Merge pull request #17 from RUB-NDS/v2.1

ic0ns · web-flow · commit 0dfa55ba770b · 2018-01-15T14:42:05.000+01:00
V2.1
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ TLS-Scanner is a tool created by the Chair for Network and Data Security from th
 **Please note:**  *TLS-Scanner is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.*
 
 # Compiling
-In order to compile and use TLS-Scanner, you need to have Java installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 2.2
+In order to compile and use TLS-Scanner, you need to have Java installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 2.3
  
 ```bash
 $ cd TLS-Scanner
diff --git a/pom.xml b/pom.xml
@@ -3,18 +3,18 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>TLS-Scanner</artifactId>
     <groupId>de.rub.nds.tlsscanner</groupId>
-    <version>2.0</version>
+    <version>2.1</version>
     <packaging>jar</packaging>
     <dependencies>
         <dependency>
             <groupId>de.rub.nds.tlsattacker</groupId>
             <artifactId>TLS-Core</artifactId>
-            <version>2.2</version>
+            <version>2.3</version>
         </dependency>
         <dependency>
             <groupId>de.rub.nds.tlsattacker</groupId>
             <artifactId>Attacks</artifactId>
-            <version>2.2</version>
+            <version>2.3</version>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
diff --git a/src/main/java/de/rub/nds/tlsscanner/ScanJobExecutor.java b/src/main/java/de/rub/nds/tlsscanner/ScanJobExecutor.java
@@ -10,6 +10,7 @@
 
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
 import de.rub.nds.tlsscanner.config.ScannerConfig;
+import de.rub.nds.tlsscanner.constants.ProbeType;
 import de.rub.nds.tlsscanner.report.result.ProbeResult;
 import de.rub.nds.tlsscanner.report.SiteReport;
 import de.rub.nds.tlsscanner.probe.TlsProbe;
@@ -38,9 +39,13 @@ public ScanJobExecutor(int threadCount) {
     }
 
     public SiteReport execute(ScannerConfig config, ScanJob scanJob) {
+        List<ProbeType> probeTypes = new LinkedList<>();
         List<Future<ProbeResult>> futureResults = new LinkedList<>();
         for (TlsProbe probe : scanJob.getProbeList()) {
-            futureResults.add(executor.submit(probe));
+            if (probe.getDanger() <= config.getDangerLevel()) {
+                futureResults.add(executor.submit(probe));
+                probeTypes.add(probe.getType());
+            }
         }
         List<ProbeResult> resultList = new LinkedList<>();
         for (Future<ProbeResult> probeResult : futureResults) {
@@ -55,13 +60,12 @@ public SiteReport execute(ScannerConfig config, ScanJob scanJob) {
         executor.shutdown();
         ClientDelegate clientDelegate = (ClientDelegate) config.getDelegate(ClientDelegate.class);
         String hostname = clientDelegate.getHost();
-        SiteReport report = new SiteReport(hostname);
+        SiteReport report = new SiteReport(hostname, probeTypes);
         report.setServerIsAlive(Boolean.TRUE);
         for (ProbeResult result : resultList) {
             result.merge(report);
         }
-        for(AfterProbe afterProbe : scanJob.getAfterProbes())
-        {
+        for (AfterProbe afterProbe : scanJob.getAfterProbes()) {
             afterProbe.analyze(report);
         }
         return report;
diff --git a/src/main/java/de/rub/nds/tlsscanner/TlsScanner.java b/src/main/java/de/rub/nds/tlsscanner/TlsScanner.java
@@ -13,6 +13,7 @@
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
 import de.rub.nds.tlsattacker.core.config.delegate.GeneralDelegate;
 import de.rub.nds.tlsscanner.config.ScannerConfig;
+import de.rub.nds.tlsscanner.constants.ProbeType;
 import de.rub.nds.tlsscanner.probe.BleichenbacherProbe;
 import de.rub.nds.tlsscanner.probe.CertificateProbe;
 import de.rub.nds.tlsscanner.probe.CiphersuiteOrderProbe;
@@ -96,7 +97,7 @@ public SiteReport scan() {
             return executor.execute(config, job);
         }
         // testList.add(new SignatureAndHashAlgorithmProbe(websiteHost));
-        SiteReport report = new SiteReport(config.getClientDelegate().getHost());
+        SiteReport report = new SiteReport(config.getClientDelegate().getHost(), new LinkedList<ProbeType>());
         report.setServerIsAlive(false);
         return report;
     }
diff --git a/src/main/java/de/rub/nds/tlsscanner/probe/BleichenbacherProbe.java b/src/main/java/de/rub/nds/tlsscanner/probe/BleichenbacherProbe.java
@@ -30,6 +30,9 @@ public ProbeResult executeTest() {
         delegate.setHost(getScannerConfig().getClientDelegate().getHost());
         BleichenbacherAttacker attacker = new BleichenbacherAttacker(bleichenbacherConfig);
         Boolean vulnerable = attacker.isVulnerable();
+        if (vulnerable == null && !getScannerConfig().isImplementation()) {
+            vulnerable = false;
+        }
         return new BleichenbacherResult(vulnerable);
 
     }
diff --git a/src/main/java/de/rub/nds/tlsscanner/probe/CiphersuiteProbe.java b/src/main/java/de/rub/nds/tlsscanner/probe/CiphersuiteProbe.java
@@ -16,6 +16,7 @@
 import de.rub.nds.tlsattacker.core.constants.NamedCurve;
 import de.rub.nds.tlsattacker.core.constants.ProtocolMessageType;
 import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
+import de.rub.nds.tlsattacker.core.exceptions.ConfigurationException;
 import de.rub.nds.tlsattacker.core.exceptions.WorkflowExecutionException;
 import de.rub.nds.tlsattacker.core.protocol.message.AlertMessage;
 import de.rub.nds.tlsattacker.core.state.State;
@@ -99,7 +100,7 @@ public List<CipherSuite> getSupportedCipherSuitesWithIntolerance(List<CipherSuit
             WorkflowExecutor workflowExecutor = WorkflowExecutorFactory.createWorkflowExecutor(WorkflowExecutorType.DEFAULT, state);
             try {
                 workflowExecutor.executeWorkflow();
-            } catch (WorkflowExecutionException ex) {
+            } catch (ConfigurationException | WorkflowExecutionException ex) {
                 LOGGER.warn("Encountered exception while executing WorkflowTrace!");
                 LOGGER.debug(ex);
                 supportsMore = false;
diff --git a/src/main/java/de/rub/nds/tlsscanner/report/SiteReport.java b/src/main/java/de/rub/nds/tlsscanner/report/SiteReport.java
@@ -19,6 +19,7 @@
 import de.rub.nds.tlsscanner.constants.AnsiColors;
 import de.rub.nds.tlsscanner.constants.CipherSuiteGrade;
 import de.rub.nds.tlsscanner.constants.GcmPattern;
+import de.rub.nds.tlsscanner.constants.ProbeType;
 import de.rub.nds.tlsscanner.probe.certificate.CertificateReport;
 import de.rub.nds.tlsscanner.report.result.VersionSuiteListPair;
 import java.util.List;
@@ -31,6 +32,8 @@
 public class SiteReport {
 
     //general
+    private final List<ProbeType> probeTypeList;
+    
     private final String host;
     private Boolean serverIsAlive = null;
     private Boolean supportsSslTls = null;
@@ -164,8 +167,9 @@ public class SiteReport {
     private Boolean supportedCurvesIntolerance;
     private Boolean clientHelloSizeIntolerance;
 
-    public SiteReport(String host) {
+    public SiteReport(String host, List<ProbeType> probeTypeList) {
         this.host = host;
+        this.probeTypeList = probeTypeList;
     }
 
     public String getHost() {
@@ -1394,4 +1398,7 @@ public String toString() {
         return getStringReport();
     }
 
+    public List<ProbeType> getProbeTypeList() {
+        return probeTypeList;
+    }
 }
diff --git a/src/main/java/de/rub/nds/tlsscanner/report/result/CiphersuiteProbeResult.java b/src/main/java/de/rub/nds/tlsscanner/report/result/CiphersuiteProbeResult.java
@@ -71,7 +71,7 @@ public void merge(SiteReport report) {
         supportsOnlyPfsCiphers = true;
         prefersPfsCiphers = true;
         for (VersionSuiteListPair pair : pairLists) {
-            if (pair.getCiphersuiteList().size() > 0 && pair.getCiphersuiteList().get(0).isEphemeral()) {
+            if (pair.getCiphersuiteList().size() > 0 && !pair.getCiphersuiteList().get(0).isEphemeral()) {
                 prefersPfsCiphers = false;
             }
             allSupported.addAll(pair.getCiphersuiteList());
@@ -108,7 +108,7 @@ private void adjustKeyExchange(CipherSuite suite) {
         if (suite.name().contains("_DH")) {
             supportsDh = true;
         }
-        if (suite.name().contains("RSA")) {
+        if (suite.name().contains("TLS_RSA")) {
             supportsRsa = true;
         }
         if (suite.name().contains("ECDH")) {
@@ -126,7 +126,7 @@ private void adjustKeyExchange(CipherSuite suite) {
         if (suite.name().contains("TLS_PSK_WITH")) {
             supportsPskPlain = true;
         }
-        if (suite.name().contains("DHE_PSK")) {
+        if (suite.name().contains("_DHE_PSK")) {
             supportsPskDhe = true;
         }
         if (suite.name().contains("ECDHE_PSK")) {

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,9 @@ public ProbeResult executeTest() {`
`30`	`30`	`delegate.setHost(getScannerConfig().getClientDelegate().getHost());`
`31`	`31`	`BleichenbacherAttacker attacker = new BleichenbacherAttacker(bleichenbacherConfig);`
`32`	`32`	`Boolean vulnerable = attacker.isVulnerable();`
	`33`	`+ if (vulnerable == null && !getScannerConfig().isImplementation()) {`
	`34`	`+ vulnerable = false;`
	`35`	`+ }`
`33`	`36`	`return new BleichenbacherResult(vulnerable);`
`34`	`37`
`35`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ public void merge(SiteReport report) {`
`71`	`71`	`supportsOnlyPfsCiphers = true;`
`72`	`72`	`prefersPfsCiphers = true;`
`73`	`73`	`for (VersionSuiteListPair pair : pairLists) {`
`74`		`- if (pair.getCiphersuiteList().size() > 0 && pair.getCiphersuiteList().get(0).isEphemeral()) {`
	`74`	`+ if (pair.getCiphersuiteList().size() > 0 && !pair.getCiphersuiteList().get(0).isEphemeral()) {`
`75`	`75`	`prefersPfsCiphers = false;`
`76`	`76`	`}`
`77`	`77`	`allSupported.addAll(pair.getCiphersuiteList());`
`@@ -108,7 +108,7 @@ private void adjustKeyExchange(CipherSuite suite) {`
`108`	`108`	`if (suite.name().contains("_DH")) {`
`109`	`109`	`supportsDh = true;`
`110`	`110`	`}`
`111`		`- if (suite.name().contains("RSA")) {`
	`111`	`+ if (suite.name().contains("TLS_RSA")) {`
`112`	`112`	`supportsRsa = true;`
`113`	`113`	`}`
`114`	`114`	`if (suite.name().contains("ECDH")) {`
`@@ -126,7 +126,7 @@ private void adjustKeyExchange(CipherSuite suite) {`
`126`	`126`	`if (suite.name().contains("TLS_PSK_WITH")) {`
`127`	`127`	`supportsPskPlain = true;`
`128`	`128`	`}`
`129`		`- if (suite.name().contains("DHE_PSK")) {`
	`129`	`+ if (suite.name().contains("_DHE_PSK")) {`
`130`	`130`	`supportsPskDhe = true;`
`131`	`131`	`}`
`132`	`132`	`if (suite.name().contains("ECDHE_PSK")) {`