Unable to parse TLS 1.3 Server Hello

[bbayles]

I found that I wasn't able to parse a Server Hello from the TLS 1.3 testing site https://enabled.tls13.com/ with the current development version of scapy (87916fd , Python 3, Linux).

---

Here's a snippet that reproduces the issue:

Code to reproduce

from scapy.all import load_layer
load_layer('tls')

data = bytes.fromhex(
    '160303007a02000076030354d872a960290781a55827539ab607abe2ba8db77a212053ad'
    '7e98c92598ba462033d562b393540c7520405833f06e8c84d0dfb0e8e09f2ea9d4e7b854'
    '81b989ac130100002e00330024001d0020100b726fd77a0fd0e6a00228579d5e649f4105'
    '1a9b2b59f5afb09fe72f793410002b000203041403030001011703030943359c1d734183'
    '288f4c6141d07109241fde952af155d9b6162cf0db7a890322b650f66c54212d93d9bf2f'
    'ac78bb2872e29a89b6ff3ef85d777f3dcb773ccaed62900908a2d310903cf22897d97ed9'
    'e175596d78d4beb061ac6ed885f165ed443696c0ee6d9b5116ed09237e3f5beda2c1ff9f'
    'f33e755ad84450ae9cf7763d3c6aec98eb6dff9c9753cb5a0c60d6f7b20bb7a45ae1e639'
    'ae8a07c73db8db26b37c992f4d4ea7bec54715b696b463dbd5904b6d38bf69f9b4379d2a'
    'bc101cdd5da07a21e4b1913ef5484c3d9b61b5c0abe6cb6dbaa9fbee0a81a4b3bd2aa744'
    '9a4d3127f137b42191a635d8ec2b09a48f659656dae6ed246c1d8d9c8fced1b2a0a610d3'
    '124410f32e9a4000b451a28ca3f1c02f705466bf8f6356cdec497471d78e4f785379ec71'
    '468e8ac9dbce8bb29d249030929f4442003e3a67d4581d97f540e3309a2d8b3eb84b36ca'
    'e9f9e78fb14e5401ff57cdcae2029e62875bc9d5bd9140ce8fae77dbf54495ef4cb4a0af'
    'f591ad6f69eafab106db663adcc183722b62f03b1e273d17438a18be0880fab1c443d7b6'
    '4746f33a5c57bf8f8ac3881ad47400b40f9d1b27e0c86012f2d3b18a5555610e772d3b51'
    '711f591eaa1d5a6826a6390caa537d7db9511c208b668ea88b88c578a5b85cd8862e22b1'
    '7b535156bd9093315b9cd0b47f76f1193d6e27440486dce42316dd342d942aad68e4b35e'
    '31cf7a272a50a35f9fa00dc8f700a2ca981a32757dfa2a1ba0778c3308229e96b74ae350'
    '751945c0286d35924b79763835a4bd05e8a6d2a632fff649615c8d8a1f73ad39b5c3478b'
    'b6b4b4b6b21f26f4526ce710148d2ec37125de1ad72bada016c92c438a2d404a2ed0d246'
    '21606509b8736cd3f99e387667dd23e15d56dc7ffbc3ec61825af7f08d633c7740655ea9'
    '8fb0587a800fc74951b0a28b1724215c877a58a3f9b164edfd09b84508d8b3620413cdcc'
    '2f88be147ff5c393fd2322b516547aae2e6dfcdd7d5ea36ef12b4f11c57c99ccde69d84a'
    '3e08c85f57e1c907b1d9ba2cb011b05a518471d6484d5caddbb34070a7b720d561dec167'
    '1f623e7f16f99897b7bc3f08f24ab00ece158e4bef897d3aca77d87c7fef27dd736fcd6c'
    '8f0cfa7e42db6722bed9d88015afbe5ccdf4d17ce76122971fa4270d443eab4046724d79'
    '1fca2355ca5aeba11f6881c05d4e47b55023aec41d297f744f2b0c23fe02ad1c245ebc78'
    '972e3f6da0792911c793d0132327761e68758c3b5ce49f834de08e46c2c0284ffa2c7c6c'
    '1ec20edfecd04872adba4bf046698e62361235ffc91738f7933bb7dbb65e6d206e747e9e'
    'da02ddfcb1576a55c4a876df38b283aeb9cc965af8e67afa3bc19a66d208ee7fb1018f04'
    '77ad6920bbafe294eb492c86af594adcef0b238a46f11f7c0e3a9c4b8f8db2feb8566f3f'
    '87d9280a03b040fed551ebfeec95a6b7a163f043a209c16571893d61081afb797f3dff90'
    'cd1261b086f64d2bbaaf80eff511d3b40549389d288827f758a620bf2dd7cd1e7ac1fa1d'
    '08810fa595b12204286109b34b662d81759e6b36b300b56bb866b6bc4f9bc725f06d3aa2'
)
parsed = TLS(data)
representation = parsed.show()
print(representation)

---

Wireshark knows that the first part of this is a Server Hello Handshake:

Unfortunately, Scapy doesn't:

###[ TLS ]### 
  type      = application_data
  version   = TLS 1.2
  len       = 122
  iv        = b''
  \msg       \
   |###[ Raw ]### 
   |  load      = "\x02\x00\x00v\x03\x03T\xd8r\xa9`)\x07\x81\xa5X'S\x9a\xb6\x07\xab\xe2\xba\x8d\xb7z! S\xad~\x98\xc9%\x98\xbaF 3\xd5b\xb3\x93T\x0cu @X3\xf0n\x8c\x84\xd0\xdf\xb0\xe8\xe0\x9f.\xa9\xd4\xe7\xb8T\x81\xb9\x89\xac\x13\x01\x00\x00.\x003\x00$\x00\x1d\x00 \x10\x0bro\xd7z\x0f\xd0\xe6\xa0\x02(W\x9d^d\x9fA\x05\x1a\x9b+Y\xf5\xaf\xb0\x9f\xe7/y4\x10\x00+\x00\x02\x03\x04"
  mac       = b''
  pad       = b''
  padlen    = None

It's getting the version and len, but not recognizing anything past that.

---

I can provide other captures if it helps?

[p-l-]

Thanks for this report! Yep, a capture file would help.

[bbayles]

Here's a capture. The server hello is in packet 6:
tls-13-handshake.pcap.gz

[Tschet1]

I think the problem are the TLS1.3 version numbers. I think the message is parsed as TLSServerHello instead of TLS13ServerHello because the version number that is mentioned in the packet is 0x0303 for both TLS1.2 and TLS1.3.

In handshake.py

if _pkt and len(_pkt) >= 6:
    version = struct.unpack("!H", _pkt[4:6])[0]
    if version == 0x0304 or version > 0x7f00:
        return TLS13ServerHello
    return TLSServerHello

[guedou]

@bbayles does PR #2146 fix the issue?

[bbayles]

Here is the new output (see my code to reproduce in the OP). This is better, but still not great.

###[ TLS ]### 
  type      = handshake
  version   = TLS 1.2
  len       = 122    [deciphered_len= 122]
  iv        = b''
  \msg       \
   |###[ Raw ]### 
   |  load      = "\x02\x00\x00v\x03\x03T\xd8r\xa9`)\x07\x81\xa5X'S\x9a\xb6\x07\xab\xe2\xba\x8d\xb7z! S\xad~\x98\xc9%\x98\xbaF 3\xd5b\xb3\x93T\x0cu @X3\xf0n\x8c\x84\xd0\xdf\xb0\xe8\xe0\x9f.\xa9\xd4\xe7\xb8T\x81\xb9\x89\xac\x13\x01\x00\x00.\x003\x00$\x00\x1d\x00 \x10\x0bro\xd7z\x0f\xd0\xe6\xa0\x02(W\x9d^d\x9fA\x05\x1a\x9b+Y\xf5\xaf\xb0\x9f\xe7/y4\x10\x00+\x00\x02\x03\x04"
  mac       = b''
  pad       = b''
  padlen    = None
###[ TLS ]### 
     type      = change_cipher_spec
     version   = TLS 1.2
     len       = 1    [deciphered_len= 1]
     iv        = b''
     \msg       \
      |###[ TLS ChangeCipherSpec ]### 
      |  msgtype   = change_cipher_spec
     mac       = b''
     pad       = b''
     padlen    = None
###[ TLS ]### 
        type      = application_data
        version   = TLS 1.2
        len       = 2371    [deciphered_len= 1122]
        iv        = b''
        \msg       \
         |###[ TLS Application Data ]### 
         |  data      = '5\x9c\x1dsA\x83(\x8fLaA\xd0q\t$\x1f\xde\x95*\xf1U\xd9\xb6\x16,\xf0\xdbz\x89\x03"\xb6P\xf6lT!-\x93\xd9\xbf/\xacx\xbb(r\xe2\x9a\x89\xb6\xff>\xf8]w\x7f=\xcbw<\xca\xedb\x90\t\x08\xa2\xd3\x10\x90<\xf2(\x97\xd9~\xd9\xe1uYmx\xd4\xbe\xb0a\xacn\xd8\x85\xf1e\xedD6\x96\xc0\xeem\x9bQ\x16\xed\t#~?[\xed\xa2\xc1\xff\x9f\xf3>uZ\xd8DP\xae\x9c\xf7v=<j\xec\x98\xebm\xff\x9c\x97S\xcbZ\x0c`\xd6\xf7\xb2\x0b\xb7\xa4Z\xe1\xe69\xae\x8a\x07\xc7=\xb8\xdb&\xb3|\x99/MN\xa7\xbe\xc5G\x15\xb6\x96\xb4c\xdb\xd5\x90Km8\xbfi\xf9\xb47\x9d*\xbc\x10\x1c\xdd]\xa0z!\xe4\xb1\x91>\xf5HL=\x9ba\xb5\xc0\xab\xe6\xcbm\xba\xa9\xfb\xee\n\x81\xa4\xb3\xbd*\xa7D\x9aM1\'\xf17\xb4!\x91\xa65\xd8\xec+\t\xa4\x8fe\x96V\xda\xe6\xed$l\x1d\x8d\x9c\x8f\xce\xd1\xb2\xa0\xa6\x10\xd3\x12D\x10\xf3.\x9a@\x00\xb4Q\xa2\x8c\xa3\xf1\xc0/pTf\xbf\x8fcV\xcd\xecItq\xd7\x8eOxSy\xecqF\x8e\x8a\xc9\xdb\xce\x8b\xb2\x9d$\x900\x92\x9fDB\x00>:g\xd4X\x1d\x97\xf5@\xe30\x9a-\x8b>\xb8K6\xca\xe9\xf9\xe7\x8f\xb1NT\x01\xffW\xcd\xca\xe2\x02\x9eb\x87[\xc9\xd5\xbd\x91@\xce\x8f\xaew\xdb\xf5D\x95\xefL\xb4\xa0\xaf\xf5\x91\xadoi\xea\xfa\xb1\x06\xdbf:\xdc\xc1\x83r+b\xf0;\x1e\'=\x17C\x8a\x18\xbe\x08\x80\xfa\xb1\xc4C\xd7\xb6GF\xf3:\\W\xbf\x8f\x8a\xc3\x88\x1a\xd4t\x00\xb4\x0f\x9d\x1b\'\xe0\xc8`\x12\xf2\xd3\xb1\x8aUUa\x0ew-;Qq\x1fY\x1e\xaa\x1dZh&\xa69\x0c\xaaS}}\xb9Q\x1c \x8bf\x8e\xa8\x8b\x88\xc5x\xa5\xb8\\\xd8\x86."\xb1{SQV\xbd\x90\x931[\x9c\xd0\xb4\x7fv\xf1\x19=n\'D\x04\x86\xdc\xe4#\x16\xdd4-\x94*\xadh\xe4\xb3^1\xcfz\'*P\xa3_\x9f\xa0\r\xc8\xf7\x00\xa2\xca\x98\x1a2u}\xfa*\x1b\xa0w\x8c3\x08"\x9e\x96\xb7J\xe3Pu\x19E\xc0(m5\x92Kyv85\xa4\xbd\x05\xe8\xa6\xd2\xa62\xff\xf6Ia\\\x8d\x8a\x1fs\xad9\xb5\xc3G\x8b\xb6\xb4\xb4\xb6\xb2\x1f&\xf4Rl\xe7\x10\x14\x8d.\xc3q%\xde\x1a\xd7+\xad\xa0\x16\xc9,C\x8a-@J.\xd0\xd2F!`e\t\xb8sl\xd3\xf9\x9e8vg\xdd#\xe1]V\xdc\x7f\xfb\xc3\xeca\x82Z\xf7\xf0\x8dc<w@e^\xa9\x8f\xb0Xz\x80\x0f\xc7IQ\xb0\xa2\x8b\x17$!\\\x87zX\xa3\xf9\xb1d\xed\xfd\t\xb8E\x08\xd8\xb3b\x04\x13\xcd\xcc/\x88\xbe\x14\x7f\xf5\xc3\x93\xfd#"\xb5\x16Tz\xae.m\xfc\xdd}^\xa3n\xf1+O\x11\xc5|\x99\xcc\xdei\xd8J>\x08\xc8_W\xe1\xc9\x07\xb1\xd9\xba,\xb0\x11\xb0ZQ\x84q\xd6HM\\\xad\xdb\xb3@p\xa7\xb7 \xd5a\xde\xc1g\x1fb>\x7f\x16\xf9\x98\x97\xb7\xbc?\x08\xf2J\xb0\x0e\xce\x15\x8eK\xef\x89}:\xcaw\xd8|\x7f\xef\'\xddso\xcdl\x8f\x0c\xfa~B\xdbg"\xbe\xd9\xd8\x80\x15\xaf\xbe\\\xcd\xf4\xd1|\xe7a"\x97\x1f\xa4\'\rD>\xab@FrMy\x1f\xca#U\xcaZ\xeb\xa1\x1fh\x81\xc0]NG\xb5P#\xae\xc4\x1d)\x7ftO+\x0c#\xfe\x02\xad\x1c$^\xbcx\x97.?m\xa0y)\x11\xc7\x93\xd0\x13#\'v\x1ehu\x8c;\\\xe4\x9f\x83M\xe0\x8eF\xc2\xc0(O\xfa,|l\x1e\xc2\x0e\xdf\xec\xd0Hr\xad\xbaK\xf0Fi\x8eb6\x125\xff\xc9\x178\xf7\x93;\xb7\xdb\xb6^m nt~\x9e\xda\x02\xdd\xfc\xb1WjU\xc4\xa8v\xdf8\xb2\x83\xae\xb9\xcc\x96Z\xf8\xe6z\xfa;\xc1\x9af\xd2\x08\xee\x7f\xb1\x01\x8f\x04w\xadi \xbb\xaf\xe2\x94\xebI,\x86\xafYJ\xdc\xef\x0b#\x8aF\xf1\x1f|\x0e:\x9cK\x8f\x8d\xb2\xfe\xb8Vo?\x87\xd9(\n\x03\xb0@\xfe\xd5Q\xeb\xfe\xec\x95\xa6\xb7\xa1c\xf0C\xa2\t\xc1eq\x89=a\x08\x1a\xfby\x7f=\xff\x90\xcd\x12a\xb0\x86\xf6M+\xba\xaf\x80\xef\xf5\x11\xd3\xb4\x05I8\x9d(\x88\'\xf7X\xa6 \xbf-\xd7\xcd\x1ez\xc1\xfa\x1d\x08\x81\x0f\xa5\x95\xb1"\x04(a\t\xb3Kf-\x81u\x9ek6\xb3\x00\xb5k\xb8f\xb6\xbcO\x9b\xc7%\xf0m:\xa2'
        mac       = b''
        pad       = b''
        padlen    = None

[guedou]

Are you using the code from PR #2146 ?

Here is the (truncated) output that I have when the PR is used:

###[ TLS ]###                                                                                                                 
  type      = handshake                                                                                                       
  version   = TLS 1.2                                                                                                         
  len       = 122    [deciphered_len= 122]                                                                                    
  iv        = b''                                                                                                             
  \msg       \                                                                                                                
   |###[ TLS Handshake - Server Hello ]###                                                                                    
   |  msgtype   = server_hello                                                                                                
   |  msglen    = 118                                                                                                         
   |  version   = TLS 1.2                                                                                                     
   |  gmt_unix_time= Mon, 09 Feb 2015 08:41:13 +0000 (1423471273)                                                             
   |  random_bytes= 60290781a55827539ab607abe2ba8db77a212053ad7e98c92598ba46                                                  
   |  sidlen    = 32
   |  sid       = '3\xd5b\xb3\x93T\x0cu @X3\xf0n\x8c\x84\xd0\xdf\xb0\xe8\xe0\x9f.\xa9\xd4\xe7\xb8T\x81\xb9\x89\xac'
   |  cipher    = TLS_AES_128_GCM_SHA256
   |  comp      = null
   |  extlen    = 46
   |  \ext       \
   |   |###[ TLS Extension - Key Share (for ServerHello) ]###
   |   |  type      = key_share
   |   |  len       = 36
   |   |  \server_share\
   |   |   |###[ Key Share Entry ]###
   |   |   |  group     = x25519
   |   |   |  kxlen     = 32
   |   |   |  key_exchange= '\x10\x0bro\xd7z\x0f\xd0\xe6\xa0\x02(W\x9d^d\x9fA\x05\x1a\x9b+Y\xf5\xaf\xb0\x9f\xe7/y4\x10'
   |   |###[ TLS Extension - Supported Versions (for ServerHello) ]###                                                         
   |   |  type      = supported_versions                                                                                       
   |   |  len       = 2                                                                                                        
   |   |  version   = TLS 1.3    
[..]

[bbayles]

Evidently I had the wrong branch checked out; my output now matches yours. The part after you trim is a bit odd still?

[guedou]

Everything looks good on my side.

[guedou]

Closed as #2146 is merged.