From 7e506e5c5a2705857c61abf06fc975b4164806b5 Mon Sep 17 00:00:00 2001
From: David Cooper <dcooper16@gmail.com>
Date: Wed, 13 Apr 2016 15:39:12 -0400
Subject: [PATCH 1/4] More extensions in socksend_tls_clienthello()

This PR adds the signature algorithms, heartbeat, session ticket, and next protocol extensions to the client hello message created by socksend_tls_clienthello() for TLS 1.0 and above. It also adds the supported elliptic curves and ec points format extensions if the client hello message includes any ECC cipher suites.

I tested this version against several servers with $EXPERIMENTAL set to true and get the same results as with the current code with $EXPERIMENTAL set to false.
---
 testssl.sh | 172 ++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 110 insertions(+), 62 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index fb66226..b893487 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4165,41 +4165,128 @@ sslv2_sockets() {
 # ARG1: TLS version low byte (00: SSLv3,  01: TLS 1.0,  02: TLS 1.1,  03: TLS 1.2)
 # ARG2: CIPHER_SUITES string
 socksend_tls_clienthello() {
-#FIXME: redo this with all extensions!
      local tls_low_byte="$1"
      local tls_word_reclayer="03, 01"      # the first TLS version number is the record layer and always 0301 -- except: SSLv3
      local servername_hexstr len_servername len_servername_hex
-     local hexdump_format_str
-     local all_extensions
+     local hexdump_format_str part1 part2
+     local all_extensions=""
+     local -i i j len_extension
      local len_sni_listlen len_sni_ext len_extension_hex
-     local cipher_suites len_ciph_suites len_ciph_suites_word
+     local cipher_suites len_ciph_suites len_ciph_suites_byte len_ciph_suites_word
      local len_client_hello_word len_all_word
-
-     #len_servername=$(echo ${#NODE})
-     len_servername=${#NODE}
-     hexdump_format_str="$len_servername/1 \"%02x,\""
-     servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//')
+     local ecc_cipher_suite_found=false
+     local extension_signature_algorithms extension_heartbeat
+     local extension_session_ticket extension_next_protocol extensions_ecc
 
      code2network "$2"             # convert CIPHER_SUITES
      cipher_suites="$NW_STR"       # we don't have the leading \x here so string length is two byte less, see next
 
-#formatted example for SNI
-#00 00    # extension server_name
-#00 1a    # length                      = the following +2 = server_name length + 5
-#00 18    # server_name list_length     = server_name length +3
-#00       # server_name type (hostname)
-#00 15    # server_name length
-#66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66  target.mydomain1.tld # server_name target
-
-     # convert lengths we need to fill in from dec to hex:
-     len_servername_hex=$(printf "%02x\n" $len_servername)
-     len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
-     len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
-     len_extension_hex=$(printf "%02x\n" $((len_servername+9)))  #FIXME: for TLS 1.2 and IIS servers we need extension_signature_algorithms!!
-
      len_ciph_suites_byte=$(echo ${#cipher_suites})
      let "len_ciph_suites_byte += 2"
 
+     if [[ "$tls_low_byte" != "00" ]]; then
+          # Add extensions
+
+          # Check to see if any ECC cipher suites are included in cipher_suites
+          for (( i=0; i<len_ciph_suites_byte; i=i+8 )); do
+               j=$i+4
+               part1="0x${cipher_suites:$i:2}"
+               part2="0x${cipher_suites:$j:2}"
+               if [[ "$part1" == "0xc0" ]]; then
+                    if [[ "$part2" -ge "0x01" ]] && [[ "$part2" -le "0x19" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    elif [[ "$part2" -ge "0x23" ]] && [[ "$part2" -le "0x3b" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    elif [[ "$part2" -ge "0x48" ]] && [[ "$part2" -le "0x4f" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    elif [[ "$part2" -ge "0x5c" ]] && [[ "$part2" -le "0x63" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    elif [[ "$part2" -ge "0x70" ]] && [[ "$part2" -le "0x79" ]]; then
+                    ecc_cipher_suite_found=true && break
+                    elif [[ "$part2" -ge "0x86" ]] && [[ "$part2" -le "0x8d" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    elif [[ "$part2" -ge "0x9a" ]] && [[ "$part2" -le "0x9b" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    elif [[ "$part2" -ge "0xac" ]] && [[ "$part2" -le "0xaf" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    fi
+               elif [[ "$part1" == "0xcc" ]]; then
+                    if [[ "$part2" == "0xa8" ]] || [[ "$part2" == "0xa9" ]] || [[ "$part2" == "0xac" ]] || [[ "$part2" == "13" ]] || [[ "$part2" == "0x14" ]]; then
+                         ecc_cipher_suite_found=true && break
+                    fi
+               fi
+          done
+
+          #formatted example for SNI
+          #00 00    # extension server_name
+          #00 1a    # length                      = the following +2 = server_name length + 5
+          #00 18    # server_name list_length     = server_name length +3
+          #00       # server_name type (hostname)
+          #00 15    # server_name length
+          #66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66  target.mydomain1.tld # server_name target
+          len_servername=${#NODE}
+          hexdump_format_str="$len_servername/1 \"%02x,\""
+          servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//')
+          # convert lengths we need to fill in from dec to hex:
+          len_servername_hex=$(printf "%02x\n" $len_servername)
+          len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
+          len_sni_ext=$(printf "%02x\n" $((len_servername+5)))
+
+          extension_signature_algorithms="
+          00, 0d,                    # Type: signature_algorithms , see RFC 5246
+          00, 20,                    # len
+          00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03,
+          04,01, 04,02, 04,03, 03,01, 03,02, 03,03, 02,01, 02,02, 02,03"
+
+          extension_heartbeat="
+          00, 0f, 00, 01, 01"
+
+          extension_session_ticket="
+          00, 23, 00, 00"
+
+          extension_next_protocol="
+          33, 74, 00, 00"
+
+          # Supported Elliptic Curves Extension and Supported Point Formats Extension.
+          extensions_ecc="
+          00, 0a,                    # Type: Supported Elliptic Curves , see RFC 4492
+          00, 3a, 00, 38,            # lengths
+          00, 01, 00, 02, 00, 03, 00, 04, 00, 05, 00, 06, 00, 07, 00, 08,
+          00, 09, 00, 0a, 00, 0b, 00, 0c, 00, 0d, 00, 0e, 00, 0f, 00, 10,
+          00, 11, 00, 12, 00, 13, 00, 14, 00, 15, 00, 16, 00, 17, 00, 18,
+          00, 19, 00, 1a, 00, 1b, 00, 1c,
+          00, 0b,                    # Type: Supported Point Formats , see RFC 4492 
+          00, 02,                    # len
+          01, 00"
+          
+          all_extensions="
+           00, 00                  # extension server_name
+          ,00, $len_sni_ext        # length SNI EXT
+          ,00, $len_sni_listlen    # server_name list_length
+          ,00                      # server_name type (hostname)
+          ,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
+          ,$servername_hexstr      # server_name target
+          ,$extension_signature_algorithms
+          ,$extension_heartbeat
+          ,$extension_session_ticket
+          ,$extension_next_protocol"
+
+          if $ecc_cipher_suite_found; then
+               all_extensions="$all_extensions
+               ,$extensions_ecc"
+          fi
+
+          code2network "$all_extensions" # convert extensions
+          all_extensions="$NW_STR"       # we don't have the leading \x here so string length is two byte less, see next
+          len_extension=${#all_extensions}
+          len_extension+=2
+          len_extension=$len_extension/4
+          len_extension_hex=$(printf "%02x\n" $len_extension)
+          all_extensions="
+          ,00, $len_extension_hex  # first the len of all extentions.
+          ,$all_extensions"
+     fi
+
      # we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4:
      len_ciph_suites=$(printf "%02x\n" $(($len_ciph_suites_byte / 4 )))
      len2twobytes "$len_ciph_suites"
@@ -4245,45 +4332,6 @@ socksend_tls_clienthello() {
      ,01                      # Compression methods length
      ,00"                     # Compression method (x00 for NULL)
 
-#TODO,add (see heartbleed)
-# extension lenghth (word)
-# extension ec_point_formats (4 words) 1st: 00 0b
-#len                              00 04
-# ec prot formats len:            03
-# uncompressed                    00
-# EC point format: ansiX962_compressed_prime  01
-# EC point format: ansiX962_compressed_char2  02
-
-# ec, 1st:                 00 0a
-#     2nd length: (word)         e.g. 0x34
-#     3rd: ec curve len    ln-2  e.g. 0x32
-#     4.-n.  curves              e.g. 25 words
-
-# Extension: Session Ticket        00 23
-
-     extension_signature_algorithms="
-     00, 0d,                    # Type: signature_algorithms , see RFC 5246
-     00, 20,                    # len
-     00,1e, 06,01, 06,02, 06,03, 05,01, 05,02, 05,03,
-     04,01, 04,02, 04,03, 03,01, 03,02, 03,03, 02,01, 02,02, 02,03"
-
-# Extension: Haertbeat             00 0f
-# len                              00 01
-# peer allowed to send requests       01
-
-     if [[ "$tls_low_byte" == "00" ]]; then
-          all_extensions=""
-     else                          #FIXME: we (probably) need extension_signature_algorithms here. TLS 1.2 fails on IIS otherwise
-          all_extensions="
-          ,00, $len_extension_hex  # first the len of all (here: 1) extentions. We assume len(hostname) < FF - 9
-          ,00, 00                  # extension server_name
-          ,00, $len_sni_ext        # length SNI EXT
-          ,00, $len_sni_listlen    # server_name list_length
-          ,00                      # server_name type (hostname)
-          ,00, $len_servername_hex # server_name length
-          ,$servername_hexstr"     # server_name target
-     fi
-
      fd_socket 5 || return 6
 
      code2network "$TLS_CLIENT_HELLO$all_extensions"

From 120a5c86effb7963a46edefdbdc2b9a7d8b915a1 Mon Sep 17 00:00:00 2001
From: David Cooper <dcooper16@gmail.com>
Date: Tue, 3 May 2016 16:48:42 -0400
Subject: [PATCH 2/4] Add padding extension

RFC 7685 notes that there is at least one TLS implementation that hangs if the client sends a ClientHello with a TLSCiphertext.length between 256 and 511 bytes, and so the padding extension was defined in order to get around this bug. (OpenSSL s_client includes this extension when the -bugs option is used.) So, I changed socksend_tls_clienthello() to include the padding extension if the CLientHello would have a length between 256 and 511 bytes, making the padding extension just large enough to make the ClientHello 512 bytes.

I also fixed a typo (a missing "0x") in the check for whether any ECC ciphers are included in the Client Hello.
---
 testssl.sh | 47 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 13 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index b893487..c0e599a 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4170,13 +4170,13 @@ socksend_tls_clienthello() {
      local servername_hexstr len_servername len_servername_hex
      local hexdump_format_str part1 part2
      local all_extensions=""
-     local -i i j len_extension
-     local len_sni_listlen len_sni_ext len_extension_hex
+     local -i i j len_extension len_padding_extension len_all
+     local len_sni_listlen len_sni_ext len_extension_hex len_padding_extension_hex
      local cipher_suites len_ciph_suites len_ciph_suites_byte len_ciph_suites_word
      local len_client_hello_word len_all_word
      local ecc_cipher_suite_found=false
      local extension_signature_algorithms extension_heartbeat
-     local extension_session_ticket extension_next_protocol extensions_ecc
+     local extension_session_ticket extension_next_protocol extensions_ecc extension_padding
 
      code2network "$2"             # convert CIPHER_SUITES
      cipher_suites="$NW_STR"       # we don't have the leading \x here so string length is two byte less, see next
@@ -4184,6 +4184,12 @@ socksend_tls_clienthello() {
      len_ciph_suites_byte=$(echo ${#cipher_suites})
      let "len_ciph_suites_byte += 2"
 
+     # we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4:
+     len_ciph_suites=$(printf "%02x\n" $(($len_ciph_suites_byte / 4 )))
+     len2twobytes "$len_ciph_suites"
+     len_ciph_suites_word="$LEN_STR"
+     #[[ $DEBUG -ge 3 ]] && echo $len_ciph_suites_word
+
      if [[ "$tls_low_byte" != "00" ]]; then
           # Add extensions
 
@@ -4211,7 +4217,7 @@ socksend_tls_clienthello() {
                          ecc_cipher_suite_found=true && break
                     fi
                elif [[ "$part1" == "0xcc" ]]; then
-                    if [[ "$part2" == "0xa8" ]] || [[ "$part2" == "0xa9" ]] || [[ "$part2" == "0xac" ]] || [[ "$part2" == "13" ]] || [[ "$part2" == "0x14" ]]; then
+                    if [[ "$part2" == "0xa8" ]] || [[ "$part2" == "0xa9" ]] || [[ "$part2" == "0xac" ]] || [[ "$part2" == "0x13" ]] || [[ "$part2" == "0x14" ]]; then
                          ecc_cipher_suite_found=true && break
                     fi
                fi
@@ -4282,16 +4288,31 @@ socksend_tls_clienthello() {
           len_extension+=2
           len_extension=$len_extension/4
           len_extension_hex=$(printf "%02x\n" $len_extension)
-          all_extensions="
-          ,00, $len_extension_hex  # first the len of all extentions.
-          ,$all_extensions"
-     fi
 
-     # we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4:
-     len_ciph_suites=$(printf "%02x\n" $(($len_ciph_suites_byte / 4 )))
-     len2twobytes "$len_ciph_suites"
-     len_ciph_suites_word="$LEN_STR"
-     #[[ $DEBUG -ge 3 ]] && echo $len_ciph_suites_word
+          # If the length of the Client Hello would be between 256 and 511 bytes,
+          # then add a padding extension (see RFC 7685)
+          len_all=$((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2))
+          if [[ $len_all -ge 256 ]] && [[ $len_all -le 511 ]]; then
+               if [[ $len_all -gt 508 ]]; then
+                   len_padding_extension=0
+               else
+                   len_padding_extension=$((508 - 0x$len_ciph_suites - 0x2b - 0x$len_extension_hex - 0x2))
+               fi
+               len_padding_extension_hex=$(printf "%02x\n" $len_padding_extension)
+               len2twobytes "$len_padding_extension_hex"
+               all_extensions="$all_extensions\\x00\\x15\\x${LEN_STR:0:2}\\x${LEN_STR:4:2}"
+               for (( i=0; i<len_padding_extension; i++ )); do
+                    all_extensions="$all_extensions\\x00"
+               done
+               len_extension=$len_extension+$len_padding_extension+0x4
+               len_extension_hex=$(printf "%02x\n" $len_extension)
+          fi
+          len2twobytes "$len_extension_hex"
+          all_extensions="
+          ,$LEN_STR  # first the len of all extentions.
+          ,$all_extensions"
+          
+     fi
 
      # RFC 3546 doesn't specify SSLv3 to have SNI, openssl just ignores the switch if supplied
      if [[ "$tls_low_byte" == "00" ]]; then

From 92c2b60d9bd8cdaf31aa650669bfbe89cb6e6fa8 Mon Sep 17 00:00:00 2001
From: David Cooper <dcooper16@gmail.com>
Date: Thu, 5 May 2016 17:08:40 -0400
Subject: [PATCH 3/4] Signature Algorithms extension for TLSv1.2 only

Changed to only include the signature algorithms extension for TLSv1.2, since RFC 5246 says:

   Note: this extension is not meaningful for TLS versions prior to 1.2.
   Clients MUST NOT offer it if they are offering prior versions.
   However, even if clients do offer it, the rules specified in [TLSEXT]
   require servers to ignore extensions they do not understand.

Inclusion of the extension for TLS 1.1 didn't seem to cause any harm, but it seems better to follow the RFC and not include it for TLSv1.0 or TLSv1.1.
---
 testssl.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index c0e599a..8bc6fc0 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4272,11 +4272,17 @@ socksend_tls_clienthello() {
           ,00                      # server_name type (hostname)
           ,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
           ,$servername_hexstr      # server_name target
-          ,$extension_signature_algorithms
           ,$extension_heartbeat
           ,$extension_session_ticket
           ,$extension_next_protocol"
 
+          # RFC 5246 says that clients MUST NOT offer the signature algorithms
+          # extension if they are offering TLS versions prior to 1.2.
+          if [[ "$tls_low_byte" == "03" ]]; then
+               all_extensions="$all_extensions
+               ,$extension_signature_algorithms"
+          fi
+
           if $ecc_cipher_suite_found; then
                all_extensions="$all_extensions
                ,$extensions_ecc"

From 07a8bd3143203354f6a4b59f99d1505f83c23066 Mon Sep 17 00:00:00 2001
From: David Cooper <dcooper16@gmail.com>
Date: Wed, 11 May 2016 09:24:07 -0400
Subject: [PATCH 4/4] Support version negotiation test

The new test in PR #346 sends a TLSv1.4 ClientHello, so socksend_tls_clienthello() needs to include the signature algorithms extension if $tls_low_byte >= 3 rather than only if it is equal to 3.
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index 8bc6fc0..83a05f6 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -4278,7 +4278,7 @@ socksend_tls_clienthello() {
 
           # RFC 5246 says that clients MUST NOT offer the signature algorithms
           # extension if they are offering TLS versions prior to 1.2.
-          if [[ "$tls_low_byte" == "03" ]]; then
+          if [[ "0x$tls_low_byte" -ge "0x03" ]]; then
                all_extensions="$all_extensions
                ,$extension_signature_algorithms"
           fi