Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-08 09:40:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Curve X25519 fixes

Browse Source 
This PR fixes two issues related to curve X25519.

First, while OpenSSL 1.1.0 supports curve X25519, it is not included in the output of `$OPENSSL ecparam -list_curves`. I tried several versions of OpenSSL (and one version of LibreSSL), and every version output either "Error with command" or "unknown option" in response to `$OPENSSL s_client -curves $curve` if it either did not support the `-curves` option or did not support `$curve`. (When the `-curve` option was supported with `$curve`, a "connect" error was output.)

The second issue is that the "Server Temp Key" line in the output of `s_client` is different for curve X25519. For other elliptic curves, the output is
```
Server Temp Key: ECDH, P-256, 256 bits
```
For X25519 it is:
```
Server Temp Key: X25519, 253 bits
```
So, `read_dhbits_from_file()` needs to allow for `$what_dh` being "X25519" rather than "ECDH" and `run_pfs()` needs to allow for the possibility that the curve name will be the first field rather than the second.
This commit is contained in:
David Cooper 2016-11-08 10:10:14 -05:00 committed by GitHub
parent 4f99d9d658
commit 43b35b8cc2
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
testssl.sh
View File

@ -3503,6 +3503,10 @@ read_dhbits_from_file() {
grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp) grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp)
bits=$(tr -d ' bits' <<< $bits) bits=$(tr -d ' bits' <<< $bits)
if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then
what_dh="ECDH"
fi
debugme echo ">$HAS_DH_BITS|$what_dh|$bits<" debugme echo ">$HAS_DH_BITS|$what_dh|$bits<"
[[ -n "$what_dh" ]] && HAS_DH_BITS=true # FIX 190 [[ -n "$what_dh" ]] && HAS_DH_BITS=true # FIX 190
@ -5235,8 +5239,8 @@ run_pfs() {
# find out what elliptic curves are supported. # find out what elliptic curves are supported.
curves_offered="" curves_offered=""
for curve in "${curves_ossl[@]}"; do for curve in "${curves_ossl[@]}"; do
$OPENSSL ecparam -list_curves | grep -q $curve $OPENSSL s_client -curves $curve 2>&1 | egrep -iaq "Error with command|unknown option"
[[ $? -eq 0 ]] && nr_curves+=1 && supported_curves+=("$curve") [[ $? -ne 0 ]] && nr_curves+=1 && supported_curves+=("$curve")
done done
# OpenSSL limits the number of curves that can be specified in the # OpenSSL limits the number of curves that can be specified in the
@ -5262,7 +5266,8 @@ run_pfs() {
fi fi
if [[ "$sclient_success" -eq 0 ]]; then if [[ "$sclient_success" -eq 0 ]]; then
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile") temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$tmpfile")
curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)" curve_found="$(awk -F',' '{ print $1 }' <<< $temp)"
[[ "$curve_found" == "ECDH" ]] && curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
j=0; curve_used="" j=0; curve_used=""
for curve in "${curves_ossl[@]}"; do for curve in "${curves_ossl[@]}"; do
[[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break [[ "${curves_ossl_output[j]}" == "$curve_found" ]] && curve_used="${curves_ossl[j]}" && break