Fixed various intolerances and bugs

Author: ic0ns

pom.xml

@@ -9,12 +9,12 @@
         <dependency>
             <groupId>de.rub.nds.tlsattacker</groupId>
             <artifactId>TLS-Core</artifactId>
-            <version>2.1</version>
+            <version>2.2</version>
         </dependency>
         <dependency>
             <groupId>de.rub.nds.tlsattacker</groupId>
             <artifactId>Attacks</artifactId>
-            <version>2.1</version>
+            <version>2.2</version>
         </dependency>
         <dependency>
             <groupId>junit</groupId>

src/main/java/de/rub/nds/tlsscanner/config/ScannerConfig.java

@@ -76,8 +76,9 @@ public void setImplementation(boolean implementation) {
 
     @Override
     public Config createConfig() {
-        Config config = super.createConfig(); //To change body of generated methods, choose Tools | Templates.
+        Config config = super.createConfig();
         config.setSniHostname(clientDelegate.getHost());
+        config.getDefaultClientConnection().setTimeout(1000);
         return config;
     }
 

src/main/java/de/rub/nds/tlsscanner/constants/ProbeType.java

@@ -28,4 +28,5 @@ public enum ProbeType {
     SIGNATURE_AND_HASH,
     EXTENSIONS,
     COMPRESSIONS,
+    INTOLERANCES,
 }

src/main/java/de/rub/nds/tlsscanner/probe/CertificateProbe.java

@@ -11,6 +11,7 @@
 import de.rub.nds.tlsscanner.constants.ProbeType;
 import de.rub.nds.tlsscanner.report.result.CertificateResult;
 import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.constants.CipherSuite;
 import de.rub.nds.tlsattacker.core.util.CertificateFetcher;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
 import de.rub.nds.tlsscanner.config.ScannerConfig;
@@ -37,9 +38,10 @@ public ProbeResult executeTest() {
         tlsConfig.setEarlyStop(true);
         tlsConfig.setWorkflowTraceType(WorkflowTraceType.HELLO);
         tlsConfig.setAddServerNameIndicationExtension(true);
+        tlsConfig.setDefaultClientSupportedCiphersuites(CipherSuite.values());
         tlsConfig.setStopActionsAfterFatal(true);
         Certificate serverCert = CertificateFetcher.fetchServerCertificate(tlsConfig);
         List<CertificateReport> reportList = CertificateReportGenerator.generateReports(serverCert);
-        return new CertificateResult(getType(), reportList);
+        return new CertificateResult(getType(), reportList, serverCert);
     }
 }

src/main/java/de/rub/nds/tlsscanner/probe/CiphersuiteProbe.java

@@ -27,6 +27,7 @@
 import de.rub.nds.tlsscanner.config.ScannerConfig;
 import de.rub.nds.tlsscanner.report.result.ProbeResult;
 import de.rub.nds.tlsscanner.report.result.VersionSuiteListPair;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
@@ -55,17 +56,25 @@ public ProbeResult executeTest() {
             List<CipherSuite> toTestList = new LinkedList<>();
             toTestList.addAll(Arrays.asList(CipherSuite.values()));
             toTestList.remove(CipherSuite.TLS_FALLBACK_SCSV);
-            List<CipherSuite> versionSupportedSuites = getSupportedCipherSuitesFromList(toTestList, version);
+            List<CipherSuite> versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(toTestList, version);
+            if (versionSupportedSuites.isEmpty()) {
+                versionSupportedSuites = getSupportedCipherSuitesWithIntolerance(version);
+            }
             if (versionSupportedSuites.size() > 0) {
                 pairLists.add(new VersionSuiteListPair(version, versionSupportedSuites));
             }
+
         }
 
         return new CiphersuiteProbeResult(pairLists);
 
     }
 
-    public List<CipherSuite> getSupportedCipherSuitesFromList(List<CipherSuite> toTestList, ProtocolVersion version) {
+    public List<CipherSuite> getSupportedCipherSuitesWithIntolerance(ProtocolVersion version) {
+        return getSupportedCipherSuitesWithIntolerance(new ArrayList<>(CipherSuite.getImplemented()), version);
+    }
+
+    public List<CipherSuite> getSupportedCipherSuitesWithIntolerance(List<CipherSuite> toTestList, ProtocolVersion version) {
         List<CipherSuite> listWeSupport = new LinkedList<>(toTestList);
         List<CipherSuite> supported = new LinkedList<>();
 

src/main/java/de/rub/nds/tlsscanner/probe/ProtocolVersionProbe.java

@@ -70,17 +70,27 @@ public ProbeResult executeTest() {
         List<ProtocolVersion> supportedVersionList = new LinkedList<>();
         List<ProtocolVersion> unsupportedVersionList = new LinkedList<>();
         for (ProtocolVersion version : toTestList) {
-            if (isProtocolVersionSupported(version)) {
+            if (isProtocolVersionSupported(version, false)) {
 
                 supportedVersionList.add(version);
             } else {
                 unsupportedVersionList.add(version);
             }
         }
+        if (supportedVersionList.isEmpty()) {
+            unsupportedVersionList = new LinkedList<>();
+            for (ProtocolVersion version : toTestList) {
+                if (isProtocolVersionSupported(version, true)) {
+                    supportedVersionList.add(version);
+                } else {
+                    unsupportedVersionList.add(version);
+                }
+            }
+        }
         return new ProtocolVersionResult(supportedVersionList, unsupportedVersionList);
     }
 
-    public boolean isProtocolVersionSupported(ProtocolVersion toTest) {
+    public boolean isProtocolVersionSupported(ProtocolVersion toTest, boolean intolerance) {
         if (toTest == ProtocolVersion.SSL2) {
             return isSSL2Supported();
         }
@@ -89,8 +99,12 @@ public boolean isProtocolVersionSupported(ProtocolVersion toTest) {
         }
         Config tlsConfig = getScannerConfig().createConfig();
         List<CipherSuite> cipherSuites = new LinkedList<>();
-        cipherSuites.addAll(Arrays.asList(CipherSuite.values()));
-        cipherSuites.remove(CipherSuite.TLS_FALLBACK_SCSV);
+        if (intolerance) {
+            cipherSuites.addAll(CipherSuite.getImplemented());
+        } else {
+            cipherSuites.addAll(Arrays.asList(CipherSuite.values()));
+            cipherSuites.remove(CipherSuite.TLS_FALLBACK_SCSV);
+        }
         tlsConfig.setDefaultSelectedProtocolVersion(toTest);
         tlsConfig.setQuickReceive(true);
         tlsConfig.setDefaultClientSupportedCiphersuites(cipherSuites);
@@ -172,6 +186,7 @@ private boolean isTls13Supported(ProtocolVersion toTest) {
         tlsConfig.setAddSignatureAndHashAlgrorithmsExtension(true);
         tlsConfig.setAddSupportedVersionsExtension(true);
         tlsConfig.setAddKeyShareExtension(true);
+        tlsConfig.setAddServerNameIndicationExtension(true);
         tlsConfig.setUseRandomUnixTime(true);
         tlsConfig.setSupportedSignatureAndHashAlgorithms(getTls13SignatureAndHashAlgorithms());
         State state = new State(tlsConfig);

src/main/java/de/rub/nds/tlsscanner/report/SiteReport.java

@@ -162,6 +162,7 @@ public class SiteReport {
     private Boolean extensionIntolerance;
     private Boolean cipherSuiteIntolerance;
     private Boolean supportedCurvesIntolerance;
+    private Boolean clientHelloSizeIntolerance;
 
     public SiteReport(String host) {
         this.host = host;
@@ -1376,6 +1377,14 @@ public void setVersionSuitePairs(List<VersionSuiteListPair> versionSuitePairs) {
         this.versionSuitePairs = versionSuitePairs;
     }
 
+    public Boolean getClientHelloSizeIntolerance() {
+        return clientHelloSizeIntolerance;
+    }
+
+    public void setClientHelloSizeIntolerance(Boolean clientHelloSizeIntolerance) {
+        this.clientHelloSizeIntolerance = clientHelloSizeIntolerance;
+    }
+    
     @Override
     public String toString() {
         return getStringReport();

src/main/java/de/rub/nds/tlsscanner/report/result/CertificateResult.java

@@ -10,45 +10,48 @@
 import de.rub.nds.tlsscanner.probe.certificate.CertificateReport;
 import de.rub.nds.tlsscanner.report.SiteReport;
 import java.util.List;
+import org.bouncycastle.crypto.tls.Certificate;
 
 /**
  *
  * @author Robert Merget <[email protected]>
  */
 public class CertificateResult extends ProbeResult {
-    
+
     private List<CertificateReport> reportList;
-    
+
     private boolean expiredCertificates = false;
     private boolean notYetValidCertificates = false;
     private boolean weakHashAlgorithms = false;
     private boolean weakSignatureAlgorithms = false;
     private boolean matchesDomain = false;
     private boolean isTrusted = true;
     private boolean containsBlacklisted = false;
-    
-    public CertificateResult(ProbeType type, List<CertificateReport> reportList) {
+    private Certificate certs;
+
+    public CertificateResult(ProbeType type, List<CertificateReport> reportList, Certificate certs) {
         super(type);
         this.reportList = reportList;
+        this.certs = certs;
     }
-    
+
     @Override
     public void merge(SiteReport report) {
         report.setCertificateReports(reportList);
+        report.setCertificate(certs);
         for (CertificateReport certReport : reportList) {
             CertificateJudger judger = new CertificateJudger(certReport.getCertificate(), certReport, report.getHost());
             expiredCertificates |= judger.checkExpired();
             notYetValidCertificates |= judger.checkNotYetValid();
             weakHashAlgorithms |= judger.isWeakHashAlgo(certReport);
             weakSignatureAlgorithms |= judger.isWeakSigAlgo(certReport);
-            
-            
+
         }
         report.setCertificateExpired(expiredCertificates);
         report.setCertificateNotYetValid(notYetValidCertificates);
         report.setCertificateHasWeakHashAlgorithm(weakHashAlgorithms);
         report.setCertificateHasWeakSignAlgorithm(weakSignatureAlgorithms);
-        
+
     }
-    
+
 }

src/main/java/de/rub/nds/tlsscanner/report/result/ProtocolVersionResult.java

@@ -15,19 +15,22 @@
  * @author Robert Merget <[email protected]>
  */
 public class ProtocolVersionResult extends ProbeResult {
-
+    
     private final List<ProtocolVersion> supportedProtocolVersions;
-
+    
     private final List<ProtocolVersion> unsupportedProtocolVersions;
-
+    
     public ProtocolVersionResult(List<ProtocolVersion> supportedProtocolVersions, List<ProtocolVersion> unsupportedProtocolVersions) {
         super(ProbeType.CIPHERSUITE);
         this.supportedProtocolVersions = supportedProtocolVersions;
         this.unsupportedProtocolVersions = unsupportedProtocolVersions;
     }
-
+    
     @Override
     public void merge(SiteReport report) {
+        if (supportedProtocolVersions.size() > 0) {
+            report.setSupportsSslTls(true);
+        }
         report.setVersions(supportedProtocolVersions);
         for (ProtocolVersion version : supportedProtocolVersions) {
             if (version == ProtocolVersion.DTLS10) {
@@ -138,5 +141,5 @@ public void merge(SiteReport report) {
         }
         report.setVersions(supportedProtocolVersions);
     }
-
+    
 }