Merge pull request #654 from RUB-NDS/fix-tls13

Fix TLS 1.3 implementation

Author: ic0ns

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/InvalidCurveAttacker.java

@@ -257,7 +257,7 @@ private WorkflowTrace prepareRegularTrace(ModifiableByteArray serializedPublicKe
         }
         WorkflowTrace trace = new WorkflowConfigurationFactory(individualConfig).createWorkflowTrace(
                 WorkflowTraceType.HELLO, RunningModeType.CLIENT);
-        if (individualConfig.getHighestProtocolVersion() == ProtocolVersion.TLS13) {
+        if (individualConfig.getHighestProtocolVersion().isTLS13()) {
 
             // replace specific receive action with generic
             trace.removeTlsAction(trace.getTlsActions().size() - 1);
@@ -299,7 +299,7 @@ private WorkflowTrace prepareRegularTrace(ModifiableByteArray serializedPublicKe
     private WorkflowTrace prepareRenegotiationTrace(ModifiableByteArray serializedPublicKey, ModifiableByteArray pms,
             byte[] explicitPMS, Config individualConfig) {
         WorkflowTrace trace;
-        if (individualConfig.getHighestProtocolVersion() == ProtocolVersion.TLS13) {
+        if (individualConfig.getHighestProtocolVersion().isTLS13()) {
             trace = new WorkflowConfigurationFactory(individualConfig).createWorkflowTrace(WorkflowTraceType.HANDSHAKE,
                     RunningModeType.CLIENT);
             trace.addTlsAction(new ReceiveAction(ReceiveOption.CHECK_ONLY_EXPECTED, new NewSessionTicketMessage(false)));

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateByteChooser.java

@@ -11,8 +11,10 @@
 
 import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
 import de.rub.nds.tlsattacker.core.constants.CertificateKeyType;
+import de.rub.nds.tlsattacker.core.constants.HashAlgorithm;
 import de.rub.nds.tlsattacker.core.constants.KeyExchangeAlgorithm;
 import de.rub.nds.tlsattacker.core.constants.NamedGroup;
+import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
 import de.rub.nds.tlsattacker.core.workflow.chooser.Chooser;
 import java.io.IOException;
 import java.security.PrivateKey;
@@ -167,6 +169,12 @@ public CertificateKeyPair chooseCertificateKeyPair(Chooser chooser) {
                     .getSelectedCipherSuite());
             switch (keyExchangeAlgorithm) {
                 case DH_RSA:
+                case DHE_RSA:
+                case ECDH_RSA:
+                case ECDHE_RSA:
+                case RSA:
+                case SRP_SHA_RSA:
+                case PSK_RSA:
                     if (prefereredSignatureCertSignatureType != CertificateKeyType.RSA) {
                         LOGGER.warn("PreferedSignatureType does not match Ciphersuite - ignoring preference");
                     }
@@ -181,17 +189,6 @@ public CertificateKeyPair chooseCertificateKeyPair(Chooser chooser) {
                     }
                     prefereredSignatureCertSignatureType = CertificateKeyType.ECDSA;
                     break;
-                case DHE_RSA:
-                case ECDH_RSA:
-                case ECDHE_RSA:
-                case RSA:
-                case SRP_SHA_RSA:
-                case PSK_RSA:
-                    if (prefereredSignatureCertSignatureType != CertificateKeyType.RSA) {
-                        LOGGER.warn("PreferedSignatureType does not match Ciphersuite - ignoring preference");
-                    }
-                    prefereredSignatureCertSignatureType = CertificateKeyType.RSA;
-                    break;
                 case DHE_DSS:
                 case DH_DSS:
                 case SRP_SHA_DSS:
@@ -220,6 +217,8 @@ public CertificateKeyPair chooseCertificateKeyPair(Chooser chooser) {
         for (CertificateKeyPair pair : keyPairList) {
             if (pair.getCertPublicKeyType() == neededPublicKeyType
                     && pair.getCertSignatureType() == prefereredSignatureCertSignatureType) {
+
+                SignatureAndHashAlgorithm sigHashAlgo = SignatureAndHashAlgorithm.forCertificateKeyPair(pair, chooser);
                 nextBestChoice = pair;
                 if (neededPublicKeyType == CertificateKeyType.ECDSA) {
                     if (pair.getSignatureGroup() == null) {
@@ -231,6 +230,12 @@ public CertificateKeyPair chooseCertificateKeyPair(Chooser chooser) {
                         continue;
                     }
                 }
+                if (neededPublicKeyType == CertificateKeyType.RSA
+                        && sigHashAlgo.getSignatureAlgorithm().toString().startsWith("RSA_PSS")
+                        && sigHashAlgo.getHashAlgorithm() == HashAlgorithm.SHA512
+                        && pair.getPublicKey().keysize() < 2048) {
+                    continue;
+                }
                 return pair;
             }
 

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateKeyPair.java

@@ -34,7 +34,9 @@
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.CertificateException;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
 import javax.xml.bind.annotation.XmlAccessType;
 import javax.xml.bind.annotation.XmlAccessorType;
@@ -348,6 +350,10 @@ public NamedGroup getPublicKeyGroup() {
         return publicKeyGroup;
     }
 
+    public GOSTCurve getGostCurve() {
+        return gostCurve;
+    }
+
     public void adjustInConfig(Config config, ConnectionEndType connectionEnd) {
         publicKey.adjustInConfig(config, connectionEnd);
         if (privateKey != null) {
@@ -368,40 +374,16 @@ public void adjustInContext(TlsContext context, ConnectionEndType connectionEnd)
         }
         context.setEcCertificateCurve(publicKeyGroup);
         if (context.getConfig().getAutoAdjustSignatureAndHashAlgorithm()) {
-            // TODO rething auto selection
-            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSA;
-            HashAlgorithm hashAlgorithm = context.getConfig().getPreferredHashAlgorithm();
-            switch (certPublicKeyType) {
-                case ECDSA:
-                    signatureAlgorithm = SignatureAlgorithm.ECDSA;
-                    break;
-                case RSA:
-                    signatureAlgorithm = SignatureAlgorithm.RSA;
-                    break;
-                case DSS:
-                    signatureAlgorithm = SignatureAlgorithm.DSA;
-                    break;
-                case GOST01:
-                    signatureAlgorithm = SignatureAlgorithm.GOSTR34102001;
-                    hashAlgorithm = HashAlgorithm.GOSTR3411;
-                    context.setSelectedGostCurve(gostCurve);
-                    LOGGER.debug("Adjusting selected gost curve:" + gostCurve);
-
-                    break;
-                case GOST12:
-                    if (gostCurve.is512bit2012()) {
-                        signatureAlgorithm = SignatureAlgorithm.GOSTR34102012_512;
-                        hashAlgorithm = HashAlgorithm.GOSTR34112012_512;
-                    } else {
-                        signatureAlgorithm = SignatureAlgorithm.GOSTR34102012_256;
-                        hashAlgorithm = HashAlgorithm.GOSTR34112012_256;
-                    }
-                    context.setSelectedGostCurve(gostCurve);
-                    LOGGER.debug("Adjusting selected GOST curve:" + gostCurve);
-                    break;
+            SignatureAndHashAlgorithm sigHashAlgo = SignatureAndHashAlgorithm.forCertificateKeyPair(this,
+                    context.getChooser());
+
+            if (sigHashAlgo == SignatureAndHashAlgorithm.GOSTR34102012_512_GOSTR34112012_512
+                    || sigHashAlgo == SignatureAndHashAlgorithm.GOSTR34102012_256_GOSTR34112012_256
+                    || sigHashAlgo == SignatureAndHashAlgorithm.GOSTR34102001_GOSTR3411) {
+                context.setSelectedGostCurve(gostCurve);
+                LOGGER.debug("Adjusting selected GOST curve:" + gostCurve);
             }
-            SignatureAndHashAlgorithm sigHashAlgo = SignatureAndHashAlgorithm.getSignatureAndHashAlgorithm(
-                    signatureAlgorithm, hashAlgorithm);
+
             LOGGER.debug("Setting selected SignatureAndHash algorithm to:" + sigHashAlgo);
             context.setSelectedSignatureAndHashAlgorithm(sigHashAlgo);
         }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/Config.java

@@ -2402,17 +2402,12 @@ public void setDefaultClientSupportedSignatureAndHashAlgorithms(
         this.defaultClientSupportedSignatureAndHashAlgorithms = defaultClientSupportedSignatureAndHashAlgorithms;
     }
 
-    public final void setSupportedSignatureAndHashAlgorithms(
+    public final void setDefaultClientSupportedSignatureAndHashAlgorithms(
             SignatureAndHashAlgorithm... supportedSignatureAndHashAlgorithms) {
         this.defaultClientSupportedSignatureAndHashAlgorithms = new ArrayList(
                 Arrays.asList(supportedSignatureAndHashAlgorithms));
     }
 
-    public final void setSupportedSignatureAndHashAlgorithms(
-            List<SignatureAndHashAlgorithm> supportedSignatureAndHashAlgorithms) {
-        this.defaultClientSupportedSignatureAndHashAlgorithms = supportedSignatureAndHashAlgorithms;
-    }
-
     public List<ProtocolVersion> getSupportedVersions() {
         return supportedVersions;
     }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/CipherSuite.java

@@ -748,6 +748,9 @@ public static List<CipherSuite> getImplemented() {
         list.add(TLS_ECDHE_ECDSA_WITH_AES_256_CCM);
         list.add(TLS_AES_128_GCM_SHA256);
         list.add(TLS_AES_256_GCM_SHA384);
+        list.add(TLS_CHACHA20_POLY1305_SHA256);
+        list.add(TLS_AES_128_CCM_SHA256);
+        list.add(TLS_AES_128_CCM_8_SHA256);
         list.add(TLS_PSK_WITH_AES_128_CBC_SHA);
         list.add(TLS_PSK_DHE_WITH_AES_128_CCM_8);
         list.add(TLS_PSK_DHE_WITH_AES_256_CCM_8);

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ExtensionType.java

@@ -55,7 +55,12 @@ public enum ExtensionType {
     PRE_SHARED_KEY(new byte[] { (byte) 0, (byte) 41 }),
     EARLY_DATA(new byte[] { (byte) 0, (byte) 42 }),
     SUPPORTED_VERSIONS(new byte[] { (byte) 0, (byte) 43 }),
+    COOKIE(new byte[] { 0x00, (byte) 44 }),
     PSK_KEY_EXCHANGE_MODES(new byte[] { (byte) 0, (byte) 45 }),
+    CERTIFICATE_AUTHORITIES(new byte[] { (byte) 0, (byte) 47 }),
+    OID_FILTERS(new byte[] { (byte) 0, (byte) 48 }),
+    POST_HANDSHAKE_AUTH(new byte[] { (byte) 0, (byte) 49 }),
+    SIGNATURE_ALGORITHMS_CERT(new byte[] { (byte) 0, (byte) 50 }),
     KEY_SHARE(new byte[] { (byte) 0, (byte) 51 }),
     RENEGOTIATION_INFO(new byte[] { (byte) 0xFF, (byte) 0x01 }),
     ENCRYPTED_SERVER_NAME_INDICATION(new byte[] { (byte) 0xFF, (byte) 0xCE }),

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ProtocolVersion.java

@@ -14,6 +14,14 @@
 
 import java.util.*;
 
+class ProtocolVersionComparator implements Comparator<ProtocolVersion> {
+
+    @Override
+    public int compare(ProtocolVersion o1, ProtocolVersion o2) {
+        return o1.compare(o2);
+    }
+}
+
 public enum ProtocolVersion {
 
     SSL2(new byte[] { (byte) 0x00, (byte) 0x02 }),
@@ -75,6 +83,18 @@ public static ProtocolVersion getProtocolVersion(byte[] value) {
         return MAP.get(i);
     }
 
+    public static void sort(List<ProtocolVersion> versions) {
+        sort(versions, true);
+    }
+
+    public static void sort(List<ProtocolVersion> versions, boolean ascending) {
+        Comparator<ProtocolVersion> comparator = new ProtocolVersionComparator();
+        if (!ascending) {
+            comparator = comparator.reversed();
+        }
+        versions.sort(comparator);
+    }
+
     public static List<ProtocolVersion> getProtocolVersions(byte[] values) {
         List<ProtocolVersion> versions = new LinkedList<>();
         if (values.length % 2 != 0) {
@@ -178,4 +198,14 @@ public boolean usesExplicitIv() {
                 || this == ProtocolVersion.DTLS12;
     }
 
+    public int compare(ProtocolVersion o1) {
+        if (o1 == this) {
+            return 0;
+        }
+
+        if (ArrayConverter.bytesToInt(this.getValue()) > ArrayConverter.bytesToInt(o1.getValue())) {
+            return 1;
+        }
+        return -1;
+    }
 }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/SignatureAndHashAlgorithm.java

@@ -9,12 +9,21 @@
  */
 package de.rub.nds.tlsattacker.core.constants;
 
+import com.google.common.collect.Sets;
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
+import de.rub.nds.tlsattacker.core.certificate.CertificateKeyPair;
 import de.rub.nds.tlsattacker.core.exceptions.UnknownSignatureAndHashAlgorithm;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.Signature;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import de.rub.nds.tlsattacker.core.workflow.chooser.Chooser;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -193,6 +202,10 @@ public HashAlgorithm getHashAlgorithm() {
     }
 
     public String getJavaName() {
+        if (this.toString().contains("RSA_PSS")) {
+            return this.getHashAlgorithm().getJavaName().replaceAll("-", "") + "withRSA/PSS";
+        }
+
         String hashAlgorithmName = getHashAlgorithm().getJavaName();
         if (!hashAlgorithmName.contains("GOST")) {
             hashAlgorithmName = hashAlgorithmName.replace("-", "");
@@ -201,4 +214,107 @@ public String getJavaName() {
         return hashAlgorithmName + "with" + signatureAlgorithmName;
     }
 
+    public void setupSignature(Signature signature) throws InvalidAlgorithmParameterException {
+        if (this.getSignatureAlgorithm().toString().startsWith("RSA_PSS")) {
+            String hashName = this.getHashAlgorithm().getJavaName();
+            int saltLength = 0;
+            switch (this.getHashAlgorithm()) {
+                case SHA1:
+                    saltLength = 20;
+                    break;
+                case MD5:
+                    saltLength = 16;
+                    break;
+                case SHA256:
+                case GOSTR3411:
+                case GOSTR34112012_256:
+                    saltLength = 32;
+                    break;
+                case SHA224:
+                    saltLength = 28;
+                    break;
+                case SHA384:
+                    saltLength = 48;
+                    break;
+                case GOSTR34112012_512:
+                case SHA512:
+                    saltLength = 64;
+                    break;
+                case NONE:
+                    break;
+            }
+
+            signature.setParameter(new PSSParameterSpec(hashName, "MGF1", new MGF1ParameterSpec(hashName), saltLength,
+                    1));
+        }
+    }
+
+    public static SignatureAndHashAlgorithm forCertificateKeyPair(CertificateKeyPair keyPair, Chooser chooser) {
+        Sets.SetView<SignatureAndHashAlgorithm> intersection = Sets.intersection(
+                Sets.newHashSet(chooser.getClientSupportedSignatureAndHashAlgorithms()),
+                Sets.newHashSet(chooser.getServerSupportedSignatureAndHashAlgorithms()));
+        List<SignatureAndHashAlgorithm> algorithms = new ArrayList<>(intersection);
+        List<SignatureAndHashAlgorithm> clientPreferredHash = new ArrayList<>(algorithms);
+        clientPreferredHash.removeIf(i -> i.getHashAlgorithm() != chooser.getConfig().getPreferredHashAlgorithm());
+        algorithms.addAll(0, clientPreferredHash);
+
+        if (chooser.getSelectedProtocolVersion().isTLS13()) {
+            algorithms.removeIf(i -> i.toString().contains("RSA_SHA"));
+        }
+
+        SignatureAndHashAlgorithm sigHashAlgo = null;
+        CertificateKeyType certPublicKeyType = keyPair.getCertPublicKeyType();
+
+        boolean found = false;
+        for (SignatureAndHashAlgorithm i : algorithms) {
+            SignatureAlgorithm sig = i.getSignatureAlgorithm();
+
+            switch (certPublicKeyType) {
+                case ECDSA:
+                    if (sig == SignatureAlgorithm.ECDSA) {
+                        found = true;
+                        sigHashAlgo = i;
+                    }
+                    break;
+                case RSA:
+                    if (sig.toString().contains("RSA")) {
+                        found = true;
+                        sigHashAlgo = i;
+                    }
+                    break;
+                case DSS:
+                    if (sig == SignatureAlgorithm.DSA) {
+                        found = true;
+                        sigHashAlgo = i;
+                    }
+                    break;
+                case GOST01:
+                    if (sig == SignatureAlgorithm.GOSTR34102001) {
+                        found = true;
+                        sigHashAlgo = SignatureAndHashAlgorithm.GOSTR34102001_GOSTR3411;
+                    }
+                    break;
+                case GOST12:
+                    if (sig == SignatureAlgorithm.GOSTR34102012_256 || sig == SignatureAlgorithm.GOSTR34102012_512) {
+                        found = true;
+                        if (keyPair.getGostCurve().is512bit2012()) {
+                            sigHashAlgo = SignatureAndHashAlgorithm.GOSTR34102012_512_GOSTR34112012_512;
+                        } else {
+                            sigHashAlgo = SignatureAndHashAlgorithm.GOSTR34102012_256_GOSTR34112012_256;
+                        }
+                    }
+                    break;
+            }
+
+            if (found)
+                break;
+        }
+
+        if (sigHashAlgo == null) {
+            LOGGER.warn("Could not auto select SignatureAndHashAlgorithm, setting default value");
+            sigHashAlgo = SignatureAndHashAlgorithm.RSA_SHA256;
+        }
+
+        return sigHashAlgo;
+    }
 }