Merge pull request #590 from RUB-NDS/bbfix

Fix for Bleichenbacher false positives on chaninging pulic key

Author: ic0ns

…tion/PaddingOracleUnstableException.java …s/exception/OracleUnstableException.javaAttacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/PaddingOracleUnstableException.java renamed to Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/OracleUnstableException.java Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/PaddingOracleUnstableException.java renamed to Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/OracleUnstableException.java

@@ -11,13 +11,13 @@
 /**
  *
  */
-public class PaddingOracleUnstableException extends RuntimeException {
+public class OracleUnstableException extends RuntimeException {
 
     /**
      *
      * @param string
      */
-    public PaddingOracleUnstableException(String string) {
+    public OracleUnstableException(String string) {
         super(string);
     }
 

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java

@@ -10,6 +10,7 @@
 
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.BleichenbacherCommandConfig;
+import de.rub.nds.tlsattacker.attacks.exception.OracleUnstableException;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Bleichenbacher;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherVulnerabilityMap;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowGenerator;
@@ -128,12 +129,12 @@ public EqualityError getEqualityError() {
         CONSOLE.info("A server is considered vulnerable to this attack if it responds differently to the test vectors.");
         CONSOLE.info("A server is considered secure if it always responds the same way.");
         LOGGER.debug("Testing: " + config.getWorkflowType());
-        errorType = isVulnerable(pkcs1Vectors);
+        errorType = isVulnerable(pkcs1Vectors, publicKey);
         return errorType;
     }
 
-    public EqualityError isVulnerable(List<Pkcs1Vector> pkcs1Vectors) {
-        fingerprintPairList = getBleichenbacherMap(config.getWorkflowType(), pkcs1Vectors);
+    public EqualityError isVulnerable(List<Pkcs1Vector> pkcs1Vectors, RSAPublicKey publicKey) {
+        fingerprintPairList = getBleichenbacherMap(config.getWorkflowType(), pkcs1Vectors, publicKey);
         if (fingerprintPairList.isEmpty()) {
             LOGGER.warn("Could not extract Fingerprints");
             return null;
@@ -146,14 +147,14 @@ public EqualityError isVulnerable(List<Pkcs1Vector> pkcs1Vectors) {
             // network. In this case we do a rescan
             // and check if we find the exact same answer behaviour (twice)
             List<VectorFingerprintPair> secondBleichenbacherVectorMap = getBleichenbacherMap(config.getWorkflowType(),
-                    pkcs1Vectors);
+                    pkcs1Vectors, publicKey);
             EqualityError error2 = getEqualityError(secondBleichenbacherVectorMap);
             BleichenbacherVulnerabilityMap mapOne = new BleichenbacherVulnerabilityMap(fingerprintPairList, error);
             BleichenbacherVulnerabilityMap mapTwo = new BleichenbacherVulnerabilityMap(secondBleichenbacherVectorMap,
                     error2);
             if (mapOne.looksIdentical(mapTwo)) {
                 List<VectorFingerprintPair> thirdBleichenbacherVectorMap = getBleichenbacherMap(
-                        config.getWorkflowType(), pkcs1Vectors);
+                        config.getWorkflowType(), pkcs1Vectors, publicKey);
                 EqualityError error3 = getEqualityError(secondBleichenbacherVectorMap);
                 BleichenbacherVulnerabilityMap mapThree = new BleichenbacherVulnerabilityMap(
                         thirdBleichenbacherVectorMap, error3);
@@ -202,7 +203,7 @@ private void printBleichenbacherVectormap(List<VectorFingerprintPair> bleichenba
     }
 
     private List<VectorFingerprintPair> getBleichenbacherMap(BleichenbacherWorkflowType bbWorkflowType,
-            List<Pkcs1Vector> pkcs1Vectors) {
+            List<Pkcs1Vector> pkcs1Vectors, RSAPublicKey publicKey) {
         Config tlsConfig = getTlsConfig();
         tlsConfig.setWorkflowExecutorShouldClose(false);
         List<VectorFingerprintPair> bleichenbacherVectorMap = new LinkedList<>();
@@ -226,6 +227,17 @@ private List<VectorFingerprintPair> getBleichenbacherMap(BleichenbacherWorkflowT
                 processFinishedStateVectorPair(stateVectorPair, bleichenbacherVectorMap);
             }
         }
+        // Check that the public key send by the server is actually the public
+        // key used to generate
+        // the vectors. This is currently a limitation of our script as the
+        // attack vectors are
+        // generated statically and not dynamically. We will adjust this in
+        // future versions.
+        for (StateVectorPair pair : stateVectorPairList) {
+            if (!pair.getState().getTlsContext().getServerRsaModulus().equals(publicKey.getModulus())) {
+                throw new OracleUnstableException("Server sent us a different publickey during the scan. Aborting test");
+            }
+        }
 
         return bleichenbacherVectorMap;
     }
@@ -236,7 +248,7 @@ private void processFinishedStateVectorPair(StateVectorPair stateVectorPair,
             ResponseFingerprint fingerprint = ResponseExtractor.getFingerprint(stateVectorPair.getState());
             bleichenbacherVectorMap.add(new VectorFingerprintPair(fingerprint, stateVectorPair.getVector()));
         } else {
-            LOGGER.error("Could not execute Workflow. Something went wrong... Check the debug output for more information");
+            LOGGER.warn("Could not execute Workflow. Something went wrong... Check the debug output for more information");
         }
         clearConnections(stateVectorPair.getState());
 

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/PaddingOracleAttacker.java

@@ -10,7 +10,7 @@
 
 import de.rub.nds.tlsattacker.attacks.config.PaddingOracleCommandConfig;
 import de.rub.nds.tlsattacker.attacks.exception.AttackFailedException;
-import de.rub.nds.tlsattacker.attacks.exception.PaddingOracleUnstableException;
+import de.rub.nds.tlsattacker.attacks.exception.OracleUnstableException;
 import de.rub.nds.tlsattacker.attacks.padding.PaddingTraceGenerator;
 import de.rub.nds.tlsattacker.attacks.padding.PaddingTraceGeneratorFactory;
 import de.rub.nds.tlsattacker.attacks.padding.PaddingVectorGenerator;
@@ -165,7 +165,7 @@ public Boolean isVulnerable() {
     public boolean lookEqual(List<VectorResponse> responseVectorListOne, List<VectorResponse> responseVectorListTwo) {
         boolean result = true;
         if (responseVectorListOne.size() != responseVectorListTwo.size()) {
-            throw new PaddingOracleUnstableException(
+            throw new OracleUnstableException(
                     "The padding Oracle seems to be unstable - there is something going terrible wrong. We recommend manual analysis");
         }
 
@@ -191,7 +191,7 @@ public boolean lookEqual(List<VectorResponse> responseVectorListOne, List<Vector
                 continue;
             }
             if (equivalentVector.getFingerprint() == null) {
-                LOGGER.error("Equivalent vector has no fingerprint:" + testedSuite + " - " + testedVersion);
+                LOGGER.warn("Equivalent vector has no fingerprint:" + testedSuite + " - " + testedVersion);
                 equivalentVector.setErrorDuringHandshake(true);
                 result = false;
                 continue;
@@ -200,7 +200,7 @@ public boolean lookEqual(List<VectorResponse> responseVectorListOne, List<Vector
             EqualityError error = FingerPrintChecker.checkEquality(vectorResponseOne.getFingerprint(),
                     equivalentVector.getFingerprint(), true);
             if (error != EqualityError.NONE) {
-                LOGGER.error("There is an error beween rescan:" + error + " - " + testedSuite + " - " + testedVersion);
+                LOGGER.warn("There is an error beween rescan:" + error + " - " + testedSuite + " - " + testedVersion);
                 result = false;
                 vectorResponseOne.setShaky(true);
             }
@@ -231,19 +231,17 @@ public List<VectorResponse> createVectorResponseList() {
             ResponseFingerprint fingerprint = null;
             if (pair.getFingerPrintTask().isHasError()) {
                 errornousScans = true;
-                LOGGER.error("Could not extract fingerprint for " + pair.toString());
+                LOGGER.warn("Could not extract fingerprint for " + pair.toString());
                 VectorResponse vectorResponse = new VectorResponse(pair.getVector(), null, testedVersion, testedSuite,
                         tlsConfig.getDefaultApplicationMessageData().getBytes().length);
                 vectorResponse.setErrorDuringHandshake(true);
                 tempResponseVectorList.add(vectorResponse);
-                LOGGER.error("Could not execute whole workflow: " + testedSuite + " - " + testedVersion);
-
             } else {
                 testedSuite = pair.getFingerPrintTask().getState().getTlsContext().getSelectedCipherSuite();
                 testedVersion = pair.getFingerPrintTask().getState().getTlsContext().getSelectedProtocolVersion();
                 if (testedSuite == null || testedVersion == null) {
                     LOGGER.fatal("Could not find ServerHello after successful extraction");
-                    throw new PaddingOracleUnstableException("Fatal Extraction error");
+                    throw new OracleUnstableException("Fatal Extraction error");
                 }
                 fingerprint = pair.getFingerPrintTask().getFingerprint();
                 tempResponseVectorList.add(new VectorResponse(pair.getVector(), fingerprint, testedVersion,

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/task/FingerPrintTask.java

@@ -43,6 +43,7 @@ public void execute() {
         try {
             WorkflowExecutor executor = new DefaultWorkflowExecutor(state);
             executor.executeWorkflow();
+
             if (!state.getWorkflowTrace().executedAsPlanned()) {
                 throw new FingerprintExtractionException(
                         "Could not extract fingerprint. Not all actions executed as planned");