TLS: add support for post-handshake auth (#4295)

secdev · Feb 26, 2024 · 4a86d93 · 4a86d93
1 parent 4067950
commit 4a86d93
Show file tree

Hide file tree

Showing 7 changed files with 416 additions and 192 deletions.
diff --git a/scapy/layers/tls/__init__.py b/scapy/layers/tls/__init__.py
@@ -54,6 +54,8 @@
 
     - Test our TLS client against our TLS server (s_server is unscriptable).
 
+    - Test our TLS client against python's SSL Socket wrapper (for TLS 1.3)
+
 
 TODO list (may it be carved away by good souls):
 
@@ -76,16 +78,11 @@
         - Allow the server to store both one RSA key and one ECDSA key, and
           select the right one to use according to the ClientHello suites.
 
-        - Find a way to shutdown the automatons sockets properly without
-          simultaneously breaking the unit tests.
-
 
     - Miscellaneous:
 
         - Define several Certificate Transparency objects.
 
-        - Add the extended master secret and encrypt-then-mac logic.
-
         - Mostly unused features : DSS, fixed DH, SRP, char2 curves...
 """
 

diff --git a/scapy/layers/tls/automaton.py b/scapy/layers/tls/automaton.py
@@ -211,16 +211,23 @@ def raise_on_packet(self, pkt_cls, state, get_next_msg=True):
         # Maybe we already parsed the expected packet, maybe not.
         if get_next_msg:
             self.get_next_msg()
-        from scapy.layers.tls.handshake import TLSClientHello
         if (not self.buffer_in or
-                (not isinstance(self.buffer_in[0], pkt_cls) and
-                 not (isinstance(self.buffer_in[0], TLSClientHello) and
-                 self.cur_session.advertised_tls_version == 0x0304))):
+                not isinstance(self.buffer_in[0], pkt_cls)):
             return
         self.cur_pkt = self.buffer_in[0]
         self.buffer_in = self.buffer_in[1:]
         raise state()
 
+    def in_handshake(self, pkt_cls):
+        """
+        Return True if the pkt_cls was present during the handshake.
+        This is used to detect whether Certificates were requested, etc.
+        """
+        return any(
+            isinstance(m, pkt_cls)
+            for m in self.cur_session.handshake_messages_parsed
+        )
+
     def add_record(self, is_sslv2=None, is_tls13=None, is_tls12=None):
         """
         Add a new TLS or SSLv2 or TLS 1.3 record to the packets buffered out.