Merge pull request #572 from dcooper16/run_logjam_sockets

Use sockets for run_logjam()
2025-01-20 23:49:30 +01:00 · 2016-12-29 15:38:54 +01:00 · 2016-12-29 15:38:54 +01:00 · b8e1ede08c
commit b8e1ede08c
parent c3671928ae 324a78a47d
1 changed files with 38 additions and 12 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -8879,16 +8879,24 @@ run_freak() {
 run_logjam() {
     local -i sclient_success=0
     local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA"
-     local -i nr_supported_ciphers=0
-     local addtl_warning=""
+     local exportdhe_cipher_list_hex="00,63, 00,65, 00,14, 00,11"
+     local -i i nr_supported_ciphers=0
+     local addtl_warning="" hexc
     local cve="CVE-2015-4000"
     local cwe="CWE-310"
     local hint=""
+     local using_sockets=true
+
+     "$SSL_NATIVE" && using_sockets=false

     [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln
     pr_bold " LOGJAM"; out " ($cve), experimental      "

-     nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list))
+     if "$using_sockets"; then
+          nr_supported_ciphers=$(count_words "$exportdhe_cipher_list_hex")
+     else
+          nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list))
+     fi

     case $nr_supported_ciphers in
          0)
@ -8900,16 +8908,22 @@ run_logjam() {
          3)   addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;;
          4)   ;;
     esac
-     $OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
-     sclient_connect_successful $? $TMPFILE
-     sclient_success=$?
-     debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
+     if "$using_sockets"; then
+          tls_sockets "03" "$exportdhe_cipher_list_hex"
+          sclient_success=$?
+          [[ $sclient_success -eq 2 ]] && sclient_success=0
+     else
+          $OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
+          sclient_connect_successful $? $TMPFILE
+          sclient_success=$?
+          debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
+     fi
     addtl_warning="$addtl_warning, common primes not checked."
-     if "$HAS_DH_BITS"; then
-          if ! "$do_allciphers" && ! "$do_cipher_per_proto" && "$HAS_DH_BITS"; then
+     if "$HAS_DH_BITS" || ( ! "$SSL_NATIVE" && ! "$FAST" && [[ $TLS_NR_CIPHERS -ne 0 ]] ); then
+          if ! "$do_allciphers" && ! "$do_cipher_per_proto"; then
               addtl_warning="$addtl_warning \"$PROG_NAME -E/-e\" spots candidates"
          else
-               "$HAS_DH_BITS" && addtl_warning="$addtl_warning See below for any DH ciphers + bit size"
+               addtl_warning="$addtl_warning See below for any DH ciphers + bit size"
          fi
     fi

@ -8922,13 +8936,25 @@ run_logjam() {
     fi
     outln

-     debugme echo $(actually_supported_ciphers $exportdhe_cipher_list)
+     if [[ $DEBUG -ge 2 ]]; then
+          if "$using_sockets"; then
+               for hexc in $(sed 's/, / /g' <<< "$exportdhe_cipher_list_hex"); do
+                    hexc="0x${hexc:0:2},0x${hexc:3:2}"
+                    for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
+                         [[ "$hexc" == "${TLS_CIPHER_HEXCODE[i]}" ]] && break
+                    done
+                    [[ $i -eq $TLS_NR_CIPHERS ]] && out "$hexc " || out "${TLS_CIPHER_OSSL_NAME[i]} "
+               done
+               outln
+          else
+               echo $(actually_supported_ciphers $exportdhe_cipher_list)
+          fi
+     fi
     debugme echo $nr_supported_ciphers

     tmpfile_handle $FUNCNAME.txt
     return $sclient_success
 }
-# TODO: perfect candidate for replacement by sockets, so is freak


 run_drown() {