Merge branch 'main' into fix/httpHeaderCaseInsensitivity

Author: mmaehren

TLS-Client-Scanner/src/main/java/de/rub/nds/tlsscanner/clientscanner/probe/DheParameterProbe.java

@@ -58,7 +58,9 @@ public DheParameterProbe(ParallelExecutor parallelExecutor, ClientScannerConfig
         super(parallelExecutor, TlsProbeType.DHE_PARAMETERS, scannerConfig);
         register(
                 TlsAnalyzedProperty.SUPPORTS_MODULUS_ONE,
+                TlsAnalyzedProperty.SUPPORTS_MODULUS_ZERO,
                 TlsAnalyzedProperty.SUPPORTS_GENERATOR_ONE,
+                TlsAnalyzedProperty.SUPPORTS_GENERATOR_ZERO,
                 TlsAnalyzedProperty.SUPPORTS_MOD3_MODULUS,
                 TlsAnalyzedProperty.SUPPORTS_EVEN_MODULUS,
                 TlsAnalyzedProperty.LOWEST_POSSIBLE_DHE_MODULUS_SIZE,
@@ -212,8 +214,12 @@ private HashMap<SmallSubgroupType, TlsAnalyzedProperty> getSmallSubgroupTypeMap(
         HashMap<SmallSubgroupType, TlsAnalyzedProperty> smallSubgroupTypeMap = new HashMap<>();
         smallSubgroupTypeMap.put(
                 SmallSubgroupType.MODULUS_ONE, TlsAnalyzedProperty.SUPPORTS_MODULUS_ONE);
+        smallSubgroupTypeMap.put(
+                SmallSubgroupType.MODULUS_ZERO, TlsAnalyzedProperty.SUPPORTS_MODULUS_ZERO);
         smallSubgroupTypeMap.put(
                 SmallSubgroupType.GENERATOR_ONE, TlsAnalyzedProperty.SUPPORTS_GENERATOR_ONE);
+        smallSubgroupTypeMap.put(
+                SmallSubgroupType.GENERATOR_ZERO, TlsAnalyzedProperty.SUPPORTS_GENERATOR_ZERO);
         return smallSubgroupTypeMap;
     }
 

TLS-Scanner-Core/src/main/java/de/rub/nds/tlsscanner/core/constants/TlsAnalyzedProperty.java

@@ -319,7 +319,9 @@ public enum TlsAnalyzedProperty implements AnalyzedProperty {
     SUPPORTS_EVEN_MODULUS(TlsAnalyzedPropertyCategory.FFDHE),
     SUPPORTS_MOD3_MODULUS(TlsAnalyzedPropertyCategory.FFDHE),
     SUPPORTS_MODULUS_ONE(TlsAnalyzedPropertyCategory.FFDHE),
+    SUPPORTS_MODULUS_ZERO(TlsAnalyzedPropertyCategory.FFDHE),
     SUPPORTS_GENERATOR_ONE(TlsAnalyzedPropertyCategory.FFDHE),
+    SUPPORTS_GENERATOR_ZERO(TlsAnalyzedPropertyCategory.FFDHE),
     WEAKEST_DH_STRENGTH(TlsAnalyzedPropertyCategory.FFDHE),
     /** DTLS */
     SUPPORTS_DTLS_FRAGMENTATION(TlsAnalyzedPropertyCategory.QUIRKS),

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/EsniProbe.java

@@ -20,6 +20,8 @@
 import de.rub.nds.tlsattacker.core.state.State;
 import de.rub.nds.tlsattacker.core.workflow.ParallelExecutor;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceResultUtil;
+import de.rub.nds.tlsattacker.core.workflow.action.EsniKeyDnsRequestAction;
+import de.rub.nds.tlsattacker.core.workflow.action.TlsAction;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
 import de.rub.nds.tlsscanner.core.constants.ProtocolType;
 import de.rub.nds.tlsscanner.core.constants.TlsAnalyzedProperty;
@@ -49,6 +51,8 @@ protected void executeTest() {
         tlsConfig.setDefaultClientKeyShareNamedGroups(NamedGroup.ECDH_X25519);
         State state = new State(tlsConfig);
         executeState(state);
+        TlsAction firstFailedAction =
+                WorkflowTraceResultUtil.getFirstFailedAction(state.getWorkflowTrace());
 
         TlsContext context = state.getTlsContext();
         boolean isDnsKeyRecordAvailable = context.getEsniRecordBytes() != null;
@@ -57,7 +61,8 @@ protected void executeTest() {
                         && Arrays.equals(
                                 context.getEsniServerNonce(), context.getEsniClientNonce());
         if (!WorkflowTraceResultUtil.didReceiveMessage(
-                state.getWorkflowTrace(), HandshakeMessageType.SERVER_HELLO)) {
+                        state.getWorkflowTrace(), HandshakeMessageType.SERVER_HELLO)
+                && !EsniKeyDnsRequestAction.class.equals(firstFailedAction.getClass())) {
             receivedCorrectNonce = TestResults.ERROR_DURING_TEST;
         } else if (isDnsKeyRecordAvailable && isReceivedCorrectNonce) {
             receivedCorrectNonce = TestResults.TRUE;

TLS-Server-Scanner/src/main/resources/configs/default.config

@@ -357,7 +357,6 @@
         <defaultClientSupportedCipherSuite>TLS_PSK_WITH_AES_256_CCM_8</defaultClientSupportedCipherSuite>
         <defaultClientSupportedCipherSuite>TLS_PSK_DHE_WITH_AES_128_CCM_8</defaultClientSupportedCipherSuite>
         <defaultClientSupportedCipherSuite>TLS_PSK_DHE_WITH_AES_256_CCM_8</defaultClientSupportedCipherSuite>
-        <defaultClientSupportedCipherSuite>TLS_PSK_DHE_WITH_AES_256_CCM_80</defaultClientSupportedCipherSuite>
         <defaultClientSupportedCipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CCM</defaultClientSupportedCipherSuite>
         <defaultClientSupportedCipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_CCM</defaultClientSupportedCipherSuite>
         <defaultClientSupportedCipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8</defaultClientSupportedCipherSuite>

TLS-Server-Scanner/src/main/resources/extracted_client_configs/client_BEARSSL_0.4.config

@@ -236,7 +236,6 @@
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_128_CCM_8</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_8</defaultServerSupportedCipherSuites>
-        <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_80</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_3DES_EDE_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA256</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CCM</defaultServerSupportedCipherSuites>

TLS-Server-Scanner/src/main/resources/extracted_client_configs/client_BORINGSSL_2272.config

@@ -232,7 +232,6 @@
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_128_CCM_8</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_8</defaultServerSupportedCipherSuites>
-        <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_80</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_3DES_EDE_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA256</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CCM</defaultServerSupportedCipherSuites>

TLS-Server-Scanner/src/main/resources/extracted_client_configs/client_BORINGSSL_2311.config

@@ -232,7 +232,6 @@
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_128_CCM_8</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_8</defaultServerSupportedCipherSuites>
-        <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_80</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_3DES_EDE_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA256</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CCM</defaultServerSupportedCipherSuites>

TLS-Server-Scanner/src/main/resources/extracted_client_configs/client_BORINGSSL_2357.config

@@ -232,7 +232,6 @@
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_128_CCM_8</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_8</defaultServerSupportedCipherSuites>
-        <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_80</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_3DES_EDE_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA256</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CCM</defaultServerSupportedCipherSuites>

TLS-Server-Scanner/src/main/resources/extracted_client_configs/client_BORINGSSL_2490.config

@@ -231,7 +231,6 @@
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_128_CCM_8</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_8</defaultServerSupportedCipherSuites>
-        <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_80</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_3DES_EDE_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA256</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CCM</defaultServerSupportedCipherSuites>

TLS-Server-Scanner/src/main/resources/extracted_client_configs/client_BORINGSSL_2564.config

@@ -230,7 +230,6 @@
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_128_CCM_8</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_8</defaultServerSupportedCipherSuites>
-        <defaultServerSupportedCipherSuites>TLS_PSK_DHE_WITH_AES_256_CCM_80</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_3DES_EDE_CBC_SHA</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CBC_SHA256</defaultServerSupportedCipherSuites>
         <defaultServerSupportedCipherSuites>TLS_PSK_WITH_AES_128_CCM</defaultServerSupportedCipherSuites>