예제 #1
0
    def tls13_should_add_ClientHello_Retry(self):
        s = self.cur_session
        s.tls13_retry = True
        # we have to use the legacy, plaintext TLS record here
        self.add_record(is_tls13=False)
        # We retrieve the group to be used and the selected version from the
        # previous message
        hrr = s.handshake_messages_parsed[-1]
        if isinstance(hrr, TLS13HelloRetryRequest):
            pass
        ciphersuite = hrr.cipher
        if hrr.ext:
            for e in hrr.ext:
                if isinstance(e, TLS_Ext_KeyShare_HRR):
                    selected_group = e.selected_group
                if isinstance(e, TLS_Ext_SupportedVersion_SH):
                    selected_version = e.version
        if not selected_group or not selected_version:
            raise self.CLOSE_NOTIFY()

        ext = []
        ext += TLS_Ext_SupportedVersion_CH(
            versions=[_tls_version[selected_version]])  # noqa: E501

        if s.tls13_psk_secret:
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"),
                ext += TLS_Ext_SupportedGroups(
                    groups=[_tls_named_groups[selected_group]])  # noqa: E501
                ext += TLS_Ext_KeyShare_CH(client_shares=[
                    KeyShareEntry(group=selected_group)
                ])  # noqa: E501
            else:
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")

            hkdf = TLS13_HKDF("sha256")
            hash_len = hkdf.hash.digest_size
            psk_id = PSKIdentity(identity='Client_identity')
            psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                              binder=b"\x00" * hash_len)

            ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                           binders=[psk_binder_entry])

        else:
            ext += TLS_Ext_SupportedGroups(
                groups=[_tls_named_groups[selected_group]])  # noqa: E501
            ext += TLS_Ext_KeyShare_CH(client_shares=[
                KeyShareEntry(group=selected_group)
            ])  # noqa: E501
            ext += TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"])

        p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
        self.add_msg(p)
        raise self.TLS13_ADDED_CLIENTHELLO()
예제 #2
0
    def tls13_should_add_ServerHello(self):

        psk_identity = None
        psk_key_exchange_mode = None
        obfuscated_age = None
        # XXX check ClientHello extensions...
        for m in reversed(self.cur_session.handshake_messages_parsed):
            if isinstance(m, (TLS13ClientHello, TLSClientHello)):
                for e in m.ext:
                    if isinstance(e, TLS_Ext_PreSharedKey_CH):
                        psk_identity = e.identities[0].identity
                        obfuscated_age = e.identities[0].obfuscated_ticket_age
                        # binder = e.binders[0].binder

                        # For out-of-bound PSK, obfuscated_ticket_age should be
                        # 0. We use this field to distinguish between out-of-
                        # bound PSK and resumed PSK
                        is_out_of_band_psk = (obfuscated_age == 0)

                    if isinstance(e, TLS_Ext_PSKKeyExchangeModes):
                        psk_key_exchange_mode = e.kxmodes[0]

        if isinstance(self.mykey, PrivKeyRSA):
            kx = "RSA"
        elif isinstance(self.mykey, PrivKeyECDSA):
            kx = "ECDSA"
        usable_suites = get_usable_ciphersuites(self.cur_pkt.ciphers, kx)
        c = usable_suites[0]
        group = next(iter(self.cur_session.tls13_client_pubshares))
        ext = [TLS_Ext_SupportedVersion_SH(version="TLS 1.3")]
        if (psk_identity and obfuscated_age and psk_key_exchange_mode):
            s = self.cur_session
            if is_out_of_band_psk:
                # Handshake with external PSK authentication
                # XXX test that self.psk_secret is set
                s.tls13_psk_secret = binascii.unhexlify(self.psk_secret)
                # 0: "psk_ke"
                # 1: "psk_dhe_ke"
                if psk_key_exchange_mode == 1:
                    server_kse = KeyShareEntry(group=group)
                    ext += TLS_Ext_KeyShare_SH(server_share=server_kse)
                ext += TLS_Ext_PreSharedKey_SH(selected_identity=0)
        else:
            # Standard Handshake
            ext += TLS_Ext_KeyShare_SH(server_share=KeyShareEntry(group=group))

        if self.cur_session.sid is not None:
            p = TLS13ServerHello(cipher=c, sid=self.cur_session.sid, ext=ext)
        else:
            p = TLS13ServerHello(cipher=c, ext=ext)
        self.add_msg(p)
        raise self.tls13_ADDED_SERVERHELLO()
예제 #3
0
 def tls13_should_add_ClientHello_Retry(self):
     s = self.cur_session
     s.tls13_retry = True
     # we have to use the legacy, plaintext TLS record here
     self.add_record(is_tls13=False)
     # We retrieve the group to be used and the selected version from the
     # previous message
     hrr = s.handshake_messages_parsed[-1]
     if isinstance(hrr, TLS13HelloRetryRequest):
         pass
     ciphersuite = hrr.cipher
     if hrr.ext:
         for e in hrr.ext:
             if isinstance(e, TLS_Ext_KeyShare_HRR):
                 selected_group = e.selected_group
             if isinstance(e, TLS_Ext_SupportedVersion_SH):
                 selected_version = e.version
     if not selected_group or not selected_version:
         raise self.CLOSE_NOTIFY()
     ext = [
         TLS_Ext_SupportedVersion_CH(
             versions=[_tls_version[selected_version]]),  # noqa: E501
         TLS_Ext_SupportedGroups(
             groups=[_tls_named_groups[selected_group]]),  # noqa: E501
         TLS_Ext_KeyShare_CH(
             client_shares=[KeyShareEntry(
                 group=selected_group)]),  # noqa: E501
         TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"])
     ]
     p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
     self.add_msg(p)
     raise self.TLS13_ADDED_CLIENTHELLO()
예제 #4
0
 def tls13_should_add_ClientHello(self):
     # we have to use the legacy, plaintext TLS record here
     supported_groups = ["secp256r1", "secp384r1"]
     if conf.crypto_valid_advanced:
         supported_groups.append("x25519")
     self.add_record(is_tls13=False)
     ext = [
         TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"]),
         TLS_Ext_SupportedGroups(groups=supported_groups),
         TLS_Ext_KeyShare_CH(
             client_shares=[KeyShareEntry(group=self.curve)]),  # noqa: E501
         TLS_Ext_SignatureAlgorithms(
             sig_algs=["sha256+rsaepss", "sha256+rsa"])
     ]
     if self.client_hello:
         if not self.client_hello.ext:
             self.client_hello.ext = ext
         p = self.client_hello
     else:
         if self.ciphersuite is None:
             c = 0x1301
         else:
             c = self.ciphersuite
         p = TLS13ClientHello(ciphers=c, ext=ext)
     self.add_msg(p)
     raise self.TLS13_ADDED_CLIENTHELLO()
예제 #5
0
    def tls13_should_add_ClientHello(self):
        # we have to use the legacy, plaintext TLS record here
        supported_groups = ["secp256r1", "secp384r1"]
        if conf.crypto_valid_advanced:
            supported_groups.append("x25519")
        self.add_record(is_tls13=False)
        if self.client_hello:
            p = self.client_hello
        else:
            if self.ciphersuite is None:
                c = 0x1301
            else:
                c = self.ciphersuite
            p = TLS13ClientHello(ciphers=c)

        ext = []
        ext += TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])

        if self.cur_session.tls13_psk_secret:
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke")
                ext += TLS_Ext_SupportedGroups(groups=supported_groups)
                ext += TLS_Ext_KeyShare_CH(
                    client_shares=[KeyShareEntry(group=self.curve)])
            else:
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")
            # RFC844, section 4.2.11.
            # "The "pre_shared_key" extension MUST be the last extension
            # in the ClientHello "
            hkdf = TLS13_HKDF("sha256")
            hash_len = hkdf.hash.digest_size
            psk_id = PSKIdentity(identity='Client_identity')
            # XXX see how to not pass binder as argument
            psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                              binder=b"\x00" * hash_len)

            ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                           binders=[psk_binder_entry])
        else:
            ext += TLS_Ext_SupportedGroups(groups=supported_groups)
            ext += TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=self.curve)])
            ext += TLS_Ext_SignatureAlgorithms(
                sig_algs=["sha256+rsaepss", "sha256+rsa"])
        p.ext = ext
        self.add_msg(p)
        raise self.TLS13_ADDED_CLIENTHELLO()
예제 #6
0
    def tls13_should_add_ServerHello(self):
        if isinstance(self.mykey, PrivKeyRSA):
            kx = "RSA"
        elif isinstance(self.mykey, PrivKeyECDSA):
            kx = "ECDSA"
        usable_suites = get_usable_ciphersuites(self.cur_pkt.ciphers, kx)
        c = usable_suites[0]
        group = next(iter(self.cur_session.tls13_client_pubshares))
        ext = [TLS_Ext_SupportedVersion_SH(version="TLS 1.3")]
        ext += TLS_Ext_KeyShare_SH(server_share=KeyShareEntry(group=group))

        if self.cur_session.sid is not None:
            p = TLS13ServerHello(cipher=c, sid=self.cur_session.sid, ext=ext)
        else:
            p = TLS13ServerHello(cipher=c, ext=ext)
        self.add_msg(p)
        raise self.tls13_ADDED_SERVERHELLO()
예제 #7
0
 def tls13_should_add_ClientHello(self):
     # we have to use the legacy, plaintext TLS record here
     self.add_record(is_tls13=False)
     if self.client_hello:
         p = self.client_hello
     else:
         # When trying to connect to a public TLS 1.3 server,
         # you will most likely need to provide an SNI extension.
         # sn = ServerName(servername="<put server name here>")
         ext = [TLS_Ext_SupportedGroups(groups=["secp256r1"]),
                # TLS_Ext_ServerName(servernames=[sn]),
                TLS_Ext_KeyShare_CH(client_shares=[KeyShareEntry(group=23)]),  # noqa: E501
                TLS_Ext_SupportedVersions(versions=["TLS 1.3-d18"]),
                TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsapss",
                                                      "sha256+rsa"])]
         p = TLSClientHello(ciphers=0x1301, ext=ext)
     self.add_msg(p)
     raise self.TLS13_ADDED_CLIENTHELLO()
예제 #8
0
    def tls13_should_add_ClientHello(self):
        # we have to use the legacy, plaintext TLS record here
        supported_groups = ["secp256r1", "secp384r1"]
        if conf.crypto_valid_advanced:
            supported_groups.append("x25519")
        self.add_record(is_tls13=False)
        if self.client_hello:
            p = self.client_hello
        else:
            if self.ciphersuite is None:
                c = 0x1301
            else:
                c = self.ciphersuite
            p = TLS13ClientHello(ciphers=c)

        ext = []
        ext += TLS_Ext_SupportedVersion_CH(versions=["TLS 1.3"])

        s = self.cur_session

        if s.tls13_psk_secret:
            # Check if DHE is need (both for out of band and resumption PSK)
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke")
                ext += TLS_Ext_SupportedGroups(groups=supported_groups)
                ext += TLS_Ext_KeyShare_CH(
                    client_shares=[KeyShareEntry(group=self.curve)])
            else:
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")

            # RFC844, section 4.2.11.
            # "The "pre_shared_key" extension MUST be the last extension
            # in the ClientHello "
            # Compute the pre_shared_key extension for resumption PSK
            if s.client_session_ticket:
                cs_cls = _tls_cipher_suites_cls[
                    s.tls13_ticket_ciphersuite]  # noqa: E501
                hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower())
                hash_len = hkdf.hash.digest_size
                # We compute the client's view of the age of the ticket (ie
                # the time since the receipt of the ticket) in ms
                agems = int((time.time() - s.client_ticket_age) * 1000)
                # Then we compute the obfuscated version of the ticket age
                # by adding the "ticket_age_add" value included in the
                # ticket (modulo 2^32)
                obfuscated_age = ((agems + s.client_session_ticket_age_add)
                                  & 0xffffffff)

                psk_id = PSKIdentity(identity=s.client_session_ticket,
                                     obfuscated_ticket_age=obfuscated_age)

                psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                                  binder=b"\x00" * hash_len)

                ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                               binders=[psk_binder_entry])
            else:
                # Compute the pre_shared_key extension for out of band PSK
                # (SHA256 is used as default hash function for HKDF for out
                # of band PSK)
                hkdf = TLS13_HKDF("sha256")
                hash_len = hkdf.hash.digest_size
                psk_id = PSKIdentity(identity='Client_identity')
                # XXX see how to not pass binder as argument
                psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                                  binder=b"\x00" * hash_len)

                ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                               binders=[psk_binder_entry])
        else:
            ext += TLS_Ext_SupportedGroups(groups=supported_groups)
            ext += TLS_Ext_KeyShare_CH(
                client_shares=[KeyShareEntry(group=self.curve)])
            ext += TLS_Ext_SignatureAlgorithms(
                sig_algs=["sha256+rsaepss", "sha256+rsa"])
        p.ext = ext
        self.add_msg(p)
        raise self.TLS13_ADDED_CLIENTHELLO()
예제 #9
0
    def tls13_should_add_ClientHello_Retry(self):
        s = self.cur_session
        s.tls13_retry = True
        # we have to use the legacy, plaintext TLS record here
        self.add_record(is_tls13=False)
        # We retrieve the group to be used and the selected version from the
        # previous message
        hrr = s.handshake_messages_parsed[-1]
        if isinstance(hrr, TLS13HelloRetryRequest):
            pass
        ciphersuite = hrr.cipher
        if hrr.ext:
            for e in hrr.ext:
                if isinstance(e, TLS_Ext_KeyShare_HRR):
                    selected_group = e.selected_group
                if isinstance(e, TLS_Ext_SupportedVersion_SH):
                    selected_version = e.version
        if not selected_group or not selected_version:
            raise self.CLOSE_NOTIFY()

        ext = []
        ext += TLS_Ext_SupportedVersion_CH(
            versions=[_tls_version[selected_version]])  # noqa: E501

        if s.tls13_psk_secret:
            if self.tls13_psk_mode == "psk_dhe_ke":
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_dhe_ke"),
                ext += TLS_Ext_SupportedGroups(
                    groups=[_tls_named_groups[selected_group]])  # noqa: E501
                ext += TLS_Ext_KeyShare_CH(client_shares=[
                    KeyShareEntry(group=selected_group)
                ])  # noqa: E501
            else:
                ext += TLS_Ext_PSKKeyExchangeModes(kxmodes="psk_ke")

            if s.client_session_ticket:

                # XXX Retrieve parameters from first ClientHello...
                cs_cls = _tls_cipher_suites_cls[s.tls13_ticket_ciphersuite]
                hkdf = TLS13_HKDF(cs_cls.hash_alg.name.lower())
                hash_len = hkdf.hash.digest_size

                # We compute the client's view of the age of the ticket (ie
                # the time since the receipt of the ticket) in ms
                agems = int((time.time() - s.client_ticket_age) * 1000)

                # Then we compute the obfuscated version of the ticket age by
                # adding the "ticket_age_add" value included in the ticket
                # (modulo 2^32)
                obfuscated_age = ((agems + s.client_session_ticket_age_add)
                                  & 0xffffffff)

                psk_id = PSKIdentity(identity=s.client_session_ticket,
                                     obfuscated_ticket_age=obfuscated_age)

                psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                                  binder=b"\x00" * hash_len)

                ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                               binders=[psk_binder_entry])
            else:
                hkdf = TLS13_HKDF("sha256")
                hash_len = hkdf.hash.digest_size
                psk_id = PSKIdentity(identity='Client_identity')
                psk_binder_entry = PSKBinderEntry(binder_len=hash_len,
                                                  binder=b"\x00" * hash_len)

                ext += TLS_Ext_PreSharedKey_CH(identities=[psk_id],
                                               binders=[psk_binder_entry])

        else:
            ext += TLS_Ext_SupportedGroups(
                groups=[_tls_named_groups[selected_group]])  # noqa: E501
            ext += TLS_Ext_KeyShare_CH(client_shares=[
                KeyShareEntry(group=selected_group)
            ])  # noqa: E501
            ext += TLS_Ext_SignatureAlgorithms(sig_algs=["sha256+rsaepss"])

        p = TLS13ClientHello(ciphers=ciphersuite, ext=ext)
        self.add_msg(p)
        raise self.TLS13_ADDED_CLIENTHELLO()