package de.rub.nds.tlsscanner.serverscanner.probe;

import de.rub.nds.modifiablevariable.util.Modifiable;
import de.rub.nds.tlsattacker.core.config.Config;
import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
import de.rub.nds.tlsattacker.core.constants.CipherSuite;
import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
import de.rub.nds.tlsattacker.core.constants.KeyExchangeAlgorithm;
import de.rub.nds.tlsattacker.core.constants.NamedGroup;
import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
import de.rub.nds.tlsattacker.core.protocol.ProtocolMessage;
import de.rub.nds.tlsattacker.core.protocol.message.ChangeCipherSpecMessage;
import de.rub.nds.tlsattacker.core.protocol.message.ClientHelloMessage;
import de.rub.nds.tlsattacker.core.protocol.message.FinishedMessage;
import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloDoneMessage;
import de.rub.nds.tlsattacker.core.state.State;
import de.rub.nds.tlsattacker.core.workflow.ParallelExecutor;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
import de.rub.nds.tlsattacker.core.workflow.action.ReceiveTillAction;
import de.rub.nds.tlsattacker.core.workflow.action.SendAction;
import de.rub.nds.tlsattacker.core.workflow.action.SendDynamicClientKeyExchangeAction;
import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowConfigurationFactory;
import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
import de.rub.nds.tlsscanner.serverscanner.config.ScannerConfig;
import de.rub.nds.tlsscanner.serverscanner.constants.ProbeType;
import de.rub.nds.tlsscanner.serverscanner.rating.TestResult;
import de.rub.nds.tlsscanner.serverscanner.report.AnalyzedProperty;
import de.rub.nds.tlsscanner.serverscanner.report.SiteReport;
import de.rub.nds.tlsscanner.serverscanner.report.result.ProbeResult;
import de.rub.nds.tlsscanner.serverscanner.report.result.RenegotiationResult;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

/* loaded from: input_file:de/rub/nds/tlsscanner/serverscanner/probe/RenegotiationProbe.class */
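/**
 * Probe that checks how a TLS server reacts to client-initiated renegotiation.
 *
 * <p>Five sub-tests are run, all with the client capped at TLS 1.2 (see {@link #getBaseConfig()}):
 * three run the configured renegotiation workflow with different renegotiation signalling
 * (renegotiation_info extension, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, or neither), and two build an
 * explicit trace in which an initial handshake without the extension is followed by a second
 * handshake that does carry the signalling.
 *
 * <p>Reading the result: a {@link TestResult#TRUE} from the "insecure" or "vulnerable" sub-tests
 * means the server completed a renegotiation that was not protected by the RFC 5746 signalling
 * from the first handshake on. The usual remediation is to require that signalling or to disable
 * client-initiated renegotiation on the server.
 */
public class RenegotiationProbe extends TlsProbe {
    // Cipher suites offered in every ClientHello; filled by adjustConfig().
    private Set<CipherSuite> supportedSuites;
    // Gate for the extension sub-test in executeTest(); set by adjustConfig().
    private TestResult supportsRenegotiationExtension;

    /**
     * Creates the probe and registers it under {@link ProbeType#RENEGOTIATION}.
     *
     * @param scannerConfig scanner configuration used to derive the per-test {@link Config}
     * @param parallelExecutor executor handed to the base probe
     */
    public RenegotiationProbe(ScannerConfig scannerConfig, ParallelExecutor parallelExecutor) {
        super(parallelExecutor, ProbeType.RENEGOTIATION, scannerConfig);
    }

    /**
     * Runs all renegotiation sub-tests and bundles their outcomes.
     *
     * @return a {@link RenegotiationResult} holding the five outcomes, or one with every field set
     *     to {@link TestResult#ERROR_DURING_TEST} if any sub-test threw
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public ProbeResult executeTest() {
        try {
            // Evaluated in the same order as the constructor arguments below.
            TestResult secureExtension =
                    this.supportsRenegotiationExtension == TestResult.TRUE
                            ? supportsSecureClientRenegotiationExtension()
                            : TestResult.FALSE;
            TestResult secureCipherSuite = supportsSecureClientRenegotiationCipherSuite();
            TestResult insecure = supportsInsecureClientRenegotiation();
            TestResult attackExtension = vulnerableToRenegotiationAttackExtension();
            TestResult attackCipherSuite = vulnerableToRenegotiationAttackCipherSuite();
            return new RenegotiationResult(
                    secureExtension, secureCipherSuite, insecure, attackExtension, attackCipherSuite);
        } catch (Exception e) {
            // Boundary catch: a failure in one sub-test reports all five as errored, so an
            // ERROR_DURING_TEST here says nothing about the server's renegotiation behaviour.
            LOGGER.error("Could not scan for " + getProbeName(), e);
            return new RenegotiationResult(
                    TestResult.ERROR_DURING_TEST,
                    TestResult.ERROR_DURING_TEST,
                    TestResult.ERROR_DURING_TEST,
                    TestResult.ERROR_DURING_TEST,
                    TestResult.ERROR_DURING_TEST);
        }
    }

    /**
     * Performs an initial handshake whose ClientHello is built with the renegotiation_info
     * extension disabled, followed in the same trace by a second handshake whose ClientHello is
     * built with the extension enabled.
     *
     * @return {@link TestResult#COULD_NOT_TEST} if no ServerHello was received, {@link
     *     TestResult#TRUE} if the whole trace (both handshakes) executed as planned, otherwise
     *     {@link TestResult#FALSE}
     */
    private TestResult vulnerableToRenegotiationAttackExtension() {
        Config config = getBaseConfig();
        config.setAddRenegotiationInfoExtension(false);
        WorkflowTrace trace =
                new WorkflowConfigurationFactory(config)
                        .createTlsEntryWorkflowTrace(config.getDefaultClientConnection());
        // NOTE(review): the flag is flipped on the shared Config between the two ClientHello
        // constructions; this presumably relies on ClientHelloMessage(Config) fixing its
        // extension list at construction time, so the statement order matters. Confirm.
        appendClientHandshake(trace, new ClientHelloMessage(config), config);
        config.setAddRenegotiationInfoExtension(true);
        appendClientHandshake(trace, new ClientHelloMessage(config), config);
        State state = new State(config, trace);
        executeState(state);
        return outcomeOf(trace, state);
    }

    /**
     * Same sequence as {@link #vulnerableToRenegotiationAttackExtension()}, except that the second
     * ClientHello additionally carries an explicit cipher suite list ending in
     * TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
     *
     * @return {@link TestResult#COULD_NOT_TEST} if no ServerHello was received, {@link
     *     TestResult#TRUE} if the whole trace executed as planned, otherwise {@link
     *     TestResult#FALSE}
     */
    private TestResult vulnerableToRenegotiationAttackCipherSuite() {
        Config config = getBaseConfig();
        config.setAddRenegotiationInfoExtension(false);
        WorkflowTrace trace =
                new WorkflowConfigurationFactory(config)
                        .createTlsEntryWorkflowTrace(config.getDefaultClientConnection());
        appendClientHandshake(trace, new ClientHelloMessage(config), config);
        config.setAddRenegotiationInfoExtension(true);
        // Declared with its concrete type so the cipher suite setter resolves on the hello message.
        ClientHelloMessage secondHello = new ClientHelloMessage(config);
        ByteArrayOutputStream suiteBytes = new ByteArrayOutputStream();
        // write(byte[], int, int) on ByteArrayOutputStream declares no IOException, so there is
        // no error path that could silently leave a truncated cipher suite list in the hello.
        for (CipherSuite suite : config.getDefaultClientSupportedCipherSuites()) {
            byte[] encoded = suite.getByteValue();
            suiteBytes.write(encoded, 0, encoded.length);
        }
        byte[] scsv = CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV.getByteValue();
        suiteBytes.write(scsv, 0, scsv.length);
        secondHello.setCipherSuites(Modifiable.explicit(suiteBytes.toByteArray()));
        appendClientHandshake(trace, secondHello, config);
        State state = new State(config, trace);
        executeState(state);
        return outcomeOf(trace, state);
    }

    /**
     * Runs the configured renegotiation workflow with the renegotiation_info extension enabled.
     *
     * @return {@link TestResult#COULD_NOT_TEST} if no ServerHello was received, {@link
     *     TestResult#TRUE} if the trace executed as planned, otherwise {@link TestResult#FALSE}
     */
    private TestResult supportsSecureClientRenegotiationExtension() {
        Config config = getBaseConfig();
        config.setAddRenegotiationInfoExtension(true);
        State state = new State(config);
        executeState(state);
        return outcomeOf(state.getWorkflowTrace(), state);
    }

    /**
     * Runs the configured renegotiation workflow with the extension disabled and
     * TLS_EMPTY_RENEGOTIATION_INFO_SCSV appended to the offered cipher suites.
     *
     * @return {@link TestResult#COULD_NOT_TEST} if no ServerHello was received, {@link
     *     TestResult#TRUE} if the trace executed as planned, otherwise {@link TestResult#FALSE}
     */
    private TestResult supportsSecureClientRenegotiationCipherSuite() {
        Config config = getBaseConfig();
        config.setAddRenegotiationInfoExtension(false);
        // NOTE(review): the SCSV sits in the shared Config, so it is presumably offered in the
        // renegotiation ClientHello as well. RFC 5746 requires a server to abort when the SCSV
        // appears in a renegotiation ClientHello, so FALSE here need not mean the server lacks
        // SCSV support. Verify how the dynamic workflow builds the second hello.
        config.getDefaultClientSupportedCipherSuites().add(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
        State state = new State(config);
        executeState(state);
        return outcomeOf(state.getWorkflowTrace(), state);
    }

    /**
     * Runs the configured renegotiation workflow with the renegotiation_info extension disabled
     * and no SCSV added, i.e. without any renegotiation signalling from the client.
     *
     * @return {@link TestResult#COULD_NOT_TEST} if no ServerHello was received, {@link
     *     TestResult#TRUE} if the trace executed as planned, otherwise {@link TestResult#FALSE}
     */
    private TestResult supportsInsecureClientRenegotiation() {
        Config config = getBaseConfig();
        config.setAddRenegotiationInfoExtension(false);
        State state = new State(config);
        executeState(state);
        return outcomeOf(state.getWorkflowTrace(), state);
    }

    /**
     * Decides whether the probe can run: the report must hold a cipher suite collection that is
     * non-empty, or the server must have tested negative for TLS 1.0, 1.1 and 1.2.
     *
     * @param siteReport report collected by earlier probes
     * @return {@code true} if the probe may be executed
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public boolean canBeExecuted(SiteReport siteReport) {
        // NOTE(review): getBaseConfig() caps the client at TLS 1.2, so against a server that only
        // speaks TLS 1.3 the sub-tests will presumably not get a usable handshake. Confirm that
        // admitting that case here is intended.
        return siteReport.getCipherSuites() != null
                && (!siteReport.getCipherSuites().isEmpty() || supportsOnlyTls13(siteReport));
    }

    /**
     * Prepares the probe state: offers every known cipher suite except the two signalling values
     * and enables the extension sub-test.
     *
     * @param siteReport report collected by earlier probes; not read by this implementation, so
     *     neither the offered suites nor the extension gate reflect what was observed on the target
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public void adjustConfig(SiteReport siteReport) {
        this.supportedSuites = new HashSet<>(Arrays.asList(CipherSuite.values()));
        // Signalling values are added explicitly by the sub-tests that need them.
        this.supportedSuites.remove(CipherSuite.TLS_FALLBACK_SCSV);
        this.supportedSuites.remove(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
        this.supportsRenegotiationExtension = TestResult.TRUE;
    }

    /**
     * Result reported when {@link #canBeExecuted(SiteReport)} rejects the probe.
     *
     * @return a {@link RenegotiationResult} with every field set to {@link
     *     TestResult#COULD_NOT_TEST}
     */
    @Override // de.rub.nds.tlsscanner.serverscanner.probe.TlsProbe
    public ProbeResult getCouldNotExecuteResult() {
        return new RenegotiationResult(
                TestResult.COULD_NOT_TEST,
                TestResult.COULD_NOT_TEST,
                TestResult.COULD_NOT_TEST,
                TestResult.COULD_NOT_TEST,
                TestResult.COULD_NOT_TEST);
    }

    /**
     * Checks whether the report marks TLS 1.0, 1.1 and 1.2 all as unsupported.
     *
     * @param siteReport report collected by earlier probes
     * @return {@code true} if all three properties are {@link TestResult#FALSE}
     */
    private boolean supportsOnlyTls13(SiteReport siteReport) {
        return siteReport.getResult(AnalyzedProperty.SUPPORTS_TLS_1_0) == TestResult.FALSE
                && siteReport.getResult(AnalyzedProperty.SUPPORTS_TLS_1_1) == TestResult.FALSE
                && siteReport.getResult(AnalyzedProperty.SUPPORTS_TLS_1_2) == TestResult.FALSE;
    }

    /**
     * Builds a fresh client {@link Config} for one sub-test: TLS 1.2 at most, the dynamic
     * client-renegotiation workflow, all suites from {@link #supportedSuites}, and every
     * stop-on-error switch enabled so a rejected renegotiation ends the trace early.
     *
     * @return the new configuration; callers adjust the renegotiation_info flag afterwards
     */
    private Config getBaseConfig() {
        Config config = getScannerConfig().createConfig();
        config.setDefaultClientSupportedCipherSuites(new ArrayList<CipherSuite>(this.supportedSuites));
        // NOTE(review): the list is copied from a HashSet, so which suite ends up at index 0 (and
        // the order offered to the server) is not fixed by this code.
        config.setDefaultSelectedCipherSuite(config.getDefaultClientSupportedCipherSuites().get(0));
        config.setDefaultClientNamedGroups(NamedGroup.getImplemented());
        config.setHighestProtocolVersion(ProtocolVersion.TLS12);
        config.setWorkflowTraceType(WorkflowTraceType.DYNAMIC_CLIENT_RENEGOTIATION_WITHOUT_RESUMPTION);

        // The EC extensions are only sent when at least one offered suite has a key exchange
        // whose name contains "EC".
        boolean offersEcKeyExchange = false;
        for (CipherSuite suite : config.getDefaultClientSupportedCipherSuites()) {
            KeyExchangeAlgorithm keyExchange = AlgorithmResolver.getKeyExchangeAlgorithm(suite);
            // Locale.ROOT keeps the case mapping independent of the JVM's default locale.
            if (keyExchange != null
                    && keyExchange.name().toUpperCase(java.util.Locale.ROOT).contains("EC")) {
                offersEcKeyExchange = true;
                break;
            }
        }
        config.setAddECPointFormatExtension(offersEcKeyExchange);
        config.setAddEllipticCurveExtension(offersEcKeyExchange);
        config.setAddServerNameIndicationExtension(true);
        config.setAddRenegotiationInfoExtension(true);
        config.setAddSignatureAndHashAlgorithmsExtension(true);
        config.setEnforceSettings(false);
        config.setEarlyStop(true);
        config.setStopReceivingAfterFatal(true);
        config.setStopActionsAfterFatal(true);
        config.setStopReceivingAfterWarning(true);
        config.setStopActionsAfterWarning(true);
        config.setStopActionsAfterIOException(true);
        config.setStopTraceAfterUnexpected(true);
        config.setQuickReceive(true);
        return config;
    }

    /**
     * Appends the client side of one full handshake to the trace: ClientHello, wait for
     * ServerHelloDone, dynamic ClientKeyExchange, CCS + Finished, then the server's CCS + Finished.
     */
    private static void appendClientHandshake(
            WorkflowTrace trace, ClientHelloMessage clientHello, Config config) {
        trace.addTlsAction(new SendAction(new ProtocolMessage[] {clientHello}));
        trace.addTlsAction(new ReceiveTillAction(new ServerHelloDoneMessage(config)));
        trace.addTlsAction(new SendDynamicClientKeyExchangeAction());
        trace.addTlsAction(
                new SendAction(new ProtocolMessage[] {new ChangeCipherSpecMessage(), new FinishedMessage()}));
        trace.addTlsAction(
                new ReceiveAction(new ProtocolMessage[] {new ChangeCipherSpecMessage(), new FinishedMessage()}));
    }

    /**
     * Maps an executed trace to a test outcome: COULD_NOT_TEST when {@code inspectedTrace} holds
     * no ServerHello, else TRUE/FALSE depending on whether the state's trace ran as planned.
     */
    private static TestResult outcomeOf(WorkflowTrace inspectedTrace, State state) {
        if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.SERVER_HELLO, inspectedTrace)) {
            return TestResult.COULD_NOT_TEST;
        }
        return state.getWorkflowTrace().executedAsPlanned() ? TestResult.TRUE : TestResult.FALSE;
    }
}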
