Add TLS 1.3 HelloRetryRequest

[romain-perez]

This pull request adds :

• Support for HelloRetryRequest message in automaton (client and server)
• Tests from RFC8448 for HelloRetryRequest

Edits by gpotter2:

• Drops support for cryptography < 2.0.0 (2017)
• fix PR according to review
• rebase

[codecov]

Codecov Report

Merging #2260 into master will decrease coverage by 0.07%.
The diff coverage is 51.58%.

@@            Coverage Diff             @@
##           master    #2260      +/-   ##
==========================================
- Coverage   87.76%   87.69%   -0.08%     
==========================================
  Files         242      242              
  Lines       50553    50639      +86     
==========================================
+ Hits        44369    44406      +37     
- Misses       6184     6233      +49

Impacted Files	Coverage Δ
scapy/layers/tls/record.py	90.46% <0%> (ø)	⬆️
scapy/layers/tls/keyexchange_tls13.py	79.59% <100%> (+0.1%)	⬆️
scapy/config.py	84.13% <100%> (+0.36%)	⬆️
scapy/layers/tls/automaton_cli.py	83.76% <25%> (-2.38%)	⬇️
scapy/layers/tls/cert.py	86.17% <27.27%> (+1.03%)	⬆️
scapy/layers/tls/automaton_srv.py	78.15% <43.9%> (-2.04%)	⬇️
scapy/layers/tls/extensions.py	82.22% <63.63%> (-0.79%)	⬇️
scapy/layers/tls/handshake.py	86.53% <87.5%> (+0.04%)	⬆️
scapy/layers/tls/crypto/groups.py	88.76% <0%> (-8.99%)	⬇️
scapy/layers/tftp.py	89.36% <0%> (-0.29%)	⬇️
... and 3 more

[p-l-]

Hi,

Thanks for this PR. You have two failed tests. Could you have a look?

• https://travis-ci.com/secdev/scapy/jobs/238211535
• https://travis-ci.com/secdev/scapy/jobs/238211537

For the second one, you may need to add ~ crypto_advanced on some of your tests.

[romain-perez]

The first failed test is a bit unclear to me because it failed when generating the doc and I didn't change this part. I am still looking at it.

For the second one, I didn't used ~ crypto_advanced flag on purpose because I thought it was necessary only for key exchange with curve x25519, but the curve used for this test is secp256r1. But I think this flag is also necessary because of the symmetric cipher, so I will add it.

[romain-perez]

Hi,

I have been able to reproduce the first failed test and I found a way to fix it but I am not sure if it's the right way to fix it or not.

The error is caused by a missing module 'cryptography' when importing module 'all' from module 'scapy.layers.tls'. So, if I add the module 'cryptography' in deps for [testenv:docs] defined in the tox.ini as follow, the test is not failing anymore :

[testenv:docs]
skip_install = true
changedir = doc/scapy
deps = sphinx
       sphinx_rtd_theme
       cryptography
commands =
  sphinx-build -q -W -b html . _build/html

But I can't really see why it was failing only in this pull request and not in my previous one. Could it be possible that the module 'scapy.layers.tls' was not imported previously ? Do you have any ideas on this ?

[gpotter2]

TLS files are using a safe check to be able to be imported even without cryptography:

scapy/scapy/layers/tls/crypto/cipher_stream.py

Line 15 in 99d5142

if conf.crypto_valid:

Please continue to use those, that way it won't crash :p I must say I am not sure why it was done this way, I don't know if many things work without cryptography..

Side note: I think you could hardcore the RetryRequest bytes marker with a comment explaining how it got generated.

[ria4]

Hi,

Regarding crypto_valid, I introduced it in order for Scapy not to have a cryptography dependency. If this condition was not met, the TLS 1.3 module would still be able to parse/encode packets -even though you wouldn't be able to decrypt/verify protected contents.

I believe it's still the intention of the maintainers not to depend upon cryptography, so you should keep this validation.

[gpotter2]

@guedou @p-l- ready for review

[gpotter2]

Let's move on. This has staled for too long already

[gpotter2]

@romain-perez Sorry for the delay, feel free to create PRs out of your other branches.