Tls Dtls Config Module

class mtf.network_port.tls.tls_dtls_config.SecureSocketType

Enum representing types of secure socket protocols.

Attributes:

DTLSstr: Datagram Transport Layer Security (DTLS) protocol type, a variant of TLS used for datagram-based applications.
TLSstr: Transport Layer Security (TLS) protocol type, widely used for securing communication over a computer network.

DTLS

TLS

class mtf.network_port.tls.tls_dtls_config.ProtocolVersion

Enum representing different versions of SSL/TLS protocols.

Attributes:

SSL2tuple: Secure Sockets Layer version 2.0, an early and now deprecated version of SSL.
SSL3tuple: Secure Sockets Layer version 3.0, a more secure version than SSL2 but still deprecated.
TLS10tuple: Transport Layer Security version 1.0, the first version of TLS succeeding SSL3.
TLS11tuple: Transport Layer Security version 1.1, an improvement over TLS 1.0 with better security features.
TLS12tuple: Transport Layer Security version 1.2, widely used with advanced security features compared to previous versions.
TLS13tuple: Transport Layer Security version 1.3, the latest and most secure version of the TLS protocol.
DTLS10str: Datagram Transport Layer Security version 1.0, based on TLS 1.1 but designed for datagram-based communications.
DTLS12str: Datagram Transport Layer Security version 1.2, based on TLS 1.2, providing improved security for datagram protocols.

SSL2

SSL3

TLS10

TLS11

TLS12

TLS13

DTLS10

DTLS12

class mtf.network_port.tls.tls_dtls_config.MaxFragmentLength

Enum to represent MaxFragmentLength with corresponding Java enum values.

TWO_9

TWO_10

TWO_11

TWO_12

load_enum(): Dynamically loads and returns the corresponding Java enum value for the current MaxFragmentLength enum member.

class mtf.network_port.tls.tls_dtls_config.NamedGroup

Enum to represent NamedGroup with corresponding Java enum values.

Each NamedGroup enum member contains: - byte_value: A byte representation of the group. - group_name: The name of the group as a string. - group_size: The size of the group, if applicable.

This enum interacts with the de.rub.nds.tlsattacker.core.constants.NamedGroup Java enum via JPype and can dynamically load the Java enum value corresponding to the Python enum member.

SECT163K1

SECT163R1

SECT163R2

SECT193R1

SECT193R2

SECT233K1

SECT233R1

SECT239K1

SECT283K1

SECT283R1

SECT409K1

SECT409R1

SECT571K1

SECT571R1

SECP160K1

SECP160R1

SECP160R2

SECP192K1

SECP192R1

SECP224K1

SECP224R1

SECP256K1

SECP256R1

SECP384R1

SECP521R1

BRAINPOOLP256R1

BRAINPOOLP384R1

BRAINPOOLP512R1

ECDH_X25519

ECDH_X448

CURVE_SM2

FFDHE2048

FFDHE3072

FFDHE4096

FFDHE6144

FFDHE8192

EXPLICIT_PRIME

EXPLICIT_CHAR2

GREASE_00

GREASE_01

GREASE_02

GREASE_03

GREASE_04

GREASE_05

GREASE_06

GREASE_07

GREASE_08

GREASE_09

GREASE_10

GREASE_11

GREASE_12

GREASE_13

GREASE_14

GREASE_15

__init__(byte_value, group_name, group_size)

Initializes a NamedGroup enum member.

Parameters: - byte_value: Byte representation of the group. - group_name: String name of the group. - group_size: Size of the group (or None for GREASE values).

load_enum()

Dynamically loads and returns the corresponding Java enum value for the current NamedGroup enum member.

Uses JPype to load the Java class de.rub.nds.tlsattacker.core.constants.NamedGroup and returns the corresponding enum value based on the group_name.

Returns: - The corresponding Java NamedGroup enum value.

class mtf.network_port.tls.tls_dtls_config.TlsMessage

Enum representing various TLS message types used in the TLS handshake process.

Each enum member corresponds to a fully qualified Java class name that represents a specific type of TLS message. These message types can be dynamically loaded and processed using jpype in the TlsAttacker framework.

Enum Members:

HELLO_VERIFY_REQUESTstr: Represents the HelloVerifyRequestMessage used in DTLS handshakes to verify the client’s IP address.
PSK_SERVER_KEY_EXCHANGEstr: Represents the PskServerKeyExchangeMessage, which is used to exchange key material in PSK-based handshakes.
CHANGE_CIPHER_SPECstr: Represents the ChangeCipherSpecMessage, indicating that the sender is ready to begin using new cryptographic parameters.
CERTIFICATE_REQUESTstr: Represents the CertificateRequestMessage, sent by the server to request the client’s certificate.
SERVER_HELLO_DONEstr: Represents the ServerHelloDoneMessage, indicating the server has finished its part of the handshake.
SERVER_KEY_EXCHANGEstr: Represents the ServerKeyExchangeMessage, used to provide the server’s key-exchange parameters.
FINISHED_MESSAGEstr: Represents the FinishedMessage, indicating the completion of the handshake process.
ALERTstr: Represents the AlertMessage, used to signal errors or important notifications in the TLS session.
SERVER_HELLOstr: Represents the ServerHelloMessage, sent by the server to confirm selected handshake parameters.
CLIENT_HELLOstr: Represents the ClientHelloMessage, sent by the client to initiate the TLS handshake with proposed parameters.
PSK_CLIENT_KEY_EXCHANGEstr: Represents the PskClientKeyExchangeMessage, used to exchange key material in PSK-based handshakes.
CLIENT_KEY_EXCHANGEstr: Represents the ClientKeyExchangeMessage, used to securely exchange key material between the client and server.
CERTIFICATEstr: Represents the CertificateMessage, used to send the sender’s public key to the recipient for authentication.

HELLO_VERIFY_REQUEST

PSK_SERVER_KEY_EXCHANGE

CHANGE_CIPHER_SPEC

CERTIFICATE_REQUEST

SERVER_HELLO_DONE

SERVER_KEY_EXCHANGE

FINISHED_MESSAGE

ALERT

SERVER_HELLO

CLIENT_HELLO

PSK_CLIENT_KEY_EXCHANGE

CLIENT_KEY_EXCHANGE

CERTIFICATE

EncryptedExtensionsMessage

ApplicationMessage

ResetConnectionAction

RenegotiationAction

NewSessionTicketMessage

class mtf.network_port.tls.tls_dtls_config.TlsExtensionType

Enum representing the different types of TLS extensions.

TLS extensions are used in the TLS handshake to negotiate various parameters between the client and server. Each extension type corresponds to a specific functionality that can be negotiated or enabled during the handshake.

Attributes:: SERVER_NAME (int): Server Name Indication (SNI) extension, value 0. MAX_FRAGMENT_LENGTH (int): Maximum Fragment Length extension, value 1. CLIENT_CERTIFICATE_URL (int): Client Certificate URL extension, value 2. TRUSTED_CA_KEYS (int): Trusted CA Keys extension, value 3. TRUNCATED_HMAC (int): Truncated HMAC extension, value 4. STATUS_REQUEST (int): Certificate Status Request extension, value 5. USER_MAPPING (int): User Mapping extension, value 6. CLIENT_AUTHZ (int): Client Authorization extension, value 7. SERVER_AUTHZ (int): Server Authorization extension, value 8. CERT_TYPE (int): Certificate Type extension, value 9. SUPPORTED_GROUPS (int): Supported Elliptic Curves extension, value 10. EC_POINT_FORMATS (int): Supported EC Point Formats extension, value 11. SRP (int): Secure Remote Password (SRP) extension, value 12. SIGNATURE_ALGORITHMS (int): Signature Algorithms extension, value 13. USE_SRTP (int): Use SRTP extension, value 14. HEARTBEAT (int): Heartbeat extension, value 15. ALPN (int): Application-Layer Protocol Negotiation (ALPN) extension, value 16. STATUS_REQUEST_V2 (int): Status Request Version 2 extension, value 17. SIGNED_CERTIFICATE_TIMESTAMP (int): Signed Certificate Timestamp extension, value 18. CLIENT_CERT_TYPE (int): Client Certificate Type extension, value 19. SERVER_CERT_TYPE (int): Server Certificate Type extension, value 20. PADDING (int): Padding extension, value 21. ENCRYPT_THEN_MAC (int): Encrypt-Then-MAC extension, value 22. EXTENDED_MASTER_SECRET (int): Extended Master Secret extension, value 23. TOKEN_BINDING (int): Token Binding extension, value 24. CACHED_INFO (int): Cached Info extension, value 25. COMPRESS_CERTIFICATE (int): Compress Certificate extension, value 27. RECORD_SIZE_LIMIT (int): Record Size Limit extension, value 28. PWD_PROTECT (int): Password Protect extension, value 29. PWD_CLEAR (int): Password Clear extension, value 30. PASSWORD_SALT (int): Password Salt extension, value 31. SESSION_TICKET (int): Session Ticket extension, value 35. EXTENDED_RANDOM (int): Extended Random extension, value 40. PSK_IDENTITY (int): Pre-Shared Key Identity extension, value 41. EARLY_DATA (int): Early Data extension, value 42. SUPPORTED_VERSIONS (int): Supported Versions extension, value 43. COOKIE (int): Cookie extension, value 44. PSK_KEY_EXCHANGE_MODES (int): PSK Key Exchange Modes extension, value 45. CERTIFICATE_AUTHORITIES (int): Certificate Authorities extension, value 47. OID_FILTERS (int): OID Filters extension, value 48. POST_HANDSHAKE_AUTH (int): Post-Handshake Authentication extension, value 49. SIGNATURE_ALGORITHMS_CERT (int): Signature Algorithms for Certificates extension, value 50. KEY_SHARE (int): Key Share extension, value 51. TRANSPARENCY_INFO (int): Certificate Transparency extension, value 52. CONNECTION_ID_DEPRECATED (int): Deprecated Connection ID extension, value 53. CONNECTION_ID (int): Connection ID extension, value 54. EXTERNAL_ID_HASH (int): External ID Hash extension, value 55. EXTERNAL_SESSION_ID (int): External Session ID extension, value 56. QUIC_TRANSPORT_PARAMETERS (int): QUIC Transport Parameters extension, value 57. TICKET_REQUEST (int): Ticket Request extension, value 58. DNSSEC_CHAIN (int): DNSSEC Chain extension, value 59. NPN (int): Next Protocol Negotiation (NPN) extension, value 13172. RENEGOTIATION_INFO (int): Renegotiation Info extension, value 65281. ENCRYPTED_SERVER_NAME_INDICATION (int): Encrypted Server Name Indication extension, value 65486. ENCRYPTED_CLIENT_HELLO_DRAFT_07 (int): Encrypted Client Hello Draft 07 extension, value 65282. ENCRYPTED_CLIENT_HELLO_DRAFT_08 (int): Encrypted Client Hello Draft 08 extension, value 65288. ENCRYPTED_CLIENT_HELLO_DRAFT_09 (int): Encrypted Client Hello Draft 09 extension, value 65289. ENCRYPTED_CLIENT_HELLO_DRAFT_10 (int): Encrypted Client Hello Draft 10 extension, value 65290. ENCRYPTED_CLIENT_HELLO_DRAFT_11 (int): Encrypted Client Hello Draft 11 extension, value 65291. ENCRYPTED_CLIENT_HELLO_DRAFT_12 (int): Encrypted Client Hello Draft 12 extension, value 65292. ENCRYPTED_CLIENT_HELLO (int): Encrypted Client Hello extension, value 65037.

SERVER_NAME

MAX_FRAGMENT_LENGTH

CLIENT_CERTIFICATE_URL

TRUSTED_CA_KEYS

TRUNCATED_HMAC

STATUS_REQUEST

USER_MAPPING

CLIENT_AUTHZ

SERVER_AUTHZ

CERT_TYPE

SUPPORTED_GROUPS

EC_POINT_FORMATS

SRP

SIGNATURE_ALGORITHMS

USE_SRTP

HEARTBEAT

ALPN

STATUS_REQUEST_V2

SIGNED_CERTIFICATE_TIMESTAMP

CLIENT_CERT_TYPE

SERVER_CERT_TYPE

PADDING

ENCRYPT_THEN_MAC

EXTENDED_MASTER_SECRET

TOKEN_BINDING

CACHED_INFO

COMPRESS_CERTIFICATE

RECORD_SIZE_LIMIT

PWD_PROTECT

PWD_CLEAR

PASSWORD_SALT

SESSION_TICKET

EXTENDED_RANDOM

PSK_IDENTITY

EARLY_DATA

SUPPORTED_VERSIONS

COOKIE

PSK_KEY_EXCHANGE_MODES

CERTIFICATE_AUTHORITIES

OID_FILTERS

POST_HANDSHAKE_AUTH

SIGNATURE_ALGORITHMS_CERT

KEY_SHARE

TRANSPARENCY_INFO

CONNECTION_ID_DEPRECATED

CONNECTION_ID

EXTERNAL_ID_HASH

EXTERNAL_SESSION_ID

QUIC_TRANSPORT_PARAMETERS

TICKET_REQUEST

DNSSEC_CHAIN

NPN

RENEGOTIATION_INFO

ENCRYPTED_SERVER_NAME_INDICATION

ENCRYPTED_CLIENT_HELLO

class mtf.network_port.tls.tls_dtls_config.TLSConfigurator

Configuration for TLS/DTLS.

args:

address: The destination address (IP, port) tuple for the TLS/DTLS server or client. src_address: The Source address (IP, port) tuple for the TLS/DTLS client (binding). secure_version: The TLS/DTLS version to use. socket_type: The type of socket (TLS or DTLS). max_secure_version: The maximum TLS/DTLS version to support. min_secure_version: The minimum TLS/DTLS version to support. psk_identity: The identity for PSK (Pre-Shared Key). psk_identity_hint: Set the server PSK identity hint. psk_key: The key for PSK. time_out: The timeout value for the TLS/DTLS connection. backlog: The backlog value for the socket. buffer_size: The buffer size for socket data. cipher_list: The list of ciphers to support. options: Additional options for the TLS/DTLS context. curve_name: The elliptic curve to use for ECDHE key exchange. server_name: The server name for SNI (Server Name Indication). sni_callback: A callback function to handle server name indications. ocsp_callback: Optional callback function for OCSP client/server validation. ocsp_callback_data: Optional data for the OCSP client/server callback. srtp_profiles: Optional SRTP profiles to use(DTLS). alpn_protos: Optional list of ALPN protocols to advertise. alpn_select_callback: Optional callback function for ALPN protocol selection. client_ca_list: Optional list of client certificate authorities. keylog_callback: Optional callback function to handle TLS key material logging. keylog_file_path: Path to the key log file if the default key log callback is used. record_version: The record version of TLS/DTLS, represented as a tuple (major, minor) or as a ProtocolVersion enum. tls_attacker_apps_path: The path to TLS-attacker applications

Notes:

If keylog_callback is not provided, a default callback will be used. This default callback writes keying material to the file specified by keylog_file_path.
Make sure to select the right cipher that supports both PSK and ECDHE. For example: ‘ECDHE-PSK-CHACHA20-POLY1305’. More supported ciphers can be found by running the command: openssl ciphers -v PSK
The list of supported curves can be found in the documentation or by running: openssl ecparam -list_curves
Selecting an unsupported curve will raise a ValueError

address: tuple

socket_type: SecureSocketType

src_address: tuple | None

secure_version: Any | None

max_secure_version: int

min_secure_version: int

psk_identity_hint: bytes | None

psk_identity: bytes

psk_key: bytes

time_out: Any

backlog: int

buffer_size: int

cipher_list: Any

options: int

curve_name: str | None

server_name: str | None

sni_callback: Callable[[Connection], None] | None

ocsp_callback: Callable[[Connection, bytes, Any | None], bool] | None

ocsp_callback_data: Any | None

srtp_profiles: str | None

alpn_protos: List[bytes] | None

alpn_select_callback: Callable[[Connection, List[bytes]], bytes | None] | None

client_ca_list: Sequence[X509Name] | None

keylog_callback: Callable[[Connection, bytes], None] | None

keylog_file_path: str

record_version: ProtocolVersion | None

tls_attacker_apps_path: str | None

__init__(address: tuple, socket_type: SecureSocketType, src_address: tuple | None = None, secure_version: Any | None = 7, max_secure_version: int | None = None, min_secure_version: int | None = None, psk_identity_hint: bytes | None = None, psk_identity: bytes = b'client-identity', psk_key: bytes = b'mysecretpskkey', time_out: Any = 5.0, backlog: int = 5, buffer_size: int = 1024, cipher_list: Any = b'TLS_PSK_WITH_AES_256_CBC_SHA', options: int | None = None, curve_name: str | None = None, server_name: str | None = None, sni_callback: Callable[[Connection], None] | None = None, ocsp_callback: Callable[[Connection, bytes, Any | None], bool] | None = None, ocsp_callback_data: Any | None = None, srtp_profiles: str | None = None, alpn_protos: List[bytes] | None = None, alpn_select_callback: Callable[[Connection, List[bytes]], bytes | None] | None = None, client_ca_list: Sequence[X509Name] | None = None, keylog_callback: Callable[[Connection, bytes], None] | None = None, keylog_file_path: str = 'keylogfile.log', record_version: ProtocolVersion | None = ProtocolVersion.TLS10, tls_attacker_apps_path: str | None = None) → None