From 315005fc6f57921d5ae318827672a2ad2399da21 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 19 Feb 2019 20:41:54 +0100 Subject: [PATCH] Add SSLv2 to SWEET32 The information on 64 Block ciphers using SSLv2 in the SWEET32 paper is sparse. Maybe becuase SSLv2 is the bigger problem. For completeness also SSLv2 ciphers were added to the SWEET32 check. It fixes finally #613. Also with --ssl-native when no ciphers or only a handlful of ciphers are supplied by openssl there's a "Local problem" warning issued and the test aborted as the results would make much sense otherwise. A few peices of documenation of parameters and return conditions for sslv2_sockets() and has_server_protocol() was added. --- testssl.sh | 87 ++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 74 insertions(+), 13 deletions(-) diff --git a/testssl.sh b/testssl.sh index 49ac8de..dcc2273 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4649,6 +4649,9 @@ add_tls_offered() { } # function which checks whether SSLv2 - TLS 1.2 is being offered, see add_tls_offered() +# arg1: protocol string or hex code for TLS protocol +# echos: 0 if proto known being offered, 1: known not being offered, 2: we don't know yet whether proto is being offered +# return value is always zero has_server_protocol() { local proto local proto_val_pair @@ -12241,9 +12244,10 @@ parse_tls_serverhello() { } -#arg1: list of ciphers suites or empty -#arg2: "true" if full server response should be parsed. -# return: 6: couldn't open socket, 0: OK, else: return value of parse_sslv2_serverhello() +#arg1 (optional): list of ciphers suites or empty +#arg2 (optional): "true" if full server response should be parsed. +# return: 6: couldn't open socket, 3(!): sslv2 handshake succeeded, 0=no SSLv2 +# 1,4,6,7: see return value of parse_sslv2_serverhello() sslv2_sockets() { local ret local client_hello cipher_suites len_client_hello 
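Review bot: The new return-value comment above sslv2_sockets() lists `6` twice, once as "couldn't open socket" and once inside `1,4,6,7: see return value of parse_sslv2_serverhello()`, so a reader cannot tell which meaning a caller receives. It also documents a successful handshake as 3 and "no SSLv2" as 0, the reverse of the usual shell convention. That deserves a plain sentence rather than `3(!)`, because a caller written as `if sslv2_sockets ...; then` would read the result backwards. I would reword it as `# return: 3: SSLv2 handshake succeeded (NOT 0), 0: server does not offer SSLv2, 6: couldn't open socket` followed by `# 1,4,7: passed through from parse_sslv2_serverhello()`, after confirming whether that parser can itself return 6. The function body lies outside this hunk, so the code paths behind these values are not visible here.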
@@ -12252,10 +12256,10 @@ sslv2_sockets() { local -i response_len server_hello_len local parse_complete=false + # this could be empty so swe use '==' if [[ "$2" == true ]]; then parse_complete=true fi - if [[ -n "$1" ]]; then cipher_suites="$1" else 
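Review bot: The added comment `# this could be empty so swe use '=='` has a typo and does not say what the string comparison is being preferred over. Other boolean flags on this page are evaluated by running them as a command (`! "$HAS_SSL3"`, `if "$HAS_SSL2"; then`), which is presumably the form the comment warns against for an optional argument. I would write `# $2 is optional and may be empty, so compare it as a string instead of executing it`. The rest of sslv2_sockets() is outside the hunk.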
@@ -14048,17 +14052,22 @@ run_breach() { # SWEET32 (https://sweet32.info/). Birthday attacks on 64-bit block ciphers. -# In a nutshell: don't use 3DES ciphers anymore (DES, RC2 and IDEA too) +# In a nutshell: don't use 3DES ciphers anymore (DES, RC2 and IDEA too). +# Please note as opposed to RC4 (stream cipher) RC2 is a block cipher. # run_sweet32() { - local -i sclient_success=1 - local sweet32_ciphers="IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DES-CBC3-SHA:RSA-PSK-3DES-EDE-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-PSK-3DES-EDE-CBC-SHA:DHE-PSK-3DES-EDE-CBC-SHA:DES-CFB-M1:EXP1024-DHE-DSS-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:EXP1024-DES-CBC-SHA:DES-CBC-SHA:EXP1024-RC2-CBC-MD5:DES-CBC-MD5:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-DH-DSS-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA" + local -i sclient_success=1 ssl2_sclient_success=1 + local 
sweet32_ciphers="IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DES-CBC3-SHA:RSA-PSK-3DES-EDE-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-PSK-3DES-EDE-CBC-SHA:DHE-PSK-3DES-EDE-CBC-SHA:DES-CFB-M1:EXP1024-DHE-DSS-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:EXP1024-DES-CBC-SHA:DES-CBC-SHA:EXP1024-RC2-CBC-MD5:DES-CBC-MD5:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-DH-DSS-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA" local sweet32_ciphers_hex="00,07, 00,21, 00,25, c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,17, 00,1b, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,63, 00,15, 00,12, 00,0f, 00,0c, 00,1a, 00,62, 00,09, 00,61, 00,1e, 00,22, fe,fe, ff,e1, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e" + local ssl2_sweet32_ciphers='RC2-CBC-MD5:EXP-RC2-CBC-MD5:IDEA-CBC-MD5:DES-CBC-MD5:DES-CBC-SHA:DES-CBC3-MD5:DES-CBC3-SHA:DES-CFB-M1' + local ssl2_sweet32_ciphers_hex='03,00,80, 04,00,80, 05,00,80, 06,00,40, 06,01,40, 07,00,C0, 07,01,C0, FF,80,00' + local nr_cipher_minimal=21 local proto local cve="CVE-2016-2183 CVE-2016-6329" local cwe="CWE-327" local hint="" - local -i nr_sweet32_ciphers=0 + local -i nr_sweet32_ciphers=0 nr_supported_ciphers=0 nr_ssl2_sweet32_ciphers=0 nr_ssl2_supported_ciphers=0 + local ssl2_sweet=false local using_sockets=true [[ $VULN_COUNT -le $VULN_THRESHLD ]] && 
outln && pr_headlineln " Testing for SWEET32 (Birthday Attacks on 64-bit Block Ciphers) " && outln @@ -14076,9 +14085,31 @@ run_sweet32() { [[ $sclient_success -eq 2 ]] && sclient_success=0 [[ $sclient_success -eq 0 ]] && break done + if [[ 1 -ne $(has_server_protocol "ssl2") ]]; then + sslv2_sockets "$ssl2_sweet32_ciphers_hex" + case $? in + 3) ssl2_sweet=true + add_tls_offered ssl2 yes ;; + 0) ;; # ssl2_sweet=false + 1|4|6|7) debugme "${FUNCNAME[0]}: test problem we don't handle here" + ;; + esac + fi else nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers) nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers)) + debugme echo "$nr_sweet32_ciphers / $nr_supported_ciphers" + + nr_ssl2_sweet32_ciphers=$(count_ciphers $ssl2_sweet32_ciphers) + nr_ssl2_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $ssl2_sweet32_ciphers)) + debugme echo "$nr_ssl2_sweet32_ciphers / $nr_ssl2_supported_ciphers" + + if [[ $(( nr_supported_ciphers + nr_ssl2_supported_ciphers )) -le $nr_cipher_minimal ]]; then + pr_local_problem "Only ${nr_supported_ciphers}+${nr_ssl2_supported_ciphers} \"SWEET32 ciphers\" found in your $OPENSSL." + outln " Test skipped" + fileout "SWEET32" "WARN" "Not tested, lack of local support ($((nr_supported_ciphers + nr_ssl2_supported_ciphers)) ciphers only)" "$cve" "$cwe" "$hint" + return 1 + fi for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do [[ $nr_supported_ciphers -eq 0 ]] && break ! "$HAS_SSL3" && [[ "$proto" == -ssl3 ]] && continue @@ -14092,22 +14123,52 @@ run_sweet32() { [[ $DEBUG -ge 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" [[ $sclient_success -eq 0 ]] && break done + if "$HAS_SSL2"; then + if [[ 1 -ne $(has_server_protocol "ssl2") ]]; then + $OPENSSL s_client $STARTTLS $BUGS -ssl2 -cipher $ssl2_sweet32_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE
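Review bot: `local nr_cipher_minimal=21` is an unexplained threshold, and it is the one plain `local` among counters that are otherwise declared with `local -i`. The later guard adds nr_supported_ciphers and nr_ssl2_supported_ciphers and compares the sum against it. All eight names in ssl2_sweet32_ciphers also appear in sweet32_ciphers, which itself repeats DES-CBC3-SHA, DES-CBC-SHA and EXP-RC2-CBC-MD5. Depending on how count_ciphers and actually_supported_ciphers treat repeated names (neither is visible here), the sum may count one cipher twice and let a thin local cipher set pass the guard. I would declare it as `local -i nr_cipher_minimal=21` with a comment stating where 21 comes from and whether it applies to the combined or the TLS-only count.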
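Review bot: In the sockets branch, the `1|4|6|7)` arm of `case $? in` only emits a debug line and leaves ssl2_sweet=false, so a failed SSLv2 probe is reported exactly like a server with no 64-bit block ciphers over SSLv2. For a vulnerability check that is a silent false negative; the arm should record that the SSLv2 part was inconclusive so the final verdict can show a warning. The case also has no `*)` arm for unexpected return values. Separately, the other two debugme calls in this hunk pass `echo` as the first word, which suggests debugme executes its arguments, so the message here would be run as a command; it should read `debugme echo "${FUNCNAME[0]}: test problem we don't handle here"`. run_sweet32() starts before and continues after this hunk, so how ssl2_sweet is consumed is not visible here.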