From a26aae381ceb4206c4f0253322d6ed9350256bf1 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 8 Feb 2019 15:40:28 -0500 Subject: [PATCH] Fix TLSv1.3 second ClientHello This PR fixes two problems with modify_clienthello(). First, the function was incorrectly using the variable $key_share instead of $new_key_share. Since $key_share is defined when modify_clienthello() is called from resend_if_hello_retry_request(), but not when it is called from client_simulation_sockets(), this bug does not seem to result in incorrect behavior, but it should still be fixed. Second, when this function is used to create a second ClientHello in response to a HelloRetryRequest, it removes the key_share extension from the original ClientHello and then appends the new key_share extension at the end. According to https://mailarchive.ietf.org/arch/msg/tls/8ZKCyamcYFaV90h6nf4MUnSPkEE, however, extensions must appear in the second ClientHello in the same order in which they appeared in the first ClientHello. I am not aware of any servers that will actually complain if the extensions in the second ClientHello do not appear in the same order as in the first ClientHello, bug this fix helps to ensure that the ClientHello messages testssl.sh sends are in compliance with the standard. --- testssl.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index 1945fe7..78d7ed0 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4301,7 +4301,7 @@ modify_clienthello() { offset+=+4 len_extension=2*$(hex2dec "${tls_handshake_ascii:$offset:4}") - if [[ "$extension_type" == 0000 ]] && [[ -z "$key_share" ]]; then + if [[ "$extension_type" == 0000 ]] && [[ -z "$new_key_share" ]]; then # If this is an initial ClientHello, then either remove # the SNI extension or replace it with the correct server name. sni_extension_found=true @@ -4317,7 +4317,7 @@ modify_clienthello() { tls_extensions+="000000${len_sni_ext}00${len_sni_listlen}0000${len_servername_hex}${servername_hexstr}" offset+=$len_extension+4 fi - elif [[ "$extension_type" != 00$KEY_SHARE_EXTN_NR ]] || [[ -z "$key_share" ]]; then + elif [[ "$extension_type" != 00$KEY_SHARE_EXTN_NR ]] || [[ -z "$new_key_share" ]]; then # If this is in response to a HelloRetryRequest, then do # not copy over the old key_share extension, but # all other extensions should be copied into the new ClientHello. @@ -4326,12 +4326,16 @@ modify_clienthello() { tls_extensions+="${tls_handshake_ascii:$offset:$len}" offset+=$len else + # This is the key_share extension, and the modified ClientHello + # is being created in response to a HelloRetryRequest. Replace + # the existing key_share extension with the new one. + tls_extensions+="$new_key_share" offset+=$len_extension+4 fi done - tls_extensions+="$new_key_share$cookie" + tls_extensions+="$cookie" - if ! "$sni_extension_found" && [[ -z "$key_share" ]]; then + if ! "$sni_extension_found" && [[ -z "$new_key_share" ]]; then tm_out "$tls_handshake_ascii" return 0 fi