How to do SSL renegotiation using the scapy-ssl_tls tool?

[mukundamj]

I am having trouble in doing a SSL renegotiation using the renegotiation_info extension of the client hello packet. While doing a SSL renegotiation I also want to be able to change some of the attributes of the client hello packet like cipher suites and elliptic curves. I am not very familiar with the scapy-ssl_tls tool. Can someone help me regarding this?

[alexmgr]

Hi,

For the most part this should work out of the box. Do something like that:

pkt = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, extensions=[TLSExtension() / TLSExtRenegotiationInfo()])
with TLSSocket(socket.socket(), client=True) as s:
    s.connect(("127.0.0.1", 8443))
    s.sendall(pkt)
    r = s.recvall()
    r[TLSServerHello].extensions[0].show()

Will output:

###[ TLS Extension ]###
  type= renegotiation_info
  length= 0x1
###[ TLS Extension Renegotiation Info ]###
     length= 0x0
     data= ''

Just continue the full handshake as examplified in examples/full_rsa_connection_with_application_data.py, but after sending a few bytes of payload, send a new client hello with the verify_data set in the renegotiation_info extension.

Ciphers can be specified at TLSClientHello time, as well as ECs through the use of extensions:

TLSClientHello(cipher_suites=TLSCipherSuite.ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, extensions=[TLSExtension() / TLSExtEllipticCurves(elliptic_curves=TLSEllipticCurve.SECP521R1), TLSExtension() / TLSExtECPointsFormat(ec_point_formats=TLSEcPointFormat.UNCOMPRESSED)]).show2()
###[ TLS Client Hello ]###
  version= TLS_1_0
  gmt_unix_time= 1476220482
  random_bytes= '\x9d\xbc\xd9\x84\xa5\xe9\x1d\x9b7-\xbeN\xc7h+:1\xf1\xe5Y}\xee\x89\xdb\x87KZK'
  session_id_length= 0x0
  session_id= ''
  cipher_suites_length= 0x2
  cipher_suites= ['ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']
  compression_methods_length= 0x1
  compression_methods= ['NULL']
  extensions_length= 0xe
  \extensions\
   |###[ TLS Extension ]###
   |  type= supported_groups
   |  length= 0x4
   |###[ TLS Extension Elliptic Curves ]###
   |     length= 0x2
   |     elliptic_curves= ['secp521r1']
   |###[ TLS Extension ]###
   |  type= ec_point_formats
   |  length= 0x2
   |###[ TLS Extension EC Points Format ]###
   |     length= 0x1
   |     ec_point_formats= ['uncompressed']

Now for the issues ;):

1. verify_data is not exposed in the TLSSessionCtx, meaning that you'll have a hard time getting a hold of it. I'll fix that once TLS Session Context refactoring #73 is merged.
2. All this would be way easier if do_handshake() accepted an extension argument. I'll add that in the same PR

Hope that helps with the general flow.

[mukundamj]

Thanks very much for the response.
I will keep watching for the #73 merger.

[alexmgr]

Hi @mukundamj,

#73 has been merged. I'll have a look into addressing this. You can follow progress on renegotiation branch if interested.

Alex

[alexmgr]

OK, so this is way more complicated then I initially thought. I've got this working until the second symmetric encryption kicks in. So master-secret and symmetrical keys are re-negotiated OK.

For this to work fully, I'd have to split the _process function into a client and a server state machine like construct. I don't have time to do this major work right now, so I'll be putting this on hold.

Sorry, this will have to wait a bit.

If you want to play with the half backed solution, you can checkout the renegotiation branch. It's hacky though.

[mukundamj]

Thanks Alex. I will try if I can figure out something in the renegotiation branch.