Reorganize ciphers_by_strength()

This commit modifies ciphers_by_strength() and run_server_preference() so that the message indicating that ciphers are listed by strength is not printed until the list of supported ciphers has been determined. This is in support of #1311, as it will allow the message to be modified based on the set of supported ciphers.

This commit also modifies both ciphers_by_strength() and cipher_pref_check() so that the order in which ciphers are listed (by strength or server preference) is not printed if the server does not support the protocol.
David Cooper 2022-06-06 13:07:00 -04:00
parent 13298ffd19
commit 564dd63efc


@ -4220,7 +4220,7 @@ run_allciphers() {
# are good or bad) and list them in order to encryption strength. # are good or bad) and list them in order to encryption strength.
ciphers_by_strength() { ciphers_by_strength() {
local proto="$1" proto_hex="$2" proto_text="$3" local proto="$1" proto_hex="$2" proto_text="$3"
local using_sockets="$4" wide="$5" local using_sockets="$4" wide="$5" serverpref_known="$6"
local ossl_ciphers_proto local ossl_ciphers_proto
local -i nr_ciphers nr_ossl_ciphers nr_nonossl_ciphers success local -i nr_ciphers nr_ossl_ciphers nr_nonossl_ciphers success
local n sslvers auth mac hexc sslv2_ciphers="" cipher local n sslvers auth mac hexc sslv2_ciphers="" cipher
@ -4229,20 +4229,21 @@ ciphers_by_strength() {
local -i i bundle end_of_bundle bundle_size num_bundles local -i i bundle end_of_bundle bundle_size num_bundles
local -a ciphers_found ciphers_found2 sigalg ossl_supported index local -a ciphers_found ciphers_found2 sigalg ossl_supported index
local dhlen supported_sslv2_ciphers ciphers_to_test tls13_ciphers_to_test addcmd temp local dhlen supported_sslv2_ciphers ciphers_to_test tls13_ciphers_to_test addcmd temp
local available local available proto_supported=false
local id local id
local has_dh_bits="$HAS_DH_BITS" local has_dh_bits="$HAS_DH_BITS"
# for local problem if it happens # for local problem if it happens
"$wide" || out " " "$wide" || out " "
if ! "$using_sockets" && ! locally_supported "$proto"; then if ! "$using_sockets" && ! sclient_supported "$proto"; then
pr_local_problem "Your $OPENSSL does not support $proto" "$wide" && outln
pr_local_problem "$OPENSSL does not support $proto"
"$wide" && outln "$wide" && outln
return 0 return 0
fi fi
if [[ $(has_server_protocol "${proto:1}") -eq 1 ]]; then if [[ $(has_server_protocol "${proto:1}") -eq 1 ]]; then
"$wide" && outln " - " "$wide" && outln "\n - "
return 0 return 0
fi fi
@ -4333,15 +4334,17 @@ ciphers_by_strength() {
for (( i=0 ; i<nr_ciphers; i++ )); do for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
ciphers_found[i]=true ciphers_found[i]=true
proto_supported=true
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s" "$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
fi fi
done done
else else
"$wide" && outln
outln " protocol supported with no cipher " outln " protocol supported with no cipher "
fi fi
else else
add_proto_offered ssl2 no add_proto_offered ssl2 no
"$wide" && outln " - " "$wide" && outln "\n - "
fi fi
else else
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
@ -4353,12 +4356,13 @@ ciphers_by_strength() {
for (( i=0 ; i<nr_ciphers; i++ )); do for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then if [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
ciphers_found[i]=true ciphers_found[i]=true
proto_supported=true
"$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s" "$wide" && "$SHOW_SIGALGO" && sigalg[i]="$s"
fi fi
done done
else else
add_proto_offered ssl2 no add_proto_offered ssl2 no
"$wide" && outln " - " "$wide" && outln "\n - "
fi fi
fi fi
else # no SSLv2 else # no SSLv2
@ -4413,6 +4417,7 @@ ciphers_by_strength() {
done done
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
proto_supported=true
"$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file $TMPFILE)" "$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file $TMPFILE)"
if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet) dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
@ -4474,6 +4479,7 @@ ciphers_by_strength() {
done done
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
proto_supported=true
"$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")" "$wide" && [[ "$proto" == -tls1_3 ]] && kx[i]="$(read_dhtype_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then if "$wide" && ( [[ ${kx[i]} == Kx=ECDH ]] || [[ ${kx[i]} == Kx=DH ]] || [[ ${kx[i]} == Kx=EDH ]] ); then
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet) dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
@ -4487,6 +4493,18 @@ ciphers_by_strength() {
done done
fi fi
if "$wide" && [[ "${FUNCNAME[1]}" == run_server_preference ]] && "$proto_supported"; then
if [[ $proto_ossl == tls1_3 ]]; then
outln " (no server order, thus listed by strength)"
elif ! "$serverpref_known"; then
outln " (listed by strength)"
else
prln_svrty_high " (no server order, thus listed by strength)"
fi
elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]; then
outln
fi
cipher="" cipher=""
for (( i=0 ; i<nr_ciphers; i++ )); do for (( i=0 ; i<nr_ciphers; i++ )); do
if "${ciphers_found[i]}"; then if "${ciphers_found[i]}"; then
@ -4567,8 +4585,8 @@ run_cipher_per_proto() {
outln outln
neat_header neat_header
while read proto proto_hex proto_text; do while read proto proto_hex proto_text; do
prln_underline "$(printf -- "%b" "$proto_text")" pr_underline "$(printf -- "%b" "$proto_text")"
ciphers_by_strength "$proto" "$proto_hex" "$proto_text" "$using_sockets" "true" ciphers_by_strength "$proto" "$proto_hex" "$proto_text" "$using_sockets" "true" "false"
done <<< "$(tm_out " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3")" done <<< "$(tm_out " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3")"
return 0 return 0
#FIXME: no error condition #FIXME: no error condition
@ -6773,8 +6791,6 @@ run_server_preference() {
neat_header neat_header
while read proto_ossl proto_hex proto_txt; do while read proto_ossl proto_hex proto_txt; do
pr_underline "$(printf -- "%b" "$proto_txt")" pr_underline "$(printf -- "%b" "$proto_txt")"
# TODO: If there's no cipher we should consider not displaying the text in the round brackets)
# the following takes care of that but only if we know the protocol is not supported
if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then if [[ $(has_server_protocol "$proto_ossl") -eq 1 ]]; then
outln "\n - " outln "\n - "
continue continue
@ -6784,16 +6800,12 @@ run_server_preference() {
if [[ $proto_ossl == ssl2 ]] || \ if [[ $proto_ossl == ssl2 ]] || \
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \ ( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ) || \
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then ( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ); then
if [[ $proto_ossl == ssl2 ]]; then if [[ -n "$cipher2" ]] && [[ $proto_ossl != ssl2 ]]; then
outln " (listed by strength)" ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true" "true"
elif [[ $proto_ossl == tls1_3 ]]; then
outln " (no server order, thus listed by strength)"
elif [[ -z "$cipher2" ]]; then
outln " (listed by strength)"
else else
prln_svrty_high " (no server order, thus listed by strength)" ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true" "false"
fi fi
ciphers_by_strength "-$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
else else
cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true" cipher_pref_check "$proto_ossl" "$proto_hex" "$proto_txt" "$using_sockets" "true"
fi fi
@ -7033,12 +7045,12 @@ cipher_pref_check() {
local ciphers_found_with_sockets=false prioritize_chacha=false local ciphers_found_with_sockets=false prioritize_chacha=false
if [[ $proto == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then if [[ $proto == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
outln " (server order)" outln
prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\""; prln_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
return 0 return 0
fi fi
if [[ $proto == tls1_3 ]] && ! "$HAS_TLS13" && ! "$using_sockets"; then if [[ $proto == tls1_3 ]] && ! "$HAS_TLS13" && ! "$using_sockets"; then
outln " (server order)" outln
prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_3\""; prln_local_problem "$OPENSSL doesn't support \"s_client -tls1_3\"";
return 0 return 0
fi fi
@ -7339,8 +7351,10 @@ cipher_pref_check() {
fi fi
if "$prioritize_chacha"; then if "$prioritize_chacha"; then
outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)" outln " (server order -- server prioritizes ChaCha ciphers when preferred by clients)"
else elif [[ -n "$order" ]]; then
outln " (server order)" outln " (server order)"
else
outln
fi fi
if [[ -n "$order" ]]; then if [[ -n "$order" ]]; then
add_proto_offered "$proto" yes add_proto_offered "$proto" yes
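Review bot: In the block added after the cipher-detection loops in ciphers_by_strength(), the test `[[ $proto_ossl == tls1_3 ]]` reads a variable this function never declares; it resolves only because the `while read proto_ossl ...` loop variable of run_server_preference() is visible through bash's dynamic scoping, which the `FUNCNAME[1]` guard happens to guarantee. That branch decides whether "no server order" is reported through `prln_svrty_high` or as plain text, so it is safer to key it on the function's own argument: `if [[ $proto == -tls1_3 ]]; then`. The following `elif "$wide" && "$proto_supported" || [[ $proto != -ssl2 ]]` is evaluated left to right as `(A && B) || C`; if that is the intent, grouping it explicitly as `elif { "$wide" && "$proto_supported"; } || [[ $proto != -ssl2 ]]; then` would make it reviewable. The body of ciphers_by_strength() extends beyond the hunks shown here.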