Merge branch 'master' into openss2rfc_rfc2openssl

This commit is contained in:
David Cooper 2016-07-26 08:51:10 -04:00
commit 46323602b1
1 changed files with 55 additions and 14 deletions

View File

@ -1602,7 +1602,11 @@ test_just_one(){
neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg" neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg"
fi fi
if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it: if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it:
$OPENSSL s_client -cipher $ciph $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>$ERRFILE >$TMPFILE </dev/null if [[ "$sslvers" == "SSLv2" ]]; then
$OPENSSL s_client -ssl2 -cipher $ciph $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY 2>$ERRFILE >$TMPFILE </dev/null
else
$OPENSSL s_client -cipher $ciph $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>$ERRFILE >$TMPFILE </dev/null
fi
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
if [[ $kx == "Kx=ECDH" ]] || [[ $kx == "Kx=DH" ]] || [[ $kx == "Kx=EDH" ]]; then if [[ $kx == "Kx=ECDH" ]] || [[ $kx == "Kx=DH" ]] || [[ $kx == "Kx=EDH" ]]; then
@ -1637,16 +1641,17 @@ test_just_one(){
run_allciphers() { run_allciphers() {
local tmpfile local tmpfile
local -i nr_ciphers=0 local -i nr_ciphers=0
local n sslvers auth mac export local n auth mac export
local -a hexcode ciph kx enc export2 local -a hexcode ciph sslvers kx enc export2
local -i i j parent child end_of_bundle round_num bundle_size num_bundles mod_check local -i i j parent child end_of_bundle round_num bundle_size num_bundles mod_check
local -a ciphers_found local -a ciphers_found
local dhlen local dhlen
local available local available
local ciphers_to_test local ciphers_to_test
local sslv2_supported=false
# get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values) # get a list of all the cipher suites to test (only need the hexcode, ciph, sslvers, kx, enc, and export values)
while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
nr_ciphers=$nr_ciphers+1 nr_ciphers=$nr_ciphers+1
done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE) done < <($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
@ -1656,6 +1661,12 @@ run_allciphers() {
outln outln
neat_header neat_header
if "$HAS_SSL2"; then
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE"
[[ "$?" -eq 0 ]] && sslv2_supported=true
fi
# Split ciphers into bundles of size 4**n, starting with an "n" that # Split ciphers into bundles of size 4**n, starting with an "n" that
# splits the ciphers into 4 bundles, and then reducing "n" by one in each # splits the ciphers into 4 bundles, and then reducing "n" by one in each
# round. Only test a bundle of 4**n ciphers against the server if it was # round. Only test a bundle of 4**n ciphers against the server if it was
@ -1694,17 +1705,24 @@ run_allciphers() {
end_of_bundle=$i*$bundle_size+$bundle_size end_of_bundle=$i*$bundle_size+$bundle_size
[[ $end_of_bundle -gt $nr_ciphers ]] && end_of_bundle=$nr_ciphers [[ $end_of_bundle -gt $nr_ciphers ]] && end_of_bundle=$nr_ciphers
for ((j=i*bundle_size;j<end_of_bundle;j++)); do for ((j=i*bundle_size;j<end_of_bundle;j++)); do
ciphers_to_test="${ciphers_to_test}:${ciph[j]}" [[ "${sslvers[j]}" != "SSLv2" ]] && ciphers_to_test="${ciphers_to_test}:${ciph[j]}"
done done
ciphers_found[child]=false ciphers_found[child]=false
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null if [[ -n "${ciphers_to_test:1}" ]]; then
sclient_connect_successful "$?" "$TMPFILE" $OPENSSL s_client -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
[[ "$?" -eq 0 ]] && ciphers_found[child]=true sclient_connect_successful "$?" "$TMPFILE"
[[ "$?" -eq 0 ]] && ciphers_found[child]=true
fi
else else
# No need to test, since test of parent demonstrated none of these ciphers work. # No need to test, since test of parent demonstrated none of these ciphers work.
ciphers_found[child]=false ciphers_found[child]=false
fi fi
if $sslv2_supported && [[ $bundle_size -eq 1 ]] && [[ "${sslvers[i]}" == "SSLv2" ]]; then
$OPENSSL s_client -cipher "${ciph[i]}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful "$?" "$TMPFILE"
[[ "$?" -eq 0 ]] && ciphers_found[child]=true
fi
# If this is a "leaf" of the test tree, then print out the results. # If this is a "leaf" of the test tree, then print out the results.
if [[ $bundle_size -eq 1 ]] && ( ${ciphers_found[child]} || "$SHOW_EACH_C"); then if [[ $bundle_size -eq 1 ]] && ( ${ciphers_found[child]} || "$SHOW_EACH_C"); then
export=${export2[i]} export=${export2[i]}
@ -1744,7 +1762,7 @@ run_allciphers() {
# test for all ciphers per protocol locally configured (w/o distinguishing whether they are good or bad) # test for all ciphers per protocol locally configured (w/o distinguishing whether they are good or bad)
run_cipher_per_proto() { run_cipher_per_proto() {
local proto proto_text local proto proto_text ossl_ciphers_proto
local -i nr_ciphers local -i nr_ciphers
local n sslvers auth mac export local n sslvers auth mac export
local -a hexcode ciph kx enc export2 local -a hexcode ciph kx enc export2
@ -1763,11 +1781,17 @@ run_cipher_per_proto() {
outln outln
has_server_protocol "${proto:1}" || continue has_server_protocol "${proto:1}" || continue
# The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]]; then
ossl_ciphers_proto="$proto"
else
ossl_ciphers_proto="-tls1"
fi
# get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values) # get a list of all the cipher suites to test (only need the hexcode, ciph, kx, enc, and export values)
nr_ciphers=0 nr_ciphers=0
while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do while read hexcode[nr_ciphers] n ciph[nr_ciphers] sslvers kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
nr_ciphers=$nr_ciphers+1 nr_ciphers=$nr_ciphers+1
done < <($OPENSSL ciphers $proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE) done < <($OPENSSL ciphers $ossl_ciphers_proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)
# Split ciphers into bundles of size 4**n, starting with the smallest # Split ciphers into bundles of size 4**n, starting with the smallest
# "n" that leaves the ciphers in one bundle, and then reducing "n" by # "n" that leaves the ciphers in one bundle, and then reducing "n" by
@ -1809,7 +1833,12 @@ run_cipher_per_proto() {
ciphers_to_test="${ciphers_to_test}:${ciph[j]}" ciphers_to_test="${ciphers_to_test}:${ciph[j]}"
done done
ciphers_found[child]=false ciphers_found[child]=false
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null if [[ "$proto" =~ ssl ]]; then
# SSLv2 and SSLv3 do not have SNI
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
else
$OPENSSL s_client -cipher "${ciphers_to_test:1}" $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
fi
sclient_connect_successful "$?" "$TMPFILE" sclient_connect_successful "$?" "$TMPFILE"
[[ "$?" -eq 0 ]] && ciphers_found[child]=true [[ "$?" -eq 0 ]] && ciphers_found[child]=true
else else
@ -6862,6 +6891,7 @@ run_rc4() {
local -i sclient_success local -i sclient_success
local hexcode dash rc4_cipher sslvers kx auth enc mac export local hexcode dash rc4_cipher sslvers kx auth enc mac export
local rc4_ciphers_list="ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:DHE-DSS-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RSA-PSK-RC4-SHA:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5" local rc4_ciphers_list="ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:DHE-DSS-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RSA-PSK-RC4-SHA:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5"
local rc4_ssl2_ciphers_list="RC4-MD5:RC4-64-MD5:EXP-RC4-MD5"
local rc4_detected="" local rc4_detected=""
local available="" local available=""
@ -6875,7 +6905,14 @@ run_rc4() {
pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) " pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) "
$OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
if sclient_connect_successful $? $TMPFILE; then sclient_connect_successful $? $TMPFILE
sclient_success=$?
if $HAS_SSL2 && [[ $sclient_success -ne 0 ]]; then
$OPENSSL s_client -cipher $rc4_ssl2_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
sclient_success=$?
fi
if [[ $sclient_success -eq 0 ]]; then
"$WIDE" || pr_svrty_high "VULNERABLE (NOT ok): " "$WIDE" || pr_svrty_high "VULNERABLE (NOT ok): "
rc4_offered=1 rc4_offered=1
if "$WIDE"; then if "$WIDE"; then
@ -6883,7 +6920,11 @@ run_rc4() {
neat_header neat_header
fi fi
while read hexcode dash rc4_cipher sslvers kx auth enc mac; do while read hexcode dash rc4_cipher sslvers kx auth enc mac; do
$OPENSSL s_client -cipher $rc4_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null >$TMPFILE 2>$ERRFILE if [[ "$sslvers" == "SSLv2" ]]; then
$OPENSSL s_client -cipher $rc4_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 </dev/null >$TMPFILE 2>$ERRFILE
else
$OPENSSL s_client -cipher $rc4_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI </dev/null >$TMPFILE 2>$ERRFILE
fi
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? # here we may have a fp with openssl < 1.0, TBC sclient_success=$? # here we may have a fp with openssl < 1.0, TBC
if [[ $sclient_success -ne 0 ]] && ! "$SHOW_EACH_C"; then if [[ $sclient_success -ne 0 ]] && ! "$SHOW_EACH_C"; then