Move TLSv1.2 signature_algorithms extension defaults into tls.lua

2026-01-27 08:39:02 +00:00 · 2015-03-25 02:29:25 +00:00
parent ed86473b0c
commit 04fee3d14c
2 changed files with 22 additions and 9 deletions
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1257,6 +1257,19 @@ function record_write(type, protocol, b)
  })
 end

+-- Claim to support every hash and signature algorithm combination (TLSv1.2 only)
+--
+local signature_algorithms_all
+do
+  local sigalgs = {}
+  for hash, _ in pairs(HashAlgorithms) do
+    for sig, _ in pairs(SignatureAlgorithms) do
+      sigalgs[#sigalgs+1] = {hash, sig}
+    end
+  end
+  signature_algorithms_all = EXTENSION_HELPERS["signature_algorithms"](sigalgs)
+end
+
 ---
 -- Build a client_hello message
 --
@@ -1322,15 +1335,24 @@ function client_hello(t)
  if PROTOCOLS[protocol] and protocol ~= "SSLv3" then
    local extensions = {}
    if t["extensions"] ~= nil then
+      -- Do we need to add the signature_algorithms extension?
+      local need_sigalg = (protocol == "TLSv1.2")
      -- Add specified extensions.
      for extension, data in pairs(t["extensions"]) do
        if type(extension) == "number" then
          table.insert(extensions, bin.pack(">S", extension))
        else
+          if extension == "signature_algorithms" then
+            need_sigalg = false
+          end
          table.insert(extensions, bin.pack(">S", EXTENSIONS[extension]))
        end
        table.insert(extensions, bin.pack(">P", data))
      end
+      if need_sigalg then
+        table.insert(extensions, bin.pack(">S", EXTENSIONS["signature_algorithms"]))
+        table.insert(extensions, bin.pack(">P", signature_algorithms_all))
+      end
    end
    -- Extensions are optional
    if #extensions ~= 0 then
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -328,21 +328,12 @@ local function remove_high_byte_ciphers(t)
  return output
 end

-- Claim to support every hash and signature algorithm combination (TLSv1.2 only)
-local sigalgs = {}
-for hash, _ in pairs(tls.HashAlgorithms) do
-  for sig, _ in pairs(tls.SignatureAlgorithms) do
-    sigalgs[#sigalgs+1] = {hash, sig}
-  end
-end
-
 -- Claim to support every elliptic curve and EC point format
 local base_extensions = {
  -- Claim to support every elliptic curve
  ["elliptic_curves"] = tls.EXTENSION_HELPERS["elliptic_curves"](sorted_keys(tls.ELLIPTIC_CURVES)),
  -- Claim to support every EC point format
  ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"](sorted_keys(tls.EC_POINT_FORMATS)),
-  ["signature_algorithms"] = tls.EXTENSION_HELPERS["signature_algorithms"](sigalgs)
 }

 -- Recursively copy a table.