manually resolved conflict from #839 + change it to new logic

This commit is contained in:
Dirk 2017-10-02 14:55:57 +02:00
parent f3dc53f554
commit 411accb66d
1 changed files with 31 additions and 8 deletions

View File

@ -3972,16 +3972,21 @@ run_prototest_openssl() {
# arg1: protocol # arg1: protocol
# arg2: available (yes) or not (no) # arg2: available (yes) or not (no)
add_tls_offered() { add_tls_offered() {
<<<<<<< HEAD
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
# the ":" is mandatory here (and @ other palces), otherwise e.g. tls1 will match tls1_2 # the ":" is mandatory here (and @ other palces), otherwise e.g. tls1 will match tls1_2
: :
else else
PROTOS_OFFERED+="${1}:$2 " PROTOS_OFFERED+="${1}:$2 "
fi fi
=======
[[ "$PROTOS_OFFERED" =~ "$1 " ]] || PROTOS_OFFERED+="$1 "
>>>>>>> af15bd0f002c0523579b3807949fa54c05c793e3
} }
# function which checks whether SSLv2 - TLS 1.2 is being offereed, see add_tls_offered() # function which checks whether SSLv2 - TLS 1.2 is being offereed, see add_tls_offered()
has_server_protocol() { has_server_protocol() {
<<<<<<< HEAD
local proto_val_pair local proto_val_pair
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
@ -3999,6 +4004,9 @@ has_server_protocol() {
else else
# if empty echo 2, hinting to the caller to check at additional cost/connect # if empty echo 2, hinting to the caller to check at additional cost/connect
echo 2 echo 2
=======
if [[ "$PROTOS_OFFERED" =~ "$1 " ]]; then
>>>>>>> af15bd0f002c0523579b3807949fa54c05c793e3
return 0 return 0
fi fi
} }
@ -4881,6 +4889,7 @@ run_server_preference() {
cipher[i]="" cipher[i]=""
fi fi
fi fi
[[ -n "${cipher[i]}" ]] && add_tls_offered "$proto" yes
i=$((i + 1)) i=$((i + 1))
done done
@ -4997,7 +5006,7 @@ cipher_pref_check() {
pr_bold " Cipher order" pr_bold " Cipher order"
tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n" | while read p proto_hex proto; do while read p proto_hex proto; do
order=""; ciphers_found_with_sockets=false order=""; ciphers_found_with_sockets=false
if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\""; out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
@ -5168,12 +5177,13 @@ cipher_pref_check() {
fi fi
if [[ -n "$order" ]]; then if [[ -n "$order" ]]; then
add_tls_offered "$p" yes
outln outln
out "$(printf " %-10s " "$proto: ")" out "$(printf " %-10s " "$proto: ")"
out "$(out_row_aligned_max_width "$order" " " $TERM_WIDTH)" out "$(out_row_aligned_max_width "$order" " " $TERM_WIDTH)"
fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order" fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order"
fi fi
done done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n")"
outln outln
outln outln
@ -10808,9 +10818,17 @@ run_beast(){
# first determine whether it's mitigated by higher protocols # first determine whether it's mitigated by higher protocols
for proto in tls1_1 tls1_2; do for proto in tls1_1 tls1_2; do
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null if [[ $(has_server_protocol "$proto") -eq 0 ]]; then
if sclient_connect_successful $? $TMPFILE; then case $proto in
higher_proto_supported="$higher_proto_supported $(get_protocol $TMPFILE)" tls1_1) higher_proto_supported+=" TLSv1.1" ;;
tls1_2) higher_proto_supported+=" TLSv1.2" ;;
esac
else
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
if sclient_connect_successful $? $TMPFILE; then
higher_proto_supported+=" $(get_protocol $TMPFILE)"
add_tls_offered "$proto" yes
fi
fi fi
done done
@ -10820,14 +10838,18 @@ run_beast(){
out " " out " "
continue continue
fi fi
if [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then [[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni=""
[[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni="" if [[ $(has_server_protocol "$proto") -eq 0 ]]; then
sclient_success=0
elif [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>>$ERRFILE </dev/null $OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$?
else else
tls_sockets "00" "$TLS_CIPHER" tls_sockets "00" "$TLS_CIPHER"
sclient_success=$?
fi fi
if [[ $? -ne 0 ]]; then # protocol supported? if [[ $sclient_success -ne 0 ]]; then # protocol supported?
if "$continued"; then # second round: we hit TLS1 if "$continued"; then # second round: we hit TLS1
if "$HAS_SSL3" || "$using_sockets"; then if "$HAS_SSL3" || "$using_sockets"; then
prln_done_good "no SSL3 or TLS1 (OK)" prln_done_good "no SSL3 or TLS1 (OK)"
@ -10842,6 +10864,7 @@ run_beast(){
continue # protocol not supported, so we do not need to check each cipher with that protocol continue # protocol not supported, so we do not need to check each cipher with that protocol
fi fi
fi # protocol succeeded fi # protocol succeeded
add_tls_offered "$proto" yes
# now we test in one shot with the precompiled ciphers # now we test in one shot with the precompiled ciphers
if "$using_sockets"; then if "$using_sockets"; then