tintinweb / scapy-ssl_tls

SSL/TLS layers for scapy the interactive packet manipulation tool
GNU General Public License v2.0

Handshake protocol "Certificate" is not parsed correctly #112

Closed caiqs-sys closed 7 years ago

caiqs-sys commented 7 years ago

I got a TLSRecord whose show() looks like the following:

###[ TLS Record ]###
  content_type= handshake
  version   = TLS_1_0
  length    = 0xe52
###[ TLS Ciphertext ]###
     data      = '\x0b\x00\x0eN\x00\x0eK\x00\x07[0\x82\x07W0\x82\x06?\xa0\x03\x02\x01\x02\x02\x10\x07XU\xd2\xf1R\x93\x04\xcb\x93\xa0\xb9\xccS\x84b0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x000i1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x150\x13\x06\x03U\x04\n\x13\x0cDigiCert Inc1\x190\x17\x06\x03U\x04\x0b\x13\x10www.digicert.com1(0&\x06\x03U\x04\x03\x13\x1fDigiCert High Assurance EV CA-10\x1e\x17\r151228000000Z\x17\r180327120000Z0\x82\x01\x051\x1d0\x1b\x06\x03U\x04\x0f\x0c\x14Private Organization1\x130\x11\x06\x0b+\x06\x01\x04\x01\x827<\x02\x01\x03\x13\x02US1\x1b0\x19\x06\x0b+\x06\x01\x04\x01\x827<\x02\x01\x02\x13\nCalifornia1\x110\x0f\x06\x03U\x04\x05\x13\x08C25434361\x1e0\x1c\x06\x03U\x04\t\x13\x15650 Castro St Ste 3001\x0e0\x0c\x06\x03U\x04\x11\x13\x05940411\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\nCalifornia1\x160\x14\x06\x03U\x04\x07\x13\rMountain View1\x1b0\x19\x06\x03U\x04\n\x13\x12Mozilla Foundation1\x180\x16\x06\x03U\x04\x03\x13\x0fwww.mozilla.org0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xb8q\xc1\xe0\xd1\x87 \x8d\xbcVn\x16\xad!cd\xdeX3F\xc4\x06\xe5[=\xcc\x1b\xc0\x10\x04\x8at^\xf4\x8c0\xc3\'\xb7\xe7\xdb\xd5\xb3n(\xe5\x84gJH\xe4%\x87\xeb\\q\x1b\xf1\xff7\xe8e\xc1\xa2\xd3u\xc5\xccl\xac\xe8\xbbn\xb4\xc9p\x0e*xNg\xb5\xbc\xbaW\xac\x1d\x97\x12\x84\xcb\x99\xad\xd8W}?\xbc%\xf6\xfdT\x95y\x87\xc8\\i\x17\xd5%\x0c:\x12\xba \xc6P\xef\x90\xd1Oe\x8a\x92\x8e\xac\xaa\x00\xdd\rT\xce\x9f\xe7\xb7\n\xd9/MAW\x80\x14\x814\x1f\xe9\xbdG.\xed\xd9\x0f\xc0\x94\x1b\xdck\xab\x82,\x8b\x83\x881\xa2P_\xe9\x15\xc2\xb4*\xc4\xb7\xb7\x02\x19\xa3\xab\xdb\x8f\xda%\xc0\x88\xb7\xfbiYnO!`|\x07\xef\xbf_\xe9\x7fM}\xdf8\x10\xa1\xed(\x184^\x87\x9f\xd0\xad\xb3\xba\x8f\xe5\xedWk\x07\x0ep\xde\x9f\xe9\x90;o\xc67\x01\x13}\x03\xc2 
\xa2+\xa0g\xf8%I\xdf\xb6\xde\xc2\xc3=J\x99\x02\x03\x01\x00\x01\xa3\x82\x03[0\x82\x03W0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14LX\xcb%\xf0AOR\xf4(\xc8\x81C\x9b\xa6\xa8\xa0\xe6\x92\xe50\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x83\xd4\xd4\x0f5\xa4\xba\x8b\xbea7b\xc1\x96\r6\xc7\xc7790\'\x06\x03U\x1d\x11\x04 0\x1e\x82\x0fwww.mozilla.org\x82\x0bmozilla.org0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020c\x06\x03U\x1d\x1f\x04\\0Z0+\xa0)\xa0\'\x86%http://crl3.digicert.com/evca1-g5.crl0+\xa0)\xa0\'\x86%http://crl4.digicert.com/evca1-g5.crl0K\x06\x03U\x1d \x04D0B07\x06\t`\x86H\x01\x86\xfdl\x02\x010*0(\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16\x1chttps://www.digicert.com/CPS0\x07\x06\x05g\x81\x0c\x01\x010}\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04q0o0$\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x18http://ocsp.digicert.com0G\x06\x08+\x06\x01\x05\x05\x070\x02\x86;http://cacerts.digicert.com/DigiCertHighAssuranceEVCA-1.crt0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x82\x01|\x06\n+\x06\x01\x04\x01\xd6y\x02\x04\x02\x04\x82\x01l\x04\x82\x01h\x01f\x00v\x00\xa4\xb9\t\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\n<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\r\xdc\x10\x00\x00\x01Q\xeaW\xc9\xa9\x00\x00\x04\x03\x00G0E\x02!\x00\xd6\xccn\xb2!P\xd4\x0f!\xe5\xca\x86&\x9f\xbd\xd9\xbb\xd6\xd36\x18\x1f\x83\x10_\xc4\x19Zqh\x89|\x02 _\xb8\xee\r(\xe5\xf1w\x8eu\x96\x1b\xa4w\xc6\x8em\x02j"\x915\xff\xe4\xcc\xdc\x9cS?'

It should be a Certificate message, but it is not parsed correctly. How to solve this problem? Thanks!

bestrocker221 commented 7 years ago

Are you 100% sure all the bytes were correctly received? I got this when, for some reason, the receiver didn't get all of those bytes in the sock.recv()

caiqs-sys commented 7 years ago

I use it to deal with a pcap file, but I have found the reason, and it's what you said. The record length is 0xe52, but the remaining payload is only 1390 bytes. The code at ssl_tls.py, line 439 sets cls to TLSCiphertext, which means it cannot deal with a "TCP segment of a reassembled PDU". I will remove the code and try to deal with it in my own app. Thanks!

    def guess_payload_class(self, payload):
        """ Sense for ciphertext
        """
        cls = StackedLenPacket.guess_payload_class(self, payload)
        p = cls(payload, _internal=1, _underlayer=self)
        if p.haslayer(TLSHandshakes) and len(p[TLSHandshakes].handshakes) > 0:
            p = p[TLSHandshakes].handshakes[0]
        try:
            # the handshake header claims more bytes than this TCP segment carries
            if cls == Raw().__class__ or p.length > len(payload):
                # length does not fit len raw_bytes, assume its corrupt or encrypted
                cls = TLSCiphertext
        except AttributeError:
            # e.g. TLSChangeCipherSpec might land here
            pass
        return cls

tintinweb commented 7 years ago

Hi @deliciousdish,

likely a TCP stream reassembly issue. I worked around this with a minimalistic non-valid(!) stream reassembly class that reassembles based on some assumptions, see examples/sessionctx_sniffer.py. It is working in many settings but not all. Maybe it is of help to you. Let me know if you come across a python TCP stream reassembly project :)

tin
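The failure both replies describe, as an added example that is not part of this issue or of scapy-ssl_tls: in the dump above the record header says 0xe52 bytes and the handshake header (0b 00 0e 4e) says a 0xe4e-byte Certificate, but only 1390 bytes arrived in that TCP segment, so any length-versus-payload check must fail until the segments are buffered. The reassembler and Certificate parser below are assumed helper names, and the DER blob is a constructed placeholder, not a real certificate.

```python
import struct
HANDSHAKE, CERTIFICATE = 22, 0x0b   # record content type, handshake message type
def tls_record(content_type, body):
    """TLS 1.0 record header: type(1) version(2) length(2), then body."""
    return struct.pack("!BBBH", content_type, 3, 1, len(body)) + body

def certificate_message(der_blobs):
    """Handshake Certificate: type(1) len(3) certs_len(3) [cert_len(3) cert]..."""
    certs = b"".join(len(d).to_bytes(3, "big") + d for d in der_blobs)
    body = len(certs).to_bytes(3, "big") + certs
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body

# Constructed sample (not a real certificate): one placeholder DER blob, wrapped
# in a Certificate record that is then split across two "TCP segments".
FAKE_DER = b"\x30\x82\x00\x20" + b"\xaa" * 0x20
RECORD = tls_record(HANDSHAKE, certificate_message([FAKE_DER]))
SEGMENTS = [RECORD[:20], RECORD[20:]]

def record_complete(buf):
    """The check guess_payload_class effectively makes: does the record fit?"""
    if len(buf) < 5:
        return False
    return struct.unpack("!H", buf[3:5])[0] <= len(buf) - 5

class TLSRecordReassembler:
    """Buffers TCP payload bytes and returns only complete TLS records."""
    def __init__(self):
        self.buf = b""
    def feed(self, data):
        self.buf += data
        records = []
        while record_complete(self.buf):
            length = struct.unpack("!H", self.buf[3:5])[0]
            records.append(self.buf[:5 + length])
            self.buf = self.buf[5 + length:]
        return records

def parse_certificate_record(record):
    """Return the DER blobs carried by a complete Handshake/Certificate record."""
    body = record[5:]
    if record[0] != HANDSHAKE or body[0] != CERTIFICATE:
        raise ValueError("not a Certificate handshake record")
    certs_len = int.from_bytes(body[4:7], "big")
    certs, pos = [], 7
    while pos < 7 + certs_len:
        n = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs
```

Feeding SEGMENTS[0] alone yields nothing, which is exactly the state in which the patched guess_payload_class falls back to TLSCiphertext; only after the second segment does a complete record come out and parse as a Certificate.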