2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-05 07:23:42 +01:00

Add handling for TLS-variant results for the PFS value.

As before with signature algorithms, we need to handle the case where
the PFS value varies based on SSL protocol version.
This commit is contained in:
Richard Soderberg 2015-09-18 16:12:21 -07:00
parent 0be95b821a
commit 638e0cbd10

View File

@ -508,10 +508,10 @@ test_cipher_on_target() {
local cmnd=""
protocols=()
versions=()
pfs=""
previous_cipher=""
certificates=""
declare -A sigalgs=()
declare -A pfses=()
for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
# sslv2 client hello doesn't support SNI extension
# in SSLv3 mode OpenSSL just ignores the setting so it's ok
@ -623,8 +623,8 @@ test_cipher_on_target() {
# connection succeeded, add TLS version to positive results
protocols+=("$current_protocol")
cipher=$current_cipher
pfs=$current_pfs
[[ -z $pfs ]] && pfs="None"
[[ -z $current_pfs ]] && current_pfs="None"
pfses[$current_protocol]="$current_pfs"
pubkey=$current_pubkey
sigalgs[$current_protocol]="$current_sigalg"
trusted=$current_trusted
@ -659,6 +659,24 @@ test_cipher_on_target() {
sigalg="${sigalgs[@]}"
fi
# Flatten the pfses list to a single item if every entry is the same.
if (( ${#pfses[*]} > 1 )); then
local pfses_values=()
for each_protocol in "${protocols[@]}"; do
pfses_values+=("${pfses[$each_protocol]}")
done
if [[ $OUTPUTFORMAT == 'json' ]]; then
# Don't deduplicate for JSON.
join_array_by_char ';' "${pfses_values[@]}"
else
flatten_or_join_array_by_char ';' "${pfses_values[@]}"
fi
pfs="$joined_array"
else
# Just extract the one value that's present and use it.
pfs="${pfses[@]}"
fi
# Pre-join this, since we use it in a couple of places below.
join_array_by_char ',' "${protocols[@]}"
protocols_csv="$joined_array"
@ -993,9 +1011,7 @@ display_results_in_json() {
fi
echo -n "\"ticket_hint\":\"${cipher_arr[5]}\","
echo -n "\"ocsp_stapling\":\"${cipher_arr[6]}\","
pfs="${cipher_arr[7]}"
[[ -z $pfs ]] && pfs="None"
echo -n "\"pfs\":\"$pfs\""
echo -n "\"pfs\":[\"${cipher_arr[7]//\;/\",\"}\"]"
if [[ "${cipher_arr[0]}" =~ ECDH ]]; then
echo -n ","
echo -n "\"curves\":[\"${cipher_arr[8]//,/\",\"}\"]"