Reorganize run_cipher_per_proto()

This PR reorganizes run_cipher_per_proto(). Currently run_cipher_per_proto() runs a for loop, which loops over each protocol and prints the set of supported ciphers for each protocol. This PR simply places the body of the for loop in a separate function from the loop itself. This allows the body of the loop to be called for just a single protocol. While this PR does not change the way that testssl.sh functions, it would allow for a future change in which run_server_preferences() called cipher_pref_check() for protocols in which the server enforces a cipher order and calls ciphers_by_strength() for protocols in which the server does not enforce a cipher order.
2025-01-07 17:20:57 +01:00 · 2019-02-12 12:50:24 -05:00 · 2019-02-12 12:50:24 -05:00 · 8fdb388dc3
commit 8fdb388dc3
parent 5d1109a582
1 changed files with 276 additions and 262 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -3955,8 +3955,12 @@ run_allciphers() {
 }

 # test for all ciphers per protocol locally configured (w/o distinguishing whether they are good or bad)
-run_cipher_per_proto() {
-     local proto proto_hex proto_text ossl_ciphers_proto
+# for the specified protocol, test for all ciphers locally configured (w/o distinguishing whether they
+# are good or bad) and list them in order to encryption strength.
+ciphers_by_strength() {
+     local proto="$1" proto_hex="$2" proto_text="$3"
+     local using_sockets="$4"
+     local ossl_ciphers_proto
     local -i nr_ciphers nr_ossl_ciphers nr_nonossl_ciphers success
     local n sslvers auth mac export hexc sslv2_ciphers="" cipher
     local -a hexcode normalized_hexcode ciph rfc_ciph kx enc export2
@ -3967,36 +3971,16 @@ run_cipher_per_proto() {
     local available
     local id
     local has_dh_bits="$HAS_DH_BITS"
-     local using_sockets=true

-     "$SSL_NATIVE" && using_sockets=false
-     "$FAST" && using_sockets=false
-     [[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
-
-     outln
-     if "$using_sockets"; then
-          pr_headlineln " Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength "
-     else
-          pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength "
-          [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
-          outln
-          if ! "$HAS_DH_BITS"; then
-               [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "."
-               prln_warning "    (Your $OPENSSL cannot show DH/ECDH bits)"
-          fi
-     fi
-     outln
-     neat_header
-     echo -e " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3" | while read proto proto_hex proto_text; do
     pr_underline "$(printf "%s" "$proto_text")"
     # for local problem if it happens
     out "  "
     if ! "$using_sockets" && ! locally_supported "$proto"; then
-               continue
+          return 0
     fi
     outln

-          [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
+     [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && return 0

     # get a list of all the cipher suites to test
     nr_ciphers=0
@ -4246,9 +4230,39 @@ run_cipher_per_proto() {
               fileout "$id" "INFO" "$proto_text  $(neat_list "${normalized_hexcode[i]}" "${ciph[i]}" "${kx[i]}" "${enc[i]}") $available"
          fi
     done
-     done
+
     "$using_sockets" && HAS_DH_BITS="$has_dh_bits"
-     tmpfile_handle ${FUNCNAME[0]}.txt
+     tmpfile_handle ${FUNCNAME[0]}${proto}.txt
+     return 0
+#FIXME: no error condition
+}
+
+# test for all ciphers per protocol locally configured (w/o distinguishing whether they are good or bad)
+run_cipher_per_proto() {
+     local proto proto_hex proto_text
+     local using_sockets=true
+
+     "$SSL_NATIVE" && using_sockets=false
+     "$FAST" && using_sockets=false
+     [[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false
+
+     outln
+     if "$using_sockets"; then
+          pr_headlineln " Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength "
+     else
+          pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength "
+          [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
+          outln
+          if ! "$HAS_DH_BITS"; then
+               [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "."
+               prln_warning "    (Your $OPENSSL cannot show DH/ECDH bits)"
+          fi
+     fi
+     outln
+     neat_header
+     echo -e " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3" | while read proto proto_hex proto_text; do
+          ciphers_by_strength "$proto" "$proto_hex" "$proto_text" "$using_sockets"
+     done
     return 0
 #FIXME: no error condition
 }