mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-31 22:09:44 +01:00
Revert #1113
This PR removes the changes that were added in #1113. As noted in the conversation for #1113, it was eventually determined that the actual bug was related to the first message fragment being too short rather than the overall length of the message. So, the warning message that is displayed by the code is misleading. In addition, if changes are made to avoid TCP fragmentation, then this code will no longer even test for intolerance to short message fragments.
This commit is contained in:
parent
305eefc9e8
commit
83a9302718
63
testssl.sh
63
testssl.sh
@ -14532,12 +14532,12 @@ run_tls_truncation() {
|
||||
run_grease() {
|
||||
local -i success
|
||||
local bug_found=false
|
||||
local normal_hello_ok=false clienthello_size_bug=false
|
||||
local normal_hello_ok=false
|
||||
local cipher_list proto selected_cipher selected_cipher_hex="" extn rnd_bytes
|
||||
local alpn_proto alpn alpn_list_len_hex extn_len_hex
|
||||
local selected_alpn_protocol grease_selected_alpn_protocol
|
||||
local ciph list temp curve_found
|
||||
local -i i j rnd alpn_list_len extn_len base_len clienthello_len debug_level=""
|
||||
local -i i j rnd alpn_list_len extn_len debug_level=""
|
||||
local -i ret=0
|
||||
# Note: The following values were taken from https://datatracker.ietf.org/doc/draft-ietf-tls-grease.
|
||||
# These arrays may need to be updated if the values change in the final version of this document.
|
||||
@ -14738,68 +14738,9 @@ run_grease() {
|
||||
prln_svrty_medium " Server fails if ClientHello is between 256 and 511 bytes in length."
|
||||
fileout "$jsonID" "MEDIUM" "Server fails if ClientHello is between 256 and 511 bytes in length."
|
||||
bug_found=true
|
||||
clienthello_size_bug=true
|
||||
fi
|
||||
fi
|
||||
|
||||
# Some servers fail if the length of the ClientHello is 522, 778, 1034, 1290, ... bytes.
|
||||
# A few servers also fail if the length is 526, 782, 1038, 1294, ... bytes.
|
||||
# So, send a number of ClientHello messages of extactly these lengths to see whether
|
||||
# the connection fails.
|
||||
if "$normal_hello_ok" && [[ "$proto" != "00" ]] && [[ ${#SNI} -le 92 ]]; then
|
||||
if [[ "$proto" == "03" ]]; then
|
||||
if [[ -z "$SNI" ]]; then
|
||||
base_len=426
|
||||
else
|
||||
base_len=423+${#SNI}
|
||||
fi
|
||||
else
|
||||
if [[ -z "$SNI" ]]; then
|
||||
base_len=294
|
||||
else
|
||||
base_len=291+${#SNI}
|
||||
fi
|
||||
fi
|
||||
for clienthello_len in 266 522 526 778 782 1034 1290 1546 1802 2058; do
|
||||
if [[ $clienthello_len -eq 266 ]]; then
|
||||
# If the server cannot handle ClientHello message lengths between
|
||||
# 256 and 511, there is no need to test a ClientHello message of
|
||||
# length 266.
|
||||
"$clienthello_size_bug" && continue
|
||||
# In order to create a message of length 266, need to send a message
|
||||
# with fewer cipher suites, so the "true" base length of the messsage
|
||||
# will be shorter.
|
||||
extn_len=$((clienthello_len+250-base_len))
|
||||
else
|
||||
extn_len=$((clienthello_len-base_len))
|
||||
fi
|
||||
extn=""
|
||||
for (( i=0; i < extn_len; i++ )); do
|
||||
extn+=",00"
|
||||
done
|
||||
extn_len_hex=$(printf "%04x" $extn_len)
|
||||
debugme echo -e "\nSending ClientHello with length $clienthello_len bytes"
|
||||
if [[ $clienthello_len -eq 266 ]]; then
|
||||
# Some extensions are only included if the ClientHello includes a TLS_ECDHE cipher suite.
|
||||
# So, add one (either c0,01 or c0,02 in order to ensure that the message length will
|
||||
# be correct.
|
||||
if [[ "$selected_cipher_hex" == "C0,01" ]]; then
|
||||
tls_sockets "$proto" "$selected_cipher_hex, c0,02, 00,ff" "" "00,15,${extn_len_hex:0:2},${extn_len_hex:2:2}${extn}"
|
||||
else
|
||||
tls_sockets "$proto" "$selected_cipher_hex, c0,01, 00,ff" "" "00,15,${extn_len_hex:0:2},${extn_len_hex:2:2}${extn}"
|
||||
fi
|
||||
else
|
||||
tls_sockets "$proto" "$cipher_list" "" "00,15,${extn_len_hex:0:2},${extn_len_hex:2:2}${extn}"
|
||||
fi
|
||||
success=$?
|
||||
if [[ $success -ne 0 ]] && [[ $success -ne 2 ]]; then
|
||||
prln_svrty_medium " Server fails if ClientHello is $clienthello_len bytes in length."
|
||||
fileout "$jsonID" "MEDIUM" "Server fails if ClientHello is $clienthello_len bytes in length."
|
||||
bug_found=true
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Check that server ignores unrecognized cipher suite values
|
||||
# see https://datatracker.ietf.org/doc/draft-ietf-tls-grease
|
||||
if "$normal_hello_ok"; then
|
||||
|
Loading…
Reference in New Issue
Block a user