Skip to content

Commit

Permalink
fix scsv detection
Browse files Browse the repository at this point in the history
  • Loading branch information
hph86 committed Feb 21, 2016
1 parent 884b13a commit 6d4f508
Show file tree
Hide file tree
Showing 4 changed files with 50 additions and 20 deletions.
9 changes: 9 additions & 0 deletions sslscan/module/rating/builtin.py
Original file line number Diff line number Diff line change
Expand Up @@ -83,5 +83,14 @@ def __init__(self, **kwargs):
)
)

self.add_rule(
RatingRule(
"server.security.scsv",
rules=[
lambda v, i, kb: 1 if v is True else None
]
)
)


modules.register(BuiltIn_0_5)
2 changes: 1 addition & 1 deletion sslscan/module/report/terminal.py
Original file line number Diff line number Diff line change
Expand Up @@ -426,7 +426,7 @@ def _print_server_security(self, kb):
)
tmp_value = "-"
if scsv_supported is None:
tmp_value = "unkown"
tmp_value = "unknown"
elif scsv_supported is True:
tmp_value = "supported"
elif scsv_supported is False:
Expand Down
2 changes: 1 addition & 1 deletion sslscan/module/scan/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -665,11 +665,11 @@ def _default_stop_condition(record, records):
record = conn_tls.pop_record()
self.parse_tls_server_records_hooks.call(record)

records.append(record)
if isinstance(record, Alert):
if record.level == 2:
return records

records.append(record)
if stop_condition(record, records):
run = False

Expand Down
57 changes: 39 additions & 18 deletions sslscan/module/scan/server_scsv.py
Original file line number Diff line number Diff line change
@@ -1,15 +1,12 @@
from datetime import datetime

from sslscan import modules
from sslscan.module.scan import BaseScan

import flextls
from flextls.exception import NotEnoughData
from flextls.field import CipherSuiteField
from flextls.protocol.handshake import Handshake, ServerHello
from flextls.protocol.record import SSLv3Record
from flextls.protocol.alert import Alert
import six
from sslscan.exception import Timeout

if six.PY2:
import socket
Expand All @@ -28,11 +25,10 @@ def __init__(self, **kwargs):
BaseScan.__init__(self, **kwargs)

def _connect_with_scsv(self, protocol_version, cipher_suites):
def hook_cipher_suites(record):
cipher_suites = flextls.registry.tls.cipher_suites[:]
for cipher_suite in cipher_suites:
def hook_cipher_suites(record, cipher_suites=None):
for i in cipher_suites:
cipher = CipherSuiteField()
cipher.value = cipher_suite.id
cipher.value = i
record.payload.cipher_suites.append(cipher)

cipher = CipherSuiteField()
Expand All @@ -42,29 +38,48 @@ def hook_cipher_suites(record):
return record

def stop_condition(record, records):
return isinstance(record, Handshake) and \
isinstance(record.payload, ServerHello)
return (isinstance(record, Handshake) and
isinstance(record.payload, ServerHello))

ver_major, ver_minor = flextls.helper.get_tls_version(protocol_version)

is_dtls = False
if protocol_version & flextls.registry.version.DTLS != 0:
is_dtls = True

if is_dtls:
self.build_dtls_client_hello_hooks.connect(
hook_cipher_suites,
name="cipher_suites",
args={
"cipher_suites": cipher_suites
}
)
else:
self.build_tls_client_hello_hooks.connect(
hook_cipher_suites,
name="cipher_suites",
args={
"cipher_suites": cipher_suites
}
)

records = self.connect(
protocol_version,
stop_condition=stop_condition
)

if records is None:
return None
server_hello = None

for record in records:
if isinstance(record, Handshake):
if isinstance(record.payload, ServerHello):
if record.version.major == ver_major and \
record.version.minor == ver_minor:
if record.payload.version.major == ver_major and \
record.payload.version.minor == ver_minor:
return False
elif isinstance(record.payload, Alert):
if record.payload.level == 2 and \
record.payload.description == 86:
elif isinstance(record, Alert):
if record.level == 2 and record.description == 86:
return True

def run(self):
Expand All @@ -87,12 +102,18 @@ def run(self):

if scsv_cur_status is None:
continue

if scsv_cur_status is True:
kb.set("server.security.scsv", True)
break

if scsv_status is False and scsv_cur_status is False:
# At least two protocol versions must reach a ServerHello in
# order to falsify SCSV security. Otherwise, if we
# coincidentally use the highest protocol version that the
# server supports, the server has to proceed with the
# handshake, even if the SCSV suite is present (see RFC 7507,
# section 3).
if scsv_status is False and scsv_cur_status is False:
kb.set("server.security.scsv", False)
break

Expand Down

0 comments on commit 6d4f508

Please sign in to comment.