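def tls13_should_add_ClientHello_Retry(self):
    """Answer a HelloRetryRequest (HRR) with a second ClientHello.

    The cipher suite, named group and protocol version are taken from
    the HRR parsed last.  When the session holds a PSK secret the hello
    also carries ``psk_key_exchange_modes`` (plus a key share only in
    ``psk_dhe_ke`` mode) and a ``pre_shared_key`` extension whose binder
    is a zero placeholder sized for SHA-256; ``pre_shared_key`` is kept
    as the last extension, as RFC 8446, section 4.2.11 requires.
    Without a PSK secret a plain key-share hello is built.

    Raises:
        self.CLOSE_NOTIFY: the last parsed message is not a HRR, or it
            carries no selected group or selected version.
        self.TLS13_ADDED_CLIENTHELLO: always, once the hello is queued
            (automaton transition).
    """
    s = self.cur_session
    s.tls13_retry = True
    # we have to use the legacy, plaintext TLS record here
    self.add_record(is_tls13=False)

    # We retrieve the group to be used and the selected version from the
    # previous message
    hrr = s.handshake_messages_parsed[-1]
    if not isinstance(hrr, TLS13HelloRetryRequest):
        # Anything else carries no selected group to answer with
        raise self.CLOSE_NOTIFY()
    ciphersuite = hrr.cipher

    # Both start as None so a HRR lacking either extension ends in
    # CLOSE_NOTIFY instead of an UnboundLocalError below.
    selected_group = None
    selected_version = None
    for e in hrr.ext or []:
        if isinstance(e, TLS_Ext_KeyShare_HRR):
            selected_group = e.selected_group
        elif isinstance(e, TLS_Ext_SupportedVersion_SH):
            selected_version = e.version
    if not selected_group or not selected_version:
        raise self.CLOSE_NOTIFY()

    psk_secret = s.tls13_psk_secret
    ext = [TLS_Ext_SupportedVersion_CH(
        versions=[_tls_version[selected_version]])]
    # A key share is offered unless the PSK is used in pure psk_ke mode
    if psk_secret:
        if self.tls13_psk_mode == "psk_dhe_ke":
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
            ext.append(TLS_Ext_SupportedGroups(
                groups=[_tls_named_groups[selected_group]]))
            ext.append(TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=selected_group)]))
        else:
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))
    else:
        ext.append(TLS_Ext_SupportedGroups(
            groups=[_tls_named_groups[selected_group]]))
        ext.append(TLS_Ext_KeyShare_CH(
            client_shares=[KeyShareEntry(group=selected_group)]))
    ext.append(TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]))

    if psk_secret:
        # RFC 8446, section 4.2.11: "The pre_shared_key extension MUST be
        # the last extension in the ClientHello", so it is appended after
        # signature_algorithms.  The binder is a zero placeholder of the
        # hash length; presumably it is filled in when the message is
        # built -- TODO confirm.
        hkdf = TLS13_HKDF("sha256")
        hash_len = hkdf.hash.digest_size
        psk_id = PSKIdentity(identity='Client_identity')
        psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                          binder=b"\x00" * hash_len)
        ext.append(TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                           binders=[psk_binder_entry]))

    p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
    self.add_msg(p)
    raise self.TLS13_ADDED_CLIENTHELLO()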
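def tls13_should_add_ServerHello(self):
    """Queue the TLS 1.3 ServerHello answering the parsed ClientHello.

    The most recent ClientHello is inspected for ``pre_shared_key`` and
    ``psk_key_exchange_modes``.  When both are present the first offered
    identity is accepted (``selected_identity=0``); an
    ``obfuscated_ticket_age`` of 0 is taken to mean an out-of-band PSK,
    whose secret is loaded from the hex string ``self.psk_secret``.  A
    ``key_share`` answer is added unless the client asked for the pure
    ``psk_ke`` mode (mode value 0).  The cipher suite is the first one
    usable with the server key type (RSA or ECDSA).

    Raises:
        TypeError: ``self.mykey`` is neither RSA nor ECDSA.
        self.tls13_ADDED_SERVERHELLO: always, once the hello is queued
            (automaton transition).
    """
    psk_identity = None
    psk_key_exchange_mode = None
    obfuscated_age = None
    is_out_of_band_psk = False
    # XXX check ClientHello extensions...
    for m in reversed(self.cur_session.handshake_messages_parsed):
        if not isinstance(m, (TLS13ClientHello, TLSClientHello)):
            continue
        for e in m.ext or []:
            if isinstance(e, TLS_Ext_PreSharedKey_CH) and e.identities:
                psk_identity = e.identities[0].identity
                obfuscated_age = e.identities[0].obfuscated_ticket_age
                # binder = e.binders[0].binder
                # For out-of-band PSK, obfuscated_ticket_age should be
                # 0. We use this field to distinguish between out-of-
                # band PSK and resumed PSK
                is_out_of_band_psk = (obfuscated_age == 0)
            elif isinstance(e, TLS_Ext_PSKKeyExchangeModes) and e.kxmodes:
                psk_key_exchange_mode = e.kxmodes[0]
        # Only the latest ClientHello (the one being answered) counts;
        # without this break an older hello would overwrite its values.
        break

    if isinstance(self.mykey, PrivKeyRSA):
        kx = "RSA"
    elif isinstance(self.mykey, PrivKeyECDSA):
        kx = "ECDSA"
    else:
        # Any other key type used to leave kx unbound and fail on the
        # next line with an UnboundLocalError.
        raise TypeError("unsupported server key type for TLS 1.3: %r"
                        % type(self.mykey))

    usable_suites = get_usable_ciphersuites(self.cur_pkt.ciphers, kx)
    c = usable_suites[0]
    ext = [TLS_Ext_SupportedVersion_SH(version="TLS 1.3")]

    # Compared against None rather than for truthiness: an out-of-band
    # PSK has obfuscated_age == 0 and psk_ke is mode 0, both of which
    # are falsy and used to skip the PSK branch entirely.
    if (psk_identity and obfuscated_age is not None and
            psk_key_exchange_mode is not None):
        s = self.cur_session
        if is_out_of_band_psk:
            # Handshake with external PSK authentication
            # XXX test that self.psk_secret is set
            s.tls13_psk_secret = binascii.unhexlify(self.psk_secret)
        # 0: "psk_ke"
        # 1: "psk_dhe_ke"
        if psk_key_exchange_mode == 1:
            # The client's share is only read here, since a psk_ke client
            # sends none
            group = next(iter(self.cur_session.tls13_client_pubshares))
            server_kse = KeyShareEntry(group=group)
            ext.append(TLS_Ext_KeyShare_SH(server_share=server_kse))
        ext.append(TLS_Ext_PreSharedKey_SH(selected_identity=0))
    else:
        # Standard Handshake
        group = next(iter(self.cur_session.tls13_client_pubshares))
        ext.append(TLS_Ext_KeyShare_SH(
            server_share=KeyShareEntry(group=group)))

    if self.cur_session.sid is not None:
        p = TLS13ServerHello(cipher=c, sid=self.cur_session.sid, ext=ext)
    else:
        p = TLS13ServerHello(cipher=c, ext=ext)

    self.add_msg(p)
    raise self.tls13_ADDED_SERVERHELLO()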
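def tls13_should_add_ClientHello_Retry(self):
    """Answer a HelloRetryRequest (HRR) with a second ClientHello.

    The cipher suite, named group and protocol version are taken from
    the HRR parsed last; the new hello offers exactly that group as its
    key share.

    Raises:
        self.CLOSE_NOTIFY: the last parsed message is not a HRR, or it
            carries no selected group or selected version.
        self.TLS13_ADDED_CLIENTHELLO: always, once the hello is queued
            (automaton transition).
    """
    s = self.cur_session
    s.tls13_retry = True
    # we have to use the legacy, plaintext TLS record here
    self.add_record(is_tls13=False)

    # We retrieve the group to be used and the selected version from the
    # previous message
    hrr = s.handshake_messages_parsed[-1]
    if not isinstance(hrr, TLS13HelloRetryRequest):
        # Anything else carries no selected group to answer with
        raise self.CLOSE_NOTIFY()
    ciphersuite = hrr.cipher

    # Both start as None so a HRR lacking either extension ends in
    # CLOSE_NOTIFY instead of an UnboundLocalError below.
    selected_group = None
    selected_version = None
    for e in hrr.ext or []:
        if isinstance(e, TLS_Ext_KeyShare_HRR):
            selected_group = e.selected_group
        elif isinstance(e, TLS_Ext_SupportedVersion_SH):
            selected_version = e.version
    if not selected_group or not selected_version:
        raise self.CLOSE_NOTIFY()

    ext = [
        TLS_Ext_SupportedVersion_CH(
            versions=[_tls_version[selected_version]]),
        TLS_Ext_SupportedGroups(
            groups=[_tls_named_groups[selected_group]]),
        TLS_Ext_KeyShare_CH(
            client_shares=[KeyShareEntry(group=selected_group)]),
        TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]),
    ]
    p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
    self.add_msg(p)
    raise self.TLS13_ADDED_CLIENTHELLO()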
def tls13_should_add_ClientHello(self):
    """Queue the first TLS 1.3 ClientHello.

    A supplied ``self.client_hello`` is sent as-is, receiving the default
    extension list only when it has none; otherwise a TLS13ClientHello
    is built with ``self.ciphersuite`` (0x1301 when unset).  The default
    extensions advertise TLS 1.3, the P-256/P-384 groups (plus x25519
    when ``conf.crypto_valid_advanced``), a key share for ``self.curve``
    and the rsa-pss / rsa SHA-256 signature algorithms.

    Raises:
        self.TLS13_ADDED_CLIENTHELLO: always, once the hello is queued
            (automaton transition).
    """
    # we have to use the legacy, plaintext TLS record here
    groups = ["secp256r1", "secp384r1"]
    if conf.crypto_valid_advanced:
        groups.append("x25519")
    self.add_record(is_tls13=False)

    default_ext = [
        TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"]),
        TLS_Ext_SupportedGroups(groups=groups),
        TLS_Ext_KeyShare_CH(
            client_shares=[KeyShareEntry(group=self.curve)]),
        TLS_Ext_SignatureAlgorithms(
            sig_algs=["sha256+rsaepss", "sha256+rsa"]),
    ]

    hello = self.client_hello
    if hello:
        # Keep caller-provided extensions; only fill in when absent
        if not hello.ext:
            hello.ext = default_ext
    else:
        cipher = 0x1301 if self.ciphersuite is None else self.ciphersuite
        hello = TLS13ClientHello(ciphers=cipher, ext=default_ext)

    self.add_msg(hello)
    raise self.TLS13_ADDED_CLIENTHELLO()
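def tls13_should_add_ClientHello(self):
    """Queue the first TLS 1.3 ClientHello.

    Uses ``self.client_hello`` when one was supplied, otherwise builds a
    TLS13ClientHello with ``self.ciphersuite`` (0x1301 by default).  The
    extension list is always rebuilt here and assigned to ``p.ext``, so
    any extensions on a supplied ``client_hello`` are replaced.  With a
    PSK secret on the session the hello advertises the key-exchange mode
    (key share only for ``psk_dhe_ke``) and a ``pre_shared_key``
    extension for the out-of-band identity ``Client_identity`` with a
    zero placeholder binder sized for SHA-256, placed last as RFC 8446,
    section 4.2.11 requires.

    Raises:
        self.TLS13_ADDED_CLIENTHELLO: always, once the hello is queued
            (automaton transition).
    """
    # we have to use the legacy, plaintext TLS record here
    supported_groups = ["secp256r1", "secp384r1"]
    if conf.crypto_valid_advanced:
        supported_groups.append("x25519")
    self.add_record(is_tls13=False)

    if self.client_hello:
        p = self.client_hello
    else:
        c = 0x1301 if self.ciphersuite is None else self.ciphersuite
        p = TLS13ClientHello(ciphers=c)

    psk_secret = self.cur_session.tls13_psk_secret
    ext = [TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])]
    # A key share is offered unless the PSK is used in pure psk_ke mode
    if psk_secret:
        if self.tls13_psk_mode == "psk_dhe_ke":
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
            ext.append(TLS_Ext_SupportedGroups(groups=supported_groups))
            ext.append(TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=self.curve)]))
        else:
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))
    else:
        ext.append(TLS_Ext_SupportedGroups(groups=supported_groups))
        ext.append(TLS_Ext_KeyShare_CH(
            client_shares=[KeyShareEntry(group=self.curve)]))
    ext.append(TLS_Ext_SignatureAlgorithms(
        sig_algs=["sha256+rsaepss", "sha256+rsa"]))

    if psk_secret:
        # RFC 8446, section 4.2.11.
        # "The "pre_shared_key" extension MUST be the last extension
        # in the ClientHello" -- hence appended after signature_algorithms.
        hkdf = TLS13_HKDF("sha256")
        hash_len = hkdf.hash.digest_size
        psk_id = PSKIdentity(identity='Client_identity')
        # XXX see how to not pass binder as argument
        psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                          binder=b"\x00" * hash_len)
        ext.append(TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                           binders=[psk_binder_entry]))

    p.ext = ext
    self.add_msg(p)
    raise self.TLS13_ADDED_CLIENTHELLO()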
def tls13_should_add_ServerHello(self):
    """Queue a plain (EC)DHE TLS 1.3 ServerHello.

    The key-exchange family is derived from the type of ``self.mykey``
    (RSA or ECDSA) to pick the first cipher suite usable against the
    client's offer; the server key share answers the first group the
    client shared.  ``sid`` is echoed when the session has one.

    Raises:
        self.tls13_ADDED_SERVERHELLO: always, once the hello is queued
            (automaton transition).
    """
    key = self.mykey
    if isinstance(key, PrivKeyRSA):
        kx = "RSA"
    elif isinstance(key, PrivKeyECDSA):
        kx = "ECDSA"
    # NOTE: any other key type leaves kx unbound and fails on the
    # get_usable_ciphersuites call below

    suite = get_usable_ciphersuites(self.cur_pkt.ciphers, kx)[0]
    session = self.cur_session
    share = KeyShareEntry(group=next(iter(session.tls13_client_pubshares)))

    ext = [TLS_Ext_SupportedVersion_SH(version="TLS 1.3")]
    ext += TLS_Ext_KeyShare_SH(server_share=share)

    if session.sid is None:
        hello = TLS13ServerHello(cipher=suite, ext=ext)
    else:
        hello = TLS13ServerHello(cipher=suite, sid=session.sid, ext=ext)

    self.add_msg(hello)
    raise self.tls13_ADDED_SERVERHELLO()
def tls13_should_add_ClientHello(self):
    """Queue a draft-18 TLS 1.3 ClientHello.

    A supplied ``self.client_hello`` is sent unchanged; otherwise a
    legacy TLSClientHello for suite 0x1301 is built offering secp256r1
    (group 23) with a matching key share, the ``TLS 1.3-d18`` version
    and the rsa-pss / rsa SHA-256 signature algorithms.  No SNI is
    added, which public servers usually require.

    Raises:
        self.TLS13_ADDED_CLIENTHELLO: always, once the hello is queued
            (automaton transition).
    """
    # we have to use the legacy, plaintext TLS record here
    self.add_record(is_tls13=False)

    hello = self.client_hello
    if not hello:
        # When trying to connect to a public TLS 1.3 server,
        # you will most likely need to provide an SNI extension.
        # sn = ServerName(servername="<put server name here>")
        extensions = [
            TLS_Ext_SupportedGroups(groups=["secp256r1"]),
            # TLS_Ext_ServerName(servernames=[sn]),
            TLS_Ext_KeyShare_CH(client_shares=[KeyShareEntry(group=23)]),
            TLS_Ext_SupportedVersions(versions=["TLS 1.3-d18"]),
            TLS_Ext_SignatureAlgorithms(
                sig_algs=["sha256+rsapss", "sha256+rsa"]),
        ]
        hello = TLSClientHello(ciphers=0x1301, ext=extensions)

    self.add_msg(hello)
    raise self.TLS13_ADDED_CLIENTHELLO()
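def tls13_should_add_ClientHello(self):
    """Queue the first TLS 1.3 ClientHello.

    Uses ``self.client_hello`` when one was supplied, otherwise builds a
    TLS13ClientHello with ``self.ciphersuite`` (0x1301 by default).  The
    extension list is always rebuilt here and assigned to ``p.ext``, so
    any extensions on a supplied ``client_hello`` are replaced.  With a
    PSK secret on the session the hello advertises the key-exchange mode
    (key share only for ``psk_dhe_ke``) and a ``pre_shared_key``
    extension placed last, as RFC 8446, section 4.2.11 requires: a
    resumption PSK when a session ticket is held (identity = ticket,
    obfuscated age derived from the ticket's receipt time and the
    ticket's ``ticket_age_add``), else the out-of-band identity
    ``Client_identity`` hashed with SHA-256.  The binder is a zero
    placeholder of the hash length in both cases.

    Raises:
        self.TLS13_ADDED_CLIENTHELLO: always, once the hello is queued
            (automaton transition).
    """
    # we have to use the legacy, plaintext TLS record here
    supported_groups = ["secp256r1", "secp384r1"]
    if conf.crypto_valid_advanced:
        supported_groups.append("x25519")
    self.add_record(is_tls13=False)

    if self.client_hello:
        p = self.client_hello
    else:
        c = 0x1301 if self.ciphersuite is None else self.ciphersuite
        p = TLS13ClientHello(ciphers=c)

    s = self.cur_session
    ext = [TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])]
    if s.tls13_psk_secret:
        # Check if DHE is need (both for out of band and resumption PSK)
        if self.tls13_psk_mode == "psk_dhe_ke":
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
            ext.append(TLS_Ext_SupportedGroups(groups=supported_groups))
            ext.append(TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=self.curve)]))
        else:
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))
    else:
        ext.append(TLS_Ext_SupportedGroups(groups=supported_groups))
        ext.append(TLS_Ext_KeyShare_CH(
            client_shares=[KeyShareEntry(group=self.curve)]))
    ext.append(TLS_Ext_SignatureAlgorithms(
        sig_algs=["sha256+rsaepss", "sha256+rsa"]))

    if s.tls13_psk_secret:
        # RFC 8446, section 4.2.11.
        # "The "pre_shared_key" extension MUST be the last extension
        # in the ClientHello" -- hence appended after signature_algorithms.
        if s.client_session_ticket:
            # Compute the pre_shared_key extension for resumption PSK,
            # hashing with the cipher suite the ticket was issued under
            cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite]
            hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower())
            hash_len = hkdf.hash.digest_size
            # We compute the client's view of the age of the ticket (ie
            # the time since the receipt of the ticket) in ms
            agems = int((time.time() - s.client_ticket_age) * 1000)
            # Then we compute the obfuscated version of the ticket age
            # by adding the "ticket_age_add" value included in the
            # ticket (modulo 2^32)
            obfuscated_age = ((agems + s.client_session_ticket_age_add)
                              & 0xffffffff)
            psk_id = PSKIdentity(identity=s.client_session_ticket,
                                 obfuscated_ticket_age=obfuscated_age)
        else:
            # Compute the pre_shared_key extension for out of band PSK
            # (SHA256 is used as default hash function for HKDF for out
            # of band PSK)
            hkdf = TLS13_HKDF("sha256")
            hash_len = hkdf.hash.digest_size
            psk_id = PSKIdentity(identity='Client_identity')
        # XXX see how to not pass binder as argument
        psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                          binder=b"\x00" * hash_len)
        ext.append(TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                           binders=[psk_binder_entry]))

    p.ext = ext
    self.add_msg(p)
    raise self.TLS13_ADDED_CLIENTHELLO()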
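def tls13_should_add_ClientHello_Retry(self):
    """Answer a HelloRetryRequest (HRR) with a second ClientHello.

    The cipher suite, named group and protocol version are taken from
    the HRR parsed last.  When the session holds a PSK secret the hello
    advertises the key-exchange mode (key share only for ``psk_dhe_ke``)
    and a ``pre_shared_key`` extension placed last, as RFC 8446, section
    4.2.11 requires: a resumption PSK when a session ticket is held
    (identity = ticket, obfuscated age derived from the ticket's receipt
    time and ``ticket_age_add``), else the out-of-band identity
    ``Client_identity`` hashed with SHA-256.  The binder is a zero
    placeholder of the hash length in both cases.  Without a PSK secret
    a plain key-share hello is built.

    Raises:
        self.CLOSE_NOTIFY: the last parsed message is not a HRR, or it
            carries no selected group or selected version.
        self.TLS13_ADDED_CLIENTHELLO: always, once the hello is queued
            (automaton transition).
    """
    s = self.cur_session
    s.tls13_retry = True
    # we have to use the legacy, plaintext TLS record here
    self.add_record(is_tls13=False)

    # We retrieve the group to be used and the selected version from the
    # previous message
    hrr = s.handshake_messages_parsed[-1]
    if not isinstance(hrr, TLS13HelloRetryRequest):
        # Anything else carries no selected group to answer with
        raise self.CLOSE_NOTIFY()
    ciphersuite = hrr.cipher

    # Both start as None so a HRR lacking either extension ends in
    # CLOSE_NOTIFY instead of an UnboundLocalError below.
    selected_group = None
    selected_version = None
    for e in hrr.ext or []:
        if isinstance(e, TLS_Ext_KeyShare_HRR):
            selected_group = e.selected_group
        elif isinstance(e, TLS_Ext_SupportedVersion_SH):
            selected_version = e.version
    if not selected_group or not selected_version:
        raise self.CLOSE_NOTIFY()

    ext = [TLS_Ext_SupportedVersion_CH(
        versions=[_tls_version[selected_version]])]
    # A key share is offered unless the PSK is used in pure psk_ke mode
    if s.tls13_psk_secret:
        if self.tls13_psk_mode == "psk_dhe_ke":
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"))
            ext.append(TLS_Ext_SupportedGroups(
                groups=[_tls_named_groups[selected_group]]))
            ext.append(TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=selected_group)]))
        else:
            ext.append(TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke"))
    else:
        ext.append(TLS_Ext_SupportedGroups(
            groups=[_tls_named_groups[selected_group]]))
        ext.append(TLS_Ext_KeyShare_CH(
            client_shares=[KeyShareEntry(group=selected_group)]))
    ext.append(TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]))

    if s.tls13_psk_secret:
        # RFC 8446, section 4.2.11: "The pre_shared_key extension MUST be
        # the last extension in the ClientHello", so it is appended after
        # signature_algorithms.
        if s.client_session_ticket:
            # XXX Retrieve parameters from first ClientHello...
            cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite]
            hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower())
            hash_len = hkdf.hash.digest_size
            # We compute the client's view of the age of the ticket (ie
            # the time since the receipt of the ticket) in ms
            agems = int((time.time() - s.client_ticket_age) * 1000)
            # Then we compute the obfuscated version of the ticket age by
            # adding the "ticket_age_add" value included in the ticket
            # (modulo 2^32)
            obfuscated_age = ((agems + s.client_session_ticket_age_add)
                              & 0xffffffff)
            psk_id = PSKIdentity(identity=s.client_session_ticket,
                                 obfuscated_ticket_age=obfuscated_age)
        else:
            # Out-of-band PSK: SHA-256 is the default HKDF hash
            hkdf = TLS13_HKDF("sha256")
            hash_len = hkdf.hash.digest_size
            psk_id = PSKIdentity(identity='Client_identity')
        # Zero placeholder binder of the hash length; presumably filled
        # in when the message is built -- TODO confirm.
        psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                          binder=b"\x00" * hash_len)
        ext.append(TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                           binders=[psk_binder_entry]))

    p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
    self.add_msg(p)
    raise self.TLS13_ADDED_CLIENTHELLO()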