Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-07 09:10:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #512 from dcooper16/run_allciphers_sockets

Browse Source 
Use tls_sockets() in run_allciphers()
This commit is contained in:
Dirk Wetter 2016-11-15 12:54:15 +01:00 committed by GitHub
commit 37933d6fa1
1 changed files with 146 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

224
testssl.sh
View File

@ -2026,33 +2026,69 @@ test_just_one(){
# test for all ciphers locally configured (w/o distinguishing whether they are good or bad) # test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
run_allciphers() { run_allciphers() {
local tmpfile local tmpfile
local -i nr_ciphers=0 local -i nr_ciphers=0 ret
local n auth mac export local n auth mac export hexc sslv2_ciphers=""
local -a hexcode ciph sslvers kx enc export2 local -a normalized_hexcode hexcode ciph sslvers kx enc export2
local -i i j parent child end_of_bundle round_num bundle_size num_bundles mod_check local -i i j parent child end_of_bundle round_num bundle_size num_bundles mod_check
local -a ciphers_found local -a ciphers_found
local dhlen local dhlen
local available local available
local ciphers_to_test local ciphers_to_test
local sslv2_supported=false local sslv2_supported=false
local has_dh_bits="$HAS_DH_BITS"
local using_sockets=true
# get a list of all the cipher suites to test (only need the hexcode, ciph, sslvers, kx, enc, and export values) if "$SSL_NATIVE" || [[ -n "$STARTTLS" ]]; then
while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do using_sockets=false
nr_ciphers=$nr_ciphers+1 fi
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
if "$using_sockets"; then
# get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values)
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
hexc=$(echo "${TLS_CIPHER_HEXCODE[i]}" | tr 'A-Z' 'a-z')
ciph[i]="${TLS_CIPHER_OSSL_NAME[i]}"
sslvers[i]="${TLS_CIPHER_SSLVERS[i]}"
kx[i]="${TLS_CIPHER_KX[i]}"
enc[i]="${TLS_CIPHER_ENC[i]}"
export2[i]="${TLS_CIPHER_EXPORT[i]}"
if [[ ${#hexc} -eq 9 ]]; then
hexcode[i]="${hexc:2:2},${hexc:7:2}"
if [[ "${hexc:2:2}" == "00" ]]; then
normalized_hexcode[i]="x${hexc:7:2}"
else
normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}"
fi
else
hexcode[i]="${hexc:2:2},${hexc:7:2},${hexc:12:2}"
normalized_hexcode[i]="x${hexc:2:2}${hexc:7:2}${hexc:12:2}"
sslv2_ciphers="$sslv2_ciphers, ${hexcode[i]}"
fi
done
nr_ciphers=$TLS_NR_CIPHERS
sslv2_sockets "${sslv2_ciphers:2}" "true"
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
sslv2_supported=true
fi
else
# get a list of all the cipher suites to test (only need the hexcode, ciph, sslvers, kx, enc, and export values)
while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
nr_ciphers=$nr_ciphers+1
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
if "$HAS_SSL2"; then
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE"
[[ "$?" -eq 0 ]] && sslv2_supported=true
fi
fi
outln outln
pr_headlineln " Testing all $OPENSSL_NR_CIPHERS locally available ciphers against the server, ordered by encryption strength " pr_headlineln " Testing all $nr_ciphers locally available ciphers against the server, ordered by encryption strength "
"$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" "$using_sockets" || "$HAS_DH_BITS" || pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
outln outln
neat_header neat_header
if "$HAS_SSL2"; then
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE"
[[ "$?" -eq 0 ]] && sslv2_supported=true
fi
# Split ciphers into bundles of size 4**n, starting with an "n" that # Split ciphers into bundles of size 4**n, starting with an "n" that
# splits the ciphers into 4 bundles, and then reducing "n" by one in each # splits the ciphers into 4 bundles, and then reducing "n" by one in each
# round. Only test a bundle of 4**n ciphers against the server if it was # round. Only test a bundle of 4**n ciphers against the server if it was
@ -2075,71 +2111,103 @@ run_allciphers() {
done done
for (( bundle_size/=4; bundle_size>=1; bundle_size/=4 )); do for (( bundle_size/=4; bundle_size>=1; bundle_size/=4 )); do
# Note that since the number of ciphers isn't a power of 4, the number # Note that since the number of ciphers isn't a power of 4, the number
# of bundles may be may be less than 4**(round_num+1), and the final # of bundles may be may be less than 4**(round_num+1), and the final
# bundle may have fewer than bundle_size ciphers. # bundle may have fewer than bundle_size ciphers.
num_bundles=$nr_ciphers/$bundle_size num_bundles=$nr_ciphers/$bundle_size
mod_check=$nr_ciphers%$bundle_size mod_check=$nr_ciphers%$bundle_size
[[ $mod_check -ne 0 ]] && num_bundles=$num_bundles+1 [[ $mod_check -ne 0 ]] && num_bundles=$num_bundles+1
for ((i=0;i<num_bundles;i++)); do for (( i=0; i<num_bundles; i++ )); do
# parent=index of bundle from previous round that includes this bundle of ciphers # parent=index of bundle from previous round that includes this bundle of ciphers
parent=4**$round_num+$i/4 parent=4**$round_num+$i/4
# child=index for this bundle of ciphers # child=index for this bundle of ciphers
child=4*4**$round_num+$i child=4*4**$round_num+$i
if ${ciphers_found[parent]}; then if ${ciphers_found[parent]}; then
ciphers_to_test="" ciphers_to_test=""
end_of_bundle=$i*$bundle_size+$bundle_size end_of_bundle=$i*$bundle_size+$bundle_size
[[ $end_of_bundle -gt $nr_ciphers ]] && end_of_bundle=$nr_ciphers [[ $end_of_bundle -gt $nr_ciphers ]] && end_of_bundle=$nr_ciphers
for ((j=i*bundle_size;j<end_of_bundle;j++)); do if "$using_sockets"; then
[[ "${sslvers[j]}" != "SSLv2" ]] && ciphers_to_test="${ciphers_to_test}:${ciph[j]}" for (( j=i*bundle_size; j<end_of_bundle; j++ )); do
done # Exclude the SSLv2 ciphers
ciphers_found[child]=false hexc="${hexcode[j]}"
if [[ -n "${ciphers_to_test:1}" ]]; then [[ ${#hexc} -eq 5 ]] && ciphers_to_test="${ciphers_to_test}, ${hexcode[j]}"
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null done
sclient_connect_successful "$?" "$TMPFILE" ciphers_found[child]=false
[[ "$?" -eq 0 ]] && ciphers_found[child]=true if [[ -n "${ciphers_to_test:2}" ]]; then
fi if [[ $bundle_size -eq 1 ]]; then
else tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
# No need to test, since test of parent demonstrated none of these ciphers work. else
ciphers_found[child]=false tls_sockets "03" "${ciphers_to_test:2}, 00,ff"
fi fi
ret=$?
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then
ciphers_found[child]=true
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
fi
fi
else
for (( j=i*bundle_size; j<end_of_bundle; j++ )); do
[[ "${sslvers[j]}" != "SSLv2" ]] && ciphers_to_test="${ciphers_to_test}:${ciph[j]}"
done
ciphers_found[child]=false
if [[ -n "${ciphers_to_test:1}" ]]; then
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE"
[[ "$?" -eq 0 ]] && ciphers_found[child]=true
fi
fi
else
# No need to test, since test of parent demonstrated none of these ciphers work.
ciphers_found[child]=false
fi
if $sslv2_supported && [[ $bundle_size -eq 1 ]] && [[ "${sslvers[i]}" == "SSLv2" ]]; then if $sslv2_supported && [[ $bundle_size -eq 1 ]] && [[ "${sslvers[i]}" == "SSLv2" ]]; then
$OPENSSL s_client -cipher "${ciph[i]}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null if "$using_sockets"; then
sclient_connect_successful "$?" "$TMPFILE" if grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt" | grep -q "${normalized_hexcode[i]}"; then
[[ "$?" -eq 0 ]] && ciphers_found[child]=true ciphers_found[child]=true
fi echo "" > $TMPFILE
# If this is a "leaf" of the test tree, then print out the results. fi
if [[ $bundle_size -eq 1 ]] && ( ${ciphers_found[child]} || "$SHOW_EACH_C"); then else
export=${export2[i]} $OPENSSL s_client -cipher "${ciph[i]}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
normalize_ciphercode "${hexcode[i]}" sclient_connect_successful "$?" "$TMPFILE"
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then [[ "$?" -eq 0 ]] && ciphers_found[child]=true
if ${ciphers_found[child]}; then fi
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet) fi
kx[i]="${kx[i]} $dhlen" # If this is a "leaf" of the test tree, then print out the results.
fi if [[ $bundle_size -eq 1 ]] && ( ${ciphers_found[child]} || "$SHOW_EACH_C"); then
fi export=${export2[i]}
neat_list "$HEXC" "${ciph[i]}" "${kx[i]}" "${enc[i]}" if ! "$using_sockets"; then
available="" normalize_ciphercode "${hexcode[i]}"
if "$SHOW_EACH_C"; then normalized_hexcode[i]="$HEXC"
if ${ciphers_found[child]}; then fi
available="available" if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
pr_cyan "$available" if ${ciphers_found[child]}; then
else dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
available="not a/v" kx[i]="${kx[i]} $dhlen"
out "$available" fi
fi fi
fi neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}"
if "$SHOW_SIGALGO" && ${ciphers_found[child]}; then available=""
$OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1 if "$SHOW_EACH_C"; then
else if ${ciphers_found[child]}; then
outln available="available"
fi pr_cyan "$available"
fileout "cipher_$HEXC" "INFO" "$(neat_list "$HEXC" "${ciph[i]}" "${kx[i]}" "${enc[i]}") $available" else
fi available="not a/v"
done out "$available"
round_num=round_num+1 fi
fi
if "$SHOW_SIGALGO" && ${ciphers_found[child]}; then
$OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1
else
outln
fi
fileout "cipher_${normalized_hexcode[i]}" "INFO" "$(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}") $available"
fi
done
round_num=round_num+1
done done
"$using_sockets" && HAS_DH_BITS="$has_dh_bits"
outln outln
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt