CCS injection: better handling of TLS alert protocols

In certain situations while testting for CCS injection it could have happened
that an error code was sent which was not interpreted properly by testssl.sh.
(https://tools.ietf.org/html/rfc5246#section-7.2)

This has now been fixed and thus addresses #906. Also it has been made sure
that other error codes are reported appropiately.

The case where this test failed before was a non-patched Ubuntu 12.04
with openssl/postfix on port 25.
This commit is contained in:
Dirk 2018-04-20 11:31:05 +02:00
parent 39647d1703
commit 8149c2d5cf

View File

@ -12156,17 +12156,34 @@ run_ccs_injection(){
else else
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
fi fi
elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
pr_warning "test failed "
out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=1
elif [[ "$byte6" == "15" ]]; then
# decryption failed received # decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint" fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
if [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
# Unexpected message / Handshake failure received # Unexpected message / Handshake failure received
pr_warning "likely " pr_warning "likely "
out "not vulnerable (OK)" out "not vulnerable (OK)"
out " - alert description type: $byte6" out " - alert description type: $byte6"
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint" fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "14" ]]; then
# bad_record_mac -- this is not "not vulnerable"
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious \"bad_record_mac\" ($byte6)"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE" "$cve" "$cwe" "$hint"
else
# other errors, see https://tools.ietf.org/html/rfc5246#section-7.2
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious error code \"$byte6\" returned. Please report"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
fi fi
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert # MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
@ -12187,7 +12204,7 @@ run_ccs_injection(){
fi fi
outln outln
tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE tmpfile_handle ${FUNCNAME[0]}.dd $SOCK_REPLY_FILE
close_socket close_socket
return $ret return $ret
} }