Merge pull request #543 from RUB-NDS/paddingrelease

Paddingrelease
tls-attacker · Feb 21, 2019 · a549afd · a549afd
2 parents fa188a6 + 7cc303f
commit a549afd
Show file tree

Hide file tree

Showing 17 changed files with 163 additions and 40 deletions.
diff --git a/...rc/main/java/de/rub/nds/tlsattacker/attacks/exception/FingerprintExtractionException.java b/...rc/main/java/de/rub/nds/tlsattacker/attacks/exception/FingerprintExtractionException.java
@@ -0,0 +1,36 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.exception;
+
+/**
+ *
+ * @author ic0ns
+ */
+public class FingerprintExtractionException extends RuntimeException {
+
+    public FingerprintExtractionException() {
+    }
+
+    public FingerprintExtractionException(String string) {
+        super(string);
+    }
+
+    public FingerprintExtractionException(String string, Throwable thrwbl) {
+        super(string, thrwbl);
+    }
+
+    public FingerprintExtractionException(Throwable thrwbl) {
+        super(thrwbl);
+    }
+
+    public FingerprintExtractionException(String string, Throwable thrwbl, boolean bln, boolean bln1) {
+        super(string, thrwbl, bln, bln1);
+    }
+
+}
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/PaddingOracleAttacker.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/PaddingOracleAttacker.java
@@ -48,6 +48,10 @@ public class PaddingOracleAttacker extends Attacker<PaddingOracleCommandConfig>
 
     private boolean groupRecords = true;
 
+    private boolean increasingTimeout = true;
+
+    private long additionalTimeout = 1000;
+
     private List<VectorResponse> vectorResponseList;
     private List<VectorResponse> vectorResponseListTwo;
     private List<VectorResponse> vectorResponseListThree;
@@ -209,34 +213,33 @@ public List<VectorResponse> createVectorResponseList() {
         for (PaddingVector vector : vectorGenerator.getVectors(tlsConfig.getDefaultSelectedCipherSuite(),
                 tlsConfig.getDefaultHighestClientProtocolVersion())) {
             State state = new State(tlsConfig, generator.getPaddingOracleWorkflowTrace(tlsConfig, vector));
-            FingerPrintTask fingerPrintTask = new FingerPrintTask(state, 6);
+            FingerPrintTask fingerPrintTask = new FingerPrintTask(state, additionalTimeout, increasingTimeout, 6);
             taskList.add(fingerPrintTask);
             stateVectorPairList.add(new FingerprintTaskVectorPair(fingerPrintTask, vector));
         }
         List<VectorResponse> tempResponseVectorList = new LinkedList<>();
         executor.bulkExecuteTasks(taskList);
         for (FingerprintTaskVectorPair pair : stateVectorPairList) {
             ResponseFingerprint fingerprint = null;
-            if (pair.getFingerPrintTask().getState().getWorkflowTrace().allActionsExecuted()) {
+            if (pair.getFingerPrintTask().isHasError()) {
+                errornousScans = true;
+                LOGGER.error("Could not extract fingerprint for " + pair.toString());
+                VectorResponse vectorResponse = new VectorResponse(pair.getVector(), null, testedVersion, testedSuite,
+                        tlsConfig.getDefaultApplicationMessageData().getBytes().length);
+                vectorResponse.setErrorDuringHandshake(true);
+                tempResponseVectorList.add(vectorResponse);
+                LOGGER.error("Could not execute whole workflow: " + testedSuite + " - " + testedVersion);
+
+            } else {
                 testedSuite = pair.getFingerPrintTask().getState().getTlsContext().getSelectedCipherSuite();
                 testedVersion = pair.getFingerPrintTask().getState().getTlsContext().getSelectedProtocolVersion();
                 if (testedSuite == null || testedVersion == null) {
-                    // Did not receive ServerHello?!
-                    LOGGER.error("Could not find ServerHello" + testedSuite + " - " + testedVersion);
-                    errornousScans = true;
+                    LOGGER.fatal("Could not find ServerHello after successful extraction");
+                    throw new PaddingOracleUnstableException("Fatal Extraction error");
                 }
                 fingerprint = pair.getFingerPrintTask().getFingerprint();
                 tempResponseVectorList.add(new VectorResponse(pair.getVector(), fingerprint, testedVersion,
                         testedSuite, tlsConfig.getDefaultApplicationMessageData().getBytes().length));
-            } else {
-
-                LOGGER.warn("Could not execute Workflow. Something went wrong... Check the debug output for more information");
-                VectorResponse vectorResponse = new VectorResponse(pair.getVector(), null, testedVersion, testedSuite,
-                        tlsConfig.getDefaultApplicationMessageData().getBytes().length);
-                vectorResponse.setErrorDuringHandshake(true);
-                tempResponseVectorList.add(vectorResponse);
-                LOGGER.error("Could not execute whole workflow" + testedSuite + " - " + testedVersion);
-                errornousScans = true;
             }
         }
         return tempResponseVectorList;
@@ -336,4 +339,20 @@ public boolean isShakyScans() {
     public boolean isErrornousScans() {
         return errornousScans;
     }
+
+    public boolean isIncreasingTimeout() {
+        return increasingTimeout;
+    }
+
+    public void setIncreasingTimeout(boolean increasingTimeout) {
+        this.increasingTimeout = increasingTimeout;
+    }
+
+    public long getAdditionalTimeout() {
+        return additionalTimeout;
+    }
+
+    public void setAdditionalTimeout(long additionalTimeout) {
+        this.additionalTimeout = additionalTimeout;
+    }
 }
diff --git a/...rc/main/java/de/rub/nds/tlsattacker/attacks/padding/vector/FingerprintTaskVectorPair.java b/...rc/main/java/de/rub/nds/tlsattacker/attacks/padding/vector/FingerprintTaskVectorPair.java
@@ -31,4 +31,10 @@ public FingerPrintTask getFingerPrintTask() {
     public PaddingVector getVector() {
         return vector;
     }
+
+    @Override
+    public String toString() {
+        return "FingerprintTaskVectorPair{" + "fingerPrintTask=" + fingerPrintTask + ", vector=" + vector + '}';
+    }
+
 }
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/task/FingerPrintTask.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/task/FingerPrintTask.java
@@ -8,14 +8,12 @@
  */
 package de.rub.nds.tlsattacker.attacks.task;
 
-import de.rub.nds.tlsattacker.attacks.exception.PaddingOracleUnstableException;
+import de.rub.nds.tlsattacker.attacks.exception.FingerprintExtractionException;
 import de.rub.nds.tlsattacker.attacks.util.response.ResponseExtractor;
 import de.rub.nds.tlsattacker.attacks.util.response.ResponseFingerprint;
-import de.rub.nds.tlsattacker.core.constants.ProtocolMessageType;
 import de.rub.nds.tlsattacker.core.state.State;
 import de.rub.nds.tlsattacker.core.workflow.DefaultWorkflowExecutor;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutor;
-import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
 import de.rub.nds.tlsattacker.core.workflow.task.TlsTask;
 import java.io.IOException;
 import org.apache.logging.log4j.LogManager;
@@ -25,7 +23,7 @@ public class FingerPrintTask extends TlsTask {
 
     private static final Logger LOGGER = LogManager.getLogger();
 
-    private State state;
+    private final State state;
 
     private ResponseFingerprint fingerprint;
 
@@ -34,15 +32,23 @@ public FingerPrintTask(State state, int reexecutions) {
         this.state = state;
     }
 
+    public FingerPrintTask(State state, long additionalTimeout, boolean increasingTimeout, int reexecutions) {
+        super(reexecutions, additionalTimeout, increasingTimeout);
+        this.state = state;
+    }
+
     @Override
     public void execute() {
         try {
             WorkflowExecutor executor = new DefaultWorkflowExecutor(state);
             executor.executeWorkflow();
+            if (!state.getWorkflowTrace().executedAsPlanned()) {
+                throw new FingerprintExtractionException("Could not extract fingerprint.");
+            }
             fingerprint = ResponseExtractor.getFingerprint(state);
-            if (fingerprint == null
-                    && !WorkflowTraceUtil.didReceiveMessage(ProtocolMessageType.ALERT, state.getWorkflowTrace())) {
-                throw new PaddingOracleUnstableException("Could not extract fingerprint, rescanning");
+
+            if (fingerprint == null) {
+                throw new FingerprintExtractionException("Could not extract fingerprint.");
             }
         } finally {
             try {
@@ -60,4 +66,10 @@ public State getState() {
     public ResponseFingerprint getFingerprint() {
         return fingerprint;
     }
+
+    @Override
+    public void reset() {
+        state.reset();
+    }
+
 }
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/util/response/ResponseExtractor.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/util/response/ResponseExtractor.java
@@ -13,7 +13,6 @@
 import de.rub.nds.tlsattacker.core.record.AbstractRecord;
 import de.rub.nds.tlsattacker.core.record.Record;
 import de.rub.nds.tlsattacker.core.state.State;
-import de.rub.nds.tlsattacker.core.state.TlsContext;
 import de.rub.nds.tlsattacker.core.workflow.action.ReceivingAction;
 import de.rub.nds.tlsattacker.transport.exception.InvalidTransportHandlerStateException;
 import de.rub.nds.tlsattacker.transport.socket.SocketState;
@@ -58,7 +57,6 @@ public static ResponseFingerprint getFingerprint(State state, ReceivingAction ac
      * @return
      */
     public static ResponseFingerprint getFingerprint(State state) {
-        TlsContext context = state.getTlsContext();
         ReceivingAction action = state.getWorkflowTrace().getLastReceivingAction();
         return getFingerprint(state, action);
     }

diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/state/State.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/state/State.java
@@ -91,6 +91,12 @@ public State(Config config, WorkflowTrace workflowTrace) {
         initState();
     }
 
+    public void reset() {
+        contextContainer.clear();
+        workflowTrace.reset();
+        initState();
+    }
+
     /**
      * Normalize trace and initialize TLS contexts.
      */

diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/workflow/task/StateExecutionTask.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/workflow/task/StateExecutionTask.java
@@ -34,4 +34,8 @@ public State getState() {
         return state;
     }
 
+    @Override
+    public void reset() {
+        state.reset();
+    }
 }
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/workflow/task/TlsTask.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/workflow/task/TlsTask.java
@@ -18,10 +18,22 @@ public abstract class TlsTask implements ITask, Callable<ITask> {
 
     private boolean hasError = false;
 
-    private int reexecutions = 0;
+    private final int reexecutions;
+
+    private final long additionalSleepTime;
+
+    private final boolean increasingSleepTimes;
 
     public TlsTask(int reexecutions) {
         this.reexecutions = reexecutions;
+        additionalSleepTime = 1000;
+        increasingSleepTimes = true;
+    }
+
+    public TlsTask(int reexecutions, long additionalSleepTime, boolean increasingSleepTimes) {
+        this.reexecutions = reexecutions;
+        this.additionalSleepTime = additionalSleepTime;
+        this.increasingSleepTimes = increasingSleepTimes;
     }
 
     @Override
@@ -39,7 +51,9 @@ public ITask call() {
             } catch (Exception E) {
                 LOGGER.debug("Encountered an exception during the execution", E);
                 hasError = true;
-                sleepTime += 1000;
+                if (increasingSleepTimes) {
+                    sleepTime += additionalSleepTime;
+                }
                 exception = E;
             }
         }
@@ -52,4 +66,6 @@ public ITask call() {
     public boolean isHasError() {
         return hasError;
     }
+
+    public abstract void reset();
 }
diff --git a/Transport/src/main/java/de/rub/nds/tlsattacker/transport/TransportHandler.java b/Transport/src/main/java/de/rub/nds/tlsattacker/transport/TransportHandler.java
@@ -12,6 +12,9 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.io.PushbackInputStream;
+import java.net.SocketException;
+import java.net.SocketTimeoutException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -23,7 +26,7 @@ public abstract class TransportHandler {
 
     protected OutputStream outStream;
 
-    protected InputStream inStream;
+    protected PushbackInputStream inStream;
 
     private boolean initialized = false;
 
@@ -49,12 +52,22 @@ public byte[] fetchData() throws IOException {
                 }
             } else {
                 try {
-                    Thread.sleep(1);
-                } catch (InterruptedException ex) {
-                    throw new RuntimeException("Got Interrupted while waiting for Data");
+                    // dont ask - the java api does not allow this otherwise...
+                    Thread.currentThread().sleep(1);
+                    int read = inStream.read();
+                    if (read == -1) {
+                        // TCP FIN
+                        return stream.toByteArray();
+                    }
+                    inStream.unread(read);
+
+                } catch (SocketException E) {
+                    // TCP RST received
+                    return stream.toByteArray();
+                } catch (Exception E) {
                 }
-            }
 
+            }
         }
         return stream.toByteArray();
     }
@@ -67,7 +80,7 @@ public void sendData(byte[] data) throws IOException {
         outStream.flush();
     }
 
-    protected final void setStreams(InputStream inStream, OutputStream outStream) {
+    protected final void setStreams(PushbackInputStream inStream, OutputStream outStream) {
         this.outStream = outStream;
         this.inStream = inStream;
         initialized = true;

diff --git a/...va/de/rub/nds/tlsattacker/transport/nonblocking/ServerTCPNonBlockingTransportHandler.java b/...va/de/rub/nds/tlsattacker/transport/nonblocking/ServerTCPNonBlockingTransportHandler.java
@@ -11,6 +11,7 @@
 import de.rub.nds.tlsattacker.transport.ConnectionEndType;
 import de.rub.nds.tlsattacker.transport.TransportHandler;
 import java.io.IOException;
+import java.io.PushbackInputStream;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.util.concurrent.ExecutionException;
@@ -66,7 +67,7 @@ public void recheck() throws IOException {
             if (task.isDone()) {
                 try {
                     clientSocket = task.get();
-                    setStreams(clientSocket.getInputStream(), clientSocket.getOutputStream());
+                    setStreams(new PushbackInputStream(clientSocket.getInputStream()), clientSocket.getOutputStream());
                 } catch (InterruptedException | ExecutionException ex) {
                     LOGGER.warn("Could not retrieve clientSocket");
                     LOGGER.debug(ex);
@@ -84,7 +85,7 @@ public void recheck(long timeout) throws IOException {
             if (task != null) {
                 clientSocket = task.get(timeout, TimeUnit.MILLISECONDS);
                 if (clientSocket != null) {
-                    setStreams(clientSocket.getInputStream(), clientSocket.getOutputStream());
+                    setStreams(new PushbackInputStream(clientSocket.getInputStream()), clientSocket.getOutputStream());
                 }
             }
         } catch (InterruptedException | ExecutionException | TimeoutException ex) {

diff --git a/Transport/src/main/java/de/rub/nds/tlsattacker/transport/stream/StreamTransportHandler.java b/Transport/src/main/java/de/rub/nds/tlsattacker/transport/stream/StreamTransportHandler.java
@@ -13,6 +13,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.io.PushbackInputStream;
 
 public class StreamTransportHandler extends TransportHandler {
 
@@ -51,7 +52,7 @@ public void closeConnection() throws IOException {
 
     @Override
     public void initialize() throws IOException {
-        setStreams(inputStream, outputStream);
+        setStreams(new PushbackInputStream(inputStream), outputStream);
     }
 
     public InputStream getInputStream() {

diff --git a/.../src/main/java/de/rub/nds/tlsattacker/transport/tcp/ClientTcpNoDelayTransportHandler.java b/.../src/main/java/de/rub/nds/tlsattacker/transport/tcp/ClientTcpNoDelayTransportHandler.java
@@ -9,6 +9,7 @@
 package de.rub.nds.tlsattacker.transport.tcp;
 
 import java.io.IOException;
+import java.io.PushbackInputStream;
 import java.net.Socket;
 
 public class ClientTcpNoDelayTransportHandler extends ClientTcpTransportHandler {
@@ -21,6 +22,6 @@ public ClientTcpNoDelayTransportHandler(long timeout, String hostname, int port)
     public void initialize() throws IOException {
         socket = new Socket(hostname, port);
         socket.setTcpNoDelay(true);
-        setStreams(socket.getInputStream(), socket.getOutputStream());
+        setStreams(new PushbackInputStream(socket.getInputStream()), socket.getOutputStream());
     }
 }