From d343ee37b47776cace5389340bb43e7ac09ed5d1 Mon Sep 17 00:00:00 2001
From: Denis Pronin
Date: Tue, 20 Aug 2024 16:08:42 +0300
Subject: [PATCH 1/2] support signature algorithms embedded in ClientHello message for TLSv1.2
Signed-off-by: Denis Pronin
---
 tlse.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tlse.c b/tlse.c
index c198d9b..f0fc88e 100644
--- a/tlse.c
+++ b/tlse.c
@@ -6151,6 +6151,11 @@ struct TLSPacket *tls_build_hello(struct TLSContext *context, int tls13_downgrad
 #endif
 }
 #endif
+ if ((context->version == TLS_V12) || (context->version == DTLS_V12)) {
+ // signature algorithms
+ extension_len += 28;
+ }
+
 tls_packet_uint16(packet, extension_len);
 if (sni_len) {
@@ -6306,6 +6311,9 @@ struct TLSPacket *tls_build_hello(struct TLSContext *context, int tls13_downgrad
 #endif
 }
 }
+ }
+#endif
+ if ((context->version == TLS_V12) || (context->version == TLS_V13) || (context->version == DTLS_V13)) {
 if (!context->is_server) {
 // signature algorithms
 tls_packet_uint16(packet, 0x0D);
@@ -6324,7 +6332,6 @@ struct TLSPacket *tls_build_hello(struct TLSContext *context, int tls13_downgrad
 tls_packet_uint16(packet, 0x0201);
 }
 }
-#endif
 if ((!packet->broken) && (packet->buf)) {
 int remaining = packet->len - start_len;
From 3659130c770f95dcdd339c55417f4204407f8b79 Mon Sep 17 00:00:00 2001
From: Denis Pronin
Date: Tue, 20 Aug 2024 18:16:50 +0300
Subject: [PATCH 2/2] update ClientHello message with actual supported signature algorithms
Signed-off-by: Denis Pronin
---
 tlse.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/tlse.c b/tlse.c
index f0fc88e..749c044 100644
--- a/tlse.c
+++ b/tlse.c
@@ -888,6 +888,8 @@ typedef enum {
 _md5_sha1 = 255
 } TLSHashAlgorithm;
+#define TLS_HASH_ALGO_NUMBER (sha512 - md5 + 1)
+
 typedef enum {
 anonymous = 0,
 rsa = 1,
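Review bot: The length accounting and the write are guarded by different conditions: `extension_len += 28` in the -6151 hunk is taken for `TLS_V12` or `DTLS_V12`, but the extension itself is emitted in the -6306 hunk only for `TLS_V12`, `TLS_V13` or `DTLS_V13`, and only when `!context->is_server`. A DTLS 1.2 hello would therefore declare 28 extension bytes that are never written, and unless this block already sits inside a client-only branch outside the hunk the same holds for a TLS 1.2 ServerHello; a peer that parses strictly will reject such a message. Both places should test the same predicate, for example by adding `|| (context->version == DTLS_V12)` to the guard in the -6306 hunk and `&& (!context->is_server)` to the one here. How the 1.3 versions account for these bytes is outside the diff and worth re-checking now that the write has moved past the `#endif`.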
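Review bot: `TLS_HASH_ALGO_NUMBER` in the -888 hunk (and `TLS_SIGN_ALGO_NUMBER` in the -895 hunk) turn enum arithmetic into a wire-format length and into the set of algorithms the client offers, and nothing at the definition says so. Any enumerator later inserted between `md5` and `sha512`, or a renumbering, would silently change what the ClientHello advertises. A comment on each macro would make that dependency visible, e.g. `// number of contiguous values md5..sha512; sizes and fills the signature_algorithms extension in tls_build_hello`. Both enums begin outside their hunks, so the contiguity of the values cannot be confirmed from the diff.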
@@ -895,6 +897,8 @@ typedef enum {
 ecdsa = 3
 } TLSSignatureAlgorithm;
+#define TLS_SIGN_ALGO_NUMBER (ecdsa - rsa + 1)
+
 struct _private_OID_chain {
 void *top;
 unsigned char *oid;
@@ -6153,7 +6157,7 @@ struct TLSPacket *tls_build_hello(struct TLSContext *context, int tls13_downgrad
 #endif
 if ((context->version == TLS_V12) || (context->version == DTLS_V12)) {
 // signature algorithms
- extension_len += 28;
+ extension_len += 6 + 2 * TLS_HASH_ALGO_NUMBER * TLS_SIGN_ALGO_NUMBER;
 }
 tls_packet_uint16(packet, extension_len);
@@ -6316,20 +6320,14 @@ struct TLSPacket *tls_build_hello(struct TLSContext *context, int tls13_downgrad
 if ((context->version == TLS_V12) || (context->version == TLS_V13) || (context->version == DTLS_V13)) {
 if (!context->is_server) {
 // signature algorithms
- tls_packet_uint16(packet, 0x0D);
- tls_packet_uint16(packet, 24);
- tls_packet_uint16(packet, 22);
- tls_packet_uint16(packet, 0x0403);
- tls_packet_uint16(packet, 0x0503);
- tls_packet_uint16(packet, 0x0603);
- tls_packet_uint16(packet, 0x0804);
- tls_packet_uint16(packet, 0x0805);
- tls_packet_uint16(packet, 0x0806);
- tls_packet_uint16(packet, 0x0401);
- tls_packet_uint16(packet, 0x0501);
- tls_packet_uint16(packet, 0x0601);
- tls_packet_uint16(packet, 0x0203);
- tls_packet_uint16(packet, 0x0201);
+ tls_packet_uint16(packet, 0x0D); // type
+ tls_packet_uint16(packet, 2 + 2 * TLS_HASH_ALGO_NUMBER * TLS_SIGN_ALGO_NUMBER); // length
+ tls_packet_uint16(packet, 2 * TLS_HASH_ALGO_NUMBER * TLS_SIGN_ALGO_NUMBER); // actual length of the list and items themselves further
+ for (TLSHashAlgorithm hash = md5; !(hash > sha512); ++hash) {
+ for (TLSSignatureAlgorithm sign = rsa; !(sign > ecdsa); ++sign) {
+ tls_packet_uint16(packet, ((uint16_t)(hash) << 8) | (sign & 0xFF));
+ }
+ }
 }
 }
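Review bot: The new size `6 + 2 * TLS_HASH_ALGO_NUMBER * TLS_SIGN_ALGO_NUMBER` in the -6153 hunk is only added under the `TLS_V12`/`DTLS_V12` test, while the rewritten extension in the -6316 hunk is also written for `TLS_V13` and `DTLS_V13`. Whatever accounts for the extension under those versions is outside this diff; if it still assumes the former 28 bytes, the declared extensions length no longer matches the bytes emitted. The same product is also spelled out three times across the two hunks, so a single macro, for example `#define TLS_SIGALGS_LIST_LEN (2 * TLS_HASH_ALGO_NUMBER * TLS_SIGN_ALGO_NUMBER)`, would keep the length header and the body in step.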
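Review bot: The nested loop starting at `hash = md5` in the -6316 hunk advertises every hash/signature pair in the two enum ranges, so the ClientHello now offers MD5-based signatures first in preference order, while the RSA-PSS code points `0x0804`, `0x0805` and `0x0806` sent by the removed lines can no longer be produced (their low byte is above `ecdsa`). The same branch runs for `TLS_V13` and `DTLS_V13`, where RSA certificates are expected to sign with RSA-PSS, so those handshakes would presumably fail, and a TLS 1.2 peer is invited to choose a weak hash (RFC 9155 deprecates MD5 and SHA-1 signature hashes for TLS 1.2). I would keep an explicit, preference-ordered table containing only the schemes the verification code really accepts, and derive both length fields and the `extension_len` term in the -6153 hunk from its size. The fence below starts from the code points of the removed lines; the contents should be trimmed or extended to what is actually supported.

```c
// signature algorithms
// explicit allow-list, most preferred first; the entries are the code points
// the removed lines sent -- trim or extend to what is really verified
static const uint16_t sig_algs[] = {
    0x0403, 0x0503, 0x0603, 0x0804, 0x0805, 0x0806,
    0x0401, 0x0501, 0x0601, 0x0203, 0x0201
};
const unsigned int sig_algs_count = sizeof(sig_algs) / sizeof(sig_algs[0]);

tls_packet_uint16(packet, 0x0D);                    // type
tls_packet_uint16(packet, 2 + 2 * sig_algs_count);  // extension length
tls_packet_uint16(packet, 2 * sig_algs_count);      // list length in bytes
for (unsigned int i = 0; i < sig_algs_count; ++i) {
    tls_packet_uint16(packet, sig_algs[i]);
}
```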