mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-10-30 21:35:26 +01:00
first draft of LUCKY13 (128 cipher limit has to be addressed)
This commit is contained in:
Dirk
74
testssl.sh
74
testssl.sh
@@ -10327,14 +10327,59 @@ run_beast(){
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# http://www.isg.rhul.ac.uk/tls/Lucky13.html
|
||||||
|
# in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM
|
||||||
run_lucky13() {
|
run_lucky13() {
|
||||||
|
local spaces=" "
|
||||||
|
local cbc_ciphers="ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-CAMELLIA256-SHA384:PSK-AES256-CBC-SHA384:PSK-CAMELLIA256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:DH-RSA-CAMELLIA256-SHA256:DH-DSS-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA256:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-CAMELLIA256-SHA384:ECDH-ECDSA-CAMELLIA256-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:CAMELLIA256-SHA:RSA-PSK-AES256-CBC-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:DH-RSA-CAMELLIA128-SHA256:DH-DSS-CAMELLIA128-SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA256:ADH-SEED-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-CAMELLIA128-SHA256:ECDH-ECDSA-CAMELLIA128-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-CAMELLIA128-SHA256:PSK-AES128-CBC-SHA256:PSK-CAMELLIA128-SHA256:IDEA-CBC-SHA:RSA-PSK-AES128-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:RSA-PSK-3DES-EDE-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-PSK-3DES-EDE-CBC-SHA:DHE-PSK-3DES-EDE-CBC-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:EXP1024-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-DH-DSS-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA"
|
||||||
|
cbc_ciphers_hex="c0,28, c0,24, c0,14, c0,0a, c0,22, c0,21, c0,20, 00,b7, 00,b3, 00,91, c0,9b, c0,99, c0,97, 00,af, c0,95, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, c0,19, 00,6d, 00,3a, 00,c5, 00,89, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,3d, 00,35, 00,c0, c0,38, c0,36, 00,84, 00,95, 00,8d, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,47, c0,49, c0,4b, c0,4d, c0,4f, c0,65, c0,67, c0,69, c0,71, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, 00,43, 00,42, c0,18, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,3c, 00,2f, 00,ba, c0,37, c0,35, 00,b6, 00,b2, 00,90, 00,96, 00,41, c0,9a, c0,98, c0,96, 00,ae, c0,94, 00,07, 00,94, 00,8c, 00,21, 00,25, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,46, c0,48, c0,4a, c0,4c, c0,4e, c0,64, c0,66, c0,68, c0,70, c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,17, 00,1b, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,63, 00,15, 00,12, 00,0f, 00,0c, 00,1a, 00,62, 00,09, 00,1e, 00,22, fe,fe, ff,e1, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e"
|
||||||
|
#FIXME: we have 154 ciphers here, some devices can only take 128 ciphers!!
|
||||||
|
local has_dh_bits="$HAS_DH_BITS"
|
||||||
|
local -i nr_supported_ciphers=0
|
||||||
|
local using_sockets=true
|
||||||
local cve="CVE-2013-0169"
|
local cve="CVE-2013-0169"
|
||||||
local cwe="CWE-310"
|
local cwe="CWE-310"
|
||||||
#FIXME: to do . CVE-2013-0169
|
local hint=""
|
||||||
# in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM
|
|
||||||
echo "FIXME"
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LUCKY13 vulnerability " && outln
|
||||||
fileout "lucky13" "WARN" "LUCKY13: Not tested. Not implemented. #FIXME" "$cve" "$cwe"
|
pr_bold " LUCKY13"; out " ($cve) "
|
||||||
return 1
|
|
||||||
|
"$SSL_NATIVE" && using_sockets=false
|
||||||
|
# The openssl binary distributed has almost everything we need (PSK, KRB5 ciphers and feff, ffe0 are typically missing).
|
||||||
|
# Measurements show that there's little impact whether we use sockets or TLS here, so the default is sockets here
|
||||||
|
|
||||||
|
if "$using_sockets"; then
|
||||||
|
tls_sockets "03" "${cbc_ciphers_hex}"
|
||||||
|
sclient_success=$?
|
||||||
|
else
|
||||||
|
nr_cbc_ciphers=$(count_ciphers $cbc_ciphers)
|
||||||
|
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $cbc_ciphers))
|
||||||
|
$OPENSSL s_client $STARTTLS $BUGS -cipher $cbc_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE $SNI 2>$ERRFILE </dev/null
|
||||||
|
sclient_connect_successful $? $TMPFILE
|
||||||
|
sclient_success=$?
|
||||||
|
[[ "$DEBUG" -eq 2 ]] && egrep -q "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
|
fi
|
||||||
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
|
pr_svrty_low "VULNERABLE"; out ", uses cipher block chaining (CBC) ciphers"
|
||||||
|
fileout "lucky13" "LOW" "LUCKY13, uses cipher block chaining (CBC) ciphers" "$cve" "$cwe" "$hint"
|
||||||
|
else
|
||||||
|
pr_done_best "not vulnerable (OK)";
|
||||||
|
if "$using_sockets"; then
|
||||||
|
fileout "lucky13" "OK" "LUCKY13: not vulnerable" "$cve" "$cwe"
|
||||||
|
else
|
||||||
|
if [[ "$nr_supported_ciphers" -ge 133 ]]; then
|
||||||
|
# Likely only PSK/KRB5 ciphers are missing: display discrepancy but no warning
|
||||||
|
out ", $nr_supported_ciphers/$nr_cbc_ciphers local ciphers"
|
||||||
|
else
|
||||||
|
pr_warning ", $nr_supported_ciphers/$nr_cbc_ciphers local ciphers"
|
||||||
|
fi
|
||||||
|
fileout "lucky13" "OK" "LUCKY13: not vulnerable ($nr_supported_ciphers of $nr_cbc_ciphers local ciphers" "$cve" "$cwe"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
outln
|
||||||
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
return $sclient_success
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -10870,11 +10915,12 @@ single check as <options> ("$PROG_NAME URI" does everything except -E):
|
|||||||
-I, --ccs, --ccs-injection tests for CCS injection vulnerability
|
-I, --ccs, --ccs-injection tests for CCS injection vulnerability
|
||||||
-R, --renegotiation tests for renegotiation vulnerabilities
|
-R, --renegotiation tests for renegotiation vulnerabilities
|
||||||
-C, --compression, --crime tests for CRIME vulnerability (TLS compression issue)
|
-C, --compression, --crime tests for CRIME vulnerability (TLS compression issue)
|
||||||
-A, --beast tests for BEAST vulnerability (HTTP compression issue)
|
-T, --breach tests for BREACH vulnerability (HTTP compression issue)
|
||||||
-O, --poodle tests for POODLE (SSL) vulnerability
|
-O, --poodle tests for POODLE (SSL) vulnerability
|
||||||
-Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation
|
-Z, --tls-fallback checks TLS_FALLBACK_SCSV mitigation
|
||||||
-W, --sweet32 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability
|
-W, --sweet32 tests 64 bit block ciphers (3DES, RC2 and IDEA): SWEET32 vulnerability
|
||||||
-T, --breach tests for BREACH vulnerability
|
-A, --beast tests for BEAST vulnerability
|
||||||
|
-L, --lucky13 tests for LUCKY13
|
||||||
-F, --freak tests for FREAK vulnerability
|
-F, --freak tests for FREAK vulnerability
|
||||||
-J, --logjam tests for LOGJAM vulnerability
|
-J, --logjam tests for LOGJAM vulnerability
|
||||||
-D, --drown tests for DROWN vulnerability
|
-D, --drown tests for DROWN vulnerability
|
||||||
@@ -11892,6 +11938,7 @@ initialize_globals() {
|
|||||||
do_allciphers=false
|
do_allciphers=false
|
||||||
do_vulnerabilities=false
|
do_vulnerabilities=false
|
||||||
do_beast=false
|
do_beast=false
|
||||||
|
do_lucky13=false
|
||||||
do_breach=false
|
do_breach=false
|
||||||
do_ccs_injection=false
|
do_ccs_injection=false
|
||||||
do_cipher_per_proto=false
|
do_cipher_per_proto=false
|
||||||
@@ -11931,6 +11978,7 @@ set_scanning_defaults() {
|
|||||||
do_allciphers=true
|
do_allciphers=true
|
||||||
do_vulnerabilities=true
|
do_vulnerabilities=true
|
||||||
do_beast=true
|
do_beast=true
|
||||||
|
do_lucky13=true
|
||||||
do_breach=true
|
do_breach=true
|
||||||
do_heartbleed=true
|
do_heartbleed=true
|
||||||
do_ccs_injection=true
|
do_ccs_injection=true
|
||||||
@@ -11952,14 +12000,14 @@ set_scanning_defaults() {
|
|||||||
do_http2=true
|
do_http2=true
|
||||||
do_tls_fallback_scsv=true
|
do_tls_fallback_scsv=true
|
||||||
do_client_simulation=true
|
do_client_simulation=true
|
||||||
VULN_COUNT=15
|
VULN_COUNT=16
|
||||||
}
|
}
|
||||||
|
|
||||||
query_globals() {
|
query_globals() {
|
||||||
local gbl
|
local gbl
|
||||||
local true_nr=0
|
local true_nr=0
|
||||||
|
|
||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
||||||
do_sweet32 do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
do_sweet32 do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
||||||
@@ -11972,7 +12020,7 @@ query_globals() {
|
|||||||
debug_globals() {
|
debug_globals() {
|
||||||
local gbl
|
local gbl
|
||||||
|
|
||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
|
||||||
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
do_std_cipherlists do_server_defaults do_server_preference do_spdy do_http2 do_ssl_poodle do_tls_fallback_scsv \
|
||||||
do_sweet32 do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
do_sweet32 do_client_simulation do_test_just_one do_tls_sockets do_mass_testing do_display_only; do
|
||||||
@@ -12106,6 +12154,7 @@ parse_cmd_line() {
|
|||||||
do_drown=true
|
do_drown=true
|
||||||
do_logjam=true
|
do_logjam=true
|
||||||
do_beast=true
|
do_beast=true
|
||||||
|
do_lucky13=true
|
||||||
do_rc4=true
|
do_rc4=true
|
||||||
VULN_COUNT=10
|
VULN_COUNT=10
|
||||||
;;
|
;;
|
||||||
@@ -12158,6 +12207,10 @@ parse_cmd_line() {
|
|||||||
do_beast=true
|
do_beast=true
|
||||||
let "VULN_COUNT++"
|
let "VULN_COUNT++"
|
||||||
;;
|
;;
|
||||||
|
-L|--lucky13)
|
||||||
|
do_lucky13=true
|
||||||
|
let "VULN_COUNT++"
|
||||||
|
;;
|
||||||
-4|--rc4|--appelbaum)
|
-4|--rc4|--appelbaum)
|
||||||
do_rc4=true
|
do_rc4=true
|
||||||
let "VULN_COUNT++"
|
let "VULN_COUNT++"
|
||||||
@@ -12439,6 +12492,7 @@ lets_roll() {
|
|||||||
$do_drown && { run_drown ret=$(($? + ret)); }
|
$do_drown && { run_drown ret=$(($? + ret)); }
|
||||||
$do_logjam && { run_logjam; ret=$(($? + ret)); }
|
$do_logjam && { run_logjam; ret=$(($? + ret)); }
|
||||||
$do_beast && { run_beast; ret=$(($? + ret)); }
|
$do_beast && { run_beast; ret=$(($? + ret)); }
|
||||||
|
$do_lucky13 && { run_lucky13; ret=$(($? + ret)); }
|
||||||
$do_rc4 && { run_rc4; ret=$(($? + ret)); }
|
$do_rc4 && { run_rc4; ret=$(($? + ret)); }
|
||||||
|
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
|
|||||||
Reference in New Issue
Block a user