2016-07-08 11:40:17 +02:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
#
|
|
|
|
# PoC for checking the ellipticale curves negotiated
|
|
|
|
# x448 and x25519 are missing, others are not supported
|
|
|
|
# License see testssl.sh
|
|
|
|
|
2016-07-09 14:24:38 +02:00
|
|
|
readonly RUN_DIR=$(dirname "$0")
|
|
|
|
|
|
|
|
test_openssl_suffix() {
|
|
|
|
local naming_ext="$(uname).$(uname -m)"
|
|
|
|
local uname_arch="$(uname -m)"
|
|
|
|
local myarch_suffix=""
|
|
|
|
|
|
|
|
[[ $uname_arch =~ 64 ]] && myarch_suffix=64 || myarch_suffix=32
|
|
|
|
if [[ -f "$1/openssl" ]] && [[ -x "$1/openssl" ]]; then
|
|
|
|
OPENSSL="$1/openssl"
|
|
|
|
return 0
|
|
|
|
elif [[ -f "$1/openssl.$naming_ext" ]] && [[ -x "$1/openssl.$naming_ext" ]]; then
|
|
|
|
OPENSSL="$1/openssl.$naming_ext"
|
|
|
|
return 0
|
|
|
|
fi
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
find_openssl_binary() {
|
|
|
|
# 0. check environment variable whether it's executable
|
|
|
|
if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
|
|
|
|
pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
|
|
|
|
outln " Looking some place else ..."
|
|
|
|
elif [[ -x "$OPENSSL" ]]; then
|
2018-04-10 13:46:43 +02:00
|
|
|
: # 1. all ok supplied $OPENSSL was found and has executable bit set -- testrun comes below
|
2016-07-09 14:24:38 +02:00
|
|
|
elif test_openssl_suffix $RUN_DIR; then
|
|
|
|
: # 2. otherwise try openssl in path of testssl.sh
|
|
|
|
elif test_openssl_suffix ../$RUN_DIR; then
|
|
|
|
: # 2. otherwise try openssl in path of testssl.sh
|
|
|
|
elif test_openssl_suffix ../$RUN_DIR/bin; then
|
2018-04-10 13:46:43 +02:00
|
|
|
: # 3. otherwise here, this is supposed to be the standard --platform independent path in the future!!!
|
2022-09-13 01:24:26 +02:00
|
|
|
elif test_openssl_suffix "$(dirname "$(command -v openssl)")"; then
|
2016-07-09 14:24:38 +02:00
|
|
|
: # 5. we tried hard and failed, so now we use the system binaries
|
|
|
|
fi
|
|
|
|
|
|
|
|
# no ERRFILE initialized yet, thus we use /dev/null for stderr directly
|
|
|
|
$OPENSSL version -a 2>/dev/null >/dev/null
|
|
|
|
if [[ $? -ne 0 ]] || [[ ! -x "$OPENSSL" ]]; then
|
|
|
|
echo "\ncannot exec or find any openssl binary"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
echo
|
|
|
|
echo "using $OPENSSL"
|
|
|
|
echo
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
VERBOSE=false
|
|
|
|
if [[ $1 == "-v" ]]; then
|
|
|
|
VERBOSE=true
|
|
|
|
shift
|
|
|
|
fi
|
2016-07-08 11:40:17 +02:00
|
|
|
|
|
|
|
HN="$1"
|
|
|
|
[ -z "$HN" ] && HN=testssl.sh
|
2016-07-09 14:24:38 +02:00
|
|
|
find_openssl_binary
|
|
|
|
|
2021-06-15 04:04:23 +02:00
|
|
|
ERRFILE=$(mktemp /tmp/curve_tester.R.XXXXXX) || exit 6
|
|
|
|
TMPFILE=$(mktemp /tmp/curve_tester.T.XXXXXX) || exit 6
|
2016-07-09 14:24:38 +02:00
|
|
|
|
|
|
|
|
|
|
|
for curve in $($OPENSSL ecparam -list_curves | awk -F':' '/:/ { print $1 }'); do
|
2016-07-08 11:40:17 +02:00
|
|
|
#if bin/openssl.Linux.x86_64 s_client -curves $curve -connect $HN:443 -servername $HN </dev/null 2>/dev/null | grep -q "BEGIN CERTIFICATE" ; then
|
|
|
|
# echo 'YES'
|
|
|
|
#else
|
|
|
|
# echo '--'
|
|
|
|
#fi
|
2016-07-09 14:24:38 +02:00
|
|
|
$OPENSSL s_client -cipher ECDH -curves $curve -connect $HN:443 -servername $HN </dev/null 2>$ERRFILE | grep "Server Temp Key:" >$TMPFILE
|
|
|
|
if [[ $? -eq 0 ]]; then
|
|
|
|
printf "$curve: "
|
|
|
|
cat $TMPFILE | sed 's/^.*Server Temp Key: //'
|
2016-07-08 11:40:17 +02:00
|
|
|
else
|
2016-07-09 14:24:38 +02:00
|
|
|
if grep -q 'Error with' $ERRFILE; then
|
|
|
|
if "$VERBOSE"; then
|
|
|
|
echo "$curve: no client support"
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
echo "$curve: --"
|
|
|
|
fi
|
2016-07-08 11:40:17 +02:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
2016-07-09 14:24:38 +02:00
|
|
|
rm -f $ERRFILE $TMPFILE
|
|
|
|
|
2016-07-08 11:40:17 +02:00
|
|
|
# vim:ts=5:sw=5:expandtab
|
2016-07-09 14:24:38 +02:00
|
|
|
# $Id: curves.bash,v 1.3 2016/07/09 12:22:13 dirkw Exp $
|
2016-07-08 11:40:17 +02:00
|
|
|
|