added property for servers that don't enforce ECDSA groups

Author: mmaehren

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/InvalidCurveProbe.java

@@ -49,9 +49,11 @@
 import de.rub.nds.tlsscanner.serverscanner.report.result.VersionSuiteListPair;
 import de.rub.nds.tlsscanner.serverscanner.vectorStatistics.DistributionTest;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 /**
  *
@@ -675,7 +677,7 @@ private boolean groupQualifiedForCiphersuite(NamedGroup testGroup, CipherSuite t
     }
 
     private List<NamedGroup> getRequiredGroups(NamedGroup testGroup, CipherSuite testCipher) {
-        List<NamedGroup> requiredGroups = new LinkedList<>();
+        Set<NamedGroup> requiredGroups = new HashSet<>();
         if (testCipher.isTLS13()) {
             if (namedCurveWitnessesTls13.get(testGroup).getEcdsaPkGroupEphemeral() != null
                     && namedCurveWitnessesTls13.get(testGroup).getEcdsaPkGroupEphemeral() != testGroup) {
@@ -688,27 +690,22 @@ private List<NamedGroup> getRequiredGroups(NamedGroup testGroup, CipherSuite tes
         } else {
             // RSA ciphersuites don't require any additional groups
             if (AlgorithmResolver.getKeyExchangeAlgorithm(testCipher) == KeyExchangeAlgorithm.ECDHE_ECDSA) {
-                if (namedCurveWitnesses.get(testGroup).getEcdsaPkGroupEphemeral() != null &&
-                        namedCurveWitnesses.get(testGroup).getEcdsaPkGroupEphemeral() != testGroup) {
+                if (namedCurveWitnesses.get(testGroup).getEcdsaPkGroupEphemeral() != null
+                        && namedCurveWitnesses.get(testGroup).getEcdsaPkGroupEphemeral() != testGroup) {
                     requiredGroups.add(namedCurveWitnesses.get(testGroup).getEcdsaPkGroupEphemeral());
                 }
                 if (namedCurveWitnesses.get(testGroup).getEcdsaSigGroupEphemeral() != null
                         && namedCurveWitnesses.get(testGroup).getEcdsaSigGroupEphemeral() != testGroup) {
                     requiredGroups.add(namedCurveWitnesses.get(testGroup).getEcdsaSigGroupEphemeral());
                 }
             } else if (AlgorithmResolver.getKeyExchangeAlgorithm(testCipher) == KeyExchangeAlgorithm.ECDH_ECDSA) {
-                if (namedCurveWitnesses.get(testGroup).getEcdsaPkGroupStatic() != null &&
-                        namedCurveWitnesses.get(testGroup).getEcdsaPkGroupStatic() != testGroup) {
-                    requiredGroups.add(namedCurveWitnesses.get(testGroup).getEcdsaPkGroupStatic());
-                }
                 if (namedCurveWitnesses.get(testGroup).getEcdsaSigGroupStatic() != null
                         && namedCurveWitnesses.get(testGroup).getEcdsaSigGroupStatic() != testGroup) {
                     requiredGroups.add(namedCurveWitnesses.get(testGroup).getEcdsaSigGroupStatic());
                 }
             }
         }
-        return requiredGroups;
-
+        return new LinkedList<>(requiredGroups);
     }
 
     private boolean benignHandshakeSuccessfull(InvalidCurveVector vector) {

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/NamedCurvesProbe.java

@@ -18,9 +18,6 @@
 import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
 import de.rub.nds.tlsattacker.core.protocol.message.ECDHEServerKeyExchangeMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.HandshakeMessage;
-import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage;
-import de.rub.nds.tlsattacker.core.protocol.message.extension.KeyShareExtensionMessage;
-import de.rub.nds.tlsattacker.core.protocol.message.extension.keyshare.KeyShareStoreEntry;
 import de.rub.nds.tlsattacker.core.state.State;
 import de.rub.nds.tlsattacker.core.state.TlsContext;
 import de.rub.nds.tlsattacker.core.workflow.ParallelExecutor;
@@ -55,7 +52,6 @@ public class NamedCurvesProbe extends TlsProbe {
     private boolean testUsingTls13 = true;
 
     // curves used for ecdsa in key exchange
-    private List<NamedGroup> ecdsaPkGroupsStatic;
     private List<NamedGroup> ecdsaPkGroupsEphemeral;
     private List<NamedGroup> ecdsaPkGroupsTls13;
 
@@ -64,6 +60,8 @@ public class NamedCurvesProbe extends TlsProbe {
     private List<NamedGroup> ecdsaCertSigGroupsEphemeral;
     private List<NamedGroup> ecdsaCertSigGroupsTls13;
 
+    private TestResult ignoresEcdsaGroupDisparity = TestResult.FALSE;
+
     public NamedCurvesProbe(ScannerConfig config, ParallelExecutor parallelExecutor) {
         super(parallelExecutor, ProbeType.NAMED_GROUPS, config);
     }
@@ -83,7 +81,7 @@ public ProbeResult executeTest() {
                 groupsRsa = getSupportedNamedGroupsRsa();
             }
             if (testUsingEcdsaStatic) {
-                groupsEcdsaStatic = getSupportedNamedGroupsEcdsa(getEcdsaStaticCiphersuites(), ecdsaPkGroupsStatic,
+                groupsEcdsaStatic = getSupportedNamedGroupsEcdsa(getEcdsaStaticCiphersuites(), null,
                         ecdsaCertSigGroupsStatic);
             }
             if (testUsingEcdsaEphemeral) {
@@ -101,7 +99,7 @@ public ProbeResult executeTest() {
                     groupsEcdsaStatic, groupsEcdsaEphemeral);
 
             return new NamedGroupResult(overallSupported, groupsTls13, supportsExplicitPrime, supportsExplicitChar2,
-                    groupsDependOnCiphersuite);
+                    groupsDependOnCiphersuite, ignoresEcdsaGroupDisparity);
         } catch (Exception E) {
             LOGGER.error("Could not scan for " + getProbeName(), E);
             return getCouldNotExecuteResult();
@@ -140,54 +138,57 @@ private Map<NamedGroup, NamedCurveWitness> getSupportedNamedGroupsEcdsa(List<Cip
         Config tlsConfig = getBasicConfig();
         tlsConfig.setDefaultClientSupportedCiphersuites(cipherSuites);
         List<NamedGroup> toTestList = new ArrayList<>(Arrays.asList(NamedGroup.values()));
+
+        TlsContext context;
+        NamedGroup selectedGroup = null;
+        NamedGroup certificateGroup = null;
+        NamedGroup certificateSigGroup = null;
+        // place signing groups at the bottom of the list, the server should
+        // choose
+        // all other first
         if (pkGroups != null) {
-            TlsContext context;
-            NamedGroup selectedGroup = null;
-            NamedGroup certificateGroup = null;
-            NamedGroup certificateSigGroup = null;
-            // place signing groups at the bottom of the list, the server should
-            // choose
-            // all other first
             placeRequiredGroupsLast(toTestList, pkGroups);
-            if (sigGroups != null) {
-                placeRequiredGroupsLast(toTestList, sigGroups);
-            }
-
-            do {
-                context = testCurves(toTestList, tlsConfig);
+        }
+        if (sigGroups != null) {
+            placeRequiredGroupsLast(toTestList, sigGroups);
+        }
 
-                if (context != null) {
+        do {
+            context = testCurves(toTestList, tlsConfig);
 
-                    selectedGroup = context.getSelectedGroup();
-                    certificateGroup = context.getEcCertificateCurve();
-                    certificateSigGroup = context.getEcCertificateSignatureCurve();
+            if (context != null) {
 
-                    // remove groups that are not required by the server even
-                    // if they are used for the certificate or KEX signature
-                    if (!toTestList.contains(certificateGroup)) {
-                        certificateGroup = null;
-                    }
-                    if (!toTestList.contains(certificateSigGroup)) {
-                        certificateSigGroup = null;
-                    }
+                selectedGroup = context.getSelectedGroup();
+                certificateGroup = context.getEcCertificateCurve();
+                certificateSigGroup = context.getEcCertificateSignatureCurve();
 
-                    if (!toTestList.contains(selectedGroup)) {
-                        LOGGER.debug("Server chose a Curve we did not offer!");
-                        break;
-                    }
-                    if (cipherSuites.get(0).isEphemeral()) {
-                        namedCurveMap.put(selectedGroup, new NamedCurveWitness(null, certificateGroup, null,
-                                certificateSigGroup, context.getSelectedCipherSuite()));
-                    } else {
-                        namedCurveMap.put(selectedGroup, new NamedCurveWitness(certificateGroup, null,
-                                certificateSigGroup, null, context.getSelectedCipherSuite()));
+                // remove groups that are not required by the server even
+                // if they are used for the certificate or KEX signature
+                if (!toTestList.contains(certificateGroup) && certificateSigGroup != null) {
+                    ignoresEcdsaGroupDisparity = TestResult.TRUE;
+                    certificateGroup = null;
+                }
+                if (!toTestList.contains(certificateSigGroup) && certificateSigGroup != null) {
+                    ignoresEcdsaGroupDisparity = TestResult.TRUE;
+                    certificateSigGroup = null;
+                }
 
-                    }
+                if (!toTestList.contains(selectedGroup)) {
+                    LOGGER.debug("Server chose a Curve we did not offer!");
+                    break;
+                }
+                if (cipherSuites.get(0).isEphemeral()) {
+                    namedCurveMap.put(selectedGroup, new NamedCurveWitness(certificateGroup, null, certificateSigGroup,
+                            context.getSelectedCipherSuite()));
+                } else {
+                    namedCurveMap.put(selectedGroup,
+                            new NamedCurveWitness(null, certificateSigGroup, null, context.getSelectedCipherSuite()));
 
-                    toTestList.remove(selectedGroup);
                 }
-            } while (context != null && toTestList.size() > 0);
-        }
+
+                toTestList.remove(selectedGroup);
+            }
+        } while (context != null && toTestList.size() > 0);
         return namedCurveMap;
     }
 
@@ -276,7 +277,6 @@ public void adjustConfig(SiteReport report) {
         if (report.getResult(AnalyzedProperty.SUPPORTS_TLS_1_3) != TestResult.TRUE) {
             testUsingTls13 = false;
         }
-        ecdsaPkGroupsStatic = report.getEcdsaPkGroupsStatic();
         ecdsaPkGroupsEphemeral = report.getEcdsaPkGroupsEphemeral();
         ecdsaPkGroupsTls13 = report.getEcdsaPkGroupsTls13();
 
@@ -288,7 +288,7 @@ public void adjustConfig(SiteReport report) {
     @Override
     public ProbeResult getCouldNotExecuteResult() {
         return new NamedGroupResult(new HashMap<>(), new HashMap<>(), TestResult.COULD_NOT_TEST,
-                TestResult.COULD_NOT_TEST, TestResult.COULD_NOT_TEST);
+                TestResult.COULD_NOT_TEST, TestResult.COULD_NOT_TEST, TestResult.COULD_NOT_TEST);
     }
 
     private TestResult getExplicitCurveSupport(EllipticCurveType curveType) {
@@ -377,11 +377,13 @@ private Map<NamedGroup, NamedCurveWitness> getTls13SupportedGroups() {
                 certificateGroup = context.getEcCertificateCurve();
                 certificateSigGroup = context.getEcCertificateSignatureCurve();
 
-                if (!toTestList.contains(certificateGroup)) {
+                if (!toTestList.contains(certificateGroup) && certificateGroup != null) {
+                    ignoresEcdsaGroupDisparity = TestResult.TRUE;
                     certificateGroup = null;
                 }
 
-                if (!toTestList.contains(certificateSigGroup)) {
+                if (!toTestList.contains(certificateSigGroup) && certificateSigGroup != null) {
+                    ignoresEcdsaGroupDisparity = TestResult.TRUE;
                     certificateSigGroup = null;
                 }
 
@@ -391,8 +393,8 @@ private Map<NamedGroup, NamedCurveWitness> getTls13SupportedGroups() {
                     break;
                 }
 
-                namedCurveMap.put(selectedGroup, new NamedCurveWitness(null, certificateGroup, null,
-                        certificateSigGroup, context.getSelectedCipherSuite()));
+                namedCurveMap.put(selectedGroup, new NamedCurveWitness(certificateGroup, null, certificateSigGroup,
+                        context.getSelectedCipherSuite()));
                 toTestList.remove(selectedGroup);
             }
         } while (context != null && !toTestList.isEmpty());
@@ -461,7 +463,6 @@ private Map<NamedGroup, NamedCurveWitness> composeFullMap(Map<NamedGroup, NamedC
             }
             if (groupsEcdsaStatic.containsKey(group)) {
                 witness.getCipherSuites().addAll(groupsEcdsaStatic.get(group).getCipherSuites());
-                witness.setEcdsaPkGroupStatic(groupsEcdsaStatic.get(group).getEcdsaPkGroupStatic());
                 witness.setEcdsaSigGroupStatic(groupsEcdsaStatic.get(group).getEcdsaSigGroupStatic());
             }
             if (groupsEcdsaEphemeral.containsKey(group)) {

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/namedcurve/NamedCurveWitness.java

@@ -21,7 +21,6 @@ public class NamedCurveWitness {
     private Set<CipherSuite> cipherSuites;
 
     // the curves used to generate an ecdsa sig inside the key ex. message
-    private NamedGroup ecdsaPkGroupStatic;
     private NamedGroup ecdsaPkGroupEphemeral;
 
     // the curve used to sign the cert that bears the server's signing key
@@ -32,9 +31,8 @@ public NamedCurveWitness() {
         cipherSuites = new HashSet<>();
     }
 
-    public NamedCurveWitness(NamedGroup ecdsaPkGroupStatic, NamedGroup ecdsaPkGroupEphemeral,
-            NamedGroup ecdsaSigGroupStatic, NamedGroup ecdsaSigGroupEphemeral, CipherSuite cipherSuite) {
-        this.ecdsaPkGroupStatic = ecdsaPkGroupStatic;
+    public NamedCurveWitness(NamedGroup ecdsaPkGroupEphemeral, NamedGroup ecdsaSigGroupStatic,
+            NamedGroup ecdsaSigGroupEphemeral, CipherSuite cipherSuite) {
         this.ecdsaPkGroupEphemeral = ecdsaPkGroupEphemeral;
         this.ecdsaSigGroupStatic = ecdsaSigGroupStatic;
         this.ecdsaSigGroupEphemeral = ecdsaSigGroupEphemeral;
@@ -47,10 +45,6 @@ public NamedCurveWitness(CipherSuite cipherSuite) {
         cipherSuites.add(cipherSuite);
     }
 
-    public NamedGroup getEcdsaPkGroupStatic() {
-        return ecdsaPkGroupStatic;
-    }
-
     public NamedGroup getEcdsaPkGroupEphemeral() {
         return ecdsaPkGroupEphemeral;
     }
@@ -93,10 +87,6 @@ public boolean isFoundUsingEcdsaEphemeralCipher() {
         return false;
     }
 
-    public void setEcdsaPkGroupStatic(NamedGroup ecdsaPkGroupStatic) {
-        this.ecdsaPkGroupStatic = ecdsaPkGroupStatic;
-    }
-
     public void setEcdsaPkGroupEphemeral(NamedGroup ecdsaPkGroupEphemeral) {
         this.ecdsaPkGroupEphemeral = ecdsaPkGroupEphemeral;
     }

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/AnalyzedProperty.java

@@ -179,6 +179,10 @@ public enum AnalyzedProperty {
      * does it ignore the sig hash algorithms
      */
     IGNORES_OFFERED_SIG_HASH_ALGOS(AnalyzedPropertyCategory.QUIRKS),
+    /**
+     * does it accept that named groups for ecdsa are missing
+     */
+    IGNORES_ECDSA_GROUP_DISPARITY(AnalyzedPropertyCategory.QUIRKS),
     VULNERABLE_TO_SESSION_TICKET_ZERO_KEY(AnalyzedPropertyCategory.ATTACKS),
     VULNERABLE_TO_DIRECT_RACCOON(AnalyzedPropertyCategory.ATTACKS),
     VULNERABLE_TO_BLEICHENBACHER(AnalyzedPropertyCategory.ATTACKS),

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/SiteReportPrinter.java

@@ -1584,26 +1584,25 @@ public StringBuilder appendCurves(StringBuilder builder) {
                         builder.append("\n  ECDSA Required Groups:");
                         if (witness.getEcdsaPkGroupEphemeral() != null && witness.getEcdsaPkGroupEphemeral() != group) {
                             builder.append("\n    ").append(witness.getEcdsaPkGroupEphemeral())
-                                    .append(" (Ephemeral Certificate Public Key)");
+                                    .append(" (Certificate Public Key - Ephemeral Cipher Suite)");
                         }
                         if (witness.getEcdsaSigGroupEphemeral() != null && witness.getEcdsaSigGroupEphemeral() != group) {
                             builder.append("\n    ").append(witness.getEcdsaSigGroupEphemeral())
-                                    .append(" (Ephemeral Certificate Signature)");
-                        }
-                        if (witness.getEcdsaPkGroupStatic() != null && witness.getEcdsaPkGroupStatic() != group) {
-                            builder.append("\n    ").append(witness.getEcdsaPkGroupStatic())
-                                    .append(" (Static Certificate Public Key)");
+                                    .append(" (Certificate Signature  - Ephemeral Cipher Suite)");
                         }
                         if (witness.getEcdsaSigGroupStatic() != null && witness.getEcdsaSigGroupStatic() != group) {
                             builder.append("\n    ").append(witness.getEcdsaSigGroupStatic())
-                                    .append(" (Static Certificate Signature)");
+                                    .append(" (Certificate Signature  - Static Cipher Suite)");
                         }
                     }
                     builder.append("\n");
                 }
                 if (report.getResult(AnalyzedProperty.GROUPS_DEPEND_ON_CIPHER) == TestResult.TRUE) {
                     prettyAppend(builder, "Not all Groups are supported for all Cipher Suites");
                 }
+                if (report.getResult(AnalyzedProperty.IGNORES_ECDSA_GROUP_DISPARITY) == TestResult.TRUE) {
+                    prettyAppend(builder, "Groups required for ECDSA validation are not enforced", AnsiColor.YELLOW);
+                }
             } else {
                 builder.append("none\n");
             }

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/result/NamedGroupResult.java

@@ -30,16 +30,19 @@ public class NamedGroupResult extends ProbeResult {
     private final TestResult supportsExplicitPrime;
     private final TestResult supportsExplicitChar2;
     private final TestResult groupsDependOnCiphersuite;
+    private final TestResult ignoresEcdsaGroupDisparity;
 
     public NamedGroupResult(Map<NamedGroup, NamedCurveWitness> namedGroupsMap,
             Map<NamedGroup, NamedCurveWitness> namedGroupsMapTls13, TestResult supportsExplicitPrime,
-            TestResult supportsExplicitChar2, TestResult groupsDependOnCiphersuite) {
+            TestResult supportsExplicitChar2, TestResult groupsDependOnCiphersuite,
+            TestResult ignoresEcdsaGroupDisparity) {
         super(ProbeType.NAMED_GROUPS);
         this.namedGroupsMap = namedGroupsMap;
         this.namedGroupsMapTls13 = namedGroupsMapTls13;
         this.supportsExplicitPrime = supportsExplicitPrime;
         this.supportsExplicitChar2 = supportsExplicitChar2;
         this.groupsDependOnCiphersuite = groupsDependOnCiphersuite;
+        this.ignoresEcdsaGroupDisparity = ignoresEcdsaGroupDisparity;
     }
 
     @Override
@@ -61,6 +64,7 @@ public void mergeData(SiteReport report) {
         report.putResult(AnalyzedProperty.SUPPORTS_EXPLICIT_PRIME_CURVE, supportsExplicitPrime);
         report.putResult(AnalyzedProperty.SUPPORTS_EXPLICIT_CHAR2_CURVE, supportsExplicitChar2);
         report.putResult(AnalyzedProperty.GROUPS_DEPEND_ON_CIPHER, groupsDependOnCiphersuite);
+        report.putResult(AnalyzedProperty.IGNORES_ECDSA_GROUP_DISPARITY, ignoresEcdsaGroupDisparity);
     }
 
 }