Add SSLv2 to SWEET32

The information on 64 Block ciphers using SSLv2 in the SWEET32
paper is sparse. Maybe becuase SSLv2 is the bigger problem.

For completeness also SSLv2 ciphers were added to the SWEET32 check.
It fixes finally #613.

Also with --ssl-native when no ciphers or only a handlful of ciphers
are supplied by openssl there's a "Local problem" warning issued and
the test aborted as the results would make much sense otherwise.

A few peices of documenation of parameters and return conditions
for sslv2_sockets() and has_server_protocol() was added.
This commit is contained in:
Dirk Wetter 2019-02-19 20:41:54 +01:00
parent 40f7e15f26
commit 315005fc6f

View File

@ -4649,6 +4649,9 @@ add_tls_offered() {
}
# function which checks whether SSLv2 - TLS 1.2 is being offered, see add_tls_offered()
# arg1: protocol string or hex code for TLS protocol
# echos: 0 if proto known being offered, 1: known not being offered, 2: we don't know yet whether proto is being offered
# return value is always zero
has_server_protocol() {
local proto
local proto_val_pair
@ -12241,9 +12244,10 @@ parse_tls_serverhello() {
}
#arg1: list of ciphers suites or empty
#arg2: "true" if full server response should be parsed.
# return: 6: couldn't open socket, 0: OK, else: return value of parse_sslv2_serverhello()
#arg1 (optional): list of ciphers suites or empty
#arg2 (optional): "true" if full server response should be parsed.
# return: 6: couldn't open socket, 3(!): sslv2 handshake succeeded, 0=no SSLv2
# 1,4,6,7: see return value of parse_sslv2_serverhello()
sslv2_sockets() {
local ret
local client_hello cipher_suites len_client_hello
@ -12252,10 +12256,10 @@ sslv2_sockets() {
local -i response_len server_hello_len
local parse_complete=false
# this could be empty so swe use '=='
if [[ "$2" == true ]]; then
parse_complete=true
fi
if [[ -n "$1" ]]; then
cipher_suites="$1"
else
@ -14048,17 +14052,22 @@ run_breach() {
# SWEET32 (https://sweet32.info/). Birthday attacks on 64-bit block ciphers.
# In a nutshell: don't use 3DES ciphers anymore (DES, RC2 and IDEA too)
# In a nutshell: don't use 3DES ciphers anymore (DES, RC2 and IDEA too).
# Please note as opposed to RC4 (stream cipher) RC2 is a block cipher.
#
run_sweet32() {
local -i sclient_success=1
local -i sclient_success=1 ssl2_sclient_success=1
local sweet32_ciphers="IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DES-CBC3-SHA:RSA-PSK-3DES-EDE-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-PSK-3DES-EDE-CBC-SHA:DHE-PSK-3DES-EDE-CBC-SHA:DES-CFB-M1:EXP1024-DHE-DSS-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:EXP1024-DES-CBC-SHA:DES-CBC-SHA:EXP1024-RC2-CBC-MD5:DES-CBC-MD5:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-DH-DSS-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA"
local sweet32_ciphers_hex="00,07, 00,21, 00,25, c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,17, 00,1b, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,63, 00,15, 00,12, 00,0f, 00,0c, 00,1a, 00,62, 00,09, 00,61, 00,1e, 00,22, fe,fe, ff,e1, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e"
local ssl2_sweet32_ciphers='RC2-CBC-MD5:EXP-RC2-CBC-MD5:IDEA-CBC-MD5:DES-CBC-MD5:DES-CBC-SHA:DES-CBC3-MD5:DES-CBC3-SHA:DES-CFB-M1'
local ssl2_sweet32_ciphers_hex='03,00,80, 04,00,80, 05,00,80, 06,00,40, 06,01,40, 07,00,C0, 07,01,C0, FF,80,00'
local nr_cipher_minimal=21
local proto
local cve="CVE-2016-2183 CVE-2016-6329"
local cwe="CWE-327"
local hint=""
local -i nr_sweet32_ciphers=0
local -i nr_sweet32_ciphers=0 nr_supported_ciphers=0 nr_ssl2_sweet32_ciphers=0 nr_ssl2_supported_ciphers=0
local ssl2_sweet=false
local using_sockets=true
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for SWEET32 (Birthday Attacks on 64-bit Block Ciphers) " && outln
@ -14076,9 +14085,31 @@ run_sweet32() {
[[ $sclient_success -eq 2 ]] && sclient_success=0
[[ $sclient_success -eq 0 ]] && break
done
if [[ 1 -ne $(has_server_protocol "ssl2") ]]; then
sslv2_sockets "$ssl2_sweet32_ciphers_hex"
case $? in
3) ssl2_sweet=true
add_tls_offered ssl2 yes ;;
0) ;; # ssl2_sweet=false
1|4|6|7) debugme "${FUNCNAME[0]}: test problem we don't handle here"
;;
esac
fi
else
nr_sweet32_ciphers=$(count_ciphers $sweet32_ciphers)
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $sweet32_ciphers))
debugme echo "$nr_sweet32_ciphers / $nr_supported_ciphers"
nr_ssl2_sweet32_ciphers=$(count_ciphers $ssl2_sweet32_ciphers)
nr_ssl2_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $ssl2_sweet32_ciphers))
debugme echo "$nr_ssl2_sweet32_ciphers / $nr_ssl2_supported_ciphers"
if [[ $(( nr_supported_ciphers + nr_ssl2_supported_ciphers )) -le $nr_cipher_minimal ]]; then
pr_local_problem "Only ${nr_supported_ciphers}+${nr_ssl2_supported_ciphers} \"SWEET32 ciphers\" found in your $OPENSSL."
outln " Test skipped"
fileout "SWEET32" "WARN" "Not tested, lack of local support ($((nr_supported_ciphers + nr_ssl2_supported_ciphers)) ciphers only)" "$cve" "$cwe" "$hint"
return 1
fi
for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
[[ $nr_supported_ciphers -eq 0 ]] && break
! "$HAS_SSL3" && [[ "$proto" == -ssl3 ]] && continue
@ -14092,22 +14123,52 @@ run_sweet32() {
[[ $DEBUG -ge 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
[[ $sclient_success -eq 0 ]] && break
done
if "$HAS_SSL2"; then
if [[ 1 -ne $(has_server_protocol "ssl2") ]]; then
$OPENSSL s_client $STARTTLS $BUGS -ssl2 -cipher $ssl2_sweet32_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
if [[ $? -eq 0 ]]; then
ssl2_sweet=true
add_tls_offered ssl2 yes
fi
if [[ $sclient_success -eq 0 ]]; then
fi
else
debugme tm_warning "Can't test with SSLv2 here as $OPENSSL lacks support"
# we omit adding a string for DEBUG==0 here as using sockets is the default and the following elif statement becomes ugly
fi
fi
if [[ $sclient_success -eq 0 ]] && "$ssl2_sweet" ; then
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers for SSLv2 and above"
fileout "SWEET32" "LOW" "uses 64 bit block ciphers for SSLv2 and above" "$cve" "$cwe" "$hint"
elif [[ $sclient_success -eq 0 ]]; then
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers"
fileout "SWEET32" "LOW" "uses 64 bit block ciphers" "$cve" "$cwe" "$hint"
elif "$ssl2_sweet"; then
pr_svrty_low "VULNERABLE"; out ", uses 64 bit block ciphers wth SSLv2 only"
fileout "SWEET32" "LOW" "uses 64 bit block ciphers with SSLv2 only" "$cve" "$cwe" "$hint"
else
pr_svrty_best "not vulnerable (OK)";
if "$using_sockets"; then
fileout "SWEET32" "OK" "not vulnerable" "$cve" "$cwe"
else
if [[ "$nr_supported_ciphers" -ge 17 ]]; then
if [[ "$nr_supported_ciphers" -ge 38 ]]; then
# Likely only PSK/KRB5 ciphers are missing: display discrepancy but no warning
if "$HAS_SSL2"; then
out ", $nr_supported_ciphers/$nr_sweet32_ciphers (SSLv2: $nr_ssl2_sweet32_ciphers/$nr_ssl2_supported_ciphers) local ciphers"
fileout "SWEET32" "OK" "not vulnerable ($nr_supported_ciphers of $nr_sweet32_ciphers (SSLv2: $nr_ssl2_sweet32_ciphers/$nr_ssl2_supported_ciphers)) local ciphers" "$cve" "$cwe"
else
out ", $nr_supported_ciphers/$nr_sweet32_ciphers local ciphers"
fileout "SWEET32" "OK" "not vulnerable ($nr_supported_ciphers of $nr_sweet32_ciphers local ciphers" "$cve" "$cwe"
fi
else
if "$HAS_SSL2"; then
pr_warning ", $nr_supported_ciphers/$nr_sweet32_ciphers (SSLv2: $nr_ssl2_sweet32_ciphers/$nr_ssl2_supported_ciphers) local ciphers"
fileout "SWEET32" "WARN" "not vulnerable but ($nr_supported_ciphers of $nr_sweet32_ciphers (SSLv2: $nr_ssl2_sweet32_ciphers/$nr_ssl2_supported_ciphers)) local ciphers only" "$cve" "$cwe"
else
pr_warning ", $nr_supported_ciphers/$nr_sweet32_ciphers local ciphers"
fileout "SWEET32" "WARN" "not vulnerable but ($nr_supported_ciphers of $nr_sweet32_ciphers) local ciphers only" "$cve" "$cwe"
fi
fi
fileout "SWEET32" "OK" "not vulnerable ($nr_supported_ciphers of $nr_sweet32_ciphers local ciphers" "$cve" "$cwe"
fi
fi
outln