Merge pull request #1052 from dcooper16/draft28

TLS 1.3 draft 28
This commit is contained in:
Dirk Wetter 2018-05-07 10:58:49 +02:00 committed by GitHub
commit be743e0c9b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 73 additions and 53 deletions

View File

@ -4599,7 +4599,7 @@ run_protocols() {
local key_share_extn_nr="$KEY_SHARE_EXTN_NR" local key_share_extn_nr="$KEY_SHARE_EXTN_NR"
local lines nr_ciphers_detected local lines nr_ciphers_detected
local tls13_ciphers_to_test="" local tls13_ciphers_to_test=""
local drafts_offered="" debug_recomm="" local i drafts_offered="" drafts_offered_str="" supported_versions debug_recomm=""
local -i ret=0 subret=0 local -i ret=0 subret=0
local jsonID="SSLv2" local jsonID="SSLv2"
@ -4998,59 +4998,79 @@ run_protocols() {
outln "offered (OK)" outln "offered (OK)"
fileout "$jsonID" "OK" "offered" fileout "$jsonID" "OK" "offered"
else else
# Determine which version of TLS 1.3 was offered. For drafts 18-21 the
# version appears in the ProtocolVersion field of the ServerHello. For
# drafts 22-28 and the final TLS 1.3 the ProtocolVersion field contains
# 0303 and the actual version appears in the supported_versions extension.
if [[ "${TLS_SERVER_HELLO:8:3}" == "7F1" ]]; then
drafts_offered+=" ${TLS_SERVER_HELLO:8:4} "
elif [[ "$TLS_SERVER_HELLO" =~ "002B00020304" ]]; then
drafts_offered+=" 0304 "
else
for i in 1C 1B 1A 19 18 17 16 15 14 13 12; do
if [[ "$TLS_SERVER_HELLO" =~ "002B00027F$i" ]]; then
drafts_offered+=" 7F$i "
break
fi
done
fi
KEY_SHARE_EXTN_NR="28" KEY_SHARE_EXTN_NR="28"
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 12" while true; do
[[ $? -eq 0 ]] && drafts_offered="draft 18" supported_versions=""
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 13" for i in 16 15 14 13 12; do
if [[ $? -eq 0 ]]; then [[ "$drafts_offered" =~ " 7F$i " ]] || supported_versions+=",7f,$i"
[[ -n "$drafts_offered" ]] && drafts_offered+=", " done
drafts_offered+="draft 19" [[ -z "$supported_versions" ]] && break
fi supported_versions="00, 2b, 00, $(printf "%02x" $((${#supported_versions}/3+1))), $(printf "%02x" $((${#supported_versions}/3))) $supported_versions"
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 14" tls_sockets "04" "$TLS13_CIPHER" "" "$supported_versions"
if [[ $? -eq 0 ]]; then [[ $? -eq 0 ]] || break
[[ -n "$drafts_offered" ]] && drafts_offered+=", " if [[ "${TLS_SERVER_HELLO:8:3}" == "7F1" ]]; then
drafts_offered+="draft 20" drafts_offered+=" ${TLS_SERVER_HELLO:8:4} "
fi else
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 15" for i in 16 15 14 13 12; do
if [[ $? -eq 0 ]]; then if [[ "$TLS_SERVER_HELLO" =~ "002B00027F$i" ]]; then
[[ -n "$drafts_offered" ]] && drafts_offered+=", " drafts_offered+=" 7F$i "
drafts_offered+="draft 21" break
fi fi
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 16" done
if [[ $? -eq 0 ]]; then fi
[[ -n "$drafts_offered" ]] && drafts_offered+=", " done
drafts_offered+="draft 22"
fi
KEY_SHARE_EXTN_NR="33" KEY_SHARE_EXTN_NR="33"
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 17" while true; do
if [[ $? -eq 0 ]]; then supported_versions=""
[[ -n "$drafts_offered" ]] && drafts_offered+=", " for i in 1C 1B 1A 19 18 17; do
drafts_offered+="draft 23" [[ "$drafts_offered" =~ " 7F$i " ]] || supported_versions+=",7f,$i"
fi done
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 18" [[ "$drafts_offered" =~ " 0304 " ]] || supported_versions+=",03,04"
if [[ $? -eq 0 ]]; then [[ -z "$supported_versions" ]] && break
[[ -n "$drafts_offered" ]] && drafts_offered+=", " supported_versions="00, 2b, 00, $(printf "%02x" $((${#supported_versions}/3+1))), $(printf "%02x" $((${#supported_versions}/3))) $supported_versions"
drafts_offered+="draft 24" tls_sockets "04" "$TLS13_CIPHER" "" "$supported_versions"
fi [[ $? -eq 0 ]] || break
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 19" if [[ "$TLS_SERVER_HELLO" =~ "002B00020304" ]]; then
if [[ $? -eq 0 ]]; then drafts_offered+=" 0304 "
[[ -n "$drafts_offered" ]] && drafts_offered+=", " else
drafts_offered+="draft 25" for i in 1C 1B 1A 19 18 17; do
fi if [[ "$TLS_SERVER_HELLO" =~ "002B00027F$i" ]]; then
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 7f, 1a" drafts_offered+=" 7F$i "
if [[ $? -eq 0 ]]; then break
[[ -n "$drafts_offered" ]] && drafts_offered+=", " fi
drafts_offered+="draft 26" done
fi fi
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 03, 02, 03, 04" done
if [[ $? -eq 0 ]]; then
[[ -n "$drafts_offered" ]] && drafts_offered+=", "
drafts_offered+="final"
fi
KEY_SHARE_EXTN_NR="$key_share_extn_nr" KEY_SHARE_EXTN_NR="$key_share_extn_nr"
if [[ -n "$drafts_offered" ]]; then if [[ -n "$drafts_offered" ]]; then
pr_svrty_best "offered (OK)"; outln ": $drafts_offered" for i in 1C 1B 1A 19 18 17 16 15 14 13 12; do
fileout "$jsonID" "OK" "offered with $drafts_offered" if [[ "$drafts_offered" =~ " 7F$i " ]]; then
[[ -n "$drafts_offered_str" ]] && drafts_offered_str+=", "
drafts_offered_str+="draft $(printf "%d" 0x$i)"
fi
done
if [[ "$drafts_offered" =~ " 0304 " ]]; then
[[ -n "$drafts_offered_str" ]] && drafts_offered_str+=", "
drafts_offered_str+="final"
fi
pr_svrty_best "offered (OK)"; outln ": $drafts_offered_str"
fileout "$jsonID" "OK" "offered with $drafts_offered_str"
else else
pr_warning "Unexpected results"; outln "$debug_recomm" pr_warning "Unexpected results"; outln "$debug_recomm"
fileout "$jsonID" "WARN" "unexpected results" fileout "$jsonID" "WARN" "unexpected results"
@ -11450,7 +11470,7 @@ socksend_tls_clienthello() {
# draft versions of TLSv1.3. Eventually it should only adversize # draft versions of TLSv1.3. Eventually it should only adversize
# support for the final version (0304). # support for the final version (0304).
if [[ "$KEY_SHARE_EXTN_NR" == "33" ]]; then if [[ "$KEY_SHARE_EXTN_NR" == "33" ]]; then
extension_supported_versions+=", 03, 04, 7f, 1a, 7f, 19, 7f, 18, 7f, 17" extension_supported_versions+=", 03, 04, 7f, 1c, 7f, 1b, 7f, 1a, 7f, 19, 7f, 18, 7f, 17"
else else
extension_supported_versions+=", 7f, 16, 7f, 15, 7f, 14, 7f, 13, 7f, 12" extension_supported_versions+=", 7f, 16, 7f, 15, 7f, 14, 7f, 13, 7f, 12"
fi fi
@ -11461,7 +11481,7 @@ socksend_tls_clienthello() {
[[ -n "$all_extensions" ]] && all_extensions+="," [[ -n "$all_extensions" ]] && all_extensions+=","
# FIXME: Adjust the lengths ("+7" and "+6") when the draft versions of TLSv1.3 are removed. # FIXME: Adjust the lengths ("+7" and "+6") when the draft versions of TLSv1.3 are removed.
if [[ "$KEY_SHARE_EXTN_NR" == "33" ]]; then if [[ "$KEY_SHARE_EXTN_NR" == "33" ]]; then
all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+11))), $(printf "%02x" $((2*0x$tls_low_byte+10)))$extension_supported_versions" all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+15))), $(printf "%02x" $((2*0x$tls_low_byte+14)))$extension_supported_versions"
else else
all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+11))), $(printf "%02x" $((2*0x$tls_low_byte+10)))$extension_supported_versions" all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+11))), $(printf "%02x" $((2*0x$tls_low_byte+10)))$extension_supported_versions"
fi fi
@ -16021,7 +16041,7 @@ determine_optimal_proto() {
# sent. # sent.
if [[ -z "$1" ]]; then if [[ -z "$1" ]]; then
KEY_SHARE_EXTN_NR="33" KEY_SHARE_EXTN_NR="33"
tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0b, 0a, 03,04, 7f,1a, 7f,19, 7f,18, 7f,17" tls_sockets "04" "$TLS13_CIPHER" "" "00, 2b, 00, 0f, 0e, 03,04, 7f,1c, 7f,1b, 7f,1a, 7f,19, 7f,18, 7f,17"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
add_tls_offered tls1_3 yes add_tls_offered tls1_3 yes
else else