merge public into dev
Conradowatz committed Jan 23, 2024
2 parents 997c461 + 760905d commit 0f94d86
Showing 2 changed files with 34 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/BuildPushDockerImage.yml
Expand Up @@ -55,6 +55,7 @@ jobs:
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ fromJSON(env.SHOULD_PUSH) }}
tags: 'ghcr.io/tls-attacker/tlsanvil:${{ env.DOCKER_TAG }}'

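Review bot: If `platforms: linux/amd64,linux/arm64` is the line added in this hunk, the arm64 build only works when the job has a QEMU and buildx setup step before the `docker/build-push-action` step (`docker/setup-qemu-action` and `docker/setup-buildx-action`); those steps are outside this hunk, so confirm they exist or the arm64 leg will fail at build time. The step also stays pinned to the floating `docker/build-push-action@v3` tag on the context line above; pinning the action to a full commit SHA with the version in a trailing comment would make the image build reproducible against upstream tag moves. The enclosing job definition starts outside the hunk.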
Expand Up @@ -7,6 +7,7 @@
*/
package de.rub.nds.tlstest.suite.tests.server.tls13.rfc8446;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import de.rub.nds.anvilcore.annotation.*;
Expand All @@ -16,12 +17,15 @@
import de.rub.nds.tlsattacker.core.constants.CipherSuite;
import de.rub.nds.tlsattacker.core.constants.ExtensionType;
import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
import de.rub.nds.tlsattacker.core.constants.ProtocolMessageType;
import de.rub.nds.tlsattacker.core.protocol.message.ChangeCipherSpecMessage;
import de.rub.nds.tlsattacker.core.protocol.message.ClientHelloMessage;
import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage;
import de.rub.nds.tlsattacker.core.protocol.message.extension.KeyShareExtensionMessage;
import de.rub.nds.tlsattacker.core.protocol.message.extension.SupportedVersionsExtensionMessage;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
import de.rub.nds.tlsscanner.core.constants.TlsAnalyzedProperty;
import de.rub.nds.tlstest.framework.Validator;
Expand Down Expand Up @@ -129,6 +133,7 @@ public void selectsSameCipherSuiteAllAtOnce(
.validateFinal(
i -> {
Validator.executedAsPlanned(i);
checkForDuplicateCcs(workflowTrace);

ServerHelloMessage helloRetryRequest =
(ServerHelloMessage)
Expand Down Expand Up @@ -176,6 +181,7 @@ public void selectsSameCipherSuite(ArgumentsAccessor argumentAccessor, WorkflowR
.validateFinal(
i -> {
Validator.executedAsPlanned(i);
checkForDuplicateCcs(workflowTrace);

ServerHelloMessage helloRetryRequest =
(ServerHelloMessage)
Expand Down Expand Up @@ -220,6 +226,7 @@ public void retainsProtocolVersion(ArgumentsAccessor argumentAccessor, WorkflowR
.validateFinal(
i -> {
Validator.executedAsPlanned(i);
checkForDuplicateCcs(workflowTrace);

ServerHelloMessage helloRetryRequest =
(ServerHelloMessage)
Expand Down Expand Up @@ -293,7 +300,33 @@ private WorkflowTrace getHelloRetryWorkflowTrace(WorkflowRunner runner) {
.getFirstSendMessage(ClientHelloMessage.class)
.setRandom(Modifiable.explicit(fixedRandom));

// In middlebox compatibility mode, a CCS message is sent
// immediately after a ServerHello/HelloRetryRequest message. Since the
// workflow trace considers the CCS message optional, it does not wait
// for CCS before executing the SendAction. In this case, the CSS is received
// in the second ReceiveAction. Therefore, an optional CCS option must be
// allowed in the second receive action. A CCS message after the
// second ServerHello is invalid, though.
ChangeCipherSpecMessage optionalCCSMessage = new ChangeCipherSpecMessage();
optionalCCSMessage.setRequired(false);

ReceiveAction firstReceive = (ReceiveAction) secondHelloTrace.getFirstReceivingAction();
firstReceive.getExpectedMessages().removeIf(msg -> msg instanceof ChangeCipherSpecMessage);
firstReceive.getExpectedMessages().add(0, optionalCCSMessage);

workflowTrace.addTlsActions(secondHelloTrace.getTlsActions());
return workflowTrace;
}

private void checkForDuplicateCcs(WorkflowTrace executedTrace) {
// due to our workflow structure, CCS may be parsed with the first ServerHello or before the
// new
// ServerHello but it must not be sent twice by the server
assertFalse(
"Received more than one compatibility CCS from Server",
WorkflowTraceUtil.getAllReceivedMessages(
executedTrace, ProtocolMessageType.CHANGE_CIPHER_SPEC)
.size()
> 1);
}
}
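Review bot: `checkForDuplicateCcs(workflowTrace)` in the `validateFinal` lambdas of `selectsSameCipherSuiteAllAtOnce`, `selectsSameCipherSuite` and `retainsProtocolVersion` counts received messages on the captured `workflowTrace` rather than on the trace held by the state `i`; if the runner executes a copy of the trace, the captured object would hold no received messages and the assertion could never fire, so pass the executed state's trace (or confirm the runner executes the same instance). The comment above `optionalCCSMessage` reads `the CSS is received` and should be `the CCS is received`, and the three-line comment in `checkForDuplicateCcs` has a formatter-orphaned `// new` line that should be rejoined into one sentence, e.g. `// Due to our workflow structure the CCS may be parsed with the first ServerHello or before the new ServerHello, but the server must not send it twice.` The `(ReceiveAction) secondHelloTrace.getFirstReceivingAction()` cast throws a bare ClassCastException if the hello-retry template's first receiving action is another action type; an explicit check with a message naming the expectation would make that failure mode readable in test output. `getHelloRetryWorkflowTrace` starts outside the hunk.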
