def tls13_should_add_ClientHello_Retry(self):
s = self.cur_session
s.tls13_retry = True
# we have to use the legacy, plaintext TLS record here
self.add_record(is_tls13=False)
# We retrieve the group to be used and the selected version from the
# previous message
hrr = s.handshake_messages_parsed[-1]
if isinstance(hrr, TLS13HelloRetryRequest):
pass
ciphersuite = hrr.cipher
if hrr.ext:
for e in hrr.ext:
if isinstance(e, TLS_Ext_KeyShare_HRR):
selected_group = e.selected_group
if isinstance(e, TLS_Ext_SupportedVersion_SH):
selected_version = e.version
if not selected_group or not selected_version:
raise self.CLOSE_NOTIFY()
ext = [
TLS_Ext_SupportedVersion_CH(
versions=[_tls_version[selected_version]]), # noqa: E501
TLS_Ext_SupportedGroups(
groups=[_tls_named_groups[selected_group]]), # noqa: E501
TLS_Ext_KeyShare_CH(
client_shares=[KeyShareEntry(
group=selected_group)]), # noqa: E501
TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"])
]
p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello(self):
# we have to use the legacy, plaintext TLS record here
supported_groups = ["secp256r1", "secp384r1"]
if conf.crypto_valid_advanced:
supported_groups.append("x25519")
self.add_record(is_tls13=False)
ext = [
TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"]),
TLS_Ext_SupportedGroups(groups=supported_groups),
TLS_Ext_KeyShare_CH(
client_shares=[KeyShareEntry(group=self.curve)]), # noqa: E501
TLS_Ext_SignatureAlgorithms(
sig_algs=["sha256+rsaepss", "sha256+rsa"])
]
if self.client_hello:
if not self.client_hello.ext:
self.client_hello.ext = ext
p = self.client_hello
else:
if self.ciphersuite is None:
c = 0x1301
else:
c = self.ciphersuite
p = TLS13ClientHello(ciphers=c, ext=ext)
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
def should_add_ClientHello(self):
if self.client_hello:
p = self.client_hello
else:
p = TLSClientHello()
# Add TLS_Ext_SignatureAlgorithms for TLS 1.2 ClientHello
if self.cur_session.advertised_tls_version == 0x0303:
p.ext = TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsa"])
self.add_msg(p)
raise self.ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello_Retry(self):
s = self.cur_session
s.tls13_retry = True
# we have to use the legacy, plaintext TLS record here
self.add_record(is_tls13=False)
# We retrieve the group to be used and the selected version from the
# previous message
hrr = s.handshake_messages_parsed[-1]
if isinstance(hrr, TLS13HelloRetryRequest):
pass
ciphersuite = hrr.cipher
if hrr.ext:
for e in hrr.ext:
if isinstance(e, TLS_Ext_KeyShare_HRR):
selected_group = e.selected_group
if isinstance(e, TLS_Ext_SupportedVersion_SH):
selected_version = e.version
if not selected_group or not selected_version:
raise self.CLOSE_NOTIFY()
ext = []
ext += TLS_Ext_SupportedVersion_CH(
versions=[_tls_version[selected_version]]) # noqa: E501
if s.tls13_psk_secret:
if self.tls13_psk_mode == "psk_dhe_ke":
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"),
ext += TLS_Ext_SupportedGroups(
groups=[_tls_named_groups[selected_group]]) # noqa: E501
ext += TLS_Ext_KeyShare_CH(client_shares=[
KeyShareEntry(group=selected_group)
]) # noqa: E501
else:
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")
hkdf = TLS13_HKDF("sha256")
hash_len = hkdf.hash.digest_size
psk_id = PSKIdentity(identity='Client_identity')
psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
binder=b"\x00" * hash_len)
ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
binders=[psk_binder_entry])
else:
ext += TLS_Ext_SupportedGroups(
groups=[_tls_named_groups[selected_group]]) # noqa: E501
ext += TLS_Ext_KeyShare_CH(client_shares=[
KeyShareEntry(group=selected_group)
]) # noqa: E501
ext += TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"])
p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello(self):
# we have to use the legacy, plaintext TLS record here
supported_groups = ["secp256r1", "secp384r1"]
if conf.crypto_valid_advanced:
supported_groups.append("x25519")
self.add_record(is_tls13=False)
if self.client_hello:
p = self.client_hello
else:
if self.ciphersuite is None:
c = 0x1301
else:
c = self.ciphersuite
p = TLS13ClientHello(ciphers=c)
ext = []
ext += TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])
if self.cur_session.tls13_psk_secret:
if self.tls13_psk_mode == "psk_dhe_ke":
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke")
ext += TLS_Ext_SupportedGroups(groups=supported_groups)
ext += TLS_Ext_KeyShare_CH(
client_shares=[KeyShareEntry(group=self.curve)])
else:
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")
# RFC844, section 4.2.11.
# "The "pre_shared_key" extension MUST be the last extension
# in the ClientHello "
hkdf = TLS13_HKDF("sha256")
hash_len = hkdf.hash.digest_size
psk_id = PSKIdentity(identity='Client_identity')
# XXX see how to not pass binder as argument
psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
binder=b"\x00" * hash_len)
ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
binders=[psk_binder_entry])
else:
ext += TLS_Ext_SupportedGroups(groups=supported_groups)
ext += TLS_Ext_KeyShare_CH(
client_shares=[KeyShareEntry(group=self.curve)])
ext += TLS_Ext_SignatureAlgorithms(
sig_algs=["sha256+rsaepss", "sha256+rsa"])
p.ext = ext
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello(self):
# we have to use the legacy, plaintext TLS record here
self.add_record(is_tls13=False)
if self.client_hello:
p = self.client_hello
else:
# When trying to connect to a public TLS 1.3 server,
# you will most likely need to provide an SNI extension.
# sn = ServerName(servername="<put server name here>")
ext = [TLS_Ext_SupportedGroups(groups=["secp256r1"]),
# TLS_Ext_ServerName(servernames=[sn]),
TLS_Ext_KeyShare_CH(client_shares=[KeyShareEntry(group=23)]), # noqa: E501
TLS_Ext_SupportedVersions(versions=["TLS 1.3-d18"]),
TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsapss",
"sha256+rsa"])]
p = TLSClientHello(ciphers=0x1301, ext=ext)
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
async def get_sros_certificate(address, port, timeout=3):
"""
Function to connect to a SROS Node, simulate the TLS handshake, and get it's server certificate on the process.
:param address: Address of the node.
:param port: Port of the node.
:param timeout: Timeout for the connection.
:return: A tuple containing the address, port and certificate if found, otherwise,
a tuple containing address, port and None.
"""
client_hello = TLS(
version='TLS 1.0',
msg=TLSClientHello(
ciphers=[
49200, 49196, 49202, 49198, 49199, 49195, 49201, 49197, 165,
163, 161, 159, 164, 162, 160, 158, 49192, 49188, 49172, 49162,
49194, 49190, 49167, 49157, 107, 106, 105, 104,
57, 56, 55, 54, 49191, 49187, 49171, 49161, 49193, 49189,
49166, 49156, 103, 64, 63, 62, 51, 50, 49, 48, 136, 135, 134,
133, 69, 68, 67, 66, 49170, 49160, 49165, 49155,
22, 19, 16, 13, 157, 156, 61, 53, 60, 47, 132, 65, 10, 255
],
comp=[0],
gmt_unix_time=12345566,
ext=[
TLS_Ext_SupportedGroups(
groups=[23, 25, 28, 27, 24, 26, 22, 14, 13, 11, 12, 9, 10
]),
TLS_Ext_SupportedPointFormat(ecpl=[0, 1, 2]),
TLS_Ext_SignatureAlgorithms(sig_algs=[
1537, 1538, 1539, 1281, 1282, 1283, 1025, 1026, 1027, 769,
770, 771, 513, 514, 515
]),
TLS_Ext_Heartbeat(heartbeat_mode=1),
TLS_Ext_Padding(padding=212 * b'\x00')
]))
tls_header = b'\x16\x03\x03'
server_hello_done = b'\x0e\x00\x00\x00'
received_data = b''
is_sros = True
writer = None
try:
conn = asyncio.open_connection(str(address),
port,
loop=asyncio.get_event_loop())
reader, writer = await asyncio.wait_for(conn, timeout=timeout)
writer.write(bytes(client_hello))
await writer.drain()
while received_data[-4:] != server_hello_done:
received_data += await asyncio.wait_for(reader.read(1024),
timeout=3)
if received_data[:3] != tls_header:
is_sros = False
break
except Exception as e:
logger.error('[-] Error connecting to host ' + str(address) + ': ' +
str(e) + '\n\tNot a SROS host')
return address, port, None
else:
if is_sros:
server_hello = TLS(received_data)
cert = server_hello.payload.msg[0].certs[0][1]
logger.warning('[+] SROS host found!!!')
return address, port, cert
finally:
if writer:
writer.close()
await writer.wait_closed()
return address, port, None
def tls13_should_add_ClientHello(self):
# we have to use the legacy, plaintext TLS record here
supported_groups = ["secp256r1", "secp384r1"]
if conf.crypto_valid_advanced:
supported_groups.append("x25519")
self.add_record(is_tls13=False)
if self.client_hello:
p = self.client_hello
else:
if self.ciphersuite is None:
c = 0x1301
else:
c = self.ciphersuite
p = TLS13ClientHello(ciphers=c)
ext = []
ext += TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])
s = self.cur_session
if s.tls13_psk_secret:
# Check if DHE is need (both for out of band and resumption PSK)
if self.tls13_psk_mode == "psk_dhe_ke":
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke")
ext += TLS_Ext_SupportedGroups(groups=supported_groups)
ext += TLS_Ext_KeyShare_CH(
client_shares=[KeyShareEntry(group=self.curve)])
else:
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")
# RFC844, section 4.2.11.
# "The "pre_shared_key" extension MUST be the last extension
# in the ClientHello "
# Compute the pre_shared_key extension for resumption PSK
if s.client_session_ticket:
cs_cls = _tls_cipher_suites_cls[
s.tls13_ticket_ciphersuite] # noqa: E501
hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower())
hash_len = hkdf.hash.digest_size
# We compute the client's view of the age of the ticket (ie
# the time since the receipt of the ticket) in ms
agems = int((time.time() - s.client_ticket_age) * 1000)
# Then we compute the obfuscated version of the ticket age
# by adding the "ticket_age_add" value included in the
# ticket (modulo 2^32)
obfuscated_age = ((agems + s.client_session_ticket_age_add)
& 0xffffffff)
psk_id = PSKIdentity(identity=s.client_session_ticket,
obfuscated_ticket_age=obfuscated_age)
psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
binder=b"\x00" * hash_len)
ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
binders=[psk_binder_entry])
else:
# Compute the pre_shared_key extension for out of band PSK
# (SHA256 is used as default hash function for HKDF for out
# of band PSK)
hkdf = TLS13_HKDF("sha256")
hash_len = hkdf.hash.digest_size
psk_id = PSKIdentity(identity='Client_identity')
# XXX see how to not pass binder as argument
psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
binder=b"\x00" * hash_len)
ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
binders=[psk_binder_entry])
else:
ext += TLS_Ext_SupportedGroups(groups=supported_groups)
ext += TLS_Ext_KeyShare_CH(
client_shares=[KeyShareEntry(group=self.curve)])
ext += TLS_Ext_SignatureAlgorithms(
sig_algs=["sha256+rsaepss", "sha256+rsa"])
p.ext = ext
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_ClientHello_Retry(self):
s = self.cur_session
s.tls13_retry = True
# we have to use the legacy, plaintext TLS record here
self.add_record(is_tls13=False)
# We retrieve the group to be used and the selected version from the
# previous message
hrr = s.handshake_messages_parsed[-1]
if isinstance(hrr, TLS13HelloRetryRequest):
pass
ciphersuite = hrr.cipher
if hrr.ext:
for e in hrr.ext:
if isinstance(e, TLS_Ext_KeyShare_HRR):
selected_group = e.selected_group
if isinstance(e, TLS_Ext_SupportedVersion_SH):
selected_version = e.version
if not selected_group or not selected_version:
raise self.CLOSE_NOTIFY()
ext = []
ext += TLS_Ext_SupportedVersion_CH(
versions=[_tls_version[selected_version]]) # noqa: E501
if s.tls13_psk_secret:
if self.tls13_psk_mode == "psk_dhe_ke":
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"),
ext += TLS_Ext_SupportedGroups(
groups=[_tls_named_groups[selected_group]]) # noqa: E501
ext += TLS_Ext_KeyShare_CH(client_shares=[
KeyShareEntry(group=selected_group)
]) # noqa: E501
else:
ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")
if s.client_session_ticket:
# XXX Retrieve parameters from first ClientHello...
cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite]
hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower())
hash_len = hkdf.hash.digest_size
# We compute the client's view of the age of the ticket (ie
# the time since the receipt of the ticket) in ms
agems = int((time.time() - s.client_ticket_age) * 1000)
# Then we compute the obfuscated version of the ticket age by
# adding the "ticket_age_add" value included in the ticket
# (modulo 2^32)
obfuscated_age = ((agems + s.client_session_ticket_age_add)
& 0xffffffff)
psk_id = PSKIdentity(identity=s.client_session_ticket,
obfuscated_ticket_age=obfuscated_age)
psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
binder=b"\x00" * hash_len)
ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
binders=[psk_binder_entry])
else:
hkdf = TLS13_HKDF("sha256")
hash_len = hkdf.hash.digest_size
psk_id = PSKIdentity(identity='Client_identity')
psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
binder=b"\x00" * hash_len)
ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
binders=[psk_binder_entry])
else:
ext += TLS_Ext_SupportedGroups(
groups=[_tls_named_groups[selected_group]]) # noqa: E501
ext += TLS_Ext_KeyShare_CH(client_shares=[
KeyShareEntry(group=selected_group)
]) # noqa: E501
ext += TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"])
p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
self.add_msg(p)
raise self.TLS13_ADDED_CLIENTHELLO()
def tls13_should_add_CertificateRequest(self):
if self.client_auth:
ext = [TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"])]
p = TLS13CertificateRequest(ext=ext)
self.add_msg(p)
raise self.tls13_ADDED_CERTIFICATEREQUEST()