---
-- A library providing functions for doing TLS/SSL communications
--
-- These functions will build strings and process buffers. Socket communication
-- is left to the script to implement.
--
-- @args tls.servername Hostname to use in the Server Name Indication (SNI)
-- extension. Overrides the target name given on the
-- command line and affects all targets.
-- @author Daniel Miller
local stdnse = require "stdnse"
local string = require "string"
local stringaux = require "stringaux"
local math = require "math"
local os = require "os"
local table = require "table"
local tableaux = require "tableaux"
local rand = require "rand"
_ENV = stdnse.module("tls", stdnse.seeall)
local pack = string.pack
local unpack = string.unpack
local tostring = tostring
local concat = table.concat
local insert = table.insert
-- Most of the values in the tables below are from:
-- http://www.iana.org/assignments/tls-parameters/
PROTOCOLS = {
["SSLv3"] = 0x0300,
["TLSv1.0"] = 0x0301,
["TLSv1.1"] = 0x0302,
["TLSv1.2"] = 0x0303,
["TLSv1.3"] = 0x0304,
}
HIGHEST_PROTOCOL = "TLSv1.3"
local TLS_PROTOCOL_VERSIONS = tableaux.invert(PROTOCOLS)
--
-- TLS Record Types
--
TLS_RECORD_HEADER_LENGTH = 5
TLS_CONTENTTYPE_REGISTRY = {
["change_cipher_spec"] = 20,
["alert"] = 21,
["handshake"] = 22,
["application_data"] = 23,
["heartbeat"] = 24,
["tls12_cid"] = 25,
["ACK"] = 26,
}
local TLS_CONTENTTYPES = tableaux.invert(TLS_CONTENTTYPE_REGISTRY)
--
-- TLS Alert Levels
--
TLS_ALERT_LEVELS = {
["warning"] = 1,
["fatal"] = 2,
}
--
-- TLS Alert Record Types
--
TLS_ALERT_REGISTRY = {
["close_notify"] = 0,
["unexpected_message"] = 10,
["bad_record_mac"] = 20,
["decryption_failed"] = 21,
["record_overflow"] = 22,
["decompression_failure"] = 30,
["handshake_failure"] = 40,
["no_certificate"] = 41,
["bad_certificate"] = 42,
["unsupported_certificate"] = 43,
["certificate_revoked"] = 44,
["certificate_expired"] = 45,
["certificate_unknown"] = 46,
["illegal_parameter"] = 47,
["unknown_ca"] = 48,
["access_denied"] = 49,
["decode_error"] = 50,
["decrypt_error"] = 51,
["too_many_cids_requested"] = 52,
["export_restriction"] = 60,
["protocol_version"] = 70,
["insufficient_security"] = 71,
["internal_error"] = 80,
["inappropriate_fallback"] = 86,
["user_canceled"] = 90,
["no_renegotiation"] = 100,
["missing_extension"] = 109,
["unsupported_extension"] = 110,
["certificate_unobtainable"] = 111,
["unrecognized_name"] = 112,
["bad_certificate_status_response"] = 113,
["bad_certificate_hash_value"] = 114,
["unknown_psk_identity"] = 115,
["certificate_required"] = 116,
["no_application_protocol"] = 120,
}
--
-- TLS Handshake Record Types
--
TLS_HANDSHAKETYPE_REGISTRY = {
["hello_request"] = 0,
["client_hello"] = 1,
["server_hello"] = 2,
["hello_verify_request"] = 3,
["NewSessionTicket"] = 4,
["end_of_early_data"] = 5,
["hello_retry_request"] = 6,
["encrypted_extensions"] = 8,
["request_connection_id"] = 9,
["new_connection_id"] = 10,
["certificate"] = 11,
["server_key_exchange"] = 12,
["certificate_request"] = 13,
["server_hello_done"] = 14,
["certificate_verify"] = 15,
["client_key_exchange"] = 16,
["client_certificate_request"] = 17,
["finished"] = 20,
["certificate_url"] = 21,
["certificate_status"] = 22,
["supplemental_data"] = 23,
["key_update"] = 24,
["compressed_certificate"] = 25,
["ekt_key"] = 26,
["next_protocol"] = 67,
["message_hash"] = 254,
}
--
-- Compression Algorithms
-- http://www.iana.org/assignments/comp-meth-ids
--
COMPRESSORS = {
["NULL"] = 0,
["DEFLATE"] = 1,
["LZS"] = 64
}
---
-- TLS Supported Groups
-- RFC 4492 section 5.1.1 "Supported Elliptic Curves Extension".
ELLIPTIC_CURVES = {
sect163k1 = 1, --deprecated
sect163r1 = 2, --deprecated
sect163r2 = 3, --deprecated
sect193r1 = 4, --deprecated
sect193r2 = 5, --deprecated
sect233k1 = 6, --deprecated
sect233r1 = 7, --deprecated
sect239k1 = 8, --deprecated
sect283k1 = 9, --deprecated
sect283r1 = 10, --deprecated
sect409k1 = 11, --deprecated
sect409r1 = 12, --deprecated
sect571k1 = 13, --deprecated
sect571r1 = 14, --deprecated
secp160k1 = 15, --deprecated
secp160r1 = 16, --deprecated
secp160r2 = 17, --deprecated
secp192k1 = 18, --deprecated
secp192r1 = 19, --deprecated
secp224k1 = 20, --deprecated
secp224r1 = 21, --deprecated
secp256k1 = 22, --deprecated
secp256r1 = 23,
secp384r1 = 24,
secp521r1 = 25,
brainpoolP256r1 = 26, --RFC7027
brainpoolP384r1 = 27,
brainpoolP512r1 = 28,
ecdh_x25519 = 29, -- rfc8422
ecdh_x448 = 30, -- rfc8422
brainpoolP256r1tls13 = 31, --RFC8734
brainpoolP384r1tls13 = 32,
brainpoolP512r1tls13 = 33,
GC256A = 34, -- draft-smyshlyaev-tls12-gost-suites
GC256B = 35,
GC256C = 36,
GC256D = 37,
GC512A = 38,
GC512B = 39,
GC512C = 40,
curveSM2 = 41, -- RFC 8998
ffdhe2048 = 0x0100, --RFC7919
ffdhe3072 = 0x0101, --RFC7919
ffdhe4096 = 0x0102, --RFC7919
ffdhe6144 = 0x0103, --RFC7919
ffdhe8192 = 0x0104, --RFC7919
arbitrary_explicit_prime_curves = 0xFF01,
arbitrary_explicit_char2_curves = 0xFF02,
}
-- Most likely set, supported by Firefox and Chrome
DEFAULT_ELLIPTIC_CURVES = {
"secp256r1",
"secp384r1",
"secp521r1",
"ecdh_x25519",
"ffdhe2048", -- added for TLSv1.3
}
---
-- RFC 4492 section 5.1.2 "Supported Point Formats Extension".
EC_POINT_FORMATS = {
uncompressed = 0,
ansiX962_compressed_prime = 1,
ansiX962_compressed_char2 = 2,
}
---
-- RFC 5246 section 7.4.1.4.1. Signature Algorithms
HashAlgorithms = {
none = 0,
md5 = 1,
sha1 = 2,
sha224 = 3,
sha256 = 4,
sha384 = 5,
sha512 = 6,
intrinsic = 8,
}
SignatureAlgorithms = {
anonymous = 0,
rsa = 1,
dsa = 2,
ecdsa = 3,
ed25519 = 7,
ed448 = 8,
}
---
-- TLS v1.3 Signature Algorithms
SignatureSchemes = {
-- RSASSA-PKCS1-v1_5 algorithms
rsa_pkcs1_sha256 = 0x0401,
rsa_pkcs1_sha384 = 0x0501,
rsa_pkcs1_sha512 = 0x0601,
-- ECDSA algorithms
ecdsa_secp256r1_sha256 = 0x0403,
ecdsa_secp384r1_sha384 = 0x0503,
ecdsa_secp521r1_sha512 = 0x0603,
-- draft-wang-tls-raw-public-key-with-ibc
eccsi_sha256 = 0x0704,
iso_ibs1 = 0x0705,
iso_ibs2 = 0x0706,
iso_chinese_ibs = 0x0707,
-- RFC8998
sm2sig_sm3 = 0x0708,
-- draft-smyshlyaev-tls13-gost-suites
gostr34102012_256a = 0x0709,
gostr34102012_256b = 0x070A,
gostr34102012_256c = 0x070B,
gostr34102012_256d = 0x070C,
gostr34102012_512a = 0x070D,
gostr34102012_512b = 0x070E,
gostr34102012_512c = 0x070F,
-- RSASSA-PSS algorithms with public key OID rsaEncryption
rsa_pss_rsae_sha256 = 0x0804,
rsa_pss_rsae_sha384 = 0x0805,
rsa_pss_rsae_sha512 = 0x0806,
-- EdDSA algorithms
ed25519 = 0x0807,
ed448 = 0x0808,
-- RSASSA-PSS algorithms with public key OID RSASSA-PSS
rsa_pss_pss_sha256 = 0x0809,
rsa_pss_pss_sha384 = 0x080a,
rsa_pss_pss_sha512 = 0x080b,
-- ECC Brainpool curves
ecdsa_brainpoolP256r1tls13_sha256 = 0x081a,
ecdsa_brainpoolP384r1tls13_sha384 = 0x081b,
ecdsa_brainpoolP512r1tls13_sha512 = 0x081c,
-- Legacy algorithms
rsa_pkcs1_sha1 = 0x0201,
ecdsa_sha1 = 0x0203,
-- RFC 8998
sm2sig_sm3 = 0x0708,
}
---
-- Extensions
-- RFC 6066, draft-agl-tls-nextprotoneg-03
-- https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
--
EXTENSIONS = {
["server_name"] = 0,
["max_fragment_length"] = 1,
["client_certificate_url"] = 2,
["trusted_ca_keys"] = 3,
["truncated_hmac"] = 4,
["status_request"] = 5,
["user_mapping"] = 6,
["client_authz"] = 7,
["server_authz"] = 8,
["cert_type"] = 9,
["elliptic_curves"] = 10,
["ec_point_formats"] = 11,
["srp"] = 12,
["signature_algorithms"] = 13,
-- TLSv1.3 changed the format for this extension. It's just more convenient
-- to call it something else.
["signature_algorithms_13"] = 13,
["use_srtp"] = 14,
["heartbeat"] = 15,
["application_layer_protocol_negotiation"] = 16,
["status_request_v2"] = 17,
["signed_certificate_timestamp"] = 18,
["client_certificate_type"] = 19,
["server_certificate_type"] = 20,
["padding"] = 21, -- rfc7685
["encrypt_then_mac"] = 22, -- rfc7366
["extended_master_secret"] = 23, -- rfc7627
["token_binding"] = 24, -- Temporary, expires 2018-02-04
["cached_info"] = 25, -- rfc7924
["tls_lts"] = 26, -- draft-gutmann-tls-lts
["compress_certificate"] = 27, -- rfc8879
["record_size_limit"] = 28, -- rfc8449
["pwd_protect"] = 29, -- rfc8492
["pwd_clear"] = 30, -- rfc8492
["password_salt"] = 31, -- rfc8492
["ticket_pinning"] = 32,
["tls_cert_with_extern_psk"] = 33,
["delegated_credentials"] = 34,
["TLMSP"] = 35,
["TLMSP_proxying"] = 36,
["TLMSP_delegate"] = 37,
["supported_ekt_ciphers"] = 38,
["SessionTicket TLS"] = 39,
-- TLSv1.3
["pre_shared_key"] = 41,
["early_data"] = 42,
["supported_versions"] = 43,
["cookie"] = 44,
["psk_key_exchange_modes"] = 45,
["certificate_authorities"] = 47,
["oid_filters"] = 48,
["post_handshake_auth"] = 49,
["signature_algorithms_cert"] = 50,
["key_share"] = 51,
["transparency_info"] = 52,
["connection_id-deprecated"] = 53,
["connection_id"] = 54,
["external_id_hash"] = 55,
["external_session_id"] = 56,
["quic_transport_parameters"] = 57,
["ticket_request"] = 58,
["dnssec_chain"] = 59,
--
["next_protocol_negotiation"] = 13172,
["renegotiation_info"] = 65281,
}
---
-- Builds data for each extension
-- Defaults to tostring (i.e. pass in the packed data you want directly)
EXTENSION_HELPERS = {
["server_name"] = function (server_name)
-- Only supports host_name type (0), as per RFC
-- Support for other types could be added later
return pack(">s2", pack(">Bs2", 0, server_name))
end,
["max_fragment_length"] = tostring,
["client_certificate_url"] = tostring,
["trusted_ca_keys"] = tostring,
["truncated_hmac"] = tostring,
["status_request"] = tostring,
["elliptic_curves"] = function (elliptic_curves)
local list = {}
for _, name in ipairs(elliptic_curves) do
list[#list+1] = pack(">I2", ELLIPTIC_CURVES[name])
end
return pack(">s2", concat(list))
end,
["ec_point_formats"] = function (ec_point_formats)
local list = {}
for _, format in ipairs(ec_point_formats) do
list[#list+1] = pack(">B", EC_POINT_FORMATS[format])
end
return pack(">s1", concat(list))
end,
["signature_algorithms"] = function(signature_algorithms)
local list = {}
for _, pair in ipairs(signature_algorithms) do
list[#list+1] = pack(">BB",
HashAlgorithms[pair[1]] or pair[1],
SignatureAlgorithms[pair[2]] or pair[2]
)
end
return pack(">s2", concat(list))
end,
["signature_algorithms_13"] = function (signature_schemes)
local list = {}
for _, name in ipairs(signature_schemes) do
list[#list+1] = pack(">I2", SignatureSchemes[name])
end
return pack(">s2", concat(list))
end,
["application_layer_protocol_negotiation"] = function(protocols)
local list = {}
for _, proto in ipairs(protocols) do
list[#list+1] = pack(">s1", proto)
end
return pack(">s2", concat(list))
end,
["next_protocol_negotiation"] = tostring,
["supported_versions"] = function(versions)
local list = {}
for _, name in ipairs(versions) do
list[#list+1] = pack(">I2", PROTOCOLS[name])
end
return pack(">s1", concat(list))
end,
}
--
-- Encryption Algorithms
--
CIPHERS = {
["TLS_NULL_WITH_NULL_NULL"] = 0x0000,
["TLS_RSA_WITH_NULL_MD5"] = 0x0001,
["TLS_RSA_WITH_NULL_SHA"] = 0x0002,
["TLS_RSA_EXPORT_WITH_RC4_40_MD5"] = 0x0003,
["TLS_RSA_WITH_RC4_128_MD5"] = 0x0004,
["TLS_RSA_WITH_RC4_128_SHA"] = 0x0005,
["TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"] = 0x0006,
["TLS_RSA_WITH_IDEA_CBC_SHA"] = 0x0007,
["TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x0008,
["TLS_RSA_WITH_DES_CBC_SHA"] = 0x0009,
["TLS_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x000A,
["TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"] = 0x000B,
["TLS_DH_DSS_WITH_DES_CBC_SHA"] = 0x000C,
["TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"] = 0x000D,
["TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x000E,
["TLS_DH_RSA_WITH_DES_CBC_SHA"] = 0x000F,
["TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x0010,
["TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"] = 0x0011,
["TLS_DHE_DSS_WITH_DES_CBC_SHA"] = 0x0012,
["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"] = 0x0013,
["TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"] = 0x0014,
["TLS_DHE_RSA_WITH_DES_CBC_SHA"] = 0x0015,
["TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"] = 0x0016,
["TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"] = 0x0017,
["TLS_DH_anon_WITH_RC4_128_MD5"] = 0x0018,
["TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"] = 0x0019,
["TLS_DH_anon_WITH_DES_CBC_SHA"] = 0x001A,
["TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"] = 0x001B,
["SSL_FORTEZZA_KEA_WITH_NULL_SHA"] = 0x001C,
["SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"] = 0x001D,
["TLS_KRB5_WITH_DES_CBC_SHA-or-SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"] = 0x001E, --TLS vs SSLv3
["TLS_KRB5_WITH_3DES_EDE_CBC_SHA"] = 0x001F,
["TLS_KRB5_WITH_RC4_128_SHA"] = 0x0020,
["TLS_KRB5_WITH_IDEA_CBC_SHA"] = 0x0021,
["TLS_KRB5_WITH_DES_CBC_MD5"] = 0x0022,
["TLS_KRB5_WITH_3DES_EDE_CBC_MD5"] = 0x0023,
["TLS_KRB5_WITH_RC4_128_MD5"] = 0x0024,
["TLS_KRB5_WITH_IDEA_CBC_MD5"] = 0x0025,
["TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"] = 0x0026,
["TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"] = 0x0027,
["TLS_KRB5_EXPORT_WITH_RC4_40_SHA"] = 0x0028,
["TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"] = 0x0029,
["TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"] = 0x002A,
["TLS_KRB5_EXPORT_WITH_RC4_40_MD5"] = 0x002B,
["TLS_PSK_WITH_NULL_SHA"] = 0x002C,
["TLS_DHE_PSK_WITH_NULL_SHA"] = 0x002D,
["TLS_RSA_PSK_WITH_NULL_SHA"] = 0x002E,
["TLS_RSA_WITH_AES_128_CBC_SHA"] = 0x002F,
["TLS_DH_DSS_WITH_AES_128_CBC_SHA"] = 0x0030,
["TLS_DH_RSA_WITH_AES_128_CBC_SHA"] = 0x0031,
["TLS_DHE_DSS_WITH_AES_128_CBC_SHA"] = 0x0032,
["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"] = 0x0033,
["TLS_DH_anon_WITH_AES_128_CBC_SHA"] = 0x0034,
["TLS_RSA_WITH_AES_256_CBC_SHA"] = 0x0035,
["TLS_DH_DSS_WITH_AES_256_CBC_SHA"] = 0x0036,
["TLS_DH_RSA_WITH_AES_256_CBC_SHA"] = 0x0037,
["TLS_DHE_DSS_WITH_AES_256_CBC_SHA"] = 0x0038,
["TLS_DHE_RSA_WITH_AES_256_CBC_SHA"] = 0x0039,
["TLS_DH_anon_WITH_AES_256_CBC_SHA"] = 0x003A,
["TLS_RSA_WITH_NULL_SHA256"] = 0x003B,
["TLS_RSA_WITH_AES_128_CBC_SHA256"] = 0x003C,
["TLS_RSA_WITH_AES_256_CBC_SHA256"] = 0x003D,
["TLS_DH_DSS_WITH_AES_128_CBC_SHA256"] = 0x003E,
["TLS_DH_RSA_WITH_AES_128_CBC_SHA256"] = 0x003F,
["TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"] = 0x0040,
["TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0041,
["TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"] = 0x0042,
["TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0043,
["TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"] = 0x0044,
["TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"] = 0x0045,
["TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"] = 0x0046,
["TLS_ECDH_ECDSA_WITH_NULL_SHA-draft"] = 0x0047, --draft-ietf-tls-ecc-00
["TLS_ECDH_ECDSA_WITH_RC4_128_SHA-draft"] = 0x0048, --draft-ietf-tls-ecc-00
["TLS_ECDH_ECDSA_WITH_DES_CBC_SHA-draft"] = 0x0049, --draft-ietf-tls-ecc-00
["TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x004A, --draft-ietf-tls-ecc-00
["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA-draft"] = 0x004B, --draft-ietf-tls-ecc-00
["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA-draft"] = 0x004C, --draft-ietf-tls-ecc-00
["TLS_ECDH_ECNRA_WITH_DES_CBC_SHA-draft"] = 0x004D, --draft-ietf-tls-ecc-00
["TLS_ECDH_ECNRA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x004E, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECDSA_NULL_SHA-draft"] = 0x004F, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECDSA_WITH_RC4_128_SHA-draft"] = 0x0050, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECDSA_WITH_DES_CBC_SHA-draft"] = 0x0051, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECDSA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x0052, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECNRA_NULL_SHA-draft"] = 0x0053, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECNRA_WITH_RC4_128_SHA-draft"] = 0x0054, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECNRA_WITH_DES_CBC_SHA-draft"] = 0x0055, --draft-ietf-tls-ecc-00
["TLS_ECMQV_ECNRA_WITH_3DES_EDE_CBC_SHA-draft"] = 0x0056, --draft-ietf-tls-ecc-00
["TLS_ECDH_anon_NULL_WITH_SHA-draft"] = 0x0057, --draft-ietf-tls-ecc-00
["TLS_ECDH_anon_WITH_RC4_128_SHA-draft"] = 0x0058, --draft-ietf-tls-ecc-00
["TLS_ECDH_anon_WITH_DES_CBC_SHA-draft"] = 0x0059, --draft-ietf-tls-ecc-00
["TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA-draft"] = 0x005A, --draft-ietf-tls-ecc-00
["TLS_ECDH_anon_EXPORT_WITH_DES40_CBC_SHA-draft"] = 0x005B, --draft-ietf-tls-ecc-00
["TLS_ECDH_anon_EXPORT_WITH_RC4_40_SHA-draft"] = 0x005C, --draft-ietf-tls-ecc-00
["TLS_RSA_EXPORT1024_WITH_RC4_56_MD5"] = 0x0060,
["TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5"] = 0x0061,
["TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA"] = 0x0062,
["TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"] = 0x0063,
["TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"] = 0x0064,
["TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"] = 0x0065,
["TLS_DHE_DSS_WITH_RC4_128_SHA"] = 0x0066,
["TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"] = 0x0067,
["TLS_DH_DSS_WITH_AES_256_CBC_SHA256"] = 0x0068,
["TLS_DH_RSA_WITH_AES_256_CBC_SHA256"] = 0x0069,
["TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"] = 0x006A,
["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"] = 0x006B,
["TLS_DH_anon_WITH_AES_128_CBC_SHA256"] = 0x006C,
["TLS_DH_anon_WITH_AES_256_CBC_SHA256"] = 0x006D,
["TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD-draft"] = 0x0072, --draft-ietf-tls-openpgp-keys-05
["TLS_DHE_DSS_WITH_AES_128_CBC_RMD-draft"] = 0x0073, --draft-ietf-tls-openpgp-keys-05
["TLS_DHE_DSS_WITH_AES_256_CBC_RMD-draft"] = 0x0074, --draft-ietf-tls-openpgp-keys-05
["TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD-draft"] = 0x0077, --draft-ietf-tls-openpgp-keys-05
["TLS_DHE_RSA_WITH_AES_128_CBC_RMD-draft"] = 0x0078, --draft-ietf-tls-openpgp-keys-05
["TLS_DHE_RSA_WITH_AES_256_CBC_RMD-draft"] = 0x0079, --draft-ietf-tls-openpgp-keys-05
["TLS_RSA_WITH_3DES_EDE_CBC_RMD-draft"] = 0x007C, --draft-ietf-tls-openpgp-keys-05
["TLS_RSA_WITH_AES_128_CBC_RMD-draft"] = 0x007D, --draft-ietf-tls-openpgp-keys-05
["TLS_RSA_WITH_AES_256_CBC_RMD-draft"] = 0x007E, --draft-ietf-tls-openpgp-keys-05
["TLS_GOSTR341094_WITH_28147_CNT_IMIT-draft"] = 0x0080, --draft-chudov-cryptopro-cptls-04
["TLS_GOSTR341001_WITH_28147_CNT_IMIT-draft"] = 0x0081, --draft-chudov-cryptopro-cptls-04
["TLS_GOSTR341094_WITH_NULL_GOSTR3411-draft"] = 0x0082, --draft-chudov-cryptopro-cptls-04
["TLS_GOSTR341001_WITH_NULL_GOSTR3411-draft"] = 0x0083, --draft-chudov-cryptopro-cptls-04
["TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0084,
["TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"] = 0x0085,
["TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0086,
["TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"] = 0x0087,
["TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"] = 0x0088,
["TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA"] = 0x0089,
["TLS_PSK_WITH_RC4_128_SHA"] = 0x008A,
["TLS_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x008B,
["TLS_PSK_WITH_AES_128_CBC_SHA"] = 0x008C,
["TLS_PSK_WITH_AES_256_CBC_SHA"] = 0x008D,
["TLS_DHE_PSK_WITH_RC4_128_SHA"] = 0x008E,
["TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x008F,
["TLS_DHE_PSK_WITH_AES_128_CBC_SHA"] = 0x0090,
["TLS_DHE_PSK_WITH_AES_256_CBC_SHA"] = 0x0091,
["TLS_RSA_PSK_WITH_RC4_128_SHA"] = 0x0092,
["TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"] = 0x0093,
["TLS_RSA_PSK_WITH_AES_128_CBC_SHA"] = 0x0094,
["TLS_RSA_PSK_WITH_AES_256_CBC_SHA"] = 0x0095,
["TLS_RSA_WITH_SEED_CBC_SHA"] = 0x0096,
["TLS_DH_DSS_WITH_SEED_CBC_SHA"] = 0x0097,
["TLS_DH_RSA_WITH_SEED_CBC_SHA"] = 0x0098,
["TLS_DHE_DSS_WITH_SEED_CBC_SHA"] = 0x0099,
["TLS_DHE_RSA_WITH_SEED_CBC_SHA"] = 0x009A,
["TLS_DH_anon_WITH_SEED_CBC_SHA"] = 0x009B,
["TLS_RSA_WITH_AES_128_GCM_SHA256"] = 0x009C,
["TLS_RSA_WITH_AES_256_GCM_SHA384"] = 0x009D,
["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"] = 0x009E,
["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"] = 0x009F,
["TLS_DH_RSA_WITH_AES_128_GCM_SHA256"] = 0x00A0,
["TLS_DH_RSA_WITH_AES_256_GCM_SHA384"] = 0x00A1,
["TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"] = 0x00A2,
["TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"] = 0x00A3,
["TLS_DH_DSS_WITH_AES_128_GCM_SHA256"] = 0x00A4,
["TLS_DH_DSS_WITH_AES_256_GCM_SHA384"] = 0x00A5,
["TLS_DH_anon_WITH_AES_128_GCM_SHA256"] = 0x00A6,
["TLS_DH_anon_WITH_AES_256_GCM_SHA384"] = 0x00A7,
["TLS_PSK_WITH_AES_128_GCM_SHA256"] = 0x00A8,
["TLS_PSK_WITH_AES_256_GCM_SHA384"] = 0x00A9,
["TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"] = 0x00AA,
["TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"] = 0x00AB,
["TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"] = 0x00AC,
["TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"] = 0x00AD,
["TLS_PSK_WITH_AES_128_CBC_SHA256"] = 0x00AE,
["TLS_PSK_WITH_AES_256_CBC_SHA384"] = 0x00AF,
["TLS_PSK_WITH_NULL_SHA256"] = 0x00B0,
["TLS_PSK_WITH_NULL_SHA384"] = 0x00B1,
["TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"] = 0x00B2,
["TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"] = 0x00B3,
["TLS_DHE_PSK_WITH_NULL_SHA256"] = 0x00B4,
["TLS_DHE_PSK_WITH_NULL_SHA384"] = 0x00B5,
["TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"] = 0x00B6,
["TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"] = 0x00B7,
["TLS_RSA_PSK_WITH_NULL_SHA256"] = 0x00B8,
["TLS_RSA_PSK_WITH_NULL_SHA384"] = 0x00B9,
["TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BA,
["TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BB,
["TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BC,
["TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BD,
["TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BE,
["TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256"] = 0x00BF,
["TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C0,
["TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C1,
["TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C2,
["TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C3,
["TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C4,
["TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"] = 0x00C5,
["TLS_ECDH_ECDSA_WITH_NULL_SHA"] = 0xC001,
["TLS_ECDH_ECDSA_WITH_RC4_128_SHA"] = 0xC002,
["TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"] = 0xC003,
["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"] = 0xC004,
["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"] = 0xC005,
["TLS_ECDHE_ECDSA_WITH_NULL_SHA"] = 0xC006,
["TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"] = 0xC007,
["TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"] = 0xC008,
["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"] = 0xC009,
["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"] = 0xC00A,
["TLS_ECDH_RSA_WITH_NULL_SHA"] = 0xC00B,
["TLS_ECDH_RSA_WITH_RC4_128_SHA"] = 0xC00C,
["TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC00D,
["TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"] = 0xC00E,
["TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"] = 0xC00F,
["TLS_ECDHE_RSA_WITH_NULL_SHA"] = 0xC010,
["TLS_ECDHE_RSA_WITH_RC4_128_SHA"] = 0xC011,
["TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC012,
["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"] = 0xC013,
["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"] = 0xC014,
["TLS_ECDH_anon_WITH_NULL_SHA"] = 0xC015,
["TLS_ECDH_anon_WITH_RC4_128_SHA"] = 0xC016,
["TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"] = 0xC017,
["TLS_ECDH_anon_WITH_AES_128_CBC_SHA"] = 0xC018,
["TLS_ECDH_anon_WITH_AES_256_CBC_SHA"] = 0xC019,
["TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"] = 0xC01A,
["TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"] = 0xC01B,
["TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"] = 0xC01C,
["TLS_SRP_SHA_WITH_AES_128_CBC_SHA"] = 0xC01D,
["TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"] = 0xC01E,
["TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"] = 0xC01F,
["TLS_SRP_SHA_WITH_AES_256_CBC_SHA"] = 0xC020,
["TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"] = 0xC021,
["TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"] = 0xC022,
["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"] = 0xC023,
["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"] = 0xC024,
["TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"] = 0xC025,
["TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"] = 0xC026,
["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"] = 0xC027,
["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"] = 0xC028,
["TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"] = 0xC029,
["TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"] = 0xC02A,
["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] = 0xC02B,
["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"] = 0xC02C,
["TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"] = 0xC02D,
["TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"] = 0xC02E,
["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] = 0xC02F,
["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] = 0xC030,
["TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"] = 0xC031,
["TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"] = 0xC032,
["TLS_ECDHE_PSK_WITH_RC4_128_SHA"] = 0xC033,
["TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"] = 0xC034,
["TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"] = 0xC035,
["TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"] = 0xC036,
["TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"] = 0xC037,
["TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"] = 0xC038,
["TLS_ECDHE_PSK_WITH_NULL_SHA"] = 0xC039,
["TLS_ECDHE_PSK_WITH_NULL_SHA256"] = 0xC03A,
["TLS_ECDHE_PSK_WITH_NULL_SHA384"] = 0xC03B,
["TLS_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC03C,
["TLS_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC03D,
["TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256"] = 0xC03E,
["TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384"] = 0xC03F,
["TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC040,
["TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC041,
["TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256"] = 0xC042,
["TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384"] = 0xC043,
["TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC044,
["TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC045,
["TLS_DH_anon_WITH_ARIA_128_CBC_SHA256"] = 0xC046,
["TLS_DH_anon_WITH_ARIA_256_CBC_SHA384"] = 0xC047,
["TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256"] = 0xC048,
["TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384"] = 0xC049,
["TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04A,
["TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04B,
["TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04C,
["TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04D,
["TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256"] = 0xC04E,
["TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384"] = 0xC04F,
["TLS_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC050,
["TLS_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC051,
["TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC052,
["TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC053,
["TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC054,
["TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC055,
["TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256"] = 0xC056,
["TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384"] = 0xC057,
["TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256"] = 0xC058,
["TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384"] = 0xC059,
["TLS_DH_anon_WITH_ARIA_128_GCM_SHA256"] = 0xC05A,
["TLS_DH_anon_WITH_ARIA_256_GCM_SHA384"] = 0xC05B,
["TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"] = 0xC05C,
["TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384"] = 0xC05D,
["TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256"] = 0xC05E,
["TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384"] = 0xC05F,
["TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC060,
["TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC061,
["TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256"] = 0xC062,
["TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384"] = 0xC063,
["TLS_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC064,
["TLS_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC065,
["TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC066,
["TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC067,
["TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC068,
["TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC069,
["TLS_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06A,
["TLS_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06B,
["TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06C,
["TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06D,
["TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256"] = 0xC06E,
["TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384"] = 0xC06F,
["TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256"] = 0xC070,
["TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384"] = 0xC071,
["TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC072,
["TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC073,
["TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC074,
["TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC075,
["TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC076,
["TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC077,
["TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC078,
["TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC079,
["TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07A,
["TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07B,
["TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07C,
["TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07D,
["TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC07E,
["TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC07F,
["TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC080,
["TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC081,
["TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC082,
["TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC083,
["TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC084,
["TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC085,
["TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC086,
["TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC087,
["TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC088,
["TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC089,
["TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08A,
["TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08B,
["TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08C,
["TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08D,
["TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC08E,
["TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC08F,
["TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC090,
["TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC091,
["TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256"] = 0xC092,
["TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384"] = 0xC093,
["TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC094,
["TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC095,
["TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC096,
["TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC097,
["TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC098,
["TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC099,
["TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"] = 0xC09A,
["TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"] = 0xC09B,
["TLS_RSA_WITH_AES_128_CCM"] = 0xC09C,
["TLS_RSA_WITH_AES_256_CCM"] = 0xC09D,
["TLS_DHE_RSA_WITH_AES_128_CCM"] = 0xC09E,
["TLS_DHE_RSA_WITH_AES_256_CCM"] = 0xC09F,
["TLS_RSA_WITH_AES_128_CCM_8"] = 0xC0A0,
["TLS_RSA_WITH_AES_256_CCM_8"] = 0xC0A1,
["TLS_DHE_RSA_WITH_AES_128_CCM_8"] = 0xC0A2,
["TLS_DHE_RSA_WITH_AES_256_CCM_8"] = 0xC0A3,
["TLS_PSK_WITH_AES_128_CCM"] = 0xC0A4,
["TLS_PSK_WITH_AES_256_CCM"] = 0xC0A5,
["TLS_DHE_PSK_WITH_AES_128_CCM"] = 0xC0A6,
["TLS_DHE_PSK_WITH_AES_256_CCM"] = 0xC0A7,
["TLS_PSK_WITH_AES_128_CCM_8"] = 0xC0A8,
["TLS_PSK_WITH_AES_256_CCM_8"] = 0xC0A9,
["TLS_PSK_DHE_WITH_AES_128_CCM_8"] = 0xC0AA,
["TLS_PSK_DHE_WITH_AES_256_CCM_8"] = 0xC0AB,
["TLS_ECDHE_ECDSA_WITH_AES_128_CCM"] = 0xC0AC,
["TLS_ECDHE_ECDSA_WITH_AES_256_CCM"] = 0xC0AD,
["TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"] = 0xC0AE,
["TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"] = 0xC0AF,
["TLS_ECCPWD_WITH_AES_128_GCM_SHA256"] = 0xC0B0, -- RFC8492
["TLS_ECCPWD_WITH_AES_256_GCM_SHA384"] = 0xC0B1, -- RFC8492
["TLS_ECCPWD_WITH_AES_128_CCM_SHA256"] = 0xC0B2, -- RFC8492
["TLS_ECCPWD_WITH_AES_256_CCM_SHA384"] = 0xC0B3, -- RFC8492
["TLS_AKE_WITH_NULL_SHA256"] = 0xC0B4, -- RFC9150
["TLS_AKE_WITH_NULL_SHA384"] = 0xC0B5, -- RFC9150
["TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC"] = 0xC100, -- RFC9189
["TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC"] = 0xC101, -- RFC9189
["TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"] = 0xC102, -- RFC9189
["TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L"] = 0xC103, -- draft-smyshlyaev-tls13-gost-suites
["TLS_GOSTR341112_256_WITH_MAGMA_MGM_L"] = 0xC104, -- draft-smyshlyaev-tls13-gost-suites
["TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S"] = 0xC105, -- draft-smyshlyaev-tls13-gost-suites
["TLS_GOSTR341112_256_WITH_MAGMA_MGM_S"] = 0xC106, -- draft-smyshlyaev-tls13-gost-suites
["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256-draft"] = 0xCC13, -- RFC7905 superseded
["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft"] = 0xCC14, -- RFC7905 superseded
["TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256-draft"] = 0xCC15, -- RFC7905 superseded
["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCA8,
["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCA9,
["TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAA,
["TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAB,
["TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAC,
["TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAD,
["TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256"] = 0xCCAE,
["TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256"] = 0xD001, -- RFC 8442
["TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384"] = 0xD002, -- RFC 8442
["TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256"] = 0xD003, -- RFC 8442
["TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256"] = 0xD005, -- RFC 8442
["SSL_RSA_FIPS_WITH_DES_CBC_SHA"] = 0xFEFE,
["SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"] = 0xFEFF,
-- TLSv1.3:
-- "Although TLS 1.3 uses the same cipher suite space as previous versions of
-- TLS, TLS 1.3 cipher suites are defined differently, only specifying the
-- symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and
-- lower cipher suites cannot be used with TLS 1.3."
-- We designate these as AKE (Authenticated Key Exchange) ciphersuites, in
-- order to simplify use of the cipher_info function.
TLS_AKE_WITH_AES_128_GCM_SHA256 = 0x1301,
TLS_AKE_WITH_AES_256_GCM_SHA384 = 0x1302,
TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 = 0x1303,
TLS_AKE_WITH_AES_128_CCM_SHA256 = 0x1304,
TLS_AKE_WITH_AES_128_CCM_8_SHA256 = 0x1305,
TLS_AKE_WITH_SM4_GCM_SM3 = 0x00C6, -- RFC 8998
TLS_AKE_WITH_SM4_CCM_SM3 = 0x00C7, -- RFC 8998
}
-- Default ciphers sent by tls.client_hello for TLSv1.2 or earlier
DEFAULT_TLS12_CIPHERS = {
"TLS_RSA_WITH_AES_128_CBC_SHA", -- mandatory TLSv1.2
"TLS_RSA_WITH_3DES_EDE_CBC_SHA", -- mandatory TLSv1.1
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", -- mandatory TLSv1.0
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", -- DHE with strong AES
"TLS_RSA_WITH_RC4_128_MD5", -- Weak and old, but likely supported on old stuff
}
-- Same, but for TLSv1.3
DEFAULT_TLS13_CIPHERS = {
"TLS_AKE_WITH_AES_128_GCM_SHA256", -- mandatory TLSv1.3
"TLS_AKE_WITH_AES_256_GCM_SHA384", -- stronger TLSv1.3
"TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", -- alternate TLSv1.3
}
-- Same, but for handshakes compatible with any TLS version
local DEFAULT_CIPHERS = {
table.unpack(DEFAULT_TLS13_CIPHERS)
}
for _, c in ipairs(DEFAULT_TLS12_CIPHERS) do
insert(DEFAULT_CIPHERS, c)
end
local function find_key(t, value)
local found, v = tableaux.contains(t, value)
return v
end
-- Keep this local to enforce use of the cipher_info function
local cipher_info_cache = {
-- pre-populate the special cases that break the parser below
["TLS_ECDH_anon_NULL_WITH_SHA-draft"] = {
kex = "ECDH", dh = true, ec = true,
server_auth = "anon",
cipher = "NULL",
hash = "SHA",
draft = true
},
["TLS_ECMQV_ECDSA_NULL_SHA-draft"] = {
kex = "ECMQV", ec = true,
server_auth = "ECDSA",
cipher = "NULL",
hash = "SHA",
draft = true
},
["TLS_ECMQV_ECNRA_NULL_SHA-draft"] = {
kex = "ECMQV", ec = true,
server_auth = "ECNRA",
cipher = "NULL",
hash = "SHA",
draft = true
},
["TLS_GOSTR341094_WITH_28147_CNT_IMIT-draft"] = {
kex = "GOSTR341094",
server_auth = "GOSTR341094",
cipher = "GOST28147",
hash = "IMIT_GOST28147",
draft = true
},
["TLS_GOSTR341001_WITH_28147_CNT_IMIT-draft"] = {
kex = "GOSTR341001",
server_auth = "GOSTR341001",
cipher = "GOST28147",
hash = "IMIT_GOST28147",
draft = true
},
["TLS_GOSTR341094_WITH_NULL_GOSTR3411-draft"] = {
kex = "GOSTR341094",
server_auth = "GOSTR341094",
cipher = "NULL",
hash = "HMAC_GOSTR3411",
draft = true
},
["TLS_GOSTR341001_WITH_NULL_GOSTR3411-draft"] = {
kex = "GOSTR341001",
server_auth = "GOSTR341001",
cipher = "NULL",
hash = "HMAC_GOSTR3411",
draft = true
},
}
-- A couple helpers for server_key_exchange parsing
local function unpack_dhparams (blob, pos)
local p, g, y
p, g, y, pos = unpack(">s2s2s2", blob, pos)
return pos, {p=p, g=g, y=y}, #p * 8
end
local function named_group_info (group)
if group:match("^arbitrary") then
return "ec"
end
local ktype, size = group:match("^(%D+)(%d+)")
assert(ktype and size, ("Invalid named group: %s"):format(group))
size = tonumber(size)
if ktype == "ffdhe" then
ktype = "dh"
else
if group == "ecdh_x25519" or group == "curveSM2" then
size = 256
end
ktype = "ec"
end
return ktype, size
end
local function unpack_ecdhparams (blob, pos)
local eccurvetype
eccurvetype, pos = unpack("B", blob, pos)
local ret = {}
local strength
if eccurvetype == 1 then
local p, a, b, base, order, cofactor
p, a, b, base, order, cofactor, pos = unpack("s1s1s1s1s1s1", blob, pos)
strength = math.log(order, 2)
ret.curve_params = {
ec_curve_type = "explicit_prime",
prime_p=p, curve={a=a, b=b}, base=base, order=order, cofactor=cofactor
}
elseif eccurvetype == 2 then
local p = {}
local m, basis
m, basis, pos = unpack(">I2B", blob, pos)
if basis == 1 then -- ec_trinomial
p.k, pos = unpack("s1", blob, pos)
elseif basis == 2 then -- ec_pentanomial
p.k1, p.k2, p.k3, pos = unpack("s1s1s1", blob, pos)
end
local a, b, base, order, cofactor
a, b, base, order, cofactor, pos = unpack("s1s1s1s1s1", blob, pos)
strength = math.log(order, 2)
ret.curve_params = {
ec_curve_type = "explicit_char2",
m=m, basis=basis, field=p, curve={a=a, b=b}, base=base, order=order, cofactor=cofactor
}
elseif eccurvetype == 3 then
local curve
curve, pos = unpack(">I2", blob, pos)
ret.curve_params = {
ec_curve_type = "namedcurve",
curve = find_key(ELLIPTIC_CURVES, curve)
}
local _
_, strength = named_group_info(ret.curve_params.curve)
end
ret.public, pos = unpack("s1", blob, pos)
return pos, ret, strength
end
local function unpack_signed (blob, pos, protocol)
if pos > #blob then -- not-signed
return pos, nil
end
local hash_alg, sig_alg, sig
-- TLSv1.2 changed to allow arbitrary hash and sig algorithms
if protocol and PROTOCOLS[protocol] >= 0x0303 then
hash_alg, sig_alg, sig, pos = unpack(">BBs2", blob, pos)
else
sig, pos = unpack(">s2", blob, pos)
end
return pos, {hash_algorithm=hash_alg, signature_algorithm=sig_alg, signature=sig}
end
--- Get the strength-equivalent RSA key size
--
-- Based on NIST SP800-57 part 1 rev 3
-- @param ktype Key type ("dh", "ec", "rsa", "dsa")
-- @param bits Size of key in bits
-- @return Size in bits of RSA key with equivalent strength
function rsa_equiv (ktype, bits)
if ktype == "rsa" or ktype == "dsa" or ktype == "dh" then
return bits
elseif ktype == "ec" then
if bits < 160 then
return 512 -- Possibly down to 0, but details not published
elseif bits < 224 then
return 1024
elseif bits < 256 then
return 2048
elseif bits < 384 then
return 3072
elseif bits < 512 then
return 7680
else -- 512+
return 15360
end
end
return nil
end
KEX_ALGORITHMS = {}
-- RFC 5246
KEX_ALGORITHMS.NULL = { anon = true }
KEX_ALGORITHMS.DH_anon = {
anon = true,
type = "dh",
server_key_exchange = function (blob, protocol)
local pos
local ret = {}
pos, ret.dhparams, ret.strength = unpack_dhparams(blob)
return ret
end
}
KEX_ALGORITHMS.DH_anon_EXPORT = {
anon=true,
export=true,
type = "dh",
server_key_exchange = KEX_ALGORITHMS.DH_anon.server_key_exchange
}
KEX_ALGORITHMS.ECDH_anon = {
anon=true,
type = "ec",
server_key_exchange = function (blob, protocol)
local pos
local ret = {}
pos, ret.ecdhparams, ret.strength = unpack_ecdhparams(blob)
return ret
end
}
KEX_ALGORITHMS.ECDH_anon_EXPORT = {
anon=true,
export=true,
type = "ec",
server_key_exchange = KEX_ALGORITHMS.ECDH_anon.server_key_exchange
}
KEX_ALGORITHMS.RSA = {
pubkey="rsa",
}
-- http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
KEX_ALGORITHMS.RSA_FIPS = KEX_ALGORITHMS.RSA
KEX_ALGORITHMS.RSA_EXPORT = {
export=true,
pubkey="rsa",
type = "rsa",
server_key_exchange = function (blob, protocol)
local pos
local ret = {rsa={}}
ret.rsa.modulus, ret.rsa.exponent, pos = unpack(">s2s2", blob)
pos, ret.signed = unpack_signed(blob, pos, protocol)
ret.strength = #ret.rsa.modulus
return ret
end
}
KEX_ALGORITHMS.RSA_EXPORT1024 = KEX_ALGORITHMS.RSA_EXPORT
KEX_ALGORITHMS.DHE_RSA={
pubkey="rsa",
type = "dh",
pfs = true,
server_key_exchange = function (blob, protocol)
local pos
local ret = {}
pos, ret.dhparams, ret.strength = unpack_dhparams(blob)
pos, ret.signed = unpack_signed(blob, pos, protocol)
return ret
end
}
KEX_ALGORITHMS.DHE_RSA_EXPORT={
export=true,
pubkey="rsa",
type = "dh",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange
}
KEX_ALGORITHMS.DHE_DSS={
pubkey="dsa",
type = "dh",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange
}
KEX_ALGORITHMS.DHE_DSS_EXPORT={
export=true,
pubkey="dsa",
type = "dh",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.DHE_RSA.server_key_exchange
}
KEX_ALGORITHMS.DHE_DSS_EXPORT1024 = KEX_ALGORITHMS.DHE_DSS_EXPORT1024
KEX_ALGORITHMS.DH_DSS={
pubkey="dh",
}
KEX_ALGORITHMS.DH_DSS_EXPORT={
export=true,
pubkey="dh",
}
KEX_ALGORITHMS.DH_RSA={
pubkey="dh",
}
KEX_ALGORITHMS.DH_RSA_EXPORT={
export=true,
pubkey="dh",
}
KEX_ALGORITHMS.ECDHE_RSA={
pubkey="rsa",
type = "ec",
pfs = true,
server_key_exchange = function (blob, protocol)
local pos
local ret = {}
pos, ret.ecdhparams, ret.strength = unpack_ecdhparams(blob)
pos, ret.signed = unpack_signed(blob, pos, protocol)
return ret
end
}
KEX_ALGORITHMS.ECDHE_ECDSA={
pubkey="ec",
type = "ec",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.ECDHE_RSA.server_key_exchange
}
KEX_ALGORITHMS.ECDH_ECDSA={
pubkey="ec",
}
KEX_ALGORITHMS.ECDH_RSA={
pubkey="ec",
}
-- draft-ietf-tls-ecc-00
KEX_ALGORITHMS.ECDH_ECNRA={
pubkey="ec",
}
KEX_ALGORITHMS.ECMQV_ECDSA={
pubkey="ec",
type = "ecmqv",
server_key_exchange = function (blob, protocol)
local pos
local ret = {}
ret.mqvparams, pos = unpack("s1", blob)
return ret
end
}
KEX_ALGORITHMS.ECMQV_ECNRA={
pubkey="ec",
}
-- rfc4279
KEX_ALGORITHMS.PSK = {
type = "psk",
server_key_exchange = function (blob, protocol)
local hint, pos = unpack(">s2", blob)
return {psk_identity_hint=hint}
end
}
KEX_ALGORITHMS.RSA_PSK = {
pubkey="rsa",
type = "psk",
server_key_exchange = KEX_ALGORITHMS.PSK.server_key_exchange
}
KEX_ALGORITHMS.DHE_PSK = {
type = "dh",
pfs = true,
server_key_exchange = function (blob, protocol)
local pos
local ret = {}
ret.psk_identity_hint, pos = unpack(">s2", blob)
pos, ret.dhparams, ret.strength = unpack_dhparams(blob, pos)
return ret
end
}
--nomenclature change
KEX_ALGORITHMS.PSK_DHE = KEX_ALGORITHMS.DHE_PSK
--rfc5489
KEX_ALGORITHMS.ECDHE_PSK={
type = "ec",
pfs = true,
server_key_exchange = function (blob, protocol)
local pos
local ret = {}
ret.psk_identity_hint, pos = unpack(">s2", blob)
pos, ret.ecdhparams, ret.strength = unpack_ecdhparams(blob, pos)
return ret
end
}
-- RFC 5054
KEX_ALGORITHMS.SRP_SHA = {
type = "srp",
pfs = true,
server_key_exchange = function (blob, protocol)
local pos
local ret = {srp={}}
ret.srp.N, ret.srp.g, ret.srp.s, ret.srp.B, pos = unpack(">s2s2s1s2", blob)
pos, ret.signed = unpack_signed(blob, pos, protocol)
ret.strength = #ret.srp.N
return ret
end
}
KEX_ALGORITHMS.SRP_SHA_DSS = {
pubkey="dsa",
type = "srp",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.SRP_SHA.server_key_exchange
}
KEX_ALGORITHMS.SRP_SHA_RSA = {
pubkey="rsa",
type = "srp",
pfs = true,
server_key_exchange = KEX_ALGORITHMS.SRP_SHA.server_key_exchange
}
-- RFC 6101
KEX_ALGORITHMS.FORTEZZA_KEA={}
-- RFC 4491
KEX_ALGORITHMS.GOSTR341001={}
KEX_ALGORITHMS.GOSTR341094={}
-- RFC 2712
KEX_ALGORITHMS.KRB5={}
KEX_ALGORITHMS.KRB5_EXPORT={
export=true,
}
-- TLSv1.3
KEX_ALGORITHMS.AKE = {
tls13ok=true,
tls13only=true,
pfs=true,
-- TLSv1.3 swaps the ServerKeyExchange message for the key_share extension.
-- We'll just pretend that's what this is:
server_key_exchange = function (blob, protocol)
local named_group, pos = unpack(">I2", blob)
stdnse.debug1("named_group = %d", named_group)
named_group = find_key(ELLIPTIC_CURVES, named_group)
local gtype, strength = named_group_info(named_group)
return {
type = gtype,
strength = strength,
ecdhparams={ -- Not always ECC, but reusing structure simplifies things
curve_params={
ec_curve_type = "namedcurve",
curve = named_group,
}
}
}
end,
}
-- RFC 8492
KEX_ALGORITHMS.ECCPWD = {
tls13ok=true,
tls13only=false,
}
local algorithms = {
["3DES"] = {s=112, b=64}, --NIST SP 800-57
CHACHA20 = {s=256, b=128},
IDEA = {s=128, b=64},
SEED = {s=128, b=128},
FORTEZZA = {s=80, b=64},
DES = {s=56, b=64},
RC2 = {s=40, b=64},
DES40 = {s=40, b=64},
NULL = {s=0},
CAMELLIA = {b=128},
ARIA = {b=128},
AES = {b=128},
SM4 = {s=128, b=128},
}
--- Get info about a cipher suite
--
-- Returned table has "kex", "cipher", "mode", "size", and
-- "hash" keys, as well as boolean flag "draft". The "draft"
-- flag is only supported for some suites that have different enumeration
-- values in draft versus final RFC.
-- @param c The cipher suite name, e.g. TLS_RSA_WITH_AES_128_GCM_SHA256
-- @return A table of info as described above.
function cipher_info (c)
local info = cipher_info_cache[c]
if info then return info end
local tokens = stringaux.strsplit("_", c)
local i = 1
if tokens[i] ~= "TLS" and tokens[i] ~= "SSL" then
stdnse.debug2("cipher_info: Not a TLS ciphersuite: %s", c)
return nil
end
-- kex, cipher, size, mode, hash
i = i + 1
while tokens[i] and tokens[i] ~= "WITH" do
i = i + 1
end
local kex = concat(tokens, "_", 2, i-1)
info = KEX_ALGORITHMS[kex]
if info then
info = tableaux.tcopy(info)
info.kex = kex
else
info = {kex = kex}
end
if tokens[i] and tokens[i] ~= "WITH" then
stdnse.debug2("cipher_info: Can't parse (no WITH): %s", c)
return nil
end
-- cipher
i = i + 1
local t = tokens[i]
info.cipher = t
if t == "3DES" then
i = i + 1 -- 3DES_EDE
end
-- key size
local tmp = algorithms[t]
if tmp then
info.size = tmp.s
info.block_size = tmp.b
end
if info.size == nil then
i = i + 1
info.size = tonumber(tokens[i])
end
-- stream ciphers don't have a mode
if info.cipher == "RC4" then
info.mode = "stream"
elseif info.cipher == "CHACHA20" then
i = i + 1
info.cipher = "CHACHA20-POLY1305"
info.mode = "stream"
elseif info.cipher ~= "NULL" then
i = i + 1
info.mode = tokens[i]
end
-- export key size override
if info.export and tonumber(tokens[i+1]) then
i = i + 1
info.size = tonumber(tokens[i])
end
-- Other key size overrides
if info.cipher == "RC4" then -- RFC 7465 prohibits RC4 in TLS
info.size = math.min(info.size or 80, 80) -- Equivalently caps to C grade?
end
-- hash
if info.mode == "CCM" then
info.hash = "SHA256"
end
i = i + 1
if i <= #tokens then
if tokens[i] == "8" and info.mode == "CCM" then
info.mode = "CCM_8"
i = i + 1
elseif info.export and (tokens[i]):match("^%d+$") then
info.size = tonumber(tokens[i])
i = i + 1
end
if i <= #tokens then
local t, w = (tokens[i]):match("(.+)%-([a-z]+)")
if t then
if w == "draft" then
info.draft = true
end
-- else "or"
else
t = tokens[i]
end
info.hash = t
end
end
cipher_info_cache[c] = info
return info
end
SCSVS = {
["TLS_EMPTY_RENEGOTIATION_INFO_SCSV"] = 0x00FF, -- rfc5746
["TLS_FALLBACK_SCSV"] = 0x5600, -- draft-ietf-tls-downgrade-scsv-00
}
handshake_parse = {
server_hello = function (buffer, j, msg_end, protocol)
local b = {}
-- Parse body.
b.protocol, b.time, b.random, b.session_id, j = unpack(">I2 I4 c28 s1", buffer, j)
b.cipher, b.compressor, j = unpack(">I2 B", buffer, j)
-- Optional extensions for TLS only
if j < msg_end and protocol ~= "SSLv3" then
local num_exts
b["extensions"] = {}
num_exts, j = unpack(">I2", buffer, j)
for e = 0, num_exts do
if j >= msg_end then break end
local extcode, datalen
extcode, j = unpack(">I2", buffer, j)
extcode = find_key(EXTENSIONS, extcode) or extcode
b["extensions"][extcode], j = unpack(">s2", buffer, j)
end
end
-- Convert to human-readable form.
b["protocol"] = find_key(PROTOCOLS, b["protocol"])
b["cipher"] = find_key(CIPHERS, b["cipher"])
b["compressor"] = find_key(COMPRESSORS, b["compressor"])
-- RFC 8446: HelloRetryRequest message uses the same structure as the
-- ServerHello, but with Random set to the special value of the SHA-256
-- of "HelloRetryRequest"
if b.protocol == "TLSv1.2" -- TLSv1.3 legacy version
and b.random == "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C"
then
b.helloretry = true
end
-- RFC 8446: "the legacy_version field MUST be set to 0x0303,
-- which is the version number for TLS 1.2"
if (b.protocol == "TLSv1.2" and b.extensions
and b.extensions.supported_versions == "\x03\x04") then
b.protocol = "TLSv1.3"
end
return b, j
end,
certificate = function (buffer, j, msg_end, protocol)
local cert_end
cert_end, j = unpack(">I3", buffer, j)
cert_end = cert_end + j
if cert_end > msg_end then
stdnse.debug2("server_certificate length > handshake body length!")
end
local b = {certificates = {}}
while j < cert_end do
local cert_len = unpack(">I3", buffer, j)
if cert_len + 3 + j > cert_end then
stdnse.debug1("server_certificate parsing error!")
j = cert_end
break
end
local cert
cert, j = unpack(">s3", buffer, j)
-- parse these with sslcert.parse_ssl_certificate
insert(b["certificates"], cert)
end
return b, j
end,
NewSessionTicket = function (buffer, j, msg_end, protocol)
-- Need 4 bytes for parsing.
local have = #buffer - j + 1
if have < 4 then
return nil, j, 4
end
local b = {}
-- Parse body.
b.ticket_lifetime_hint, b.ticket, j = unpack(">I4 s2", buffer, j)
return b, j
end,
}
message_parse = {
alert = function (buffer, j)
local b = {}
-- Parse body.
b.level, b.description, j = unpack("BB", buffer, j)
-- Convert to human-readable form.
b["level"] = find_key(TLS_ALERT_LEVELS, b["level"])
b["description"] = find_key(TLS_ALERT_REGISTRY, b["description"])
return b, j
end,
handshake = function (buffer, j, protocol)
-- Check for message fragmentation.
-- Need 4 bytes for message header with length
local have = #buffer - j + 1
if have < 4 then
return nil, j, 4
end
-- Parse body.
local btype, len
btype, len, j = unpack("B>I3", buffer, j)
local msg_end = len + j
-- Convert to human-readable form.
btype = find_key(TLS_HANDSHAKETYPE_REGISTRY, btype)
-- Check for message fragmentation.
-- Need 4 bytes for header plus length of message
if have < len + 4 then
return nil, j - 4, len + 4
end
local parser = handshake_parse[btype]
local b
if parser then
b, j = parser(buffer, j, msg_end, protocol)
b.type = btype
else
-- TODO: implement other handshake message types
b = { type = btype }
stdnse.debug2("Unknown handshake message type: %s", b["type"])
b.data, j = unpack("c" .. msg_end - j, buffer, j)
end
return b, j
end,
heartbeat = function (buffer, j)
local b = {}
b.type, b.payload, j = unpack(">B s2", buffer, j)
-- Heartbeat messages are one per record; consume the rest of the record as padding.
b.padding = buffer:sub(j)
return b, #buffer + 1
end,
}
--- Parse a series of TLS messages from a buffer
--@param mbuffer The buffer to parse
--@param mi The index into that buffer to begin parsing
--@param h The TLS/DTLS header. Must contain "type" and "protocol" fields
--@return A table of parsed messages
--@return The position where parsing stopped
function parse_messages (mbuffer, mi, h)
local messages = {}
while mi < #mbuffer do
-- RFC 2246, 6.2.1 "multiple client messages of the same ContentType may
-- be coalesced into a single TLSPlaintext record"
local parser = message_parse[h.type]
if not parser then
stdnse.debug1("Unknown message type: %s", h["type"])
break
end
local b, need
b, mi, need = parser(mbuffer, mi, h.protocol)
if b then
messages[#messages+1] = b
elseif need then
-- Can't finish parsing this message, it'll be left in the fragment
break
end
end
return messages, mi
end
---
-- Read a SSL/TLS record
-- @param buffer The read buffer
-- @param i The position in the buffer to start reading (default: 1)
-- @param fragment Message fragment left over from previous record (nil if none)
-- @return The current position in the buffer
-- @return The record that was read, as a table
-- @return Whether parsing can continue if more data becomes available.
function record_read(buffer, i, fragment)
i = i or 1
-- Ensure we have enough data for the header.
if #buffer - i < TLS_RECORD_HEADER_LENGTH then
return i, nil, true
end
-- Parse header.
local h = {}
local typ, proto, rlength, j = unpack(">B I2 I2", buffer, i)
h.length = rlength
local name = find_key(TLS_CONTENTTYPE_REGISTRY, typ)
if name == nil then
stdnse.debug1("Unknown TLS ContentType: %d", typ)
return j, nil, false
end
h["type"] = name
name = find_key(PROTOCOLS, proto)
if name == nil then
stdnse.debug1("Unknown TLS Protocol: 0x%04x", proto)
return j, nil, false
end
h["protocol"] = name
-- Ensure we have enough data for the body.
if #buffer < j + rlength - 1 then
return i, nil, true
end
-- Adjust buffer and length to account for message fragment left over
-- from last record.
local mbuffer
if fragment then
mbuffer = fragment .. buffer:sub(j, j + rlength)
else
mbuffer = buffer:sub(j, j + rlength)
end
-- Body
local mi = 1
h.body, mi = parse_messages(mbuffer, mi, h)
if mi < #mbuffer then
-- Fragmented message
h.fragment = mbuffer:sub(mi)
end
-- Skip to the end of the record. Ignore unparsed bytes.
-- These should be handled as fragmentation above
j = j + rlength
return j, h, true
end
---
-- Get the record version field appropriate for the protocol version
--
-- TLSv1.3 introduced a change in the interpretation of the record version
-- field. Previously, this was an indication of the TLS protocol, but now it is
-- frozen at TLSv1.2.
-- @param proto_version The numeric value of the protocol, e.g. 0x0303 for TLSv1.2
-- @return The numeric value that should be used in the record layer version field
local function legacy_version (proto_version)
-- TLSv1.2 was the last version where protocol version was negotiated via the
-- record layer version. Later versions use the supported_versions extension
return proto_version <= 0x0303 and proto_version or 0x0303
end
function record_version_ok(received_version, proto_version)
if proto_version == "TLSv1.3" then
return received_version == "TLSv1.2"
end
return proto_version == received_version
end
---
-- Build a SSL/TLS record
-- @param type The type of record ("handshake", "change_cipher_spec", etc.)
-- @param protocol The protocol and version ("SSLv3", "TLSv1.0", etc.)
-- @param b The record body
-- @return The SSL/TLS record as a string
function record_write(type, protocol, b)
return concat({
-- Set the header as a handshake.
pack("B", TLS_CONTENTTYPE_REGISTRY[type]),
-- Set the protocol.
pack(">I2", legacy_version(PROTOCOLS[protocol])),
-- Set the length of the header body.
pack(">s2", b)
})
end
-- Claim to support common hash and signature algorithm combinations (TLSv1.2 only)
--
local DEFAULT_SIGALGS
do
local sigalgs = {
-- most likely signature is rsa, so even use it for weak hashes
{"md5","rsa"},
{"sha1","rsa"},
{"sha224","rsa"},
-- most likely are sha256 and sha512.
{"sha256","rsa"},
{"sha256","dsa"},
{"sha256","ecdsa"},
{"sha512","rsa"},
{"sha512","dsa"},
{"sha512","ecdsa"},
{"intrinsic","ed25519"},
{"intrinsic","ed448"},
}
DEFAULT_SIGALGS = EXTENSION_HELPERS["signature_algorithms"](sigalgs)
end
-- Equivalent for TLSv1.3 is SignatureScheme
-- We'll offer all the sha256 and sha512 variants, plus a few extra
local DEFAULT_SIGSCHEMES
do
local sigalgs = {
"rsa_pkcs1_sha256",
"rsa_pkcs1_sha512",
"ecdsa_secp256r1_sha256",
"ecdsa_secp521r1_sha512",
"rsa_pss_rsae_sha256",
"rsa_pss_rsae_sha512",
"ed25519",
"ed448",
"rsa_pss_pss_sha256",
"rsa_pss_pss_sha512",
"rsa_pkcs1_sha1",
"ecdsa_sha1",
}
DEFAULT_SIGSCHEMES = EXTENSION_HELPERS["signature_algorithms_13"](sigalgs)
end
---
-- Build a client_hello message
--
-- The options table has the following keys:
-- * "protocol"
- The TLS protocol version string for the client_hello. This indicates the highest protocol version supported.
-- * "record_protocol"
- The TLS protocol version string for the TLS record. This indicates the lowest protocol version supported.
-- * "ciphers"
- a table containing the cipher suite names. Defaults to the NULL cipher
-- * "compressors"
- a table containing the compressor names. Default: NULL
-- * "extensions"
- a table containing the extension names. Default: no extensions
-- @param t Table of options
-- @return The client_hello record as a string
function client_hello(t)
local b, ciphers, compressor, compressors, h, len
t = t or {}
----------
-- Body --
----------
b = {}
-- Set the protocol.
local protocol = t["protocol"] or HIGHEST_PROTOCOL
insert(b, pack(">I2 I4",
legacy_version(PROTOCOLS[protocol]),
-- Set the random data.
os.time()
))
local record_proto = t.record_protocol
-- Set the random data.
insert(b, rand.random_string(28))
-- Set the session ID.
local sid = t["session_id"] or ""
insert(b, pack(">s1", sid))
local eccpwd = false
local shangmi = false
-- Cipher suites.
ciphers = {}
-- Add specified ciphers.
for _, cipher in pairs(t.ciphers -- user-specified list
or (record_proto == "TLSv1.3" and DEFAULT_TLS13_CIPHERS) -- TLSv1.3 only
or (PROTOCOLS[protocol] < PROTOCOLS["TLSv1.3"] and DEFAULT_TLS12_CIPHERS) -- non-TLSv1.3
or DEFAULT_CIPHERS) -- combined/compatible handshake
do
if type(cipher) == "string" then
if cipher:match("^TLS_ECCPWD_") then
-- RFC 8492 has specific requirements
eccpwd = true
elseif protocol == "TLSv1.3" and cipher:match("_SM3$") then
-- RFC 8998 has specific requirements
shangmi = true
end
cipher = CIPHERS[cipher] or SCSVS[cipher]
end
if type(cipher) == "number" and cipher >= 0 and cipher <= 0xffff then
insert(ciphers, pack(">I2", cipher))
else
stdnse.debug1("Unknown cipher in client_hello: %s", cipher)
end
end
insert(b, pack(">s2", concat(ciphers)))
-- Compression methods.
compressors = {}
if t["compressors"] ~= nil then
-- Add specified compressors.
for _, compressor in pairs(t["compressors"]) do
if compressor ~= "NULL" then
insert(compressors, pack("B", COMPRESSORS[compressor]))
end
end
end
-- Always include NULL as last choice
insert(compressors, pack("B", COMPRESSORS["NULL"]))
insert(b, pack("s1", concat(compressors)))
-- TLS extensions
local proto_ver = PROTOCOLS[protocol]
if proto_ver and protocol ~= "SSLv3" then
local extensions = {}
-- TLSv1.3 requires supported_versions and key_share extensions
-- OpenSSL also appears to want supported_groups in some cases?
local need_supported_versions = (proto_ver >= PROTOCOLS["TLSv1.3"])
local need_key_share = need_supported_versions
local need_elliptic_curves = need_supported_versions
-- Do we need to add the signature_algorithms extension?
local need_sigalg = (proto_ver >= PROTOCOLS["TLSv1.2"])
-- Add specified extensions.
if t.extensions then
for extension, data in pairs(t["extensions"]) do
if type(extension) == "number" then
insert(extensions, pack(">I2", extension))
else
if extension == "signature_algorithms" or extension == "signature_algorithms_13" then
need_sigalg = false
if shangmi then
local sm2sig_sm3 = pack(">I2", SignatureSchemes.sm2sig_sm3)
if not data:match("^..(..)*" .. sm2sig_sm3) then
data = pack(">s2", data:sub(3) .. sm2sig_sm3)
end
end
elseif extension == "supported_versions" then
need_supported_versions = false
elseif extension == "key_share" then
need_key_share = false
elseif extension == "elliptic_curves" then
need_elliptic_curves = false
if shangmi then
-- For now, RFC 8998 is the only one that enforces particular curves
local curveSM2 = pack(">I2", ELLIPTIC_CURVES.curveSM2)
if not data:match("^..(..)*" .. curveSM2) then
data = pack(">s2", data:sub(3) .. curveSM2)
end
end
end
insert(extensions, pack(">I2", EXTENSIONS[extension]))
end
insert(extensions, pack(">s2", data))
end
end
if need_supported_versions then
insert(extensions, pack(">I2", EXTENSIONS["supported_versions"]))
-- We'd prefer TLS 1.2 or 1.1, since we've tested our scripts on those.
insert(extensions, pack(">s2", EXTENSION_HELPERS["supported_versions"]({"TLSv1.2", "TLSv1.1", "TLSv1.3", "SSLv3"})))
end
if need_sigalg then
insert(extensions, pack(">I2", EXTENSIONS["signature_algorithms"]))
local data = proto_ver >= PROTOCOLS["TLSv1.3"] and DEFAULT_SIGSCHEMES or DEFAULT_SIGALGS
if shangmi then
data = pack(">s2", data:sub(3) .. pack(">I2", SignatureSchemes.sm2sig_sm3))
end
insert(extensions, pack(">s2", data))
end
if need_key_share then
-- RFC 8446: Clients MAY send an empty client_shares vector in order to request
-- group selection from the server, at the cost of an additional round trip
insert(extensions, pack(">I2", EXTENSIONS["key_share"]))
insert(extensions, pack(">s2", "\0\0"))
end
if need_elliptic_curves then
local curves = {table.unpack(DEFAULT_ELLIPTIC_CURVES)}
if shangmi then
curves[#curves+1] = "curveSM2"
end
insert(extensions, pack(">I2", EXTENSIONS["elliptic_curves"]))
insert(extensions, pack(">s2", EXTENSION_HELPERS["elliptic_curves"](curves)))
end
-- Extensions are optional
if #extensions ~= 0 then
insert(b, pack(">s2", concat(extensions)))
end
end
------------
-- Header --
------------
b = concat(b)
h = {}
-- Set type to ClientHello.
insert(h, pack("B", TLS_HANDSHAKETYPE_REGISTRY["client_hello"]))
-- Set the length of the body.
insert(h, pack(">s3", b))
-- Record layer version should be SSLv3 (lowest compatible record version)
-- But some implementations (OpenSSL) will not finish a handshake that could
-- be downgraded by a MITM to SSLv3. So we use TLSv1.0 unless the caller
-- explicitly tries to set SSLv3.0 somewhere (t.record_protocol or
-- t.protocol)
if not record_proto then
record_proto = (t.protocol == "SSLv3") and "SSLv3" or "TLSv1.0"
elseif record_proto == "TLSv1.3" then
-- RFC 8446: "MUST be set to 0x0303 for all records generated by a TLS 1.3
-- implementation other than an initial ClientHello (i.e., one not generated
-- after a HelloRetryRequest), where it MAY also be 0x0301 for compatibility
-- purposes.
record_proto = "TLSv1.2"
end
return record_write("handshake", record_proto, concat(h))
end
local function read_atleast(s, n)
local buf = {}
local count = 0
while count < n do
local status, data = s:receive_bytes(n - count)
if not status then
return status, data, concat(buf)
end
buf[#buf+1] = data
count = count + #data
end
return true, concat(buf)
end
--- Get an entire record into a buffer
--
-- Caller is responsible for closing the socket if necessary.
-- @param sock The socket to read additional data from
-- @param buffer The string buffer holding any previously-read data
-- (default: "")
-- @param i The position in the buffer where the record should start
-- (default: 1)
-- @return status Socket status
-- @return Buffer containing at least 1 record if status is true
-- @return Error text if there was an error
function record_buffer(sock, buffer, i)
buffer = buffer or ""
i = i or 1
local count = #buffer:sub(i)
local status, resp, rem
if count < TLS_RECORD_HEADER_LENGTH then
status, resp, rem = read_atleast(sock, TLS_RECORD_HEADER_LENGTH - count)
if not status then
return false, buffer .. rem, resp
end
buffer = buffer .. resp
count = count + #resp
end
-- ContentType, ProtocolVersion, length
local ctype, pversion, len = unpack(">BI2I2", buffer, i)
if not TLS_PROTOCOL_VERSIONS[pversion] or not TLS_CONTENTTYPES[ctype] then
return false, buffer, "Unknown TLS protocol version or content type"
end
if count < TLS_RECORD_HEADER_LENGTH + len then
status, resp = read_atleast(sock, TLS_RECORD_HEADER_LENGTH + len - count)
if not status then
return false, buffer, resp
end
buffer = buffer .. resp
end
return true, buffer
end
-- Get a server_name for use with the TLS Server Name Indication extension.
--
-- This returns the value of the script argument "tls.servername" if given. Otherwise, it
-- returns the target name of the host parameter.
--
-- @param host Host table as received by the action function
-- @return String of the selected host name
function servername(host)
local script_arg = stdnse.get_script_args("tls.servername")
if script_arg then
return script_arg
elseif type(host) == "table" then
return host.targetname
end
end
local unittest = require "unittest"
if not unittest.testing() then
return _ENV
end
test_suite = unittest.TestSuite:new()
for name, code in pairs(CIPHERS) do
test_suite:add_test(unittest.not_nil(cipher_info(name).kex), name .. ".kex")
end
return _ENV;