Merge pull request #1279 from dcooper16/compressed_certs

Initial support for certificate compression
Dirk Wetter 2019-06-07 21:33:36 +02:00 committed by GitHub
commit 11add0d4ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -351,6 +351,7 @@ HAS_IRC=false
HAS_CHACHA20=false
HAS_AES128_GCM=false
HAS_AES256_GCM=false
HAS_ZLIB=false
OSSL_CIPHERS_S=""
PORT=443 # unless otherwise auto-determined, see below
NODE=""
@ -11587,6 +11588,7 @@ parse_tls_serverhello() {
16) tmln_out " (certificate_status)" ;;
17) tmln_out " (supplemental_data)" ;;
18) tmln_out " (key_update)" ;;
19) tmln_out " (compressed_certificate)" ;;
FE) tmln_out " (message_hash)" ;;
*) tmln_out ;;
esac
@ -11646,6 +11648,36 @@ parse_tls_serverhello() {
fi
tls_certificate_status_ascii="${tls_handshake_ascii:i:msg_len}"
tls_certificate_status_ascii_len=$msg_len
elif [[ "$tls_msg_type" == 19 ]]; then
if [[ -n "$tls_certificate_ascii" ]]; then
debugme tmln_warning "Response contained more than one Certificate handshake message."
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
return 1
fi
if [[ $DEBUG -ge 3 ]]; then
tm_out " Certificate Compression Algorithm: ${tls_handshake_ascii:i:4}"
case ${tls_handshake_ascii:i:4} in
0001) tmln_out " (ZLIB)" ;;
0002) tmln_out " (Brotli)" ;;
0003) tmln_out " (Zstandard)" ;;
*) tmln_out ;;
esac
offset=$((i+4))
tmln_out " Uncompressed certificate length: $(printf "%d" 0x${tls_handshake_ascii:offset:6})"
tmln_out
fi
if [[ "$process_full" =~ all ]] && "$HAS_ZLIB" && [[ "${tls_handshake_ascii:i:4}" == 0001 ]]; then
offset=$((i+4))
tls_certificate_ascii_len=2*0x${tls_handshake_ascii:offset:6}
offset=$((i+16))
len1=$((msg_len-16))
tls_certificate_ascii="$(asciihex_to_binary_file "${tls_handshake_ascii:offset:len1}" /dev/stdout | $OPENSSL zlib -d 2>/dev/null | hexdump -v -e '16/1 "%02X"')"
tls_certificate_ascii="${tls_certificate_ascii%%[!0-9A-F]*}"
if [[ ${#tls_certificate_ascii} -ne $tls_certificate_ascii_len ]]; then
debugme tmln_warning "Length of uncompressed certificates did not match specified length."
return 1
fi
fi
fi
done
@ -16556,6 +16588,8 @@ find_openssl_binary() {
$OPENSSL enc -aes-256-gcm -K 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef01234567 > /dev/null 2> /dev/null <<< "test"
[[ $? -eq 0 ]] && HAS_AES256_GCM=true
[[ "$(echo -e "\x78\x9C\xAB\xCA\xC9\x4C\xE2\x02\x00\x06\x20\x01\xBC" | $OPENSSL zlib -d 2>/dev/null)" == zlib ]] && HAS_ZLIB=true
if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
if type -p timeout >/dev/null 2>&1; then
if ! "$do_mass_testing"; then
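Review bot: In the `tls_msg_type == 19` branch of parse_tls_serverhello, the server-supplied payload is fully inflated by `$OPENSSL zlib -d` and hex-dumped into `tls_certificate_ascii` before the declared uncompressed length is compared, so nothing bounds how much output a small compressed message can expand to. Capping the stream at the declared size plus one byte keeps the existing mismatch check working while limiting memory and CPU, for example by placing `| head -c $((tls_certificate_ascii_len/2+1))` between the `zlib -d` and `hexdump` stages. The same branch computes `len1=$((msg_len-16))` with no visible check that `msg_len` is at least 16; the function starts and ends outside this hunk, so if no earlier code guarantees it, a guard such as `[[ $msg_len -lt 16 ]] && return 1` would avoid a negative substring length. The length-mismatch `return 1` also skips the `[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt` step that the duplicate-Certificate path performs, which looks like an oversight.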