Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TLS 1.3 cert support in --banner #806

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add TLS 1.3 cert support in --banner #806

wants to merge 3 commits into from

Conversation

gpotter2
Copy link
Contributor

@gpotter2 gpotter2 commented Dec 7, 2024
edited
Loading

This PR adds TLS 1.3 support for --banners and certificate retrieval. For context, this is a bit harder than on TLS 1.2 considering the server certificate is encrypted.

Changes:

  • Support TLS 1.3 certificate retrieval in masscan.
  • Properly detect TLS 1.3 by checking the supported_versions extension instead of the announced tls version (that worked only in TLS 1.3 drafts but don't in the final spec)
  • Add proper testing of everything added with real-life TLS1.3 exchanges.
  • Added a note regarding the various licenses included in massacan. It's worth keeping track of

Some notes regarding the implementation:

  • I tried to stay as close as the "masscan spirit" as I could: dissection can happen byte by byte, the only buffer (if required) being the 16 octets required for an AES block (so that if the incoming bytes don't fall on a round block, it still works).
  • The only supported algorithms combo is X25519 with AES256-GCM. The reason for chosing X25519 over other ones is that it's mandatory per RFC8446, but also because it's the only one supported by OpenSSL before version 3.0, so it should increase compatibility.
  • I understand that masscan tries to be dependency-less. This therefore brings several open (and that looked trustworthy enough) crypto-related implementations for the various parts of the exchange. I chose those mostly to be license-compatible with masscan.
    • AES 256 (with a single addition: a function to increase the CTR counter)
    • X25519
    • RFC6234 standard implementation of TLS 1.3 HKDF mechanisms
  • I chose performance over anything else: the crypto implementation is fundamentally unsafe
    • Everything in the TLS 1.3 exchange that could be hardcoded was hardcoded. The server-chosen part during the diffie-hellman key exchange is therefore always the same, so beware that exchanges aren't actually private
    • In the AES-256 GCM implementation, we discard the authentication tag for performance. This means integrity isn't checked

Caveats:

  • I have only one concern over the current implementation: TLS 1.3 requires a few fields, most notably the negotiated master keys, to be added to the StreamState. I haven't really checked what impact this would have on the memory footprint, but it could be a bit important. It's possible to work around this by malloc()'ing a separate TLS state only when required, but I was a bit scared to add some complexity regarding memory management. It's still an option if deemed appropriate

Note that this PR would allow to support sending probes over TLS with minimal effort. I think it's best to have this first part merged though before adding more complexity.

gpotter2 and others added 3 commits July 2, 2024 01:16
@gpotter2
Try TLS 1.0-1.2, then try TLS 1.3 (and detect it)
fbbc6dc 
This commit updates the TLS banners so that:
- by default masscan tries to use a banner that supports TLS 1.0 to 1.2 (only)
- if this fails, masscan retries using a banner that supports TLS 1.3

This is the less ressource-intensive way of always retrieving the
certificates in case banners are enabled, as TLS 1.3 certificates
are encrypted, while still adding support for TLS 1.3 when it is
enforced.
@gpotter2
Add TLS 1.3 certificates decryption support
d320eb4 
This commit adds support to retrieve TLS 1.3 certificates (as they are,
unlike TLS 1.2 and below, encrypted). It embeds implementations of
AES256, SHA384 (from rfc6234) and x25519 which are the minimum, most
supported algorithms for TLS 1.3 (ffdhe was only added to openssl in
3.0+). Those implementations are released under compatible licenses.

Also comes with tests.
Properly use the banner_tls_13.parse if the TLS1.3 probe was used
684f650
@gpotter2 gpotter2 changed the title Add TLS 1.3 support Add TLS 1.3 cert support in --banner Dec 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@gpotter2