LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2026-02-11 01:10:55 +01:00
Code Issues Releases Wiki Activity

Add handling for TLS-variant results for the PFS value.

Browse Source 
As before with signature algorithms, we need to handle the case where
the PFS value varies based on SSL protocol version.
This commit is contained in:
Richard Soderberg
2015-09-18 16:12:21 -07:00
parent 0be95b821a
commit 638e0cbd10
1 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
cipherscan
View File

@@ -508,10 +508,10 @@ test_cipher_on_target() {
local cmnd="" local cmnd=""
protocols=() protocols=()
versions=() versions=()
pfs=""
previous_cipher="" previous_cipher=""
certificates="" certificates=""
declare -A sigalgs=() declare -A sigalgs=()
declare -A pfses=()
for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
# sslv2 client hello doesn't support SNI extension # sslv2 client hello doesn't support SNI extension
# in SSLv3 mode OpenSSL just ignores the setting so it's ok # in SSLv3 mode OpenSSL just ignores the setting so it's ok
@@ -623,8 +623,8 @@ test_cipher_on_target() {
# connection succeeded, add TLS version to positive results # connection succeeded, add TLS version to positive results
protocols+=("$current_protocol") protocols+=("$current_protocol")
cipher=$current_cipher cipher=$current_cipher
pfs=$current_pfs [[ -z $current_pfs ]] && current_pfs="None"
[[ -z $pfs ]] && pfs="None" pfses[$current_protocol]="$current_pfs"
pubkey=$current_pubkey pubkey=$current_pubkey
sigalgs[$current_protocol]="$current_sigalg" sigalgs[$current_protocol]="$current_sigalg"
trusted=$current_trusted trusted=$current_trusted
@@ -659,6 +659,24 @@ test_cipher_on_target() {
sigalg="${sigalgs[@]}" sigalg="${sigalgs[@]}"
fi fi
# Flatten the pfses list to a single item if every entry is the same.
if (( ${#pfses[*]} > 1 )); then
local pfses_values=()
for each_protocol in "${protocols[@]}"; do
pfses_values+=("${pfses[$each_protocol]}")
done
if [[ $OUTPUTFORMAT == 'json' ]]; then
# Don't deduplicate for JSON.
join_array_by_char ';' "${pfses_values[@]}"
else
flatten_or_join_array_by_char ';' "${pfses_values[@]}"
fi
pfs="$joined_array"
else
# Just extract the one value that's present and use it.
pfs="${pfses[@]}"
fi
# Pre-join this, since we use it in a couple of places below. # Pre-join this, since we use it in a couple of places below.
join_array_by_char ',' "${protocols[@]}" join_array_by_char ',' "${protocols[@]}"
protocols_csv="$joined_array" protocols_csv="$joined_array"
@@ -993,9 +1011,7 @@ display_results_in_json() {
fi fi
echo -n "\"ticket_hint\":\"${cipher_arr[5]}\"," echo -n "\"ticket_hint\":\"${cipher_arr[5]}\","
echo -n "\"ocsp_stapling\":\"${cipher_arr[6]}\"," echo -n "\"ocsp_stapling\":\"${cipher_arr[6]}\","
pfs="${cipher_arr[7]}" echo -n "\"pfs\":[\"${cipher_arr[7]//\;/\",\"}\"]"
[[ -z $pfs ]] && pfs="None"
echo -n "\"pfs\":\"$pfs\""
if [[ "${cipher_arr[0]}" =~ ECDH ]]; then if [[ "${cipher_arr[0]}" =~ ECDH ]]; then
echo -n "," echo -n ","
echo -n "\"curves\":[\"${cipher_arr[8]//,/\",\"}\"]" echo -n "\"curves\":[\"${cipher_arr[8]//,/\",\"}\"]"