run_rc4() and #660

This PR addresses issue #660 for run_rc4(), ensuring that RC4 cipher support is detected even when the server offers no RC4 ciphers under the highest protocol version it supports.
This commit is contained in:
David Cooper 2017-10-13 16:50:36 -04:00 committed by GitHub
parent 22fd594334
commit 605d0178ec


@ -11578,7 +11578,7 @@ run_rc4() {
local -i i local -i i
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2 local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
local -i -a index local -i -a index
local dhlen available="" ciphers_to_test supported_sslv2_ciphers local dhlen available="" ciphers_to_test supported_sslv2_ciphers proto
local has_dh_bits="$HAS_DH_BITS" rc4_detected="" local has_dh_bits="$HAS_DH_BITS" rc4_detected=""
local using_sockets=true local using_sockets=true
local cve="CVE-2013-2566, CVE-2015-2808" local cve="CVE-2013-2566, CVE-2015-2808"
@ -11692,34 +11692,33 @@ run_rc4() {
fi fi
done done
for (( success=0; success==0 ; 1 )); do for proto in -no_ssl2 -tls1_1 -tls1 -ssl3; do
ciphers_to_test="" [[ "$proto" != "-no_ssl2" ]] && [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
for (( i=0; i < nr_ossl_ciphers; i++ )); do ! "$HAS_SSL3" && [[ "$proto" == "-ssl3" ]] && continue
! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}" while true; do
done ciphers_to_test=""
success=1 for (( i=0; i < nr_ossl_ciphers; i++ )); do
if [[ -n "$ciphers_to_test" ]]; then ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
$OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null done
sclient_connect_successful "$?" "$TMPFILE" [[ -z "$ciphers_to_test" ]] && break
if [[ "$?" -eq 0 ]]; then $OPENSSL s_client $(s_client_options "$proto -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
cipher=$(get_cipher $TMPFILE) sclient_connect_successful "$?" "$TMPFILE" || break
if [[ -n "$cipher" ]]; then cipher=$(get_cipher $TMPFILE)
success=0 [[ -z "$cipher" ]] && break
rc4_offered=1 for (( i=0; i < nr_ossl_ciphers; i++ )); do
for (( i=0; i < nr_ossl_ciphers; i++ )); do [[ "$cipher" == "${ciph2[i]}" ]] && ciphers_found2[i]=true && break
[[ "$cipher" == "${ciph2[i]}" ]] && ciphers_found2[i]=true && break done
done [[ $i -eq $nr_ossl_ciphers ]] && break
i=${index[i]} rc4_offered=1
ciphers_found[i]=true i=${index[i]}
if "$WIDE" && ( [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]] ); then ciphers_found[i]=true
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet) if "$WIDE" && ( [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]] ); then
kx[i]="${kx[i]} $dhlen" dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
fi kx[i]="${kx[i]} $dhlen"
"$WIDE" && "$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
fi
fi fi
fi "$WIDE" && "$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
done
done done
if "$using_sockets"; then if "$using_sockets"; then
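Review bot: The new `for proto in -no_ssl2 -tls1_1 -tls1 -ssl3` loop with its nested `while true` and six `break`s carries no comment explaining why the probe is now repeated per protocol version, and that fallback is the whole point of the fix. I would add above the `for` line: `# Probe the highest protocol first (-no_ssl2), then each older one separately: a server may refuse RC4 under its newest protocol yet still negotiate it under an older one (#660).` Two behaviours deserve either a second comment or a check: the `-no_ssl2` pass may itself have negotiated TLS 1.1 or 1.0, so the later `-tls1_1`/`-tls1` passes can repeat a probe that just failed against the same server (one extra connection each, unless `has_server_protocol` already reports that version as unsupported); and `-ssl3` is skipped when `$HAS_SSL3` is false, whereas `-tls1_1` and `-tls1` are assumed to be accepted by the local openssl binary — if the codebase tracks capability flags for those options, the same guard should be applied. run_rc4() begins and ends outside this hunk.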
@ -11735,36 +11734,36 @@ run_rc4() {
done done
fi fi
for (( success=0; success==0 ; 1 )); do for proto in 03 02 01 00; do
ciphers_to_test="" [[ $(has_server_protocol "$proto") -eq 1 ]] && continue
for (( i=0; i < nr_nonossl_ciphers; i++ )); do while true; do
! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}" ciphers_to_test=""
done for (( i=0; i < nr_nonossl_ciphers; i++ )); do
success=1 ! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
if [[ -n "$ciphers_to_test" ]]; then done
[[ -z "$ciphers_to_test" ]] && break
if "$WIDE" && "$SHOW_SIGALGO"; then if "$WIDE" && "$SHOW_SIGALGO"; then
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "all" tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "all"
else else
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "ephemeralkey" tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
fi fi
ret=$? ret=$?
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then [[ $ret -ne 0 ]] && [[ $ret -ne 2 ]] && break
success=0 cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
rc4_offered=1 for (( i=0; i < nr_nonossl_ciphers; i++ )); do
cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt") [[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
for (( i=0; i < nr_nonossl_ciphers; i++ )); do done
[[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break [[ $i -eq $nr_nonossl_ciphers ]] && break
done rc4_offered=1
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
if "$WIDE" && ( [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]] ); then if "$WIDE" && ( [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]] ); then
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet) dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
kx[i]="${kx[i]} $dhlen" kx[i]="${kx[i]} $dhlen"
fi
"$WIDE" && "$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
fi fi
fi "$WIDE" && "$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && \
sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
done
done done
if [[ $rc4_offered -eq 1 ]]; then if [[ $rc4_offered -eq 1 ]]; then