Cleanup extraction of TLS extensions
Currently there is code to extract TLS extensions in three places, in `get_server_certificate()` and two places in `determine_tls_extensions()`. This PR replaces them with one new function, `extract_new_tls_extensions()`. In order for the new function to work correctly whether OpenSSL or `tls_sockets()` is being used, this PR also changes `parse_tls_serverhello()` so that extensions are formatted in the file it creates in the same way as they are formatted by OpenSSL.
This commit is contained in:
parent
43463da4fc
commit
9ad1492236
148
testssl.sh
148
testssl.sh
|
@ -5075,6 +5075,30 @@ sclient_connect_successful() {
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
extract_new_tls_extensions() {
|
||||||
|
local tls_extensions
|
||||||
|
|
||||||
|
# this is not beautiful (grep+sed)
|
||||||
|
# but maybe we should just get the ids and do a private matching, according to
|
||||||
|
# https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
|
||||||
|
tls_extensions=$(grep -a 'TLS server extension ' "$1" | \
|
||||||
|
sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \
|
||||||
|
-e 's/,.*$/,/g' -e 's/),$/\"/g' \
|
||||||
|
-e 's/elliptic curves\/#10/supported_groups\/#10/g')
|
||||||
|
tls_extensions=$(echo $tls_extensions) # into one line
|
||||||
|
|
||||||
|
if [[ -n "$tls_extensions" ]]; then
|
||||||
|
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
|
||||||
|
while read -d "\"" -r line; do
|
||||||
|
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
|
||||||
|
#FIXME: This is a string of quoted strings, so this seems to deterime the output format already. Better e.g. would be an array
|
||||||
|
TLS_EXTENSIONS+=" \"${line}\""
|
||||||
|
fi
|
||||||
|
done <<<$tls_extensions
|
||||||
|
[[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Note that since, at the moment, this function is only called by run_server_defaults()
|
# Note that since, at the moment, this function is only called by run_server_defaults()
|
||||||
# and run_heartbleed(), this function does not look for the status request or NPN
|
# and run_heartbleed(), this function does not look for the status request or NPN
|
||||||
# extensions. For run_heartbleed(), only the heartbeat extension needs to be detected.
|
# extensions. For run_heartbleed(), only the heartbeat extension needs to be detected.
|
||||||
|
@ -5117,7 +5141,7 @@ determine_tls_extensions() {
|
||||||
success=$?
|
success=$?
|
||||||
fi
|
fi
|
||||||
[[ $success -eq 2 ]] && success=0
|
[[ $success -eq 2 ]] && success=0
|
||||||
[[ $success -eq 0 ]] && tls_extensions="$(grep -a 'TLS Extensions: ' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" | sed 's/TLS Extensions: //' )"
|
[[ $success -eq 0 ]] && extract_new_tls_extensions "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
||||||
if [[ -r "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" ]]; then
|
if [[ -r "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" ]]; then
|
||||||
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
@ -5144,24 +5168,9 @@ determine_tls_extensions() {
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
success=$?
|
success=$?
|
||||||
fi
|
fi
|
||||||
if [[ $success -eq 0 ]]; then
|
[[ $success -eq 0 ]] && extract_new_tls_extensions $TMPFILE
|
||||||
tls_extensions=$(grep -a 'TLS server extension ' $TMPFILE | \
|
|
||||||
sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \
|
|
||||||
-e 's/,.*$/,/g' -e 's/),$/\"/g' \
|
|
||||||
-e 's/elliptic curves\/#10/supported_groups\/#10/g')
|
|
||||||
tls_extensions=$(echo $tls_extensions) # into one line
|
|
||||||
fi
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
fi
|
fi
|
||||||
if [[ -n "$tls_extensions" ]]; then
|
|
||||||
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
|
|
||||||
while read -d "\"" -r line; do
|
|
||||||
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
|
|
||||||
TLS_EXTENSIONS+=" \"${line}\""
|
|
||||||
fi
|
|
||||||
done <<<$tls_extensions
|
|
||||||
[[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}"
|
|
||||||
fi
|
|
||||||
return $success
|
return $success
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -5170,7 +5179,7 @@ determine_tls_extensions() {
|
||||||
get_server_certificate() {
|
get_server_certificate() {
|
||||||
local protocols_to_try proto addcmd
|
local protocols_to_try proto addcmd
|
||||||
local success
|
local success
|
||||||
local npn_params="" tls_extensions line
|
local npn_params="" line
|
||||||
local savedir
|
local savedir
|
||||||
local nrsaved
|
local nrsaved
|
||||||
|
|
||||||
|
@ -5246,25 +5255,7 @@ get_server_certificate() {
|
||||||
GOST_STATUS_PROBLEM=true
|
GOST_STATUS_PROBLEM=true
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
#tls_extensions=$(awk -F'"' '/TLS server extension / { printf "\""$2"\" " }' $TMPFILE)
|
extract_new_tls_extensions $TMPFILE
|
||||||
#
|
|
||||||
# this is not beautiful (grep+sed)
|
|
||||||
# but maybe we should just get the ids and do a private matching, according to
|
|
||||||
# https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
|
|
||||||
tls_extensions=$(grep -a 'TLS server extension ' $TEMPDIR/tlsext.txt | \
|
|
||||||
sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \
|
|
||||||
-e 's/,.*$/,/g' -e 's/),$/\"/g' \
|
|
||||||
-e 's/elliptic curves\/#10/supported_groups\/#10/g')
|
|
||||||
tls_extensions=$(echo $tls_extensions) # into one line
|
|
||||||
|
|
||||||
# check to see if any new TLS extensions were returned and add any new ones to TLS_EXTENSIONS
|
|
||||||
while read -d "\"" -r line; do
|
|
||||||
if [[ $line != "" ]] && [[ ! "$TLS_EXTENSIONS" =~ "$line" ]]; then
|
|
||||||
#FIXME: This is a string of quoted strings, so this seems to deterime the output format already. Better e.g. would be an array
|
|
||||||
TLS_EXTENSIONS+=" \"${line}\""
|
|
||||||
fi
|
|
||||||
done <<<$tls_extensions
|
|
||||||
[[ "${TLS_EXTENSIONS:0:1}" == " " ]] && TLS_EXTENSIONS="${TLS_EXTENSIONS:1}"
|
|
||||||
|
|
||||||
# Place the server's certificate in $HOSTCERT and any intermediate
|
# Place the server's certificate in $HOSTCERT and any intermediate
|
||||||
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
|
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
|
||||||
|
@ -7812,23 +7803,23 @@ parse_tls_serverhello() {
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
case $extension_type in
|
case $extension_type in
|
||||||
0000) tls_extensions+=" \"server name/#0\"" ;;
|
0000) tls_extensions+="TLS server extension \"server name\" (id=0), len=$extension_len\n" ;;
|
||||||
0001) tls_extensions+=" \"max fragment length/#1\"" ;;
|
0001) tls_extensions+="TLS server extension \"max fragment length\" (id=1), len=$extension_len\n" ;;
|
||||||
0002) tls_extensions+=" \"client certificate URL/#2\"" ;;
|
0002) tls_extensions+="TLS server extension \"client certificate URL\" (id=2), len=$extension_len\n" ;;
|
||||||
0003) tls_extensions+=" \"trusted CA keys/#3\"" ;;
|
0003) tls_extensions+="TLS server extension \"trusted CA keys\" (id=3, len=$extension_len\n)" ;;
|
||||||
0004) tls_extensions+=" \"truncated HMAC/#4\"" ;;
|
0004) tls_extensions+="TLS server extension \"truncated HMAC\" (id=4), len=$extension_len\n" ;;
|
||||||
0005) tls_extensions+=" \"status request/#5\"" ;;
|
0005) tls_extensions+="TLS server extension \"status request\" (id=5), len=$extension_len\n" ;;
|
||||||
0006) tls_extensions+=" \"user mapping/#6\"" ;;
|
0006) tls_extensions+="TLS server extension \"user mapping\" (id=6), len=$extension_len\n" ;;
|
||||||
0007) tls_extensions+=" \"client authz/#7\"" ;;
|
0007) tls_extensions+="TLS server extension \"client authz\" (id=7), len=$extension_len\n" ;;
|
||||||
0008) tls_extensions+=" \"server authz/#8\"" ;;
|
0008) tls_extensions+="TLS server extension \"server authz\" (id=8), len=$extension_len\n" ;;
|
||||||
0009) tls_extensions+=" \"cert type/#9\"" ;;
|
0009) tls_extensions+="TLS server extension \"cert type\" (id=9), len=$extension_len\n" ;;
|
||||||
000A) tls_extensions+=" \"supported_groups/#10\"" ;;
|
000A) tls_extensions+="TLS server extension \"supported_groups\" (id=10), len=$extension_len\n" ;;
|
||||||
000B) tls_extensions+=" \"EC point formats/#11\"" ;;
|
000B) tls_extensions+="TLS server extension \"EC point formats\" (id=11), len=$extension_len\n" ;;
|
||||||
000C) tls_extensions+=" \"SRP/#12\"" ;;
|
000C) tls_extensions+="TLS server extension \"SRP\" (id=12), len=$extension_len\n" ;;
|
||||||
000D) tls_extensions+=" \"signature algorithms/#13\"" ;;
|
000D) tls_extensions+="TLS server extension \"signature algorithms\" (id=13), len=$extension_len\n" ;;
|
||||||
000E) tls_extensions+=" \"use SRTP/#14\"" ;;
|
000E) tls_extensions+="TLS server extension \"use SRTP\" (id=14), len=$extension_len\n" ;;
|
||||||
000F) tls_extensions+=" \"heartbeat/#15\"" ;;
|
000F) tls_extensions+="TLS server extension \"heartbeat\" (id=15), len=$extension_len\n" ;;
|
||||||
0010) tls_extensions+=" \"application layer protocol negotiation/#16\""
|
0010) tls_extensions+="TLS server extension \"application layer protocol negotiation\" (id=16), len=$extension_len\n"
|
||||||
if [[ $extension_len -lt 4 ]]; then
|
if [[ $extension_len -lt 4 ]]; then
|
||||||
debugme echo "Malformed application layer protocol negotiation extension."
|
debugme echo "Malformed application layer protocol negotiation extension."
|
||||||
return 1
|
return 1
|
||||||
|
@ -7851,24 +7842,24 @@ parse_tls_serverhello() {
|
||||||
echo "" >> $TMPFILE
|
echo "" >> $TMPFILE
|
||||||
echo "===============================================================================" >> $TMPFILE
|
echo "===============================================================================" >> $TMPFILE
|
||||||
;;
|
;;
|
||||||
0011) tls_extensions+=" \"certificate status version 2/#17\"" ;;
|
0011) tls_extensions+="TLS server extension \"certificate status version 2\" (id=17), len=$extension_len\n" ;;
|
||||||
0012) tls_extensions+=" \"signed certificate timestamps/#18\"" ;;
|
0012) tls_extensions+="TLS server extension \"signed certificate timestamps\" (id=18), len=$extension_len\n" ;;
|
||||||
0013) tls_extensions+=" \"client certificate type/#19\"" ;;
|
0013) tls_extensions+="TLS server extension \"client certificate type\" (id=19), len=$extension_len\n" ;;
|
||||||
0014) tls_extensions+=" \"server certificate type/#20\"" ;;
|
0014) tls_extensions+="TLS server extension \"server certificate type\" (id=20), len=$extension_len\n" ;;
|
||||||
0015) tls_extensions+=" \"TLS padding/#21\"" ;;
|
0015) tls_extensions+="TLS server extension \"TLS padding\" (id=21), len=$extension_len\n" ;;
|
||||||
0016) tls_extensions+=" \"encrypt-then-mac/#22\"" ;;
|
0016) tls_extensions+="TLS server extension \"encrypt-then-mac\" (id=22), len=$extension_len\n" ;;
|
||||||
0017) tls_extensions+=" \"extended master secret/#23\"" ;;
|
0017) tls_extensions+="TLS server extension \"extended master secret\" (id=23), len=$extension_len\n" ;;
|
||||||
0018) tls_extensions+=" \"token binding/#24\"" ;;
|
0018) tls_extensions+="TLS server extension \"token binding\" (id=24), len=$extension_len\n" ;;
|
||||||
0019) tls_extensions+=" \"cached info/#25\"" ;;
|
0019) tls_extensions+="TLS server extension \"cached info\" (id=25), len=$extension_len\n" ;;
|
||||||
0023) tls_extensions+=" \"session ticket/#35\"" ;;
|
0023) tls_extensions+="TLS server extension \"session ticket\" (id=35), len=$extension_len\n" ;;
|
||||||
0028) tls_extensions+=" \"key share/#40\"" ;;
|
0028) tls_extensions+="TLS server extension \"key share\" (id=40), len=$extension_len\n" ;;
|
||||||
0029) tls_extensions+=" \"pre-shared key/#41\"" ;;
|
0029) tls_extensions+="TLS server extension \"pre-shared key\" (id=41), len=$extension_len\n" ;;
|
||||||
002A) tls_extensions+=" \"early data/#42\"" ;;
|
002A) tls_extensions+="TLS server extension \"early data\" (id=42), len=$extension_len\n" ;;
|
||||||
002B) tls_extensions+=" \"supported versions/#43\"" ;;
|
002B) tls_extensions+="TLS server extension \"supported versions\" (id=43), len=$extension_len\n" ;;
|
||||||
002C) tls_extensions+=" \"cookie/#44\"" ;;
|
002C) tls_extensions+="TLS server extension \"cookie\" (id=44), len=$extension_len\n" ;;
|
||||||
002D) tls_extensions+=" \"psk key exchange modes/#45\"" ;;
|
002D) tls_extensions+="TLS server extension \"psk key exchange modes\" (id=45), len=$extension_len\n" ;;
|
||||||
002E) tls_extensions+=" \"ticket early data info/#46\"" ;;
|
002E) tls_extensions+="TLS server extension \"ticket early data info\" (id=46), len=$extension_len\n" ;;
|
||||||
3374) tls_extensions+=" \"next protocol/#13172\""
|
3374) tls_extensions+="TLS server extension \"next protocol\" (id=13172), len=$extension_len\n"
|
||||||
local -i protocol_len
|
local -i protocol_len
|
||||||
echo -n "Protocols advertised by server: " >> $TMPFILE
|
echo -n "Protocols advertised by server: " >> $TMPFILE
|
||||||
let offset=$extns_offset+12+$i
|
let offset=$extns_offset+12+$i
|
||||||
|
@ -7890,8 +7881,8 @@ parse_tls_serverhello() {
|
||||||
echo "" >> $TMPFILE
|
echo "" >> $TMPFILE
|
||||||
echo "===============================================================================" >> $TMPFILE
|
echo "===============================================================================" >> $TMPFILE
|
||||||
;;
|
;;
|
||||||
FF01) tls_extensions+=" \"renegotiation info/#65281\"" ;;
|
FF01) tls_extensions+="TLS server extension \"renegotiation info\" (id=65281), len=$extension_len\n" ;;
|
||||||
*) tls_extensions+=" \"unrecognized extension/#$(printf "%d\n\n" "0x$extension_type")\"" ;;
|
*) tls_extensions+="TLS server extension \"unrecognized extension\" (id=$(printf "%d\n\n" "0x$extension_type")), len=$extension_len\n" ;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
@ -7921,7 +7912,7 @@ parse_tls_serverhello() {
|
||||||
esac
|
esac
|
||||||
echo "===============================================================================" >> $TMPFILE
|
echo "===============================================================================" >> $TMPFILE
|
||||||
fi
|
fi
|
||||||
[[ -n "$tls_extensions" ]] && echo "TLS Extensions: ${tls_extensions:1}" >> $TMPFILE
|
[[ -n "$tls_extensions" ]] && echo -e "$tls_extensions" >> $TMPFILE
|
||||||
|
|
||||||
if [[ $DEBUG -ge 2 ]]; then
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
echo "TLS server hello message:"
|
echo "TLS server hello message:"
|
||||||
|
@ -7944,7 +7935,12 @@ parse_tls_serverhello() {
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
if [[ -n "$tls_extensions" ]]; then
|
if [[ -n "$tls_extensions" ]]; then
|
||||||
echo " tls_extensions: ${tls_extensions:1}"
|
echo -n " tls_extensions: "
|
||||||
|
newline_to_spaces "$(grep -a 'TLS server extension ' $TMPFILE | \
|
||||||
|
sed -e 's/TLS server extension //g' -e 's/\" (id=/\/#/g' \
|
||||||
|
-e 's/,.*$/,/g' -e 's/),$/\"/g' \
|
||||||
|
-e 's/elliptic curves\/#10/supported_groups\/#10/g')"
|
||||||
|
echo ""
|
||||||
if [[ "$tls_extensions" =~ "application layer protocol negotiation" ]]; then
|
if [[ "$tls_extensions" =~ "application layer protocol negotiation" ]]; then
|
||||||
echo " ALPN protocol: $(grep "ALPN protocol:" "$TMPFILE" | sed 's/ALPN protocol: //')"
|
echo " ALPN protocol: $(grep "ALPN protocol:" "$TMPFILE" | sed 's/ALPN protocol: //')"
|
||||||
fi
|
fi
|
||||||
|
|
Loading…
Reference in New Issue