From 714933d6073a2e1ceac0b17009e7d576f5920ef6 Mon Sep 17 00:00:00 2001
From: David Cooper <dcooper16@gmail.com>
Date: Mon, 12 Mar 2018 13:31:29 -0400
Subject: [PATCH] Add X448 support in TLS 1.3

Support for X448 was recently added to the development branch of OpenSSL 1.1.1. This PR adds an X448 key pair to etc/tls_data.txt (that was generated using OpenSSL 1.1.1) and adds X448 to the supported_groups extension for TLS 1.3 ClientHello messages.
---
 etc/tls_data.txt | 10 ++++++++--
 testssl.sh       | 35 ++++++++++++++++++++++++++---------
 2 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/etc/tls_data.txt b/etc/tls_data.txt
index 6761513..c46be6e 100755
--- a/etc/tls_data.txt
+++ b/etc/tls_data.txt
@@ -103,7 +103,12 @@ bONJgO7LSp05PXa79CEi8sydmKYiH1pSLAzRiQnh
 "-----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VuBCIEIACiKGKr1nm2eobXvsI3HrWNKR5wEVAIf7KaCmDPxsJR
 -----END PRIVATE KEY-----
-" "1e" "1f"
+"
+"-----BEGIN PRIVATE KEY-----
+MEYCAQAwBQYDK2VvBDoEOFxH7JJ8B4AopQls9SqDf5O+ATl/Cue6gnnUMfDMGdg/
+bcPkcJT4nX5fwbVjFKeoCdAYH6i6JJLJ
+-----END PRIVATE KEY-----
+" "1f"
  "20" "21" "22" "23" "24" "25" "26" "27" "28" "29" "2a" "2b" "2c" "2d" "2e" "2f"
  "30" "31" "32" "33" "34" "35" "36" "37" "38" "39" "3a" "3b" "3c" "3d" "3e" "3f"
  "40" "41" "42" "43" "44" "45" "46" "47" "48" "49" "4a" "4b" "4c" "4d" "4e" "4f"
@@ -274,7 +279,8 @@ readonly -a TLS13_PUBLIC_KEY_SHARES=(
  "00,19,00,85,04,00,7b,81,9c,ca,50,fb,7d,25,9d,df,e0,5a,b1,f0,8c,ba,d7,43,e1,30,b7,16,33,32,34,83,91,f4,71,af,45,10,d1,8b,b3,0c,dc,ec,54,fd,1a,cf,29,42,d3,a0,54,95,c0,2f,56,08,97,fb,ad,41,89,46,a9,c3,ed,fb,10,e4,6e,01,a1,ce,96,86,f4,9e,86,e6,14,d0,fb,a5,e3,74,62,09,50,b8,17,92,76,a2,b7,71,b7,4f,fe,ef,63,7d,f1,ab,d8,7f,7d,6c,e3,49,80,ee,cb,4a,9d,39,3d,76,bb,f4,21,22,f2,cc,9d,98,a6,22,1f,5a,52,2c,0c,d1,89,09,e1"
  "1a" "1b" "1c"
  "00,1d,00,20,ad,da,32,b8,c8,41,c6,0a,a3,cd,37,92,f3,4f,a2,4a,97,84,b4,c9,2c,54,c5,70,ab,d1,10,ea,cd,7b,6b,42"
- "1e" "1f"
+ "00,1e,00,38,c8,52,05,c1,be,84,4a,bb,0a,ce,52,1d,84,04,82,64,65,ba,32,39,da,8d,02,6b,86,d2,98,eb,c1,8d,f5,75,43,62,a6,b1,11,22,71,b4,07,83,68,c8,82,13,56,c9,18,ac,5f,97,15,00,86,a0"
+ "1f"
  "20" "21" "22" "23" "24" "25" "26" "27" "28" "29" "2a" "2b" "2c" "2d" "2e" "2f"
  "30" "31" "32" "33" "34" "35" "36" "37" "38" "39" "3a" "3b" "3c" "3d" "3e" "3f"
  "40" "41" "42" "43" "44" "45" "46" "47" "48" "49" "4a" "4b" "4c" "4d" "4e" "4f"
diff --git a/testssl.sh b/testssl.sh
index a1ba421..bee3eb1 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -10832,9 +10832,18 @@ generate_key_share_extension() {
                [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1"* ]] && \
                continue
 
+          # Versions of OpenSSL prior to 1.1.1 cannot perform operations
+          # with X448 keys, so don't include the X448 key share
+          # if the server's response needs to be decrypted and an
+          # older version of OpenSSL is being used.
+          [[ $i -gt 12 ]] && [[ $group -eq 30 ]] && [[ "$2" == "all" ]] && \
+               [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1"* ]] && \
+               continue
+
           # NOTE: The public keys could be extracted from the private keys
-          # (TLS13_KEY_SHARES) using $OPENSSL, but only OpenSSL 1.1.0 can
-          # extract the public key from an X25519 private key.
+          # (TLS13_KEY_SHARES) using $OPENSSL, but only OpenSSL 1.1.0 and newer can
+          # extract the public key from an X25519 private key, and only
+          # OpenSSL 1.1.1 can extract the public key from an X448 private key.
           key_share="${TLS13_PUBLIC_KEY_SHARES[group]}"
           if [[ ${#key_share} -gt 4 ]]; then
                key_shares+=",$key_share"
@@ -10985,21 +10994,29 @@ socksend_tls_clienthello() {
           elif [[ 0x$tls_low_byte -gt 0x03 ]]; then
                # Supported Groups Extension
                if [[ "$process_full" != "all" ]] || \
-                  [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || \
                   [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
                     extension_supported_groups="
                     00,0a,                      # Type: Supported Groups, see draft-ietf-tls-tls13
-                    00,0e, 00,0c,               # lengths
-                    00,1d, 00,17, 00,18, 00,19,
+                    00,10, 00,0e,               # lengths
+                    00,1d, 00,17, 00,1e, 00,18, 00,19,
                     01,00, 01,01"
-               else
-                    # OpenSSL prior to 1.1.0 does not support X25519, so list it as the least
+                    # OpenSSL prior to 1.1.1 does not support X448, so list it as the least
                     # preferred option if the response needs to be decrypted.
+               elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]]; then
                     extension_supported_groups="
                     00,0a,                      # Type: Supported Groups, see draft-ietf-tls-tls13
-                    00,0e, 00,0c,               # lengths
+                    00,10, 00,0e,               # lengths
+                    00,1d, 00,17, 00,18, 00,19,
+                    01,00, 01,01, 00,1e"
+               else
+                    # OpenSSL prior to 1.1.0 does not support either X25519 or X448,
+                    # so list them as the least referred options if the response
+                    # needs to be decrypted.
+                    extension_supported_groups="
+                    00,0a,                      # Type: Supported Groups, see draft-ietf-tls-tls13
+                    00,10, 00,0e,               # lengths
                     00,17, 00,18, 00,19,
-                    01,00, 01,01, 00,1d"
+                    01,00, 01,01, 00,1d, 00,1e"
                fi
 
                code2network "$extension_supported_groups"