From 04fee3d14cbf3dc0ec4b4335a961f2b3f009354a Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Wed, 25 Mar 2015 02:29:25 +0000
Subject: [PATCH] Move TLSv1.2 signature_algorithms extension defaults into
 tls.lua

---
 nselib/tls.lua               | 22 ++++++++++++++++++++++
 scripts/ssl-enum-ciphers.nse |  9 ---------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/nselib/tls.lua b/nselib/tls.lua
index f8ef20822..081091ebd 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1257,6 +1257,19 @@ function record_write(type, protocol, b)
   })
 end
 
+-- Claim to support every hash and signature algorithm combination (TLSv1.2 only)
+--
+local signature_algorithms_all
+do
+  local sigalgs = {}
+  for hash, _ in pairs(HashAlgorithms) do
+    for sig, _ in pairs(SignatureAlgorithms) do
+      sigalgs[#sigalgs+1] = {hash, sig}
+    end
+  end
+  signature_algorithms_all = EXTENSION_HELPERS["signature_algorithms"](sigalgs)
+end
+
 ---
 -- Build a client_hello message
 --
@@ -1322,15 +1335,24 @@ function client_hello(t)
   if PROTOCOLS[protocol] and protocol ~= "SSLv3" then
     local extensions = {}
     if t["extensions"] ~= nil then
+      -- Do we need to add the signature_algorithms extension?
+      local need_sigalg = (protocol == "TLSv1.2")
       -- Add specified extensions.
       for extension, data in pairs(t["extensions"]) do
         if type(extension) == "number" then
           table.insert(extensions, bin.pack(">S", extension))
         else
+          if extension == "signature_algorithms" then
+            need_sigalg = false
+          end
           table.insert(extensions, bin.pack(">S", EXTENSIONS[extension]))
         end
         table.insert(extensions, bin.pack(">P", data))
       end
+      if need_sigalg then
+        table.insert(extensions, bin.pack(">S", EXTENSIONS["signature_algorithms"]))
+        table.insert(extensions, bin.pack(">P", signature_algorithms_all))
+      end
     end
     -- Extensions are optional
     if #extensions ~= 0 then
diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
index 939e528d7..9b1488962 100644
--- a/scripts/ssl-enum-ciphers.nse
+++ b/scripts/ssl-enum-ciphers.nse
@@ -328,21 +328,12 @@ local function remove_high_byte_ciphers(t)
   return output
 end
 
--- Claim to support every hash and signature algorithm combination (TLSv1.2 only)
-local sigalgs = {}
-for hash, _ in pairs(tls.HashAlgorithms) do
-  for sig, _ in pairs(tls.SignatureAlgorithms) do
-    sigalgs[#sigalgs+1] = {hash, sig}
-  end
-end
-
 -- Claim to support every elliptic curve and EC point format
 local base_extensions = {
   -- Claim to support every elliptic curve
   ["elliptic_curves"] = tls.EXTENSION_HELPERS["elliptic_curves"](sorted_keys(tls.ELLIPTIC_CURVES)),
   -- Claim to support every EC point format
   ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"](sorted_keys(tls.EC_POINT_FORMATS)),
-  ["signature_algorithms"] = tls.EXTENSION_HELPERS["signature_algorithms"](sigalgs)
 }
 
 -- Recursively copy a table.