From 8dbaab36569f9faf98e25d1b7cd5121521a234f9 Mon Sep 17 00:00:00 2001
From: Dirk Wetter <dirk@testssl.sh>
Date: Sat, 7 Mar 2020 15:40:19 +0100
Subject: [PATCH] Socksend modernize part 3, with a PoC for #1535: DONT USE
 THIS OTHERWISE

This moves the run_ticketbleed function to the socketsend_clienthello.

It is not working yet, see also #1535 why. This is just for the PoC,
I'll explain:
  It has now a function named check_bytestream() which will be called
in debug mode 1 and checks whether the byte stream to be send via
bash sockets is properly formatted. It can detect bugs which otherwise
would be hard to discover.

DO NOT USE IT for anything else than the check

---snip:

code:

check_bytestream() {
     local line=""
     local -i i=0

     # We do a search and replace so that \xaa\x29 becomes
     # _xaa
     # _x29
     #
     # "echo -e" helps us to get a multiline string
     while read -r line; do
          if [[ $i -eq 0 ]]; then
               # first line is empty because this is a LF
               :
          elif [[ ${#line} -ne 4 ]] && [[ $i != 0 ]]; then
               echo "length of byte $i called from $2 is not ok"
          elif [[ ${line:0:1} != _ ]]; then
               echo "char $i called from $2 doesn't start with a \"\\\""
          elif [[ ${line:1:1} != x ]]; then
               echo "char $i called from $2 doesn't have an x in second position"
          elif [[ ${line:2:2} != [0-9a-fA-F][0-9a-fA-F] ]]; then
               echo "byte $i called from $2 is not hex"
          fi
          i+=1
     done < <( echo -e ${1//\\/\\n_})
}

socksend_clienthello() {
     local data=""

     code2network "$1"
     data="$NW_STR"
     if [[ "$DEBUG" -ge 1 ]]; then
          check_bytestream "$data" "${FUNCNAME[1]}"
          [[ "$DEBUG" -ge 4 ]] && echo && echo "\"$data\""
[..]

Result (./testssl.sh -q --debug=1 -U dev.testssl.sh):

Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  length of byte 311 called from run_ticketbleed is not ok
length of byte 312 called from run_ticketbleed is not ok
length of byte 313 called from run_ticketbleed is not ok
length of byte 314 called from run_ticketbleed is not ok
length of byte 315 called from run_ticketbleed is not ok
length of byte 316 called from run_ticketbleed is not ok
length of byte 317 called from run_ticketbleed is not ok
[..]

---snap

Besides that:

* dec02hex was corrected (only being used for run_ticketbleed)
* dec04hex is still buggy and part of the problem
* some quotes removed from rhs of [[]]
---
 testssl.sh | 189 ++++++++++++++++++++++++++++++++---------------------
 1 file changed, 113 insertions(+), 76 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 40322fb..6242292 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -747,8 +747,9 @@ debugme() {
      return 0
 }
 
-hex2dec() {
-     echo $((16#$1))
+debugme1() {
+     [[ "$DEBUG" -ge 1 ]] && "$@"
+     return 0
 }
 
 # convert 414243 into ABC
@@ -760,15 +761,20 @@ hex2ascii() {
           done
 }
 
+hex2dec() {
+     echo $((16#$1))
+}
+
+
 # convert decimal number < 256 to hex
 dec02hex() {
-     printf "x%02x" "$1"
+     printf "%02x" "$1"
 }
 
 # convert decimal number between 256 and < 256*256 to hex
 dec04hex() {
      local a=$(printf "%04x" "$1")
-     printf "x%02s, x%02s" "${a:0:2}" "${a:2:2}"
+     printf "%02s, %02s" "${a:0:2}" "${a:2:2}"
 }
 
 
@@ -10476,6 +10482,34 @@ code2network() {
      done <<< "$1")"
 }
 
+# arg1: formatted bytesstream to be send
+# arg2: caller function
+check_bytestream() {
+     local line=""
+     local -i i=0
+
+     # We do a search and replace so that \xaa\x29 becomes
+     # _xaa
+     # _x29
+     #
+     # "echo -e" helps us to get a multiline string
+     while read -r line; do
+          if [[ $i -eq 0 ]]; then
+               # first line is empty because this is a LF
+               :
+          elif [[ ${#line} -ne 4 ]] && [[ $i != 0 ]]; then
+               echo "length of byte $i called from $2 is not ok"
+          elif [[ ${line:0:1} != _ ]]; then
+               echo "char $i called from $2 doesn't start with a \"\\\""
+          elif [[ ${line:1:1} != x ]]; then
+               echo "char $i called from $2 doesn't have an x in second position"
+          elif [[ ${line:2:2} != [0-9a-fA-F][0-9a-fA-F] ]]; then
+               echo "byte $i called from $2 is not hex"
+          fi
+          i+=1
+     done < <( echo -e ${1//\\/\\n_})
+}
+
 # sockets inspired by http://blog.chris007.de/?p=238
 # ARG1: hexbytes separated by commas, with a leading comma
 # ARG2: seconds to sleep
@@ -10484,7 +10518,10 @@ socksend_clienthello() {
 
      code2network "$1"
      data="$NW_STR"
-     [[ "$DEBUG" -ge 4 ]] && echo && echo "\"$data\""
+     if [[ "$DEBUG" -ge 1 ]]; then
+          check_bytestream "$data" "${FUNCNAME[1]}"
+          [[ "$DEBUG" -ge 4 ]] && echo && echo "\"$data\""
+     fi
      if [[ -z "$PRINTF" ]] ;then
           # We could also use "dd ibs=1M obs=1M" here but is seems to be at max 3% slower
           printf -- "$data" | cat >&5 2>/dev/null &
@@ -10501,7 +10538,6 @@ socksend_clienthello() {
 socksend() {
      local data line
 
-     # read line per line and strip comments (bash internal func can't handle multiline statements
      data="$(while read line; do
           printf "${line%%\#*}"
      done <<< "$1" )"
@@ -14880,7 +14916,7 @@ receive_app_data() {
 # mainly adapted from https://gist.github.com/takeshixx/10107280
 #
 run_heartbleed(){
-     local tls_hexcode
+     local tls_hexcode tls_proto
      local heartbleed_payload
      local -i n lines_returned
      local append=""
@@ -14925,8 +14961,8 @@ run_heartbleed(){
      fi
      debugme echo "using protocol $tls_hexcode"
 
-     # attention, this is dangerous as it relies on spaces etc. above
-     tls_sockets "${tls_hexcode:4:2}" "" "ephemeralkey" "" "" "false"
+     tls_proto="${tls_hexcode:4:2}"
+     tls_sockets "${tls_proto}" "" "ephemeralkey" "" "" "false"
 
      [[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:"
      heartbleed_payload=", 18, $tls_hexcode, 00, 03, 01, 40,00"
@@ -15187,8 +15223,8 @@ sub_session_ticket_tls() {
 run_ticketbleed() {
      local session_tckt_tls=""
      local -i len_ch=300                            # fixed len of prepared clienthello below
-     local sid="x00,x0B,xAD,xC0,xDE,x00,"           # some abitratry bytes
-     local len_sid="$(( ${#sid} / 4))"
+     local sid="00,0B,AD,C0,DE,00,"                 # some abitratry bytes
+     local len_sid="$(( ${#sid} / 3))"
      local xlen_sid="$(dec02hex $len_sid)"
      local -i len_tckt_tls=0 nr_sid_detected=0
      local xlen_tckt_tls="" xlen_handshake_record_layer="" xlen_handshake_ssl_layer=""
@@ -15214,7 +15250,7 @@ run_ticketbleed() {
 
      # highly unlikely that it is NOT supported. We may loose time here but it's more solid
      [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
-     if [[ ! "${TLS_EXTENSIONS}" =~ "session ticket" ]]; then
+     if [[ ! "${TLS_EXTENSIONS}" =~ session\ ticket ]]; then
           pr_svrty_best "not vulnerable (OK)"
           outln ", no session ticket extension"
           fileout "$jsonID" "OK" "no session ticket extension" "$cve" "$cwe"
@@ -15222,26 +15258,26 @@ run_ticketbleed() {
      fi
 
      if [[ 0 -eq $(has_server_protocol tls1) ]]; then
-          tls_hexcode="x03, x01"
+          tls_hexcode="03,01"
      elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
-          tls_hexcode="x03, x02"
+          tls_hexcode="03,02"
      elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
-          tls_hexcode="x03, x03"
+          tls_hexcode="03,03"
      elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
-          tls_hexcode="x03, x00"
+          tls_hexcode="03,00"
      else # no protocol for some reason defined, determine TLS versions offered with a new handshake
           $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
           case "$(get_protocol $TMPFILE)" in
-               *1.2)  tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;;
-               *1.1)  tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;;
-               TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;;
-               SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;;
+               *1.2)  tls_hexcode="03,03" ; add_tls_offered tls1_2 yes ;;
+               *1.1)  tls_hexcode="03,02" ; add_tls_offered tls1_1 yes ;;
+               TLSv1) tls_hexcode="03,01" ; add_tls_offered tls1 yes ;;
+               SSLv3) tls_hexcode="03,00" ; add_tls_offered ssl3 yes ;;
           esac
      fi
      debugme echo "using protocol $tls_hexcode"
 
      session_tckt_tls="$(sub_session_ticket_tls)"
-     if [[ "$session_tckt_tls" == "," ]]; then
+     if [[ "$session_tckt_tls" == , ]]; then
           pr_svrty_best "not vulnerable (OK)"
           outln ", no session tickets"
           fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
@@ -15268,87 +15304,87 @@ run_ticketbleed() {
 
      client_hello="
      # TLS header (5 bytes)
-     ,x16,               # Content type (x16 for handshake)
-     x03,x01,            # TLS version record layer
+     ,16,               # Content type (x16 for handshake)
+     03,01,            # TLS version record layer
                          # Length Secure Socket Layer follows:
      $xlen_handshake_ssl_layer,
      # Handshake header
-     x01,                # Type (x01 for ClientHello)
+     01,                # Type (x01 for ClientHello)
                          # Length of ClientHello follows:
-     x00, $xlen_handshake_record_layer,
+     00, $xlen_handshake_record_layer,
      $tls_hexcode,        # TLS Version
      # Random (32 byte) Unix time etc, see www.moserware.com/2009/06/first-few-milliseconds-of-https.html
-     xee, xee, x5b, x90, x9d, x9b, x72, x0b,
-     xbc, x0c, xbc, x2b, x92, xa8, x48, x97,
-     xcf, xbd, x39, x04, xcc, x16, x0b, x85,
-     x03, x90, x9f, x77, x04, x33, xff, xff,
+     ee, ee, 5b, 90, 9d, 9b, 72, 0b,
+     bc, 0c, bc, 2b, 92, a8, 48, 97,
+     cf, bd, 39, 04, cc, 16, 0b, 85,
+     03, 90, 9f, 77, 04, 33, ff, ff,
      $xlen_sid,          # Session ID length
      $sid
-     x00, x6a,           # Cipher suites length 106
-     # 53 Cipher suites
-     xc0,x14, xc0,x13, xc0,x0a, xc0,x21,
-     x00,x39, x00,x38, x00,x88, x00,x87,
-     xc0,x0f, xc0,x05, x00,x35, x00,x84,
-     xc0,x12, xc0,x08, xc0,x1c, xc0,x1b,
-     x00,x16, x00,x13, xc0,x0d, xc0,x03,
-     x00,x0a, xc0,x13, xc0,x09, xc0,x1f,
-     xc0,x1e, x00,x33, x00,x32, x00,x9a,
-     x00,x99, x00,x45, x00,x44, xc0,x0e,
-     xc0,x04, x00,x2f, x00,x96, x00,x41,
-     xc0,x11, xc0,x07, xc0,x0c, xc0,x02,
-     x00,x05, x00,x04, x00,x15, x00,x12,
-     xc0,x30, xc0,x2f, x00,x9d, x00,x9c,
-     x00,x3d, x00,x3c, x00,x9f, x00,x9e,
-     x00,xff,
-     x01,               # Compression methods length
-     x00,               # Compression method (x00 for NULL)
-     x01,x5b,           # Extensions length    ####### 10b + x14 + x3c
+     00, 6a,           # Cipher suites length 106
+# 53 Cipher suites
+     c0,14, c0,13, c0,0a, c0,21,
+     00,39, 00,38, 00,88, 00,87,
+     c0,0f, c0,05, 00,35, 00,84,
+     c0,12, c0,08, c0,1c, c0,1b,
+     00,16, 00,13, c0,0d, c0,03,
+     00,0a, c0,13, c0,09, c0,1f,
+     c0,1e, 00,33, 00,32, 00,9a,
+     00,99, 00,45, 00,44, c0,0e,
+     c0,04, 00,2f, 00,96, 00,41,
+     c0,11, c0,07, c0,0c, c0,02,
+     00,05, 00,04, 00,15, 00,12,
+     c0,30, c0,2f, 00,9d, 00,9c,
+     00,3d, 00,3c, 00,9f, 00,9e,
+     00,ff,
+     01,               # Compression methods length
+     00,               # Compression method (x00 for NULL)
+     01,5b,            # Extensions length    ####### 10b + x14 + x3c
 # Extension Padding
-     x00,x15,
+     00,15,
      # length:
-     x00,x38,
-     x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00,
-     x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00,
-     x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00,
+     00,38,
+     00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00,
+     00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00,
+     00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00, 00,00,
 # Extension: ec_point_formats
-     x00,x0b,
+     00,0b,
      # length:
-     x00,x04,
+     00,04,
      # data:
-     x03,x00, x01,x02,
+     03,00, 01,02,
 # Extension: elliptic_curves
-     x00,x0a,
+     00,0a,
      # length
-     x00,x34,
-     x00,x32,
+     00,34,
+     00,32,
      # data:
-     x00,x0e, x00,x0d, x00,x19, x00,x0b, x00,x0c,
-     x00,x18, x00,x09, x00,x0a, x00,x16,
-     x00,x17, x00,x08, x00,x06, x00,x07,
-     x00,x14, x00,x15, x00,x04, x00,x05,
-     x00,x12, x00,x13, x00,x01, x00,x02,
-     x00,x03, x00,x0f, x00,x10, x00,x11,
+     00,0e, 00,0d, 00,19, 00,0b, 00,0c,
+     00,18, 00,09, 00,0a, 00,16,
+     00,17, 00,08, 00,06, 00,07,
+     00,14, 00,15, 00,04, 00,05,
+     00,12, 00,13, 00,01, 00,02,
+     00,03, 00,0f, 00,10, 00,11,
 # Extension: Signature Algorithms
-     x00,x0d,
+     00,0d,
      # length:
-     x00,x10,
+     00,10,
      # data:
-     x00,x0e ,x04,x01, x05,x01 ,x02,x01, x04,x03, x05,x03,
-     x02,x03, x02,x02,
+     00,0e ,04,01, 05,01 ,02,01, 04,03, 05,03,
+     02,03, 02,02,
 # Extension: SessionTicket TLS
-     x00, x23,
+     00, 23,
      # length of SessionTicket TLS
-     x00, $xlen_tckt_tls,
+     00, $xlen_tckt_tls,
      # data, Session Ticket
-     $session_tckt_tls                       # here we have the comma already
+     $session_tckt_tls                       # we have the comma already
 # Extension: Heartbeat
-     x00, x0f, x00, x01, x01"
+     00, 0f, 00, 01, 01"
 
-     # we do 3 client hellos, then see whether different memory is returned
+     # we do 3 client hellos, then we'll look whether different memory is returned
      for i in 1 2 3; do
           fd_socket 5 || return 6
           debugme echo -n "sending client hello... "
-          socksend "$client_hello" 0
+          socksend_clienthello "$client_hello" 0
 
           debugme echo "reading server hello (ticketbleed reply)... "
           if "$FAST_SOCKET"; then
@@ -15386,7 +15422,8 @@ run_ticketbleed() {
                else
                     debugme echo -n "Message type: ${tls_hello_ascii:10:6} -- "
                fi
-               sid_input=$(sed -e 's/x//g' -e 's/,//g' <<< "$sid")
+               sid_input=${sid//x/}
+               sid_input=${sid_input//,/}
                sid_detected[i]="${tls_hello_ascii:88:32}"
                memory[i]="${tls_hello_ascii:$((88+ len_sid*2)):$((32 - len_sid*2))}"
                if [[ "$DEBUG" -ge 3 ]]; then