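//------------------------------------------------
//--- 010 Editor v11.0.1 Binary Template
//
//      File: TLS_ClientHello.bt
//   Authors: Raymond Hulha
//   Version: 1.0
//   Purpose: Parse TLS ClientHello Message
//  Category: Network
//  ID Bytes: 16
//   History:
//   1.0   2023-03-31 Raymond Hulha: Initial Release
//------------------------------------------------

// NOTE(review): "ID Bytes" is a list of hex bytes. A TLS handshake record
// starts with content type 22 decimal, which is 0x16, so the value is
// written as 16 rather than 22.

BigEndian();

// TLS 1.3 ClientHello's are identified as having
// a legacy_version of 0x0303 (this means TLS 1.2) and a supported_versions extension
// present with 0x0304 (this means TLS 1.3) as the highest version indicated therein.
//
// Every length field below is taken from the file, i.e. from whoever sent
// or captured the message. The template therefore checks each length
// against the space that is actually left before it declares an array,
// so a truncated or malformed capture yields a warning instead of a
// mis-aligned parse.

local int i, j;
local int64 file_pos;
local int64 exts_end;   // absolute offset one past the last extension byte

typedef struct {
    struct {
        uchar  msg_type;        // Record content type (should be 0x16 for handshake messages)
        uchar  major_version;   // Record layer protocol version
        uchar  minor_version;   // Record layer protocol version
        uint16 length;          // Length of the record payload
        uchar  handshake_type;  // Handshake Type (should be 0x01 for client hello)
        uchar  hlength_1;       // Length of Handshake Payload (24 bit, high byte)
        uchar  hlength_2;       // Length of Handshake Payload
        uchar  hlength_3;       // Length of Handshake Payload (low byte)
        uchar  cversion_1;      // Client Version (legacy_version in TLS 1.3)
        uchar  cversion_2;      // Client Version
        uint32 random_gmt;      // First 4 of the 32 random bytes (GMT Unix time in older clients)
        uchar  random_bytes[28];// Remaining 28 random bytes
        uchar  session_id_length;           // Session ID Length (0 is legal)
        if (session_id_length > 0) {
            uchar sid_data[session_id_length];  // Session ID Data
        }
        uint16 cipher_len;                  // Cipher Suite Length in bytes
        if (cipher_len >= 2) {
            uint16 cipher_data[cipher_len/2];   // Cipher Suite Data
        }
        uchar  comp_len;                    // Compression Method Length
        if (comp_len > 0) {
            uchar comp_data[comp_len];      // Compression Method Data
        }
    } header;

    if (header.msg_type != 0x16 || header.handshake_type != 0x01) {
        Warning("Not a TLS handshake record carrying a ClientHello; fields may be meaningless");
    }

    // A ClientHello without extensions simply ends here.
    if (FTell() + 2 <= FileSize()) {
        uint16 exts_len;        // Extensions Length

        // Walk the extensions only inside the declared extensions block, so
        // bytes that follow the ClientHello are not read as extensions.
        exts_end = FTell() + exts_len;
        if (exts_end > FileSize()) {
            Warning("Extensions length runs past the end of the file; input is truncated or malformed");
            exts_end = FileSize();
        }

        // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
        while (FTell() + 4 <= exts_end) {
            // Peek at ext_len before declaring the struct: an extension body
            // that does not fit in the block cannot be parsed safely.
            if (FTell() + 4 + ReadUShort(FTell() + 2) > exts_end) {
                Warning("Extension body exceeds the extensions block; stopping");
                break;
            }

            // NOTE(review): the published listing lost every "<...>" span.
            // The read attributes and the instance name below are
            // reconstructed, not copied from the page.
            struct EXTENSION {
                uint16 ext_type <read=DescribeType>;
                uint16 ext_len;

                file_pos = FTell();     // start of the extension body

                // Raw view of the whole body; the typed fields declared
                // after the seek overlay the same bytes.
                if (ext_len > 0) {
                    struct {
                        uchar ext[ext_len];
                    } ext_body;
                    FSeek(file_pos);
                }

                if (ext_type == 0) { // server_name
                    // Only the first entry of the name list is decoded. The
                    // name is sent in clear text and chosen by the client,
                    // so treat it as unauthenticated input.
                    if (ext_len >= 5) {
                        uint16 serverNameListLength;
                        uchar  serverNameType;      // 0 == hostname
                        uint16 serverNameLength;
                        if (serverNameLength > 0 && serverNameLength <= ext_len - 5) {
                            char serverName[serverNameLength];
                        }
                    }
                } else if (ext_type == 5) { // status_request
                    if (ext_len >= 1) {
                        uchar statusType;   // 1 == ocsp (ResponderID list and Extensions follow)
                        // ext_len - 1 is only computed when ext_len > 1, so
                        // an empty body cannot produce a negative size.
                        if (ext_len > 1) {
                            uchar ext[ext_len-1];
                        }
                    }
                } else if (ext_type == 10) { // supported_groups
                    if (ext_len >= 2) {
                        uint16 supported_groups_length;
                        if (supported_groups_length >= 2 && supported_groups_length <= ext_len - 2) {
                            uint16 supported_groups[supported_groups_length/2];
                        }
                    }
                } else if (ext_type == 11) { // ec_point_formats
                    if (ext_len >= 1) {
                        uchar ec_point_formats_length;
                        if (ec_point_formats_length > 0 && ec_point_formats_length <= ext_len - 1) {
                            uchar eliptic_curve_formats[ec_point_formats_length];
                        }
                    }
                } else if (ext_type == 13) { // signature_algorithms
                    // NOTE(review): the listing is cut off inside this branch;
                    // the layout follows the wire format (2-byte list length,
                    // then 2-byte scheme identifiers).
                    if (ext_len >= 2) {
                        uint16 signature_algorithms_length;
                        if (signature_algorithms_length >= 2 && signature_algorithms_length <= ext_len - 2) {
                            uint16 signature_algorithms[signature_algorithms_length/2];
                        }
                    }
                } else if (ext_type == 43) { // supported_versions
                    // NOTE(review): the listing is cut off inside this branch;
                    // the layout follows the wire format (1-byte list length,
                    // then 2-byte versions, 0x0304 == TLS 1.3).
                    if (ext_len >= 1) {
                        uchar s_tls_v_len;
                        if (s_tls_v_len >= 2 && s_tls_v_len <= ext_len - 1) {
                            uint16 supported_versions[s_tls_v_len/2];
                        }
                    }
                } else if (ext_len > 0) {
                    // padding (21), extended_master_secret (23), session_ticket (35)
                    // and every type whose handling is not present in the
                    // published listing are shown as opaque bytes.
                    uchar ext[ext_len];
                }

                // Resynchronise on the declared length, so a branch that
                // decodes fewer bytes than ext_len cannot shift the next
                // extension header.
                FSeek(file_pos + ext_len);
            } extension <read=DescribeExtension>;
        }
    }
} TLS_ClientHello;

// Maps an extension type number to its IANA name for display.
// Unknown values are reported with their number.
string DescribeType( uint16 type )
{
    string s;

    // GREASE values (RFC 8701) are 0x0A0A, 0x1A1A, ... 0xFAFA. Clients add
    // them on purpose, so they are not a sign of a damaged message.
    if ((type & 0x0F0F) == 0x0A0A && (type >> 8) == (type & 0xFF)) {
        return "GREASE (reserved)";
    }

    switch (type) {
        case 0:     return "server_name";
        case 1:     return "max_fragment_length";
        case 5:     return "status_request";
        case 10:    return "supported_groups";
        case 11:    return "ec_point_formats";
        case 13:    return "signature_algorithms";
        case 16:    return "application_layer_protocol_negotiation";
        case 17:    return "status_request_v2";
        case 18:    return "signed_certificate_timestamp";
        case 21:    return "padding";
        case 22:    return "encrypt_then_mac";
        case 23:    return "extended_master_secret";
        case 27:    return "compress_certificate";
        case 28:    return "record_size_limit";
        case 35:    return "session_ticket";
        case 41:    return "pre_shared_key";
        case 42:    return "early_data";
        case 43:    return "supported_versions";
        case 44:    return "cookie";
        case 45:    return "psk_key_exchange_modes";
        case 49:    return "post_handshake_auth";
        case 50:    return "signature_algorithms_cert";
        case 51:    return "key_share";
        case 65281: return "renegotiation_info";
        default:
            SPrintf( s, "Type: %d, not found", type );
            return s;
    }
}

// Read function for one EXTENSION entry: shows the extension's name.
string DescribeExtension( struct EXTENSION &e )
{
    return DescribeType(e.ext_type);
}

TLS_ClientHello clientHello;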