word match for -V / -x now only for non-numbers: testssh.sh -x cc google.com tests for chaha ciphers

(before only word matching was done e.g.: testssl.sh -x ECDH chase.com
This commit is contained in:
Dirk Wetter 2015-07-17 15:58:07 +02:00
parent 2d56f3ab3b
commit cbbe7d8dce

View File

@ -948,9 +948,15 @@ normalize_ciphercode() {
} }
prettyprint_local() { prettyprint_local() {
local arg
local hexcode dash ciph sslvers kx auth enc mac export
local re='^[0-9A-Fa-f]+$'
pr_blue "--> Displaying all local ciphers "; pr_blue "--> Displaying all local ciphers ";
if [[ -n "$1" ]]; then if [[ -n "$1" ]]; then
pr_blue "matching word pattern "\"$1\"" (ignore case)"; [[ $1 =~ $re ]] && \
pr_blue "matching number pattern \"$1\" " || \
pr_blue "matching word pattern "\"$1\"" (ignore case)"
fi fi
outln "\n" outln "\n"
neat_header neat_header
@ -965,6 +971,9 @@ prettyprint_local() {
for arg in $(echo $@ | sed 's/,/ /g'); do for arg in $(echo $@ | sed 's/,/ /g'); do
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
normalize_ciphercode $hexcode normalize_ciphercode $hexcode
# for numbers we don't do word matching:
[[ $arg =~ $re ]] && \
neat_list $HEXC $ciph $kx $enc | grep -ai "$arg" || \
neat_list $HEXC $ciph $kx $enc | grep -wai "$arg" neat_list $HEXC $ciph $kx $enc | grep -wai "$arg"
done done
done done
@ -1099,8 +1108,13 @@ test_just_one(){
local hexcode n ciph sslvers kx auth enc mac export local hexcode n ciph sslvers kx auth enc mac export
local dhlen local dhlen
local ret local ret
local re='^[0-9A-Fa-f]+$'
pr_blue "--> Testing single cipher with word pattern "\"$1\"" (ignore case)"; outln pr_blue "--> Testing single cipher with "
[[ $1 =~ $re ]] && \
pr_blue "matching number pattern \"$1\" " || \
pr_blue "word pattern "\"$1\"" (ignore case)"
outln
! $HAS_DH_BITS && pr_litemagentaln " (Your $OPENSSL cannot show DH/ECDH bits)" ! $HAS_DH_BITS && pr_litemagentaln " (Your $OPENSSL cannot show DH/ECDH bits)"
outln outln
neat_header neat_header
@ -1109,7 +1123,12 @@ test_just_one(){
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' | while read hexcode dash ciph sslvers kx auth enc mac export ; do
# FIXME: e.g. OpenSSL < 1.0 doesn't understand "-V" --> we can't do anything about it! # FIXME: e.g. OpenSSL < 1.0 doesn't understand "-V" --> we can't do anything about it!
normalize_ciphercode $hexcode normalize_ciphercode $hexcode
# is argument a number?
if [[ $arg =~ $re ]]; then
neat_list $HEXC $ciph $kx $enc | grep -qai "$arg"
else
neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg" neat_list $HEXC $ciph $kx $enc | grep -qwai "$arg"
fi
if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it: if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it:
$OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null $OPENSSL s_client -cipher $ciph $STARTTLS -connect $NODEIP:$PORT $PROXY $SNI &>$TMPFILE </dev/null
ret=$? ret=$?
@ -3542,7 +3561,8 @@ $PROG_NAME <options>
-b, --banner displays banner + version of $PROG_NAME -b, --banner displays banner + version of $PROG_NAME
-v, --version same as previous -v, --version same as previous
-V, --local pretty print all local ciphers -V, --local pretty print all local ciphers
-V, --local <pattern> what local cipher with <pattern> is available? -V, --local <pattern> which local ciphers with <pattern> are available?
(if pattern not a number: word match)
$PROG_NAME <options> URI ("$PROG_NAME URI" does everything except -E) $PROG_NAME <options> URI ("$PROG_NAME URI" does everything except -E)
@ -3553,7 +3573,8 @@ $PROG_NAME <options> URI ("$PROG_NAME URI" does everything except -E)
-S, --server_defaults displays the servers default picks and certificate info -S, --server_defaults displays the servers default picks and certificate info
-P, --preference displays the servers picks: protocol+cipher -P, --preference displays the servers picks: protocol+cipher
-y, --spdy, --npn checks for SPDY/NPN -y, --spdy, --npn checks for SPDY/NPN
-x, --single-cipher <pattern> tests matched <pattern> of cipher -x, --single-cipher <pattern> tests matched <pattern> of ciphers
(if <pattern> not a number: word match)
-U, --vulnerable tests all vulnerabilities -U, --vulnerable tests all vulnerabilities
-B, --heartbleed tests for heartbleed vulnerability -B, --heartbleed tests for heartbleed vulnerability
-I, --ccs, --ccs-injection tests for CCS injection vulnerability -I, --ccs, --ccs-injection tests for CCS injection vulnerability
@ -4496,4 +4517,4 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.321 2015/07/17 12:58:11 dirkw Exp $ # $Id: testssl.sh,v 1.322 2015/07/17 13:58:06 dirkw Exp $