Merge pull request #83 from RUB-NDS/releasepreps

Releasepreps

Author: ic0ns

Dockerfile

@@ -1,6 +1,7 @@
 FROM maven:3.6.1-jdk-8 AS build-image
 WORKDIR /build
-
+RUN git clone https://github.com/RUB-NDS/ASN.1-Tool.git && cd ASN.1-Tool && mvn clean install && cd ..
+RUN git clone https://github.com/RUB-NDS/X509-Attacker.git && cd X509-Attacker && mvn clean install && cd ..
 RUN git clone https://github.com/RUB-NDS/TLS-Scanner.git --recurse-submodules
 
 RUN git clone https://github.com/RUB-NDS/TLS-Attacker.git && \

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/TlsScanner.java

@@ -88,7 +88,6 @@ private void fillDefaultProbeLists() {
         probeList.add(new DirectRaccoonProbe(config, parallelExecutor));
         probeList.add(new CiphersuiteOrderProbe(config, parallelExecutor));
         probeList.add(new ExtensionProbe(config, parallelExecutor));
-        probeList.add(new Tls13Probe(config, parallelExecutor));
         probeList.add(new TokenbindingProbe(config, parallelExecutor));
         probeList.add(new HttpHeaderProbe(config, parallelExecutor));
         probeList.add(new ECPointFormatProbe(config, parallelExecutor));
@@ -102,7 +101,7 @@ private void fillDefaultProbeLists() {
         probeList.add(new InvalidCurveProbe(config, parallelExecutor));
         probeList.add(new DrownProbe(config, parallelExecutor));
         probeList.add(new EarlyCcsProbe(config, parallelExecutor));
-        probeList.add(new MacProbe(config, parallelExecutor));
+        // probeList.add(new MacProbe(config, parallelExecutor));
         probeList.add(new CcaSupportProbe(config, parallelExecutor));
         probeList.add(new CcaRequiredProbe(config, parallelExecutor));
         probeList.add(new CcaProbe(config, parallelExecutor));

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/config/ScannerConfig.java

@@ -41,7 +41,7 @@ public class ScannerConfig extends TLSDelegateConfig {
     private ScannerDetail scanDetail = ScannerDetail.NORMAL;
 
     @Parameter(names = "-reportDetail", required = false, description = "How detailed do you want the report to be?")
-    private ScannerDetail reportDetail = ScannerDetail.ALL;
+    private ScannerDetail reportDetail = ScannerDetail.NORMAL;
 
     @Parameter(names = "-threads", required = false, description = "The maximum number of threads used to execute TLS probes located in the scanning queue. This is also the maximum number of threads communicating with the analyzed server.")
     private int overallThreads = 1;

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/CiphersuiteProbe.java

@@ -16,13 +16,16 @@
 import de.rub.nds.tlsattacker.core.constants.NamedGroup;
 import de.rub.nds.tlsattacker.core.constants.ProtocolMessageType;
 import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
+import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
 import de.rub.nds.tlsattacker.core.protocol.message.AlertMessage;
 import de.rub.nds.tlsattacker.core.state.State;
 import de.rub.nds.tlsattacker.core.workflow.ParallelExecutor;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
 import de.rub.nds.tlsscanner.serverscanner.config.ScannerConfig;
 import de.rub.nds.tlsscanner.serverscanner.constants.ProbeType;
+import de.rub.nds.tlsscanner.serverscanner.rating.TestResult;
+import de.rub.nds.tlsscanner.serverscanner.report.AnalyzedProperty;
 import de.rub.nds.tlsscanner.serverscanner.report.SiteReport;
 import de.rub.nds.tlsscanner.serverscanner.report.result.CiphersuiteProbeResult;
 import de.rub.nds.tlsscanner.serverscanner.report.result.ProbeResult;
@@ -39,10 +42,6 @@ public class CiphersuiteProbe extends TlsProbe {
     public CiphersuiteProbe(ScannerConfig config, ParallelExecutor parallelExecutor) {
         super(parallelExecutor, ProbeType.CIPHERSUITE, config);
         protocolVersions = new LinkedList<>();
-        protocolVersions.add(ProtocolVersion.SSL3);
-        protocolVersions.add(ProtocolVersion.TLS10);
-        protocolVersions.add(ProtocolVersion.TLS11);
-        protocolVersions.add(ProtocolVersion.TLS12);
     }
 
     @Override
@@ -51,33 +50,97 @@ public ProbeResult executeTest() {
             List<VersionSuiteListPair> pairLists = new LinkedList<>();
             for (ProtocolVersion version : protocolVersions) {
                 LOGGER.debug("Testing:" + version.name());
-                List<CipherSuite> toTestList = new LinkedList<>();
-                List<CipherSuite> versionSupportedSuites = new LinkedList<>();
-                if (version == ProtocolVersion.SSL3) {
-                    toTestList.addAll(CipherSuite.SSL3_SUPPORTED_CIPHERSUITES);
-                    versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(toTestList, version);
+                if (version.isTLS13()) {
+                    pairLists.add(new VersionSuiteListPair(version, getSupportedCiphersuites()));
                 } else {
-                    toTestList.addAll(Arrays.asList(CipherSuite.values()));
-                    toTestList.remove(CipherSuite.TLS_FALLBACK_SCSV);
-                    toTestList.remove(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
-                    versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(toTestList, version);
-                    if (versionSupportedSuites.isEmpty()) {
-                        versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(version);
+                    List<CipherSuite> toTestList = new LinkedList<>();
+                    List<CipherSuite> versionSupportedSuites = new LinkedList<>();
+                    if (version == ProtocolVersion.SSL3) {
+                        toTestList.addAll(CipherSuite.SSL3_SUPPORTED_CIPHERSUITES);
+                        versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(toTestList, version);
+                    } else {
+                        toTestList.addAll(Arrays.asList(CipherSuite.values()));
+                        toTestList.remove(CipherSuite.TLS_FALLBACK_SCSV);
+                        toTestList.remove(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+                        versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(toTestList, version);
+                        if (versionSupportedSuites.isEmpty()) {
+                            versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(version);
+                        }
+                    }
+                    if (versionSupportedSuites.size() > 0) {
+                        pairLists.add(new VersionSuiteListPair(version, versionSupportedSuites));
                     }
                 }
-                if (versionSupportedSuites.size() > 0) {
-                    pairLists.add(new VersionSuiteListPair(version, versionSupportedSuites));
-                }
-
             }
-
             return new CiphersuiteProbeResult(pairLists);
         } catch (Exception E) {
             LOGGER.error("Could not scan for " + getProbeName(), E);
             return new CiphersuiteProbeResult(null);
         }
     }
 
+    private List<CipherSuite> getSupportedCiphersuites() {
+        CipherSuite selectedSuite = null;
+        List<CipherSuite> toTestList = new LinkedList<>();
+        List<CipherSuite> supportedSuits = new LinkedList<>();
+        for (CipherSuite suite : CipherSuite.values()) {
+            if (suite.isTLS13()) {
+                toTestList.add(suite);
+            }
+        }
+        do {
+            selectedSuite = getSelectedCiphersuite(toTestList);
+
+            if (selectedSuite != null) {
+                if (!toTestList.contains(selectedSuite)) {
+                    LOGGER.warn("Server chose a CipherSuite we did not propose!");
+                    // TODO write to sitereport
+                    break;
+                }
+                supportedSuits.add(selectedSuite);
+                toTestList.remove(selectedSuite);
+            }
+        } while (selectedSuite != null && !toTestList.isEmpty());
+        return supportedSuits;
+    }
+
+    private CipherSuite getSelectedCiphersuite(List<CipherSuite> toTestList) {
+        Config tlsConfig = getScannerConfig().createConfig();
+        tlsConfig.setQuickReceive(true);
+        tlsConfig.setDefaultClientSupportedCiphersuites(toTestList);
+        tlsConfig.setHighestProtocolVersion(ProtocolVersion.TLS13);
+        tlsConfig.setSupportedVersions(ProtocolVersion.TLS13);
+        tlsConfig.setEnforceSettings(false);
+        tlsConfig.setEarlyStop(true);
+        tlsConfig.setStopReceivingAfterFatal(true);
+        tlsConfig.setStopActionsAfterFatal(true);
+        tlsConfig.setWorkflowTraceType(WorkflowTraceType.HELLO);
+        tlsConfig.setDefaultClientNamedGroups(NamedGroup.getImplemented());
+        tlsConfig.setAddECPointFormatExtension(false);
+        tlsConfig.setAddEllipticCurveExtension(true);
+        tlsConfig.setAddSignatureAndHashAlgorithmsExtension(true);
+        tlsConfig.setAddSupportedVersionsExtension(true);
+        tlsConfig.setAddKeyShareExtension(true);
+        tlsConfig.setAddServerNameIndicationExtension(true);
+        tlsConfig.setAddCertificateStatusRequestExtension(true);
+        tlsConfig.setUseFreshRandom(true);
+        tlsConfig.setDefaultClientSupportedSignatureAndHashAlgorithms(SignatureAndHashAlgorithm
+                .getTls13SignatureAndHashAlgorithms());
+
+        State state = new State(tlsConfig);
+        executeState(state);
+        if (WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.SERVER_HELLO, state.getWorkflowTrace())) {
+            return state.getTlsContext().getSelectedCipherSuite();
+        } else if (WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.HELLO_RETRY_REQUEST,
+                state.getWorkflowTrace())) {
+            return state.getTlsContext().getSelectedCipherSuite();
+        } else {
+            LOGGER.debug("Did not receive ServerHello Message");
+            LOGGER.debug(state.getWorkflowTrace().toString());
+            return null;
+        }
+    }
+
     public List<CipherSuite> getSupportedCipherSuitesWithIntolerance(ProtocolVersion version) {
         return getSupportedCipherSuitesWithIntolerance(new ArrayList<>(CipherSuite.getImplemented()), version);
     }
@@ -149,11 +212,30 @@ public List<CipherSuite> getSupportedCipherSuitesWithIntolerance(List<CipherSuit
 
     @Override
     public boolean canBeExecuted(SiteReport report) {
-        return true;
+        if (report.isProbeAlreadyExecuted(ProbeType.PROTOCOL_VERSION)) {
+            return true;
+        } else {
+            return false;
+        }
     }
 
     @Override
     public void adjustConfig(SiteReport report) {
+        if (report.getResult(AnalyzedProperty.SUPPORTS_SSL_3) == TestResult.TRUE) {
+            protocolVersions.add(ProtocolVersion.SSL3);
+        }
+        if (report.getResult(AnalyzedProperty.SUPPORTS_TLS_1_0) == TestResult.TRUE) {
+            protocolVersions.add(ProtocolVersion.TLS10);
+        }
+        if (report.getResult(AnalyzedProperty.SUPPORTS_TLS_1_1) == TestResult.TRUE) {
+            protocolVersions.add(ProtocolVersion.TLS11);
+        }
+        if (report.getResult(AnalyzedProperty.SUPPORTS_TLS_1_2) == TestResult.TRUE) {
+            protocolVersions.add(ProtocolVersion.TLS12);
+        }
+        if (report.getResult(AnalyzedProperty.SUPPORTS_TLS_1_3) == TestResult.TRUE) {
+            protocolVersions.add(ProtocolVersion.TLS13);
+        }
     }
 
     @Override

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/CompressionsProbe.java

@@ -100,16 +100,6 @@ private CompressionMethod testCompressionMethods(List<CompressionMethod> compres
         }
     }
 
-    private List<CipherSuite> getEcCiphersuites() {
-        List<CipherSuite> suiteList = new LinkedList<>();
-        for (CipherSuite suite : CipherSuite.values()) {
-            if (suite.name().contains("ECDH")) {
-                suiteList.add(suite);
-            }
-        }
-        return suiteList;
-    }
-
     @Override
     public boolean canBeExecuted(SiteReport report) {
         return true;

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/DirectRaccoonProbe.java

@@ -76,7 +76,7 @@ public ProbeResult executeTest() {
             return new DirectRaccoonResult(testResultList);
         } catch (Exception E) {
             LOGGER.error("Could not scan for " + getProbeName(), E);
-            return new DirectRaccoonResult(null);
+            return new DirectRaccoonResult(TestResult.ERROR_DURING_TEST);
         }
     }
 
@@ -189,6 +189,6 @@ public void adjustConfig(SiteReport report) {
 
     @Override
     public ProbeResult getCouldNotExecuteResult() {
-        return new DirectRaccoonResult(null);
+        return new DirectRaccoonResult(TestResult.COULD_NOT_TEST);
     }
 }