Send supported signature algorithms for TLSv1.2

nselib/tls.lua

@@ -152,6 +152,24 @@ EC_POINT_FORMATS = {
   ansiX962_compressed_char2 = 2,
 }
 
+---
+-- RFC 5246 section 7.4.1.4.1. Signature Algorithms
+HashAlgorithms = {
+  none = 0,
+  md5 = 1,
+  sha1 = 2,
+  sha224 = 3,
+  sha256 = 4,
+  sha384 = 5,
+  sha512 = 6,
+}
+SignatureAlgorithms = {
+  anonymous = 0,
+  rsa = 1,
+  dsa = 2,
+  ecdsa = 3,
+}
+
 ---
 -- Extensions
 -- RFC 6066, draft-agl-tls-nextprotoneg-03
@@ -213,6 +231,16 @@ EXTENSION_HELPERS = {
     end
     return bin.pack(">p", table.concat(list))
   end,
+  ["signature_algorithms"] = function(signature_algorithms)
+    local list = {}
+    for _, pair in ipairs(signature_algorithms) do
+      list[#list+1] = bin.pack(">CC",
+        HashAlgorithms[pair[1]] or pair[1],
+        SignatureAlgorithms[pair[2]] or pair[2]
+        )
+    end
+    return bin.pack(">P", table.concat(list))
+  end,
   ["next_protocol_negotiation"] = tostring,
 }
 

scripts/ssl-enum-ciphers.nse

@@ -328,12 +328,21 @@ local function remove_high_byte_ciphers(t)
   return output
 end
 
+-- Claim to support every hash and signature algorithm combination (TLSv1.2 only)
+local sigalgs = {}
+for hash, _ in pairs(tls.HashAlgorithms) do
+  for sig, _ in pairs(tls.SignatureAlgorithms) do
+    sigalgs[#sigalgs+1] = {hash, sig}
+  end
+end
+
 -- Claim to support every elliptic curve and EC point format
 local base_extensions = {
   -- Claim to support every elliptic curve
   ["elliptic_curves"] = tls.EXTENSION_HELPERS["elliptic_curves"](sorted_keys(tls.ELLIPTIC_CURVES)),
   -- Claim to support every EC point format
   ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"](sorted_keys(tls.EC_POINT_FORMATS)),
+  ["signature_algorithms"] = tls.EXTENSION_HELPERS["signature_algorithms"](sigalgs)
 }
 
 -- Recursively copy a table.