Commit Graph

4449 Commits

Author SHA1 Message Date
Dirk Wetter e8b7a04e53
Merge pull request #1487 from simondeziel/dup-cipher
Remove (harmless) AESGCM dup in the strong ciphers list
2020-01-31 09:22:03 +01:00
Dirk Wetter 2f54613d6d
Merge pull request #1484 from dcooper16/tls13_post_handshake
TLS 1.3 post-handshake messages
2020-01-31 08:55:08 +01:00
Dirk Wetter 7443a532cf
Merge pull request #1486 from drwetter/fix_ids_friendly
Fix --ids-friendly
2020-01-31 08:48:01 +01:00
Dirk Wetter 89fd902b18
Merge pull request #1483 from dcooper16/minor_code_cleanup
Minor code cleanup
2020-01-31 08:41:43 +01:00
Simon Deziel 772713f497 Remove (harmless) AESGCM dup in the strong ciphers list
Signed-off-by: Simon Deziel <simon@sdeziel.info>
2020-01-30 17:29:44 -05:00
Dirk Wetter c4920f61e4 rename query_globals() --> count_do_variables()
.. and fix one problem instroduced with last patch (testssl.sh
din't work correclty if only an URI was supplied)
2020-01-30 22:25:10 +01:00
Dirk Wetter 073d383f76 Fix switch --ids-friendly
This switch had no effect. There was probably a regression
problem as it worked before.

Besides fixing that the large case statement in parse_cmd_line()
was simplified, in a sense that banner and help functions were
moved to a separate case statement.
2020-01-30 21:49:56 +01:00
David Cooper aba544b188
TLS 1.3 post-handshake messages
This PR adds support for post-handshake messages when using sockets with TLS 1.3 connections. If a TLS 1.3 connection is established and the connection is to remain open after tls_sockets() finishes, then after the client's Finished message is sent the master secret and the application traffic keys are computed. This PR also adds two new functions to send and receive application data over a TLS 1.3 connection.

This PR also includes two proofs-of-concept for the use of the new functions. receive_app_data() is called immediately after the client's Finished message is sent. Some server's will send new session tickets immediately after the handshake is complete. If they do, then the code will decrypt and parse the session ticket messages.

This PR also modifies service_detection() to try using sockets if the server only supports TLS 1.3 and $OPENSSL does not support TLS 1.3. After the handshake is complete, this code sends an HTTP GET request and reads the response. The code is fairly slow and it doesn't always work. However, since it is only used in cases in which $OPENSSL cannot work, it can't hurt to try using sockets.
2020-01-30 15:20:25 -05:00
David Cooper 5d2978fdbe
Minor code cleanup
This PR cleans up the code in a few places by using "case" statements in a few places where the value of a variable is checked multiple times.
2020-01-30 14:00:46 -05:00
David Cooper 19db41742f
Suppress shellcheck issue SC2178
Due to a bug, the shellcheck program will complain if a variable is defined as an array but is later used as an ordinary string, even if the two uses are locally defined variables in different contexts. The error message is:

   SC2178: Variable was used as an array but is now assigned a string.

While the warnings are not highlighting any actual problems in testssl.sh, this PR gets rid of the warnings by renaming a few variables.
2020-01-30 13:53:33 -05:00
Dirk Wetter 3a73a97b67
Merge pull request #1480 from drwetter/readme-patch1
Status update / mir rephrasing of key features
2020-01-30 18:14:43 +01:00
Dirk Wetter 16907cf77e
Status update / mir rephrasing of key features 2020-01-30 18:14:20 +01:00
Dirk Wetter ef21f3f9bf
Merge pull request #1476 from dcooper16/tls13_finished_messages
TLS 1.3 Finished messages
2020-01-30 10:26:27 +01:00
Dirk Wetter 5e9767a17c
Merge pull request #1477 from dcooper16/faster_gcm
Speedup AES-GCM
2020-01-30 10:22:02 +01:00
David Cooper 1ea631addd Speedup AES-GCM
The implementation of AES-GCM in #1473 is much slower than the original version, even when the authentication tag is not being computed. This PR modifies the code in gcm() in order to significantly speed up the encryption/decryption time (when authentication tags are not being computed).
2020-01-29 12:12:04 -05:00
David Cooper 7516c01315
TLS 1.3 Finished messages
This PR adds processing of the Finished messages in TLS 1.3 handshakes. It also addresses some shellcheck issues.

If in debug mode, the HMAC of the transcript hash of the handshake context ($msg_transcript) is computed and compared against the Finished message sent by the server.

If the full server response is parsed and the connection with the server is not to be closed when tls_sockets() completes, then the TLS 1.3 handshake is completed by creating the client Finished message and sending it to the server.
2020-01-28 11:15:03 -05:00
Dirk Wetter 3da67437f3
Merge pull request #1475 from dcooper16/reorganize_key_derivation
Reorganize TLS 1.3 key derivation
2020-01-27 21:52:24 +01:00
David Cooper b8d414b432
Reorganize TLS 1.3 key derivation
This PR reorganizes the code for deriving TLS 1.3 symmetric keys in order to facilitate implementing the full key schedule. For example, rather than having a single function to derive the handshake traffic keys, this PR creates one function to derive the handshake secret and a separate function to derive the handshake traffic keys. The second function has been generalized so that it can derive either client or server traffic keys. Separating into two functions also makes the handshake_secret available for later use to derive the master secret and then the application traffic secrets and the application traffic keys.

This PR also changes where there message transcript is created, a message transcript will also be needed to derive the application traffic secrets. This PR includes the code to add the messages to the initial message transcript that will be needed for the input to the application traffic secret derivation function.
2020-01-27 09:52:15 -05:00
Dirk Wetter c3bab98b92
Merge pull request #1474 from drwetter/backport_4b573dd
Suppress displaying an error in maketempf()
2020-01-26 01:30:58 +01:00
Dirk c63547ca7b Suppress displaying an error in maketempf() 2020-01-26 01:29:18 +01:00
Dirk 4b573dd833 Suppress displaying an error in maketempf() 2020-01-26 01:24:11 +01:00
Dirk Wetter 51ca429b48
Merge pull request #1473 from dcooper16/aead
Full AEAD cipher implementations
2020-01-25 12:37:28 +01:00
David Cooper 351bb7a4e8
Full AEAD cipher implementations
RFC 8446 specifies cipher suites that use three symmetric encryption algorithms, all of which are Authenticated Encryption with Associated Data (AEAD) algorithms. In each of these algorithms when data is encryption an authentication tag is created, which allows the recipient to verify that the data has not been modified. The authentication may also cover some additional data that was not encrypted.

The current implementations of these algorithms in testssl.sh decrypt the ciphertext, but do not check that the authentication tag is correct (which involves the recipient computing the correct tag for the received data and then comparing it to the provided tag). While testssl.sh can get away with not checking authentication tags when receiving data, the ability to compute authentication tags is needed in order to send encrypted data as TLS servers would reject any encrypted data that did not have a correct authentication tag. Being able to send encrypted data is necessary to be able to complete the TLS 1.3 handshake.

This PR replaces the current implementations of the symmetric encryption algorithms with full implementations of each of the algorithms. These full implementations include the ability to encrypt data for sending, and can also verify the authentication tag when decrypting data. Since the Bash implementations of these algorithms is very slow, the decryption code is designed to only compute and check authentication tags in debug mode.

While the implementation of the code to compute authentication tags for AES-CCM was based on NIST Special Publication 800-38C, I was not able to implement the code for AES-GCM or Poly1305 from their specifications (NIST Special Publication 800-38D and RFC 8439, respectively). So, I would very much like to thank the implementers of https://github.com/mko-x/SharedAES-GCM and https://github.com/floodyberry/poly1305-donna. The implementations of AES-GCM and Poly1305 in the PR were developed by translating the C code in https://github.com/mko-x/SharedAES-GCM and https://github.com/floodyberry/poly1305-donna into Bash. I don't understand what that code is doing, but it seems to work. :-)

I have only tested this code on a computer with a 64-bit operating system. While I have not tested it, I believe that the decryption code will work with 32-bit integers if not in debug mode (i.e., if not trying to compute the authentication tags). I also believe that the AES-CCM code for computing authentication tags will work with 32-bit integers. However, AES-GCM and Poly1305 code for computing authentication tags will definitely only work on systems that have 64-bit integers. So, on systems that do not have 64-bit integers, encryption will not work for AES-GCM or ChaCha20-Poly1305, and decryption will not work for these algorithms if in debug mode.
2020-01-24 15:26:13 -05:00
Dirk Wetter 3cdb16a969 Prepare baseline_ipv4_http as a good example ...
... as indicated in CONTRIBUTING.md / Coding_Convention.md
2020-01-24 17:42:17 +01:00
Dirk Wetter 1ad7a65adf
Merge pull request #1472 from drwetter/reorder
Reorder functions and some variables
2020-01-24 14:46:18 +01:00
Dirk Wetter 7d3ff19442 Notes wrt [[, references to bash hackers wiki 2020-01-24 14:24:22 +01:00
Dirk Wetter d44a643fab Reorder functions and some variables
For a fresh start it seemed a good idea to cleanup
the order of functions and some variables so that
those with the same functionality are somewhat grouped.

Some of the functions have now a header and a foooter
to make it easier to spot and use then. Also for added future
functions the hope is that they will be put where they better
fit
2020-01-24 13:58:05 +01:00
Dirk Wetter 6c892afecd Move from wiki hereto plus sorting+rephrasing 2020-01-24 13:09:05 +01:00
Dirk Wetter 385485d39b More friendly phrased. Incl. soon to follow coding convention 2020-01-24 11:33:11 +01:00
Dirk 67598e824f Start next release 2020-01-23 22:24:33 +01:00
Dirk Wetter b0b084dcda
Merge pull request #1442 from drwetter/bump_version
bump version to final
2020-01-23 18:08:23 +01:00
Dirk Wetter a11a060acb
Merge pull request #1456 from drwetter/changes_etc
Update attributions and changes for release
2020-01-23 18:05:50 +01:00
Dirk Wetter a9e5bcc30c
Merge pull request #1470 from drwetter/1xmsg_squash
Squash the last futile -msg for $OPENSSL
2020-01-23 11:03:46 +01:00
Dirk ace4098693 Squash the last futile -msg for $OPENSSL
... see also https://github.com/drwetter/testssl.sh/pull/1468#discussion_r369786007
2020-01-23 09:46:33 +01:00
Dirk Wetter 631755ceb1
Merge pull request #1464 from drwetter/further_handshakes
Further handshakes / minor changes
2020-01-22 22:30:16 +01:00
Dirk Wetter fa4f1e4366
Merge pull request #1468 from nosnilmot/fix-xmpp-starttls
Fix XMPP starttls
2020-01-22 21:09:51 +01:00
Dirk 5083e950d2 Move debugging remainders detection to t/00_testssl_help.t 2020-01-22 21:04:23 +01:00
Dirk Wetter ec722e0e9c
Merge pull request #1469 from dcooper16/simplify_draft_tls13_version_determination
Simplify code to determine draft TLS 1.3 version
2020-01-22 20:39:10 +01:00
Dirk Wetter f7ab5a0821
Move quotes...
as David suggested.
2020-01-22 20:34:00 +01:00
David Cooper 43d83b27d4
Simplify code to determine draft TLS 1.3 version
This PR simplifies the code for determining which draft version of TLS 1.3 a server is offering by making use of a simple regular expression and $BASH_REMATCH rather than looping through every possible draft version.
2020-01-22 13:48:27 -05:00
Stu Tomlinson 0deea8000c Fix XMPP starttls
'-xmpphost' option required in combination with '-starttls xmpp' was missing
in determine_optimal_proto()

Also tweaked a couple of log messages
2020-01-22 18:10:58 +00:00
Dirk Wetter 7619e430f2
Merge pull request #1466 from dcooper16/fix_run_ssl_poodle
Fix run_ssl_poodle()
2020-01-22 18:05:08 +01:00
Dirk Wetter 2602e14191
Merge pull request #1465 from dcooper16/undo_copy_paste_error
Undo copy and paste error
2020-01-22 17:25:33 +01:00
David Cooper cce57c4613
Fix run_ssl_poodle()
PR #1463 changed run_ssl_poodle() to only run the test if it is known that the server supports SSLv3. However, support for SSLv3 may be unknown at the time run_ssl_poodle() is run (e.g., if the server supports TLS 1 and SSLv3, and run_ssl_poodle() is the first test performed). So, run_ssl_poodle() should perform testing unless it is known that SSLv3 is not supported.
2020-01-22 11:20:34 -05:00
David Cooper d49d96ae40
Undo copy and paste error
This PR removes what appears to be a copy and paste error introduced by #1463.
2020-01-22 11:14:55 -05:00
Dirk Wetter 2181061c6e
Merge pull request #1463 from drwetter/shortcurt_vulns
Shortcuts for vulnerability tests for TLS 1.3 only servers
2020-01-22 15:37:11 +01:00
Dirk Wetter eeb1acd749 Android 9 still has 2 signature hash algos: x0201 + x0203 2020-01-22 11:41:42 +01:00
Dirk d4d5a61a0b Hopefully make Travis shut up now
picked a TLS 1.2 host
2020-01-22 11:30:21 +01:00
Dirk cae052cfab Address some HTML check failures in travis
(shouldn't work too late)
2020-01-22 11:29:04 +01:00
Dirk Wetter 7c66ed47c0 All self retrieved Android handshakes modified to service ANY 2020-01-22 10:58:00 +01:00