LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-09-28 23:53:41 +02:00
Code Issues Releases Wiki Activity

Emit an array of certificate signature algorithms, where applicable.

Browse Source 
Certain SSL servers may emit a different certificate for each TLS
protocol version. Previously, we simply emitted one of their signature
algorithms. Now, we emit an array where each element corresponds to the
array of TLS versions.

This will be extended to the other certificate-dependent attributes in
future commits.
This commit is contained in:
Richard Soderberg 2015-09-18 15:39:07 -07:00
parent 32bf52a452
commit 0be95b821a
1 changed files with 58 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
cipherscan
View File

@ -456,6 +456,43 @@ parse_openssl_output() {
fi fi
} }
flatten_or_join_array_by_char() {
# Two or less parameters (join + 0 or 1 value), then no need to join; return the string.
if (( $# <= 2 )); then
joined_array="$2"
return
fi
# Discard the join string (usually ':', could be others).
local join_by="$1"
shift
local found_many=''
local last_value=''
for each_value in "$@"; do
if [[ -z $last_value ]]; then
# This is the first one, so store it.
last_value="$each_value"
continue
fi
if [[ $last_value != "$each_value" ]]; then
# This one is different, so we found many. Stop checking.
found_many=1
break
fi
done
if [[ -z $found_many ]]; then
# We only found one, so emit that.
joined_array="$1"
return
else
# We found many, so join them by whatever.
join_array_by_char "$join_by" "$@"
# joined_array is now set. All done.
return
fi
}
TLS_VERSIONS_TO_TEST=( TLS_VERSIONS_TO_TEST=(
'-ssl2' '-ssl2'
'-ssl3' '-ssl3'
@ -470,9 +507,11 @@ test_cipher_on_target() {
cipher="" cipher=""
local cmnd="" local cmnd=""
protocols=() protocols=()
versions=()
pfs="" pfs=""
previous_cipher="" previous_cipher=""
certificates="" certificates=""
declare -A sigalgs=()
for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
# sslv2 client hello doesn't support SNI extension # sslv2 client hello doesn't support SNI extension
# in SSLv3 mode OpenSSL just ignores the setting so it's ok # in SSLv3 mode OpenSSL just ignores the setting so it's ok
@ -587,7 +626,7 @@ test_cipher_on_target() {
pfs=$current_pfs pfs=$current_pfs
[[ -z $pfs ]] && pfs="None" [[ -z $pfs ]] && pfs="None"
pubkey=$current_pubkey pubkey=$current_pubkey
sigalg=$current_sigalg sigalgs[$current_protocol]="$current_sigalg"
trusted=$current_trusted trusted=$current_trusted
tickethint=$current_tickethint tickethint=$current_tickethint
ocspstaple=$current_ocspstaple ocspstaple=$current_ocspstaple
@ -602,6 +641,24 @@ test_cipher_on_target() {
return 2 return 2
fi fi
# Flatten the sigalgs list to a single item if every entry is the same.
if (( ${#sigalgs[*]} > 1 )); then
local sigalgs_values=()
for each_protocol in "${protocols[@]}"; do
sigalgs_values+=("${sigalgs[$each_protocol]}")
done
if [[ $OUTPUTFORMAT == 'json' ]]; then
# Don't deduplicate for JSON.
join_array_by_char ',' "${sigalgs_values[@]}"
else
flatten_or_join_array_by_char ',' "${sigalgs_values[@]}"
fi
sigalg="$joined_array"
else
# Just extract the one value that's present and use it.
sigalg="${sigalgs[@]}"
fi
# Pre-join this, since we use it in a couple of places below. # Pre-join this, since we use it in a couple of places below.
join_array_by_char ',' "${protocols[@]}" join_array_by_char ',' "${protocols[@]}"
protocols_csv="$joined_array" protocols_csv="$joined_array"