Sanity check for clienthello

[drwetter]

While converting run_ticketbleed() to a different socket sending function which omits the leading x in each bytes I thought: Well, as we don't have a unit test for ticketbleed (and I couldn't find a vulnerable server anymore either) .... as a baseline it makes sense to compare the handshakes in debug mode before + after the change whether they match. Then I stumbled over a malformatted client hello:

sending client hello... 
"\x16\x03\x01\xx01\xxf6\x01\x00\xx01\xxf2\x03\x03\xee\xee\x5b\x90\x9d\x9b\x72
[..]
xx7a\xx76\xxcb\xxeb\xxf9\xx80\xx83\xx16\xx0c\xx8d\xx83\x00\x0f\x00\x01\x01"
reading server hello (ticketbleed reply)... 

Note the double x-es.

This would probably not have been discovered otherwise. This particular clienthello is THE check for it. In this case the server reply was empty (means also in a use case scenario not vulnerable).

So what I was thinking on is extending socksend_clienthello() to include a (debug) function which checks whether all he bytes which will be send over the wire are formatted like

1: backslash
2: x
3: 0-9,a-f
4: 0-9,a-f

If we run that in a (to be defined) debug mode we also can use a unit test for shed some light on those kind of problems which otherwise would be hard to discover.

[drwetter]

I was actually easier then I thought, so I just implemented is, see 8dbaab3

code:

check_bytestream() {
     local line=""
     local -i i=0

     # We do a search and replace so that \xaa\x29 becomes
     # _xaa
     # _x29
     #
     # "echo -e" helps us to get a multiline string
     while read -r line; do
          if [[ $i -eq 0 ]]; then
               # first line is empty because this is a LF
               :
          elif [[ ${#line} -ne 4 ]] && [[ $i != 0 ]]; then
               echo "length of byte $i called from $2 is not ok"
          elif [[ ${line:0:1} != _ ]]; then
               echo "char $i called from $2 doesn't start with a \"\\\""
          elif [[ ${line:1:1} != x ]]; then
               echo "char $i called from $2 doesn't have an x in second position"
          elif [[ ${line:2:2} != [0-9a-fA-F][0-9a-fA-F] ]]; then
               echo "byte $i called from $2 is not hex"
          fi
          i+=1
     done < <( echo -e ${1//\\/\\n_})
}

# sockets inspired by http://blog.chris007.de/?p=238
# ARG1: hexbytes separated by commas, with a leading comma
# ARG2: seconds to sleep
socksend_clienthello() {
     local data=""

     code2network "$1"
     data="$NW_STR"
     if [[ "$DEBUG" -ge 1 ]]; then
          check_bytestream "$data" "${FUNCNAME[1]}"
          [[ "$DEBUG" -ge 4 ]] && echo && echo "\"$data\""
[..]

Result (./testssl.sh -q --debug=1 -U dev.testssl.sh):

Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  length of byte 311 called from run_ticketbleed is not ok
length of byte 312 called from run_ticketbleed is not ok
length of byte 313 called from run_ticketbleed is not ok
length of byte 314 called from run_ticketbleed is not ok
length of byte 315 called from run_ticketbleed is not ok
length of byte 316 called from run_ticketbleed is not ok
length of byte 317 called from run_ticketbleed is not ok
[..]

So, if we have a unit test for this we'll have additional robustness! (I still think testssl.sh was robust before but this for sure would add a good piece)

[drwetter]

see 16be686