diff --git a/cipherscan b/cipherscan
index 985eb07..4183fe9 100755
--- a/cipherscan
+++ b/cipherscan
@@ -42,6 +42,11 @@ if [[ "$TIMEOUTOUTPUT" =~ BusyBox ]]; then
 TIMEOUTBIN="$TIMEOUTBIN -t"
 fi
+# use custom config file to enable GOST ciphers
+if [[ -e $(dirname $0)/openssl.cnf ]]; then
+ export OPENSSL_CONF="$(dirname $0)/openssl.cnf"
+fi
+
 # find a list of trusted CAs on the local system, or use the provided list
 if [ -z "$CACERTS" ]; then
 for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
@@ -306,7 +311,12 @@ parse_openssl_output() {
 while read data; do
 if [[ $data =~ Signature\ Algorithm ]]; then
 local match=($data)
- current_sigalg="${match[2]}"
+ unset match[0]
+ unset match[1]
+ local old_IFS="$IFS"
+ IFS="_"
+ current_sigalg="${match[*]}"
+ IFS="$old_IFS"
 fi
 done <<<"$ossl_out"
 fi
diff --git a/openssl.cnf b/openssl.cnf
new file mode 100644
index 0000000..4f5b324
--- /dev/null
+++ b/openssl.cnf
@@ -0,0 +1,12 @@
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
diff --git a/top1m/parse_results.py b/top1m/parse_results.py
index 6c5326a..00a30db 100644
--- a/top1m/parse_results.py
+++ b/top1m/parse_results.py
@@ -87,6 +87,7 @@ for r,d,flist in os.walk(path):
 tempkeystats = {}
 tempecckeystats = {}
 tempdsakeystats = {}
+ tempgostkeystats = {}
 tempsigstats = {}
 tempticketstats = {}
 tempeccfallback = "unknown"
@@ -101,6 +102,7 @@ for r,d,flist in os.walk(path):
 DES3 = False
 CAMELLIA = False
 RC4 = False
+ GOST89_cipher = False
 """ variables to support handshake simulation for different clients """
 client_RC4_Only={}
 client_compat={}
@@ -124,6 +126,7 @@ for r,d,flist in os.walk(path):
 RSA = False
 ECDH = False
 DH = False
+ GOST2001_kex = False
 SSL2 = False
 SSL3 = False
 TLS1 = False
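Review bot: `$0` is unquoted inside both `$(dirname $0)` calls in the added block, so a checkout path containing spaces breaks the lookup, and the export overwrites any OPENSSL_CONF the caller already set. Because this file decides which engine openssl loads, the script directory has to be as trusted as the script itself. Testing for a regular file and respecting an existing value narrows that: `if [[ -z "${OPENSSL_CONF:-}" && -f "$(dirname "$0")/openssl.cnf" ]]; then` and `export OPENSSL_CONF="$(dirname "$0")/openssl.cnf"`.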
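Review bot: `unset match[0]` and `unset match[1]` leave the subscript unquoted, so the shell treats it as a glob pattern and a file named `match0` or `match1` in the working directory changes what is unset. The text being split comes from openssl's rendering of the peer certificate, so it is worth keeping this path free of expansion surprises. Quoting fixes it (`unset 'match[0]' 'match[1]'`), or the unset lines and the IFS save/restore can be replaced by one scoped join: `current_sigalg="$(IFS=_; printf '%s' "${match[*]:2}")"`. parse_openssl_output starts and ends outside the hunk.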
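Review bot: Nothing in this file says that it depends on the gost engine being installed, yet cipherscan exports it as OPENSSL_CONF whenever it sits next to the script. The `[gost_section]` block names the engine by `engine_id` only, so locating it is left to the openssl build in use. On a build without the engine the config load presumably fails, which would affect every scan rather than only the GOST probes; this is worth confirming. A header comment such as `# Loaded via OPENSSL_CONF by cipherscan; requires the OpenSSL gost engine` would document the dependency.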
@@ -220,6 +223,11 @@ for r,d,flist in os.walk(path):
 ciphertypes += 1
 name = "y:" + entry['cipher']
 tempcipherstats[name] = 1
+ elif 'GOST89-GOST89' in entry['cipher']:
+ GOST89_cipher = True
+ ciphertypes += 1
+ name = "y:" + entry['cipher']
+ tempcipherstats[name] = 1
 else:
 ciphertypes += 1
 name = "z:" + entry['cipher']
@@ -241,6 +249,8 @@ for r,d,flist in os.walk(path):
 ECDH = True
 elif 'DH' in entry['cipher']:
 DH = True
+ elif entry['cipher'].startswith('GOST2001'):
+ GOST2001_kex = True
 else:
 RSA = True
@@ -252,6 +262,8 @@ for r,d,flist in os.walk(path):
 tempdsakeystats[entry['pubkey'][0]] = 1
 elif 'AECDH' in entry['cipher'] or 'ADH' in entry['cipher']:
 """ skip """
+ elif 'GOST' in entry['cipher']:
+ tempgostkeystats[entry['pubkey'][0]] = 1
 else:
 tempkeystats[entry['pubkey'][0]] = 1
 if ECDSA:
@@ -320,6 +332,8 @@ for r,d,flist in os.walk(path):
 keysize['ECDSA ' + s] += 1
 for s in tempdsakeystats:
 keysize['DSA ' + s] += 1
+ for s in tempgostkeystats:
+ keysize['GOST ' + s] += 1
 if dualstack:
 dsarsastack += 1
@@ -449,6 +463,8 @@ for r,d,flist in os.walk(path):
 handshakestats['ECDH'] += 1
 if DH:
 handshakestats['DH'] += 1
+ if GOST2001_kex:
+ handshakestats['GOST2001'] += 1
 if RSA:
 handshakestats['RSA'] += 1
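Review bot: In the `@@ -241` hunk the new `startswith('GOST2001')` branch recognises only the 2001 key exchange, so a suite whose name starts with `GOST94` falls through to `else: RSA = True` and is counted as an RSA handshake. If such suites can appear in the scan results, they should at least be kept out of the RSA bucket, for example with `elif entry['cipher'].startswith('GOST94'):` setting its own flag. The key-size hunk at `@@ -252` already matches on the broader `'GOST' in entry['cipher']`, so the two statistics would disagree for those hosts. The if/elif chain starts outside the hunk, so its ordering against earlier branches is not visible here.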