FIX #718 (added TLS padding to ticketbleed handshake). Also added TLS extension Signature Algorithms

Dirk 2017-05-09 17:29:57 +02:00
parent 23e6209beb
commit 9ed47eaa19
1 changed files with 54 additions and 30 deletions


@ -9104,7 +9104,7 @@ get_session_ticket_tls() {
local sessticket_tls="" local sessticket_tls=""
#FIXME: we likely have done this already before (either @ run_server_defaults() or at least the output from a previous handshake) --> would save 1x connect #FIXME: we likely have done this already before (either @ run_server_defaults() or at least the output from a previous handshake) --> would save 1x connect
#ATTENTION: we don't do SNI here as we assume this is a vulnerabilty of the TLS stack. If we do SNI here, we'd also need to do it in the ClientHello #ATTENTION: we DO NOT do SNI here as we assume this is a vulnerabilty of the TLS stack. If we do SNI here, we'd also need to do it in the ClientHello
# of run_ticketbleed() otherwise the ticket will be different and the whole thing won't work! # of run_ticketbleed() otherwise the ticket will be different and the whole thing won't work!
sessticket_tls="$($OPENSSL s_client $BUGS $OPTIMAL_PROTO $PROXY -connect $NODEIP:$PORT </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')" sessticket_tls="$($OPENSSL s_client $BUGS $OPTIMAL_PROTO $PROXY -connect $NODEIP:$PORT </dev/null 2>$ERRFILE | awk '/TLS session ticket:/,/^$/' | awk '!/TLS session ticket/')"
sessticket_tls="$(sed -e 's/^.* - /x/g' -e 's/ .*$//g' <<< "$sessticket_tls" | tr '\n' ',')" sessticket_tls="$(sed -e 's/^.* - /x/g' -e 's/ .*$//g' <<< "$sessticket_tls" | tr '\n' ',')"
@ -9115,7 +9115,7 @@ get_session_ticket_tls() {
# see https://blog.filippo.io/finding-ticketbleed/ | http://ticketbleed.com/ # see https://blog.filippo.io/finding-ticketbleed/ | http://ticketbleed.com/
run_ticketbleed() { run_ticketbleed() {
local session_tckt_tls="" local session_tckt_tls=""
local -i len_ch=216 # fixed len of clienthello below local -i len_ch=300 # fixed len of prepared clienthello below
local sid="x00,x0B,xAD,xC0,xDE,x00," # some abitratry bytes local sid="x00,x0B,xAD,xC0,xDE,x00," # some abitratry bytes
local len_sid="$(( ${#sid} / 4))" local len_sid="$(( ${#sid} / 4))"
local xlen_sid="$(dec02hex $len_sid)" local xlen_sid="$(dec02hex $len_sid)"
@ -9186,7 +9186,7 @@ run_ticketbleed() {
$xlen_handshake_ssl_layer, $xlen_handshake_ssl_layer,
# Handshake header # Handshake header
x01, # Type (x01 for ClientHello) x01, # Type (x01 for ClientHello)
# Length of client hello follows: # Length of ClientHello follows:
x00, $xlen_handshake_record_layer, x00, $xlen_handshake_record_layer,
$tls_hexcode, # TLS Version $tls_hexcode, # TLS Version
# Random (32 byte) Unix time etc, see www.moserware.com/2009/06/first-few-milliseconds-of-https.html # Random (32 byte) Unix time etc, see www.moserware.com/2009/06/first-few-milliseconds-of-https.html
@ -9196,9 +9196,10 @@ run_ticketbleed() {
x03, x90, x9f, x77, x04, x33, xff, xff, x03, x90, x9f, x77, x04, x33, xff, xff,
$xlen_sid, # Session ID length $xlen_sid, # Session ID length
$sid $sid
x00, x66, # Cipher suites length
# Cipher suites (51 suites) x00, x6a, # Cipher suites length 106
xc0, x14, xc0, x0a, xc0, x22, xc0, x21, # 53 Cipher suites
xc0,x14, xc0,x13, xc0,x0a, xc0,x21,
x00,x39, x00,x38, x00,x88, x00,x87, x00,x39, x00,x38, x00,x88, x00,x87,
xc0,x0f, xc0,x05, x00,x35, x00,x84, xc0,x0f, xc0,x05, x00,x35, x00,x84,
xc0,x12, xc0,x08, xc0,x1c, xc0,x1b, xc0,x12, xc0,x08, xc0,x1c, xc0,x1b,
@ -9209,26 +9210,49 @@ run_ticketbleed() {
xc0,x04, x00,x2f, x00,x96, x00,x41, xc0,x04, x00,x2f, x00,x96, x00,x41,
xc0,x11, xc0,x07, xc0,x0c, xc0,x02, xc0,x11, xc0,x07, xc0,x0c, xc0,x02,
x00,x05, x00,x04, x00,x15, x00,x12, x00,x05, x00,x04, x00,x15, x00,x12,
x00, x09, x00, x14, x00, x11, x00, x08, xc0,x30, xc0,x2f, x00,x9d, x00,x9c,
x00, x06, x00, x03, x00, xff, x00,x3d, x00,x3c, x00,x9f, x00,x9e,
x00,xff,
x01, # Compression methods length x01, # Compression methods length
x00, # Compression method (x00 for NULL) x00, # Compression method (x00 for NULL)
x01, x0b, # Extensions length x01,x5b, # Extensions length ####### 10b + x14 + x3c
# Extension Padding
x00,x15,
# length:
x00,x38,
x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00,
x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00,
x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00, x00,x00,
# Extension: ec_point_formats # Extension: ec_point_formats
x00, x0b, x00, x04, x03, x00, x01, x02, x00,x0b,
# length:
x00,x04,
# data:
x03,x00, x01,x02,
# Extension: elliptic_curves # Extension: elliptic_curves
x00, x0a, x00, x34, x00, x32, x00, x0e, x00,x0a,
x00, x0d, x00, x19, x00, x0b, x00, x0c, # length
x00,x34,
x00,x32,
# data:
x00,x0e, x00,x0d, x00,x19, x00,x0b, x00,x0c,
x00,x18, x00,x09, x00,x0a, x00,x16, x00,x18, x00,x09, x00,x0a, x00,x16,
x00,x17, x00,x08, x00,x06, x00,x07, x00,x17, x00,x08, x00,x06, x00,x07,
x00,x14, x00,x15, x00,x04, x00,x05, x00,x14, x00,x15, x00,x04, x00,x05,
x00,x12, x00,x13, x00,x01, x00,x02, x00,x12, x00,x13, x00,x01, x00,x02,
x00,x03, x00,x0f, x00,x10, x00,x11, x00,x03, x00,x0f, x00,x10, x00,x11,
# Extension: Signature Algorithms
x00,x0d,
# length:
x00,x10,
# data:
x00,x0e ,x04,x01, x05,x01 ,x02,x01, x04,x03, x05,x03,
x02,x03, x02,x02,
# Extension: SessionTicket TLS # Extension: SessionTicket TLS
x00, x23, x00, x23,
# length of SessionTicket TLS # length of SessionTicket TLS
x00, $xlen_tckt_tls, x00, $xlen_tckt_tls,
# Session Ticket # data, Session Ticket
$session_tckt_tls # here we have the comma already $session_tckt_tls # here we have the comma already
# Extension: Heartbeat # Extension: Heartbeat
x00, x0f, x00, x01, x01" x00, x0f, x00, x01, x01"
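Review bot: The extensions length `x01,x5b` is still a literal, although the SessionTicket extension below it carries a variable-length ticket (`$xlen_tckt_tls`). The fixed extension bytes visible in this hunk add up to 153 (padding 60, ec_point_formats 8, elliptic_curves 56, signature algorithms 20, ticket header 4, heartbeat 5), so 0x15b (347) is exact only for a 194-byte ticket. For any other ticket size, a server that validates the field is likely to reject the ClientHello, and the check could then report a host as not vulnerable without having tested it. Derive the field from the ticket length, as `$xlen_handshake_record_layer` apparently is, or at least replace the `####### 10b + x14 + x3c` remark with something like `# Extensions length: 153 fixed bytes + ticket length; literal assumes a 194-byte ticket`. The same hand-maintained coupling applies to `len_ch=300` and the cipher-suite length `x00,x6a`, whose consumers sit outside the hunks shown.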