Merge branch 'master' into raw_publickeys

Author: ic0ns

.gitignore

@@ -42,3 +42,5 @@ Utils/.settings/org.eclipse.core.resources.prefs
 Utils/.settings/org.eclipse.jdt.core.prefs
 .project
 test.sh
+.settings/
+.classpath

Attacks/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>de.rub.nds.tlsattacker</groupId>
         <artifactId>TLS-Attacker</artifactId>
-        <version>3.0</version>
+        <version>3.3.1</version>
     </parent>
     <artifactId>Attacks</artifactId>
     <packaging>jar</packaging>

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/constants/PaddingRecordGeneratorType.java

@@ -28,5 +28,7 @@ public enum PaddingRecordGeneratorType {
     /**
      *
      */
-    LONG
+    LONG,
+
+    LONG_RECORD
 }

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/ec/oracles/RealDirectMessageECOracle.java

@@ -76,6 +76,7 @@ public boolean checkSecretCorrectnes(Point ecPoint, BigInteger secret) {
 
         ECDHClientKeyExchangeMessage message = (ECDHClientKeyExchangeMessage) WorkflowTraceUtil.getFirstSendMessage(
                 HandshakeMessageType.CLIENT_KEY_EXCHANGE, trace);
+        message.prepareComputations();
 
         // modify public point base X coordinate
         ModifiableBigInteger x = ModifiableVariableFactory.createBigIntegerModifiableVariable();
@@ -92,7 +93,6 @@ public boolean checkSecretCorrectnes(Point ecPoint, BigInteger secret) {
         ModifiableByteArray pms = ModifiableVariableFactory.createByteArrayModifiableVariable();
         byte[] explicitePMS = BigIntegers.asUnsignedByteArray(curve.getModulus().bitLength() / 8, secret);
         pms.setModification(ByteArrayModificationFactory.explicitValue(explicitePMS));
-        message.prepareComputations();
         message.getComputations().setPremasterSecret(pms);
 
         if (numberOfQueries % 100 == 0) {

…tion/PaddingOracleUnstableException.java …s/exception/OracleUnstableException.javaAttacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/PaddingOracleUnstableException.java renamed to Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/OracleUnstableException.java Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/PaddingOracleUnstableException.java renamed to Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/OracleUnstableException.java

@@ -11,13 +11,13 @@
 /**
  *
  */
-public class PaddingOracleUnstableException extends RuntimeException {
+public class OracleUnstableException extends RuntimeException {
 
     /**
      *
      * @param string
      */
-    public PaddingOracleUnstableException(String string) {
+    public OracleUnstableException(String string) {
         super(string);
     }
 

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java

@@ -10,6 +10,7 @@
 
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.BleichenbacherCommandConfig;
+import de.rub.nds.tlsattacker.attacks.exception.OracleUnstableException;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Bleichenbacher;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherVulnerabilityMap;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowGenerator;
@@ -128,12 +129,12 @@ public EqualityError getEqualityError() {
         CONSOLE.info("A server is considered vulnerable to this attack if it responds differently to the test vectors.");
         CONSOLE.info("A server is considered secure if it always responds the same way.");
         LOGGER.debug("Testing: " + config.getWorkflowType());
-        errorType = isVulnerable(pkcs1Vectors);
+        errorType = isVulnerable(pkcs1Vectors, publicKey);
         return errorType;
     }
 
-    public EqualityError isVulnerable(List<Pkcs1Vector> pkcs1Vectors) {
-        fingerprintPairList = getBleichenbacherMap(config.getWorkflowType(), pkcs1Vectors);
+    public EqualityError isVulnerable(List<Pkcs1Vector> pkcs1Vectors, RSAPublicKey publicKey) {
+        fingerprintPairList = getBleichenbacherMap(config.getWorkflowType(), pkcs1Vectors, publicKey);
         if (fingerprintPairList.isEmpty()) {
             LOGGER.warn("Could not extract Fingerprints");
             return null;
@@ -146,14 +147,14 @@ public EqualityError isVulnerable(List<Pkcs1Vector> pkcs1Vectors) {
             // network. In this case we do a rescan
             // and check if we find the exact same answer behaviour (twice)
             List<VectorFingerprintPair> secondBleichenbacherVectorMap = getBleichenbacherMap(config.getWorkflowType(),
-                    pkcs1Vectors);
+                    pkcs1Vectors, publicKey);
             EqualityError error2 = getEqualityError(secondBleichenbacherVectorMap);
             BleichenbacherVulnerabilityMap mapOne = new BleichenbacherVulnerabilityMap(fingerprintPairList, error);
             BleichenbacherVulnerabilityMap mapTwo = new BleichenbacherVulnerabilityMap(secondBleichenbacherVectorMap,
                     error2);
             if (mapOne.looksIdentical(mapTwo)) {
                 List<VectorFingerprintPair> thirdBleichenbacherVectorMap = getBleichenbacherMap(
-                        config.getWorkflowType(), pkcs1Vectors);
+                        config.getWorkflowType(), pkcs1Vectors, publicKey);
                 EqualityError error3 = getEqualityError(secondBleichenbacherVectorMap);
                 BleichenbacherVulnerabilityMap mapThree = new BleichenbacherVulnerabilityMap(
                         thirdBleichenbacherVectorMap, error3);
@@ -202,7 +203,7 @@ private void printBleichenbacherVectormap(List<VectorFingerprintPair> bleichenba
     }
 
     private List<VectorFingerprintPair> getBleichenbacherMap(BleichenbacherWorkflowType bbWorkflowType,
-            List<Pkcs1Vector> pkcs1Vectors) {
+            List<Pkcs1Vector> pkcs1Vectors, RSAPublicKey publicKey) {
         Config tlsConfig = getTlsConfig();
         tlsConfig.setWorkflowExecutorShouldClose(false);
         List<VectorFingerprintPair> bleichenbacherVectorMap = new LinkedList<>();
@@ -226,6 +227,17 @@ private List<VectorFingerprintPair> getBleichenbacherMap(BleichenbacherWorkflowT
                 processFinishedStateVectorPair(stateVectorPair, bleichenbacherVectorMap);
             }
         }
+        // Check that the public key send by the server is actually the public
+        // key used to generate
+        // the vectors. This is currently a limitation of our script as the
+        // attack vectors are
+        // generated statically and not dynamically. We will adjust this in
+        // future versions.
+        for (StateVectorPair pair : stateVectorPairList) {
+            if (!pair.getState().getTlsContext().getServerRsaModulus().equals(publicKey.getModulus())) {
+                throw new OracleUnstableException("Server sent us a different publickey during the scan. Aborting test");
+            }
+        }
 
         return bleichenbacherVectorMap;
     }
@@ -236,7 +248,7 @@ private void processFinishedStateVectorPair(StateVectorPair stateVectorPair,
             ResponseFingerprint fingerprint = ResponseExtractor.getFingerprint(stateVectorPair.getState());
             bleichenbacherVectorMap.add(new VectorFingerprintPair(fingerprint, stateVectorPair.getVector()));
         } else {
-            LOGGER.error("Could not execute Workflow. Something went wrong... Check the debug output for more information");
+            LOGGER.warn("Could not execute Workflow. Something went wrong... Check the debug output for more information");
         }
         clearConnections(stateVectorPair.getState());
 

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/HeartbleedAttacker.java

@@ -19,6 +19,8 @@
 import de.rub.nds.tlsattacker.core.constants.ProtocolMessageType;
 import de.rub.nds.tlsattacker.core.constants.RunningModeType;
 import de.rub.nds.tlsattacker.core.exceptions.WorkflowExecutionException;
+import de.rub.nds.tlsattacker.core.protocol.message.ChangeCipherSpecMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.FinishedMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.HeartbeatMessage;
 import de.rub.nds.tlsattacker.core.state.State;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutor;
@@ -27,6 +29,7 @@
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
 import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
 import de.rub.nds.tlsattacker.core.workflow.action.SendAction;
+import de.rub.nds.tlsattacker.core.workflow.action.SendDynamicClientKeyExchangeAction;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowConfigurationFactory;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
 import org.apache.logging.log4j.LogManager;
@@ -61,8 +64,11 @@ public void executeAttack() {
     @Override
     public Boolean isVulnerable() {
         Config tlsConfig = getTlsConfig();
-        WorkflowTrace trace = new WorkflowConfigurationFactory(tlsConfig).createWorkflowTrace(
-                WorkflowTraceType.HANDSHAKE, RunningModeType.CLIENT);
+        WorkflowTrace trace = new WorkflowConfigurationFactory(tlsConfig).createWorkflowTrace(WorkflowTraceType.HELLO,
+                RunningModeType.CLIENT);
+        trace.addTlsAction(new SendDynamicClientKeyExchangeAction());
+        trace.addTlsAction(new SendAction(new ChangeCipherSpecMessage(), new FinishedMessage()));
+        trace.addTlsAction(new ReceiveAction(new ChangeCipherSpecMessage(), new FinishedMessage()));
         HeartbeatMessage message = new HeartbeatMessage(tlsConfig);
         trace.addTlsAction(new SendAction(message));
         trace.addTlsAction(new ReceiveAction(new HeartbeatMessage()));

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/InvalidCurveAttacker.java

@@ -85,22 +85,18 @@ public Boolean isVulnerable() {
         EllipticCurve curve = CurveFactory.getCurve(config.getNamedGroup());
         Point point = Point.createPoint(config.getPublicPointBaseX(), config.getPublicPointBaseY(),
                 config.getNamedGroup());
-        for (int i = 0; i < getConfig().getProtocolFlows(); i++) {
-            if (config.getPremasterSecret() != null) {
-                premasterSecret = config.getPremasterSecret();
-            } else {
-                Point sharedPoint = curve.mult(new BigInteger("" + i + 1), point);
-                premasterSecret = sharedPoint.getX().getData();
-                if (premasterSecret == null) {
-                    premasterSecret = BigInteger.ZERO;
-                }
-                LOGGER.debug("PMS: " + premasterSecret.toString());
-            }
+
+        int protocolFlows = getConfig().getProtocolFlows();
+        if (config.getPremasterSecret() != null) {
+            protocolFlows = 1;
+        }
+
+        for (int i = 0; i < protocolFlows; i++) {
+            setPremasterSecret(curve, i, point);
             try {
                 WorkflowTrace trace = executeProtocolFlow();
                 if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.SERVER_HELLO, trace)) {
                     LOGGER.info("Did not receive ServerHello. Check your config");
-
                     return null;
                 }
                 if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.FINISHED, trace)) {
@@ -116,6 +112,20 @@ public Boolean isVulnerable() {
         return false;
     }
 
+    private void setPremasterSecret(EllipticCurve curve, int i, Point point) {
+        if (config.getPremasterSecret() != null) {
+            premasterSecret = config.getPremasterSecret();
+        } else {
+            Point sharedPoint = curve.mult(new BigInteger("" + (i + 1)), point);
+            if (sharedPoint.getX() != null) {
+                premasterSecret = sharedPoint.getX().getData();
+            } else {
+                premasterSecret = BigInteger.ZERO;
+            }
+            LOGGER.debug("PMS: " + premasterSecret.toString());
+        }
+    }
+
     private WorkflowTrace executeProtocolFlow() {
         Config tlsConfig = getTlsConfig();
         WorkflowTrace trace = new WorkflowConfigurationFactory(tlsConfig).createWorkflowTrace(WorkflowTraceType.HELLO,

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/PaddingOracleAttacker.java

@@ -10,7 +10,7 @@
 
 import de.rub.nds.tlsattacker.attacks.config.PaddingOracleCommandConfig;
 import de.rub.nds.tlsattacker.attacks.exception.AttackFailedException;
-import de.rub.nds.tlsattacker.attacks.exception.PaddingOracleUnstableException;
+import de.rub.nds.tlsattacker.attacks.exception.OracleUnstableException;
 import de.rub.nds.tlsattacker.attacks.padding.PaddingTraceGenerator;
 import de.rub.nds.tlsattacker.attacks.padding.PaddingTraceGeneratorFactory;
 import de.rub.nds.tlsattacker.attacks.padding.PaddingVectorGenerator;
@@ -165,7 +165,7 @@ public Boolean isVulnerable() {
     public boolean lookEqual(List<VectorResponse> responseVectorListOne, List<VectorResponse> responseVectorListTwo) {
         boolean result = true;
         if (responseVectorListOne.size() != responseVectorListTwo.size()) {
-            throw new PaddingOracleUnstableException(
+            throw new OracleUnstableException(
                     "The padding Oracle seems to be unstable - there is something going terrible wrong. We recommend manual analysis");
         }
 
@@ -191,7 +191,7 @@ public boolean lookEqual(List<VectorResponse> responseVectorListOne, List<Vector
                 continue;
             }
             if (equivalentVector.getFingerprint() == null) {
-                LOGGER.error("Equivalent vector has no fingerprint:" + testedSuite + " - " + testedVersion);
+                LOGGER.warn("Equivalent vector has no fingerprint:" + testedSuite + " - " + testedVersion);
                 equivalentVector.setErrorDuringHandshake(true);
                 result = false;
                 continue;
@@ -200,7 +200,7 @@ public boolean lookEqual(List<VectorResponse> responseVectorListOne, List<Vector
             EqualityError error = FingerPrintChecker.checkEquality(vectorResponseOne.getFingerprint(),
                     equivalentVector.getFingerprint(), true);
             if (error != EqualityError.NONE) {
-                LOGGER.error("There is an error beween rescan:" + error + " - " + testedSuite + " - " + testedVersion);
+                LOGGER.warn("There is an error beween rescan:" + error + " - " + testedSuite + " - " + testedVersion);
                 result = false;
                 vectorResponseOne.setShaky(true);
             }
@@ -231,19 +231,17 @@ public List<VectorResponse> createVectorResponseList() {
             ResponseFingerprint fingerprint = null;
             if (pair.getFingerPrintTask().isHasError()) {
                 errornousScans = true;
-                LOGGER.error("Could not extract fingerprint for " + pair.toString());
+                LOGGER.warn("Could not extract fingerprint for " + pair.toString());
                 VectorResponse vectorResponse = new VectorResponse(pair.getVector(), null, testedVersion, testedSuite,
                         tlsConfig.getDefaultApplicationMessageData().getBytes().length);
                 vectorResponse.setErrorDuringHandshake(true);
                 tempResponseVectorList.add(vectorResponse);
-                LOGGER.error("Could not execute whole workflow: " + testedSuite + " - " + testedVersion);
-
             } else {
                 testedSuite = pair.getFingerPrintTask().getState().getTlsContext().getSelectedCipherSuite();
                 testedVersion = pair.getFingerPrintTask().getState().getTlsContext().getSelectedProtocolVersion();
                 if (testedSuite == null || testedVersion == null) {
                     LOGGER.fatal("Could not find ServerHello after successful extraction");
-                    throw new PaddingOracleUnstableException("Fatal Extraction error");
+                    throw new OracleUnstableException("Fatal Extraction error");
                 }
                 fingerprint = pair.getFingerPrintTask().getFingerprint();
                 tempResponseVectorList.add(new VectorResponse(pair.getVector(), fingerprint, testedVersion,

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/padding/LongRecordPaddingGenerator.java

@@ -0,0 +1,55 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.padding;
+
+import de.rub.nds.modifiablevariable.bytearray.ByteArrayExplicitValueModification;
+import de.rub.nds.tlsattacker.attacks.padding.vector.PaddingVector;
+import de.rub.nds.tlsattacker.attacks.padding.vector.TrippleVector;
+import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
+import de.rub.nds.tlsattacker.core.constants.CipherSuite;
+import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
+import java.util.LinkedList;
+import java.util.List;
+
+public class LongRecordPaddingGenerator extends PaddingVectorGenerator {
+
+    /**
+     *
+     * @param suite
+     * @param version
+     * @return
+     */
+    @Override
+    public List<PaddingVector> getVectors(CipherSuite suite, ProtocolVersion version) {
+        // Total plaintext size is not allowed to be bigger than 16384
+        // MAC + Plaintext
+        List<PaddingVector> vectorList = new LinkedList<>();
+        int blockSize = AlgorithmResolver.getCipher(suite).getBlocksize();
+        int macSize = AlgorithmResolver.getMacAlgorithm(version, suite).getSize();
+        vectorList.add(new TrippleVector("ValidPlainData", "ValidPlainData", new ByteArrayExplicitValueModification(
+                new byte[16384]), new ByteArrayExplicitValueModification(new byte[AlgorithmResolver.getMacAlgorithm(
+                version, suite).getSize()]), new ByteArrayExplicitValueModification(
+                createPaddingBytes(calculateValidPaddingSize(blockSize, macSize)))));
+        vectorList.add(new TrippleVector("InvalidPlainData", "InvalidPlainData",
+                new ByteArrayExplicitValueModification(new byte[16385]), new ByteArrayExplicitValueModification(
+                        new byte[AlgorithmResolver.getMacAlgorithm(version, suite).getSize()]),
+                new ByteArrayExplicitValueModification(createPaddingBytes(calculateInvalidPaddingSize(blockSize,
+                        macSize)))));
+        return vectorList;
+    }
+
+    private int calculateValidPaddingSize(int blocksize, int macSize) {
+        return blocksize - (macSize % blocksize);
+    }
+
+    private int calculateInvalidPaddingSize(int blocksize, int macSize) {
+        return (blocksize - (macSize % blocksize)) - 1;
+    }
+
+}