diff --git a/testssl.sh b/testssl.sh index a29637a..1cb2acc 100755 --- a/testssl.sh +++ b/testssl.sh @@ -2008,23 +2008,50 @@ listciphers() { } -# argv[1]: cipher list to test +# argv[1]: cipher list to test in OpenSSL syntax # argv[2]: string on console # argv[3]: ok to offer? 0: yes, 1: no # argv[4]: string for fileout +# argv[5]: non-SSLv2 cipher list to test (hexcodes), if using sockets +# argv[6]: SSLv2 cipher list to test (hexcodes), if using sockets std_cipherlists() { - local -i sclient_success + local -i i len sclient_success + local sslv2_cipherlist detected_ssl2_ciphers local singlespaces proto="" addcmd="" local debugname="$(sed -e s'/\!/not/g' -e 's/\:/_/g' <<< "$1")" - [[ "$OPTIMAL_PROTO" == "-ssl2" ]] && addcmd="$OPTIMAL_PROTO" && proto="$OPTIMAL_PROTO" - [[ ! "$OPTIMAL_PROTO" =~ ssl ]] && addcmd="$SNI" + [[ "$OPTIMAL_PROTO" == "-ssl2" ]] && proto="$OPTIMAL_PROTO" pr_bold "$2 " # indenting to be in the same row as server preferences - if listciphers "$1" $proto; then # is that locally available?? - $OPENSSL s_client -cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY $addcmd 2>$ERRFILE >$TMPFILE $ERRFILE >$TMPFILE $ERRFILE >$TMPFILE $TMPFILE 2>$ERRFILE debugme echo "$OPENSSL s_client -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE sclient_connect_successful $? $TMPFILE sclient_success=$? fi @@ -4018,8 +4045,8 @@ run_client_simulation() { if [[ "$proto" == TLSv1.2 ]] && ( ! "$using_sockets" || [[ -z "${handshakebytes[i]}" ]] ); then # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is... for tls in ${tlsvers[i]}; do - $OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE debugme echo "$OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE sclient_connect_successful $? $TMPFILE sclient_success=$? if [[ $sclient_success -eq 0 ]]; then @@ -4411,21 +4438,58 @@ run_protocols() { #TODO: work with fixed lists here run_std_cipherlists() { + local hexc hexcode strength + local -i i + local null_ciphers="c0,10, c0,06, c0,15, c0,0b, c0,01, c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, 00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,82, 00,83, ff,87, 00,ff" + local sslv2_null_ciphers="" + local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff" + local sslv2_anon_ciphers="" + local adh_ciphers="00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, 00,18, 00,1b, 00,1a, 00,19, 00,17, 00,ff" + local sslv2_adh_ciphers="" + local exp40_ciphers="00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff" + local sslv2_exp40_ciphers="04,00,80, 02,00,80" + local exp56_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,ff" + local sslv2_exp56_ciphers="" + local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff" + local sslv2_exp_ciphers="04,00,80, 02,00,80" + local low_ciphers="00,15, 00,12, 00,0f, 00,0c, 00,09, 00,1e, 00,22, fe,fe, ff,e1, 00,ff" + local sslv2_low_ciphers="08,00,80, 06,00,40" + local des_ciphers="00,15, 00,12, 00,0f, 00,0c, 00,09, 00,1e, 00,22, fe,fe, ff,e1, 00,ff" + local sslv2_des_ciphers="06,00,40" + local medium_ciphers="00,9a, 00,99, 00,98, 00,97, 00,96, 00,07, 00,21, 00,25, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, 00,92, 00,8a, 00,20, 00,24, c0,33, 00,8e, 00,ff" + local sslv2_medium_ciphers="" + local tdes_ciphers="c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,ff" + local sslv2_tdes_ciphers="07,00,c0" + local high_ciphers="13,02, 13,03, cc,14, cc,13, cc,15, c0,30, c0,2c, c0,28, c0,24, c0,14, c0,0a, c0,22, c0,21, c0,20, 00,b7, 00,b3, 00,91, c0,9b, c0,99, c0,97, 00,af, c0,95, 00,a5, 00,a3, 00,a1, 00,9f, cc,a9, cc,a8, cc,aa, c0,af, c0,ad, c0,a3, c0,9f, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, 00,ad, 00,ab, cc,ae, cc,ad, cc,ac, c0,ab, c0,a7, c0,32, c0,2e, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,9d, c0,a1, c0,9d, 00,a9, cc,ab, c0,a9, c0,a5, 00,3d, 00,35, 00,c0, c0,38, c0,36, 00,84, 00,95, 00,8d, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,49, c0,4b, c0,4d, c0,4f, c0,51, c0,53, c0,55, c0,57, c0,59, c0,5d, c0,5f, c0,61, c0,63, c0,65, c0,67, c0,69, c0,6b, c0,6d, c0,6f, c0,71, c0,7b, c0,7d, c0,7f, c0,81, c0,83, c0,87, c0,89, c0,8b, c0,8d, c0,8f, c0,91, c0,93, 00,80, 00,81, ff,00, ff,01, ff,02, ff,03, ff,85, 16,b7, 16,b8, 16,b9, 16,ba, 13,01, 13,04, 13,05, c0,2f, c0,2b, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,a4, 00,a2, 00,a0, 00,9e, c0,ae, c0,ac, c0,a2, c0,9e, 00,ac, 00,aa, c0,aa, c0,a6, c0,a0, c0,9c, 00,a8, c0,a8, c0,a4, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,45, 00,44, 00,43, 00,42, c0,31, c0,2d, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,9c, 00,3c, 00,2f, 00,ba, c0,37, c0,35, 00,b6, 00,b2, 00,90, 00,41, c0,9a, c0,98, c0,96, 00,ae, c0,94, 00,94, 00,8c, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,48, c0,4a, c0,4c, c0,4e, c0,50, c0,52, c0,54, c0,56, c0,58, c0,5c, c0,5e, c0,60, c0,62, c0,64, c0,66, c0,68, c0,6a, c0,6c, c0,6e, c0,70, c0,7a, c0,7c, c0,7e, c0,80, c0,82, c0,86, c0,88, c0,8a, c0,8c, c0,8e, c0,90, c0,92, 00,ff" + local sslv2_high_ciphers="" + local using_sockets=true + + "$SSL_NATIVE" && using_sockets=false + + if ! "$using_sockets"; then + null_ciphers=""; anon_ciphers=""; adh_ciphers=""; exp40_ciphers="" + exp56_ciphers=""; exp_ciphers=""; low_ciphers=""; des_ciphers="" + medium_ciphers=""; tdes_ciphers=""; high_ciphers="" + sslv2_null_ciphers=""; sslv2_anon_ciphers=""; sslv2_adh_ciphers=""; sslv2_exp40_ciphers="" + sslv2_exp56_ciphers=""; sslv2_exp_ciphers=""; sslv2_low_ciphers=""; sslv2_des_ciphers="" + sslv2_medium_ciphers=""; sslv2_tdes_ciphers=""; sslv2_high_ciphers="" + fi + outln pr_headlineln " Testing ~standard cipher lists " outln # see ciphers(1ssl) or run 'openssl ciphers -v' - std_cipherlists 'NULL:eNULL' " Null Ciphers " 1 "NULL" - std_cipherlists 'aNULL' " Anonymous NULL Ciphers " 1 "aNULL" - std_cipherlists 'ADH' " Anonymous DH Ciphers " 1 "ADH" - std_cipherlists 'EXPORT40' " 40 Bit encryption " 1 "EXPORT40" - std_cipherlists 'EXPORT56' " 56 Bit encryption " 1 "EXPORT56" - std_cipherlists 'EXPORT' " Export Ciphers (general) " 1 "EXPORT" - std_cipherlists 'LOW:!ADH' " Low (<=64 Bit) " 1 "LOW" - std_cipherlists 'DES:!ADH:!EXPORT:!aNULL' " DES Ciphers " 1 "DES" - std_cipherlists 'MEDIUM:!NULL:!aNULL:!SSLv2:!3DES' " \"Medium\" grade encryption" 2 "MEDIUM" - std_cipherlists '3DES:!ADH:!aNULL' " Triple DES Ciphers " 3 "3DES" - std_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES' " High grade encryption " 0 "HIGH" + std_cipherlists 'NULL:eNULL' " Null Ciphers " 1 "NULL" "$null_ciphers" "$sslv2_null_ciphers" + std_cipherlists 'aNULL' " Anonymous NULL Ciphers " 1 "aNULL" "$anon_ciphers" "$sslv2_anon_ciphers" + std_cipherlists 'ADH' " Anonymous DH Ciphers " 1 "ADH" "$adh_ciphers" "$sslv2_adh_ciphers" + std_cipherlists 'EXPORT40' " 40 Bit encryption " 1 "EXPORT40" "$exp40_ciphers" "$sslv2_exp40_ciphers" + std_cipherlists 'EXPORT56' " 56 Bit encryption " 1 "EXPORT56" "$exp56_ciphers" "$sslv2_exp56_ciphers" + std_cipherlists 'EXPORT' " Export Ciphers (general) " 1 "EXPORT" "$exp_ciphers" "$sslv2_exp_ciphers" + std_cipherlists 'LOW:!ADH' " Low (<=64 Bit) " 1 "LOW" "$low_ciphers" "$sslv2_low_ciphers" + std_cipherlists 'DES:!ADH:!EXPORT:!aNULL' " DES Ciphers " 1 "DES" "$des_ciphers" "$sslv2_des_ciphers" + std_cipherlists 'MEDIUM:!NULL:!aNULL:!SSLv2:!3DES' " \"Medium\" grade encryption" 2 "MEDIUM" "$medium_ciphers" "$sslv2_medium_ciphers" + std_cipherlists '3DES:!ADH:!aNULL' " Triple DES Ciphers " 3 "3DES" "$tdes_ciphers" "$sslv2_tdes_ciphers" + std_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES' " High grade encryption " 0 "HIGH" "$high_ciphers" "$sslv2_high_ciphers" outln return 0 } diff --git a/utils/generate_static_cipher_lists.sh b/utils/generate_static_cipher_lists.sh new file mode 100644 index 0000000..b85914d --- /dev/null +++ b/utils/generate_static_cipher_lists.sh @@ -0,0 +1,336 @@ +#!/usr/bin/env bash +# +# vim:ts=5:sw=5:expandtab +# we have a spaces softtab, that ensures readability with other editors too + +[ -z "$BASH_VERSINFO" ] && printf "\n\033[1;35m Please make sure you're using \"bash\"! Bye...\033[m\n\n" >&2 && exit 245 +[ $(kill -l | grep -c SIG) -eq 0 ] && printf "\n\033[1;35m Please make sure you're calling me without leading \"sh\"! Bye...\033[m\n\n" >&2 && exit 245 + +# This shell script generates the various static cipher lists that are used in testssl.sh. +# It should be re-run whenever new ciphers are added to cipher-mapping.txt to determine +# whether any of the variables in testssl.sh containing cipher lists need to be updated. + +# debugging help: +readonly PS4='${LINENO}> ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' + +COLOR=${COLOR:-2} # 2: Full color, 1: b/w+positioning, 0: no ESC at all +readonly RUN_DIR=$(dirname "$0") +TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # if you run testssl.sh from a different path you can set either TESTSSL_INSTALL_DIR +CIPHERS_BY_STRENGTH_FILE="" + +###### Cipher suite information ##### +declare -i TLS_NR_CIPHERS=0 +declare TLS_CIPHER_HEXCODE=() +declare TLS_CIPHER_OSSL_NAME=() +declare TLS_CIPHER_RFC_NAME=() +declare TLS_CIPHER_SSLVERS=() +declare TLS_CIPHER_KX=() +declare TLS_CIPHER_AUTH=() +declare TLS_CIPHER_ENC=() +declare TLS_CIPHER_EXPORT=() + +###### output functions ###### +# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest. +out(){ +# if [[ "$BASH_VERSINFO" -eq 4 ]]; then + printf -- "%b" "${1//%/%%}" +# else +# /usr/bin/printf -- "${1//%/%%}" +# fi +} +outln() { out "$1\n"; } +pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m"; } +pr_underline() { [[ "$COLOR" -ne 0 ]] && out "\033[4m$1" || out "$1"; pr_off; } + +if [[ $(uname) == "Linux" ]] ; then + toupper() { echo -n "${1^^}" ; } + tolower() { echo -n "${1,,}" ; } +else + toupper() { echo -n "$1" | tr 'a-z' 'A-Z'; } + tolower() { echo -n "$1" | tr 'A-Z' 'a-z' ; } +fi + +# try very hard to determine the install path to get ahold of the mapping file. +# TESTSSL_INSTALL_DIR can be supplied via environment so that the cipher mapping and CA bundles can be found +# www.carbonwind.net/TLS_Cipher_Suites_Project/tls_ssl_cipher_suites_simple_table_all.htm +get_mapping_file() { + local mac + + [[ -z "$TESTSSL_INSTALL_DIR" ]] && TESTSSL_INSTALL_DIR="$(dirname ${BASH_SOURCE[0]})" + + [[ -r "$RUN_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/etc/cipher-mapping.txt" + [[ -r "$RUN_DIR/../etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/../etc/cipher-mapping.txt" + [[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]]; then + [[ -r "$RUN_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/cipher-mapping.txt" + [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" + fi + + # we haven't found the cipher file yet... + if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && which readlink &>/dev/null ; then + readlink -f ls &>/dev/null && \ + TESTSSL_INSTALL_DIR=$(readlink -f $(basename ${BASH_SOURCE[0]})) || \ + TESTSSL_INSTALL_DIR=$(readlink $(basename ${BASH_SOURCE[0]})) + # not sure whether Darwin has -f + TESTSSL_INSTALL_DIR=$(dirname $TESTSSL_INSTALL_DIR 2>/dev/null) + [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" + [[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + fi + + # still no cipher mapping file: + if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && which realpath &>/dev/null ; then + TESTSSL_INSTALL_DIR=$(dirname $(realpath ${BASH_SOURCE[0]})) + CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" + fi + + # still no cipher mapping file (and realpath is not present): + if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && which readlink &>/dev/null ; then + readlink -f ls &>/dev/null && \ + TESTSSL_INSTALL_DIR=$(dirname $(readlink -f ${BASH_SOURCE[0]})) || \ + TESTSSL_INSTALL_DIR=$(dirname $(readlink ${BASH_SOURCE[0]})) + # not sure whether Darwin has -f + CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" + [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" + fi + + if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] ; then + outln "\nATTENTION: No cipher mapping file found!" + exit -2 + fi + + while read TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS] n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] mac TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do + TLS_NR_CIPHERS+=1 + done < $CIPHERS_BY_STRENGTH_FILE +} + +get_robust_pfs_ciphers() { + local -i i + local pfs_cipher hexc pfs_cipher_list="" pfs_hex_cipher_list="" + + for (( i=0; i < TLS_NR_CIPHERS; i++ )); do + pfs_cipher="${TLS_CIPHER_RFC_NAME[i]}" + if ( [[ "$pfs_cipher" == "TLS_DHE_"* ]] || [[ "$pfs_cipher" == "TLS_ECDHE_"* ]] ) && \ + [[ ! "$pfs_cipher" =~ "NULL" ]] && [[ ! "$pfs_cipher" =~ "DES" ]] && [[ ! "$pfs_cipher" =~ "RC4" ]] && \ + [[ ! "$pfs_cipher" =~ "PSK" ]]; then + hexc="${TLS_CIPHER_HEXCODE[i]}" + pfs_hex_cipher_list+=", ${hexc:2:2},${hexc:7:2}" + [[ "${TLS_CIPHER_OSSL_NAME[i]}" != "-" ]] && pfs_cipher_list+=":${TLS_CIPHER_OSSL_NAME[i]}" + fi + done + outln ; pr_underline "Robust PFS Cipher Lists for SSLv3 - TLSv1.2" ; outln + echo "ROBUST_PFS_CIPHERS=\"${pfs_cipher_list:1}\"" + echo "ROBUST_PFS_CIPHERS_HEX=\"$(tolower "${pfs_hex_cipher_list:2}")\"" +} + +get_std_cipherlists() { + local hexc hexcode strength + local -i i + local null_ciphers="" anon_ciphers="" adh_ciphers="" exp40_ciphers="" + local exp56_ciphers="" exp_ciphers="" low_ciphers="" des_ciphers="" + local medium_ciphers="" tdes_ciphers="" high_ciphers="" + local sslv2_null_ciphers="" sslv2_anon_ciphers="" sslv2_adh_ciphers="" sslv2_exp40_ciphers="" + local sslv2_exp56_ciphers="" sslv2_exp_ciphers="" sslv2_low_ciphers="" sslv2_des_ciphers="" + local sslv2_medium_ciphers="" sslv2_tdes_ciphers="" sslv2_high_ciphers="" + local using_sockets=true + + for (( i=0; i < TLS_NR_CIPHERS; i++ )); do + hexc="${TLS_CIPHER_HEXCODE[i]}" + strength="${TLS_CIPHER_ENC[i]}" + strength="${strength//\)/}" + strength="${strength#*\(}" + + if [[ ${#hexc} -eq 9 ]]; then + hexcode="${hexc:2:2},${hexc:7:2}" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=None" ]] && \ + null_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_AUTH[i]}" == "Au=None" ]] && \ + anon_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ "TLS_DH_anon_" ]] && \ + adh_ciphers+=", $hexcode" + [[ $strength -eq 40 ]] && exp40_ciphers+=", $hexcode" +# [[ $strength -eq 56 ]] && exp56_ciphers+=", $hexcode" + [[ $strength -eq 56 ]] && \ + [[ "${TLS_CIPHER_EXPORT[i]}" == "export" ]] && \ + exp56_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_EXPORT[i]}" == "export" ]] && \ + exp_ciphers+=", $hexcode" + if [[ "${TLS_CIPHER_AUTH[i]}" != "Au=None" ]]; then +# [[ $strength -le 64 ]] && low_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" != "Enc=None" ]] && \ + [[ $strength -le 64 ]] && \ + [[ "${TLS_CIPHER_EXPORT[i]}" != "export" ]] && \ + low_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=DES(56)" ]] && \ + [[ "${TLS_CIPHER_EXPORT[i]}" != "export" ]] && \ + des_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=SEED(128)" ]] && \ + medium_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=RC4(128)" ]] && \ + medium_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=IDEA(128)" ]] && \ + medium_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=3DES(168)" ]] && \ + tdes_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=AES"* ]] && \ + high_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=Camellia"* ]] && \ + high_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=ChaCha20"* ]] && \ + high_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=GOST"* ]] && \ + high_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=ARIA"* ]] && \ + high_ciphers+=", $hexcode" + fi + else + hexcode="${hexc:2:2},${hexc:7:2},${hexc:12:2}" + [[ $strength -eq 40 ]] && sslv2_exp40_ciphers+=", $hexcode" +# [[ $strength -eq 56 ]] && sslv2_exp56_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_EXPORT[i]}" == "export" ]] && \ + sslv2_exp_ciphers+=", $hexcode" +# [[ $strength -le 64 ]] && sslv2_low_ciphers+=", $hexcode" + [[ $strength -le 64 ]] && \ + [[ "${TLS_CIPHER_EXPORT[i]}" != "export" ]] && \ + sslv2_low_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=DES(56)" ]] && \ + sslv2_des_ciphers+=", $hexcode" + [[ "${TLS_CIPHER_ENC[i]}" == "Enc=3DES(168)" ]] && \ + sslv2_tdes_ciphers+=", $hexcode" + fi + done + [[ -n "$null_ciphers" ]] && null_ciphers="${null_ciphers:2}, 00,ff" + [[ -n "$anon_ciphers" ]] && anon_ciphers="${anon_ciphers:2}, 00,ff" + [[ -n "$adh_ciphers" ]] && adh_ciphers="${adh_ciphers:2}, 00,ff" + [[ -n "$exp40_ciphers" ]] && exp40_ciphers="${exp40_ciphers:2}, 00,ff" + [[ -n "$exp56_ciphers" ]] && exp56_ciphers="${exp56_ciphers:2}, 00,ff" + [[ -n "$exp_ciphers" ]] && exp_ciphers="${exp_ciphers:2}, 00,ff" + [[ -n "$low_ciphers" ]] && low_ciphers="${low_ciphers:2}, 00,ff" + [[ -n "$des_ciphers" ]] && des_ciphers="${des_ciphers:2}, 00,ff" + [[ -n "$medium_ciphers" ]] && medium_ciphers="${medium_ciphers:2}, 00,ff" + [[ -n "$tdes_ciphers" ]] && tdes_ciphers="${tdes_ciphers:2}, 00,ff" + [[ -n "$high_ciphers" ]] && high_ciphers="${high_ciphers:2}, 00,ff" + [[ -n "$sslv2_null_ciphers" ]] && sslv2_null_ciphers="${sslv2_null_ciphers:2}" + [[ -n "$sslv2_anon_ciphers" ]] && sslv2_anon_ciphers="${sslv2_anon_ciphers:2}" + [[ -n "$sslv2_adh_ciphers" ]] && sslv2_adh_ciphers="${sslv2_adh_ciphers:2}" + [[ -n "$sslv2_exp40_ciphers" ]] && sslv2_exp40_ciphers="${sslv2_exp40_ciphers:2}" + [[ -n "$sslv2_exp56_ciphers" ]] && sslv2_exp56_ciphers="${sslv2_exp56_ciphers:2}" + [[ -n "$sslv2_exp_ciphers" ]] && sslv2_exp_ciphers="${sslv2_exp_ciphers:2}" + [[ -n "$sslv2_low_ciphers" ]] && sslv2_low_ciphers="${sslv2_low_ciphers:2}" + [[ -n "$sslv2_des_ciphers" ]] && sslv2_des_ciphers="${sslv2_des_ciphers:2}" + [[ -n "$sslv2_medium_ciphers" ]] && sslv2_medium_ciphers="${sslv2_medium_ciphers:2}" + [[ -n "$sslv2_tdes_ciphers" ]] && sslv2_tdes_ciphers="${sslv2_tdes_ciphers:2}" + [[ -n "$sslv2_high_ciphers" ]] && sslv2_high_ciphers="${sslv2_high_ciphers:2}" + + outln ; pr_underline "Cipher lists for run_std_cipherlists()"; outln + outln "null_ciphers=\"$(tolower "$null_ciphers")\"" + outln "sslv2_null_ciphers=\"$(tolower "$sslv2_null_ciphers")\"" + outln "anon_ciphers=\"$(tolower "$anon_ciphers")\"" + outln "sslv2_anon_ciphers=\"$(tolower "$sslv2_anon_ciphers")\"" + outln "adh_ciphers=\"$(tolower "$adh_ciphers")\"" + outln "sslv2_adh_ciphers=\"$(tolower "$sslv2_adh_ciphers")\"" + outln exp40_ciphers"=\"$(tolower "$exp40_ciphers")\"" + outln "sslv2_exp40_ciphers=\"$(tolower "$sslv2_exp40_ciphers")\"" + outln "exp56_ciphers=\"$(tolower "$exp56_ciphers")\"" + outln "sslv2_exp56_ciphers=\"$(tolower "$sslv2_exp56_ciphers")\"" + outln "exp_ciphers=\"$(tolower "$exp_ciphers")\"" + outln "sslv2_exp_ciphers=\"$(tolower "$sslv2_exp_ciphers")\"" + outln "low_ciphers=\"$(tolower "$low_ciphers")\"" + outln "sslv2_low_ciphers=\"$(tolower "$sslv2_low_ciphers")\"" + outln "des_ciphers=\"$(tolower "$des_ciphers")\"" + outln "sslv2_des_ciphers=\"$(tolower "$sslv2_des_ciphers")\"" + outln "medium_ciphers=\"$(tolower "$medium_ciphers")\"" + outln "sslv2_medium_ciphers=\"$(tolower "$sslv2_medium_ciphers")\"" + outln "tdes_ciphers=\"$(tolower "$tdes_ciphers")\"" + outln "sslv2_tdes_ciphers=\"$(tolower "$sslv2_tdes_ciphers")\"" + outln "high_ciphers=\"$(tolower "$high_ciphers")\"" + outln "sslv2_high_ciphers=\"$(tolower "$sslv2_high_ciphers")\"" +} + +get_cbc_ciphers() { + local -i + local hexc cbc_cipher_list="" cbc_cipher_list_hex="" + + # Want to keep ciphers lists to under 128 ciphers. Since there are a number of CBC ciphers + # that do not currently have OpenSSL names, the ciphers with Null authentication can be + # included in the OpenSSL list, but need to be excluded from the hex list. + for (( i=0; i < TLS_NR_CIPHERS; i++ )); do + if [[ "${TLS_CIPHER_SSLVERS[i]}" != "SSLv2" ]] && [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ CBC ]] && \ + [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ PSK ]] && [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SRP ]] && \ + [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ KRB5 ]]; then + hexc="${TLS_CIPHER_HEXCODE[i]}" + [[ "${TLS_CIPHER_AUTH[i]}" != "Au=None" ]] && cbc_cipher_list_hex+=", ${hexc:2:2},${hexc:7:2}" + [[ "${TLS_CIPHER_OSSL_NAME[i]}" != "-" ]] && cbc_cipher_list+=":${TLS_CIPHER_OSSL_NAME[i]}" + fi + done + + outln ; pr_underline "CBC Ciphers for determine_tls_extensions()"; outln + outln "cbc_cipher_list=\"${cbc_cipher_list:1}\"" + outln "cbc_cipher_list_hex=\"$(tolower "${cbc_cipher_list_hex:2}")\"" +} + +get_sslv3_tls1_cbc_ciphers() { + local -i + local hexc cbc_ciphers="" cbc_ciphers_hex="" + + for (( i=0; i < TLS_NR_CIPHERS; i++ )); do + if [[ "${TLS_CIPHER_SSLVERS[i]}" != "SSLv2" ]] && [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ CBC ]] && \ + [[ "${TLS_CIPHER_RFC_NAME[i]}" != *SHA256 ]] && [[ "${TLS_CIPHER_RFC_NAME[i]}" != *SHA384 ]]; then + hexc="${TLS_CIPHER_HEXCODE[i]}" + cbc_ciphers_hex+=", ${hexc:2:2},${hexc:7:2}" + [[ "${TLS_CIPHER_OSSL_NAME[i]}" != "-" ]] && cbc_ciphers+=":${TLS_CIPHER_OSSL_NAME[i]}" + fi + done + + outln ; pr_underline "SSLv3/TLSv1.0 CBC Ciphers for run_ssl_poodle() and run_beast()"; outln + outln "cbc_ciphers=\"${cbc_ciphers:1}\"" + outln "cbc_ciphers_hex=\"$(tolower "${cbc_ciphers_hex:2}")\"" +} + +get_export_rsa_ciphers() { + local -i i + local exportrsa_cipher_list="" exportrsa_tls_cipher_list_hex="" exportrsa_ssl2_cipher_list_hex="" + + for (( i=0; i < TLS_NR_CIPHERS; i++ )); do + if [[ "${TLS_CIPHER_EXPORT[i]}" == "export" ]] && \ + ( [[ "${TLS_CIPHER_KX[i]}" =~ RSA ]] || [[ "${TLS_CIPHER_AUTH[i]}" =~ RSA ]] ); then + hexc="${TLS_CIPHER_HEXCODE[i]}" + [[ "${TLS_CIPHER_SSLVERS[i]}" == "SSLv2" ]] && exportrsa_ssl2_cipher_list_hex+=", ${hexc:2:2},${hexc:7:2},${hexc:12:2}" + [[ "${TLS_CIPHER_SSLVERS[i]}" != "SSLv2" ]] && exportrsa_tls_cipher_list_hex+=", ${hexc:2:2},${hexc:7:2}" + [[ ! ":${exportrsa_cipher_list}:" =~ "${TLS_CIPHER_OSSL_NAME[i]}" ]] && exportrsa_cipher_list+=":${TLS_CIPHER_OSSL_NAME[i]}" + fi + done + + outln ; pr_underline "Export RSA ciphers for run_freak()"; outln + outln "exportrsa_cipher_list=\"${exportrsa_cipher_list:1}\"" + outln "exportrsa_tls_cipher_list_hex=\"${exportrsa_tls_cipher_list_hex:2}\"" + outln "exportrsa_ssl2_cipher_list_hex=\"${exportrsa_ssl2_cipher_list_hex:2}\"" +} + +get_weak_dh_ciphers() { + local -i + local hexc exportdhe_cipher_list="" exportdhe_cipher_list_hex="" + + for (( i=0; i < TLS_NR_CIPHERS; i++ )); do + if [[ "${TLS_CIPHER_RFC_NAME[i]}" == "TLS_DHE_"* ]] && [[ "${TLS_CIPHER_EXPORT[i]}" == "export" ]]; then + hexc="${TLS_CIPHER_HEXCODE[i]}" + [[ "${TLS_CIPHER_OSSL_NAME[i]}" != "-" ]] && exportdhe_cipher_list+=":${TLS_CIPHER_OSSL_NAME[i]}" + exportdhe_cipher_list_hex+=", ${hexc:2:2},${hexc:7:2}" + fi + done + + outln; pr_underline "Weak DH ciphers for run_logjam()"; outln + outln "exportdhe_cipher_list=\"${exportdhe_cipher_list:1}\"" + outln "exportdhe_cipher_list_hex=\"${exportdhe_cipher_list_hex:2}\"" +} + +get_mapping_file +get_robust_pfs_ciphers +get_std_cipherlists +get_cbc_ciphers +get_sslv3_tls1_cbc_ciphers +get_export_rsa_ciphers +get_weak_dh_ciphers +outln + +exit $?