
Commit 21e2050

committed
Merge origin/master into CertificateCN
2 parents fc036ba + f81aeaf commit 21e2050

27 files changed

+1270
-236
lines changed

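--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,11 @@
+FROM openjdk:8-slim-stretch
+RUN apt-get update && apt-get upgrade -y && apt-get -y install git maven
+RUN git clone https://github.com/RUB-NDS/TLS-Attacker.git
+RUN git clone https://github.com/RUB-NDS/TLS-Scanner.git
+WORKDIR /TLS-Attacker/
+RUN mvn clean install -DskipTests=true
+RUN git clone https://github.com/RUB-NDS/TLS-Scanner.git
+WORKDIR /TLS-Scanner/
+RUN mvn clean install -DskipTests=true
+WORKDIR /TLS-Scanner/apps/
+ENTRYPOINT ["java" ,"-jar","TLS-Scanner.jar"]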
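Review bot: The `git clone` steps on lines 3, 4 and 7 fetch whatever the default branch holds at build time, so the image is not reproducible and nothing guarantees that the TLS-Attacker it builds is the 2.9 release that pom.xml requires. Pin each clone to a release tag or commit, e.g. `RUN git clone --branch RELEASE_TAG --depth 1 https://github.com/RUB-NDS/TLS-Attacker.git` (RELEASE_TAG is a placeholder for the matching release). The clone on line 7 repeats line 4 while the working directory is /TLS-Attacker/, so it lands in /TLS-Attacker/TLS-Scanner and is never built; it can be dropped. No `USER` is set, so the scanner runs as root inside the container; adding an unprivileged user before `ENTRYPOINT` would limit what a bug in the scanner can touch.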

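--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ TLS-Scanner is a tool created by the Chair for Network and Data Security from th
 **Please note:** *TLS-Scanner is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.*
 
 # Compiling
-In order to compile and use TLS-Scanner, you need to have Java and Maven installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 2.8
+In order to compile and use TLS-Scanner, you need to have Java and Maven installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 2.9
 
 ```bash
 $ cd TLS-Scanner
@@ -23,7 +23,7 @@ $ mvn clean install
 
 For hints on installing the required libraries checkout the corresponding GitHub repositories.
 
-**Please note:** *In order to run this tool you need TLS-Attacker version 2.8*
+**Please note:** *In order to run this tool you need TLS-Attacker version 2.9*
 
 # Running
 In order to run TLS-Scanner you need to run the jar file in the apps/ folder.
@@ -33,3 +33,14 @@ $ java -jar apps/TLS-Scanner.jar -connect localhost:4433
 ```
 
 You can specify a host you want to scan with the -connect parameter. If you want to improve the performance of the scan you can use the -threads parameter (default=1).
+
+
+# Docker
+We provide you with a Dockerfile, which lets you run the scanner directly:
+
+```bash
+$ docker build . -t tlsscanner
+$ docker run -t tlsscanner
+```
+
+**Please note:** *I am by no means familiar with Docker best practices. If you know how to improve the Dockerfile feel free to issue a pullrequest*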

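--- a/pom.xml
+++ b/pom.xml
@@ -3,18 +3,18 @@
 <modelVersion>4.0.0</modelVersion>
 <artifactId>TLS-Scanner</artifactId>
 <groupId>de.rub.nds.tlsscanner</groupId>
-<version>2.6</version>
+<version>2.7</version>
 <packaging>jar</packaging>
 <dependencies>
 <dependency>
 <groupId>de.rub.nds.tlsattacker</groupId>
 <artifactId>TLS-Core</artifactId>
-<version>2.8</version>
+<version>2.9</version>
 </dependency>
 <dependency>
 <groupId>de.rub.nds.tlsattacker</groupId>
 <artifactId>Attacks</artifactId>
-<version>2.8</version>
+<version>2.9</version>
 </dependency>
 <dependency>
 <groupId>junit</groupId>
@@ -32,6 +32,11 @@
 <artifactId>json-simple</artifactId>
 <version>1.1.1</version>
 </dependency>
+<dependency>
+<groupId>org.apache.commons</groupId>
+<artifactId>commons-math3</artifactId>
+<version>3.6.1</version>
+</dependency>
 </dependencies>
 <profiles>
 <profile>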

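--- a/src/main/java/de/rub/nds/tlsscanner/TlsScanner.java
+++ b/src/main/java/de/rub/nds/tlsscanner/TlsScanner.java
@@ -10,6 +10,7 @@
 
 import de.rub.nds.tlsattacker.attacks.connectivity.ConnectivityChecker;
 import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.constants.StarttlsType;
 import de.rub.nds.tlsattacker.core.workflow.NamedThreadFactory;
 import de.rub.nds.tlsattacker.core.workflow.ParallelExecutor;
 import de.rub.nds.tlsscanner.config.ScannerConfig;
@@ -46,6 +47,7 @@
 import de.rub.nds.tlsscanner.report.after.EvaluateRandomnessAfterProbe;
 import de.rub.nds.tlsscanner.report.after.FreakAfterProbe;
 import de.rub.nds.tlsscanner.report.after.LogjamAfterprobe;
+import de.rub.nds.tlsscanner.report.after.PaddingOracleIdentificationAfterProbe;
 import de.rub.nds.tlsscanner.report.after.Sweet32AfterProbe;
 import java.util.LinkedList;
 import java.util.List;
@@ -147,14 +149,15 @@ private void fillDefaultProbeLists() {
 afterList.add(new EvaluateRandomnessAfterProbe());
 afterList.add(new EcPublicKeyAfterProbe());
 afterList.add(new DhValueAfterProbe());
+afterList.add(new PaddingOracleIdentificationAfterProbe());
 }
 
 public SiteReport scan() {
 boolean isConnectable = false;
 try {
 if (isConnectable()) {
 LOGGER.debug(config.getClientDelegate().getHost() + " is connectable");
-if (speaksTls()) {
+if ((config.getStarttlsDelegate().getStarttlsType() == StarttlsType.NONE && speaksTls()) || (config.getStarttlsDelegate().getStarttlsType() != StarttlsType.NONE && speaksStartTls())) {
 LOGGER.debug(config.getClientDelegate().getHost() + " is connectable");
 ScanJob job = new ScanJob(phaseOneTestList, phaseTwoTestList, afterList);
 SiteReport report = executor.execute(config, job);
@@ -192,4 +195,10 @@ private boolean speaksTls() {
 ConnectivityChecker checker = new ConnectivityChecker(tlsConfig.getDefaultClientConnection());
 return checker.speaksTls(tlsConfig);
 }
+
+private boolean speaksStartTls() {
+Config tlsConfig = config.createConfig();
+ConnectivityChecker checker = new ConnectivityChecker(tlsConfig.getDefaultClientConnection());
+return checker.speaksStartTls(tlsConfig);
+}
 }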
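Review bot: The new guard at line 160 in scan() reads `config.getStarttlsDelegate().getStarttlsType()` twice and spells out both halves of a plain either/or, which makes the decision hard to audit at a glance. `boolean startTls = config.getStarttlsDelegate().getStarttlsType() != StarttlsType.NONE;` followed by `if (startTls ? speaksStartTls() : speaksTls()) {` selects the same check in each case. The debug message on the next line still says "is connectable" although at that point the TLS or STARTTLS check has passed, so the log cannot tell the two stages apart. `speaksStartTls()` duplicates `speaksTls()` except for the final call; scan() itself continues outside the hunk.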

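--- a/src/main/java/de/rub/nds/tlsscanner/config/ScannerConfig.java
+++ b/src/main/java/de/rub/nds/tlsscanner/config/ScannerConfig.java
@@ -23,8 +23,6 @@
 */
 public class ScannerConfig extends TLSDelegateConfig {
 
-public static final String COMMAND = "scan";
-
 @ParametersDelegate
 private ClientDelegate clientDelegate;
 
@@ -144,11 +142,14 @@ public void setReportDetail(ScannerDetail reportDetail) {
 
 @Override
 public Config createConfig() {
-Config config = super.createConfig();
-config.setSniHostname(clientDelegate.getHost());
-config.setStarttlsType(starttlsDelegate.getStarttlsType());
+Config config = super.createConfig(Config.createConfig());
+config.setAddServerNameIndicationExtension(true);
+String sniHostname = clientDelegate.getHost();
+if (sniHostname.contains(":")) {
+sniHostname = sniHostname.split(":")[0];
+}
+config.setSniHostname(sniHostname);
 config.getDefaultClientConnection().setTimeout(timeout);
-
 return config;
 }
 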
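Review bot: The port stripping added to createConfig() at new lines 148-149 treats every colon as a host/port separator, so an IPv6 literal given to -connect is reduced to an empty or bracket-only SNI value, and a host of just ":" makes `split(":")` return an empty array so that index 0 throws. Strip the port only when there is exactly one colon: `int colon = sniHostname.lastIndexOf(':');` then `if (colon > 0 && sniHostname.indexOf(':') == colon) { sniHostname = sniHostname.substring(0, colon); }`. SNI is defined for DNS host names only (RFC 6066), so `setAddServerNameIndicationExtension(true)` would better be skipped when the target is an IP literal. The hunk also removes `config.setStarttlsType(starttlsDelegate.getStarttlsType());`; presumably the delegate is now applied inside `super.createConfig(...)`, which is not visible here and should be confirmed because the STARTTLS check in TlsScanner depends on it.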

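--- a/src/main/java/de/rub/nds/tlsscanner/probe/BleichenbacherProbe.java
+++ b/src/main/java/de/rub/nds/tlsscanner/probe/BleichenbacherProbe.java
@@ -15,6 +15,7 @@
 import de.rub.nds.tlsattacker.attacks.util.response.EqualityError;
 import de.rub.nds.tlsattacker.core.config.delegate.CiphersuiteDelegate;
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
+import de.rub.nds.tlsattacker.core.config.delegate.StarttlsDelegate;
 import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
 import de.rub.nds.tlsattacker.core.constants.KeyExchangeAlgorithm;
@@ -46,6 +47,8 @@ public BleichenbacherProbe(ScannerConfig config, ParallelExecutor parallelExecut
 public ProbeResult executeTest() {
 BleichenbacherCommandConfig bleichenbacherConfig = new BleichenbacherCommandConfig(getScannerConfig().getGeneralDelegate());
 ClientDelegate delegate = (ClientDelegate) bleichenbacherConfig.getDelegate(ClientDelegate.class);
+StarttlsDelegate starttlsDelegate = (StarttlsDelegate) bleichenbacherConfig.getDelegate(StarttlsDelegate.class);
+starttlsDelegate.setStarttlsType(scannerConfig.getStarttlsDelegate().getStarttlsType());
 delegate.setHost(getScannerConfig().getClientDelegate().getHost());
 ((CiphersuiteDelegate) (bleichenbacherConfig.getDelegate(CiphersuiteDelegate.class))).setCipherSuites(suiteList);
 RSAPublicKey publicKey = (RSAPublicKey) CertificateFetcher.fetchServerPublicKey(bleichenbacherConfig.createConfig());
@@ -56,19 +59,17 @@ public ProbeResult executeTest() {
 LOGGER.info("Fetched the following server public key: " + publicKey);
 List<Pkcs1Vector> pkcs1Vectors;
 if (scannerConfig.getScanDetail().isGreaterEqualTo(ScannerDetail.DETAILED)) {
-pkcs1Vectors = Pkcs1VectorGenerator.generatePkcs1Vectors(publicKey, BleichenbacherCommandConfig.Type.FULL,
-bleichenbacherConfig.createConfig().getDefaultHighestClientProtocolVersion());
-
+bleichenbacherConfig.setType(BleichenbacherCommandConfig.Type.FULL);
 } else {
-pkcs1Vectors = Pkcs1VectorGenerator.generatePkcs1Vectors(publicKey, BleichenbacherCommandConfig.Type.FAST,
-bleichenbacherConfig.createConfig().getDefaultHighestClientProtocolVersion());
+bleichenbacherConfig.setType(BleichenbacherCommandConfig.Type.FAST);
 }
 List<BleichenbacherTestResult> resultList = new LinkedList<>();
 boolean vulnerable = false;
 for (BleichenbacherWorkflowType bbWorkflowType : BleichenbacherWorkflowType.values()) {
+bleichenbacherConfig.setWorkflowType(bbWorkflowType);
 LOGGER.debug("Testing: " + bbWorkflowType);
 BleichenbacherAttacker attacker = new BleichenbacherAttacker(bleichenbacherConfig, scannerConfig.createConfig(), getParallelExecutor());
-EqualityError errorType = attacker.isVulnerable(bbWorkflowType, pkcs1Vectors);
+EqualityError errorType = attacker.getEqualityError();
 vulnerable |= (errorType != EqualityError.NONE);
 resultList.add(new BleichenbacherTestResult(errorType != EqualityError.NONE, bleichenbacherConfig.getType(), bbWorkflowType, attacker.getFingerprintPairList(), errorType));
 }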
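Review bot: The local `List<Pkcs1Vector> pkcs1Vectors;` at new line 60 is left declared but is no longer assigned or read in the visible part of executeTest(), since both `generatePkcs1Vectors` calls and the `isVulnerable(bbWorkflowType, pkcs1Vectors)` call were removed; it can be deleted along with any import only it needed. The added lines 50-51 read the field `scannerConfig` directly while the surrounding lines go through `getScannerConfig()`; using one form, e.g. `starttlsDelegate.setStarttlsType(getScannerConfig().getStarttlsDelegate().getStarttlsType());`, keeps the method consistent. The result of `getDelegate(StarttlsDelegate.class)` is cast and dereferenced without a check, which relies on BleichenbacherCommandConfig registering that delegate; that class is not visible here. executeTest() starts and ends outside these hunks.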

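--- a/src/main/java/de/rub/nds/tlsscanner/probe/CommonBugProbe.java
+++ b/src/main/java/de/rub/nds/tlsscanner/probe/CommonBugProbe.java
@@ -20,6 +20,7 @@
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
 import de.rub.nds.tlsattacker.core.workflow.action.ReceiveTillAction;
 import de.rub.nds.tlsattacker.core.workflow.action.SendAction;
+import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowConfigurationFactory;
 import de.rub.nds.tlsscanner.config.ScannerConfig;
 import de.rub.nds.tlsscanner.constants.ProbeType;
 import de.rub.nds.tlsscanner.report.SiteReport;
@@ -111,7 +112,9 @@ private int getClientHelloLength(ClientHelloMessage message, Config config) {
 
 private boolean hasExtensionIntolerance() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
+
 ClientHelloMessage message = new ClientHelloMessage(config);
 UnknownExtensionMessage extension = new UnknownExtensionMessage();
 extension.setTypeConfig(new byte[]{(byte) 3F, (byte) 3F});
@@ -126,7 +129,8 @@ private boolean hasExtensionIntolerance() {
 
 private Boolean hasBigClientHelloIntolerance() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 config.setAddPaddingExtension(true);
 config.setPaddingLength(65535);
 ClientHelloMessage message = new ClientHelloMessage(config);
@@ -139,7 +143,8 @@ private Boolean hasBigClientHelloIntolerance() {
 
 private Boolean hasIgnoresSigHashAlgoOfferingBug() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 config.setAddSignatureAndHashAlgorithmsExtension(false);
 List<CipherSuite> suiteList = new LinkedList<>();
 for (CipherSuite suite : CipherSuite.getImplemented()) {
@@ -163,7 +168,8 @@ private Boolean hasIgnoresSigHashAlgoOfferingBug() {
 
 private Boolean hasIgnoresNamedGroupsOfferingBug() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 config.setAddSignatureAndHashAlgorithmsExtension(true);
 List<CipherSuite> suiteList = new LinkedList<>();
 for (CipherSuite suite : CipherSuite.getImplemented()) {
@@ -191,7 +197,8 @@ private Boolean hasIgnoresNamedGroupsOfferingBug() {
 
 private void adjustCipherSuiteSelectionBugs() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 message.setCipherSuites(Modifiable.explicit(new byte[]{(byte) 0xEE, (byte) 0xCC}));
 trace.addTlsAction(new SendAction(message));
@@ -216,7 +223,8 @@ private void adjustCipherSuiteSelectionBugs() {
 
 private Boolean hasSignatureAndHashAlgorithmIntolerance() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 config.setAddSignatureAndHashAlgorithmsExtension(false);
 List<CipherSuite> suiteList = new LinkedList<>();
 for (CipherSuite suite : CipherSuite.getImplemented()) {
@@ -240,7 +248,8 @@ private Boolean hasSignatureAndHashAlgorithmIntolerance() {
 
 private Boolean hasNamedGroupIntolerance() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 config.setAddSignatureAndHashAlgorithmsExtension(true);
 List<CipherSuite> suiteList = new LinkedList<>();
 for (CipherSuite suite : CipherSuite.getImplemented()) {
@@ -273,7 +282,8 @@ private Boolean hasNamedGroupIntolerance() {
 
 private Boolean hasOnlySecondCiphersuiteByteEvaluatedBug() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 ByteArrayOutputStream stream = new ByteArrayOutputStream();
 for (CipherSuite suite : CipherSuite.values()) {
@@ -296,7 +306,8 @@ private Boolean hasOnlySecondCiphersuiteByteEvaluatedBug() {
 
 private Boolean hasEmptyLastExtensionIntolerance() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 ExtendedMasterSecretExtensionMessage extension = new ExtendedMasterSecretExtensionMessage();
 message.getExtensions().add(extension);
@@ -310,7 +321,8 @@ private Boolean hasEmptyLastExtensionIntolerance() {
 private Boolean hasVersionIntolerance() {
 
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 message.setProtocolVersion(Modifiable.explicit(new byte[]{0x03, 0x05}));
 trace.addTlsAction(new SendAction(message));
@@ -322,7 +334,8 @@ private Boolean hasVersionIntolerance() {
 
 private Boolean hasCompressionIntolerance() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 message.setCompressions(new byte[]{(byte) 0xFF, (byte) 0x00});
 trace.addTlsAction(new SendAction(message));
@@ -339,7 +352,8 @@ private Boolean hasCiphersuiteLengthIntolerance512() {
 toTestList.remove(CipherSuite.TLS_FALLBACK_SCSV);
 toTestList.remove(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
 config.setDefaultClientSupportedCiphersuites(toTestList);
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 trace.addTlsAction(new SendAction(message));
 trace.addTlsAction(new ReceiveTillAction(new ServerHelloDoneMessage(config)));
@@ -350,7 +364,8 @@ private Boolean hasCiphersuiteLengthIntolerance512() {
 
 private Boolean hasCiphersuiteIntolerance() {
 Config config = getWorkingConfig();
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 message.setCipherSuites(Modifiable.insert(new byte[]{(byte) 0xCF, (byte) 0xAA}, 1));
 trace.addTlsAction(new SendAction(message));
@@ -364,7 +379,8 @@ private Boolean hasAlpnIntolerance() {
 Config config = getWorkingConfig();
 config.setAddAlpnExtension(true);
 config.setAlpnAnnouncedProtocols(new String[]{"This is not an ALPN Protocol"});
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 trace.addTlsAction(new SendAction(message));
 trace.addTlsAction(new ReceiveTillAction(new ServerHelloDoneMessage(config)));
@@ -378,7 +394,8 @@ private Boolean hasClientHelloLengthIntolerance() {
 config.setAddAlpnExtension(true);
 config.setAddPaddingExtension(true);
 
-WorkflowTrace trace = new WorkflowTrace();
+WorkflowConfigurationFactory factory = new WorkflowConfigurationFactory(config);
+WorkflowTrace trace = factory.createTlsEntryWorkflowtrace(config.getDefaultClientConnection());
 ClientHelloMessage message = new ClientHelloMessage(config);
 int newLength = 384 - getClientHelloLength(message, config) - config.getPaddingLength();
 config.setPaddingLength(newLength);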
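Review bot: The same two lines that build the entry trace are pasted into fifteen probe methods, so any later change to how a probe opens its connection has to be repeated fifteen times and one missed copy would silently skip the STARTTLS entry step. A private helper such as `private WorkflowTrace createEntryTrace(Config config) { return new WorkflowConfigurationFactory(config).createTlsEntryWorkflowtrace(config.getDefaultClientConnection()); }` keeps it in one place. In hasBigClientHelloIntolerance(), hasIgnoresSigHashAlgoOfferingBug() and the other methods that call config setters after the added lines, the trace is built before the config is final, whereas hasAlpnIntolerance() and hasCiphersuiteLengthIntolerance512() build it afterwards; if the factory reads more from the config than the connection, the order should be made uniform by creating the trace last. Not introduced here but visible in the first method hunk: `(byte) 3F` is a float literal cast to byte (value 3) and was presumably meant to be `(byte) 0x3F`. All method bodies continue outside their hunks.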
