From bbcc869decad467d077385ecc4404fbebbe754b2 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 31 Mar 2016 09:38:20 -0400 Subject: [PATCH] run_cipher_per_proto speedup This PR makes basically the same changes to run_cipher_per_proto() as I previously made to run_allciphers(). The main difference is that in this function, round 0 consists of a single call to "$OPENSSL s_client" with "-cipher" including all of the locally supported ciphers. The reason for the difference is that in run_allciphers() its saves time to assume the server supports at least one cipher suite. In the case of run_cipher_per_proto(), however, it is likely that the server will not support some protocols at all, so its usually faster to start with a single call to "$OPENSSL s_client" that tests whether the server supports the protocol at all. --- testssl.sh | 122 ++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 87 insertions(+), 35 deletions(-) diff --git a/testssl.sh b/testssl.sh index 0fe29c2..13f4606 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1670,11 +1670,14 @@ run_allciphers() { return 0 } -# test for all ciphers per protocol locally configured (w/o distinguishing whether they are good or bad -run_cipher_per_proto(){ +# test for all ciphers per protocol locally configured (w/o distinguishing whether they are good or bad) +run_cipher_per_proto() { local proto proto_text - local hexcode n ciph sslvers kx auth enc mac export - local -i sclient_success=0 + local -i nr_ciphers + local n sslvers auth mac export + local -a hexcode ciph kx enc export2 + local -i i j parent child end_of_bundle round_num bundle_size num_bundles mod_check + local -a ciphers_found local dhlen local available local id @@ -1686,39 +1689,88 @@ run_cipher_per_proto(){ outln " -ssl2 SSLv2\n -ssl3 SSLv3\n -tls1 TLS 1\n -tls1_1 TLS 1.1\n -tls1_2 TLS 1.2"| while read proto proto_text; do locally_supported "$proto" "$proto_text" || continue outln - $OPENSSL ciphers $proto -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode n ciph sslvers kx auth enc mac export; do # -V doesn't work with openssl < 1.0 - $OPENSSL s_client -cipher $ciph $proto $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE $ERRFILE) + + # Split ciphers into bundles of size 4**n, starting with the smallest + # "n" that leaves the ciphers in one bundle, and then reducing "n" by + # one in each round. Only test a bundle of 4**n ciphers against the + # server if it was part of a bundle of 4**(n+1) ciphers that included + # a cipher supported by the server. Continue until n=0. + + # Determine the smallest bundle size that will result in their being one bundle. + for(( bundle_size=1; bundle_size < nr_ciphers; bundle_size*=4 )); do + : + done + + # set ciphers_found[1] so that the complete bundle will be tested in round 0. + ciphers_found[1]=true + for (( round_num=0; bundle_size>=1; bundle_size/=4 )); do + # Note that since the number of ciphers isn't a power of 4, the number + # of bundles may be may be less than 4**(round_num+1), and the final + # bundle may have fewer than bundle_size ciphers. + num_bundles=$nr_ciphers/$bundle_size + mod_check=$nr_ciphers%$bundle_size + [[ $mod_check -ne 0 ]] && num_bundles=$num_bundles+1 + for (( i=0; i$TMPFILE 2>$ERRFILE