Open alexmgr opened 6 years ago
TLSServerECDHParams is defined as:
TLSServerECDHParams
class TLSServerECDHParams(PacketNoPayload): name = "TLS EC Diffie-Hellman Server Params" fields_desc = [ByteEnumField("curve_type", TLSECCurveTypes.NAMED_CURVE, TLS_EC_CURVE_TYPES), ShortEnumField("curve_name", TLSSupportedGroup.SECP256R1, TLS_SUPPORTED_GROUPS), XFieldLenField("p_length", None, length_of="p", fmt="!B"), StrLenField("p", '', length_from=lambda x:x.p_length), ShortEnumField("scheme_type", TLSSignatureScheme.RSA_PKCS1_SHA256, TLS_SIGNATURE_SCHEMES), XFieldLenField("sig_length", None, length_of="sig", fmt="!H"), StrLenField("sig", '', length_from=lambda x:x.sig_length)]
which is correct for TLS 1.2 and above. In TLS1.1 and below, there is no scheme_type field. This causes the guess_payload_class heuristics of TLSServerKeyExchange to fail for TLS 1.1 traffic.
scheme_type
guess_payload_class
TLSServerKeyExchange
TLSServerKeyExchange needs to be made version tolerant.
TLSServerECDHParams
is defined as:which is correct for TLS 1.2 and above. In TLS1.1 and below, there is no
scheme_type
field. This causes theguess_payload_class
heuristics ofTLSServerKeyExchange
to fail for TLS 1.1 traffic.TLSServerKeyExchange
needs to be made version tolerant.