handshake # 326 327 @ATMT.state() 328 def PREPARE_CLIENTFLIGHT1(self): 329 self.add_record() 330 331 @ATMT.condition(PREPARE_CLIENTFLIGHT1) 332 def should_add_ClientHello(self): 333 if self.client_hello: 334 p = self.client_hello 335 else: 336 p = TLSClientHello(ciphers=self.ciphersuite) 337 ext = [] 338 # Add TLS_Ext_SignatureAlgorithms for TLS 1.2 ClientHello 339 if self.cur_session.advertised_tls_version == 0x0303: 340 ext += [TLS_Ext_SignatureAlgorithms( 341 sig_algs=self.supported_signature_algorithms, 342 )] 343 # Add TLS_Ext_ServerName 344 if self.server_name: 345 ext += TLS_Ext_ServerName( 346 servernames=[ServerName(servername=self.server_name)] 347 ) 348 p.ext = ext 349 self.add_msg(p) 350 raise self.ADDED_CLIENTHELLO() 351 352 @ATMT.state() 353 def ADDED_CLIENTHELLO(self): 354 pass 355 356 @ATMT.condition(ADDED_CLIENTHELLO) 357 def should_send_ClientFlight1(self): 358 self.flush_records() 359 raise self.SENT_CLIENTFLIGHT1() 360 361 @ATMT.state() 362 def SENT_CLIENTFLIGHT1(self): 363 raise self.WAITING_SERVERFLIGHT1() 364 365 @ATMT.state() 366 def WAITING_SERVERFLIGHT1(self): 367 self.get_next_msg() 368 raise self.RECEIVED_SERVERFLIGHT1() 369 370 @ATMT.state() 371 def RECEIVED_SERVERFLIGHT1(self): 372 pass 373 374 @ATMT.condition(RECEIVED_SERVERFLIGHT1, prio=1) 375 def should_handle_ServerHello(self): 376 """ 377 XXX We should check the ServerHello attributes for discrepancies with 378 our own ClientHello. 379 """ 380 self.raise_on_packet(TLSServerHello, 381 self.HANDLED_SERVERHELLO) 382 383 @ATMT.state() 384 def HANDLED_SERVERHELLO(self): 385 pass 386 387 @ATMT.condition(RECEIVED_SERVERFLIGHT1, prio=2) 388 def missing_ServerHello(self): 389 raise self.MISSING_SERVERHELLO() 390 391 @ATMT.state() 392 def MISSING_SERVERHELLO(self): 393 self.vprint("Missing TLS ServerHello message!") 394 raise self.CLOSE_NOTIFY() 395 396 @ATMT.condition(HANDLED_SERVERHELLO, prio=1) 397 def should_handle_ServerCertificate(self): 398 if not self.cur_session.prcs.key_exchange.anonymous: 399 self.raise_on_packet(TLSCertificate, 400 self.HANDLED_SERVERCERTIFICATE) 401 raise self.HANDLED_SERVERCERTIFICATE() 402 403 @ATMT.state() 404 def HANDLED_SERVERCERTIFICATE(self): 405 pass 406 407 @ATMT.condition(HANDLED_SERVERHELLO, prio=2) 408 def missing_ServerCertificate(self): 409 raise self.MISSING_SERVERCERTIFICATE() 410 411 @ATMT.state() 412 def MISSING_SERVERCERTIFICATE(self): 413 self.vprint("Missing TLS Certificate message!") 414 raise self.CLOSE_NOTIFY() 415 416 @ATMT.state() 417 def HANDLED_CERTIFICATEREQUEST(self): 418 self.vprint("Server asked for a certificate...") 419 if not self.mykey or not self.mycert: 420 self.vprint("No client certificate to send!") 421 self.vprint("Will try and send an empty Certificate message...") 422 423 @ATMT.condition(HANDLED_SERVERCERTIFICATE, prio=1) 424 def should_handle_ServerKeyExchange_from_ServerCertificate(self): 425 """ 426 XXX We should check the ServerKeyExchange attributes for discrepancies 427 with our own ClientHello, along with the ServerHello and Certificate. 428 """ 429 self.raise_on_packet(TLSServerKeyExchange, 430 self.HANDLED_SERVERKEYEXCHANGE) 431 432 @ATMT.state(final=True) 433 def MISSING_SERVERKEYEXCHANGE(self): 434 pass 435 436 @ATMT.condition(HANDLED_SERVERCERTIFICATE, prio=2) 437 def missing_ServerKeyExchange(self): 438 if not self.cur_session.prcs.key_exchange.no_ske: 439 raise self.MISSING_SERVERKEYEXCHANGE() 440 441 @ATMT.state() 442 def HANDLED_SERVERKEYEXCHANGE(self): 443 pass 444 445 def should_handle_CertificateRequest(self): 446 """ 447 XXX We should check the CertificateRequest attributes for discrepancies 448 with the cipher suite, etc. 449 """ 450 self.raise_on_packet(TLSCertificateRequest, 451 self.HANDLED_CERTIFICATEREQUEST) 452 453 @ATMT.condition(HANDLED_SERVERKEYEXCHANGE, prio=2) 454 def should_handle_CertificateRequest_from_ServerKeyExchange(self): 455 self.should_handle_CertificateRequest() 456 457 @ATMT.condition(HANDLED_SERVERCERTIFICATE, prio=3) 458 def should_handle_CertificateRequest_from_ServerCertificate(self): 459 self.should_handle_CertificateRequest() 460 461 def should_handle_ServerHelloDone(self): 462 self.raise_on_packet(TLSServerHelloDone, 463 self.HANDLED_SERVERHELLODONE) 464 465 @ATMT.condition(HANDLED_SERVERKEYEXCHANGE, prio=1) 466 def should_handle_ServerHelloDone_from_ServerKeyExchange(self): 467 return self.should_handle_ServerHelloDone() 468 469 @ATMT.condition(HANDLED_CERTIFICATEREQUEST) 470 def should_handle_ServerHelloDone_from_CertificateRequest(self): 471 return self.should_handle_ServerHelloDone() 472 473 @ATMT.condition(HANDLED_SERVERCERTIFICATE, prio=4) 474 def should_handle_ServerHelloDone_from_ServerCertificate(self): 475 return self.should_handle_ServerHelloDone() 476 477 @ATMT.state() 478 def HANDLED_SERVERHELLODONE(self): 479 raise self.PREPARE_CLIENTFLIGHT2() 480 481 @ATMT.state() 482 def PREPARE_CLIENTFLIGHT2(self): 483 self.add_record() 484 485 @ATMT.condition(PREPARE_CLIENTFLIGHT2, prio=1) 486 def should_add_ClientCertificate(self): 487 """ 488 If the server sent a CertificateRequest, we send a Certificate message. 489 If no certificate is available, an empty Certificate message is sent: 490 - this is a SHOULD in RFC 4346 (Section 7.4.6) 491 - this is a MUST in RFC 5246 (Section 7.4.6) 492 493 XXX We may want to add a complete chain. 494 """ 495 if not self.in_handshake(TLSCertificateRequest): 496 return 497 498 certs = [] 499 if self.mycert: 500 certs = [self.mycert] 501 502 self.add_msg(TLSCertificate(certs=certs)) 503 raise self.ADDED_CLIENTCERTIFICATE() 504 505 @ATMT.state() 506 def ADDED_CLIENTCERTIFICATE(self): 507 pass 508 509 def should_add_ClientKeyExchange(self): 510 self.add_msg(TLSClientKeyExchange()) 511 raise self.ADDED_CLIENTKEYEXCHANGE() 512 513 @ATMT.condition(PREPARE_CLIENTFLIGHT2, prio=2) 514 def should_add_ClientKeyExchange_from_ClientFlight2(self): 515 return self.should_add_ClientKeyExchange() 516 517 @ATMT.condition(ADDED_CLIENTCERTIFICATE) 518 def should_add_ClientKeyExchange_from_ClientCertificate(self): 519 return self.should_add_ClientKeyExchange() 520 521 @ATMT.state() 522 def ADDED_CLIENTKEYEXCHANGE(self): 523 pass 524 525 @ATMT.condition(ADDED_CLIENTKEYEXCHANGE, prio=1) 526 def should_add_ClientVerify(self): 527 """ 528 XXX Section 7.4.7.1 of RFC 5246 states that the CertificateVerify 529 message is only sent following a client certificate that has signing 530 capability (i.e. not those containing fixed DH params). 531 We should verify that before adding the message. We should also handle 532 the case when the Certificate message was empty. 533 """ 534 if not self.in_handshake(TLSCertificateRequest): 535 return 536 if self.mycert is None or self.mykey is None: 537 return 538 self.add_msg(TLSCertificateVerify()) 539 raise self.ADDED_CERTIFICATEVERIFY() 540 541 @ATMT.state() 542 def ADDED_CERTIFICATEVERIFY(self): 543 pass 544 545 @ATMT.condition(ADDED_CERTIFICATEVERIFY) 546 def should_add_ChangeCipherSpec_from_CertificateVerify(self): 547 self.add_record() 548 self.add_msg(TLSChangeCipherSpec()) 549 raise self.ADDED_CHANGECIPHERSPEC() 550 551 @ATMT.condition(ADDED_CLIENTKEYEXCHANGE, prio=2) 552 def should_add_ChangeCipherSpec_from_ClientKeyExchange(self): 553 self.add_record() 554 self.add_msg(TLSChangeCipherSpec()) 555 raise self.ADDED_CHANGECIPHERSPEC() 556 557 @ATMT.state() 558 def ADDED_CHANGECIPHERSPEC(self): 559 pass 560 561 @ATMT.condition(ADDED_CHANGECIPHERSPEC) 562 def should_add_ClientFinished(self): 563 self.add_record() 564 self.add_msg(TLSFinished()) 565 raise self.ADDED_CLIENTFINISHED() 566 567 @ATMT.state() 568 def ADDED_CLIENTFINISHED(self): 569 pass 570 571 @ATMT.condition(ADDED_CLIENTFINISHED) 572 def should_send_ClientFlight2(self): 573 self.flush_records() 574 raise self.SENT_CLIENTFLIGHT2() 575 576 @ATMT.state() 577 def SENT_CLIENTFLIGHT2(self): 578 raise self.WAITING_SERVERFLIGHT2() 579 580 @ATMT.state() 581 def WAITING_SERVERFLIGHT2(self): 582 self.get_next_msg() 583 raise self.RECEIVED_SERVERFLIGHT2() 584 585 @ATMT.state() 586 def RECEIVED_SERVERFLIGHT2(self): 587 pass 588 589 @ATMT.condition(RECEIVED_SERVERFLIGHT2) 590 def should_handle_ChangeCipherSpec(self): 591 self.raise_on_packet(TLSChangeCipherSpec, 592 self.HANDLED_CHANGECIPHERSPEC) 593 594 @ATMT.state() 595 def HANDLED_CHANGECIPHERSPEC(self): 596 pass 597 598 @ATMT.condition(HANDLED_CHANGECIPHERSPEC) 599 def should_handle_Finished(self): 600 self.raise_on_packet(TLSFinished, 601 self.HANDLED_SERVERFINISHED) 602 603 @ATMT.state() 604 def HANDLED_SERVERFINISHED(self): 605 self.vprint("TLS handshake completed!") 606 self.vprint_sessioninfo() 607 self.vprint("You may send data or use 'quit'.") 608 609 # end of TLS handshake # 610 611 @ATMT.condition(HANDLED_SERVERFINISHED) 612 def should_wait_ClientData(self): 613 raise self.WAIT_CLIENTDATA() 614 615 @ATMT.state() 616 def WAIT_CLIENTDATA(self): 617 pass 618 619 @ATMT.condition(WAIT_CLIENTDATA, prio=1) 620 def add_ClientData(self): 621 r""" 622 The user may type in: 623 GET / HTTP/1.1\r\nHost: testserver.com\r\n\r\n 624 Special characters are handled so that it becomes a valid HTTP request. 625 """ 626 if not self.data_to_send: 627 if self.is_atmt_socket: 628 # Socket mode 629 fd = select_objects([self.ioin["tls"]], 0) 630 if fd: 631 self.add_record() 632 self.add_msg(TLSApplicationData(data=fd[0].recv())) 633 raise self.ADDED_CLIENTDATA() 634 raise self.WAITING_SERVERDATA() 635 else: 636 data = input().replace('\\r', '\r').replace('\\n', '\n').encode() 637 else: 638 data = self.data_to_send.pop() 639 if data == b"quit": 640 return 641 # Command to skip sending 642 elif data == b"wait": 643 raise self.WAITING_SERVERDATA() 644 # Command to perform a key_update (for a TLS 1.3 session) 645 elif data == b"key_update": 646 if self.cur_session.tls_version >= 0x0304: 647 self.add_record() 648 self.add_msg(TLS13KeyUpdate(request_update="update_requested")) 649 raise self.ADDED_CLIENTDATA() 650 651 if self.linebreak: 652 data += b"\n" 653 self.add_record() 654 self.add_msg(TLSApplicationData(data=data)) 655 raise self.ADDED_CLIENTDATA() 656 657 @ATMT.condition(WAIT_CLIENTDATA, prio=2) 658 def no_more_ClientData(self): 659 raise self.CLOSE_NOTIFY() 660 661 @ATMT.state() 662 def ADDED_CLIENTDATA(self): 663 pass 664 665 @ATMT.condition(ADDED_CLIENTDATA) 666 def should_send_ClientData(self): 667 self.flush_records() 668 raise self.SENT_CLIENTDATA() 669 670 @ATMT.state() 671 def SENT_CLIENTDATA(self): 672 raise self.WAITING_SERVERDATA() 673 674 @ATMT.state() 675 def WAITING_SERVERDATA(self): 676 self.get_next_msg(0.3, 1) 677 if not self.buffer_in: 678 raise self.WAIT_CLIENTDATA() 679 raise self.RECEIVED_SERVERDATA() 680 681 @ATMT.state() 682 def RECEIVED_SERVERDATA(self): 683 pass 684 685 @ATMT.condition(RECEIVED_SERVERDATA, prio=1) 686 def should_handle_CertificateRequest_postauth(self): 687 self.raise_on_packet(TLS13CertificateRequest, 688 self.TLS13_RECEIVED_POST_AUTHENTICATION_REQUEST) 689 690 @ATMT.state() 691 def TLS13_RECEIVED_POST_AUTHENTICATION_REQUEST(self): 692 self.vprint("Server asked for a certificate...") 693 self.tls13_doing_client_postauth = True 694 if not self.mykey or not self.mycert: 695 self.vprint("No client certificate to send!") 696 self.vprint("Will try and send an empty Certificate message...") 697 self.add_record(is_tls13=True) 698 699 @ATMT.condition(TLS13_RECEIVED_POST_AUTHENTICATION_REQUEST, prio=1) 700 def should_send_CertificateRequest_postauth(self): 701 if self.cur_session.post_handshake_auth: 702 self.tls13_should_add_ClientCertificate() 703 704 @ATMT.condition(TLS13_RECEIVED_POST_AUTHENTICATION_REQUEST, prio=2) 705 def should_fail_CertificateRequest_postauth(self): 706 self.add_msg(TLSAlert(level=2, descr=0x0A)) 707 self.flush_records() 708 self.vprint( 709 "Received CertificateRequest without post_handshake_auth extension!" 710 ) 711 raise self.FINAL() 712 713 @ATMT.condition(RECEIVED_SERVERDATA, prio=2) 714 def should_handle_NewSessionTicket(self): 715 self.raise_on_packet(TLS13NewSessionTicket, 716 self.TLS13_RECEIVED_NEW_SESSION_TICKET) 717 718 @ATMT.state() 719 def TLS13_RECEIVED_NEW_SESSION_TICKET(self): 720 pass 721 722 @ATMT.condition(TLS13_RECEIVED_NEW_SESSION_TICKET) 723 def should_store_session_ticket_file(self): 724 # If arg session_ticket_file_out is set, we save 725 # the ticket for resumption... 726 if self.session_ticket_file_out: 727 # Struct of ticket file : 728 # * ciphersuite_len (1 byte) 729 # * ciphersuite (ciphersuite_len bytes) : 730 # we need to the store the ciphersuite for resumption 731 # * ticket_nonce_len (1 byte) 732 # * ticket_nonce (ticket_nonce_len bytes) : 733 # we need to store the nonce to compute the PSK 734 # for resumption 735 # * ticket_age_len (2 bytes) 736 # * ticket_age (ticket_age_len bytes) : 737 # we need to store the time we received the ticket for 738 # computing the obfuscated_ticket_age when resuming 739 # * ticket_age_add_len (2 bytes) 740 # * ticket_age_add (ticket_age_add_len bytes) : 741 # we need to store the ticket_age_add value from the 742 # ticket to compute the obfuscated ticket age 743 # * ticket_len (2 bytes) 744 # * ticket (ticket_len bytes) 745 with open(self.session_ticket_file_out, 'wb') as f: 746 f.write(struct.pack("B", 2)) 747 # we choose wcs arbitrarily... 748 f.write(struct.pack("!H", 749 self.cur_session.wcs.ciphersuite.val)) 750 f.write(struct.pack("B", self.cur_pkt.noncelen)) 751 f.write(self.cur_pkt.ticket_nonce) 752 f.write(struct.pack("!H", 4)) 753 f.write(struct.pack("!I", int(time.time()))) 754 f.write(struct.pack("!H", 4)) 755 f.write(struct.pack("!I", self.cur_pkt.ticket_age_add)) 756 f.write(struct.pack("!H", self.cur_pkt.ticketlen)) 757 f.write(self.cur_session.client_session_ticket) 758 self.vprint( 759 "Received a TLS 1.3 NewSessionTicket that was stored to %s" % ( 760 self.session_ticket_file_out 761 ) 762 ) 763 else: 764 self.vprint("Ignored TLS 1.3 NewSessionTicket.") 765 raise self.WAIT_CLIENTDATA() 766 767 @ATMT.condition(RECEIVED_SERVERDATA, prio=3) 768 def should_handle_ServerData(self): 769 p = self.buffer_in[0] 770 if isinstance(p, TLSApplicationData): 771 if self.is_atmt_socket: 772 # Socket mode 773 self.oi.tls.send(p.data) 774 else: 775 self.vprint("Received: %r" % p.data) 776 elif isinstance(p, TLSAlert): 777 self.vprint("Received: %r" % p) 778 raise self.CLOSE_NOTIFY() 779 else: 780 self.vprint("Received: %r" % p) 781 self.buffer_in = self.buffer_in[1:] 782 raise self.HANDLED_SERVERDATA() 783 784 @ATMT.state() 785 def HANDLED_SERVERDATA(self): 786 raise self.WAIT_CLIENTDATA() 787 788 @ATMT.state() 789 def CLOSE_NOTIFY(self): 790 self.vprint() 791 self.vprint("Trying to send a TLSAlert to the server...") 792 793 @ATMT.condition(CLOSE_NOTIFY) 794 def close_session(self): 795 self.add_record() 796 self.add_msg(TLSAlert(level=1, descr=0)) 797 try: 798 self.flush_records() 799 except Exception: 800 self.vprint("Could not send termination Alert, maybe the server stopped?") # noqa: E501 801 raise self.FINAL() 802 803 # SSLv2 handshake # 804 805 @ATMT.state() 806 def SSLv2_PREPARE_CLIENTHELLO(self): 807 pass 808 809 @ATMT.condition(SSLv2_PREPARE_CLIENTHELLO) 810 def sslv2_should_add_ClientHello(self): 811 self.add_record(is_sslv2=True) 812 p = self.client_hello or SSLv2ClientHello(challenge=randstring(16)) 813 self.add_msg(p) 814 raise self.SSLv2_ADDED_CLIENTHELLO() 815 816 @ATMT.state() 817 def SSLv2_ADDED_CLIENTHELLO(self): 818 pass 819 820 @ATMT.condition(SSLv2_ADDED_CLIENTHELLO) 821 def sslv2_should_send_ClientHello(self): 822 self.flush_records() 823 raise self.SSLv2_SENT_CLIENTHELLO() 824 825 @ATMT.state() 826 def SSLv2_SENT_CLIENTHELLO(self): 827 raise self.SSLv2_WAITING_SERVERHELLO() 828 829 @ATMT.state() 830 def SSLv2_WAITING_SERVERHELLO(self): 831 self.get_next_msg() 832 raise self.SSLv2_RECEIVED_SERVERHELLO() 833 834 @ATMT.state() 835 def SSLv2_RECEIVED_SERVERHELLO(self): 836 pass 837 838 @ATMT.condition(SSLv2_RECEIVED_SERVERHELLO, prio=1) 839 def sslv2_should_handle_ServerHello(self): 840 self.raise_on_packet(SSLv2ServerHello, 841 self.SSLv2_HANDLED_SERVERHELLO) 842 843 @ATMT.state() 844 def SSLv2_HANDLED_SERVERHELLO(self): 845 pass 846 847 @ATMT.condition(SSLv2_RECEIVED_SERVERHELLO, prio=2) 848 def sslv2_missing_ServerHello(self): 849 raise self.SSLv2_MISSING_SERVERHELLO() 850 851 @ATMT.state() 852 def SSLv2_MISSING_SERVERHELLO(self): 853 self.vprint("Missing SSLv2 ServerHello message!") 854 raise self.SSLv2_CLOSE_NOTIFY() 855 856 @ATMT.condition(SSLv2_HANDLED_SERVERHELLO) 857 def sslv2_should_add_ClientMasterKey(self): 858 self.add_record(is_sslv2=True) 859 self.add_msg(SSLv2ClientMasterKey()) 860 raise self.SSLv2_ADDED_CLIENTMASTERKEY() 861 862 @ATMT.state() 863 def SSLv2_ADDED_CLIENTMASTERKEY(self): 864 pass 865 866 @ATMT.condition(SSLv2_ADDED_CLIENTMASTERKEY) 867 def sslv2_should_send_ClientMasterKey(self): 868 self.flush_records() 869 raise self.SSLv2_SENT_CLIENTMASTERKEY() 870 871 @ATMT.state() 872 def SSLv2_SENT_CLIENTMASTERKEY(self): 873 raise self.SSLv2_WAITING_SERVERVERIFY() 874 875 @ATMT.state() 876 def SSLv2_WAITING_SERVERVERIFY(self): 877 # We give the server 0.5 second to send his ServerVerify. 878 # Else we assume that he's waiting for our ClientFinished. 879 self.get_next_msg(0.5, 0) 880 raise self.SSLv2_RECEIVED_SERVERVERIFY() 881 882 @ATMT.state() 883 def SSLv2_RECEIVED_SERVERVERIFY(self): 884 pass 885 886 @ATMT.condition(SSLv2_RECEIVED_SERVERVERIFY, prio=1) 887 def sslv2_should_handle_ServerVerify(self): 888 self.raise_on_packet(SSLv2ServerVerify, 889 self.SSLv2_HANDLED_SERVERVERIFY, 890 get_next_msg=False) 891 892 @ATMT.state() 893 def SSLv2_HANDLED_SERVERVERIFY(self): 894 pass 895 896 def sslv2_should_add_ClientFinished(self): 897 if self.in_handshake(SSLv2ClientFinished): 898 return 899 self.add_record(is_sslv2=True) 900 self.add_msg(SSLv2ClientFinished()) 901 raise self.SSLv2_ADDED_CLIENTFINISHED() 902 903 @ATMT.condition(SSLv2_HANDLED_SERVERVERIFY, prio=1) 904 def sslv2_should_add_ClientFinished_from_ServerVerify(self): 905 return self.sslv2_should_add_ClientFinished() 906 907 @ATMT.condition(SSLv2_HANDLED_SERVERVERIFY, prio=2) 908 def sslv2_should_wait_ServerFinished_from_ServerVerify(self): 909 raise self.SSLv2_WAITING_SERVERFINISHED() 910 911 @ATMT.condition(SSLv2_RECEIVED_SERVERVERIFY, prio=2) 912 def sslv2_should_add_ClientFinished_from_NoServerVerify(self): 913 return self.sslv2_should_add_ClientFinished() 914 915 @ATMT.condition(SSLv2_RECEIVED_SERVERVERIFY, prio=3) 916 def sslv2_missing_ServerVerify(self): 917 raise self.SSLv2_MISSING_SERVERVERIFY() 918 919 @ATMT.state(final=True) 920 def SSLv2_MISSING_SERVERVERIFY(self): 921 self.vprint("Missing SSLv2 ServerVerify message!") 922 raise self.SSLv2_CLOSE_NOTIFY() 923 924 @ATMT.state() 925 def SSLv2_ADDED_CLIENTFINISHED(self): 926 pass 927 928 @ATMT.condition(SSLv2_ADDED_CLIENTFINISHED) 929 def sslv2_should_send_ClientFinished(self): 930 self.flush_records() 931 raise self.SSLv2_SENT_CLIENTFINISHED() 932 933 @ATMT.state() 934 def SSLv2_SENT_CLIENTFINISHED(self): 935 if self.in_handshake(SSLv2ServerVerify): 936 raise self.SSLv2_WAITING_SERVERFINISHED() 937 else: 938 self.get_next_msg() 939 raise self.SSLv2_RECEIVED_SERVERVERIFY() 940 941 @ATMT.state() 942 def SSLv2_WAITING_SERVERFINISHED(self): 943 self.get_next_msg() 944 raise self.SSLv2_RECEIVED_SERVERFINISHED() 945 946 @ATMT.state() 947 def SSLv2_RECEIVED_SERVERFINISHED(self): 948 pass 949 950 @ATMT.condition(SSLv2_RECEIVED_SERVERFINISHED, prio=1) 951 def sslv2_should_handle_ServerFinished(self): 952 self.raise_on_packet(SSLv2ServerFinished, 953 self.SSLv2_HANDLED_SERVERFINISHED) 954 955 # SSLv2 client authentication # 956 957 @ATMT.condition(SSLv2_RECEIVED_SERVERFINISHED, prio=2) 958 def sslv2_should_handle_RequestCertificate(self): 959 self.raise_on_packet(SSLv2RequestCertificate, 960 self.SSLv2_HANDLED_REQUESTCERTIFICATE) 961 962 @ATMT.state() 963 def SSLv2_HANDLED_REQUESTCERTIFICATE(self): 964 self.vprint("Server asked for a certificate...") 965 if not self.mykey or not self.mycert: 966 self.vprint("No client certificate to send!") 967 raise self.SSLv2_CLOSE_NOTIFY() 968 969 @ATMT.condition(SSLv2_HANDLED_REQUESTCERTIFICATE) 970 def sslv2_should_add_ClientCertificate(self): 971 self.add_record(is_sslv2=True) 972 self.add_msg(SSLv2ClientCertificate(certdata=self.mycert)) 973 raise self.SSLv2_ADDED_CLIENTCERTIFICATE() 974 975 @ATMT.state() 976 def SSLv2_ADDED_CLIENTCERTIFICATE(self): 977 pass 978 979 @ATMT.condition(SSLv2_ADDED_CLIENTCERTIFICATE) 980 def sslv2_should_send_ClientCertificate(self): 981 self.flush_records() 982 raise self.SSLv2_SENT_CLIENTCERTIFICATE() 983 984 @ATMT.state() 985 def SSLv2_SENT_CLIENTCERTIFICATE(self): 986 raise self.SSLv2_WAITING_SERVERFINISHED() 987 988 # end of SSLv2 client authentication # 989 990 @ATMT.state() 991 def SSLv2_HANDLED_SERVERFINISHED(self): 992 self.vprint("SSLv2 handshake completed!") 993 self.vprint_sessioninfo() 994 self.vprint("You may send data or use 'quit'.") 995 996 @ATMT.condition(SSLv2_RECEIVED_SERVERFINISHED, prio=3) 997 def sslv2_missing_ServerFinished(self): 998 raise self.SSLv2_MISSING_SERVERFINISHED() 999 1000 @ATMT.state() 1001 def SSLv2_MISSING_SERVERFINISHED(self): 1002 self.vprint("Missing SSLv2 ServerFinished message!") 1003 raise self.SSLv2_CLOSE_NOTIFY() 1004 1005 # end of SSLv2 handshake # 1006 1007 @ATMT.condition(SSLv2_HANDLED_SERVERFINISHED) 1008 def sslv2_should_wait_ClientData(self): 1009 raise self.SSLv2_WAITING_CLIENTDATA() 1010 1011 @ATMT.state() 1012 def SSLv2_WAITING_CLIENTDATA(self): 1013 pass 1014 1015 @ATMT.condition(SSLv2_WAITING_CLIENTDATA, prio=1) 1016 def sslv2_add_ClientData(self): 1017 if not self.data_to_send: 1018 data = input().replace('\\r', '\r').replace('\\n', '\n').encode() 1019 else: 1020 data = self.data_to_send.pop() 1021 self.vprint("Read from list: %s" % data) 1022 if data == "quit": 1023 return 1024 if self.linebreak: 1025 data += "\n" 1026 self.add_record(is_sslv2=True) 1027 self.add_msg(Raw(data)) 1028 raise self.SSLv2_ADDED_CLIENTDATA() 1029 1030 @ATMT.condition(SSLv2_WAITING_CLIENTDATA, prio=2) 1031 def sslv2_no_more_ClientData(self): 1032 raise self.SSLv2_CLOSE_NOTIFY() 1033 1034 @ATMT.state() 1035 def SSLv2_ADDED_CLIENTDATA(self): 1036 pass 1037 1038 @ATMT.condition(SSLv2_ADDED_CLIENTDATA) 1039 def sslv2_should_send_ClientData(self): 1040 self.flush_records() 1041 raise self.SSLv2_SENT_CLIENTDATA() 1042 1043 @ATMT.state() 1044 def SSLv2_SENT_CLIENTDATA(self): 1045 raise self.SSLv2_WAITING_SERVERDATA() 1046 1047 @ATMT.state() 1048 def SSLv2_WAITING_SERVERDATA(self): 1049 self.get_next_msg(0.3, 1) 1050 raise self.SSLv2_RECEIVED_SERVERDATA() 1051 1052 @ATMT.state() 1053 def SSLv2_RECEIVED_SERVERDATA(self): 1054 pass 1055 1056 @ATMT.condition(SSLv2_RECEIVED_SERVERDATA) 1057 def sslv2_should_handle_ServerData(self): 1058 if not self.buffer_in: 1059 raise self.SSLv2_WAITING_CLIENTDATA() 1060 p = self.buffer_in[0] 1061 self.vprint("Received: %r" % p.load) 1062 if p.load.startswith(b"goodbye"): 1063 raise self.SSLv2_CLOSE_NOTIFY() 1064 self.buffer_in = self.buffer_in[1:] 1065 raise self.SSLv2_HANDLED_SERVERDATA() 1066 1067 @ATMT.state() 1068 def SSLv2_HANDLED_SERVERDATA(self): 1069 raise self.SSLv2_WAITING_CLIENTDATA() 1070 1071 @ATMT.state() 1072 def SSLv2_CLOSE_NOTIFY(self): 1073 """ 1074 There is no proper way to end an SSLv2 session. 1075 We try and send a 'goodbye' message as a substitute. 1076 """ 1077 self.vprint() 1078 self.vprint("Trying to send a 'goodbye' to the server...") 1079 1080 @ATMT.condition(SSLv2_CLOSE_NOTIFY) 1081 def sslv2_close_session(self): 1082 self.add_record() 1083 self.add_msg(Raw('goodbye')) 1084 try: 1085 self.flush_records() 1086 except Exception: 1087 self.vprint("Could not send our goodbye. The server probably stopped.") # noqa: E501 1088 self.socket.close() 1089 raise self.FINAL() 1090 1091 # TLS 1.3 handshake # 1092 1093 @ATMT.state() 1094 def TLS13_START(self): 1095 pass 1096 1097 @ATMT.condition(TLS13_START) 1098 def tls13_should_add_ClientHello(self): 1099 # we have to use the legacy, plaintext TLS record here 1100 self.add_record(is_tls13=False) 1101 if self.client_hello: 1102 p = self.client_hello 1103 else: 1104 if self.ciphersuite is None: 1105 c = 0x1301 1106 else: 1107 c = self.ciphersuite 1108 p = TLS13ClientHello(ciphers=c) 1109 1110 ext = [] 1111 ext += TLS_Ext_SupportedVersion_CH(versions=[self.advertised_tls_version]) 1112 1113 s = self.cur_session 1114 1115 # Add TLS_Ext_ServerName 1116 if self.server_name: 1117 ext += TLS_Ext_ServerName( 1118 servernames=[ServerName(servername=self.server_name)] 1119 ) 1120 1121 # Add TLS_Ext_PostHandshakeAuth 1122 if self.mycert is not None and self.mykey is not None: 1123 ext += TLS_Ext_PostHandshakeAuth() 1124 1125 if s.tls13_psk_secret: 1126 # Check if DHE is need (both for out of band and resumption PSK) 1127 if self.tls13_psk_mode == "psk_dhe_ke": 1128 ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke") 1129 ext += TLS_Ext_SupportedGroups(groups=self.supported_groups) 1130 ext += TLS_Ext_KeyShare_CH( 1131 client_shares=[KeyShareEntry(group=self.curve)] 1132 ) 1133 else: 1134 ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke") 1135 1136 # RFC8446, section 4.2.11. 1137 # "The "pre_shared_key" extension MUST be the last extension 1138 # in the ClientHello " 1139 # Compute the pre_shared_key extension for resumption PSK 1140 if s.client_session_ticket: 1141 cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite] # noqa: E501 1142 hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower()) 1143 hash_len = hkdf.hash.digest_size 1144 # We compute the client's view of the age of the ticket (ie 1145 # the time since the receipt of the ticket) in ms 1146 agems = int((time.time() - s.client_ticket_age) * 1000) 1147 # Then we compute the obfuscated version of the ticket age 1148 # by adding the "ticket_age_add" value included in the 1149 # ticket (modulo 2^32) 1150 obfuscated_age = ((agems + s.client_session_ticket_age_add) & 1151 0xffffffff) 1152 1153 psk_id = PSKIdentity(identity=s.client_session_ticket, 1154 obfuscated_ticket_age=obfuscated_age) 1155 1156 psk_binder_entry = PSKBinderEntry(binder_len=hash_len, 1157 binder=b"\x00" * hash_len) 1158 1159 ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], 1160 binders=[psk_binder_entry]) 1161 else: 1162 # Compute the pre_shared_key extension for out of band PSK 1163 # (SHA256 is used as default hash function for HKDF for out 1164 # of band PSK) 1165 hkdf = TLS13_HKDF("sha256") 1166 hash_len = hkdf.hash.digest_size 1167 psk_id = PSKIdentity(identity='Client_identity') 1168 # XXX see how to not pass binder as argument 1169 psk_binder_entry = PSKBinderEntry(binder_len=hash_len, 1170 binder=b"\x00" * hash_len) 1171 1172 ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], 1173 binders=[psk_binder_entry]) 1174 else: 1175 ext += TLS_Ext_SupportedGroups(groups=self.supported_groups) 1176 ext += TLS_Ext_KeyShare_CH( 1177 client_shares=[KeyShareEntry(group=self.curve)] 1178 ) 1179 ext += TLS_Ext_SignatureAlgorithms( 1180 sig_algs=self.supported_signature_algorithms, 1181 ) 1182 p.ext = ext 1183 self.add_msg(p) 1184 raise self.TLS13_ADDED_CLIENTHELLO() 1185 1186 @ATMT.state() 1187 def TLS13_ADDED_CLIENTHELLO(self): 1188 raise self.TLS13_SENDING_CLIENTFLIGHT1() 1189 1190 @ATMT.state() 1191 def TLS13_SENDING_CLIENTFLIGHT1(self): 1192 pass 1193 1194 @ATMT.condition(TLS13_SENDING_CLIENTFLIGHT1) 1195 def tls13_should_send_ClientFlight1(self): 1196 self.flush_records() 1197 raise self.TLS13_SENT_CLIENTFLIGHT1() 1198 1199 @ATMT.state() 1200 def TLS13_SENT_CLIENTFLIGHT1(self): 1201 raise self.TLS13_WAITING_SERVERFLIGHT1() 1202 1203 @ATMT.state() 1204 def TLS13_WAITING_SERVERFLIGHT1(self): 1205 self.get_next_msg() 1206 raise self.TLS13_RECEIVED_SERVERFLIGHT1() 1207 1208 @ATMT.state() 1209 def TLS13_RECEIVED_SERVERFLIGHT1(self): 1210 pass 1211 1212 @ATMT.condition(TLS13_RECEIVED_SERVERFLIGHT1, prio=1) 1213 def tls13_should_handle_ServerHello(self): 1214 """ 1215 XXX We should check the ServerHello attributes for discrepancies with 1216 our own ClientHello. 1217 """ 1218 self.raise_on_packet(TLS13ServerHello, 1219 self.TLS13_HANDLED_SERVERHELLO) 1220 1221 @ATMT.condition(TLS13_RECEIVED_SERVERFLIGHT1, prio=2) 1222 def tls13_should_handle_HelloRetryRequest(self): 1223 """ 1224 XXX We should check the ServerHello attributes for discrepancies with 1225 our own ClientHello. 1226 """ 1227 self.raise_on_packet(TLS13HelloRetryRequest, 1228 self.TLS13_HELLO_RETRY_REQUESTED) 1229 1230 @ATMT.condition(TLS13_RECEIVED_SERVERFLIGHT1, prio=3) 1231 def tls13_should_handle_AlertMessage_(self): 1232 self.raise_on_packet(TLSAlert, 1233 self.TLS13_HANDLED_ALERT_FROM_SERVERFLIGHT1) 1234 1235 @ATMT.condition(TLS13_RECEIVED_SERVERFLIGHT1, prio=4) 1236 def tls13_should_handle_ChangeCipherSpec_after_tls13_retry(self): 1237 # Middlebox compatibility mode after a HelloRetryRequest. 1238 if self.cur_session.tls13_retry: 1239 self.raise_on_packet(TLSChangeCipherSpec, 1240 self.TLS13_RECEIVED_SERVERFLIGHT1) 1241 1242 @ATMT.state() 1243 def TLS13_HANDLED_ALERT_FROM_SERVERFLIGHT1(self): 1244 self.vprint("Received Alert message !") 1245 self.vprint(self.cur_pkt.mysummary()) 1246 raise self.CLOSE_NOTIFY() 1247 1248 @ATMT.condition(TLS13_RECEIVED_SERVERFLIGHT1, prio=5) 1249 def tls13_missing_ServerHello(self): 1250 raise self.MISSING_SERVERHELLO() 1251 1252 @ATMT.state() 1253 def TLS13_HELLO_RETRY_REQUESTED(self): 1254 pass 1255 1256 @ATMT.condition(TLS13_HELLO_RETRY_REQUESTED) 1257 def tls13_should_add_ClientHello_Retry(self): 1258 s = self.cur_session 1259 s.tls13_retry = True 1260 # We retrieve the group to be used and the selected version from the 1261 # previous message 1262 hrr = self.cur_pkt 1263 self.ciphersuite = hrr.cipher 1264 # "The server's extensions MUST contain supported_versions." 1265 self.advertised_tls_version = None 1266 if hrr.ext: 1267 for e in hrr.ext: 1268 if isinstance(e, TLS_Ext_KeyShare_HRR): 1269 self.curve = e.selected_group 1270 if isinstance(e, TLS_Ext_SupportedVersion_SH): 1271 self.advertised_tls_version = e.version 1272 1273 if _tls_named_groups[self.curve] not in self.supported_groups: 1274 self.vprint("No common groups found in TLS 1.3 Hello Retry Request!") 1275 raise self.CLOSE_NOTIFY() 1276 1277 if not self.advertised_tls_version: 1278 self.vprint("No supported_versions found in TLS 1.3 Hello Retry Request!") 1279 raise self.CLOSE_NOTIFY() 1280 1281 self.tls13_should_add_ClientHello() 1282 1283 @ATMT.state() 1284 def TLS13_HANDLED_SERVERHELLO(self): 1285 pass 1286 1287 @ATMT.condition(TLS13_HANDLED_SERVERHELLO, prio=1) 1288 def tls13_should_handle_encrytpedExtensions(self): 1289 self.raise_on_packet(TLSEncryptedExtensions, 1290 self.TLS13_HANDLED_ENCRYPTEDEXTENSIONS) 1291 1292 @ATMT.condition(TLS13_HANDLED_SERVERHELLO, prio=2) 1293 def tls13_should_handle_ChangeCipherSpec(self): 1294 self.raise_on_packet(TLSChangeCipherSpec, 1295 self.TLS13_HANDLED_CHANGE_CIPHER_SPEC) 1296 1297 @ATMT.state() 1298 def TLS13_HANDLED_CHANGE_CIPHER_SPEC(self): 1299 self.cur_session.middlebox_compatibility = True 1300 raise self.TLS13_HANDLED_SERVERHELLO() 1301 1302 @ATMT.condition(TLS13_HANDLED_SERVERHELLO, prio=3) 1303 def tls13_missing_encryptedExtension(self): 1304 self.vprint("Missing TLS 1.3 EncryptedExtensions message!") 1305 raise self.CLOSE_NOTIFY() 1306 1307 @ATMT.state() 1308 def TLS13_HANDLED_ENCRYPTEDEXTENSIONS(self): 1309 pass 1310 1311 @ATMT.condition(TLS13_HANDLED_ENCRYPTEDEXTENSIONS, prio=1) 1312 def tls13_should_handle_certificateRequest_from_encryptedExtensions(self): 1313 """ 1314 XXX We should check the CertificateRequest attributes for discrepancies 1315 with the cipher suite, etc. 1316 """ 1317 self.raise_on_packet(TLS13CertificateRequest, 1318 self.TLS13_HANDLED_CERTIFICATEREQUEST) 1319 1320 @ATMT.condition(TLS13_HANDLED_ENCRYPTEDEXTENSIONS, prio=2) 1321 def tls13_should_handle_certificate_from_encryptedExtensions(self): 1322 self.tls13_should_handle_Certificate() 1323 1324 @ATMT.condition(TLS13_HANDLED_ENCRYPTEDEXTENSIONS, prio=3) 1325 def tls13_should_handle_finished_from_encryptedExtensions(self): 1326 if self.cur_session.tls13_psk_secret: 1327 self.raise_on_packet(TLSFinished, 1328 self.TLS13_HANDLED_FINISHED) 1329 1330 @ATMT.state() 1331 def TLS13_HANDLED_CERTIFICATEREQUEST(self): 1332 pass 1333 1334 @ATMT.condition(TLS13_HANDLED_CERTIFICATEREQUEST, prio=1) 1335 def tls13_should_handle_Certificate_from_CertificateRequest(self): 1336 return self.tls13_should_handle_Certificate() 1337 1338 def tls13_should_handle_Certificate(self): 1339 self.raise_on_packet(TLS13Certificate, 1340 self.TLS13_HANDLED_CERTIFICATE) 1341 1342 @ATMT.state() 1343 def TLS13_HANDLED_CERTIFICATE(self): 1344 pass 1345 1346 @ATMT.condition(TLS13_HANDLED_CERTIFICATE, prio=1) 1347 def tls13_should_handle_CertificateVerify(self): 1348 self.raise_on_packet(TLSCertificateVerify, 1349 self.TLS13_HANDLED_CERTIFICATE_VERIFY) 1350 1351 @ATMT.condition(TLS13_HANDLED_CERTIFICATE, prio=2) 1352 def tls13_missing_CertificateVerify(self): 1353 self.vprint("Missing TLS 1.3 CertificateVerify message!") 1354 raise self.CLOSE_NOTIFY() 1355 1356 @ATMT.state() 1357 def TLS13_HANDLED_CERTIFICATE_VERIFY(self): 1358 pass 1359 1360 @ATMT.condition(TLS13_HANDLED_CERTIFICATE_VERIFY, prio=1) 1361 def tls13_should_handle_finished(self): 1362 self.raise_on_packet(TLSFinished, 1363 self.TLS13_HANDLED_FINISHED) 1364 1365 @ATMT.state() 1366 def TLS13_HANDLED_FINISHED(self): 1367 raise self.TLS13_PREPARE_CLIENTFLIGHT2() 1368 1369 @ATMT.state() 1370 def TLS13_PREPARE_CLIENTFLIGHT2(self): 1371 if self.cur_session.middlebox_compatibility: 1372 self.add_record(is_tls12=True) 1373 self.add_msg(TLSChangeCipherSpec()) 1374 self.add_record(is_tls13=True) 1375 1376 @ATMT.condition(TLS13_PREPARE_CLIENTFLIGHT2, prio=1) 1377 def tls13_should_add_ClientCertificate(self): 1378 """ 1379 If the server sent a CertificateRequest, we send a Certificate message. 1380 If no certificate is available, an empty Certificate message is sent: 1381 - this is a SHOULD in RFC 4346 (Section 7.4.6) 1382 - this is a MUST in RFC 5246 (Section 7.4.6) 1383 1384 XXX We may want to add a complete chain. 1385 """ 1386 if not (isinstance(self.cur_pkt, TLS13CertificateRequest) or 1387 self.in_handshake(TLS13CertificateRequest)): 1388 return 1389 1390 certs = [] 1391 if self.mycert: 1392 certs += _ASN1CertAndExt(cert=self.mycert) 1393 1394 self.add_msg( 1395 TLS13Certificate( 1396 certs=certs, 1397 cert_req_ctxt=self.cur_session.tls13_cert_req_ctxt, 1398 ) 1399 ) 1400 raise self.TLS13_ADDED_CLIENTCERTIFICATE() 1401 1402 @ATMT.state() 1403 def TLS13_ADDED_CLIENTCERTIFICATE(self): 1404 pass 1405 1406 @ATMT.condition(TLS13_ADDED_CLIENTCERTIFICATE, prio=0) 1407 def tls13_should_skip_ClientCertificateVerify(self): 1408 if not self.mycert: 1409 return self.tls13_should_add_ClientFinished() 1410 1411 @ATMT.condition(TLS13_ADDED_CLIENTCERTIFICATE, prio=1) 1412 def tls13_should_add_ClientCertificateVerify(self): 1413 """ 1414 XXX Section 7.4.7.1 of RFC 5246 states that the CertificateVerify 1415 message is only sent following a client certificate that has signing 1416 capability (i.e. not those containing fixed DH params). 1417 We should verify that before adding the message. We should also handle 1418 the case when the Certificate message was empty. 1419 """ 1420 self.add_msg(TLSCertificateVerify()) 1421 raise self.TLS13_ADDED_CERTIFICATEVERIFY() 1422 1423 @ATMT.state() 1424 def TLS13_ADDED_CERTIFICATEVERIFY(self): 1425 return self.tls13_should_add_ClientFinished() 1426 1427 @ATMT.condition(TLS13_PREPARE_CLIENTFLIGHT2, prio=2) 1428 def tls13_should_add_ClientFinished(self): 1429 self.add_msg(TLSFinished()) 1430 raise self.TLS13_ADDED_CLIENTFINISHED() 1431 1432 @ATMT.state() 1433 def TLS13_ADDED_CLIENTFINISHED(self): 1434 pass 1435 1436 @ATMT.condition(TLS13_ADDED_CLIENTFINISHED) 1437 def tls13_should_send_ClientFlight2(self): 1438 self.flush_records() 1439 raise self.TLS13_SENT_CLIENTFLIGHT2() 1440 1441 @ATMT.state() 1442 def TLS13_SENT_CLIENTFLIGHT2(self): 1443 if self.tls13_doing_client_postauth: 1444 self.tls13_doing_client_postauth = False 1445 self.vprint("TLS 1.3 post-handshake authentication sent!") 1446 raise self.WAIT_CLIENTDATA() 1447 self.vprint("TLS 1.3 handshake completed!") 1448 self.vprint_sessioninfo() 1449 self.vprint("You may send data or use 'quit'.") 1450 raise self.WAIT_CLIENTDATA() 1451 1452 @ATMT.state() 1453 def SOCKET_CLOSED(self): 1454 raise self.FINAL() 1455 1456 @ATMT.state(stop=True) 1457 def STOP(self): 1458 # Called on atmt.stop() 1459 if self.cur_session.advertised_tls_version in [0x0200, 0x0002]: 1460 raise self.SSLv2_CLOSE_NOTIFY() 1461 else: 1462 raise self.CLOSE_NOTIFY() 1463 1464 @ATMT.state(final=True) 1465 def FINAL(self): 1466 # We might call shutdown, but it may happen that the server 1467 # did not wait for us to shutdown after answering our data query. 1468 # self.socket.shutdown(1) 1469 self.vprint("Closing client socket...") 1470 self.socket.close() 1471 self.vprint("Ending TLS client automaton.") 1472