From 3d113a91628d65e1dab37e5b574c59c9b9bcecb7 Mon Sep 17 00:00:00 2001
From: mtury <maxence.tury@ssi.gouv.fr>
Date: Fri, 18 Aug 2017 03:25:59 +0200
Subject: [PATCH] Fix TLS constants names (#760)
---
scapy/layers/tls/cert.py | 14 ++++-----
scapy/layers/tls/crypto/cipher_aead.py | 4 +--
scapy/layers/tls/crypto/cipher_block.py | 12 ++++----
scapy/layers/tls/crypto/cipher_stream.py | 4 +--
scapy/layers/tls/crypto/ciphers.py | 14 ++++-----
scapy/layers/tls/crypto/h_mac.py | 26 ++++++++---------
scapy/layers/tls/crypto/hash.py | 4 +--
scapy/layers/tls/crypto/kx_algs.py | 4 +--
scapy/layers/tls/crypto/prf.py | 36 ++++++++++++------------
scapy/layers/tls/crypto/suites.py | 32 ++++++++++-----------
scapy/layers/tls/session.py | 8 ++++++
11 files changed, 83 insertions(+), 75 deletions(-)
diff --git a/scapy/layers/tls/cert.py b/scapy/layers/tls/cert.py
index 6228acd6..d2ad36be 100644
--- a/scapy/layers/tls/cert.py
+++ b/scapy/layers/tls/cert.py
@@ -53,9 +53,9 @@ from scapy.layers.tls.crypto.pkcs1 import (pkcs_os2ip, pkcs_i2osp, _get_hash,
# Maximum allowed size in bytes for a certificate file, to avoid
# loading huge file when importing a cert
-MAX_KEY_SIZE = 50*1024
-MAX_CERT_SIZE = 50*1024
-MAX_CRL_SIZE = 10*1024*1024 # some are that big
+_MAX_KEY_SIZE = 50*1024
+_MAX_CERT_SIZE = 50*1024
+_MAX_CRL_SIZE = 10*1024*1024 # some are that big
#####################################################################
@@ -200,7 +200,7 @@ class _PubKeyFactory(_PKIObjMaker):
# _an X509_SubjectPublicKeyInfo, as processed by openssl;
# _an RSAPublicKey;
# _an ECDSAPublicKey.
- obj = _PKIObjMaker.__call__(cls, key_path, MAX_KEY_SIZE)
+ obj = _PKIObjMaker.__call__(cls, key_path, _MAX_KEY_SIZE)
try:
spki = X509_SubjectPublicKeyInfo(obj.der)
pubkey = spki.subjectPublicKey
@@ -354,7 +354,7 @@ class _PrivKeyFactory(_PKIObjMaker):
obj.fill_and_store()
return obj
- obj = _PKIObjMaker.__call__(cls, key_path, MAX_KEY_SIZE)
+ obj = _PKIObjMaker.__call__(cls, key_path, _MAX_KEY_SIZE)
multiPEM = False
try:
privkey = RSAPrivateKey_OpenSSL(obj.der)
@@ -538,7 +538,7 @@ class _CertMaker(_PKIObjMaker):
"""
def __call__(cls, cert_path):
obj = _PKIObjMaker.__call__(cls, cert_path,
- MAX_CERT_SIZE, "CERTIFICATE")
+ _MAX_CERT_SIZE, "CERTIFICATE")
obj.__class__ = Cert
try:
cert = X509_Cert(obj.der)
@@ -733,7 +733,7 @@ class _CRLMaker(_PKIObjMaker):
but we reuse the model instead of creating redundant constructors.
"""
def __call__(cls, cert_path):
- obj = _PKIObjMaker.__call__(cls, cert_path, MAX_CRL_SIZE, "X509 CRL")
+ obj = _PKIObjMaker.__call__(cls, cert_path, _MAX_CRL_SIZE, "X509 CRL")
obj.__class__ = CRL
try:
crl = X509_CRL(obj.der)
diff --git a/scapy/layers/tls/crypto/cipher_aead.py b/scapy/layers/tls/crypto/cipher_aead.py
index 86dbe00c..50dd862a 100644
--- a/scapy/layers/tls/crypto/cipher_aead.py
+++ b/scapy/layers/tls/crypto/cipher_aead.py
@@ -30,7 +30,7 @@ if conf.crypto_valid_advanced:
ChaCha20Poly1305)
-tls_aead_cipher_algs = {}
+_tls_aead_cipher_algs = {}
class _AEADCipherMetaclass(type):
"""
@@ -43,7 +43,7 @@ class _AEADCipherMetaclass(type):
the_class = super(_AEADCipherMetaclass, cls).__new__(cls, ciph_name,
bases, dct)
if not ciph_name.startswith("_AEADCipher"):
- tls_aead_cipher_algs[ciph_name[7:]] = the_class
+ _tls_aead_cipher_algs[ciph_name[7:]] = the_class
return the_class
diff --git a/scapy/layers/tls/crypto/cipher_block.py b/scapy/layers/tls/crypto/cipher_block.py
index bf947b9f..33cc6448 100644
--- a/scapy/layers/tls/crypto/cipher_block.py
+++ b/scapy/layers/tls/crypto/cipher_block.py
@@ -22,7 +22,7 @@ if conf.crypto_valid:
GetCipherByName)
-tls_block_cipher_algs = {}
+_tls_block_cipher_algs = {}
class _BlockCipherMetaclass(type):
"""
@@ -35,7 +35,7 @@ class _BlockCipherMetaclass(type):
the_class = super(_BlockCipherMetaclass, cls).__new__(cls, ciph_name,
bases, dct)
if ciph_name != "_BlockCipher":
- tls_block_cipher_algs[ciph_name[7:]] = the_class
+ _tls_block_cipher_algs[ciph_name[7:]] = the_class
return the_class
@@ -167,10 +167,10 @@ if conf.crypto_valid:
key_len = 16
-sslv2_block_cipher_algs = {}
+_sslv2_block_cipher_algs = {}
if conf.crypto_valid:
- sslv2_block_cipher_algs.update({
+ _sslv2_block_cipher_algs.update({
"IDEA_128_CBC": Cipher_IDEA_CBC,
"DES_64_CBC": Cipher_DES_CBC,
"DES_192_EDE3_CBC": Cipher_3DES_EDE_CBC
@@ -216,8 +216,8 @@ if conf.crypto_valid:
Cipher_RC2_CBC.pc_cls_mode,
GetCipherByName(_gcbn_format))
- sslv2_block_cipher_algs["RC2_128_CBC"] = Cipher_RC2_CBC
+ _sslv2_block_cipher_algs["RC2_128_CBC"] = Cipher_RC2_CBC
-tls_block_cipher_algs.update(sslv2_block_cipher_algs)
+_tls_block_cipher_algs.update(_sslv2_block_cipher_algs)
diff --git a/scapy/layers/tls/crypto/cipher_stream.py b/scapy/layers/tls/crypto/cipher_stream.py
index cb49b89c..26d85d39 100644
--- a/scapy/layers/tls/crypto/cipher_stream.py
+++ b/scapy/layers/tls/crypto/cipher_stream.py
@@ -17,7 +17,7 @@ if conf.crypto_valid:
from cryptography.hazmat.backends import default_backend
-tls_stream_cipher_algs = {}
+_tls_stream_cipher_algs = {}
class _StreamCipherMetaclass(type):
"""
@@ -30,7 +30,7 @@ class _StreamCipherMetaclass(type):
the_class = super(_StreamCipherMetaclass, cls).__new__(cls, ciph_name,
bases, dct)
if ciph_name != "_StreamCipher":
- tls_stream_cipher_algs[ciph_name[7:]] = the_class
+ _tls_stream_cipher_algs[ciph_name[7:]] = the_class
return the_class
diff --git a/scapy/layers/tls/crypto/ciphers.py b/scapy/layers/tls/crypto/ciphers.py
index 331546e2..1e507883 100644
--- a/scapy/layers/tls/crypto/ciphers.py
+++ b/scapy/layers/tls/crypto/ciphers.py
@@ -17,12 +17,12 @@ class CipherError(Exception):
# We have to keep these imports below CipherError definition
# in order to avoid circular dependencies.
-from scapy.layers.tls.crypto.cipher_aead import tls_aead_cipher_algs
-from scapy.layers.tls.crypto.cipher_block import tls_block_cipher_algs
-from scapy.layers.tls.crypto.cipher_stream import tls_stream_cipher_algs
+from scapy.layers.tls.crypto.cipher_aead import _tls_aead_cipher_algs
+from scapy.layers.tls.crypto.cipher_block import _tls_block_cipher_algs
+from scapy.layers.tls.crypto.cipher_stream import _tls_stream_cipher_algs
-tls_cipher_algs = {}
-tls_cipher_algs.update(tls_block_cipher_algs)
-tls_cipher_algs.update(tls_stream_cipher_algs)
-tls_cipher_algs.update(tls_aead_cipher_algs)
+_tls_cipher_algs = {}
+_tls_cipher_algs.update(_tls_block_cipher_algs)
+_tls_cipher_algs.update(_tls_stream_cipher_algs)
+_tls_cipher_algs.update(_tls_aead_cipher_algs)
diff --git a/scapy/layers/tls/crypto/h_mac.py b/scapy/layers/tls/crypto/h_mac.py
index 4c3397dc..c9106062 100644
--- a/scapy/layers/tls/crypto/h_mac.py
+++ b/scapy/layers/tls/crypto/h_mac.py
@@ -10,16 +10,16 @@ HMAC classes.
from __future__ import absolute_import
import hmac
-from scapy.layers.tls.crypto.hash import tls_hash_algs
+from scapy.layers.tls.crypto.hash import _tls_hash_algs
import scapy.modules.six as six
-SSLv3_PAD1_MD5 = b"\x36"*48
-SSLv3_PAD1_SHA1 = b"\x36"*40
-SSLv3_PAD2_MD5 = b"\x5c"*48
-SSLv3_PAD2_SHA1 = b"\x5c"*40
+_SSLv3_PAD1_MD5 = b"\x36"*48
+_SSLv3_PAD1_SHA1 = b"\x36"*40
+_SSLv3_PAD2_MD5 = b"\x5c"*48
+_SSLv3_PAD2_SHA1 = b"\x5c"*40
-tls_hmac_algs = {}
+_tls_hmac_algs = {}
class _GenericHMACMetaclass(type):
"""
@@ -34,13 +34,13 @@ class _GenericHMACMetaclass(type):
hash_name = hmac_name[5:] # remove leading "Hmac_"
if hmac_name != "_GenericHMAC":
dct["name"] = "HMAC-%s" % hash_name
- dct["hash_alg"] = tls_hash_algs[hash_name]
- dct["hmac_len"] = tls_hash_algs[hash_name].hash_len
+ dct["hash_alg"] = _tls_hash_algs[hash_name]
+ dct["hmac_len"] = _tls_hash_algs[hash_name].hash_len
dct["key_len"] = dct["hmac_len"]
the_class = super(_GenericHMACMetaclass, cls).__new__(cls, hmac_name,
bases, dct)
if hmac_name != "_GenericHMAC":
- tls_hmac_algs[dct["name"]] = the_class
+ _tls_hmac_algs[dct["name"]] = the_class
return the_class
@@ -65,11 +65,11 @@ class _GenericHMAC(six.with_metaclass(_GenericHMACMetaclass, object)):
h = self.hash_alg()
if h.name == "SHA":
- pad1 = SSLv3_PAD1_SHA1
- pad2 = SSLv3_PAD2_SHA1
+ pad1 = _SSLv3_PAD1_SHA1
+ pad2 = _SSLv3_PAD2_SHA1
elif h.name == "MD5":
- pad1 = SSLv3_PAD1_MD5
- pad2 = SSLv3_PAD2_MD5
+ pad1 = _SSLv3_PAD1_MD5
+ pad2 = _SSLv3_PAD2_MD5
else:
raise HMACError("Provided hash does not work with SSLv3.")
diff --git a/scapy/layers/tls/crypto/hash.py b/scapy/layers/tls/crypto/hash.py
index da7b3633..a820e233 100644
--- a/scapy/layers/tls/crypto/hash.py
+++ b/scapy/layers/tls/crypto/hash.py
@@ -12,7 +12,7 @@ from hashlib import md5, sha1, sha224, sha256, sha384, sha512
import scapy.modules.six as six
-tls_hash_algs = {}
+_tls_hash_algs = {}
class _GenericHashMetaclass(type):
"""
@@ -25,7 +25,7 @@ class _GenericHashMetaclass(type):
the_class = super(_GenericHashMetaclass, cls).__new__(cls, hash_name,
bases, dct)
if hash_name != "_GenericHash":
- tls_hash_algs[hash_name[5:]] = the_class
+ _tls_hash_algs[hash_name[5:]] = the_class
return the_class
diff --git a/scapy/layers/tls/crypto/kx_algs.py b/scapy/layers/tls/crypto/kx_algs.py
index 7f6c3632..1faad7e2 100644
--- a/scapy/layers/tls/crypto/kx_algs.py
+++ b/scapy/layers/tls/crypto/kx_algs.py
@@ -19,7 +19,7 @@ from scapy.layers.tls.keyexchange import (ServerDHParams,
import scapy.modules.six as six
-tls_kx_algs = {}
+_tls_kx_algs = {}
class _GenericKXMetaclass(type):
"""
@@ -36,7 +36,7 @@ class _GenericKXMetaclass(type):
the_class.anonymous = "_anon" in kx_name
the_class.no_ske = not ("DHE" in kx_name or "_anon" in kx_name)
the_class.no_ske &= not the_class.export
- tls_kx_algs[kx_name[3:]] = the_class
+ _tls_kx_algs[kx_name[3:]] = the_class
return the_class
diff --git a/scapy/layers/tls/crypto/prf.py b/scapy/layers/tls/crypto/prf.py
index 03b7d9c1..afd76d0c 100644
--- a/scapy/layers/tls/crypto/prf.py
+++ b/scapy/layers/tls/crypto/prf.py
@@ -11,8 +11,8 @@ from __future__ import absolute_import
from scapy.error import warning
from scapy.utils import strxor
-from scapy.layers.tls.crypto.hash import tls_hash_algs
-from scapy.layers.tls.crypto.h_mac import tls_hmac_algs
+from scapy.layers.tls.crypto.hash import _tls_hash_algs
+from scapy.layers.tls.crypto.h_mac import _tls_hmac_algs
from scapy.modules.six.moves import range
@@ -50,25 +50,25 @@ def _tls_P_hash(secret, seed, req_len, hm):
def _tls_P_MD5(secret, seed, req_len):
- return _tls_P_hash(secret, seed, req_len, tls_hmac_algs["HMAC-MD5"])
+ return _tls_P_hash(secret, seed, req_len, _tls_hmac_algs["HMAC-MD5"])
def _tls_P_SHA1(secret, seed, req_len):
- return _tls_P_hash(secret, seed, req_len, tls_hmac_algs["HMAC-SHA"])
+ return _tls_P_hash(secret, seed, req_len, _tls_hmac_algs["HMAC-SHA"])
def _tls_P_SHA256(secret, seed, req_len):
- return _tls_P_hash(secret, seed, req_len, tls_hmac_algs["HMAC-SHA256"])
+ return _tls_P_hash(secret, seed, req_len, _tls_hmac_algs["HMAC-SHA256"])
def _tls_P_SHA384(secret, seed, req_len):
- return _tls_P_hash(secret, seed, req_len, tls_hmac_algs["HMAC-SHA384"])
+ return _tls_P_hash(secret, seed, req_len, _tls_hmac_algs["HMAC-SHA384"])
def _tls_P_SHA512(secret, seed, req_len):
- return _tls_P_hash(secret, seed, req_len, tls_hmac_algs["HMAC-SHA512"])
+ return _tls_P_hash(secret, seed, req_len, _tls_hmac_algs["HMAC-SHA512"])
### PRF functions, according to the protocol version
def _sslv2_PRF(secret, seed, req_len):
- hash_md5 = tls_hash_algs["MD5"]()
+ hash_md5 = _tls_hash_algs["MD5"]()
rounds = (req_len + hash_md5.hash_len - 1) / hash_md5.hash_len
res = ""
@@ -101,8 +101,8 @@ def _ssl_PRF(secret, seed, req_len):
d = ["A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M",
"N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z"]
res = ""
- hash_sha1 = tls_hash_algs["SHA"]()
- hash_md5 = tls_hash_algs["MD5"]()
+ hash_sha1 = _tls_hash_algs["SHA"]()
+ hash_md5 = _tls_hash_algs["MD5"]()
rounds = (req_len + hash_md5.hash_len - 1) / hash_md5.hash_len
for i in range(rounds):
@@ -247,8 +247,8 @@ class PRF(object):
sslv3_sha1_pad1 = b"\x36"*40
sslv3_sha1_pad2 = b"\x5c"*40
- md5 = tls_hash_algs["MD5"]()
- sha1 = tls_hash_algs["SHA"]()
+ md5 = _tls_hash_algs["MD5"]()
+ sha1 = _tls_hash_algs["SHA"]()
md5_hash = md5.digest(master_secret + sslv3_md5_pad2 +
md5.digest(handshake_msg + label +
@@ -267,14 +267,14 @@ class PRF(object):
label = d[con_end] + " finished"
if self.tls_version <= 0x0302:
- s1 = tls_hash_algs["MD5"]().digest(handshake_msg)
- s2 = tls_hash_algs["SHA"]().digest(handshake_msg)
+ s1 = _tls_hash_algs["MD5"]().digest(handshake_msg)
+ s2 = _tls_hash_algs["SHA"]().digest(handshake_msg)
verify_data = self.prf(master_secret, label, s1 + s2, 12)
else:
if self.hash_name in ["MD5", "SHA"]:
- h = tls_hash_algs["SHA256"]()
+ h = _tls_hash_algs["SHA256"]()
else:
- h = tls_hash_algs[self.hash_name]()
+ h = _tls_hash_algs[self.hash_name]()
s = h.digest(handshake_msg)
verify_data = self.prf(master_secret, label, s, 12)
@@ -297,7 +297,7 @@ class PRF(object):
tbh = key + client_random + server_random
else:
tbh = key + server_random + client_random
- export_key = tls_hash_algs["MD5"]().digest(tbh)[:req_len]
+ export_key = _tls_hash_algs["MD5"]().digest(tbh)[:req_len]
else:
if s:
tag = "client write key"
@@ -326,7 +326,7 @@ class PRF(object):
tbh = client_random + server_random
else:
tbh = server_random + client_random
- iv = tls_hash_algs["MD5"]().digest(tbh)[:req_len]
+ iv = _tls_hash_algs["MD5"]().digest(tbh)[:req_len]
else:
iv_block = self.prf("",
"IV block",
diff --git a/scapy/layers/tls/crypto/suites.py b/scapy/layers/tls/crypto/suites.py
index c2cd40ee..cd3417ca 100644
--- a/scapy/layers/tls/crypto/suites.py
+++ b/scapy/layers/tls/crypto/suites.py
@@ -11,10 +11,10 @@ https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
"""
from __future__ import absolute_import
-from scapy.layers.tls.crypto.kx_algs import tls_kx_algs
-from scapy.layers.tls.crypto.hash import tls_hash_algs
-from scapy.layers.tls.crypto.h_mac import tls_hmac_algs
-from scapy.layers.tls.crypto.ciphers import tls_cipher_algs
+from scapy.layers.tls.crypto.kx_algs import _tls_kx_algs
+from scapy.layers.tls.crypto.hash import _tls_hash_algs
+from scapy.layers.tls.crypto.h_mac import _tls_hmac_algs
+from scapy.layers.tls.crypto.ciphers import _tls_cipher_algs
import scapy.modules.six as six
@@ -29,40 +29,40 @@ def get_algs_from_ciphersuite_name(ciphersuite_name):
if s.endswith("CCM") or s.endswith("CCM_8"):
kx_name, s = s.split("_WITH_")
- kx_alg = tls_kx_algs.get(kx_name)
- hash_alg = tls_hash_algs.get("SHA256")
- cipher_alg = tls_cipher_algs.get(s)
+ kx_alg = _tls_kx_algs.get(kx_name)
+ hash_alg = _tls_hash_algs.get("SHA256")
+ cipher_alg = _tls_cipher_algs.get(s)
hmac_alg = None
else:
if "WITH" in s:
kx_name, s = s.split("_WITH_")
- kx_alg = tls_kx_algs.get(kx_name)
+ kx_alg = _tls_kx_algs.get(kx_name)
else:
tls1_3 = True
- kx_alg = tls_kx_algs.get("TLS13")
+ kx_alg = _tls_kx_algs.get("TLS13")
hash_name = s.split('_')[-1]
- hash_alg = tls_hash_algs.get(hash_name)
+ hash_alg = _tls_hash_algs.get(hash_name)
cipher_name = s[:-(len(hash_name) + 1)]
if tls1_3:
cipher_name += "_TLS13"
- cipher_alg = tls_cipher_algs.get(cipher_name)
+ cipher_alg = _tls_cipher_algs.get(cipher_name)
hmac_alg = None
if cipher_alg is not None and cipher_alg.type != "aead":
hmac_name = "HMAC-%s" % hash_name
- hmac_alg = tls_hmac_algs.get(hmac_name)
+ hmac_alg = _tls_hmac_algs.get(hmac_name)
elif ciphersuite_name.startswith("SSL"):
s = ciphersuite_name[7:]
- kx_alg = tls_kx_algs.get("SSLv2")
+ kx_alg = _tls_kx_algs.get("SSLv2")
cipher_name, hash_name = s.split("_WITH_")
- cipher_alg = tls_cipher_algs.get(cipher_name.rstrip("_EXPORT40"))
+ cipher_alg = _tls_cipher_algs.get(cipher_name.rstrip("_EXPORT40"))
kx_alg.export = cipher_name.endswith("_EXPORT40")
- hmac_alg = tls_hmac_algs.get("HMAC-NULL")
- hash_alg = tls_hash_algs.get(hash_name)
+ hmac_alg = _tls_hmac_algs.get("HMAC-NULL")
+ hash_alg = _tls_hash_algs.get(hash_name)
return kx_alg, cipher_alg, hmac_alg, hash_alg, tls1_3
diff --git a/scapy/layers/tls/session.py b/scapy/layers/tls/session.py
index 0dda8aa3..826c21e6 100644
--- a/scapy/layers/tls/session.py
+++ b/scapy/layers/tls/session.py
@@ -826,6 +826,14 @@ class _GenericTLSSessionInheritance(Packet):
_internal=_internal, _underlayer=_underlayer,
**fields)
+ def __getattr__(self, attr):
+ """
+ The tls_session should be found only through the normal mechanism.
+ """
+ if attr == "tls_session":
+ return None
+ return super(_GenericTLSSessionInheritance, self).__getattr__(attr)
+
def tls_session_update(self, msg_str):
"""
post_{build, dissection}_tls_session_update() are used to update the
--
GitLab