tlsfuzzer.helpers module
Helper functions for test scripts.
- class tlsfuzzer.helpers.AutoEmptyExtension[source]
Bases: object
Identifier used to tell ClientHelloGenerator to create empty extension.
- tlsfuzzer.helpers.ECDSA_SIG_ALL = [(6, 3), (5, 3), (4, 3), (3, 3), (2, 3)]
List of all ECDSA signature algorithms supported by tlsfuzzer, as used in signature_algorithms or signature_algorithms_cert extensions.
- tlsfuzzer.helpers.ECDSA_SIG_TLS1_3_ALL = [(6, 3), (5, 3), (4, 3)]
List of all ECDSA signature algorithms that can be used in TLS 1.3. Subset of ECDSA_SIG_ALL.
- tlsfuzzer.helpers.EDDSA_SIG_ALL = [(8, 8), (8, 7)]
List of all EdDSA signature algorithms that can be used in TLS 1.2 and later.
- tlsfuzzer.helpers.RSA_PKCS1_ALL = [(6, 1), (5, 1), (4, 1), (3, 1), (2, 1), (1, 1)]
List of all signature algorithms that use PKCS#1 v1.5 padding.
- tlsfuzzer.helpers.RSA_PSS_PSS_ALL = [(8, 11), (8, 10), (8, 9)]
List of all signature algorithms that use RSA-PSS padding and have been made with an RSA-PSS key.
- tlsfuzzer.helpers.RSA_PSS_RSAE_ALL = [(8, 6), (8, 5), (8, 4)]
List of all signature algorithms that use RSA-PSS padding and have been made with an rsaEncryption (PKCS#1) key.
- tlsfuzzer.helpers.RSA_SIG_ALL = [(6, 1), (5, 1), (4, 1), (3, 1), (2, 1), (1, 1), (8, 4), (8, 5), (8, 6), (8, 9), (8, 10), (8, 11)]
List of all RSA signature algorithms supported by tlsfuzzer, as used in signature_algorithms or signature_algorithms_cert extensions.
- tlsfuzzer.helpers.SIG_ALL = [(8, 11), (8, 10), (8, 9), (8, 6), (8, 5), (8, 4), (6, 1), (5, 1), (4, 1), (3, 1), (2, 1), (1, 1), (6, 3), (5, 3), (4, 3), (3, 3), (2, 3), (8, 8), (8, 7), (6, 2), (5, 2), (4, 2), (3, 2), (2, 2), (1, 2)]
List of all signature algorithms supported by tlsfuzzer, as used in signature_algorithms or signature_algorithms_cert extension. For now includes only RSA, ECDSA and EdDSA algorithms; DSA algorithms will be included later on.
Sorted in order of strongest to weakest hash.
- tlsfuzzer.helpers.client_cert_types_to_ids(names)[source]
Convert a string with client certificate method names to list of IDs.
- Parameters:
names (str) – whitespace separated list of names of client certificate types (used in CertificateRequest message in TLS 1.2 and earlier). Identifiers can be names (e.g. rsa_sign), or integers (e.g. 1 instead of rsa_sign).
- Raises:
AttributeError – when the specified identifier is not defined in ClientCertificateType
- Return type:
- tlsfuzzer.helpers.flexible_getattr(val, val_type)[source]
Convert a string of number, name, or None to object.
If the val is a number, return a number; when it’s a string like none, return the None object. When it’s a string representing one of the fields in the provided type, return that value.
Generator of key_share extension.
Generator that can be used to delay the generation of key shares for TLS 1.3 ClientHello.
- Parameters:
groups (list) – TLS numerical IDs from GroupName identifying groups that should be present in the extension or ready to use KeyShareEntries.
- Return type:
callable
Create a random key share for a group of a given id.
- tlsfuzzer.helpers.psk_ext_gen(psk_settings)[source]
Create a PreSharedKeyExtension from given settings.
Takes a list of 2 or 3-element tuples, where the first element is an identity name, the second is the shared secret and the third is the name of the associated hash (sha256 or sha384, with sha256 being the default). The names and shared secrets need to be bytes-like objects.
- Parameters:
psk_settings (list) – list of tuples
- Returns:
extension
- tlsfuzzer.helpers.psk_ext_updater(psk_settings=())[source]
Uses the provided settings to update the PSK binders in CH PSK extension.
Generator that can be used to generate the callback for the ClientHelloGenerator.modifiers setting.
See psk_ext_gen() for a specification of psk_settings.
This updater requires that the PSK extension be the last one in ClientHello.
Please note that if the ClientHello is subsequently modified (either by modifiers placed after this one or generic message fuzzers) after this updater was run, the binders it has created will likely become invalid. This is because the binders sign (using an HMAC) the whole ClientHello message, including the handshake protocol header (the one byte handshake type and the 3-byte length), but excluding other binders.
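The binder computation described above, written out from RFC 8446 as an added example; it is not tlsfuzzer's own code, and the function names, the PSK and the ClientHello bytes are constructed for illustration. It shows that any later change to the header or body covered by the HMAC invalidates a binder that was already computed.

```python
import hashlib
import hmac
import struct


def hkdf_expand_label(secret, label, context, length, h):
    """HKDF-Expand-Label from RFC 8446 section 7.1."""
    full = b"tls13 " + label
    info = (struct.pack(">H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), h).digest()
        out += block
        counter += 1
    return out[:length]


def psk_binder(psk, truncated_ch, h="sha256", external=True):
    """Binder over a ClientHello cut off just before the binders list."""
    hash_len = hashlib.new(h).digest_size
    early_secret = hmac.new(b"\x00" * hash_len, psk, h).digest()  # HKDF-Extract
    label = b"ext binder" if external else b"res binder"
    binder_key = hkdf_expand_label(early_secret, label,
                                   hashlib.new(h).digest(), hash_len, h)
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", hash_len, h)
    # The HMAC input is the hash of header + body, without any binder bytes.
    return hmac.new(finished_key, hashlib.new(h, truncated_ch).digest(), h).digest()


def binder_still_valid(psk, truncated_ch, binder, h="sha256"):
    return hmac.compare_digest(psk_binder(psk, truncated_ch, h), binder)


# Constructed sample: handshake header (type 1 + 3-byte length) followed by
# placeholder bytes standing in for the ClientHello up to the binders list.
BODY = bytes(range(64))
BINDERS_LEN = 2 + 1 + 32  # list length + entry length + one SHA-256 binder
HEADER = b"\x01" + (len(BODY) + BINDERS_LEN).to_bytes(3, "big")
TRUNCATED = HEADER + BODY
PSK = b"constructed-demo-psk"
BINDER = psk_binder(PSK, TRUNCATED)
# A modifier that runs after the binder was computed and flips one body bit.
FUZZED = TRUNCATED[:10] + bytes([TRUNCATED[10] ^ 1]) + TRUNCATED[11:]
print(binder_still_valid(PSK, TRUNCATED, BINDER),
      binder_still_valid(PSK, FUZZED, BINDER))
```
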
- tlsfuzzer.helpers.psk_session_ext_gen(psk_settings=None)[source]
Generator that uses last New Session Ticket to create PSK extension.
Can optionally take a list of tuples that define static PSKs that will be added after the NST PSK. See psk_ext_gen() for description of their format.
- Parameters:
psk_settings (list) – list of tuples
- Returns:
extension generator
- tlsfuzzer.helpers.session_ticket_ext_gen(which=-1)[source]
Create a session_ticket extension based on ticket from server.
Session needs to have processed tickets with ExpectNewSessionTicket nodes before. By default the last ticket will be used.
- Parameters:
which (int) – the subscript to use for selecting the ticket in session: -1 for last, 0 for first, 1 for second, etc.
- Returns:
extension generator
- tlsfuzzer.helpers.sig_algs_to_ids(names)[source]
Convert a string with signature algorithm names to list of IDs.
- Parameters:
names (str) – whitespace separated list of signature algorithm names. Names can be specified as the legacy (TLS 1.2) hash algorithm and signature algorithm pairs (e.g. sha256+rsa), as a pair of numbers (e.g. 4+1) or as the new TLS 1.3 signature scheme (e.g. rsa_pkcs1_sha256). Full parameter string then can look like: sha256+rsa 5+rsa rsa_pss_pss_sha256.
- Raises:
AttributeError – when the specified identifier is not defined in HashAlgorithm, SignatureAlgorithm or SignatureScheme
- Returns:
list of tuples
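How the three accepted spellings map to (hash, signature) tuples, as an added stand-alone sketch; it is not tlsfuzzer's implementation, parse_sig_algs and _lookup are hypothetical names, and the tables cover only a subset of the registered TLS code points.

```python
# TLS 1.2 HashAlgorithm and SignatureAlgorithm code points.
HASH_IDS = {"md5": 1, "sha1": 2, "sha224": 3,
            "sha256": 4, "sha384": 5, "sha512": 6}
SIG_IDS = {"rsa": 1, "dsa": 2, "ecdsa": 3}
# Subset of the 16-bit TLS 1.3 SignatureScheme code points.
SCHEME_IDS = {
    "rsa_pkcs1_sha256": 0x0401, "ecdsa_secp256r1_sha256": 0x0403,
    "rsa_pss_rsae_sha256": 0x0804, "rsa_pss_pss_sha256": 0x0809,
    "ed25519": 0x0807, "ed448": 0x0808,
}


def _lookup(token, table):
    """Accept either a decimal number or a name defined in the table."""
    if token.isdigit():
        return int(token)
    try:
        return table[token]
    except KeyError:
        raise AttributeError("unknown identifier: " + token) from None


def parse_sig_algs(names):
    """Turn a whitespace separated string into a list of 2-element tuples."""
    ids = []
    for name in names.split():
        if "+" in name:
            # Legacy form: hash and signature given separately.
            hash_part, sig_part = name.split("+", 1)
            ids.append((_lookup(hash_part, HASH_IDS),
                        _lookup(sig_part, SIG_IDS)))
        else:
            # TLS 1.3 scheme: one 16-bit value, split into its two bytes.
            code = _lookup(name, SCHEME_IDS)
            ids.append((code >> 8, code & 0xFF))
    return ids


print(parse_sig_algs("sha256+rsa 5+rsa rsa_pss_pss_sha256"))
```
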