--- -- A library providing functions for doing TLS/SSL communications -- -- These functions will build strings and process buffers. Socket communication -- is left to the script to implement. -- -- @args tls.servername Hostname to use in the Server Name Indication (SNI) -- extension. Overrides the target name given on the -- command line and affects all targets. -- @author Daniel Miller local stdnse = require "stdnse" local string = require "string" local stringaux = require "stringaux" local math = require "math" local os = require "os" local table = require "table" local tableaux = require "tableaux" local rand = require "rand" _ENV = stdnse.module("tls", stdnse.seeall) local pack = string.pack local unpack = string.unpack local tostring = tostring local concat = table.concat local insert = table.insert -- Most of the values in the tables below are from: -- http://www.iana.org/assignments/tls-parameters/ PROTOCOLS = { ["SSLv3"] = 0x0300, ["TLSv1.0"] = 0x0301, ["TLSv1.1"] = 0x0302, ["TLSv1.2"] = 0x0303, ["TLSv1.3"] = 0x0304, } HIGHEST_PROTOCOL = "TLSv1.3" local TLS_PROTOCOL_VERSIONS = tableaux.invert(PROTOCOLS) -- -- TLS Record Types -- TLS_RECORD_HEADER_LENGTH = 5 TLS_CONTENTTYPE_REGISTRY = { ["change_cipher_spec"] = 20, ["alert"] = 21, ["handshake"] = 22, ["application_data"] = 23, ["heartbeat"] = 24, ["tls12_cid"] = 25, ["ACK"] = 26, } local TLS_CONTENTTYPES = tableaux.invert(TLS_CONTENTTYPE_REGISTRY) -- -- TLS Alert Levels -- TLS_ALERT_LEVELS = { ["warning"] = 1, ["fatal"] = 2, } -- -- TLS Alert Record Types -- TLS_ALERT_REGISTRY = { ["close_notify"] = 0, ["unexpected_message"] = 10, ["bad_record_mac"] = 20, ["decryption_failed"] = 21, ["record_overflow"] = 22, ["decompression_failure"] = 30, ["handshake_failure"] = 40, ["no_certificate"] = 41, ["bad_certificate"] = 42, ["unsupported_certificate"] = 43, ["certificate_revoked"] = 44, ["certificate_expired"] = 45, ["certificate_unknown"] = 46, ["illegal_parameter"] = 47, ["unknown_ca"] = 48, ["access_denied"] = 49, ["decode_error"] = 50, ["decrypt_error"] = 51, ["too_many_cids_requested"] = 52, ["export_restriction"] = 60, ["protocol_version"] = 70, ["insufficient_security"] = 71, ["internal_error"] = 80, ["inappropriate_fallback"] = 86, ["user_canceled"] = 90, ["no_renegotiation"] = 100, ["missing_extension"] = 109, ["unsupported_extension"] = 110, ["certificate_unobtainable"] = 111, ["unrecognized_name"] = 112, ["bad_certificate_status_response"] = 113, ["bad_certificate_hash_value"] = 114, ["unknown_psk_identity"] = 115, ["certificate_required"] = 116, ["no_application_protocol"] = 120, } -- -- TLS Handshake Record Types -- TLS_HANDSHAKETYPE_REGISTRY = { ["hello_request"] = 0, ["client_hello"] = 1, ["server_hello"] = 2, ["hello_verify_request"] = 3, ["NewSessionTicket"] = 4, ["end_of_early_data"] = 5, ["hello_retry_request"] = 6, ["encrypted_extensions"] = 8, ["request_connection_id"] = 9, ["new_connection_id"] = 10, ["certificate"] = 11, ["server_key_exchange"] = 12, ["certificate_request"] = 13, ["server_hello_done"] = 14, ["certificate_verify"] = 15, ["client_key_exchange"] = 16, ["client_certificate_request"] = 17, ["finished"] = 20, ["certificate_url"] = 21, ["certificate_status"] = 22, ["supplemental_data"] = 23, ["key_update"] = 24, ["compressed_certificate"] = 25, ["ekt_key"] = 26, ["next_protocol"] = 67, ["message_hash"] = 254, } -- -- Compression Algorithms -- http://www.iana.org/assignments/comp-meth-ids -- COMPRESSORS = { ["NULL"] = 0, ["DEFLATE"] = 1, ["LZS"] = 64 } --- -- TLS Supported Groups -- RFC 4492 section 5.1.1 "Supported Elliptic Curves Extension". ELLIPTIC_CURVES = { sect163k1 = 1, --deprecated sect163r1 = 2, --deprecated sect163r2 = 3, --deprecated sect193r1 = 4, --deprecated sect193r2 = 5, --deprecated sect233k1 = 6, --deprecated sect233r1 = 7, --deprecated sect239k1 = 8, --deprecated sect283k1 = 9, --deprecated sect283r1 = 10, --deprecated sect409k1 = 11, --deprecated sect409r1 = 12, --deprecated sect571k1 = 13, --deprecated sect571r1 = 14, --deprecated secp160k1 = 15, --deprecated secp160r1 = 16, --deprecated secp160r2 = 17, --deprecated secp192k1 = 18, --deprecated secp192r1 = 19, --deprecated secp224k1 = 20, --deprecated secp224r1 = 21, --deprecated secp256k1 = 22, --deprecated secp256r1 = 23, secp384r1 = 24, secp521r1 = 25, brainpoolP256r1 = 26, --RFC7027 brainpoolP384r1 = 27, brainpoolP512r1 = 28, ecdh_x25519 = 29, -- rfc8422 ecdh_x448 = 30, -- rfc8422 brainpoolP256r1tls13 = 31, --RFC8734 brainpoolP384r1tls13 = 32, brainpoolP512r1tls13 = 33, GC256A = 34, -- draft-smyshlyaev-tls12-gost-suites GC256B = 35, GC256C = 36, GC256D = 37, GC512A = 38, GC512B = 39, GC512C = 40, curveSM2 = 41, -- RFC 8998 ffdhe2048 = 0x0100, --RFC7919 ffdhe3072 = 0x0101, --RFC7919 ffdhe4096 = 0x0102, --RFC7919 ffdhe6144 = 0x0103, --RFC7919 ffdhe8192 = 0x0104, --RFC7919 arbitrary_explicit_prime_curves = 0xFF01, arbitrary_explicit_char2_curves = 0xFF02, } -- Most likely set, supported by Firefox and Chrome DEFAULT_ELLIPTIC_CURVES = { "secp256r1", "secp384r1", "secp521r1", "ecdh_x25519", "ffdhe2048", -- added for TLSv1.3 } --- -- RFC 4492 section 5.1.2 "Supported Point Formats Extension". EC_POINT_FORMATS = { uncompressed = 0, ansiX962_compressed_prime = 1, ansiX962_compressed_char2 = 2, } --- -- RFC 5246 section 7.4.1.4.1. Signature Algorithms HashAlgorithms = { none = 0, md5 = 1, sha1 = 2, sha224 = 3, sha256 = 4, sha384 = 5, sha512 = 6, intrinsic = 8, } SignatureAlgorithms = { anonymous = 0, rsa = 1, dsa = 2, ecdsa = 3, ed25519 = 7, ed448 = 8, } --- -- TLS v1.3 Signature Algorithms SignatureSchemes = { -- RSASSA-PKCS1-v1_5 algorithms rsa_pkcs1_sha256 = 0x0401, rsa_pkcs1_sha384 = 0x0501, rsa_pkcs1_sha512 = 0x0601, -- ECDSA algorithms ecdsa_secp256r1_sha256 = 0x0403, ecdsa_secp384r1_sha384 = 0x0503, ecdsa_secp521r1_sha512 = 0x0603, -- draft-wang-tls-raw-public-key-with-ibc eccsi_sha256 = 0x0704, iso_ibs1 = 0x0705, iso_ibs2 = 0x0706, iso_chinese_ibs = 0x0707, -- RFC8998 sm2sig_sm3 = 0x0708, -- draft-smyshlyaev-tls13-gost-suites gostr34102012_256a = 0x0709, gostr34102012_256b = 0x070A, gostr34102012_256c = 0x070B, gostr34102012_256d = 0x070C, gostr34102012_512a = 0x070D, gostr34102012_512b = 0x070E, gostr34102012_512c = 0x070F, -- RSASSA-PSS algorithms with public key OID rsaEncryption rsa_pss_rsae_sha256 = 0x0804, rsa_pss_rsae_sha384 = 0x0805, rsa_pss_rsae_sha512 = 0x0806, -- EdDSA algorithms ed25519 = 0x0807, ed448 = 0x0808, -- RSASSA-PSS algorithms with public key OID RSASSA-PSS rsa_pss_pss_sha256 = 0x0809, rsa_pss_pss_sha384 = 0x080a, rsa_pss_pss_sha512 = 0x080b, -- ECC Brainpool curves ecdsa_brainpoolP256r1tls13_sha256 = 0x081a, ecdsa_brainpoolP384r1tls13_sha384 = 0x081b, ecdsa_brainpoolP512r1tls13_sha512 = 0x081c, -- Legacy algorithms rsa_pkcs1_sha1 = 0x0201, ecdsa_sha1 = 0x0203, -- RFC 8998 sm2sig_sm3 = 0x0708, } --- -- Extensions -- RFC 6066, draft-agl-tls-nextprotoneg-03 -- https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml -- EXTENSIONS = { ["server_name"] = 0, ["max_fragment_length"] = 1, ["client_certificate_url"] = 2, ["trusted_ca_keys"] = 3, ["truncated_hmac"] = 4, ["status_request"] = 5, ["user_mapping"] = 6, ["client_authz"] = 7, ["server_authz"] = 8, ["cert_type"] = 9, ["elliptic_curves"] = 10, ["ec_point_formats"] = 11, ["srp"] = 12, ["signature_algorithms"] = 13, -- TLSv1.3 changed the format for this extension. It's just more convenient -- to call it something else. ["signature_algorithms_13"] = 13, ["use_srtp"] = 14, ["heartbeat"] = 15, ["application_layer_protocol_negotiation"] = 16, ["status_request_v2"] = 17, ["signed_certificate_timestamp"] = 18, ["client_certificate_type"] = 19, ["server_certificate_type"] = 20, ["padding"] = 21, -- rfc7685 ["encrypt_then_mac"] = 22, -- rfc7366 ["extended_master_secret"] = 23, -- rfc7627 ["token_binding"] = 24, -- Temporary, expires 2018-02-04 ["cached_info"] = 25, -- rfc7924 ["tls_lts"] = 26, -- draft-gutmann-tls-lts ["compress_certificate"] = 27, -- rfc8879 ["record_size_limit"] = 28, -- rfc8449 ["pwd_protect"] = 29, -- rfc8492 ["pwd_clear"] = 30, -- rfc8492 ["password_salt"] = 31, -- rfc8492 ["ticket_pinning"] = 32, ["tls_cert_with_extern_psk"] = 33, ["delegated_credentials"] = 34, ["TLMSP"] = 35, ["TLMSP_proxying"] = 36, ["TLMSP_delegate"] = 37, ["supported_ekt_ciphers"] = 38, ["SessionTicket TLS"] = 39, -- TLSv1.3 ["pre_shared_key"] = 41, ["early_data"] = 42, ["supported_versions"] = 43, ["cookie"] = 44, ["psk_key_exchange_modes"] = 45, ["certificate_authorities"] = 47, ["oid_filters"] = 48, ["post_handshake_auth"] = 49, ["signature_algorithms_cert"] = 50, ["key_share"] = 51, ["transparency_info"] = 52, ["connection_id-deprecated"] = 53, ["connection_id"] = 54, ["external_id_hash"] = 55, ["external_session_id"] = 56, ["quic_transport_parameters"] = 57, ["ticket_request"] = 58, ["dnssec_chain"] = 59, -- ["next_protocol_negotiation"] = 13172, ["renegotiation_info"] = 65281, } --- -- Builds data for each extension -- Defaults to tostring (i.e. pass in the packed data you want directly) EXTENSION_HELPERS = { ["server_name"] = function (server_name) -- Only supports host_name type (0), as per RFC -- Support for other types could be added later return pack(">s2", pack(">Bs2", 0, server_name)) end, ["max_fragment_length"] = tostring, ["client_certificate_url"] = tostring, ["trusted_ca_keys"] = tostring, ["truncated_hmac"] = tostring, ["status_request"] = tostring, ["elliptic_curves"] = function (elliptic_curves) local list = {} for _, name in ipairs(elliptic_curves) do list[#list+1] = pack(">I2", ELLIPTIC_CURVES[name]) end return pack(">s2", concat(list)) end, ["ec_point_formats"] = function (ec_point_formats) local list = {} for _, format in ipairs(ec_point_formats) do list[#list+1] = pack(">B", EC_POINT_FORMATS[format]) end return pack(">s1", concat(list)) end, ["signature_algorithms"] = function(signature_algorithms) local list = {} for _, pair in ipairs(signature_algorithms) do list[#list+1] = pack(">BB", HashAlgorithms[pair[1]] or pair[1], SignatureAlgorithms[pair[2]] or pair[2] ) end return pack(">s2", concat(list)) end, ["signature_algorithms_13"] = function (signature_schemes) local list = {} for _, name in ipairs(signature_schemes) do list[#list+1] = pack(">I2", SignatureSchemes[name]) end return pack(">s2", concat(list)) end, ["application_layer_protocol_negotiation"] = function(protocols) local list = {} for _, proto in ipairs(protocols) do list[#list+1] = pack(">s1", proto) end return pack(">s2", concat(list)) end, ["next_protocol_negotiation"] = tostring, ["supported_versions"] = function(versions) local list = {} for _, name in ipairs(versions) do list[#list+1] = pack(">I2", PROTOCOLS[name]) end return pack(">s1", concat(list)) end, } -- -- Encryption Algorithms -- CIPHERS = { ["TLS_NULL_WITH_NULL_NULL"] = 0x0000, ["TLS_RSA_WITH_NULL_MD5"] = 0x0001, ["TLS_RSA_WITH_NULL_SHA"] = 0x0002, ["TLS_RSA_EXPORT_WITH_RC4_40_MD5"] = 0x0003, ["TLS_RSA_WITH_RC4_128_MD5"] = 0x0004, ["TLS_RSA_WITH_RC4_128_SHA"] = 0x0005, ["TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"] = 0x0006, ["TLS_RSA_WITH_IDEA_CBC_SHA"] = 0x0007, ["TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x0008, ["TLS_RSA_WITH_DES_CBC_SHA"] = 0x0009, ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x000A, ["TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"] = 0x000B, ["TLS_DH_DSS_WITH_DES_CBC_SHA"] = 0x000C, ["TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"] = 0x000D, ["TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x000E, ["TLS_DH_RSA_WITH_DES_CBC_SHA"] = 0x000F, ["TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x0010, ["TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"] = 0x0011, ["TLS_DHE_DSS_WITH_DES_CBC_SHA"] = 0x0012, ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"] = 0x0013, ["TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x0014, ["TLS_DHE_RSA_WITH_DES_CBC_SHA"] = 0x0015, ["TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x0016, ["TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"] = 0x0017, ["TLS_DH_anon_WITH_RC4_128_MD5"] = 0x0018, ["TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"] = 0x0019, ["TLS_DH_anon_WITH_DES_CBC_SHA"] = 0x001A, ["TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"] = 0x001B, ["SSL_FORTEZZA_KEA_WITH_NULL_SHA"] = 0x001C, ["SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"] = 0x001D, ["TLS_KRB5_WITH_DES_CBC_SHA-or-SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"] = 0x001E, --TLS vs SSLv3 ["TLS_KRB5_WITH_3DES_EDE_CBC_SHA"] = 0x001F, ["TLS_KRB5_WITH_RC4_128_SHA"] = 0x0020, ["TLS_KRB5_WITH_IDEA_CBC_SHA"] = 0x0021, ["TLS_KRB5_WITH_DES_CBC_MD5"] = 0x0022, ["TLS_KRB5_WITH_3DES_EDE_CBC_MD5"] = 0x0023, ["TLS_KRB5_WITH_RC4_128_MD5"] = 0x0024, ["TLS_KRB5_WITH_IDEA_CBC_MD5"] = 0x0025, ["TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"] = 0x0026, ["TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"] = 0x0027, ["TLS_KRB5_EXPORT_WITH_RC4_40_SHA"] = 0x0028, ["TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"] = 0x0029, ["TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"] = 0x002A, ["TLS_KRB5_EXPORT_WITH_RC4_40_MD5"] = 0x002B, ["TLS_PSK_WITH_NULL_SHA"] = 0x002C, ["TLS_DHE_PSK_WITH_NULL_SHA"] = 0x002D, ["TLS_RSA_PSK_WITH_NULL_SHA"] = 0x002E, ["TLS_RSA_WITH_AES_128_CBC_SHA"] = 0x002F, ["TLS_DH_DSS_WITH_AES_128_CBC_SHA"] = 0x0030, ["TLS_DH_RSA_WITH_AES_128_CBC_SHA"] = 0x0031, ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA"] = 0x0032, ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"] = 0x0033, ["TLS_DH_anon_WITH_AES_128_CBC_SHA"] = 0x0034, ["TLS_RSA_WITH_AES_256_CBC_SHA"] = 0x0035, ["TLS_DH_DSS_WITH_AES_256_CBC_SHA"] = 0x0036, ["TLS_DH_RSA_WITH_AES_256_CBC_SHA"] = 0x0037, ["TLS_DHE_DSS_WITH_AES_256_CBC_SHA"] = 0x0038, ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA"] = 0x0039, ["TLS_DH_anon_WITH_AES_256_CBC_SHA"] = 0x003A, ["TLS_RSA_WITH_NULL_SHA256"] = 0x003B, ["TLS_RSA_WITH_AES_128_CBC_SHA256"] = 0x003C, ["TLS_RSA_WITH_AES_256_CBC_SHA256"] = 0x003D, ["TLS_DH_DSS_WITH_AES_128_CBC_SHA256"] = 0x003E, ["TLS_DH_RSA_WITH_AES_128_CBC_SHA256"] = 0x003F, ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"] = 0x0040, ["TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0041, ["TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"] = 0x0042, ["TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0043, ["TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"] = 0x0044, ["TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0045, ["TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"] = 0x0046, ["TLS_ECDH_ECDSA_WITH_NULL_SHA-draft"] = 0x0047, --draft-ietf-tls-ecc-00 ["TLS_ECDH_ECDSA_WITH_RC4_128_SHA-draft"] = 0x0048, --draft-ietf-tls-ecc-00 ["TLS_ECDH_ECDSA_WITH_DES_CBC_SHA-draft"] = 0x0049, --draft-ietf-tls-ecc-00 ["TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x004A, --draft-ietf-tls-ecc-00 ["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA-draft"] = 0x004B, --draft-ietf-tls-ecc-00 ["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA-draft"] = 0x004C, --draft-ietf-tls-ecc-00 ["TLS_ECDH_ECNRA_WITH_DES_CBC_SHA-draft"] = 0x004D, --draft-ietf-tls-ecc-00 ["TLS_ECDH_ECNRA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x004E, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECDSA_NULL_SHA-draft"] = 0x004F, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECDSA_WITH_RC4_128_SHA-draft"] = 0x0050, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECDSA_WITH_DES_CBC_SHA-draft"] = 0x0051, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECDSA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x0052, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECNRA_NULL_SHA-draft"] = 0x0053, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECNRA_WITH_RC4_128_SHA-draft"] = 0x0054, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECNRA_WITH_DES_CBC_SHA-draft"] = 0x0055, --draft-ietf-tls-ecc-00 ["TLS_ECMQV_ECNRA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x0056, --draft-ietf-tls-ecc-00 ["TLS_ECDH_anon_NULL_WITH_SHA-draft"] = 0x0057, --draft-ietf-tls-ecc-00 ["TLS_ECDH_anon_WITH_RC4_128_SHA-draft"] = 0x0058, --draft-ietf-tls-ecc-00 ["TLS_ECDH_anon_WITH_DES_CBC_SHA-draft"] = 0x0059, --draft-ietf-tls-ecc-00 ["TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA-draft"] = 0x005A, --draft-ietf-tls-ecc-00 ["TLS_ECDH_anon_EXPORT_WITH_DES40_CBC_SHA-draft"] = 0x005B, --draft-ietf-tls-ecc-00 ["TLS_ECDH_anon_EXPORT_WITH_RC4_40_SHA-draft"] = 0x005C, --draft-ietf-tls-ecc-00 ["TLS_RSA_EXPORT1024_WITH_RC4_56_MD5"] = 0x0060, ["TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5"] = 0x0061, ["TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA"] = 0x0062, ["TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"] = 0x0063, ["TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"] = 0x0064, ["TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"] = 0x0065, ["TLS_DHE_DSS_WITH_RC4_128_SHA"] = 0x0066, ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"] = 0x0067, ["TLS_DH_DSS_WITH_AES_256_CBC_SHA256"] = 0x0068, ["TLS_DH_RSA_WITH_AES_256_CBC_SHA256"] = 0x0069, ["TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"] = 0x006A, ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"] = 0x006B, ["TLS_DH_anon_WITH_AES_128_CBC_SHA256"] = 0x006C, ["TLS_DH_anon_WITH_AES_256_CBC_SHA256"] = 0x006D, ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD-draft"] = 0x0072, --draft-ietf-tls-openpgp-keys-05 ["TLS_DHE_DSS_WITH_AES_128_CBC_RMD-draft"] = 0x0073, --draft-ietf-tls-openpgp-keys-05 ["TLS_DHE_DSS_WITH_AES_256_CBC_RMD-draft"] = 0x0074, --draft-ietf-tls-openpgp-keys-05 ["TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD-draft"] = 0x0077, --draft-ietf-tls-openpgp-keys-05 ["TLS_DHE_RSA_WITH_AES_128_CBC_RMD-draft"] = 0x0078, --draft-ietf-tls-openpgp-keys-05 ["TLS_DHE_RSA_WITH_AES_256_CBC_RMD-draft"] = 0x0079, --draft-ietf-tls-openpgp-keys-05 ["TLS_RSA_WITH_3DES_EDE_CBC_RMD-draft"] = 0x007C, --draft-ietf-tls-openpgp-keys-05 ["TLS_RSA_WITH_AES_128_CBC_RMD-draft"] = 0x007D, --draft-ietf-tls-openpgp-keys-05 ["TLS_RSA_WITH_AES_256_CBC_RMD-draft"] = 0x007E, --draft-ietf-tls-openpgp-keys-05 ["TLS_GOSTR341094_WITH_28147_CNT_IMIT-draft"] = 0x0080, --draft-chudov-cryptopro-cptls-04 ["TLS_GOSTR341001_WITH_28147_CNT_IMIT-draft"] = 0x0081, --draft-chudov-cryptopro-cptls-04 ["TLS_GOSTR341094_WITH_NULL_GOSTR3411-draft"] = 0x0082, --draft-chudov-cryptopro-cptls-04 ["TLS_GOSTR341001_WITH_NULL_GOSTR3411-draft"] = 0x0083, --draft-chudov-cryptopro-cptls-04 ["TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0084, ["TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"] = 0x0085, ["TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0086, ["TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"] = 0x0087, ["TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0088, ["TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA"] = 0x0089, ["TLS_PSK_WITH_RC4_128_SHA"] = 0x008A, ["TLS_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x008B, ["TLS_PSK_WITH_AES_128_CBC_SHA"] = 0x008C, ["TLS_PSK_WITH_AES_256_CBC_SHA"] = 0x008D, ["TLS_DHE_PSK_WITH_RC4_128_SHA"] = 0x008E, ["TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x008F, ["TLS_DHE_PSK_WITH_AES_128_CBC_SHA"] = 0x0090, ["TLS_DHE_PSK_WITH_AES_256_CBC_SHA"] = 0x0091, ["TLS_RSA_PSK_WITH_RC4_128_SHA"] = 0x0092, ["TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x0093, ["TLS_RSA_PSK_WITH_AES_128_CBC_SHA"] = 0x0094, ["TLS_RSA_PSK_WITH_AES_256_CBC_SHA"] = 0x0095, ["TLS_RSA_WITH_SEED_CBC_SHA"] = 0x0096, ["TLS_DH_DSS_WITH_SEED_CBC_SHA"] = 0x0097, ["TLS_DH_RSA_WITH_SEED_CBC_SHA"] = 0x0098, ["TLS_DHE_DSS_WITH_SEED_CBC_SHA"] = 0x0099, ["TLS_DHE_RSA_WITH_SEED_CBC_SHA"] = 0x009A, ["TLS_DH_anon_WITH_SEED_CBC_SHA"] = 0x009B, ["TLS_RSA_WITH_AES_128_GCM_SHA256"] = 0x009C, ["TLS_RSA_WITH_AES_256_GCM_SHA384"] = 0x009D, ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"] = 0x009E, ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"] = 0x009F, ["TLS_DH_RSA_WITH_AES_128_GCM_SHA256"] = 0x00A0, ["TLS_DH_RSA_WITH_AES_256_GCM_SHA384"] = 0x00A1, ["TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"] = 0x00A2, ["TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"] = 0x00A3, ["TLS_DH_DSS_WITH_AES_128_GCM_SHA256"] = 0x00A4, ["TLS_DH_DSS_WITH_AES_256_GCM_SHA384"] = 0x00A5, ["TLS_DH_anon_WITH_AES_128_GCM_SHA256"] = 0x00A6, ["TLS_DH_anon_WITH_AES_256_GCM_SHA384"] = 0x00A7, ["TLS_PSK_WITH_AES_128_GCM_SHA256"] = 0x00A8, ["TLS_PSK_WITH_AES_256_GCM_SHA384"] = 0x00A9, ["TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"] = 0x00AA, ["TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"] = 0x00AB, ["TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"] = 0x00AC, ["TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"] = 0x00AD, ["TLS_PSK_WITH_AES_128_CBC_SHA256"] = 0x00AE, ["TLS_PSK_WITH_AES_256_CBC_SHA384"] = 0x00AF, ["TLS_PSK_WITH_NULL_SHA256"] = 0x00B0, ["TLS_PSK_WITH_NULL_SHA384"] = 0x00B1, ["TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"] = 0x00B2, ["TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"] = 0x00B3, ["TLS_DHE_PSK_WITH_NULL_SHA256"] = 0x00B4, ["TLS_DHE_PSK_WITH_NULL_SHA384"] = 0x00B5, ["TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"] = 0x00B6, ["TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"] = 0x00B7, ["TLS_RSA_PSK_WITH_NULL_SHA256"] = 0x00B8, ["TLS_RSA_PSK_WITH_NULL_SHA384"] = 0x00B9, ["TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BA, ["TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BB, ["TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BC, ["TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BD, ["TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BE, ["TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BF, ["TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C0, ["TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C1, ["TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C2, ["TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C3, ["TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C4, ["TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C5, ["TLS_ECDH_ECDSA_WITH_NULL_SHA"] = 0xC001, ["TLS_ECDH_ECDSA_WITH_RC4_128_SHA"] = 0xC002, ["TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"] = 0xC003, ["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"] = 0xC004, ["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"] = 0xC005, ["TLS_ECDHE_ECDSA_WITH_NULL_SHA"] = 0xC006, ["TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"] = 0xC007, ["TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"] = 0xC008, ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"] = 0xC009, ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"] = 0xC00A, ["TLS_ECDH_RSA_WITH_NULL_SHA"] = 0xC00B, ["TLS_ECDH_RSA_WITH_RC4_128_SHA"] = 0xC00C, ["TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC00D, ["TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"] = 0xC00E, ["TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"] = 0xC00F, ["TLS_ECDHE_RSA_WITH_NULL_SHA"] = 0xC010, ["TLS_ECDHE_RSA_WITH_RC4_128_SHA"] = 0xC011, ["TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC012, ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"] = 0xC013, ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"] = 0xC014, ["TLS_ECDH_anon_WITH_NULL_SHA"] = 0xC015, ["TLS_ECDH_anon_WITH_RC4_128_SHA"] = 0xC016, ["TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"] = 0xC017, ["TLS_ECDH_anon_WITH_AES_128_CBC_SHA"] = 0xC018, ["TLS_ECDH_anon_WITH_AES_256_CBC_SHA"] = 0xC019, ["TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"] = 0xC01A, ["TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC01B, ["TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"] = 0xC01C, ["TLS_SRP_SHA_WITH_AES_128_CBC_SHA"] = 0xC01D, ["TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"] = 0xC01E, ["TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"] = 0xC01F, ["TLS_SRP_SHA_WITH_AES_256_CBC_SHA"] = 0xC020, ["TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"] = 0xC021, ["TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"] = 0xC022, ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"] = 0xC023, ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"] = 0xC024, ["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"] = 0xC025, ["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"] = 0xC026, ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"] = 0xC027, ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"] = 0xC028, ["TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"] = 0xC029, ["TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"] = 0xC02A, ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] = 0xC02B, ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"] = 0xC02C, ["TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"] = 0xC02D, ["TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"] = 0xC02E, ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] = 0xC02F, ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] = 0xC030, ["TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"] = 0xC031, ["TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"] = 0xC032, ["TLS_ECDHE_PSK_WITH_RC4_128_SHA"] = 0xC033, ["TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"] = 0xC034, ["TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"] = 0xC035, ["TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"] = 0xC036, ["TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"] = 0xC037, ["TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"] = 0xC038, ["TLS_ECDHE_PSK_WITH_NULL_SHA"] = 0xC039, ["TLS_ECDHE_PSK_WITH_NULL_SHA256"] = 0xC03A, ["TLS_ECDHE_PSK_WITH_NULL_SHA384"] = 0xC03B, ["TLS_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC03C, ["TLS_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC03D, ["TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256"] = 0xC03E, ["TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384"] = 0xC03F, ["TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC040, ["TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC041, ["TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256"] = 0xC042, ["TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384"] = 0xC043, ["TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC044, ["TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC045, ["TLS_DH_anon_WITH_ARIA_128_CBC_SHA256"] = 0xC046, ["TLS_DH_anon_WITH_ARIA_256_CBC_SHA384"] = 0xC047, ["TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256"] = 0xC048, ["TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384"] = 0xC049, ["TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04A, ["TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04B, ["TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04C, ["TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04D, ["TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04E, ["TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04F, ["TLS_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC050, ["TLS_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC051, ["TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC052, ["TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC053, ["TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC054, ["TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC055, ["TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256"] = 0xC056, ["TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384"] = 0xC057, ["TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256"] = 0xC058, ["TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384"] = 0xC059, ["TLS_DH_anon_WITH_ARIA_128_GCM_SHA256"] = 0xC05A, ["TLS_DH_anon_WITH_ARIA_256_GCM_SHA384"] = 0xC05B, ["TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"] = 0xC05C, ["TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384"] = 0xC05D, ["TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256"] = 0xC05E, ["TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384"] = 0xC05F, ["TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC060, ["TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC061, ["TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC062, ["TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC063, ["TLS_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC064, ["TLS_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC065, ["TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC066, ["TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC067, ["TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC068, ["TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC069, ["TLS_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06A, ["TLS_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06B, ["TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06C, ["TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06D, ["TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06E, ["TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06F, ["TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC070, ["TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC071, ["TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC072, ["TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC073, ["TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC074, ["TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC075, ["TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC076, ["TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC077, ["TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC078, ["TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC079, ["TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07A, ["TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07B, ["TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07C, ["TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07D, ["TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07E, ["TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07F, ["TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC080, ["TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC081, ["TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC082, ["TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC083, ["TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC084, ["TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC085, ["TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC086, ["TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC087, ["TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC088, ["TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC089, ["TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08A, ["TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08B, ["TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08C, ["TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08D, ["TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08E, ["TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08F, ["TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC090, ["TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC091, ["TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC092, ["TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC093, ["TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC094, ["TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC095, ["TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC096, ["TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC097, ["TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC098, ["TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC099, ["TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC09A, ["TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC09B, ["TLS_RSA_WITH_AES_128_CCM"] = 0xC09C, ["TLS_RSA_WITH_AES_256_CCM"] = 0xC09D, ["TLS_DHE_RSA_WITH_AES_128_CCM"] = 0xC09E, ["TLS_DHE_RSA_WITH_AES_256_CCM"] = 0xC09F, ["TLS_RSA_WITH_AES_128_CCM_8"] = 0xC0A0, ["TLS_RSA_WITH_AES_256_CCM_8"] = 0xC0A1, ["TLS_DHE_RSA_WITH_AES_128_CCM_8"] = 0xC0A2, ["TLS_DHE_RSA_WITH_AES_256_CCM_8"] = 0xC0A3, ["TLS_PSK_WITH_AES_128_CCM"] = 0xC0A4, ["TLS_PSK_WITH_AES_256_CCM"] = 0xC0A5, ["TLS_DHE_PSK_WITH_AES_128_CCM"] = 0xC0A6, ["TLS_DHE_PSK_WITH_AES_256_CCM"] = 0xC0A7, ["TLS_PSK_WITH_AES_128_CCM_8"] = 0xC0A8, ["TLS_PSK_WITH_AES_256_CCM_8"] = 0xC0A9, ["TLS_PSK_DHE_WITH_AES_128_CCM_8"] = 0xC0AA, ["TLS_PSK_DHE_WITH_AES_256_CCM_8"] = 0xC0AB, ["TLS_ECDHE_ECDSA_WITH_AES_128_CCM"] = 0xC0AC, ["TLS_ECDHE_ECDSA_WITH_AES_256_CCM"] = 0xC0AD, ["TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"] = 0xC0AE, ["TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"] = 0xC0AF, ["TLS_ECCPWD_WITH_AES_128_GCM_SHA256"] = 0xC0B0, -- RFC8492 ["TLS_ECCPWD_WITH_AES_256_GCM_SHA384"] = 0xC0B1, -- RFC8492 ["TLS_ECCPWD_WITH_AES_128_CCM_SHA256"] = 0xC0B2, -- RFC8492 ["TLS_ECCPWD_WITH_AES_256_CCM_SHA384"] = 0xC0B3, -- RFC8492 ["TLS_AKE_WITH_NULL_SHA256"] = 0xC0B4, -- RFC9150 ["TLS_AKE_WITH_NULL_SHA384"] = 0xC0B5, -- RFC9150 ["TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC"] = 0xC100, -- RFC9189 ["TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC"] = 0xC101, -- RFC9189 ["TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"] = 0xC102, -- RFC9189 ["TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L"] = 0xC103, -- draft-smyshlyaev-tls13-gost-suites ["TLS_GOSTR341112_256_WITH_MAGMA_MGM_L"] = 0xC104, -- draft-smyshlyaev-tls13-gost-suites ["TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S"] = 0xC105, -- draft-smyshlyaev-tls13-gost-suites ["TLS_GOSTR341112_256_WITH_MAGMA_MGM_S"] = 0xC106, -- draft-smyshlyaev-tls13-gost-suites ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256-draft"] = 0xCC13, -- RFC7905 superseded ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft"] = 0xCC14, -- RFC7905 superseded ["TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256-draft"] = 0xCC15, -- RFC7905 superseded ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCA8, ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCA9, ["TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAA, ["TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAB, ["TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAC, ["TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAD, ["TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAE, ["TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256"] = 0xD001, -- RFC 8442 ["TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384"] = 0xD002, -- RFC 8442 ["TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256"] = 0xD003, -- RFC 8442 ["TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256"] = 0xD005, -- RFC 8442 ["SSL_RSA_FIPS_WITH_DES_CBC_SHA"] = 0xFEFE, ["SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"] = 0xFEFF, -- TLSv1.3: -- "Although TLS 1.3 uses the same cipher suite space as previous versions of -- TLS, TLS 1.3 cipher suites are defined differently, only specifying the -- symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and -- lower cipher suites cannot be used with TLS 1.3." -- We designate these as AKE (Authenticated Key Exchange) ciphersuites, in -- order to simplify use of the cipher_info function. TLS_AKE_WITH_AES_128_GCM_SHA256 = 0x1301, TLS_AKE_WITH_AES_256_GCM_SHA384 = 0x1302, TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 = 0x1303, TLS_AKE_WITH_AES_128_CCM_SHA256 = 0x1304, TLS_AKE_WITH_AES_128_CCM_8_SHA256 = 0x1305, TLS_AKE_WITH_SM4_GCM_SM3 = 0x00C6, -- RFC 8998 TLS_AKE_WITH_SM4_CCM_SM3 = 0x00C7, -- RFC 8998 } -- Default ciphers sent by tls.client_hello for TLSv1.2 or earlier DEFAULT_TLS12_CIPHERS = { "TLS_RSA_WITH_AES_128_CBC_SHA", -- mandatory TLSv1.2 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", -- mandatory TLSv1.1 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", -- mandatory TLSv1.0 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", -- DHE with strong AES "TLS_RSA_WITH_RC4_128_MD5", -- Weak and old, but likely supported on old stuff } -- Same, but for TLSv1.3 DEFAULT_TLS13_CIPHERS = { "TLS_AKE_WITH_AES_128_GCM_SHA256", -- mandatory TLSv1.3 "TLS_AKE_WITH_AES_256_GCM_SHA384", -- stronger TLSv1.3 "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", -- alternate TLSv1.3 } -- Same, but for handshakes compatible with any TLS version local DEFAULT_CIPHERS = { table.unpack(DEFAULT_TLS13_CIPHERS) } for _, c in ipairs(DEFAULT_TLS12_CIPHERS) do insert(DEFAULT_CIPHERS, c) end local function find_key(t, value) local found, v = tableaux.contains(t, value) return v end -- Keep this local to enforce use of the cipher_info function local cipher_info_cache = { -- pre-populate the special cases that break the parser below ["TLS_ECDH_anon_NULL_WITH_SHA-draft"] = { kex = "ECDH", dh = true, ec = true, server_auth = "anon", cipher = "NULL", hash = "SHA", draft = true }, ["TLS_ECMQV_ECDSA_NULL_SHA-draft"] = { kex = "ECMQV", ec = true, server_auth = "ECDSA", cipher = "NULL", hash = "SHA", draft = true }, ["TLS_ECMQV_ECNRA_NULL_SHA-draft"] = { kex = "ECMQV", ec = true, server_auth = "ECNRA", cipher = "NULL", hash = "SHA", draft = true }, ["TLS_GOSTR341094_WITH_28147_CNT_IMIT-draft"] = { kex = "GOSTR341094", server_auth = "GOSTR341094", cipher = "GOST28147", hash = "IMIT_GOST28147", draft = true }, ["TLS_GOSTR341001_WITH_28147_CNT_IMIT-draft"] = { kex = "GOSTR341001", server_auth = "GOSTR341001", cipher = "GOST28147", hash = "IMIT_GOST28147", draft = true }, ["TLS_GOSTR341094_WITH_NULL_GOSTR3411-draft"] = { kex = "GOSTR341094", server_auth = "GOSTR341094", cipher = "NULL", hash = "HMAC_GOSTR3411", draft = true }, ["TLS_GOSTR341001_WITH_NULL_GOSTR3411-draft"] = { kex = "GOSTR341001", server_auth = "GOSTR341001", cipher = "NULL", hash = "HMAC_GOSTR3411", draft = true }, } -- A couple helpers for server_key_exchange parsing local function unpack_dhparams (blob, pos) local p, g, y p, g, y, pos = unpack(">s2s2s2", blob, pos) return pos, {p=p, g=g, y=y}, #p * 8 end local function named_group_info (group) if group:match("^arbitrary") then return "ec" end local ktype, size = group:match("^(%D+)(%d+)") assert(ktype and size, ("Invalid named group: %s"):format(group)) size = tonumber(size) if ktype == "ffdhe" then ktype = "dh" else if group == "ecdh_x25519" or group == "curveSM2" then size = 256 end ktype = "ec" end return ktype, size end local function unpack_ecdhparams (blob, pos) local eccurvetype eccurvetype, pos = unpack("B", blob, pos) local ret = {} local strength if eccurvetype == 1 then local p, a, b, base, order, cofactor p, a, b, base, order, cofactor, pos = unpack("s1s1s1s1s1s1", blob, pos) strength = math.log(order, 2) ret.curve_params = { ec_curve_type = "explicit_prime", prime_p=p, curve={a=a, b=b}, base=base, order=order, cofactor=cofactor } elseif eccurvetype == 2 then local p = {} local m, basis m, basis, pos = unpack(">I2B", blob, pos) if basis == 1 then -- ec_trinomial p.k, pos = unpack("s1", blob, pos) elseif basis == 2 then -- ec_pentanomial p.k1, p.k2, p.k3, pos = unpack("s1s1s1", blob, pos) end local a, b, base, order, cofactor a, b, base, order, cofactor, pos = unpack("s1s1s1s1s1", blob, pos) strength = math.log(order, 2) ret.curve_params = { ec_curve_type = "explicit_char2", m=m, basis=basis, field=p, curve={a=a, b=b}, base=base, order=order, cofactor=cofactor } elseif eccurvetype == 3 then local curve curve, pos = unpack(">I2", blob, pos) ret.curve_params = { ec_curve_type = "namedcurve", curve = find_key(ELLIPTIC_CURVES, curve) } local _ _, strength = named_group_info(ret.curve_params.curve) end ret.public, pos = unpack("s1", blob, pos) return pos, ret, strength end local function unpack_signed (blob, pos, protocol) if pos > #blob then -- not-signed return pos, nil end local hash_alg, sig_alg, sig -- TLSv1.2 changed to allow arbitrary hash and sig algorithms if protocol and PROTOCOLS[protocol] >= 0x0303 then hash_alg, sig_alg, sig, pos = unpack(">BBs2", blob, pos) else sig, pos = unpack(">s2", blob, pos) end return pos, {hash_algorithm=hash_alg, signature_algorithm=sig_alg, signature=sig} end --- Get the strength-equivalent RSA key size -- -- Based on NIST SP800-57 part 1 rev 3 -- @param ktype Key type ("dh", "ec", "rsa", "dsa") -- @param bits Size of key in bits -- @return Size in bits of RSA key with equivalent strength function rsa_equiv (ktype, bits) if ktype == "rsa" or ktype == "dsa" or ktype == "dh" then return bits elseif ktype == "ec" then if bits < 160 then return 512 -- Possibly down to 0, but details not published elseif bits < 224 then return 1024 elseif bits < 256 then return 2048 elseif bits < 384 then return 3072 elseif bits < 512 then return 7680 else -- 512+ return 15360 end end return nil end KEX_ALGORITHMS = {} -- RFC 5246 KEX_ALGORITHMS.NULL = { anon = true } KEX_ALGORITHMS.DH_anon = { anon = true, type = "dh", server_key_exchange = function (blob, protocol) local pos local ret = {} pos, ret.dhparams, ret.strength = unpack_dhparams(blob) return ret end } KEX_ALGORITHMS.DH_anon_EXPORT = { anon=true, export=true, type = "dh", server_key_exchange = KEX_ALGORITHMS.DH_anon.server_key_exchange } KEX_ALGORITHMS.ECDH_anon = { anon=true, type = "ec", server_key_exchange = function (blob, protocol) local pos local ret = {} pos, ret.ecdhparams, ret.strength = unpack_ecdhparams(blob) return ret end } KEX_ALGORITHMS.ECDH_anon_EXPORT = { anon=true, export=true, type = "ec", server_key_exchange = KEX_ALGORITHMS.ECDH_anon.server_key_exchange } KEX_ALGORITHMS.RSA = { pubkey="rsa", } -- http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html KEX_ALGORITHMS.RSA_FIPS = KEX_ALGORITHMS.RSA KEX_ALGORITHMS.RSA_EXPORT = { export=true, pubkey="rsa", type = "rsa", server_key_exchange = function (blob, protocol) local pos local ret = {rsa={}} ret.rsa.modulus, ret.rsa.exponent, pos = unpack(">s2s2", blob) pos, ret.signed = unpack_signed(blob, pos, protocol) ret.strength = #ret.rsa.modulus return ret end } KEX_ALGORITHMS.RSA_EXPORT1024 = KEX_ALGORITHMS.RSA_EXPORT KEX_ALGORITHMS.DHE_RSA={ pubkey="rsa", type = "dh", pfs = true, server_key_exchange = function (blob, protocol) local pos local ret = {} pos, ret.dhparams, ret.strength = unpack_dhparams(blob) pos, ret.signed = unpack_signed(blob, pos, protocol) return ret end } KEX_ALGORITHMS.DHE_RSA_EXPORT={ export=true, pubkey="rsa", type = "dh", pfs = true, server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange } KEX_ALGORITHMS.DHE_DSS={ pubkey="dsa", type = "dh", pfs = true, server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange } KEX_ALGORITHMS.DHE_DSS_EXPORT={ export=true, pubkey="dsa", type = "dh", pfs = true, server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange } KEX_ALGORITHMS.DHE_DSS_EXPORT1024 = KEX_ALGORITHMS.DHE_DSS_EXPORT1024 KEX_ALGORITHMS.DH_DSS={ pubkey="dh", } KEX_ALGORITHMS.DH_DSS_EXPORT={ export=true, pubkey="dh", } KEX_ALGORITHMS.DH_RSA={ pubkey="dh", } KEX_ALGORITHMS.DH_RSA_EXPORT={ export=true, pubkey="dh", } KEX_ALGORITHMS.ECDHE_RSA={ pubkey="rsa", type = "ec", pfs = true, server_key_exchange = function (blob, protocol) local pos local ret = {} pos, ret.ecdhparams, ret.strength = unpack_ecdhparams(blob) pos, ret.signed = unpack_signed(blob, pos, protocol) return ret end } KEX_ALGORITHMS.ECDHE_ECDSA={ pubkey="ec", type = "ec", pfs = true, server_key_exchange = KEX_ALGORITHMS.ECDHE_RSA.server_key_exchange } KEX_ALGORITHMS.ECDH_ECDSA={ pubkey="ec", } KEX_ALGORITHMS.ECDH_RSA={ pubkey="ec", } -- draft-ietf-tls-ecc-00 KEX_ALGORITHMS.ECDH_ECNRA={ pubkey="ec", } KEX_ALGORITHMS.ECMQV_ECDSA={ pubkey="ec", type = "ecmqv", server_key_exchange = function (blob, protocol) local pos local ret = {} ret.mqvparams, pos = unpack("s1", blob) return ret end } KEX_ALGORITHMS.ECMQV_ECNRA={ pubkey="ec", } -- rfc4279 KEX_ALGORITHMS.PSK = { type = "psk", server_key_exchange = function (blob, protocol) local hint, pos = unpack(">s2", blob) return {psk_identity_hint=hint} end } KEX_ALGORITHMS.RSA_PSK = { pubkey="rsa", type = "psk", server_key_exchange = KEX_ALGORITHMS.PSK.server_key_exchange } KEX_ALGORITHMS.DHE_PSK = { type = "dh", pfs = true, server_key_exchange = function (blob, protocol) local pos local ret = {} ret.psk_identity_hint, pos = unpack(">s2", blob) pos, ret.dhparams, ret.strength = unpack_dhparams(blob, pos) return ret end } --nomenclature change KEX_ALGORITHMS.PSK_DHE = KEX_ALGORITHMS.DHE_PSK --rfc5489 KEX_ALGORITHMS.ECDHE_PSK={ type = "ec", pfs = true, server_key_exchange = function (blob, protocol) local pos local ret = {} ret.psk_identity_hint, pos = unpack(">s2", blob) pos, ret.ecdhparams, ret.strength = unpack_ecdhparams(blob, pos) return ret end } -- RFC 5054 KEX_ALGORITHMS.SRP_SHA = { type = "srp", pfs = true, server_key_exchange = function (blob, protocol) local pos local ret = {srp={}} ret.srp.N, ret.srp.g, ret.srp.s, ret.srp.B, pos = unpack(">s2s2s1s2", blob) pos, ret.signed = unpack_signed(blob, pos, protocol) ret.strength = #ret.srp.N return ret end } KEX_ALGORITHMS.SRP_SHA_DSS = { pubkey="dsa", type = "srp", pfs = true, server_key_exchange = KEX_ALGORITHMS.SRP_SHA.server_key_exchange } KEX_ALGORITHMS.SRP_SHA_RSA = { pubkey="rsa", type = "srp", pfs = true, server_key_exchange = KEX_ALGORITHMS.SRP_SHA.server_key_exchange } -- RFC 6101 KEX_ALGORITHMS.FORTEZZA_KEA={} -- RFC 4491 KEX_ALGORITHMS.GOSTR341001={} KEX_ALGORITHMS.GOSTR341094={} -- RFC 2712 KEX_ALGORITHMS.KRB5={} KEX_ALGORITHMS.KRB5_EXPORT={ export=true, } -- TLSv1.3 KEX_ALGORITHMS.AKE = { tls13ok=true, tls13only=true, pfs=true, -- TLSv1.3 swaps the ServerKeyExchange message for the key_share extension. -- We'll just pretend that's what this is: server_key_exchange = function (blob, protocol) local named_group, pos = unpack(">I2", blob) stdnse.debug1("named_group = %d", named_group) named_group = find_key(ELLIPTIC_CURVES, named_group) local gtype, strength = named_group_info(named_group) return { type = gtype, strength = strength, ecdhparams={ -- Not always ECC, but reusing structure simplifies things curve_params={ ec_curve_type = "namedcurve", curve = named_group, } } } end, } -- RFC 8492 KEX_ALGORITHMS.ECCPWD = { tls13ok=true, tls13only=false, } local algorithms = { ["3DES"] = {s=112, b=64}, --NIST SP 800-57 CHACHA20 = {s=256, b=128}, IDEA = {s=128, b=64}, SEED = {s=128, b=128}, FORTEZZA = {s=80, b=64}, DES = {s=56, b=64}, RC2 = {s=40, b=64}, DES40 = {s=40, b=64}, NULL = {s=0}, CAMELLIA = {b=128}, ARIA = {b=128}, AES = {b=128}, SM4 = {s=128, b=128}, } --- Get info about a cipher suite -- -- Returned table has "kex", "cipher", "mode", "size", and -- "hash" keys, as well as boolean flag "draft". The "draft" -- flag is only supported for some suites that have different enumeration -- values in draft versus final RFC. -- @param c The cipher suite name, e.g. TLS_RSA_WITH_AES_128_GCM_SHA256 -- @return A table of info as described above. function cipher_info (c) local info = cipher_info_cache[c] if info then return info end local tokens = stringaux.strsplit("_", c) local i = 1 if tokens[i] ~= "TLS" and tokens[i] ~= "SSL" then stdnse.debug2("cipher_info: Not a TLS ciphersuite: %s", c) return nil end -- kex, cipher, size, mode, hash i = i + 1 while tokens[i] and tokens[i] ~= "WITH" do i = i + 1 end local kex = concat(tokens, "_", 2, i-1) info = KEX_ALGORITHMS[kex] if info then info = tableaux.tcopy(info) info.kex = kex else info = {kex = kex} end if tokens[i] and tokens[i] ~= "WITH" then stdnse.debug2("cipher_info: Can't parse (no WITH): %s", c) return nil end -- cipher i = i + 1 local t = tokens[i] info.cipher = t if t == "3DES" then i = i + 1 -- 3DES_EDE end -- key size local tmp = algorithms[t] if tmp then info.size = tmp.s info.block_size = tmp.b end if info.size == nil then i = i + 1 info.size = tonumber(tokens[i]) end -- stream ciphers don't have a mode if info.cipher == "RC4" then info.mode = "stream" elseif info.cipher == "CHACHA20" then i = i + 1 info.cipher = "CHACHA20-POLY1305" info.mode = "stream" elseif info.cipher ~= "NULL" then i = i + 1 info.mode = tokens[i] end -- export key size override if info.export and tonumber(tokens[i+1]) then i = i + 1 info.size = tonumber(tokens[i]) end -- Other key size overrides if info.cipher == "RC4" then -- RFC 7465 prohibits RC4 in TLS info.size = math.min(info.size or 80, 80) -- Equivalently caps to C grade? end -- hash if info.mode == "CCM" then info.hash = "SHA256" end i = i + 1 if i <= #tokens then if tokens[i] == "8" and info.mode == "CCM" then info.mode = "CCM_8" i = i + 1 elseif info.export and (tokens[i]):match("^%d+$") then info.size = tonumber(tokens[i]) i = i + 1 end if i <= #tokens then local t, w = (tokens[i]):match("(.+)%-([a-z]+)") if t then if w == "draft" then info.draft = true end -- else "or" else t = tokens[i] end info.hash = t end end cipher_info_cache[c] = info return info end SCSVS = { ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV"] = 0x00FF, -- rfc5746 ["TLS_FALLBACK_SCSV"] = 0x5600, -- draft-ietf-tls-downgrade-scsv-00 } handshake_parse = { server_hello = function (buffer, j, msg_end, protocol) local b = {} -- Parse body. b.protocol, b.time, b.random, b.session_id, j = unpack(">I2 I4 c28 s1", buffer, j) b.cipher, b.compressor, j = unpack(">I2 B", buffer, j) -- Optional extensions for TLS only if j < msg_end and protocol ~= "SSLv3" then local num_exts b["extensions"] = {} num_exts, j = unpack(">I2", buffer, j) for e = 0, num_exts do if j >= msg_end then break end local extcode, datalen extcode, j = unpack(">I2", buffer, j) extcode = find_key(EXTENSIONS, extcode) or extcode b["extensions"][extcode], j = unpack(">s2", buffer, j) end end -- Convert to human-readable form. b["protocol"] = find_key(PROTOCOLS, b["protocol"]) b["cipher"] = find_key(CIPHERS, b["cipher"]) b["compressor"] = find_key(COMPRESSORS, b["compressor"]) -- RFC 8446: HelloRetryRequest message uses the same structure as the -- ServerHello, but with Random set to the special value of the SHA-256 -- of "HelloRetryRequest" if b.protocol == "TLSv1.2" -- TLSv1.3 legacy version and b.random == "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C" then b.helloretry = true end -- RFC 8446: "the legacy_version field MUST be set to 0x0303, -- which is the version number for TLS 1.2" if (b.protocol == "TLSv1.2" and b.extensions and b.extensions.supported_versions == "\x03\x04") then b.protocol = "TLSv1.3" end return b, j end, certificate = function (buffer, j, msg_end, protocol) local cert_end cert_end, j = unpack(">I3", buffer, j) cert_end = cert_end + j if cert_end > msg_end then stdnse.debug2("server_certificate length > handshake body length!") end local b = {certificates = {}} while j < cert_end do local cert_len = unpack(">I3", buffer, j) if cert_len + 3 + j > cert_end then stdnse.debug1("server_certificate parsing error!") j = cert_end break end local cert cert, j = unpack(">s3", buffer, j) -- parse these with sslcert.parse_ssl_certificate insert(b["certificates"], cert) end return b, j end, NewSessionTicket = function (buffer, j, msg_end, protocol) -- Need 4 bytes for parsing. local have = #buffer - j + 1 if have < 4 then return nil, j, 4 end local b = {} -- Parse body. b.ticket_lifetime_hint, b.ticket, j = unpack(">I4 s2", buffer, j) return b, j end, } message_parse = { alert = function (buffer, j) local b = {} -- Parse body. b.level, b.description, j = unpack("BB", buffer, j) -- Convert to human-readable form. b["level"] = find_key(TLS_ALERT_LEVELS, b["level"]) b["description"] = find_key(TLS_ALERT_REGISTRY, b["description"]) return b, j end, handshake = function (buffer, j, protocol) -- Check for message fragmentation. -- Need 4 bytes for message header with length local have = #buffer - j + 1 if have < 4 then return nil, j, 4 end -- Parse body. local btype, len btype, len, j = unpack("B>I3", buffer, j) local msg_end = len + j -- Convert to human-readable form. btype = find_key(TLS_HANDSHAKETYPE_REGISTRY, btype) -- Check for message fragmentation. -- Need 4 bytes for header plus length of message if have < len + 4 then return nil, j - 4, len + 4 end local parser = handshake_parse[btype] local b if parser then b, j = parser(buffer, j, msg_end, protocol) b.type = btype else -- TODO: implement other handshake message types b = { type = btype } stdnse.debug2("Unknown handshake message type: %s", b["type"]) b.data, j = unpack("c" .. msg_end - j, buffer, j) end return b, j end, heartbeat = function (buffer, j) local b = {} b.type, b.payload, j = unpack(">B s2", buffer, j) -- Heartbeat messages are one per record; consume the rest of the record as padding. b.padding = buffer:sub(j) return b, #buffer + 1 end, } --- Parse a series of TLS messages from a buffer --@param mbuffer The buffer to parse --@param mi The index into that buffer to begin parsing --@param h The TLS/DTLS header. Must contain "type" and "protocol" fields --@return A table of parsed messages --@return The position where parsing stopped function parse_messages (mbuffer, mi, h) local messages = {} while mi < #mbuffer do -- RFC 2246, 6.2.1 "multiple client messages of the same ContentType may -- be coalesced into a single TLSPlaintext record" local parser = message_parse[h.type] if not parser then stdnse.debug1("Unknown message type: %s", h["type"]) break end local b, need b, mi, need = parser(mbuffer, mi, h.protocol) if b then messages[#messages+1] = b elseif need then -- Can't finish parsing this message, it'll be left in the fragment break end end return messages, mi end --- -- Read a SSL/TLS record -- @param buffer The read buffer -- @param i The position in the buffer to start reading (default: 1) -- @param fragment Message fragment left over from previous record (nil if none) -- @return The current position in the buffer -- @return The record that was read, as a table -- @return Whether parsing can continue if more data becomes available. function record_read(buffer, i, fragment) i = i or 1 -- Ensure we have enough data for the header. if #buffer - i < TLS_RECORD_HEADER_LENGTH then return i, nil, true end -- Parse header. local h = {} local typ, proto, rlength, j = unpack(">B I2 I2", buffer, i) h.length = rlength local name = find_key(TLS_CONTENTTYPE_REGISTRY, typ) if name == nil then stdnse.debug1("Unknown TLS ContentType: %d", typ) return j, nil, false end h["type"] = name name = find_key(PROTOCOLS, proto) if name == nil then stdnse.debug1("Unknown TLS Protocol: 0x%04x", proto) return j, nil, false end h["protocol"] = name -- Ensure we have enough data for the body. if #buffer < j + rlength - 1 then return i, nil, true end -- Adjust buffer and length to account for message fragment left over -- from last record. local mbuffer if fragment then mbuffer = fragment .. buffer:sub(j, j + rlength) else mbuffer = buffer:sub(j, j + rlength) end -- Body local mi = 1 h.body, mi = parse_messages(mbuffer, mi, h) if mi < #mbuffer then -- Fragmented message h.fragment = mbuffer:sub(mi) end -- Skip to the end of the record. Ignore unparsed bytes. -- These should be handled as fragmentation above j = j + rlength return j, h, true end --- -- Get the record version field appropriate for the protocol version -- -- TLSv1.3 introduced a change in the interpretation of the record version -- field. Previously, this was an indication of the TLS protocol, but now it is -- frozen at TLSv1.2. -- @param proto_version The numeric value of the protocol, e.g. 0x0303 for TLSv1.2 -- @return The numeric value that should be used in the record layer version field local function legacy_version (proto_version) -- TLSv1.2 was the last version where protocol version was negotiated via the -- record layer version. Later versions use the supported_versions extension return proto_version <= 0x0303 and proto_version or 0x0303 end function record_version_ok(received_version, proto_version) if proto_version == "TLSv1.3" then return received_version == "TLSv1.2" end return proto_version == received_version end --- -- Build a SSL/TLS record -- @param type The type of record ("handshake", "change_cipher_spec", etc.) -- @param protocol The protocol and version ("SSLv3", "TLSv1.0", etc.) -- @param b The record body -- @return The SSL/TLS record as a string function record_write(type, protocol, b) return concat({ -- Set the header as a handshake. pack("B", TLS_CONTENTTYPE_REGISTRY[type]), -- Set the protocol. pack(">I2", legacy_version(PROTOCOLS[protocol])), -- Set the length of the header body. pack(">s2", b) }) end -- Claim to support common hash and signature algorithm combinations (TLSv1.2 only) -- local DEFAULT_SIGALGS do local sigalgs = { -- most likely signature is rsa, so even use it for weak hashes {"md5","rsa"}, {"sha1","rsa"}, {"sha224","rsa"}, -- most likely are sha256 and sha512. {"sha256","rsa"}, {"sha256","dsa"}, {"sha256","ecdsa"}, {"sha512","rsa"}, {"sha512","dsa"}, {"sha512","ecdsa"}, {"intrinsic","ed25519"}, {"intrinsic","ed448"}, } DEFAULT_SIGALGS = EXTENSION_HELPERS["signature_algorithms"](sigalgs) end -- Equivalent for TLSv1.3 is SignatureScheme -- We'll offer all the sha256 and sha512 variants, plus a few extra local DEFAULT_SIGSCHEMES do local sigalgs = { "rsa_pkcs1_sha256", "rsa_pkcs1_sha512", "ecdsa_secp256r1_sha256", "ecdsa_secp521r1_sha512", "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha512", "ed25519", "ed448", "rsa_pss_pss_sha256", "rsa_pss_pss_sha512", "rsa_pkcs1_sha1", "ecdsa_sha1", } DEFAULT_SIGSCHEMES = EXTENSION_HELPERS["signature_algorithms_13"](sigalgs) end --- -- Build a client_hello message -- -- The options table has the following keys: -- * "protocol" - The TLS protocol version string for the client_hello. This indicates the highest protocol version supported. -- * "record_protocol" - The TLS protocol version string for the TLS record. This indicates the lowest protocol version supported. -- * "ciphers" - a table containing the cipher suite names. Defaults to the NULL cipher -- * "compressors" - a table containing the compressor names. Default: NULL -- * "extensions" - a table containing the extension names. Default: no extensions -- @param t Table of options -- @return The client_hello record as a string function client_hello(t) local b, ciphers, compressor, compressors, h, len t = t or {} ---------- -- Body -- ---------- b = {} -- Set the protocol. local protocol = t["protocol"] or HIGHEST_PROTOCOL insert(b, pack(">I2 I4", legacy_version(PROTOCOLS[protocol]), -- Set the random data. os.time() )) local record_proto = t.record_protocol -- Set the random data. insert(b, rand.random_string(28)) -- Set the session ID. local sid = t["session_id"] or "" insert(b, pack(">s1", sid)) local eccpwd = false local shangmi = false -- Cipher suites. ciphers = {} -- Add specified ciphers. for _, cipher in pairs(t.ciphers -- user-specified list or (record_proto == "TLSv1.3" and DEFAULT_TLS13_CIPHERS) -- TLSv1.3 only or (PROTOCOLS[protocol] < PROTOCOLS["TLSv1.3"] and DEFAULT_TLS12_CIPHERS) -- non-TLSv1.3 or DEFAULT_CIPHERS) -- combined/compatible handshake do if type(cipher) == "string" then if cipher:match("^TLS_ECCPWD_") then -- RFC 8492 has specific requirements eccpwd = true elseif protocol == "TLSv1.3" and cipher:match("_SM3$") then -- RFC 8998 has specific requirements shangmi = true end cipher = CIPHERS[cipher] or SCSVS[cipher] end if type(cipher) == "number" and cipher >= 0 and cipher <= 0xffff then insert(ciphers, pack(">I2", cipher)) else stdnse.debug1("Unknown cipher in client_hello: %s", cipher) end end insert(b, pack(">s2", concat(ciphers))) -- Compression methods. compressors = {} if t["compressors"] ~= nil then -- Add specified compressors. for _, compressor in pairs(t["compressors"]) do if compressor ~= "NULL" then insert(compressors, pack("B", COMPRESSORS[compressor])) end end end -- Always include NULL as last choice insert(compressors, pack("B", COMPRESSORS["NULL"])) insert(b, pack("s1", concat(compressors))) -- TLS extensions local proto_ver = PROTOCOLS[protocol] if proto_ver and protocol ~= "SSLv3" then local extensions = {} -- TLSv1.3 requires supported_versions and key_share extensions -- OpenSSL also appears to want supported_groups in some cases? local need_supported_versions = (proto_ver >= PROTOCOLS["TLSv1.3"]) local need_key_share = need_supported_versions local need_elliptic_curves = need_supported_versions -- Do we need to add the signature_algorithms extension? local need_sigalg = (proto_ver >= PROTOCOLS["TLSv1.2"]) -- Add specified extensions. if t.extensions then for extension, data in pairs(t["extensions"]) do if type(extension) == "number" then insert(extensions, pack(">I2", extension)) else if extension == "signature_algorithms" or extension == "signature_algorithms_13" then need_sigalg = false if shangmi then local sm2sig_sm3 = pack(">I2", SignatureSchemes.sm2sig_sm3) if not data:match("^..(..)*" .. sm2sig_sm3) then data = pack(">s2", data:sub(3) .. sm2sig_sm3) end end elseif extension == "supported_versions" then need_supported_versions = false elseif extension == "key_share" then need_key_share = false elseif extension == "elliptic_curves" then need_elliptic_curves = false if shangmi then -- For now, RFC 8998 is the only one that enforces particular curves local curveSM2 = pack(">I2", ELLIPTIC_CURVES.curveSM2) if not data:match("^..(..)*" .. curveSM2) then data = pack(">s2", data:sub(3) .. curveSM2) end end end insert(extensions, pack(">I2", EXTENSIONS[extension])) end insert(extensions, pack(">s2", data)) end end if need_supported_versions then insert(extensions, pack(">I2", EXTENSIONS["supported_versions"])) -- We'd prefer TLS 1.2 or 1.1, since we've tested our scripts on those. insert(extensions, pack(">s2", EXTENSION_HELPERS["supported_versions"]({"TLSv1.2", "TLSv1.1", "TLSv1.3", "SSLv3"}))) end if need_sigalg then insert(extensions, pack(">I2", EXTENSIONS["signature_algorithms"])) local data = proto_ver >= PROTOCOLS["TLSv1.3"] and DEFAULT_SIGSCHEMES or DEFAULT_SIGALGS if shangmi then data = pack(">s2", data:sub(3) .. pack(">I2", SignatureSchemes.sm2sig_sm3)) end insert(extensions, pack(">s2", data)) end if need_key_share then -- RFC 8446: Clients MAY send an empty client_shares vector in order to request -- group selection from the server, at the cost of an additional round trip insert(extensions, pack(">I2", EXTENSIONS["key_share"])) insert(extensions, pack(">s2", "\0\0")) end if need_elliptic_curves then local curves = {table.unpack(DEFAULT_ELLIPTIC_CURVES)} if shangmi then curves[#curves+1] = "curveSM2" end insert(extensions, pack(">I2", EXTENSIONS["elliptic_curves"])) insert(extensions, pack(">s2", EXTENSION_HELPERS["elliptic_curves"](curves))) end -- Extensions are optional if #extensions ~= 0 then insert(b, pack(">s2", concat(extensions))) end end ------------ -- Header -- ------------ b = concat(b) h = {} -- Set type to ClientHello. insert(h, pack("B", TLS_HANDSHAKETYPE_REGISTRY["client_hello"])) -- Set the length of the body. insert(h, pack(">s3", b)) -- Record layer version should be SSLv3 (lowest compatible record version) -- But some implementations (OpenSSL) will not finish a handshake that could -- be downgraded by a MITM to SSLv3. So we use TLSv1.0 unless the caller -- explicitly tries to set SSLv3.0 somewhere (t.record_protocol or -- t.protocol) if not record_proto then record_proto = (t.protocol == "SSLv3") and "SSLv3" or "TLSv1.0" elseif record_proto == "TLSv1.3" then -- RFC 8446: "MUST be set to 0x0303 for all records generated by a TLS 1.3 -- implementation other than an initial ClientHello (i.e., one not generated -- after a HelloRetryRequest), where it MAY also be 0x0301 for compatibility -- purposes. record_proto = "TLSv1.2" end return record_write("handshake", record_proto, concat(h)) end local function read_atleast(s, n) local buf = {} local count = 0 while count < n do local status, data = s:receive_bytes(n - count) if not status then return status, data, concat(buf) end buf[#buf+1] = data count = count + #data end return true, concat(buf) end --- Get an entire record into a buffer -- -- Caller is responsible for closing the socket if necessary. -- @param sock The socket to read additional data from -- @param buffer The string buffer holding any previously-read data -- (default: "") -- @param i The position in the buffer where the record should start -- (default: 1) -- @return status Socket status -- @return Buffer containing at least 1 record if status is true -- @return Error text if there was an error function record_buffer(sock, buffer, i) buffer = buffer or "" i = i or 1 local count = #buffer:sub(i) local status, resp, rem if count < TLS_RECORD_HEADER_LENGTH then status, resp, rem = read_atleast(sock, TLS_RECORD_HEADER_LENGTH - count) if not status then return false, buffer .. rem, resp end buffer = buffer .. resp count = count + #resp end -- ContentType, ProtocolVersion, length local ctype, pversion, len = unpack(">BI2I2", buffer, i) if not TLS_PROTOCOL_VERSIONS[pversion] or not TLS_CONTENTTYPES[ctype] then return false, buffer, "Unknown TLS protocol version or content type" end if count < TLS_RECORD_HEADER_LENGTH + len then status, resp = read_atleast(sock, TLS_RECORD_HEADER_LENGTH + len - count) if not status then return false, buffer, resp end buffer = buffer .. resp end return true, buffer end -- Get a server_name for use with the TLS Server Name Indication extension. -- -- This returns the value of the script argument "tls.servername" if given. Otherwise, it -- returns the target name of the host parameter. -- -- @param host Host table as received by the action function -- @return String of the selected host name function servername(host) local script_arg = stdnse.get_script_args("tls.servername") if script_arg then return script_arg elseif type(host) == "table" then return host.targetname end end local unittest = require "unittest" if not unittest.testing() then return _ENV end test_suite = unittest.TestSuite:new() for name, code in pairs(CIPHERS) do test_suite:add_test(unittest.not_nil(cipher_info(name).kex), name .. ".kex") end return _ENV;