probes with invalid cert_type ext from RFC 6091

prober.py

@@ -182,7 +182,13 @@
     ServerAuthzNull12PFS(),
     ServerAuthzOverflow(),
     ServerAuthzOverflow12(),
-    ServerAuthzOverflow12PFS()
+    ServerAuthzOverflow12PFS(),
+    CertTypeNull(),
+    CertTypeNull12(),
+    CertTypeNull12PFS(),
+    CertTypeOverflow(),
+    CertTypeOverflow12(),
+    CertTypeOverflow12PFS()
 ]
 
 def probe(ipaddress, port, starttls, specified_probe):

probes.py

@@ -1709,3 +1709,47 @@ class ServerAuthzOverflow12(ServerAuthzOverflow, NormalHandshake12):
 class ServerAuthzOverflow12PFS(ServerAuthzOverflow, NormalHandshake12PFS):
     '''As with ServerAuthzOverflow but in PFS TLSv1.2 hello'''
     pass
+
+
+class CertTypeNull(NormalHandshake):
+    '''Send empty cert type extension in hello'''
+
+    def make_cert_type_hello(self, value):
+        cert_type_ext = Extension.create(
+            extension_type=9,
+            data=value)
+        return self.make_hello([cert_type_ext])
+
+    def test(self, sock):
+        logging.debug('Sending Client Hello...')
+        # normal extension has an array, don't send anything
+        sock.write(self.make_cert_type_hello(b''))
+
+
+class CertTypeNull12(CertTypeNull, NormalHandshake12):
+    '''Send empty cert type extension in TLSv1.2 hello'''
+    pass
+
+
+class CertTypeNull12PFS(CertTypeNull, NormalHandshake12PFS):
+    '''Send empty cert type extension in PFS TLSv1.2 hello'''
+    pass
+
+
+class CertTypeOverflow(CertTypeNull):
+    '''Send cert type extension with too large length in hello'''
+
+    def test(self, sock):
+        logging.debug('Sending Client Hello...')
+        # first byte is a length of array, send invalid one
+        sock.write(self.make_cert_type_hello(b'\x04\x01'))
+
+
+class CertTypeOverflow12(CertTypeOverflow, NormalHandshake12):
+    '''Send cert type extension with too large length in TLSv1.2 hello'''
+    pass
+
+
+class CertTypeOverflow12PFS(CertTypeOverflow, NormalHandshake12PFS):
+    '''Send cert type extension with too large length in PFS TLSv1.2 hello'''
+    pass

tests/test_probes.py

@@ -3391,3 +3391,129 @@ def test_test(self):
                           b'\x00\x07'
                           b'\x00\x08\x00\x03'
                           b'\x04\x00\x01'])
+
+
+class TestCertTypeNull(unittest.TestCase):
+    def test_test(self):
+        probe = CertTypeNull()
+        sock = MockSock()
+
+        probe.test(sock)
+
+        self.assertEqual(sock.sent_data,
+                         [b'\x16\x03\x01\x00?'
+                          b'\x01\x00\x00;'
+                          b'\x03\x01' +
+                          RANDOM_STR +
+                          b'\x00'
+                          b'\x00\x0e' +
+                          DEFAULT_CIPHERS_STR +
+                          b'\x01\x00'
+                          b'\x00\x04'
+                          b'\x00\x09\x00\x00'])
+
+
+class TestCertTypeNull12(unittest.TestCase):
+    def test_test(self):
+        probe = CertTypeNull12()
+        sock = MockSock()
+
+        probe.test(sock)
+
+        self.assertEqual(sock.sent_data,
+                         [b'\x16\x03\x01\x00W'
+                          b'\x01\x00\x00S'
+                          b'\x03\x03' +
+                          RANDOM_STR +
+                          b'\x00'
+                          b'\x00&' +
+                          DEFAULT_12_CIPHERS_STR +
+                          b'\x01\x00'
+                          b'\x00\x04'
+                          b'\x00\x09\x00\x00'])
+
+
+class TestCertTypeNull12PFS(unittest.TestCase):
+    def test_test(self):
+        probe = CertTypeNull12PFS()
+        sock = MockSock()
+
+        probe.test(sock)
+
+        self.maxDiff = None
+        self.assertEqual(sock.sent_data,
+                         [b"\x16\x03\x01\x00\x8f"
+                          b"\x01\x00\x00\x8b"
+                          b"\x03\x03" +
+                          RANDOM_STR +
+                          b"\x00"
+                          b"\x00^" +
+                          DEFAULT_PFS_CIPHERS_STR +
+                          b"\x01\x00"
+                          b'\x00\x04'
+                          b'\x00\x09\x00\x00'])
+
+
+class TestCertTypeOverflow(unittest.TestCase):
+    def test_test(self):
+        probe = CertTypeOverflow()
+        sock = MockSock()
+
+        probe.test(sock)
+
+        self.maxDiff = None
+        self.assertEqual(sock.sent_data,
+                         [b'\x16\x03\x01\x00A'
+                          b'\x01\x00\x00='
+                          b'\x03\x01' +
+                          RANDOM_STR +
+                          b'\x00'
+                          b'\x00\x0e' +
+                          DEFAULT_CIPHERS_STR +
+                          b'\x01\x00'
+                          b'\x00\x06'
+                          b'\x00\x09\x00\x02'
+                          b'\x04\x01'])
+
+
+class TestCertTypeOverflow12(unittest.TestCase):
+    def test_test(self):
+        probe = CertTypeOverflow12()
+        sock = MockSock()
+
+        probe.test(sock)
+
+        self.assertEqual(sock.sent_data,
+                         [b'\x16\x03\x01\x00Y'
+                          b'\x01\x00\x00U'
+                          b'\x03\x03' +
+                          RANDOM_STR +
+                          b'\x00'
+                          b'\x00&' +
+                          DEFAULT_12_CIPHERS_STR +
+                          b'\x01\x00'
+                          b'\x00\x06'
+                          b'\x00\x09\x00\x02'
+                          b'\x04\x01'])
+
+
+class TestCertTypeOverflow12PFS(unittest.TestCase):
+    def test_test(self):
+        probe = CertTypeOverflow12PFS()
+        sock = MockSock()
+
+        probe.test(sock)
+
+        self.maxDiff = None
+        self.assertEqual(sock.sent_data,
+                         [b"\x16\x03\x01\x00\x91"
+                          b"\x01\x00\x00\x8d"
+                          b"\x03\x03" +
+                          RANDOM_STR +
+                          b"\x00"
+                          b"\x00^" +
+                          DEFAULT_PFS_CIPHERS_STR +
+                          b"\x01\x00"
+                          b'\x00\x06'
+                          b'\x00\x09\x00\x02'
+                          b'\x04\x01'])