Don't parse SSLv2 ServerHello unless successful response

This PR is a proposed alternative to #537. It only attempts to extract the certificate and list of ciphers from the SSLv2 ServerHello is `ret=3`.
This commit is contained in:
David Cooper 2016-12-06 11:23:01 -05:00 committed by GitHub
parent 72a96f64e4
commit 8b9bc3ca2c
1 changed files with 14 additions and 13 deletions

View File

@ -6514,20 +6514,21 @@ parse_sslv2_serverhello() {
fi fi
fi fi
certificate_len=2*$(hex2dec "$v2_hello_cert_length") [[ "$2" == "true" ]] && [[ -e $HOSTCERT ]] && rm $HOSTCERT
[[ -e $HOSTCERT ]] && rm $HOSTCERT [[ "$2" == "true" ]] && [[ -e $TEMPDIR/intermediatecerts.pem ]] && rm $TEMPDIR/intermediatecerts.pem
[[ -e $TEMPDIR/intermediatecerts.pem ]] && rm $TEMPDIR/intermediatecerts.pem if [[ "$2" == "true" ]] && [[ $ret -eq 3 ]]; then
if [[ "$2" == "true" ]] && [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then certificate_len=2*$(hex2dec "$v2_hello_cert_length")
tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
$OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT
rm $tmp_der_certfile
get_pub_key_size
echo "======================================" >> $TMPFILE
fi
# Output list of supported ciphers if [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then
if [[ "$2" == "true" ]]; then tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
$OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT
rm $tmp_der_certfile
get_pub_key_size
echo "======================================" >> $TMPFILE
fi
# Output list of supported ciphers
let offset=26+$certificate_len let offset=26+$certificate_len
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
for (( i=0 ; i<nr_ciphers_detected; i++ )); do for (( i=0 ; i<nr_ciphers_detected; i++ )); do