Merge pull request #446 from RUB-NDS/falsepositive_fix

ic0ns · web-flow · commit 3aae8c4d317a · 2018-06-01T07:59:33.000Z
Falsepositive fix
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/PaddingOracleAttacker.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/PaddingOracleAttacker.java
@@ -33,6 +33,7 @@
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutor;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutorFactory;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
+import de.rub.nds.tlsattacker.core.workflow.action.GenericReceiveAction;
 import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
 import de.rub.nds.tlsattacker.core.workflow.action.SendAction;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowConfigurationFactory;
@@ -72,8 +73,7 @@ public State executeTlsFlow(Record record) {
         sendAction.setRecords(new LinkedList<AbstractRecord>());
         sendAction.getRecords().add(record);
         trace.addTlsAction(sendAction);
-        AlertMessage alertMessage = new AlertMessage(tlsConfig);
-        trace.addTlsAction(new ReceiveAction(alertMessage));
+        trace.addTlsAction(new GenericReceiveAction());
         tlsConfig.setWorkflowExecutorShouldClose(false);
         State state = new State(tlsConfig, trace);
 
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/BleichenbacherWorkflowGenerator.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/BleichenbacherWorkflowGenerator.java
@@ -17,6 +17,7 @@
 import de.rub.nds.tlsattacker.core.protocol.message.FinishedMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.RSAClientKeyExchangeMessage;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
+import de.rub.nds.tlsattacker.core.workflow.action.GenericReceiveAction;
 import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
 import de.rub.nds.tlsattacker.core.workflow.action.SendAction;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowConfigurationFactory;
@@ -54,7 +55,7 @@ public static WorkflowTrace generateWorkflow(Config tlsConfig, BleichenbacherWor
                 default:
                     break;
             }
-        trace.addTlsAction(new ReceiveAction(new AlertMessage(tlsConfig)));
+        trace.addTlsAction(new GenericReceiveAction());
 
         return trace;
     }
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/Config.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/Config.java
@@ -405,7 +405,7 @@ public static Config createConfig(InputStream stream) {
     /**
      * If we generate ClientHello with the SignatureAndHashAlgorithm extension
      */
-    private Boolean addSignatureAndHashAlgorithmsExtension = false;
+    private Boolean addSignatureAndHashAlgorithmsExtension = true;
 
     /**
      * If we generate ClientHello with the SupportedVersion extension
@@ -989,6 +989,30 @@ public static Config createConfig(InputStream stream) {
                 HashAlgorithm.SHA1));
         supportedSignatureAndHashAlgorithms
                 .add(new SignatureAndHashAlgorithm(SignatureAlgorithm.RSA, HashAlgorithm.MD5));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.ECDSA,
+                HashAlgorithm.SHA512));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.ECDSA,
+                HashAlgorithm.SHA384));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.ECDSA,
+                HashAlgorithm.SHA256));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.ECDSA,
+                HashAlgorithm.SHA224));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.ECDSA,
+                HashAlgorithm.SHA1));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.ECDSA,
+                HashAlgorithm.MD5));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.DSA,
+                HashAlgorithm.SHA512));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.DSA,
+                HashAlgorithm.SHA384));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.DSA,
+                HashAlgorithm.SHA256));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.DSA,
+                HashAlgorithm.SHA224));
+        supportedSignatureAndHashAlgorithms.add(new SignatureAndHashAlgorithm(SignatureAlgorithm.DSA,
+                HashAlgorithm.SHA1));
+        supportedSignatureAndHashAlgorithms
+                .add(new SignatureAndHashAlgorithm(SignatureAlgorithm.DSA, HashAlgorithm.MD5));
         defaultClientSupportedCompressionMethods = new LinkedList<>();
         defaultClientSupportedCompressionMethods.add(CompressionMethod.NULL);
         defaultServerSupportedCompressionMethods = new LinkedList<>();
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/ServerHelloMessage.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/ServerHelloMessage.java
@@ -83,9 +83,6 @@ public ServerHelloMessage(Config tlsConfig) {
             extension.getServerNameList().add(pair);
             addExtension(extension);
         }
-        if (tlsConfig.isAddSignatureAndHashAlgrorithmsExtension() && !tlsConfig.getHighestProtocolVersion().isTLS13()) {
-            addExtension(new SignatureAndHashAlgorithmsExtensionMessage());
-        }
         if (tlsConfig.isAddKeyShareExtension()) {
             if (tlsConfig.getHighestProtocolVersion() != ProtocolVersion.TLS13
                     && tlsConfig.getHighestProtocolVersion().getMinor() < 0x17) {
diff --git a/TLS-Core/src/main/resources/default_config.xml b/TLS-Core/src/main/resources/default_config.xml
@@ -39,6 +39,54 @@
         <hashAlgorithm>MD5</hashAlgorithm>
         <signatureAlgorithm>RSA</signatureAlgorithm>
     </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA512</hashAlgorithm>
+        <signatureAlgorithm>ECDSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA384</hashAlgorithm>
+        <signatureAlgorithm>ECDSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA256</hashAlgorithm>
+        <signatureAlgorithm>ECDSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA224</hashAlgorithm>
+        <signatureAlgorithm>ECDSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA1</hashAlgorithm>
+        <signatureAlgorithm>ECDSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>MD5</hashAlgorithm>
+        <signatureAlgorithm>ECDSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA512</hashAlgorithm>
+        <signatureAlgorithm>DSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA384</hashAlgorithm>
+        <signatureAlgorithm>DSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA256</hashAlgorithm>
+        <signatureAlgorithm>DSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA224</hashAlgorithm>
+        <signatureAlgorithm>DSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>SHA1</hashAlgorithm>
+        <signatureAlgorithm>DSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
+    <supportedSignatureAndHashAlgorithms>
+        <hashAlgorithm>MD5</hashAlgorithm>
+        <signatureAlgorithm>DSA</signatureAlgorithm>
+    </supportedSignatureAndHashAlgorithms>
     <defaultClientSupportedCiphersuites>TLS_RSA_WITH_3DES_EDE_CBC_SHA</defaultClientSupportedCiphersuites>
     <defaultClientSupportedCiphersuites>TLS_RSA_WITH_AES_128_CBC_SHA</defaultClientSupportedCiphersuites>
     <defaultClientSupportedCiphersuites>TLS_RSA_WITH_NULL_MD5</defaultClientSupportedCiphersuites>
@@ -704,7 +752,7 @@
     <addHeartbeatExtension>false</addHeartbeatExtension>
     <addMaxFragmentLengthExtenstion>false</addMaxFragmentLengthExtenstion>
     <addServerNameIndicationExtension>false</addServerNameIndicationExtension>
-    <addSignatureAndHashAlgorithmsExtension>false</addSignatureAndHashAlgorithmsExtension>
+    <addSignatureAndHashAlgorithmsExtension>true</addSignatureAndHashAlgorithmsExtension>
     <addSupportedVersionsExtension>false</addSupportedVersionsExtension>
     <addKeyShareExtension>false</addKeyShareExtension>
     <addEarlyDataExtension>false</addEarlyDataExtension>
diff --git a/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/config/delegate/GeneralDelegateTest.java b/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/config/delegate/GeneralDelegateTest.java
@@ -12,6 +12,7 @@
 import de.rub.nds.tlsattacker.core.config.Config;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.logging.log4j.Level;
+import org.junit.After;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import org.junit.Before;
@@ -29,6 +30,12 @@ public void setUp() {
         this.jcommander = new JCommander(delegate);
     }
 
+    @After
+    public void tearDown() {
+        this.delegate.setLogLevel(Level.OFF);
+        delegate.applyDelegate(Config.createConfig());
+    }
+
     /**
      * Test of isHelp method, of class GeneralDelegate.
      */
diff --git a/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/util/CertificateFetcherTest.java b/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/util/CertificateFetcherTest.java
@@ -19,11 +19,13 @@
 import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.PublicKey;
+import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.util.Random;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.After;
 import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
@@ -74,10 +76,8 @@ public static void tearDownClass() {
 
     @Before
     public void setUp() {
+        Security.addProvider(new BouncyCastleProvider());
         config = Config.createConfig();
-        GeneralDelegate generalDelegate = new GeneralDelegate();
-        // Setup security provider
-        generalDelegate.applyDelegate(config);
         ClientDelegate clientDelegate = new ClientDelegate();
         clientDelegate.setHost("localhost:" + SERVER_PORT);
         clientDelegate.applyDelegate(config);
diff --git a/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/workflow/WorkflowTraceSerializerTest.java b/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/workflow/WorkflowTraceSerializerTest.java
@@ -129,6 +129,7 @@ public void serializeWithSingleConnectionTest() {
             sb.append("                <extensions>\n");
             sb.append("                    <ECPointFormat/>\n");
             sb.append("                    <EllipticCurves/>\n");
+            sb.append("                    <SignatureAndHashAlgorithmsExtension/>\n");
             sb.append("                    <RenegotiationInfoExtension/>\n");
             sb.append("                </extensions>\n");
             sb.append("            </ClientHello>\n");
@@ -176,6 +177,7 @@ public void serializeWithSingleCustomConnectionTest() {
             sb.append("                <extensions>\n");
             sb.append("                    <ECPointFormat/>\n");
             sb.append("                    <EllipticCurves/>\n");
+            sb.append("                    <SignatureAndHashAlgorithmsExtension/>\n");
             sb.append("                    <RenegotiationInfoExtension/>\n");
             sb.append("                </extensions>\n");
             sb.append("            </ClientHello>\n");
@@ -235,6 +237,7 @@ public void serializeWithMultipleCustomConnectionTest() {
             sb.append("                <extensions>\n");
             sb.append("                    <ECPointFormat/>\n");
             sb.append("                    <EllipticCurves/>\n");
+            sb.append("                    <SignatureAndHashAlgorithmsExtension/>\n");
             sb.append("                    <RenegotiationInfoExtension/>\n");
             sb.append("                </extensions>\n");
             sb.append("            </ClientHello>\n");
