Cleaned up most of the signature and hash algorithm mess

Author: ic0ns

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/Config.java

@@ -195,7 +195,7 @@ public static Config createEmptyConfig() {
     /**
      * Which Signature and Hash algorithms we support
      */
-    private List<SignatureAndHashAlgorithm> supportedSignatureAndHashAlgorithms;
+    private List<SignatureAndHashAlgorithm> defaultClientSupportedSignatureAndHashAlgorithms;
 
     /**
      * Which Ciphersuites we support by default
@@ -852,8 +852,6 @@ public static Config createEmptyConfig() {
 
     private List<ECPointFormat> defaultClientSupportedPointFormats;
 
-    private List<SignatureAndHashAlgorithm> defaultClientSupportedSignatureAndHashAlgorithms;
-
     private List<SignatureAndHashAlgorithm> defaultServerSupportedSignatureAndHashAlgorithms;
 
     private SignatureAndHashAlgorithm defaultSelectedSignatureAndHashAlgorithm = SignatureAndHashAlgorithm.RSA_SHA1;
@@ -1124,8 +1122,8 @@ public static Config createEmptyConfig() {
         defaultServerConnection = new InboundConnection("server", 443, "localhost");
         workflowTraceType = WorkflowTraceType.HANDSHAKE;
 
-        supportedSignatureAndHashAlgorithms = new LinkedList<>();
-        supportedSignatureAndHashAlgorithms.addAll(SignatureAndHashAlgorithm.getImplemented());
+        defaultClientSupportedSignatureAndHashAlgorithms = new LinkedList<>();
+        defaultClientSupportedSignatureAndHashAlgorithms.addAll(SignatureAndHashAlgorithm.getImplemented());
         defaultClientSupportedCompressionMethods = new LinkedList<>();
         defaultClientSupportedCompressionMethods.add(CompressionMethod.NULL);
         defaultServerSupportedCompressionMethods = new LinkedList<>();
@@ -1938,21 +1936,6 @@ public final void setDefaultClientSNIEntries(SNIEntry... defaultClientSNIEntryLi
         this.defaultClientSNIEntryList = new ArrayList(Arrays.asList(defaultClientSNIEntryList));
     }
 
-    public List<SignatureAndHashAlgorithm> getDefaultClientSupportedSignatureAndHashAlgorithms() {
-        return defaultClientSupportedSignatureAndHashAlgorithms;
-    }
-
-    public void setDefaultClientSupportedSignatureAndHashAlgorithms(
-            List<SignatureAndHashAlgorithm> defaultClientSupportedSignatureAndHashAlgorithms) {
-        this.defaultClientSupportedSignatureAndHashAlgorithms = defaultClientSupportedSignatureAndHashAlgorithms;
-    }
-
-    public final void setDefaultClientSupportedSignatureAndHashAlgorithms(
-            SignatureAndHashAlgorithm... defaultClientSupportedSignatureAndHashAlgorithms) {
-        this.defaultClientSupportedSignatureAndHashAlgorithms = Arrays
-                .asList(defaultClientSupportedSignatureAndHashAlgorithms);
-    }
-
     public List<ECPointFormat> getDefaultServerSupportedPointFormats() {
         return defaultServerSupportedPointFormats;
     }
@@ -2285,18 +2268,19 @@ public void setClientAuthentication(Boolean clientAuthentication) {
         this.clientAuthentication = clientAuthentication;
     }
 
-    public List<SignatureAndHashAlgorithm> getSupportedSignatureAndHashAlgorithms() {
-        return supportedSignatureAndHashAlgorithms;
+    public List<SignatureAndHashAlgorithm> getDefaultClientSupportedSignatureAndHashAlgorithms() {
+        return defaultClientSupportedSignatureAndHashAlgorithms;
     }
 
-    public void setSupportedSignatureAndHashAlgorithms(
-            List<SignatureAndHashAlgorithm> supportedSignatureAndHashAlgorithms) {
-        this.supportedSignatureAndHashAlgorithms = supportedSignatureAndHashAlgorithms;
+    public void setDefaultClientSupportedSignatureAndHashAlgorithms(
+            List<SignatureAndHashAlgorithm> defaultClientSupportedSignatureAndHashAlgorithms) {
+        this.defaultClientSupportedSignatureAndHashAlgorithms = defaultClientSupportedSignatureAndHashAlgorithms;
     }
 
     public final void setSupportedSignatureAndHashAlgorithms(
             SignatureAndHashAlgorithm... supportedSignatureAndHashAlgorithms) {
-        this.supportedSignatureAndHashAlgorithms = new ArrayList(Arrays.asList(supportedSignatureAndHashAlgorithms));
+        this.defaultClientSupportedSignatureAndHashAlgorithms = new ArrayList(
+                Arrays.asList(supportedSignatureAndHashAlgorithms));
     }
 
     public List<ProtocolVersion> getSupportedVersions() {

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/delegate/SignatureAndHashAlgorithmDelegate.java

@@ -38,7 +38,8 @@ public void setSignatureAndHashAlgorithms(List<SignatureAndHashAlgorithm> signat
     public void applyDelegate(Config config) {
         if (signatureAndHashAlgorithms != null) {
             config.setAddSignatureAndHashAlgorithmsExtension(true);
-            config.setSupportedSignatureAndHashAlgorithms(signatureAndHashAlgorithms);
+            config.setDefaultClientSupportedSignatureAndHashAlgorithms(signatureAndHashAlgorithms);
+            config.setDefaultServerSupportedSignatureAndHashAlgorithms(signatureAndHashAlgorithms);
             config.setDefaultSelectedSignatureAndHashAlgorithm(signatureAndHashAlgorithms.get(0));
         }
     }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/CertificateRequestHandler.java

@@ -8,6 +8,7 @@
  */
 package de.rub.nds.tlsattacker.core.protocol.handler;
 
+import com.google.common.collect.Sets;
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.core.constants.ClientCertificateType;
 import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
@@ -16,6 +17,7 @@
 import de.rub.nds.tlsattacker.core.protocol.preparator.CertificateRequestPreparator;
 import de.rub.nds.tlsattacker.core.protocol.serializer.CertificateRequestSerializer;
 import de.rub.nds.tlsattacker.core.state.TlsContext;
+import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import org.apache.logging.log4j.LogManager;
@@ -49,6 +51,7 @@ public void adjustTLSContext(CertificateRequestMessage message) {
         adjustClientCertificateTypes(message);
         adjustDistinguishedNames(message);
         adjustServerSupportedSignatureAndHashAlgorithms(message);
+        adjustSelectedSignatureAndHashAlgorithm();
     }
 
     private void adjustServerSupportedSignatureAndHashAlgorithms(CertificateRequestMessage message) {
@@ -106,4 +109,19 @@ private List<SignatureAndHashAlgorithm> convertSignatureAndHashAlgorithms(byte[]
         }
         return list;
     }
+
+    private void adjustSelectedSignatureAndHashAlgorithm() {
+        if (Collections.disjoint(tlsContext.getChooser().getClientSupportedSignatureAndHashAlgorithms(), tlsContext
+                .getChooser().getServerSupportedSignatureAndHashAlgorithms())) {
+            LOGGER.warn("Client and Server have no signature and hash algorithm in common");
+        } else {
+            Sets.SetView<SignatureAndHashAlgorithm> intersection = Sets.intersection(
+                    Sets.newHashSet(tlsContext.getChooser().getClientSupportedSignatureAndHashAlgorithms()),
+                    Sets.newHashSet(tlsContext.getChooser().getServerSupportedSignatureAndHashAlgorithms()));
+            SignatureAndHashAlgorithm algo = (SignatureAndHashAlgorithm) intersection.toArray()[0];
+            tlsContext.setSelectedSignatureAndHashAlgorithm(algo);
+            LOGGER.debug("Adjusting selected signature and hash algorithm to: " + algo.name());
+
+        }
+    }
 }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/preparator/extension/SignatureAndHashAlgorithmsExtensionPreparator.java

@@ -47,7 +47,7 @@ private void prepareSignatureAndHashAlgorithms(SignatureAndHashAlgorithmsExtensi
 
     private byte[] createSignatureAndHashAlgorithmsArray() {
         ByteArrayOutputStream stream = new ByteArrayOutputStream();
-        for (SignatureAndHashAlgorithm algo : chooser.getConfig().getSupportedSignatureAndHashAlgorithms()) {
+        for (SignatureAndHashAlgorithm algo : chooser.getConfig().getDefaultClientSupportedSignatureAndHashAlgorithms()) {
             try {
                 stream.write(algo.getByteValue());
             } catch (IOException ex) {

TLS-Core/src/main/resources/default_config.xml

@@ -96,27 +96,27 @@
     </defaultServerConnection>
     <defaultRunningMode>CLIENT</defaultRunningMode>
     <clientAuthentication>false</clientAuthentication>
-    <supportedSignatureAndHashAlgorithms>DSA_MD5</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>DSA_SHA1</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>DSA_SHA224</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>DSA_SHA256</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>DSA_SHA384</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>DSA_SHA512</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>RSA_MD5</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>RSA_SHA1</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>RSA_SHA224</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>RSA_SHA256</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>RSA_SHA384</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>RSA_SHA512</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>ECDSA_MD5</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>ECDSA_SHA1</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>ECDSA_SHA224</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>ECDSA_SHA256</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>ECDSA_SHA384</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>ECDSA_SHA512</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>GOSTR34102001_GOSTR3411</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>GOSTR34102012_256_GOSTR34112012_256</supportedSignatureAndHashAlgorithms>
-    <supportedSignatureAndHashAlgorithms>GOSTR34102012_512_GOSTR34112012_512</supportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>DSA_MD5</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>DSA_SHA1</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>DSA_SHA224</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>DSA_SHA256</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>DSA_SHA384</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>DSA_SHA512</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>RSA_MD5</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>RSA_SHA1</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>RSA_SHA224</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>RSA_SHA256</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>RSA_SHA384</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>RSA_SHA512</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>ECDSA_MD5</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>ECDSA_SHA1</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>ECDSA_SHA224</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>ECDSA_SHA256</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>ECDSA_SHA384</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>ECDSA_SHA512</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>GOSTR34102001_GOSTR3411</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>GOSTR34102012_256_GOSTR34112012_256</defaultClientSupportedSignatureAndHashAlgorithms>
+    <defaultClientSupportedSignatureAndHashAlgorithms>GOSTR34102012_512_GOSTR34112012_512</defaultClientSupportedSignatureAndHashAlgorithms>
     <defaultClientSupportedCiphersuites>TLS_RSA_WITH_3DES_EDE_CBC_SHA</defaultClientSupportedCiphersuites>
     <defaultClientSupportedCiphersuites>TLS_RSA_WITH_AES_128_CBC_SHA</defaultClientSupportedCiphersuites>
     <defaultClientSupportedCiphersuites>TLS_RSA_WITH_NULL_MD5</defaultClientSupportedCiphersuites>

TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/config/delegate/SignatureAndHashAlgorithmDelegateTest.java

@@ -82,8 +82,10 @@ public void testApplyDelegate() {
         assertFalse(config.isAddSignatureAndHashAlgrorithmsExtension());
         delegate.applyDelegate(config);
         assertTrue(config.isAddSignatureAndHashAlgrorithmsExtension());
-        assertTrue(config.getSupportedSignatureAndHashAlgorithms().contains(SignatureAndHashAlgorithm.RSA_SHA512));
-        assertTrue(config.getSupportedSignatureAndHashAlgorithms().contains(SignatureAndHashAlgorithm.DSA_SHA512));
+        assertTrue(config.getDefaultClientSupportedSignatureAndHashAlgorithms().contains(
+                SignatureAndHashAlgorithm.RSA_SHA512));
+        assertTrue(config.getDefaultClientSupportedSignatureAndHashAlgorithms().contains(
+                SignatureAndHashAlgorithm.DSA_SHA512));
     }
 
     @Test

TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/protocol/preparator/CertificateVerifyPreparatorTest.java

@@ -117,7 +117,7 @@ public void testPrepareRSA() throws NoSuchAlgorithmException {
         algoList.add(SignatureAndHashAlgorithm.RSA_MD5);
         algoList.add(SignatureAndHashAlgorithm.ECDSA_SHA1);
         algoList.add(SignatureAndHashAlgorithm.RSA_SHA1);
-        context.getConfig().setSupportedSignatureAndHashAlgorithms(algoList);
+        context.getConfig().setDefaultClientSupportedSignatureAndHashAlgorithms(algoList);
         preparator.prepare();
         assertArrayEquals(new byte[] { 1, 1, }, message.getSignatureHashAlgorithm().getValue());
         // TODO I dont check if the signature is correctly calcualted or
@@ -137,7 +137,7 @@ public void testPrepareEC() throws NoSuchAlgorithmException, NoSuchProviderExcep
         algoList.add(SignatureAndHashAlgorithm.RSA_MD5);
         algoList.add(SignatureAndHashAlgorithm.ECDSA_SHA1);
         algoList.add(SignatureAndHashAlgorithm.RSA_SHA1);
-        context.getConfig().setSupportedSignatureAndHashAlgorithms(algoList);
+        context.getConfig().setDefaultClientSupportedSignatureAndHashAlgorithms(algoList);
         preparator.prepare();
         LOGGER.info(ArrayConverter.bytesToHexString(message.getSignature().getValue(), false));
 

TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/protocol/preparator/DHEServerKeyExchangePreparatorTest.java

@@ -55,7 +55,7 @@ public void testPrepare() {
         List<SignatureAndHashAlgorithm> SigAndHashList = new LinkedList<>();
         SigAndHashList.add(SignatureAndHashAlgorithm.RSA_SHA1);
         SigAndHashList.add(SignatureAndHashAlgorithm.DSA_MD5);
-        context.getConfig().setSupportedSignatureAndHashAlgorithms(SigAndHashList);
+        context.getConfig().setDefaultClientSupportedSignatureAndHashAlgorithms(SigAndHashList);
         // Test
         preparator.prepareHandshakeMessageContents();
 

TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/protocol/preparator/ECDHEServerKeyExchangePreparatorTest.java

@@ -135,7 +135,7 @@ private void loadTestVectorsToContext() throws IOException, NoSuchAlgorithmExcep
 
         List<SignatureAndHashAlgorithm> SigAndHashList = new LinkedList<>();
         SigAndHashList.add(SignatureAndHashAlgorithm.RSA_SHA512);
-        config.setSupportedSignatureAndHashAlgorithms(SigAndHashList);
+        config.setDefaultClientSupportedSignatureAndHashAlgorithms(SigAndHashList);
     }
 
     @Test