Merge pull request #165 from hcrudolph/development

Bug fixes, dependency updates
hcrudolph · Jul 10, 2023 · 916113f · 916113f
2 parents a728dd8 + 1719acc
commit 916113f
Show file tree

Hide file tree

Showing 7 changed files with 101 additions and 54 deletions.
diff --git a/directory/fixtures/00_vulnerabilities.yaml b/directory/fixtures/00_vulnerabilities.yaml
@@ -27,12 +27,17 @@
   pk: 'NULL Encryption'
   fields:
     severity: 2
-    description: 'This cipher suite uses no encryption at all. Hence, it is not providing confidentiality.'
+    description: 'This cipher suite uses no encryption at all. Hence, it does not provide confidentiality protection.'
 - model: directory.Vulnerability
   pk: 'NULL Authentication'
   fields:
     severity: 2
-    description: 'This cipher suite uses no authentication at all. Hence, it is not providing integrity.'
+    description: 'This cipher suite uses no authentication at all.'
+- model: directory.Vulnerability
+  pk: 'NULL Integrity'
+  fields:
+    severity: 2
+    description: 'This cipher suite uses no hash algorithm at all. Hence, it does not provide integrity protection.'
 - model: directory.Vulnerability
   pk: 'Data Encryption Standard'
   fields:

diff --git a/directory/fixtures/01_technologies.yaml b/directory/fixtures/01_technologies.yaml
@@ -82,6 +82,11 @@
   fields:
     long_name: 'gostIMIT28147'
     vulnerabilities: ['GOST']
+- model: directory.AuthAlgorithm
+  pk: 'GOSTR341012'
+  fields:
+    long_name: 'GOST R 34.10-2012 Digital Signature Algorithm'
+    vulnerabilities: ['GOST']
 
 ###########################
 # Key Exchange Algorithms #
@@ -133,9 +138,9 @@
     long_name: 'Secure Remote Password'
     vulnerabilities: []
 - model: directory.KexAlgorithm
-  pk: 'VKO GOSTR3410 2012 256'
+  pk: 'GOSTR341112 256'
   fields:
-    long_name: ''
+    long_name: 'Key agreement Function based on GOST R 34.11-2012'
     vulnerabilities: ['GOST']
 
 ###################
@@ -151,7 +156,7 @@
   pk: 'NULL'
   fields:
     long_name: 'NULL Hash'
-    vulnerabilities: []
+    vulnerabilities: ['NULL Integrity']
 - model: directory.HashAlgorithm
   pk: 'SHA'
   fields:
@@ -173,9 +178,9 @@
     long_name: 'ShangMi 3 Hashing Algorithm'
     vulnerabilities: ['ShangMi 3 Hash']
 - model: directory.HashAlgorithm
-  pk: 'GOST R 34.11-2012'
+  pk: 'GOSTR341112'
   fields:
-    long_name: ''
+    long_name: 'GOST R 34.11-2012 Hash Function'
     vulnerabilities: ['GOST']
 
 #########################
@@ -340,12 +345,32 @@
 - model: directory.EncAlgorithm
   pk: 'KUZNYECHIK CTR'
   fields:
-    long_name: 'Kuznyechik Block Cipher'
+    long_name: 'Kuznyechik Block Cipher in Counter Mode (CTR)'
+    vulnerabilities: ['GOST']
+- model: directory.EncAlgorithm
+  pk: 'KUZNYECHIK MGM S'
+  fields:
+    long_name: 'Kuznyechik Block Cipher in Multilinear Galois Mode (MGM)'
+    vulnerabilities: ['GOST']
+- model: directory.EncAlgorithm
+  pk: 'KUZNYECHIK MGM L'
+  fields:
+    long_name: 'Kuznyechik Block Cipher in Multilinear Galois Mode (MGM)'
     vulnerabilities: ['GOST']
 - model: directory.EncAlgorithm
   pk: 'MAGMA CTR'
   fields:
-    long_name: 'Magma Block Cipher'
+    long_name: 'Magma Block Cipher in Counter Mode (CTR)'
+    vulnerabilities: ['GOST']
+- model: directory.EncAlgorithm
+  pk: 'MAGMA MGM S'
+  fields:
+    long_name: 'Magma Block Cipher in Multilinear Galois Mode (MGM)'
+    vulnerabilities: ['GOST']
+- model: directory.EncAlgorithm
+  pk: 'MAGMA MGM L'
+  fields:
+    long_name: 'Magma Block Cipher in Multilinear Galois Mode (MGM)'
     vulnerabilities: ['GOST']
 - model: directory.EncAlgorithm
   pk: '28147 CNT'

diff --git a/directory/management/commands/filltlsversion.py b/directory/management/commands/filltlsversion.py
@@ -48,12 +48,12 @@ def handle(self, *args, **options):
             'TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384',
         ]
 
-        for cipher_suite in CipherSuite.objects.all():
-            tls10, _ = TlsVersion.objects.get_or_create(major=1, minor=0)
-            tls11, _ = TlsVersion.objects.get_or_create(major=1, minor=1)
-            tls12, _ = TlsVersion.objects.get_or_create(major=1, minor=2)
-            tls13, _ = TlsVersion.objects.get_or_create(major=1, minor=3)
+        tls10, _ = TlsVersion.objects.get_or_create(major=1, minor=0)
+        tls11, _ = TlsVersion.objects.get_or_create(major=1, minor=1)
+        tls12, _ = TlsVersion.objects.get_or_create(major=1, minor=2)
+        tls13, _ = TlsVersion.objects.get_or_create(major=1, minor=3)
 
+        for cipher_suite in CipherSuite.objects.all():
             if not 'WITH' in cipher_suite.name:
                 # TLS1.3 IANA names don't include WITH
                 cipher_suite.tls_version.add(tls13)
@@ -63,6 +63,9 @@ def handle(self, *args, **options):
                 cipher_suite.tls_version.add(tls12)
                 cipher_suite.tls_version.add(tls11)
                 cipher_suite.tls_version.add(tls10)
+            elif 'MGM' in cipher_suite.name:
+                # GOST MGM are supported by TLS1.3 onwards
+                cipher_suite.tls_version.add(tls13)
             elif 'POLY1305' in cipher_suite.name or\
                 'GCM' in cipher_suite.name or\
                 'CCM' in cipher_suite.name or\

diff --git a/directory/signals.py b/directory/signals.py
@@ -107,23 +107,37 @@ def get_status_alt(html):
 def complete_cs_instance(sender, instance, *args, **kwargs):
     '''Derives related algorithms form instance.name of the cipher suites.'''
 
-    tls_13_flag = False
+    flag_tls13 = False
+    flag_pfs = False
+    flag_aead = False
 
     # GOST ciphers
-    if (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x01') or\
+    if (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x00') or\
+        (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x01') or\
         (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x02') or\
-        (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x03'):
+        (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x03') or\
+        (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x04') or\
+        (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x05') or\
+        (instance.hex_byte_1 == '0xC1' and instance.hex_byte_2 == '0x06'):
         name = instance.name
-        (prt,_,rst) = name.replace("_", " ").partition("WITH")
-        (enc,_,aut) = rst.rpartition(" ")
-        prt = "TLS"
-        kex = "VKO GOSTR3410 2012 256"
-        hsh = "GOST R 34.11-2012"
+        (fst,_,rst) = name.replace("_", " ").partition("WITH")
+        (prt,kex) = fst.split(" ", 1)
+        aut = 'GOSTR341012'
+        hsh = 'GOSTR341112'
+
+        if re.search(r'MGM', rst, re.IGNORECASE):
+            flag_tls13 = True
+            kex = 'ECDHE'
+            enc = rst
+            aut = '-'
+            hsh = '-'
+        else:
+            (enc,_) = rst.rsplit(" ", 1)
 
     # TLS1.3 authentication/integrity-only ciphers
     elif (instance.hex_byte_1 == '0xC0' and instance.hex_byte_2 == '0xB4') or\
         (instance.hex_byte_1 == '0xC0' and instance.hex_byte_2 == '0xB5'):
-        tls_13_flag = True
+        flag_tls13 = True
         name = instance.name
         (prt,_,rst) = name.replace("_", " ").partition(" ")
         (aut,_,hsh) = rst.rpartition(" ")
@@ -134,7 +148,7 @@ def complete_cs_instance(sender, instance, *args, **kwargs):
     elif instance.hex_byte_1 == '0x13'\
         or instance.hex_byte_2 == '0xC6'\
         or instance.hex_byte_2 == '0xC7':
-        tls_13_flag = True
+        flag_tls13 = True
         name = instance.name
         (prt,_,rst) = name.replace("_", " ").partition(" ")
         (enc,_,hsh) = rst.rpartition(" ")
@@ -174,14 +188,12 @@ def complete_cs_instance(sender, instance, *args, **kwargs):
             aut = "PSK"
 
     # identify PFS algorithms
-    pfs_flag = False
-    if re.search(r'ECDHE|DHE', kex, re.IGNORECASE) or tls_13_flag:
-        pfs_flag = True
+    if re.search(r'ECDHE|DHE', kex, re.IGNORECASE) or flag_tls13:
+        flag_pfs = True
 
     # identify AEAD algorithms
-    aead_flag = False
-    if re.search(r'GCM|POLY1305|CCM', enc, re.IGNORECASE):
-        aead_flag = True
+    if re.search(r'GCM|POLY1305|CCM|MGM', enc, re.IGNORECASE):
+        flag_aead = True
 
     # connect foreign keys from other models
     # if aut is not excplicitly defined, set it equal to kex
@@ -195,7 +207,7 @@ def complete_cs_instance(sender, instance, *args, **kwargs):
         )
     instance.kex_algorithm, _ = KexAlgorithm.objects.update_or_create(
         short_name=kex.strip(),
-        defaults={'pfs_support': pfs_flag}
+        defaults={'pfs_support': flag_pfs}
     )
     instance.protocol_version, _ = ProtocolVersion.objects.get_or_create(
         short_name=prt.strip()
@@ -205,7 +217,7 @@ def complete_cs_instance(sender, instance, *args, **kwargs):
     )
     instance.enc_algorithm, _ = EncAlgorithm.objects.update_or_create(
         short_name=enc.strip(),
-        defaults={'aead_algorithm': aead_flag}
+        defaults={'aead_algorithm': flag_aead}
     )
 
 

diff --git a/directory/templates/directory/detail_cs.html b/directory/templates/directory/detail_cs.html
@@ -46,7 +46,9 @@ <h1 class="mb-4">
 
                     {% if atype == 'Encryption' and cipher_suite.enc_algorithm.aead_algorithm %}
                         <span class="badge bg-secondary" data-bs-toggle="tooltip" data-bs-placement="left" title="Data Authentication via Authenticated Encryption with Associated Data">AEAD</span>
-                    {% elif atype == 'Hash' and not cipher_suite.enc_algorithm.aead_algorithm %}
+                    {% endif %}
+
+                    {% if atype == 'Hash' and not algo.short_name == 'NULL' and not cipher_suite.enc_algorithm.aead_algorithm %}
                         <span class="badge bg-secondary" data-bs-toggle="tooltip" data-bs-placement="left" title="Data Authentication via Hash-based Message Authentication Code">HMAC</span>
                     {% endif %}
 

diff --git a/requirements/requirements-dev.txt b/requirements/requirements-dev.txt
@@ -1,39 +1,39 @@
-asgiref==3.7.1
+asgiref==3.7.2
 brotlipy==0.7.0
 certifi==2023.5.7
 cffi==1.15.1
 chardet==5.1.0
-charset-normalizer==3.1.0
-coverage==7.2.6
+charset-normalizer==3.2.0
+coverage==7.2.7
 dj-database-url==2.0.0
-Django==4.2.1
+Django==4.2.3
 django-appconf==1.0.5
-django-compressor==4.3.1
+django-compressor==4.4
 django-markdownx==4.0.2
-django-otp==1.2.1
+django-otp==1.2.2
 django-sass-processor==1.2.2
 exceptiongroup==1.1.1
 idna==3.4
-importlib-metadata==6.6.0
+importlib-metadata==6.8.0
 iniconfig==2.0.0
 libsass==0.22.0
-lxml==4.9.2
+lxml==4.9.3
 Markdown==3.4.3
 packaging==23.1
-Pillow==9.5.0
-pluggy==1.0.0
+Pillow==10.0.0
+pluggy==1.2.0
 psycopg2-binary==2.9.6
 pycparser==2.21
 pypng==0.20220715.0
-pytest==7.3.1
+pytest==7.4.0
 PyYAML==6.0
 qrcode==7.4.2
 rcssmin==1.1.1
 requests==2.31.0
 rjsmin==1.2.1
 sqlparse==0.4.4
 tomli==2.0.1
-typing_extensions==4.5.0
-urllib3==2.0.2
-whitenoise==6.4.0
-zipp==3.15.0
+typing_extensions==4.6.3
+urllib3==2.0.3
+whitenoise==6.5.0
+zipp==3.16.0
diff --git a/requirements/requirements-prod.txt b/requirements/requirements-prod.txt
@@ -1,15 +1,15 @@
-asgiref==3.7.1
+asgiref==3.7.2
 brotlipy==0.7.0
 certifi==2023.5.7
 cffi==1.15.1
 chardet==5.1.0
 charset-normalizer==3.1.0
 dj-database-url==2.0.0
-Django==4.2.1
+Django==4.2.2
 django-appconf==1.0.5
 django-compressor==4.3.1
 django-markdownx==4.0.2
-django-otp==1.2.1
+django-otp==1.2.2
 django-sass-processor==1.2.2
 idna==3.4
 importlib-metadata==6.6.0
@@ -26,7 +26,7 @@ rcssmin==1.1.1
 requests==2.31.0
 rjsmin==1.2.1
 sqlparse==0.4.4
-typing_extensions==4.5.0
-urllib3==2.0.2
-whitenoise==6.4.0
+typing_extensions==4.6.3
+urllib3==2.0.3
+whitenoise==6.5.0
 zipp==3.15.0