Continuing work and integration

cboling · cboling · commit 3d15f05da8d6 · 2023-09-24T09:33:30.000-05:00
- Focus on Certificate and Server Key Exchange
diff --git a/Makefile b/Makefile
@@ -138,8 +138,8 @@ dist:										## Create source distribution of the python package
 	python setup.py sdist
 
 upload: clean lint test  dist	## Upload test version of python package to test.pypi.org
-	$(Q) echo "Uploading sdist to test.pypi.org"
-	twine upload --repository-url https://test.pypi.org/legacy/ dist/*
+	$(Q) echo "Uploading sdist to legacy.pypi.org"
+	${PYTHON} -m twine upload --repository tls-packet dist/*
 
 ######################################################################
 ## Utility
diff --git a/tls_packet/auth/eap_tls.py b/tls_packet/auth/eap_tls.py
@@ -51,22 +51,31 @@ def tls_length(self) -> int:
         return self._tls_length
 
     @property
-    def tls_data(self) -> int:
+    def tls_data(self) -> bytes:
         return self._tls_data
 
+    @property
     def length_flag(self) -> bool:
         return self._flags & self.LENGTH_FLAG_MASK == self.LENGTH_FLAG_MASK
 
+    @property
     def more_flag(self) -> bool:
         return self._flags & self.MORE_FLAG_MASK == self.MORE_FLAG_MASK
 
+    @property
     def start_flag(self) -> bool:
         return self._flags & self.START_FLAG_MASK == self.START_FLAG_MASK
 
+    # Following four are for Scapy decode compatibility
+    L = length_flag
+    M = more_flag
+    S = start_flag
+    tls_message_len = tls_length
+
     def pack(self, **argv) -> bytes:
         buffer = struct.pack("!B", self._flags)
 
-        if self.length_flag():
+        if self.length_flag:
             print(f"flags and data:  {self._flags:02x}, len: {self._tls_length}", file=sys.stderr)
             buffer += struct.pack("!I", self._tls_length) + self._tls_data
 
diff --git a/tls_packet/auth/security_params.py b/tls_packet/auth/security_params.py
@@ -16,7 +16,9 @@
 
 import copy
 import os
+
 from enum import IntEnum
+from datetime import datetime
 from typing import Optional
 
 
@@ -97,7 +99,8 @@ def __init__(self,
                  client_random: Optional[bytes] = None,
                  server_random: Optional[bytes] = None):
 
-        client_random = client_random or os.urandom(32)
+        # Desired ones
+        client_random = client_random or int(datetime.now().timestamp()).to_bytes(4, 'big') + os.urandom(28)
 
         self.prf_algorithm = prf_algorithm
         self.bulk_cipher_algorithm = bulk_cipher_algorithm
@@ -114,6 +117,24 @@ def __init__(self,
         self.client_random = client_random
         self.server_random = server_random
 
+        # Ones from ssl book - TODO  Get rid of these
+        # self.active_cipher_suite: Union[CipherSuite, None] = None
+        # self.proposed_cipher_suite: Union[CipherSuite, None] = None
+        #
+        # self.master_key: bytes = b""
+        # self.connection_id: bytes = b""
+        # self.challenge: bytes = int(datetime.now().timestamp()).to_bytes(4, 'big') + os.urandom(28)
+        #
+        # self.server_public_key: RSAKey = RSAKey()
+        #
+        # self.write_sequence_number = 0
+        # self.read_sequence_number = 0
+        #
+        # self.read_key: bytes = b""
+        # self.write_key: bytes = b""
+        # self.read_iv: bytes = b""
+        # self.write_iv: bytes = b""
+
     def copy(self, **kwargs) -> 'SecurityParameters':
         """ Create a copy of the security parameters and optionally override any existing values """
         dup = copy.copy(self)
diff --git a/tls_packet/auth/tls_certificate.py b/tls_packet/auth/tls_certificate.py
@@ -15,6 +15,9 @@
 # -------------------------------------------------------------------------
 
 import struct
+import sys
+
+from cryptography.x509 import load_der_x509_certificate
 from typing import Union, Optional, List, Tuple, Iterable
 
 from tls_packet.auth.tls_handshake import TLSHandshake, TLSHandshakeType
@@ -158,6 +161,16 @@ def length(self) -> int:
     def certificate(self) -> bytes:
         return self._data
 
+    @property
+    def x509_certificate(self) -> 'Certificate':
+        try:
+            cert = load_der_x509_certificate(self._data)
+            return cert
+
+        except Exception as e:
+            print(f"Error loading X.509 certificate: {e}", file=sys.stderr)
+            return None
+
     @staticmethod
     def parse(frame: bytes) -> 'ASN_1_Cert':
         """ Frame to TLSSessionHello """
diff --git a/tls_packet/auth/tls_client.py b/tls_packet/auth/tls_client.py
@@ -54,13 +54,54 @@ def __init__(self, auth_socket,
         # Client random data is 32 bytes long
         client_random = random_data or int(datetime.now().timestamp()).to_bytes(4, 'big') + os.urandom(28)
 
-        self._security_parameters: SecurityParameters = SecurityParameters().copy(client_random=client_random)
+        # Keep separate send/receive parameters so we can handle various receive sequences from server
+
+        self._receive_security_parameters: SecurityParameters = SecurityParameters().copy(client_random=client_random)
+        self._send_security_parameters: SecurityParameters = SecurityParameters().copy(client_random=client_random)
+
+
+        # TLS breaks it up into pending and active  (Look at state machine and its transitions setting of this)
+        # it uses the following, so tie the values below into what we save here
+        #         self._k_send = ""
+        #         self._k_recv = ""
+        #
+        self._security_parameters = {
+            'active_tx':  SecurityParameters().copy(client_random=client_random),
+            'active_rx':  SecurityParameters().copy(client_random=client_random),
+            'pending_tx': SecurityParameters().copy(client_random=client_random),
+            'pending_rx': SecurityParameters().copy(client_random=client_random)
+        }
+        #  So when we get the server_hello, use the 'pending_send_parameters' to stuff values in and later on during
+        #  server_key_exchange download, use that pending value
+        #
+        #
+        # static void init_protection_parameters( ProtectionParameters *parameters )
+        # {
+        #   parameters->MAC_secret = NULL;
+        #   parameters->key = NULL;
+        #   parameters->IV = NULL;
+        #   parameters->seq_num = 0;
+        #   parameters->suite = TLS_NULL_WITH_NULL_NULL;
+        # }
+        # static void init_parameters( TLSParameters *parameters )
+        # {
+        #   init_protection_parameters( &parameters->pending_send_parameters );
+        #   init_protection_parameters( &parameters->pending_recv_parameters );
+        #   init_protection_parameters( &parameters->active_send_parameters );
+        #   init_protection_parameters( &parameters->active_recv_parameters );
+
+
+
+
         # self.server_random = None
         self.session_id = session_id
         self.ciphers = ciphers or get_cipher_suites_by_version(self.tls_version, excluded=("PSK",))
         self.extensions = extensions
         self.cipher_suite: CipherSuite = None
-        self.server_certificate = None
+
+        # Following are decode from server messages.  Any better place for them
+        self.server_certificates = None
+        self.server_public_key = b""
 
         # TODO: Next are copied over from the AUTH machine and may or may not be used
         #       so we need to investigate if they are used or are duplicated above
@@ -75,18 +116,14 @@ def __init__(self, auth_socket,
         self.tls_session = None
         self.eap_tls_state = None
 
-        self.eap_tls_server_data = b''  # Reassembly area for EAP-TLS
-        self.eap_tls_expected_len = 0
-        self.eap_tls_last_id = 256
-        self.eap_tls_client_data_len = 0
-        # self.eap_tls_client_data_max_len = 994        # TODO: support fragmentation....
+
         print("*** Not enforcing client EAP-TLS fragmentation yet")
         self.eap_tls_client_data_max_len = 16000
 
         self._debug = debug
         self.is_server_key_exchange = False
 
-        # Probably want these
+        # Probably want these - TODO Eventually calculate the hash on the fly if possible
         self._client_handshake_records_sent: List['TLSRecord'] = []
         self._server_handshake_records_received: List['TLSRecord'] = []
 
@@ -111,8 +148,12 @@ def __init__(self, auth_socket,
         self.state_machine: TLSClientStateMachine = TLSClientStateMachine(self)
 
     @property
-    def security_parameters(self) -> SecurityParameters:
-        return self._security_parameters
+    def rx_security_parameters(self) -> SecurityParameters:
+        return self._receive_security_parameters
+
+    @property
+    def tx_security_parameters(self) -> SecurityParameters:
+        return self._send_security_parameters
 
     @property
     def tls_version(self) -> TLS:
@@ -163,10 +204,12 @@ def handle_tls_data(self, eap_id: int, eap_tls: 'EAP_TLS', eap: 'EAP') -> None:
         print(f"*** Last EAP ID: {eap_id}, EAP-LAST-ID: {self.eap_tls_last_id}")
 
         if self.state_machine.state == TLSClientStateMachine.INITIAL:
+            print(f"TLSClient.handle_tls_data: Start: {eap_id}")
             self.state_machine.start(eap_id=eap_id)
 
         elif eap_id == self._eap_tls_last_sent_id and self._eap_tls_last_sent_data is not None:
             # Handle a retransmit
+            print(f"TLSClient.handle_tls_data: Rx retransmit: eap_id: {eap_id}")
             self.auth_socket.send_response(eap_id, self._eap_tls_last_sent_data)
 
         else:
@@ -203,7 +246,7 @@ def handle_tls_data(self, eap_id: int, eap_tls: 'EAP_TLS', eap: 'EAP') -> None:
                 self.save_server_record(packet)
                 self.state_machine.rx_packet(eap_id, packet)
 
-    def _rx_server_eap_tls(self, eap_id: int, eap_tls: 'EAP_TLS') -> Union[Packet, List[Packet], None]:
+    def _rx_server_eap_tls(self, eap_id: int, eap_tls: Union['EAP_TLS', 'EapTls']) -> Union[Packet, List[Packet], None]:
         """
         Handle server data
 
@@ -259,7 +302,7 @@ def _rx_server_eap_tls(self, eap_id: int, eap_tls: 'EAP_TLS') -> Union[Packet, L
 
                 try:
                     print(f"Reassembled packet: {self.eap_tls_server_data.hex()}")
-                    record_list = TLSRecord.parse(self.eap_tls_server_data, self.security_parameters)
+                    record_list = TLSRecord.parse(self.eap_tls_server_data, self.rx_security_parameters)
 
                 except Exception as _e:
                     record_list = None
diff --git a/tls_packet/auth/tls_server_hello.py b/tls_packet/auth/tls_server_hello.py
@@ -17,6 +17,7 @@
 import os
 import struct
 from typing import Union, Optional, Iterable
+import sys
 
 from tls_packet.auth.cipher_suites import CipherSuite
 from tls_packet.auth.security_params import TLSCompressionMethod
@@ -89,26 +90,49 @@ def __init__(self, session,
 
         # Error checks
         self.version = version or (int(session.tls_version) if session is not None else int(TLSv1_2()))
-        self.random_bytes = random_data or os.urandom(32)
-        self.session_id = session_id
-        self.cipher = cipher
-        self.compression = compression
+        self._random_bytes = random_data or os.urandom(32)
+        self._session_id = session_id
+        self._cipher = cipher
+        self._compression = TLSCompressionMethod(compression)
         self.extensions = extensions or []
 
+        # TODO: In other client, it created cipher suite with
+        # self.cipher_suite = CipherSuite.get_from_id(self.tls_version, self.client_random, self.server_random,
+        #                                             self.server_certificate, server_cipher_suite)
+        # And used it supported the parse_key_exchange method
+
         # Error checks
         if self.version == int(TLSv1_3()):
             raise NotImplementedError("TLSServerHello: TLSv1.3 not yet supported")
 
-        if len(self.random_bytes) != 32:
+        if len(self._random_bytes) != 32:
             raise ValueError(f"TLSServerHello: Random must be exactly 32 bytes, received {len(self.random_bytes)}")
 
-        if self.session_id > 32 or session_id < 0:
-            raise ValueError(f"TLSServerHello: SessionID is an opaque value: 0..32, found, {self.session_id}")
+        if self._session_id > 32 or session_id < 0:
+            raise ValueError(f"TLSServerHello: SessionID is an opaque value: 0..32, found, {self._session_id}")
 
         # Unsupported at this time
         if extensions and not isinstance(extensions, PacketPayload):  # TODO: not yet supported
             raise NotImplementedError("Unsupported parameter")
 
+    @property
+    def cipher_suite(self) -> CipherSuite:
+        """ Cipher Suite selected by the server """
+        return self._cipher
+
+    @property
+    def compression_method(self) -> TLSCompressionMethod:
+        """ Compression method used """
+        return self._compression
+
+    @property
+    def session_id(self) -> int:
+        return self._session_id
+
+    @property
+    def random_bytes(self) -> bytes:
+        return self._random_bytes
+
     @staticmethod
     def parse(frame: bytes, *args, max_depth: Optional[int] = PARSE_ALL, **kwargs) -> Union[TLSHandshake, None]:
         """ Frame to TLSSessionHello """
@@ -135,7 +159,7 @@ def parse(frame: bytes, *args, max_depth: Optional[int] = PARSE_ALL, **kwargs) -
         compression = TLSCompressionMethod(compression)
 
         if extension_length:
-            print("TODO: Pushing undecoded extensions into a payload object")
+            print("TODO: Pushing undecoded extensions into a payload object", file=sys.stderr)
             payload = PacketPayload(frame[offset:offset + extension_length])
         else:
             payload = None
diff --git a/tls_packet/auth/tls_server_key_exchange.py b/tls_packet/auth/tls_server_key_exchange.py
@@ -293,5 +293,20 @@ def parse(frame: bytes, *args, max_depth: Optional[int] = PARSE_ALL, **kwargs) -
 
         return TLSServerKeyExchange(curve_type, named_curve, pubkey, signature, *args, length=msg_len, original_frame=frame, **kwargs)
 
+        # TODO: In another client, they had the cipher suite parse this message
+
+        # TODO: In other client, it created cipher suite with
+        # self.cipher_suite = CipherSuite.get_from_id(self.tls_version, self.client_random, self.server_random,
+        #                                             self.server_certificate, server_cipher_suite)
+        # And used it supported the parse_key_exchange method
+        #
+        # if self.is_server_key_exchange:  # Server key exchange
+        #     self.cipher_suite.parse_key_exchange_params(next_bytes)
+        #
+        #  key_exchange below is  ECDH, DH, or RSA
+        #
+        # def parse_key_exchange_params(self, params_bytes):
+        #     self.key_exchange.parse_params(params_bytes)
+
     def pack(self, payload: Optional[Union[bytes, None]] = None) -> bytes:
         raise NotImplementedError("TODO: Not yet implemented since we are functioning as a client")
diff --git a/tls_packet/auth/tls_state_machine.py b/tls_packet/auth/tls_state_machine.py
diff --git a/tls_packet/packet.py b/tls_packet/packet.py
