Merge pull request #262 from jtesta/key_exchange_fix

Fix for invalid x25519 key share causing TLSv1.3 being skipped against Windows Server 2022 hosts

Author: rbsec

sslscan.c

@@ -4862,6 +4862,43 @@ int bs_read_socket(bs *b, int s, size_t num_bytes) {
 }
 
 
+/* Internal function.  Use  bs_append_x25519_pubkey() and bs_append_x448_pubkey() instead. */
+void __bs_append_xstar_pubkey(bs *b, unsigned int gen_x25519) {
+  unsigned char public_key[64] = {0};  /* X25519 requires 32 bytes minimum, and X448 requires 56 bytes minimum. */
+  size_t public_key_len = sizeof(public_key);
+  EVP_PKEY *pkey = NULL;
+  EVP_PKEY_CTX *pctx = NULL;
+
+
+  /* Create an X25519 or X448 key depending on which is requested. */
+  if (gen_x25519)
+    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);
+  else
+    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL);
+
+  /* Create the private and public keys, and append the raw public key to the byte string. */
+  EVP_PKEY_keygen_init(pctx);
+  EVP_PKEY_keygen(pctx, &pkey);
+  EVP_PKEY_get_raw_public_key(pkey, public_key, &public_key_len);
+  bs_append_bytes(b, public_key, public_key_len);
+
+  EVP_PKEY_free(pkey);  pkey = NULL;
+  EVP_PKEY_CTX_free(pctx);  pctx = NULL;
+}
+
+
+/* Generates a random x25519 public key and appends it to the byte string. */
+void bs_append_x25519_pubkey(bs *b) {
+  __bs_append_xstar_pubkey(b, 1);
+}
+
+
+/* Generates a random x448 public key and appends it to the byte string. */
+void bs_append_x448_pubkey(bs *b) {
+  __bs_append_xstar_pubkey(b, 0);
+}
+
+
 /* Returns true if a specific TLS version is supported by the server. */
 unsigned int checkIfTLSVersionIsSupported(struct sslCheckOptions *options, unsigned int tls_version) {
   bs *tls_extensions = NULL, *ciphersuite_list = NULL, *client_hello = NULL, *server_hello = NULL;
@@ -5165,12 +5202,8 @@ void tlsExtensionAddDefaultKeyShare(bs *tls_extensions) {
     0x00, 0x20, // Key Exchange Length (32)
   }, 10);
 
-  /* Add 32 bytes of the (bogus) X25519 key share. */
-  srand(time(NULL) ^ 0xbeefdead);
-  for (int i = 0; i < 32; i++) {
-    unsigned char c = (unsigned char)rand();
-    bs_append_bytes(tls_extensions, &c, 1);
-  }
+  /* Append a random X25519 public key. */
+  bs_append_x25519_pubkey(tls_extensions);
 
   /* Update the length of the extensions. */
   tlsExtensionUpdateLength(tls_extensions);
@@ -5453,9 +5486,11 @@ int testSupportedGroups(struct sslCheckOptions *options) {
 
   /* Auto-generated by ./tools/iana_tls_supported_groups_parser.py on December 24, 2019. */
 #define COL_PLAIN ""
-#define NID_TYPE_NA 0    /* Not Applicable (i.e.: X25519/X448) */
+#define NID_TYPE_UNUSED 0
 #define NID_TYPE_ECDHE 1 /* For ECDHE curves (sec*, P-256/384-521) */
 #define NID_TYPE_DHE 2   /* For ffdhe* */
+#define NID_TYPE_X25519 3
+#define NID_TYPE_X448 4
   /* Bit strength of DHE 2048 and 3072-bit moduli is taken directly from NIST SP 800-57 pt.1, rev4., pg. 53; DHE 4096, 6144, and 8192 are estimated using that document. */
   struct group_key_exchange group_key_exchanges[] = {
     {0x0001, "sect163k1", 81, COL_RED, NID_sect163k1, NID_TYPE_ECDHE, 0},
@@ -5486,8 +5521,8 @@ int testSupportedGroups(struct sslCheckOptions *options) {
     {0x001a, "brainpoolP256r1", 128, COL_PLAIN, NID_brainpoolP256r1, NID_TYPE_ECDHE, 0},
     {0x001b, "brainpoolP384r1", 192, COL_PLAIN, NID_brainpoolP384r1, NID_TYPE_ECDHE, 0},
     {0x001c, "brainpoolP512r1", 256, COL_PLAIN, NID_brainpoolP512r1, NID_TYPE_ECDHE, 0},
-    {0x001d, "x25519", 128, COL_GREEN, -1, NID_TYPE_NA, 32},
-    {0x001e, "x448", 224, COL_GREEN, -1, NID_TYPE_NA, 56},
+    {0x001d, "x25519", 128, COL_GREEN, -1, NID_TYPE_X25519, 32},
+    {0x001e, "x448", 224, COL_GREEN, -1, NID_TYPE_X448, 56},
     {0x0100, "ffdhe2048", 112, COL_PLAIN, NID_ffdhe2048, NID_TYPE_DHE, 256},
     {0x0101, "ffdhe3072", 128, COL_PLAIN, NID_ffdhe3072, NID_TYPE_DHE, 384},
     {0x0102, "ffdhe4096", 150, COL_PLAIN, NID_ffdhe4096, NID_TYPE_DHE, 512},
@@ -5541,16 +5576,11 @@ int testSupportedGroups(struct sslCheckOptions *options) {
       bs_new_size(&key_exchange, key_exchange_len);
 
       /* Generate the right type of key exchange data. */
-      if (nid_type == NID_TYPE_NA) {
-
-        /* Generate "random" data.  X25519 and X448 public keys have no discernible structure. */
-        srand(time(NULL) ^ 0xdeadbeef);
-        for (int j = 0; j < key_exchange_len; j++) {
-          unsigned char c = (unsigned char)rand();
-          bs_append_bytes(key_exchange, &c, 1);
-        }
-
-      } else if (nid_type == NID_TYPE_ECDHE) {
+      if (nid_type == NID_TYPE_X25519)
+	bs_append_x25519_pubkey(key_exchange);
+      else if (nid_type == NID_TYPE_X448)
+        bs_append_x448_pubkey(key_exchange);
+      else if (nid_type == NID_TYPE_ECDHE) {
 
         /* Generate the ECDHE key. */
         EC_KEY *key = EC_KEY_new_by_curve_name(nid);