Merge pull request #666 from RUB-NDS/fuzzerfixes

Fuzzer fixes. Fixed also TLS 1.3 code

Author: ic0ns

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateByteChooser.java

@@ -167,6 +167,10 @@ public CertificateKeyPair chooseCertificateKeyPair(Chooser chooser) {
         } else {
             KeyExchangeAlgorithm keyExchangeAlgorithm = AlgorithmResolver.getKeyExchangeAlgorithm(chooser
                     .getSelectedCipherSuite());
+            if (keyExchangeAlgorithm == null) {
+                LOGGER.warn("CipherSuite does not specify a certificate kex. Using  RSA.");
+                keyExchangeAlgorithm = KeyExchangeAlgorithm.RSA;
+            }
             switch (keyExchangeAlgorithm) {
                 case DH_RSA:
                 case DHE_RSA:

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/Config.java

@@ -15,6 +15,8 @@
 import de.rub.nds.tlsattacker.core.certificate.CertificateKeyPair;
 import de.rub.nds.tlsattacker.core.connection.InboundConnection;
 import de.rub.nds.tlsattacker.core.connection.OutboundConnection;
+import de.rub.nds.tlsattacker.core.constants.AlertDescription;
+import de.rub.nds.tlsattacker.core.constants.AlertLevel;
 import de.rub.nds.tlsattacker.core.constants.AuthzDataFormat;
 import de.rub.nds.tlsattacker.core.constants.CertificateKeyType;
 import de.rub.nds.tlsattacker.core.constants.CertificateStatusRequestType;
@@ -27,6 +29,7 @@
 import de.rub.nds.tlsattacker.core.constants.ECPointFormat;
 import de.rub.nds.tlsattacker.core.constants.EsniDnsKeyRecordVersion;
 import de.rub.nds.tlsattacker.core.constants.EsniVersion;
+import de.rub.nds.tlsattacker.core.constants.ExtensionType;
 import de.rub.nds.tlsattacker.core.constants.GOSTCurve;
 import de.rub.nds.tlsattacker.core.constants.HashAlgorithm;
 import de.rub.nds.tlsattacker.core.constants.HeartbeatMode;
@@ -514,7 +517,7 @@ public static Config createEmptyConfig() {
      */
     private Boolean addSessionTicketTLSExtension = false;
 
-    /***
+    /**
      * If we generate ClientHello with extended Random Extension
      */
     private Boolean addExtendedRandomExtension = false;
@@ -921,9 +924,9 @@ public static Config createEmptyConfig() {
 
     private PRFAlgorithm defaultPRFAlgorithm = PRFAlgorithm.TLS_PRF_LEGACY;
 
-    private Byte defaultAlertDescription = 0;
+    private AlertDescription defaultAlertDescription = AlertDescription.CLOSE_NOTIFY;
 
-    private Byte defaultAlertLevel = 0;
+    private AlertLevel defaultAlertLevel = AlertLevel.WARNING;
 
     private NamedGroup defaultEcCertificateCurve = NamedGroup.SECP256R1;
 
@@ -1107,7 +1110,7 @@ public static Config createEmptyConfig() {
     /**
      * Min iterations for finding the PWD password element
      */
-    private int defaultPWDIterations = 40;
+    private Integer defaultPWDIterations = 40;
 
     @XmlJavaTypeAdapter(UnformattedByteArrayAdapter.class)
     private byte[] defaultServerPWDPrivate = ArrayConverter
@@ -1184,16 +1187,17 @@ public static Config createEmptyConfig() {
 
     private List<CipherSuite> defaultEsniServerCiphersuites = new LinkedList();
 
-    private int defaultEsniPaddedLength = 260;
+    private Integer defaultEsniPaddedLength = 260;
 
     private Long defaultEsniNotBefore = 1582655135231L;
 
     private Long defaultEsniNotAfter = 1582655135231L + 2592000000L;
 
-    private List<ExtensionMessage> defaultEsniExtensions = new LinkedList();
-    private boolean acceptOnlyFittingDtlsFragments = false;
+    private List<ExtensionType> defaultEsniExtensions = new LinkedList();
+
+    private Boolean acceptOnlyFittingDtlsFragments = false;
 
-    private boolean acceptContentRewritingDtlsFragments = true;
+    private Boolean acceptContentRewritingDtlsFragments = true;
 
     private boolean writeKeylogFile = false;
 
@@ -1303,19 +1307,19 @@ public static Config createEmptyConfig() {
         }
     }
 
-    public boolean isAcceptOnlyFittingDtlsFragments() {
+    public Boolean isAcceptOnlyFittingDtlsFragments() {
         return acceptOnlyFittingDtlsFragments;
     }
 
-    public void setAcceptOnlyFittingDtlsFragments(boolean acceptOnlyFittingDtlsFragments) {
+    public void setAcceptOnlyFittingDtlsFragments(Boolean acceptOnlyFittingDtlsFragments) {
         this.acceptOnlyFittingDtlsFragments = acceptOnlyFittingDtlsFragments;
     }
 
-    public boolean isAcceptContentRewritingDtlsFragments() {
+    public Boolean isAcceptContentRewritingDtlsFragments() {
         return acceptContentRewritingDtlsFragments;
     }
 
-    public void setAcceptContentRewritingDtlsFragments(boolean acceptContentRewritingDtlsFragments) {
+    public void setAcceptContentRewritingDtlsFragments(Boolean acceptContentRewritingDtlsFragments) {
         this.acceptContentRewritingDtlsFragments = acceptContentRewritingDtlsFragments;
     }
 
@@ -1770,19 +1774,19 @@ public void setDefaultServerEcPublicKey(Point defaultServerEcPublicKey) {
         this.defaultServerEcPublicKey = defaultServerEcPublicKey;
     }
 
-    public byte getDefaultAlertDescription() {
+    public AlertDescription getDefaultAlertDescription() {
         return defaultAlertDescription;
     }
 
-    public void setDefaultAlertDescription(byte defaultAlertDescription) {
+    public void setDefaultAlertDescription(AlertDescription defaultAlertDescription) {
         this.defaultAlertDescription = defaultAlertDescription;
     }
 
-    public byte getDefaultAlertLevel() {
+    public AlertLevel getDefaultAlertLevel() {
         return defaultAlertLevel;
     }
 
-    public void setDefaultAlertLevel(byte defaultAlertLevel) {
+    public void setDefaultAlertLevel(AlertLevel defaultAlertLevel) {
         this.defaultAlertLevel = defaultAlertLevel;
     }
 
@@ -3420,11 +3424,11 @@ public void setDefaultPWDPassword(String password) {
         this.defaultPWDPassword = password;
     }
 
-    public int getDefaultPWDIterations() {
+    public Integer getDefaultPWDIterations() {
         return defaultPWDIterations;
     }
 
-    public void setDefaultPWDIterations(int defaultPWDIterations) {
+    public void setDefaultPWDIterations(Integer defaultPWDIterations) {
         this.defaultPWDIterations = defaultPWDIterations;
     }
 
@@ -3600,11 +3604,11 @@ public void setDefaultEsniServerCiphersuites(List<CipherSuite> defaultEsniServer
         this.defaultEsniServerCiphersuites = defaultEsniServerCiphersuites;
     }
 
-    public int getDefaultEsniPaddedLength() {
+    public Integer getDefaultEsniPaddedLength() {
         return defaultEsniPaddedLength;
     }
 
-    public void setDefaultEsniPaddedLength(int defaultEsniPaddedLength) {
+    public void setDefaultEsniPaddedLength(Integer defaultEsniPaddedLength) {
         this.defaultEsniPaddedLength = defaultEsniPaddedLength;
     }
 
@@ -3624,11 +3628,11 @@ public void setDefaultEsniNotAfter(Long defaultEsniNotAfter) {
         this.defaultEsniNotAfter = defaultEsniNotAfter;
     }
 
-    public List<ExtensionMessage> getDefaultEsniExtensions() {
+    public List<ExtensionType> getDefaultEsniExtensions() {
         return defaultEsniExtensions;
     }
 
-    public void setDefaultEsniExtensions(List<ExtensionMessage> defaultEsniExtensions) {
+    public void setDefaultEsniExtensions(List<ExtensionType> defaultEsniExtensions) {
         this.defaultEsniExtensions = defaultEsniExtensions;
     }
 

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/CipherSuite.java

@@ -1003,6 +1003,26 @@ public static List<CipherSuite> getEsniImplemented() {
         return list;
     }
 
+    public static List<CipherSuite> getTls13CipherSuites() {
+        List<CipherSuite> list = new LinkedList();
+        list.add(CipherSuite.TLS_AES_128_GCM_SHA256);
+        list.add(CipherSuite.TLS_AES_256_GCM_SHA384);
+        list.add(CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_8_SHA256);
+        return list;
+    }
+
+    public static List<CipherSuite> getImplementedTls13CipherSuites() {
+        List<CipherSuite> list = new LinkedList();
+        list.add(CipherSuite.TLS_AES_128_GCM_SHA256);
+        list.add(CipherSuite.TLS_AES_256_GCM_SHA384);
+        list.add(CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_8_SHA256);
+        return list;
+    }
+
     public static List<CipherSuite> getNotImplemented() {
         List<CipherSuite> notImplemented = new LinkedList<>();
         for (CipherSuite suite : values()) {

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/SignatureAndHashAlgorithm.java

@@ -102,6 +102,23 @@ public static List<? extends SignatureAndHashAlgorithm> getImplemented() {
         return algoList;
     }
 
+    public static List<SignatureAndHashAlgorithm> getTls13SignatureAndHashAlgorithms() {
+        List<SignatureAndHashAlgorithm> algos = new LinkedList<>();
+        algos.add(SignatureAndHashAlgorithm.RSA_SHA256);
+        algos.add(SignatureAndHashAlgorithm.RSA_SHA384);
+        algos.add(SignatureAndHashAlgorithm.RSA_SHA512);
+        algos.add(SignatureAndHashAlgorithm.ECDSA_SHA256);
+        algos.add(SignatureAndHashAlgorithm.ECDSA_SHA384);
+        algos.add(SignatureAndHashAlgorithm.ECDSA_SHA512);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA256);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA384);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA512);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA256);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA384);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA512);
+        return algos;
+    }
+
     private int value;
 
     private static final Map<Integer, SignatureAndHashAlgorithm> MAP;
@@ -306,8 +323,9 @@ public static SignatureAndHashAlgorithm forCertificateKeyPair(CertificateKeyPair
                     break;
             }
 
-            if (found)
+            if (found) {
                 break;
+            }
         }
 
         if (sigHashAlgo == null) {

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/PseudoRandomFunction.java

@@ -80,7 +80,10 @@ public class PseudoRandomFunction {
      */
     public static byte[] compute(PRFAlgorithm prfAlgorithm, byte[] secret, String label, byte[] seed, int size)
             throws CryptoException {
-
+        if (prfAlgorithm == null) {
+            LOGGER.warn("Trying to compute PRF without specified PRF algorithm. Using TLS 1.0/TLS 1.1 as default.");
+            prfAlgorithm = PRFAlgorithm.TLS_PRF_LEGACY;
+        }
         switch (prfAlgorithm) {
             case TLS_PRF_SHA256:
             case TLS_PRF_SHA384:

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/cipher/ChaCha20Poly1305Cipher.java

@@ -39,6 +39,19 @@ public class ChaCha20Poly1305Cipher implements EncryptionCipher, DecryptionCiphe
     private final Poly1305 mac = new Poly1305();
 
     public ChaCha20Poly1305Cipher(byte[] key) {
+        if (key.length != 32) {
+            LOGGER.warn("Key for ChaCha20Poly1305 has wrong size. Expected 32 byte but found: " + key.length
+                    + ". Padding/Trimming to 32 Byte.");
+            if (key.length > 32) {
+                key = Arrays.copyOfRange(key, 0, 32);
+            } else {
+                byte[] tempKey = new byte[32];
+                for (int i = 0; i < key.length; i++) {
+                    tempKey[i] = key[i];
+                }
+                key = tempKey;
+            }
+        }
         this.key = key;
     }
 

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/cipher/JavaCipher.java

@@ -52,7 +52,7 @@ public byte[] encrypt(byte[] iv, byte[] someBytes) throws CryptoException {
             byte[] result = cipher.doFinal(someBytes);
             this.iv = cipher.getIV();
             return result;
-        } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
+        } catch (IllegalStateException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
                 | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchPaddingException ex) {
             throw new CryptoException("Could not initialize JavaCipher. "
                     + "Did you forget to use UnlimitedStrengthEnabler/add BouncyCastleProvider?", ex);
@@ -68,8 +68,8 @@ public byte[] encrypt(byte[] someBytes) throws CryptoException {
                 cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, keySpecAlgorithm));
             }
             return cipher.doFinal(someBytes);
-        } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | InvalidKeyException
-                | NoSuchPaddingException ex) {
+        } catch (IllegalStateException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
+                | InvalidKeyException | NoSuchPaddingException ex) {
             throw new CryptoException("Could not encrypt data", ex);
         }
     }
@@ -84,7 +84,7 @@ public byte[] encrypt(byte[] iv, int tagLength, byte[] someBytes) throws CryptoE
             byte[] result = cipher.doFinal(someBytes);
             this.iv = cipher.getIV();
             return result;
-        } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
+        } catch (IllegalStateException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
                 | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchPaddingException ex) {
             throw new CryptoException("Could not encrypt data", ex);
         }
@@ -103,7 +103,7 @@ public byte[] encrypt(byte[] iv, int tagLength, byte[] additionAuthenticatedData
             byte[] result = cipher.doFinal(someBytes);
             this.iv = cipher.getIV();
             return result;
-        } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
+        } catch (IllegalStateException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
                 | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchPaddingException ex) {
             throw new CryptoException("Could not enrypt data", ex);
         }
@@ -132,7 +132,7 @@ public byte[] decrypt(byte[] iv, byte[] someBytes) throws CryptoException {
                 System.arraycopy(someBytes, someBytes.length - getBlocksize(), this.iv, 0, getBlocksize());
             }
             return result;
-        } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
+        } catch (IllegalStateException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
                 | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchPaddingException ex) {
             throw new CryptoException("Could not decrypt data", ex);
         }
@@ -148,8 +148,8 @@ public byte[] decrypt(byte[] someBytes) throws CryptoException {
             }
             byte[] result = cipher.doFinal(someBytes);
             return result;
-        } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException
-                | BadPaddingException ex) {
+        } catch (IllegalStateException | NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException
+                | IllegalBlockSizeException | BadPaddingException ex) {
             throw new CryptoException("Could not decrypt data", ex);
         }
     }
@@ -167,7 +167,7 @@ public byte[] decrypt(byte[] iv, int tagLength, byte[] someBytes) throws CryptoE
                 System.arraycopy(someBytes, someBytes.length - getBlocksize(), this.iv, 0, getBlocksize());
             }
             return result;
-        } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
+        } catch (IllegalStateException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
                 | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchPaddingException ex) {
             throw new CryptoException("Could not decrypt data", ex);
         }
@@ -188,7 +188,7 @@ public byte[] decrypt(byte[] iv, int tagLength, byte[] additionalAuthenticatedDa
                 System.arraycopy(cipherText, cipherText.length - getBlocksize(), this.iv, 0, getBlocksize());
             }
             return result;
-        } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
+        } catch (IllegalStateException | IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException
                 | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchPaddingException ex) {
             throw new CryptoException("Could not decrypt data", ex);
         }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/ec/EllipticCurve.java

@@ -91,9 +91,9 @@ public Point add(Point p, Point q) {
     }
 
     /**
-     * Returns k*p on this curve. If k or p is null, the result will be null. If
-     * the point is not on the curve and the calculations would require dividing
-     * by 0, the result will be the point at infinity.
+     * Returns k*p on this curve. If the point is not on the curve and the
+     * calculations would require dividing by 0, the result will be the point at
+     * infinity.
      *
      * @param p
      *            A point which's coordinates are elements of the field over
@@ -106,7 +106,7 @@ public Point mult(BigInteger k, Point p) {
         }
 
         // Double-and-add
-        Point q = new Point(); // q == O
+        Point q = getPoint(BigInteger.ZERO, BigInteger.ZERO); // q == O
 
         for (int i = k.bitLength(); i > 0; i--) {
 
@@ -129,7 +129,6 @@ public Point mult(BigInteger k, Point p) {
      *            which the curve is defined or the point at infinity.
      */
     public Point inverse(Point p) {
-
         if (p.isAtInfinity()) {
             // -O == O
             return p;

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/ec/EllipticCurveOverF2m.java

@@ -112,6 +112,10 @@ public boolean isOnCurve(Point p) {
 
     @Override
     protected Point inverseAffine(Point p) {
+        if (!(p.getX() instanceof FieldElementF2m && p.getY() instanceof FieldElementF2m)) {
+            LOGGER.warn("Trying to invert non F2m point with F2m curve. Returning point at (0,0)");
+            return this.getPoint(BigInteger.ZERO, BigInteger.ZERO);
+        }
         // -p == (x, x+y)
 
         FieldElementF2m x = (FieldElementF2m) p.getX();
@@ -122,6 +126,11 @@ protected Point inverseAffine(Point p) {
 
     @Override
     protected Point additionFormular(Point p, Point q) {
+        if (!(p.getX() instanceof FieldElementF2m && p.getY() instanceof FieldElementF2m
+                && q.getX() instanceof FieldElementF2m && q.getY() instanceof FieldElementF2m)) {
+            LOGGER.warn("Trying to add non F2m points with F2m curve. Returning point at (0,0)");
+            return this.getPoint(BigInteger.ZERO, BigInteger.ZERO);
+        }
         try {
             FieldElementF2m x1 = (FieldElementF2m) p.getX();
             FieldElementF2m y1 = (FieldElementF2m) p.getY();