def sslv2_should_add_RequestCertificate(self):
hs_msg = [type(m) for m in self.cur_session.handshake_messages_parsed]
if not self.client_auth or SSLv2RequestCertificate in hs_msg:
return
self.add_record(is_sslv2=True)
self.add_msg(SSLv2RequestCertificate(challenge=randstring(16)))
raise self.SSLv2_ADDED_REQUESTCERTIFICATE()
def sslv2_should_add_ServerHello(self):
self.add_record(is_sslv2=True)
cert = self.mycert
ciphers = [0x010080, 0x020080, 0x030080, 0x040080,
0x050080, 0x060040, 0x0700C0]
connection_id = randstring(16)
p = SSLv2ServerHello(cert=cert,
ciphers=ciphers,
connection_id=connection_id)
self.add_msg(p)
raise self.SSLv2_ADDED_SERVERHELLO()
def sslv2_should_add_ClientHello(self):
self.add_record(is_sslv2=True)
p = self.client_hello or SSLv2ClientHello(challenge=randstring(16))
self.add_msg(p)
raise self.SSLv2_ADDED_CLIENTHELLO()
def post_build(self, pkt, pay):
"""
Apply the previous methods according to the writing cipher type.
"""
# Compute the length of TLSPlaintext fragment
hdr, frag = pkt[:5], pkt[5:]
tmp_len = len(frag)
hdr = hdr[:3] + struct.pack("!H", tmp_len)
# Compression
cfrag = self._tls_compress(frag)
tmp_len = len(cfrag) # Update the length as a result of compression
hdr = hdr[:3] + struct.pack("!H", tmp_len)
cipher_type = self.tls_session.wcs.cipher.type
if cipher_type == 'block':
# Integrity
mfrag = self._tls_hmac_add(hdr, cfrag)
# Excerpt below better corresponds to TLS 1.1 IV definition,
# but the result is the same as with TLS 1.2 anyway.
# if self.version >= 0x0302:
# l = self.tls_session.wcs.cipher.block_size
# iv = randstring(l)
# mfrag = iv + mfrag
# Add padding
pfrag = self._tls_pad(mfrag)
# Encryption
if self.version >= 0x0302:
# Explicit IV for TLS 1.1 and 1.2
tmp_len = self.tls_session.wcs.cipher.block_size
iv = randstring(tmp_len)
self.tls_session.wcs.cipher.iv = iv
efrag = self._tls_encrypt(pfrag)
efrag = iv + efrag
else:
# Implicit IV for SSLv3 and TLS 1.0
efrag = self._tls_encrypt(pfrag)
elif cipher_type == "stream":
# Integrity
mfrag = self._tls_hmac_add(hdr, cfrag)
# Encryption
efrag = self._tls_encrypt(mfrag)
elif cipher_type == "aead":
# Authenticated encryption (with nonce_explicit as header)
efrag = self._tls_auth_encrypt(cfrag)
if self.len is not None:
# The user gave us a 'len', let's respect this ultimately
hdr = hdr[:3] + struct.pack("!H", self.len)
else:
# Update header with the length of TLSCiphertext.fragment
hdr = hdr[:3] + struct.pack("!H", len(efrag))
# Now we commit the pending write state if it has been triggered (e.g.
# by an underlying TLSChangeCipherSpec or a SSLv2ClientMasterKey). We
# update nothing if the pwcs was not set. This probably means that
# we're working out-of-context (and we need to keep the default wcs).
if self.tls_session.triggered_pwcs_commit:
if self.tls_session.pwcs is not None:
self.tls_session.wcs = self.tls_session.pwcs
self.tls_session.pwcs = None
self.tls_session.triggered_pwcs_commit = False
return hdr + efrag + pay
def post_build(self, pkt, pay):
cs_val = None
if self.cipher is None:
common_cs = self.tls_session.sslv2_common_cs
cs_vals = get_usable_ciphersuites(common_cs, "SSLv2")
if len(cs_vals) == 0:
warning("No known common cipher suite between SSLv2 Hellos.")
cs_val = 0x0700c0
cipher = b"\x07\x00\xc0"
else:
cs_val = cs_vals[0] # XXX choose the best one
cipher = struct.pack(">BH", cs_val >> 16, cs_val & 0x00ffff)
cs_cls = _tls_cipher_suites_cls[cs_val]
self.cipher = cs_val
else:
cipher = pkt[1:4]
cs_val = struct.unpack("!I", b"\x00" + cipher)[0]
if cs_val not in _tls_cipher_suites_cls:
warning("Unknown ciphersuite %d from ClientMasterKey" % cs_val)
cs_cls = None
else:
cs_cls = _tls_cipher_suites_cls[cs_val]
if cs_cls:
if (self.encryptedkey == b"" and
len(self.tls_session.server_certs) > 0):
# else, the user is responsible for export slicing & encryption
key = randstring(cs_cls.cipher_alg.key_len)
if self.clearkey == b"" and cs_cls.kx_alg.export:
self.clearkey = key[:-5]
if self.decryptedkey == b"":
if cs_cls.kx_alg.export:
self.decryptedkey = key[-5:]
else:
self.decryptedkey = key
pubkey = self.tls_session.server_certs[0].pubKey
self.encryptedkey = pubkey.encrypt(self.decryptedkey)
if self.keyarg == b"" and cs_cls.cipher_alg.type == "block":
self.keyarg = randstring(cs_cls.cipher_alg.block_size)
clearkey = self.clearkey or b""
if self.clearkeylen is None:
self.clearkeylen = len(clearkey)
clearkeylen = struct.pack("!H", self.clearkeylen)
encryptedkey = self.encryptedkey or b""
if self.encryptedkeylen is None:
self.encryptedkeylen = len(encryptedkey)
encryptedkeylen = struct.pack("!H", self.encryptedkeylen)
keyarg = self.keyarg or b""
if self.keyarglen is None:
self.keyarglen = len(keyarg)
keyarglen = struct.pack("!H", self.keyarglen)
s = (chb(pkt[0]) + cipher
+ clearkeylen + encryptedkeylen + keyarglen
+ clearkey + encryptedkey + keyarg)
return s + pay
def sslv2_should_add_ServerFinished(self):
self.add_record(is_sslv2=True)
self.add_msg(SSLv2ServerFinished(sid=randstring(16)))
raise self.SSLv2_ADDED_SERVERFINISHED()
def post_build(self, pkt, pay):
cs_val = None
if self.cipher is None:
common_cs = self.tls_session.sslv2_common_cs
cs_vals = get_usable_ciphersuites(common_cs, "SSLv2")
if len(cs_vals) == 0:
warning("No known common cipher suite between SSLv2 Hellos.")
cs_val = 0x0700c0
cipher = b"\x07\x00\xc0"
else:
cs_val = cs_vals[0] # XXX choose the best one
cipher = struct.pack(">BH", cs_val >> 16, cs_val & 0x00ffff)
cs_cls = _tls_cipher_suites_cls[cs_val]
self.cipher = cs_val
else:
cipher = pkt[1:4]
cs_val = struct.unpack("!I", b"\x00" + cipher)[0]
if cs_val not in _tls_cipher_suites_cls:
warning("Unknown ciphersuite %d from ClientMasterKey" % cs_val)
cs_cls = None
else:
cs_cls = _tls_cipher_suites_cls[cs_val]
if cs_cls:
if (self.encryptedkey == b"" and
len(self.tls_session.server_certs) > 0):
# else, the user is responsible for export slicing & encryption
key = randstring(cs_cls.cipher_alg.key_len)
if self.clearkey == b"" and cs_cls.kx_alg.export:
self.clearkey = key[:-5]
if self.decryptedkey == b"":
if cs_cls.kx_alg.export:
self.decryptedkey = key[-5:]
else:
self.decryptedkey = key
pubkey = self.tls_session.server_certs[0].pubKey
self.encryptedkey = pubkey.encrypt(self.decryptedkey)
if self.keyarg == b"" and cs_cls.cipher_alg.type == "block":
self.keyarg = randstring(cs_cls.cipher_alg.block_size)
clearkey = self.clearkey or b""
if self.clearkeylen is None:
self.clearkeylen = len(clearkey)
clearkeylen = struct.pack("!H", self.clearkeylen)
encryptedkey = self.encryptedkey or b""
if self.encryptedkeylen is None:
self.encryptedkeylen = len(encryptedkey)
encryptedkeylen = struct.pack("!H", self.encryptedkeylen)
keyarg = self.keyarg or b""
if self.keyarglen is None:
self.keyarglen = len(keyarg)
keyarglen = struct.pack("!H", self.keyarglen)
s = (chb(pkt[0]) + cipher +
clearkeylen + encryptedkeylen + keyarglen +
clearkey + encryptedkey + keyarg)
return s + pay
def post_build(self, pkt, pay):
"""
Apply the previous methods according to the writing cipher type.
"""
# Compute the length of TLSPlaintext fragment
hdr, frag = pkt[:5], pkt[5:]
tmp_len = len(frag)
hdr = hdr[:3] + struct.pack("!H", tmp_len)
# Compression
cfrag = self._tls_compress(frag)
tmp_len = len(cfrag) # Update the length as a result of compression
hdr = hdr[:3] + struct.pack("!H", tmp_len)
cipher_type = self.tls_session.wcs.cipher.type
if cipher_type == 'block':
# Integrity
mfrag = self._tls_hmac_add(hdr, cfrag)
# Excerpt below better corresponds to TLS 1.1 IV definition,
# but the result is the same as with TLS 1.2 anyway.
# if self.version >= 0x0302:
# l = self.tls_session.wcs.cipher.block_size
# iv = randstring(l)
# mfrag = iv + mfrag
# Add padding
pfrag = self._tls_pad(mfrag)
# Encryption
if self.version >= 0x0302:
# Explicit IV for TLS 1.1 and 1.2
tmp_len = self.tls_session.wcs.cipher.block_size
iv = randstring(tmp_len)
self.tls_session.wcs.cipher.iv = iv
efrag = self._tls_encrypt(pfrag)
efrag = iv + efrag
else:
# Implicit IV for SSLv3 and TLS 1.0
efrag = self._tls_encrypt(pfrag)
elif cipher_type == "stream":
# Integrity
mfrag = self._tls_hmac_add(hdr, cfrag)
# Encryption
efrag = self._tls_encrypt(mfrag)
elif cipher_type == "aead":
# Authenticated encryption (with nonce_explicit as header)
efrag = self._tls_auth_encrypt(cfrag)
if self.len is not None:
# The user gave us a 'len', let's respect this ultimately
hdr = hdr[:3] + struct.pack("!H", self.len)
else:
# Update header with the length of TLSCiphertext.fragment
hdr = hdr[:3] + struct.pack("!H", len(efrag))
# Now we commit the pending write state if it has been triggered (e.g.
# by an underlying TLSChangeCipherSpec or a SSLv2ClientMasterKey). We
# update nothing if the pwcs was not set. This probably means that
# we're working out-of-context (and we need to keep the default wcs).
if self.tls_session.triggered_pwcs_commit:
if self.tls_session.pwcs is not None:
self.tls_session.wcs = self.tls_session.pwcs
self.tls_session.pwcs = None
self.tls_session.triggered_pwcs_commit = False
return hdr + efrag + pay
def sslv2_should_add_ServerFinished(self):
self.add_record(is_sslv2=True)
self.add_msg(SSLv2ServerFinished(sid=randstring(16)))
raise self.SSLv2_ADDED_SERVERFINISHED()
def sslv2_should_add_ClientHello(self):
self.add_record(is_sslv2=True)
p = self.client_hello or SSLv2ClientHello(challenge=randstring(16))
self.add_msg(p)
raise self.SSLv2_ADDED_CLIENTHELLO()
