Avoid ClientHello size bug

David Cooper · David Cooper · commit d9d68012101a · 2018-09-12T11:53:28.000-04:00
As described in testssl#1113, some servers will fail if the length of the ClientHello message is 522, 778, 1034, ... bytes (i.e., if length mod 256 = 10) or 526, 782, 1038, ... bytes (i.e., if length mod 256 = 14). This commit avoid this issue for normal testing by adding a 5-byte padding extension to the message if the length would otherwise be one of these lengths.
diff --git a/testssl.sh b/testssl.sh
@@ -11827,6 +11827,7 @@ socksend_tls_clienthello() {
           # then add a padding extension (see RFC 7685)
           len_all=$((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2))
           "$offer_compression" && len_all+=2
+          [[ 0x$tls_low_byte -gt 0x03 ]] && len_all+=32 # TLSv1.3 ClientHello includes a 32-byte session id
           if [[ $len_all -ge 256 ]] && [[ $len_all -le 511 ]] && [[ ! "$extra_extensions_list" =~ " 0015 " ]]; then
                if [[ $len_all -gt 508 ]]; then
                     len_padding_extension=1 # Final extension cannot be empty: see PR #792
@@ -11841,12 +11842,18 @@ socksend_tls_clienthello() {
                done
                len_extension=$len_extension+$len_padding_extension+0x4
                len_extension_hex=$(printf "%02x\n" $len_extension)
+          elif [[ ! "$extra_extensions_list" =~ " 0015 " ]] && ( [[ $((len_all%256)) -eq 10 ]] || [[ $((len_all%256)) -eq 14 ]] ); then
+               # Some servers fail if the length of the ClientHello is 522, 778, 1034, 1290, ... bytes.
+               # A few servers also fail if the length is 526, 782, 1038, 1294, ... bytes.
+               # So, if the ClientHello would be one of these length, add a 5-byte padding extension.
+               all_extensions="$all_extensions\\x00\\x15\\x00\\x01\\x00"
+               len_extension+=5
+               len_extension_hex=$(printf "%02x\n" $len_extension)
           fi
           len2twobytes "$len_extension_hex"
           all_extensions="
           ,$LEN_STR  # first the len of all extensions.
           ,$all_extensions"
-
      fi
 
      if [[ 0x$tls_low_byte -gt 0x03 ]]; then
