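# SPDX-License-Identifier: GPL-2.0-only
# This file is part of Scapy
# See https://scapy.net/ for more information
# Copyright (C) 2007, 2008, 2009 Arnaud Ebalard
#               2015, 2016, 2017 Maxence Tury

"""
Key Exchange algorithms as listed in appendix C of RFC 4346.

XXX No support yet for PSK (also, no static DH, DSS, SRP or KRB).
"""

from scapy.layers.tls.keyexchange import (ServerDHParams,
                                          ServerRSAParams,
                                          ClientDiffieHellmanPublic,
                                          ClientECDiffieHellmanPublic,
                                          _tls_server_ecdh_cls_guess,
                                          EncryptedPreMasterSecret)


# Registry of every concrete KX_* class, keyed by the class name without
# its leading "KX_" (e.g. "DHE_RSA"). Populated by _GenericKXMetaclass.
_tls_kx_algs = {}


class _GenericKXMetaclass(type):
    """
    Metaclass deriving a key exchange class's bookkeeping attributes from
    its name and registering it in ``_tls_kx_algs``.

    Every class except the ``_GenericKX`` base itself is expected to be
    named ``KX_<NAME>`` and receives:

    - ``name``: ``<NAME>``, the class name with the ``KX_`` prefix dropped;
    - ``export``: True when the name ends with ``_EXPORT`` (an export-grade
      variant, kept for parsing legacy traffic);
    - ``anonymous``: True when the name contains ``_anon`` (no server
      authentication at all);
    - ``no_ske``: True when the suite never sends a ServerKeyExchange,
      i.e. it is neither ephemeral (``DHE``/``ECDHE``), nor anonymous,
      nor an export variant (export RSA carries its temporary key in a
      ServerKeyExchange, see ``KX_RSA_EXPORT``).

    We could try to set server_kx_msg and client_kx_msg while parsing
    the class name... :)
    """
    def __new__(cls, kx_name, bases, dct):
        is_concrete = kx_name != "_GenericKX"
        if is_concrete:
            # Assumes the class name starts with "KX_"; the prefix is
            # stripped to obtain both the ``name`` attribute and the
            # registry key.
            dct["name"] = kx_name[3:]
        the_class = super().__new__(cls, kx_name, bases, dct)
        if is_concrete:
            the_class.export = kx_name.endswith("_EXPORT")
            the_class.anonymous = "_anon" in kx_name
            # A ServerKeyExchange is sent by ephemeral, anonymous and
            # export suites; everything else (e.g. plain RSA) has none.
            the_class.no_ske = not ("DHE" in kx_name or
                                    "_anon" in kx_name or
                                    the_class.export)
            _tls_kx_algs[the_class.name] = the_class
        return the_class


class _GenericKX(metaclass=_GenericKXMetaclass):
    """
    Base class for all key exchange algorithms.

    Concrete subclasses define:

    - ``descr``: human-readable description;
    - ``server_kx_msg_cls``: callable ``(self, m) -> cls_or_None`` giving
      the class used for the ServerKeyExchange parameters, or None when
      the suite sends no such message (``m`` is handed to
      ``_tls_server_ecdh_cls_guess`` for ECDH suites; presumably the raw
      message, verify against the caller);
    - ``client_kx_msg_cls``: class used for the ClientKeyExchange payload,
      or None.
    """


class KX_NULL(_GenericKX):
    """Placeholder for the NULL key exchange: no messages on either side."""
    descr = "No key exchange"
    server_kx_msg_cls = lambda _, m: None
    client_kx_msg_cls = None


class KX_SSLv2(_GenericKX):
    """Placeholder so SSLv2 suites can be registered; no KX messages."""
    descr = "SSLv2 dummy key exchange class"
    server_kx_msg_cls = lambda _, m: None
    client_kx_msg_cls = None


class KX_TLS13(_GenericKX):
    """Placeholder for TLS 1.3 suites, whose key exchange is not done
    through ServerKeyExchange/ClientKeyExchange messages."""
    descr = "TLS 1.3 dummy key exchange class"
    server_kx_msg_cls = lambda _, m: None
    client_kx_msg_cls = None


# Standard RSA-authenticated key exchange

class KX_RSA(_GenericKX):
    """RSA key transport: no ServerKeyExchange, the client sends the
    premaster secret encrypted under the server certificate's key."""
    descr = "RSA encryption"
    server_kx_msg_cls = lambda _, m: None
    client_kx_msg_cls = EncryptedPreMasterSecret

# class KX_DH_RSA(_GenericKX):
#     descr = "DH with RSA-based certificates"
#     server_kx_msg_cls = lambda _,m: None
#     client_kx_msg_cls = None


class KX_DHE_RSA(_GenericKX):
    """Ephemeral finite-field DH, server parameters signed with RSA."""
    descr = "Ephemeral DH with RSA signature"
    server_kx_msg_cls = lambda _, m: ServerDHParams
    client_kx_msg_cls = ClientDiffieHellmanPublic

# class KX_ECDH_RSA(_GenericKX):
#     descr = "ECDH RSA key exchange"
#     server_kx_msg_cls = lambda _,m: None
#     client_kx_msg_cls = None


class KX_ECDHE_RSA(_GenericKX):
    """Ephemeral ECDH, server parameters signed with RSA. The SKE class
    depends on the curve type announced in the message, hence the guess."""
    descr = "Ephemeral ECDH with RSA signature"
    server_kx_msg_cls = lambda _, m: _tls_server_ecdh_cls_guess(m)
    client_kx_msg_cls = ClientECDiffieHellmanPublic


class KX_RSA_EXPORT(KX_RSA):
    """Export-grade RSA: unlike plain RSA, a temporary RSA key is sent
    in a ServerKeyExchange (ServerRSAParams)."""
    descr = "RSA encryption, export version"
    server_kx_msg_cls = lambda _, m: ServerRSAParams

# class KX_DH_RSA_EXPORT(KX_DH_RSA):
#     descr = "DH with RSA-based certificates - Export version"


class KX_DHE_RSA_EXPORT(KX_DHE_RSA):
    """Export-grade variant of KX_DHE_RSA; same messages as its parent."""
    descr = "Ephemeral DH with RSA signature, export version"


# Standard ECDSA-authenticated key exchange

# class KX_ECDH_ECDSA(_GenericKX):
#     descr = "ECDH ECDSA key exchange"
#     server_kx_msg_cls = lambda _,m: None
#     client_kx_msg_cls = None

class KX_ECDHE_ECDSA(_GenericKX):
    """Ephemeral ECDH, server parameters signed with ECDSA."""
    descr = "Ephemeral ECDH with ECDSA signature"
    server_kx_msg_cls = lambda _, m: _tls_server_ecdh_cls_guess(m)
    client_kx_msg_cls = ClientECDiffieHellmanPublic


# Classes below are offered without any guarantee.
# They may offer some parsing capabilities,
# but surely won't be able to handle a proper TLS negotiation.
# Uncomment them at your own risk.

# Standard DSS-authenticated key exchange

# class KX_DH_DSS(_GenericKX):
#     descr = "DH with DSS-based certificates"
#     server_kx_msg_cls = lambda _,m: ServerDHParams
#     client_kx_msg_cls = ClientDiffieHellmanPublic

# class KX_DHE_DSS(_GenericKX):
#     descr = "Ephemeral DH with DSS signature"
#     server_kx_msg_cls = lambda _,m: ServerDHParams
#     client_kx_msg_cls = ClientDiffieHellmanPublic

# class KX_DH_DSS_EXPORT(KX_DH_DSS):
#     descr = "DH with DSS-based certificates - Export version"

# class KX_DHE_DSS_EXPORT(KX_DHE_DSS):
#     descr = "Ephemeral DH with DSS signature, export version"


# PSK-based key exchange

# class KX_PSK(_GenericKX):  # RFC 4279
#     descr = "PSK key exchange"
#     server_kx_msg_cls = lambda _,m: ServerPSKParams
#     client_kx_msg_cls = None

# class KX_RSA_PSK(_GenericKX):  # RFC 4279
#     descr = "RSA PSK key exchange"
#     server_kx_msg_cls = lambda _,m: ServerPSKParams
#     client_kx_msg_cls = None

# class KX_DHE_PSK(_GenericKX):  # RFC 4279
#     descr = "Ephemeral DH with PSK key exchange"
#     server_kx_msg_cls = lambda _,m: ServerPSKParams
#     client_kx_msg_cls = ClientDiffieHellmanPublic

# class KX_ECDHE_PSK(_GenericKX):  # RFC 5489
#     descr = "Ephemeral ECDH PSK key exchange"
#     server_kx_msg_cls = lambda _,m: _tls_server_ecdh_cls_guess(m)
#     client_kx_msg_cls = ClientDiffieHellmanPublic


# SRP-based key exchange

#


# Kerberos-based key exchange

# class KX_KRB5(_GenericKX):
#     descr = "Kerberos 5 key exchange"
#     server_kx_msg_cls = lambda _,m: None  # No SKE with kerberos
#     client_kx_msg_cls = None

# class KX_KRB5_EXPORT(KX_KRB5):
#     descr = "Kerberos 5 key exchange - Export version"


# Unauthenticated key exchange (opportunistic encryption)

class KX_DH_anon(_GenericKX):
    """Anonymous finite-field DH: the server parameters are not signed,
    so the peer is not authenticated (``anonymous`` is set by the
    metaclass)."""
    descr = "Anonymous DH, no signatures"
    server_kx_msg_cls = lambda _, m: ServerDHParams
    client_kx_msg_cls = ClientDiffieHellmanPublic


class KX_ECDH_anon(_GenericKX):
    """Anonymous ECDH: unsigned server parameters, peer not authenticated."""
    descr = "ECDH anonymous key exchange"
    server_kx_msg_cls = lambda _, m: _tls_server_ecdh_cls_guess(m)
    client_kx_msg_cls = ClientECDiffieHellmanPublic


class KX_DH_anon_EXPORT(KX_DH_anon):
    """Export-grade variant of KX_DH_anon; same messages as its parent."""
    descr = "Anonymous DH, no signatures - Export version"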