def tls13_should_add_ClientHello_Retry(self): s = self.cur_session s.tls13_retry = True # we have to use the legacy, plaintext TLS record here self.add_record(is_tls13=False) # We retrieve the group to be used and the selected version from the # previous message hrr = s.handshake_messages_parsed[-1] if isinstance(hrr, TLS13HelloRetryRequest): pass ciphersuite = hrr.cipher if hrr.ext: for e in hrr.ext: if isinstance(e, TLS_Ext_KeyShare_HRR): selected_group = e.selected_group if isinstance(e, TLS_Ext_SupportedVersion_SH): selected_version = e.version if not selected_group or not selected_version: raise self.CLOSE_NOTIFY() ext = [] ext += TLS_Ext_SupportedVersion_CH( versions=[_tls_version[selected_version]]) # noqa: E501 if s.tls13_psk_secret: if self.tls13_psk_mode == "psk_dhe_ke": ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"), ext += TLS_Ext_SupportedGroups( groups=[_tls_named_groups[selected_group]]) # noqa: E501 ext += TLS_Ext_KeyShare_CH(client_shares=[ KeyShareEntry(group=selected_group) ]) # noqa: E501 else: ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke") hkdf = TLS13_HKDF("sha256") hash_len = hkdf.hash.digest_size psk_id = PSKIdentity(identity='Client_identity') psk_binder_entry = PSKBinderEntry(binder_len=hash_len, binder=b"\x00" * hash_len) ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], binders=[psk_binder_entry]) else: ext += TLS_Ext_SupportedGroups( groups=[_tls_named_groups[selected_group]]) # noqa: E501 ext += TLS_Ext_KeyShare_CH(client_shares=[ KeyShareEntry(group=selected_group) ]) # noqa: E501 ext += TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]) p = TLS13ClientHello(ciphers=ciphersuite, ext=ext) self.add_msg(p) raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello_Retry(self): s = self.cur_session s.tls13_retry = True # we have to use the legacy, plaintext TLS record here self.add_record(is_tls13=False) # We retrieve the group to be used and the selected version from the # previous message hrr = s.handshake_messages_parsed[-1] if isinstance(hrr, TLS13HelloRetryRequest): pass ciphersuite = hrr.cipher if hrr.ext: for e in hrr.ext: if isinstance(e, TLS_Ext_KeyShare_HRR): selected_group = e.selected_group if isinstance(e, TLS_Ext_SupportedVersion_SH): selected_version = e.version if not selected_group or not selected_version: raise self.CLOSE_NOTIFY() ext = [ TLS_Ext_SupportedVersion_CH( versions=[_tls_version[selected_version]]), # noqa: E501 TLS_Ext_SupportedGroups( groups=[_tls_named_groups[selected_group]]), # noqa: E501 TLS_Ext_KeyShare_CH( client_shares=[KeyShareEntry( group=selected_group)]), # noqa: E501 TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]) ] p = TLS13ClientHello(ciphers=ciphersuite, ext=ext) self.add_msg(p) raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello(self): # we have to use the legacy, plaintext TLS record here supported_groups = ["secp256r1", "secp384r1"] if conf.crypto_valid_advanced: supported_groups.append("x25519") self.add_record(is_tls13=False) ext = [ TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"]), TLS_Ext_SupportedGroups(groups=supported_groups), TLS_Ext_KeyShare_CH( client_shares=[KeyShareEntry(group=self.curve)]), # noqa: E501 TLS_Ext_SignatureAlgorithms( sig_algs=["sha256+rsaepss", "sha256+rsa"]) ] if self.client_hello: if not self.client_hello.ext: self.client_hello.ext = ext p = self.client_hello else: if self.ciphersuite is None: c = 0x1301 else: c = self.ciphersuite p = TLS13ClientHello(ciphers=c, ext=ext) self.add_msg(p) raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello(self): # we have to use the legacy, plaintext TLS record here supported_groups = ["secp256r1", "secp384r1"] if conf.crypto_valid_advanced: supported_groups.append("x25519") self.add_record(is_tls13=False) if self.client_hello: p = self.client_hello else: if self.ciphersuite is None: c = 0x1301 else: c = self.ciphersuite p = TLS13ClientHello(ciphers=c) ext = [] ext += TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"]) if self.cur_session.tls13_psk_secret: if self.tls13_psk_mode == "psk_dhe_ke": ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke") ext += TLS_Ext_SupportedGroups(groups=supported_groups) ext += TLS_Ext_KeyShare_CH( client_shares=[KeyShareEntry(group=self.curve)]) else: ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke") # RFC844, section 4.2.11. # "The "pre_shared_key" extension MUST be the last extension # in the ClientHello " hkdf = TLS13_HKDF("sha256") hash_len = hkdf.hash.digest_size psk_id = PSKIdentity(identity='Client_identity') # XXX see how to not pass binder as argument psk_binder_entry = PSKBinderEntry(binder_len=hash_len, binder=b"\x00" * hash_len) ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], binders=[psk_binder_entry]) else: ext += TLS_Ext_SupportedGroups(groups=supported_groups) ext += TLS_Ext_KeyShare_CH( client_shares=[KeyShareEntry(group=self.curve)]) ext += TLS_Ext_SignatureAlgorithms( sig_algs=["sha256+rsaepss", "sha256+rsa"]) p.ext = ext self.add_msg(p) raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello(self): # we have to use the legacy, plaintext TLS record here self.add_record(is_tls13=False) if self.client_hello: p = self.client_hello else: # When trying to connect to a public TLS 1.3 server, # you will most likely need to provide an SNI extension. # sn = ServerName(servername="<put server name here>") ext = [TLS_Ext_SupportedGroups(groups=["secp256r1"]), # TLS_Ext_ServerName(servernames=[sn]), TLS_Ext_KeyShare_CH(client_shares=[KeyShareEntry(group=23)]), # noqa: E501 TLS_Ext_SupportedVersions(versions=["TLS 1.3-d18"]), TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsapss", "sha256+rsa"])] p = TLSClientHello(ciphers=0x1301, ext=ext) self.add_msg(p) raise self.TLS13_ADDED_CLIENTHELLO()
async def get_sros_certificate(address, port, timeout=3): """ Function to connect to a SROS Node, simulate the TLS handshake, and get it's server certificate on the process. :param address: Address of the node. :param port: Port of the node. :param timeout: Timeout for the connection. :return: A tuple containing the address, port and certificate if found, otherwise, a tuple containing address, port and None. """ client_hello = TLS( version='TLS 1.0', msg=TLSClientHello( ciphers=[ 49200, 49196, 49202, 49198, 49199, 49195, 49201, 49197, 165, 163, 161, 159, 164, 162, 160, 158, 49192, 49188, 49172, 49162, 49194, 49190, 49167, 49157, 107, 106, 105, 104, 57, 56, 55, 54, 49191, 49187, 49171, 49161, 49193, 49189, 49166, 49156, 103, 64, 63, 62, 51, 50, 49, 48, 136, 135, 134, 133, 69, 68, 67, 66, 49170, 49160, 49165, 49155, 22, 19, 16, 13, 157, 156, 61, 53, 60, 47, 132, 65, 10, 255 ], comp=[0], gmt_unix_time=12345566, ext=[ TLS_Ext_SupportedGroups( groups=[23, 25, 28, 27, 24, 26, 22, 14, 13, 11, 12, 9, 10 ]), TLS_Ext_SupportedPointFormat(ecpl=[0, 1, 2]), TLS_Ext_SignatureAlgorithms(sig_algs=[ 1537, 1538, 1539, 1281, 1282, 1283, 1025, 1026, 1027, 769, 770, 771, 513, 514, 515 ]), TLS_Ext_Heartbeat(heartbeat_mode=1), TLS_Ext_Padding(padding=212 * b'\x00') ])) tls_header = b'\x16\x03\x03' server_hello_done = b'\x0e\x00\x00\x00' received_data = b'' is_sros = True writer = None try: conn = asyncio.open_connection(str(address), port, loop=asyncio.get_event_loop()) reader, writer = await asyncio.wait_for(conn, timeout=timeout) writer.write(bytes(client_hello)) await writer.drain() while received_data[-4:] != server_hello_done: received_data += await asyncio.wait_for(reader.read(1024), timeout=3) if received_data[:3] != tls_header: is_sros = False break except Exception as e: logger.error('[-] Error connecting to host ' + str(address) + ': ' + str(e) + '\n\tNot a SROS host') return address, port, None else: if is_sros: server_hello = TLS(received_data) cert = server_hello.payload.msg[0].certs[0][1] logger.warning('[+] SROS host found!!!') return address, port, cert finally: if writer: writer.close() await writer.wait_closed() return address, port, None
def tls13_should_add_ClientHello(self): # we have to use the legacy, plaintext TLS record here supported_groups = ["secp256r1", "secp384r1"] if conf.crypto_valid_advanced: supported_groups.append("x25519") self.add_record(is_tls13=False) if self.client_hello: p = self.client_hello else: if self.ciphersuite is None: c = 0x1301 else: c = self.ciphersuite p = TLS13ClientHello(ciphers=c) ext = [] ext += TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"]) s = self.cur_session if s.tls13_psk_secret: # Check if DHE is need (both for out of band and resumption PSK) if self.tls13_psk_mode == "psk_dhe_ke": ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke") ext += TLS_Ext_SupportedGroups(groups=supported_groups) ext += TLS_Ext_KeyShare_CH( client_shares=[KeyShareEntry(group=self.curve)]) else: ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke") # RFC844, section 4.2.11. # "The "pre_shared_key" extension MUST be the last extension # in the ClientHello " # Compute the pre_shared_key extension for resumption PSK if s.client_session_ticket: cs_cls = _tls_cipher_suites_cls[ s.tls13_ticket_ciphersuite] # noqa: E501 hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower()) hash_len = hkdf.hash.digest_size # We compute the client's view of the age of the ticket (ie # the time since the receipt of the ticket) in ms agems = int((time.time() - s.client_ticket_age) * 1000) # Then we compute the obfuscated version of the ticket age # by adding the "ticket_age_add" value included in the # ticket (modulo 2^32) obfuscated_age = ((agems + s.client_session_ticket_age_add) & 0xffffffff) psk_id = PSKIdentity(identity=s.client_session_ticket, obfuscated_ticket_age=obfuscated_age) psk_binder_entry = PSKBinderEntry(binder_len=hash_len, binder=b"\x00" * hash_len) ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], binders=[psk_binder_entry]) else: # Compute the pre_shared_key extension for out of band PSK # (SHA256 is used as default hash function for HKDF for out # of band PSK) hkdf = TLS13_HKDF("sha256") hash_len = hkdf.hash.digest_size psk_id = PSKIdentity(identity='Client_identity') # XXX see how to not pass binder as argument psk_binder_entry = PSKBinderEntry(binder_len=hash_len, binder=b"\x00" * hash_len) ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], binders=[psk_binder_entry]) else: ext += TLS_Ext_SupportedGroups(groups=supported_groups) ext += TLS_Ext_KeyShare_CH( client_shares=[KeyShareEntry(group=self.curve)]) ext += TLS_Ext_SignatureAlgorithms( sig_algs=["sha256+rsaepss", "sha256+rsa"]) p.ext = ext self.add_msg(p) raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello_Retry(self): s = self.cur_session s.tls13_retry = True # we have to use the legacy, plaintext TLS record here self.add_record(is_tls13=False) # We retrieve the group to be used and the selected version from the # previous message hrr = s.handshake_messages_parsed[-1] if isinstance(hrr, TLS13HelloRetryRequest): pass ciphersuite = hrr.cipher if hrr.ext: for e in hrr.ext: if isinstance(e, TLS_Ext_KeyShare_HRR): selected_group = e.selected_group if isinstance(e, TLS_Ext_SupportedVersion_SH): selected_version = e.version if not selected_group or not selected_version: raise self.CLOSE_NOTIFY() ext = [] ext += TLS_Ext_SupportedVersion_CH( versions=[_tls_version[selected_version]]) # noqa: E501 if s.tls13_psk_secret: if self.tls13_psk_mode == "psk_dhe_ke": ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"), ext += TLS_Ext_SupportedGroups( groups=[_tls_named_groups[selected_group]]) # noqa: E501 ext += TLS_Ext_KeyShare_CH(client_shares=[ KeyShareEntry(group=selected_group) ]) # noqa: E501 else: ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke") if s.client_session_ticket: # XXX Retrieve parameters from first ClientHello... cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite] hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower()) hash_len = hkdf.hash.digest_size # We compute the client's view of the age of the ticket (ie # the time since the receipt of the ticket) in ms agems = int((time.time() - s.client_ticket_age) * 1000) # Then we compute the obfuscated version of the ticket age by # adding the "ticket_age_add" value included in the ticket # (modulo 2^32) obfuscated_age = ((agems + s.client_session_ticket_age_add) & 0xffffffff) psk_id = PSKIdentity(identity=s.client_session_ticket, obfuscated_ticket_age=obfuscated_age) psk_binder_entry = PSKBinderEntry(binder_len=hash_len, binder=b"\x00" * hash_len) ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], binders=[psk_binder_entry]) else: hkdf = TLS13_HKDF("sha256") hash_len = hkdf.hash.digest_size psk_id = PSKIdentity(identity='Client_identity') psk_binder_entry = PSKBinderEntry(binder_len=hash_len, binder=b"\x00" * hash_len) ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id], binders=[psk_binder_entry]) else: ext += TLS_Ext_SupportedGroups( groups=[_tls_named_groups[selected_group]]) # noqa: E501 ext += TLS_Ext_KeyShare_CH(client_shares=[ KeyShareEntry(group=selected_group) ]) # noqa: E501 ext += TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"]) p = TLS13ClientHello(ciphers=ciphersuite, ext=ext) self.add_msg(p) raise self.TLS13_ADDED_CLIENTHELLO()