Compare commits


8 Commits

Author SHA1 Message Date
Odinmylord 7d5b7f59c0
Merge 156d82ee09 into e3b3c358fd 2024-04-26 07:33:49 -07:00
Dirk Wetter e3b3c358fd
Merge pull request #2492 from drwetter/fix2490_add
Add / improve #2490
2024-04-26 16:31:12 +02:00
Dirk e49747ca14 Add / improve #2490 2024-04-26 16:29:43 +02:00
Dirk Wetter 7eadfd12fb
Merge pull request #2491 from drwetter/fix2490_add
Add / improve #2490
2024-04-26 16:11:45 +02:00
Dirk a3d3133c59 Add / improve #2490 2024-04-26 16:10:03 +02:00
Odinmylord 156d82ee09 Added support for signature_algorithms extensions in CertificateRequest. Still missing the check for both TLS1.2 and TLS1.3 2024-04-16 11:42:41 +02:00
Odinmylord ca7aca6d62
Merge branch 'drwetter:3.2' into 3.2 2024-04-12 11:30:46 +02:00
Odinmylord 0602963cd5 Add support for signature_algorithms_cert extension 2024-03-22 17:48:39 +01:00
1 changed files with 89 additions and 11 deletions


@ -288,6 +288,8 @@ TMPFILE=""
ERRFILE=""
CLIENT_AUTH="none"
CLIENT_AUTH_CA_LIST=""
CLIENT_AUTH_SIGALGS_LIST=""
CLIENT_AUTH_SIGALGS_CERT_LIST=""
TLS_TICKETS=false
NO_SSL_SESSIONID=true
CERT_COMPRESSION=${CERT_COMPRESSION:-false} # secret flag to set in addition to --devel for certificate compression
@ -10356,6 +10358,16 @@ run_server_defaults() {
i+=1
done <<< "$CLIENT_AUTH_CA_LIST"
fi
jsonID="clientAuth_Signature_Algorithms"
pr_bold " Offered Signature Algorithms "
out_row_aligned "$CLIENT_AUTH_SIGALGS_LIST"
fileout "$jsonID" "INFO" "$CLIENT_AUTH_SIGALGS_LIST"
jsonID="clientAuth_Signature_Algorithms_Cert "
if [[ "$CLIENT_AUTH_SIGALGS_CERT_LIST" != empty\ ]] ; then
pr_bold " Offered Signature Algorithms for Certificates "
out_row_aligned "$CLIENT_AUTH_SIGALGS_CERT_LIST"
fileout "$jsonID" "INFO" "$CLIENT_AUTH_SIGALGS_CERT_LIST"
fi
fi
@ -17363,12 +17375,12 @@ run_breach() {
detected_compression=$(sub_breach_helper "$get_command")
case "$detected_compression" in
warn_stalled)
pr_warning "First request failed (HTTP header request stalled and was terminated)\n"
prln_warning "First request failed (HTTP header request stalled and was terminated)"
fileout "$jsonID" "WARN" "Test failed as first HTTP request stalled and was terminated" "$cve" "$cwe"
ret=1
;;
warn_failed)
pr_warning "First request failed (HTTP header request was empty)"
prln_warning "First request failed (HTTP header request was empty)"
fileout "$jsonID" "WARN" "Test failed as first HTTP response was empty" "$cve" "$cwe"
ret=1
;;
@ -21592,13 +21604,15 @@ print_dn() {
}
# Given the OpenSSL output of a response from a TLS server (with the -msg option)
# in which the response includes a CertificateRequest message, return the list of
# distinguished names that are in the CA list.
# in which the response includes a CertificateRequest message, update the CLIENT_AUTH_CA_LIST,
# CLIENT_AUTH_SIGALGS_LIST and CLIENT_AUTH_SIGALGS_CERT_LIST variables with data from the message.
extract_calist() {
local response="$1"
local is_tls12=false is_tls13=false
local certreq calist="" certtypes sigalgs dn
local certreq calist="" certtypes sigalgs sigalgs_cert dn
local calist_string=""
local sigalgs_string=""
local sigalgs_string_cert=""
local -i len type
# Determine whether this is a TLS 1.2 or TLS 1.3 response, since the information
@ -21631,12 +21645,25 @@ extract_calist() {
[[ -z "$certreq" ]] && break
type=$(hex2dec "${certreq:0:4}")
len=2*$(hex2dec "${certreq:4:4}")
if [[ $type -eq 47 ]]; then
if [[ $type -eq 13 ]]; then
# This is the signature_algorithms extension
# First two bytes are the extension type, the next two bytes are the length of the extension
sigalgs="${certreq:8:len}"
# The variable name is el_len so that it does not overwrite the len of the whole extension
el_len=2*$(hex2dec "${sigalgs:0:4}")
# Since the structure of this extension only has one element in it, we can take everything
# after the two bytes which contain the length of the element.
sigalgs="${sigalgs:4:el_len}"
elif [[ $type -eq 47 ]]; then
# This is the certificate_authorities extension
calist="${certreq:8:len}"
len=2*$(hex2dec "${calist:0:4}")
calist="${calist:4:len}"
break
el_len=2*$(hex2dec "${calist:0:4}")
calist="${calist:4:el_len}"
elif [[ $type -eq 50 ]]; then
# This is the signature_algorithms_cert extension
sigalgs_cert="${certreq:8:len}"
el_len=2*$(hex2dec "${sigalgs_cert:0:4}")
sigalgs_cert="${sigalgs_cert:4:el_len}"
fi
certreq="${certreq:$((len+8))}"
done
@ -21667,7 +21694,58 @@ extract_calist() {
calist="${calist:$((len+4))}"
done
[[ -z "$calist_string" ]] && calist_string="empty"
tm_out "$calist_string"
CLIENT_AUTH_CA_LIST="$(safe_echo "$calist_string")"
sigalgs_string="$(sigalgs_converter "$sigalgs")"
CLIENT_AUTH_SIGALGS_LIST="${sigalgs_string} "
[[ -z "$sigalgs_string" ]] && CLIENT_AUTH_SIGALGS_LIST="empty "
sigalgs_string_cert="$(sigalgs_converter "$sigalgs_cert")"
CLIENT_AUTH_SIGALGS_CERT_LIST="${sigalgs_string_cert} "
[[ -z "$sigalgs_string_cert" ]] && CLIENT_AUTH_SIGALGS_CERT_LIST="empty "
return 0
}
# Given the list of signature algorithms in hex format (no space) take each four
# characters group and convert it to the corresponding signature algorithm.
sigalgs_converter() {
local sigalgs=$1
local sigalgs_string=""
while true; do
[[ -z "$sigalgs" ]] && break
case "${sigalgs:0:4}" in
0101) sigalgs_string+=" RSA+MD5" ;;
0102) sigalgs_string+=" DSA+MD5" ;;
0103) sigalgs_string+=" ECDSA+MD5" ;;
0201) sigalgs_string+=" RSA+SHA1" ;;
0202) sigalgs_string+=" DSA+SHA1" ;;
0203) sigalgs_string+=" ECDSA+SHA1" ;;
0301) sigalgs_string+=" RSA+SHA224" ;;
0302) sigalgs_string+=" DSA+SHA224" ;;
0303) sigalgs_string+=" ECDSA+SHA224" ;;
0401|0420) sigalgs_string+=" RSA+SHA256" ;;
0402) sigalgs_string+=" DSA+SHA256" ;;
0403) sigalgs_string+=" ECDSA+SHA256" ;;
0501|0520) sigalgs_string+=" RSA+SHA384" ;;
0502) sigalgs_string+=" DSA+SHA384" ;;
0503) sigalgs_string+=" ECDSA+SHA384" ;;
0601|0620) sigalgs_string+=" RSA+SHA512" ;;
0602) sigalgs_string+=" DSA+SHA512" ;;
0603) sigalgs_string+=" ECDSA+SHA512" ;;
0708) sigalgs_string+=" SM2+SM3" ;;
0804) sigalgs_string+=" RSA-PSS-RSAE+SHA256" ;;
0805) sigalgs_string+=" RSA-PSS-RSAE+SHA384" ;;
0806) sigalgs_string+=" RSA-PSS-RSAE+SHA512" ;;
0807) sigalgs_string+=" Ed25519" ;;
0808) sigalgs_string+=" Ed448" ;;
0809) sigalgs_string+=" RSA-PSS-PSS+SHA256" ;;
080a) sigalgs_string+=" RSA-PSS-PSS+SHA384" ;;
080b) sigalgs_string+=" RSA-PSS-PSS+SHA512" ;;
081a) sigalgs_string+=" ECDSA-BRAINPOOL+SHA256" ;;
081b) sigalgs_string+=" ECDSA-BRAINPOOL+SHA384" ;;
081c) sigalgs_string+=" ECDSA-BRAINPOOL+SHA512" ;;
*) sigalgs_string+=" unknown(${sigalgs:0:4})";;
esac
sigalgs="${sigalgs:4}"
done
echo $sigalgs_string
return 0
}
@ -21698,7 +21776,7 @@ sclient_auth() {
# CertificateRequest message in -msg
CLIENT_AUTH="required"
[[ $1 -eq 0 ]] && CLIENT_AUTH="optional"
CLIENT_AUTH_CA_LIST="$(extract_calist "$server_hello")"
extract_calist "$server_hello"
return 0
fi
[[ $1 -eq 0 ]] && return 0
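Review bot: In the run_server_defaults hunk the new `jsonID="clientAuth_Signature_Algorithms_Cert "` has a trailing space inside the quotes, so the finding is filed under an id that JSON/CSV consumers matching on the exact id will miss; it should read `jsonID="clientAuth_Signature_Algorithms_Cert"`. The same hunk prints and files the first list unconditionally, while the second is guarded by `!= empty\ `, a test that only holds because extract_calist pads the sentinel with a space; guarding both lists the same way would keep "empty" rows out of the report consistently. In extract_calist, `el_len` is assigned in the extension loop but is absent from the visible `local` lines, so it presumably leaks into global scope; `local -i len type el_len` would contain it and make the `2*$(hex2dec ...)` assignment arithmetic like `len`. In sigalgs_converter, `echo $sigalgs_string` relies on unquoted word splitting to drop the leading space; stripping it explicitly with `"${sigalgs_string# }"` and emitting it quoted would be safer. The bodies of run_server_defaults and extract_calist extend beyond the hunks shown.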