Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

@jeremie1112

jeremie1112/tlsdiff.patch

Created November 3, 2018 16:56
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jeremie1112/6221e8311fc60ad81e7551e604440552 to your computer and use it in GitHub Desktop.
Save jeremie1112/6221e8311fc60ad81e7551e604440552 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
tlsdiff.patch
diff --git a/nselib/tls.lua b/nselib/tls.lua
index e57a87f1e..a013bf653 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -28,10 +28,11 @@ PROTOCOLS = {
["SSLv3"] = 0x0300,
["TLSv1.0"] = 0x0301,
["TLSv1.1"] = 0x0302,
- ["TLSv1.2"] = 0x0303
+ ["TLSv1.2"] = 0x0303,
+ ["TLSv1.3"] = 0x0304
}
-HIGHEST_PROTOCOL = "TLSv1.2"
+HIGHEST_PROTOCOL = "TLSv1.3"
--
-- TLS Record Types
--
@@ -234,6 +235,10 @@ EXTENSIONS = {
["token_binding"] = 24, -- Temporary, expires 2018-02-04
["cached_info"] = 25, -- rfc7924
["SessionTicket TLS"] = 35,
+ ["supported_versions"] = 43, -- rfc8443 For TLSv1.3
+ --["cookie"] = 44,
+ ["psk_key_exchange_modes"] = 45,
+ ["key_share"] = 51, -- rfc8443 For TLSv1.3
["next_protocol_negotiation"] = 13172,
["renegotiation_info"] = 65281,
}
@@ -476,6 +481,11 @@ CIPHERS = {
["TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C3,
["TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C4,
["TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C5,
+["TLS13_AES_128_GCM_SHA256"] = 0x1301, --TLSv1.3
+["TLS13_AES_256_GCM_SHA384"] = 0x1302, --TLSv1.3
+["TLS13_CHACHA20_POLY1305_SHA256"] = 0x1303, --TLSv1.3
+["TLS_AES_128_CCM_SHA256"] = 0x1304, --TLSv1.3
+["TLS_AES_128_CCM_8_SHA256"] = 0x1305, --TLSv1.3
["TLS_ECDH_ECDSA_WITH_NULL_SHA"] = 0xC001,
["TLS_ECDH_ECDSA_WITH_RC4_128_SHA"] = 0xC002,
["TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"] = 0xC003,
@@ -670,6 +680,7 @@ CIPHERS = {
}
DEFAULT_CIPHERS = {
+ "TLS13_AES_128_GCM_SHA256", --mandatory TLSv1.3
"TLS_RSA_WITH_AES_128_CBC_SHA", -- mandatory TLSv1.2
"TLS_RSA_WITH_3DES_EDE_CBC_SHA", -- mandatory TLSv1.1
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", -- mandatory TLSv1.0
@@ -1194,6 +1205,24 @@ handshake_parse = {
b["extensions"][extcode], j = unpack(">s2", buffer, j)
end
end
+ if (protocol == "TLSv1.3") then
+ --supported_versions
+ table.insert(extensions, unpack(">I2", 43))
+ table.insert(extensions, unpack(">I2", 3))
+ table.insert(extensions, unpack(">I1", 2))
+ table.insert(extensions, unpack(">I2", 772))
+
+ -- key_share
+ table.insert(extensions, unpack(">I2", 51))
+ table.insert(extensions, unpack(">I2", 107))
+ table.insert(extensions, unpack(">I2", 105))
+ table.insert(extensions, unpack(">I2", 23))
+ table.insert(extensions, unpack(">I2", 65))
+ table.insert(extensions, rand.random_string(65))
+ table.insert(extensions, unpack(">I2", 29))
+ table.insert(extensions, unpack(">I2", 32))
+ table.insert(extensions, rand.random_string(32))
+ end
-- Convert to human-readable form.
b["protocol"] = find_key(PROTOCOLS, b["protocol"])
@@ -1497,6 +1526,37 @@ function client_hello(t)
-- Do we need to add the signature_algorithms extension?
local need_sigalg = (protocol == "TLSv1.2")
-- Add specified extensions.
+ -- tls 1.3 (supported_versions) extension
+ if (protocol == "TLSv1.3") then
+ table.insert(extensions, pack(">I2", 43))
+ table.insert(extensions, pack(">I2", 3))
+ table.insert(extensions, pack(">I1", 2))
+ table.insert(extensions, pack(">I2", 772))
+
+ -- key_share
+ table.insert(extensions, pack(">I2", 51))
+ table.insert(extensions, pack(">I2", 107))
+ table.insert(extensions, pack(">I2", 105))
+ table.insert(extensions, pack(">I2", 23))
+ table.insert(extensions, pack(">I2", 65))
+ table.insert(extensions, rand.random_string(65))
+ table.insert(extensions, pack(">I2", 29))
+ table.insert(extensions, pack(">I2", 32))
+ table.insert(extensions, rand.random_string(32))
+ --psk_key_exchange_modes
+ table.insert(extensions, pack(">I2", 45))
+ table.insert(extensions, pack(">I2", 2))
+ table.insert(extensions, pack(">I1", 1))
+ table.insert(extensions, pack(">I1", 1))
+ end
+
+ -- server name
+ --table.insert(extensions, pack(">I2", 0))
+ --table.insert(extensions, pack(">I2", 17))
+ --table.insert(extensions, pack(">I2", 15))
+ --table.insert(extensions, pack(">I1", 0))
+ --table.insert(extensions, pack(">I2", 12))
+ --table.insert(extensions, xmpp.new("tls.servername")) not good
for extension, data in pairs(t["extensions"]) do
if type(extension) == "number" then
table.insert(extensions, pack(">I2", extension))
@@ -1540,7 +1600,7 @@ function client_hello(t)
-- t.protocol)
local record_proto = t.record_protocol
if not record_proto then
- record_proto = (t.protocol == "SSLv3") and "SSLv3" or "TLSv1.0"
+ record_proto = (t.protocol == "SSLv3") and "SSLv3" or "TLSv1.0"
end
return record_write("handshake", record_proto, table.concat(h))
end
@@ -1603,7 +1663,7 @@ end
-- @param host Host table as received by the action function
-- @return String of the selected host name
function servername(host)
- local script_arg = stdnse.get_script_args("tls.servername")
+ local script_arg = stdnse.get_script_args("tls.servername")
if script_arg then
return script_arg
elseif type(host) == "table" then
@@ -1612,3 +1672,4 @@ function servername(host)
end
return _ENV;
+
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 690f04891..cf12259d6 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -609,7 +609,8 @@ local function find_ciphers_group(host, port, protocol, group, scores)
local alert = records.alert
if alert then
ctx_log(2, protocol, "Got alert: %s", alert.body[1].description)
- if alert["protocol"] ~= protocol then
+ if alert["protocol"] ~= protocol and protocol ~= "TLSv1.3" then
+ print("protocol is =",protocol)
ctx_log(1, protocol, "Protocol mismatch (received %s)", alert.protocol)
-- Sometimes this is not an actual rejection of the protocol. Check specifically:
if get_body(alert, "description", "protocol_version") then
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment