Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/scapy/layers/tls/__init__.py: 86%


# SPDX-License-Identifier: GPL-2.0-only
# This file is part of Scapy
# See https://scapy.net/ for more information
# Copyright (C) 2007, 2008, 2009 Arnaud Ebalard <arno@natisbad.com>
#               2015, 2016, 2017 Maxence Tury <maxence.tury@ssi.gouv.fr>
#               2019 Romain Perez

"""
Tools for handling TLS sessions and digital certificates.
Use load_layer('tls') to load them into the main namespace.

Prerequisites:

 - You may need to 'pip install cryptography' for the module to be loaded.


Main features:

 - X.509 certificates parsing/building.

 - RSA & ECDSA keys sign/verify methods.

 - TLS records and sublayers (handshake...) parsing/building. Works with
   versions SSLv2 to TLS 1.3. This may be enhanced by a TLS context. For
   instance, if Scapy reads a ServerHello with version TLS 1.2 and a cipher
   suite using AES, it will assume the presence of IVs prepending the data.
   See test/tls.uts for real examples.

 - TLS encryption/decryption capabilities with many ciphersuites, including
   some which may be deemed dangerous. Once again, the TLS context enables
   Scapy to transparently send/receive protected data if it learnt the
   session secrets. Note that if Scapy acts as one side of the handshake
   (e.g. reads all server-related packets and builds all client-related
   packets), it will indeed compute the session secrets.

 - TLS client & server basic automatons, provided for testing and tweaking
   purposes. These make for a very primitive TLS stack.

 - Additionally, a basic test PKI (key + certificate for a CA, a client and
   a server) is provided in tls/examples/pki_test.


Unit tests:

 - Various cryptography checks.

 - Reading a TLS handshake between a Firefox client and a GitHub server.

 - Reading TLS 1.3 handshakes from the test vectors of RFC 8448.

 - Reading an SSLv2 handshake between s_client and s_server, without PFS.

 - Test our TLS server against s_client with different cipher suites.

 - Test our TLS client against our TLS server (s_server is unscriptable).

 - Test our TLS client against Python's SSL socket wrapper (for TLS 1.3).


TODO list (may it be carved away by good souls):

 - Features to add (or wait for) in the cryptography library:

   - the compressed EC point format.

 - About the automatons:

   - Allow upgrade from TLS 1.2 to TLS 1.3 in the Automaton client.
     Currently we'll use TLS 1.3 only if the automaton client was given
     version="tls13".

   - Add various checks for discrepancies between client and server.
     Is the ServerHello ciphersuite ok? What about the SKE params? Etc.

   - Add some examples which illustrate how the automatons could be used.
     Typically, we could showcase this with Heartbleed.

   - Allow the server to store both one RSA key and one ECDSA key, and
     select the right one to use according to the ClientHello suites.


 - Miscellaneous:

   - Define several Certificate Transparency objects.

   - Mostly unused features: DSS, fixed DH, SRP, char2 curves...
"""

from scapy.config import conf

# The TLS layer depends on python-cryptography; without it, only the
# non-crypto parsing/building features remain available.
if not conf.crypto_valid:
    import logging
    log_loading = logging.getLogger("scapy.loading")
    log_loading.info("Can't import python-cryptography v1.7+. "
                     "Disabled PKI & TLS crypto-related features.")