Add TLSv1.3 support for run_allciphers()

This PR adds TLSv1.3 support for run_allciphers(). It also addresses issue #660 for run_allciphers().
This commit is contained in:
David Cooper 2017-10-18 14:25:43 -04:00
parent 50fa1e74bd
commit fb5c049fd7
1 changed files with 72 additions and 55 deletions

View File

@ -3026,6 +3026,7 @@ run_allciphers() {
local -i i end_of_bundle bundle bundle_size num_bundles mod_check local -i i end_of_bundle bundle bundle_size num_bundles mod_check
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2 local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
local -i -a index local -i -a index
local proto protos_to_try
local dhlen available ciphers_to_test supported_sslv2_ciphers local dhlen available ciphers_to_test supported_sslv2_ciphers
local has_dh_bits="$HAS_DH_BITS" local has_dh_bits="$HAS_DH_BITS"
local using_sockets=true local using_sockets=true
@ -3129,6 +3130,7 @@ run_allciphers() {
for (( i=0; i < nr_ciphers; i++ )); do for (( i=0; i < nr_ciphers; i++ )); do
if "${ossl_supported[i]}"; then if "${ossl_supported[i]}"; then
[[ "${sslvers[i]}" == "SSLv2" ]] && continue
ciphers_found2[nr_ossl_ciphers]=false ciphers_found2[nr_ossl_ciphers]=false
sslvers2[nr_ossl_ciphers]="${sslvers[i]}" sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
ciph2[nr_ossl_ciphers]="${ciph[i]}" ciph2[nr_ossl_ciphers]="${ciph[i]}"
@ -3151,42 +3153,54 @@ run_allciphers() {
[[ $mod_check -ne 0 ]] && bundle_size+=1 [[ $mod_check -ne 0 ]] && bundle_size+=1
fi fi
for (( bundle=0; bundle < num_bundles; bundle++ )); do if "$HAS_TLS13"; then
end_of_bundle=$bundle*$bundle_size+$bundle_size protos_to_try="-no_ssl2 -tls1_2 -tls1_1 -tls1"
[[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers else
for (( success=0; success==0 ; 1 )); do protos_to_try="-no_ssl2 -tls1_1 -tls1"
ciphers_to_test="" fi
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do "$HAS_SSL3" && protos_to_try+=" -ssl3"
[[ "${sslvers2[i]}" != "SSLv2" ]] && ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
done for proto in $protos_to_try; do
success=1 if [[ "$proto" == "-tls1_1" ]]; then
if [[ -n "$ciphers_to_test" ]]; then num_bundles=1
$OPENSSL s_client $(s_client_options "-no_ssl2 -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null bundle_size=$nr_ossl_ciphers
sclient_connect_successful "$?" "$TMPFILE" fi
if [[ "$?" -eq 0 ]]; then
cipher=$(get_cipher $TMPFILE) [[ "$proto" != "-no_ssl2" ]] && [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
if [[ -n "$cipher" ]]; then for (( bundle=0; bundle < num_bundles; bundle++ )); do
success=0 end_of_bundle=$bundle*$bundle_size+$bundle_size
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do [[ $end_of_bundle -gt $nr_ossl_ciphers ]] && end_of_bundle=$nr_ossl_ciphers
[[ "$cipher" == "${ciph2[i]}" ]] && ciphers_found2[i]=true && break while true; do
done ciphers_to_test=""
i=${index[i]} for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
ciphers_found[i]=true ! "${ciphers_found2[i]}" && ciphers_to_test+=":${ciph2[i]}"
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then done
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet) [[ -z "$ciphers_to_test" ]] && break
kx[i]="${kx[i]} $dhlen" $OPENSSL s_client $(s_client_options "$proto -cipher "${ciphers_to_test:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
fi sclient_connect_successful "$?" "$TMPFILE" || break
"$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \ cipher=$(get_cipher $TMPFILE)
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)" [[ -z "$cipher" ]] && break
fi for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
[[ "$cipher" == "${ciph2[i]}" ]] && ciphers_found2[i]=true && break
done
[[ $i -eq $end_of_bundle ]] && break
i=${index[i]}
ciphers_found[i]=true
[[ "$cipher" == TLS13* ]] && kx[i]="$(read_dhtype_from_file $TMPFILE)"
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
dhlen=$(read_dhbits_from_file "$TMPFILE" quiet)
kx[i]="${kx[i]} $dhlen"
fi fi
fi "$SHOW_SIGALGO" && grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TMPFILE && \
sigalg[i]="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
done
done done
done done
if "$using_sockets"; then if "$using_sockets"; then
for (( i=0; i < nr_ciphers; i++ )); do for (( i=0; i < nr_ciphers; i++ )); do
if ! "${ciphers_found[i]}"; then if ! "${ciphers_found[i]}"; then
[[ "${sslvers[i]}" == "SSLv2" ]] && continue
ciphers_found2[nr_nonossl_ciphers]=false ciphers_found2[nr_nonossl_ciphers]=false
sslvers2[nr_nonossl_ciphers]="${sslvers[i]}" sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}" hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
@ -3211,37 +3225,40 @@ run_allciphers() {
[[ $mod_check -ne 0 ]] && bundle_size+=1 [[ $mod_check -ne 0 ]] && bundle_size+=1
fi fi
for (( bundle=0; bundle < num_bundles; bundle++ )); do for proto in 04 03 02 01 00; do
end_of_bundle=$bundle*$bundle_size+$bundle_size for (( bundle=0; bundle < num_bundles; bundle++ )); do
[[ $end_of_bundle -gt $nr_nonossl_ciphers ]] && end_of_bundle=$nr_nonossl_ciphers end_of_bundle=$bundle*$bundle_size+$bundle_size
for (( success=0; success==0 ; 1 )); do [[ $end_of_bundle -gt $nr_nonossl_ciphers ]] && end_of_bundle=$nr_nonossl_ciphers
ciphers_to_test="" while true; do
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do ciphers_to_test=""
[[ "${sslvers2[i]}" != "SSLv2" ]] && ! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}" for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
done ! "${ciphers_found2[i]}" && ciphers_to_test+=", ${hexcode2[i]}"
success=1 done
if [[ -n "$ciphers_to_test" ]]; then [[ -z "$ciphers_to_test" ]] && break
[[ "$proto" == "04" ]] && [[ ! "${ciphers_to_test:2}" =~ ,\ 13,[0-9a-f][0-9a-f] ]] && break
ciphers_to_test="$(strip_inconsistent_ciphers "$proto" "$ciphers_to_test")"
[[ -z "$ciphers_to_test" ]] && break
if "$SHOW_SIGALGO"; then if "$SHOW_SIGALGO"; then
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "all" tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "all"
else else
tls_sockets "03" "${ciphers_to_test:2}, 00,ff" "ephemeralkey" tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
fi fi
ret=$? ret=$?
if [[ $ret -eq 0 ]] || [[ $ret -eq 2 ]]; then [[ $ret -ne 0 ]] && [[ $ret -ne 2 ]] && break
success=0 cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt") for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do [[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
[[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break done
done [[ $i -eq $end_of_bundle ]] && break
i=${index[i]} i=${index[i]}
ciphers_found[i]=true ciphers_found[i]=true
if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then [[ "${kx[i]}" == "Kx=any" ]] && kx[i]="$(read_dhtype_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")"
dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet) if [[ ${kx[i]} == "Kx=ECDH" ]] || [[ ${kx[i]} == "Kx=DH" ]] || [[ ${kx[i]} == "Kx=EDH" ]]; then
kx[i]="${kx[i]} $dhlen" dhlen=$(read_dhbits_from_file "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" quiet)
fi kx[i]="${kx[i]} $dhlen"
"$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
fi fi
fi "$SHOW_SIGALGO" && [[ -r "$HOSTCERT" ]] && sigalg[i]="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
done
done done
done done