openssl2rfc and rfc2openssl

This PR provides implementations of openssl2rfc and rfc2openssl. It also uses openssl2rfc() in run_server_preference() to help determine how to display the "negotiated cipher." I believe that using the RFC names addresses the current FIXME:

FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list
David Cooper 2016-06-07 14:02:48 -04:00
parent 8ed6214b6f
commit 253ba29cde
1 changed files with 31 additions and 10 deletions


@ -1446,13 +1446,34 @@ sockread() {
return $ret return $ret
} }
#FIXME: fill the following two:
openssl2rfc() { openssl2rfc() {
: local hexcode rfcname
hexcode=$($OPENSSL ciphers -V "$1" 2>>$ERRFILE | head -1 | awk '{ print $1 }')
[[ -z "$hexcode" ]] && return 0
normalize_ciphercode $hexcode
rfcname="$(strip_spaces $(grep -iw "$HEXC" "$MAPPING_FILE_RFC" | sed -e 's/^.*TLS/TLS/' -e 's/^.*SSL/SSL/'))"
[[ -n "$rfcname" ]] && out "$rfcname"
return 0
} }
rfc2openssl() { rfc2openssl() {
: local hexcode ossl_hexcode ossl_name
local -i len
hexcode=$(grep -iw "$1" "$MAPPING_FILE_RFC" | head -1 | awk '{ print $1 }')
[[ -z "$hexcode" ]] && return 0
len=${#hexcode}
case $len in
3) ossl_hexcode="0x00,0x${hexcode:1:2}" ;;
5) ossl_hexcode="0x${hexcode:1:2},0x${hexcode:3:2}" ;;
7) ossl_hexcode="0x${hexcode:1:2},0x${hexcode:3:2},0x${hexcode:5:2}" ;;
*) return 0 ;;
esac
ossl_name="$($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' | grep -i " $ossl_hexcode " | awk '{ print $3 }')"
[[ -z "$ossl_name" ]] && ossl_name="-"
out "$ossl_name"
return 0
} }
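Review bot: openssl2rfc() prints nothing whenever `$OPENSSL ciphers -V` or the `$MAPPING_FILE_RFC` lookup finds no match (the `[[ -z "$hexcode" ]] && return 0` and `[[ -n "$rfcname" ]]` guards), and the run_server_preference() hunk below switches on that output directly, so a negotiated cipher that is missing from the mapping file lands in the `"")` arm and is reported as "default cipher empty" although $default_cipher is set. Keeping the OpenSSL name as a fallback avoids that: `rfcname=$(openssl2rfc "$default_cipher")` followed by `case "${rfcname:-$default_cipher}" in`, with the first arm written as `*NULL*|*EXP*)` so it covers both the RFC `EXPORT` form and the OpenSSL `EXP-` form. The new `ECDHE*AES*)` arm in that function can never match, because the sed on the rfcname line strips everything before `TLS`/`SSL`, so every name the case sees starts with one of those prefixes; `*ECDHE*AES*)`, placed before `*CBC*` as the removed arm was, restores the intended "minor" rating. Both new functions would also benefit from a one-line header such as `# openssl2rfc: print the RFC/IANA name for OpenSSL cipher name $1 (looked up via $MAPPING_FILE_RFC); prints nothing if unknown`, and the `$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL'` call in rfc2openssl lacks the `2>>$ERRFILE` redirection its sibling uses.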
@ -2580,8 +2601,8 @@ run_server_preference() {
pr_bold " Negotiated cipher " pr_bold " Negotiated cipher "
default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') default_cipher=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g')
case "$default_cipher" in case "$(openssl2rfc $default_cipher)" in
*NULL*|*EXP*) *NULL*|*EXPORT*)
pr_svrty_critical "$default_cipher" pr_svrty_critical "$default_cipher"
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher" fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) $remark4default_cipher"
;; ;;
@ -2589,18 +2610,18 @@ run_server_preference() {
pr_svrty_high "$default_cipher" pr_svrty_high "$default_cipher"
fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher" fileout "order_cipher" "NOT ok" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (NOT ok) remark4default_cipher"
;; ;;
ECDHE*AES*CBC*)
pr_svrty_minor "$default_cipher"
fileout "order_cipher" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
;; # it's CBC. --> lucky13
*CBC*) *CBC*)
pr_svrty_medium "$default_cipher" pr_svrty_medium "$default_cipher"
fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher" fileout "order_cipher" "MEDIUM" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") $remark4default_cipher"
;; # FIXME BEAST: We miss some CBC ciphers here, need to work w/ a list ;;
*GCM*|*CHACHA20*) *GCM*|*CHACHA20*)
pr_done_best "$default_cipher" pr_done_best "$default_cipher"
fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK) $remark4default_cipher" fileout "order_cipher" "OK" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (OK) $remark4default_cipher"
;; # best ones ;; # best ones
ECDHE*AES*)
pr_svrty_minor "$default_cipher"
fileout "order_cipher" "WARN" "Default cipher: $default_cipher$(read_dhbits_from_file "$TMPFILE") (cbc) $remark4default_cipher"
;; # it's CBC. --> lucky13
"") "")
pr_warning "default cipher empty" ; pr_warning "default cipher empty" ;
if [[ $OSSL_VER == 1.0.2* ]]; then if [[ $OSSL_VER == 1.0.2* ]]; then