Skip to content

Commit

Permalink
Fix/cipher bits (1.12) (#1882)
Browse files Browse the repository at this point in the history 
Co-authored-by: noamblitz <[email protected]>
  • Loading branch information
@dekkers @noamblitz
dekkers and noamblitz authored Oct 5, 2023
1 parent 16b05e2 commit 3a6f893
Show file tree
Hide file tree
Showing 4 changed files with 62 additions and 48 deletions.
28 changes: 23 additions & 5 deletions boefjes/boefjes/plugins/kat_testssl_sh_ciphers/normalize.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,18 +9,36 @@
def parse_cipher(cipher: Dict) -> Union[Dict, None]:
if cipher["id"].startswith("cipher-tls"):
parts = cipher["finding"].split()
return {

cipher_dict = {
parts[0]: { # parts[0] is the protocol
"cipher_suite_code": parts[1],
"cipher_suite_name": parts[2],
"key_exchange_algorithm": parts[3],
"bits": int(parts[4]),
"encryption_algorithm": parts[5],
"key_size": int(parts[6]),
"cipher_suite_alias": parts[7],
}
}

# if key size is found
if parts[4].isdigit():
cipher_dict[parts[0]].update(
{
"key_size": int(parts[4]),
"encryption_algorithm": parts[5],
"bits": int(parts[6]),
"cipher_suite_alias": parts[7],
}
)
else:
cipher_dict[parts[0]].update(
{
"encryption_algorithm": parts[4],
"bits": int(parts[5]),
"cipher_suite_alias": parts[6],
}
)

return cipher_dict


def run(normalizer_meta: NormalizerMeta, raw: Union[bytes, str]) -> Iterable[OOI]:
boefje_meta = normalizer_meta.raw_data.boefje_meta
Expand Down
32 changes: 16 additions & 16 deletions boefjes/tests/test_testssl_sh.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,26 +40,26 @@ def test_ciphered_service(self):
"cipher_suite_alias": "TLS_AES_256_GCM_SHA384",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "TLS_AES_256_GCM_SHA384",
"bits": 253,
"key_size": 256,
"key_size": 253,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "x1302",
},
{
"cipher_suite_alias": "TLS_CHACHA20_POLY1305_SHA256",
"encryption_algorithm": "ChaCha20",
"cipher_suite_name": "TLS_CHACHA20_POLY1305_SHA256",
"bits": 253,
"key_size": 256,
"key_size": 253,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "x1303",
},
{
"cipher_suite_alias": "TLS_AES_128_GCM_SHA256",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "TLS_AES_128_GCM_SHA256",
"bits": 253,
"key_size": 128,
"key_size": 253,
"bits": 128,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "x1301",
},
Expand All @@ -69,44 +69,44 @@ def test_ciphered_service(self):
"cipher_suite_alias": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "ECDHE-RSA-AES256-GCM-SHA384",
"bits": 521,
"key_size": 256,
"key_size": 521,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "xc030",
},
{
"cipher_suite_alias": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "DHE-RSA-AES256-GCM-SHA384",
"bits": 2048,
"key_size": 256,
"key_size": 2048,
"bits": 256,
"key_exchange_algorithm": "DH",
"cipher_suite_code": "x9f",
},
{
"cipher_suite_alias": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"encryption_algorithm": "ChaCha20",
"cipher_suite_name": "ECDHE-RSA-CHACHA20-POLY1305",
"bits": 521,
"key_size": 256,
"key_size": 521,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "xcca8",
},
{
"cipher_suite_alias": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "ECDHE-RSA-AES128-GCM-SHA256",
"bits": 521,
"key_size": 128,
"key_size": 521,
"bits": 128,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "xc02f",
},
{
"cipher_suite_alias": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "DHE-RSA-AES128-GCM-SHA256",
"bits": 2048,
"key_size": 128,
"key_size": 2048,
"bits": 128,
"key_exchange_algorithm": "DH",
"cipher_suite_code": "x9e",
},
Expand Down
2 changes: 1 addition & 1 deletion octopoes/bits/cipher_classification/list-ciphers-openssl-with-finding-type.csv
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
Cipher suite,Protocol version,Notes,Severity rating protocol version,Title finding protocol versie,Key exchange,Severity rating key exchange,Title finding key exchange algorithm,Authentication,Severity rating certificate verification algorithm,Title finding based on certificate verification algorithm,Encryption,Severity rating based on bulk encryption algorithm,Title finding bulk encryption algorithm,Hash,Severity rating based on hash algorithm,Title finding based on hash algorithm
Cipher suite,Protocol version,Notes,Rating protocol version,Finding protocol versie,Key exchange,Severity rating key exchange,Title finding key exchange algorithm,Authentication,Severity rating certificate verification algorithm,Title finding based on certificate verification algorithm,Encryption,Severity rating based on bulk encryption algorithm,Title finding bulk encryption algorithm,Hash,Severity rating based on hash algorithm,Title finding based on hash algorithm
DHE-PSK-AES128-CCM,TLSv1.2,,Recommendation,TLSv1.2 protocol detected,Kx=DHEPSK,Critical,"Unsafe key exchange algorithm, using PSK",Au=PSK,Critical,PSK as certificate verification cipher detected,Enc=AESCCM(128),Medium,Using CCM as bulk encryption algorithm,Mac=AEAD,n/a,
PSK-AES128-CCM,TLSv1.2,,Recommendation,TLSv1.2 protocol detected,Kx=PSK,Critical,"Unsafe key exchange algorithm, using PSK",Au=PSK,Critical,PSK as certificate verification cipher detected,Enc=AESCCM(128),Medium,Using CCM as bulk encryption algorithm,Mac=AEAD,n/a,
ECDHE-ECDSA-AES128-CCM,TLSv1.2,,Recommendation,TLSv1.2 protocol detected,Kx=ECDH,n/a,,Au=ECDSA,n/a,,Enc=AESCCM(128),Medium,Using CCM as bulk encryption algorithm,Mac=AEAD,n/a,
Expand Down
48 changes: 22 additions & 26 deletions octopoes/tests/test_bit_cipher.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
from octopoes.models.ooi.service import IPService, Service, TLSCipher


def test_recommendation_bad_ciphers():
def test_medium_bad_ciphers():
address = IPAddressV4(address="8.8.8.8", network="fake")
port = IPPort(address=address.reference, protocol="tcp", port=22)
ip_service = IPService(ip_port=port.reference, service=Service(name="https").reference)
Expand All @@ -17,73 +17,73 @@ def test_recommendation_bad_ciphers():
"cipher_suite_alias": "TLS_AES_256_GCM_SHA384",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "TLS_AES_256_GCM_SHA384",
"bits": 253,
"key_size": 256,
"key_size": 253,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "x1302",
},
{
"cipher_suite_alias": "TLS_CHACHA20_POLY1305_SHA256",
"encryption_algorithm": "ChaCha20",
"cipher_suite_name": "TLS_CHACHA20_POLY1305_SHA256",
"bits": 253,
"key_size": 256,
"key_size": 253,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "x1303",
},
{
"cipher_suite_alias": "TLS_AES_128_GCM_SHA256",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "TLS_AES_128_GCM_SHA256",
"bits": 253,
"key_size": 128,
"key_size": 253,
"bits": 128,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "x1301",
},
],
"TLSv1.2": [
{
"cipher_suite_alias": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"cipher_suite_alias": "TLS_ECDHE-RSA-AES256-SHA384",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "ECDHE-RSA-AES256-GCM-SHA384",
"bits": 521,
"key_size": 256,
"cipher_suite_name": "ECDHE-RSA-AES256-SHA384",
"key_size": 521,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "xc030",
},
{
"cipher_suite_alias": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "DHE-RSA-AES256-GCM-SHA384",
"bits": 2048,
"key_size": 256,
"key_size": 2048,
"bits": 256,
"key_exchange_algorithm": "DH",
"cipher_suite_code": "x9f",
},
{
"cipher_suite_alias": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"encryption_algorithm": "ChaCha20",
"cipher_suite_name": "ECDHE-RSA-CHACHA20-POLY1305",
"bits": 521,
"key_size": 256,
"key_size": 521,
"bits": 256,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "xcca8",
},
{
"cipher_suite_alias": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "ECDHE-RSA-AES128-GCM-SHA256",
"bits": 521,
"key_size": 128,
"key_size": 521,
"bits": 128,
"key_exchange_algorithm": "ECDH",
"cipher_suite_code": "xc02f",
},
{
"cipher_suite_alias": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"encryption_algorithm": "AESGCM",
"cipher_suite_name": "DHE-RSA-AES128-GCM-SHA256",
"bits": 2048,
"key_size": 128,
"key_size": 2048,
"bits": 128,
"key_exchange_algorithm": "DH",
"cipher_suite_code": "x9e",
},
Expand All @@ -94,16 +94,12 @@ def test_recommendation_bad_ciphers():
results = list(cipher_classification(cipher, {}, {}))

assert len(results) == 2
assert results[0].reference == "KATFindingType|KAT-RECOMMENDATION-BAD-CIPHER"
assert results[0].reference == "KATFindingType|KAT-MEDIUM-BAD-CIPHER"
finding = results[-1]
assert isinstance(finding, Finding)
assert (
finding.description
== "One or more of the cipher suites should not be used because:\nECDHE-RSA-AES256-GCM-SHA384 - "
"TLSv1.2 protocol detected (Recommendation).\nDHE-RSA-AES256-GCM-SHA384 - TLSv1.2 protocol detected "
"(Recommendation).\nECDHE-RSA-CHACHA20-POLY1305 - TLSv1.2 protocol detected (Recommendation).\n"
"ECDHE-RSA-AES128-GCM-SHA256 - TLSv1.2 protocol detected (Recommendation).\nDHE-RSA-AES128-GCM-SHA256 - "
"TLSv1.2 protocol detected (Recommendation)."
finding.description == "One or more of the cipher suites should not be used because:\n"
"ECDHE-RSA-AES256-SHA384 - Using CBC as bulk encryption algorithm (Medium)."
)


Expand Down

0 comments on commit 3a6f893

Please sign in to comment.