mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00

Add handling for TLS-dependent trusted values.

As per previous commits, this adds TLS-dependent support for the
'Trusted' value in the output.
Richard Soderberg 2015-09-18 16:36:03 -07:00
parent eb752c541c
commit 8757bbd039


@ -513,6 +513,8 @@ test_cipher_on_target() {
declare -A sigalgs=() declare -A sigalgs=()
declare -A pfses=() declare -A pfses=()
declare -A tickethints=() declare -A tickethints=()
declare -A ocspstaples=()
declare -A trusteds=()
for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
# sslv2 client hello doesn't support SNI extension # sslv2 client hello doesn't support SNI extension
# in SSLv3 mode OpenSSL just ignores the setting so it's ok # in SSLv3 mode OpenSSL just ignores the setting so it's ok
@ -628,9 +630,9 @@ test_cipher_on_target() {
pfses[$current_protocol]="$current_pfs" pfses[$current_protocol]="$current_pfs"
pubkey=$current_pubkey pubkey=$current_pubkey
sigalgs[$current_protocol]="$current_sigalg" sigalgs[$current_protocol]="$current_sigalg"
trusted=$current_trusted trusteds[$current_protocol]=$current_trusted
tickethints[$current_protocol]=$current_tickethint tickethints[$current_protocol]=$current_tickethint
ocspstaple=$current_ocspstaple ocspstaples[$current_protocol]=$current_ocspstaple
certificates="$current_certificates" certificates="$current_certificates"
# grab the cipher and PFS key size # grab the cipher and PFS key size
done done
@ -696,6 +698,42 @@ test_cipher_on_target() {
tickethint="${tickethints[@]}" tickethint="${tickethints[@]}"
fi fi
# Flatten the ocspstaples list to a single item if every entry is the same.
if (( ${#ocspstaples[*]} > 1 )); then
local ocspstaples_values=()
for each_protocol in "${protocols[@]}"; do
ocspstaples_values+=("${ocspstaples[$each_protocol]}")
done
if [[ $OUTPUTFORMAT == 'json' ]]; then
# Don't deduplicate for JSON.
join_array_by_char ',' "${ocspstaples_values[@]}"
else
flatten_or_join_array_by_char ',' "${ocspstaples_values[@]}"
fi
ocspstaple="$joined_array"
else
# Just extract the one value that's present and use it.
ocspstaple="${ocspstaples[@]}"
fi
# Flatten the trusteds list to a single item if every entry is the same.
if (( ${#trusteds[*]} > 1 )); then
local trusteds_values=()
for each_protocol in "${protocols[@]}"; do
trusteds_values+=("${trusteds[$each_protocol]}")
done
if [[ $OUTPUTFORMAT == 'json' ]]; then
# Don't deduplicate for JSON.
join_array_by_char ',' "${trusteds_values[@]}"
else
flatten_or_join_array_by_char ',' "${trusteds_values[@]}"
fi
trusted="$joined_array"
else
# Just extract the one value that's present and use it.
trusted="${trusteds[@]}"
fi
# Pre-join this, since we use it in a couple of places below. # Pre-join this, since we use it in a couple of places below.
join_array_by_char ',' "${protocols[@]}" join_array_by_char ',' "${protocols[@]}"
protocols_csv="$joined_array" protocols_csv="$joined_array"
@ -1024,12 +1062,12 @@ display_results_in_json() {
echo -n "\"protocols\":[\"${cipher_arr[1]//,/\",\"}\"]," echo -n "\"protocols\":[\"${cipher_arr[1]//,/\",\"}\"],"
echo -n "\"pubkey\":[\"${cipher_arr[2]//,/\",\"}\"]," echo -n "\"pubkey\":[\"${cipher_arr[2]//,/\",\"}\"],"
echo -n "\"sigalg\":[\"${cipher_arr[3]//,/\",\"}\"]," echo -n "\"sigalg\":[\"${cipher_arr[3]//,/\",\"}\"],"
echo -n "\"trusted\":\"${cipher_arr[4]//,/\",\"}\"," echo -n "\"trusted\":[\"${cipher_arr[4]//,/\",\"}\"],"
if [[ -n $CAPATH ]]; then if [[ -n $CAPATH ]]; then
echo -n "\"certificates\":[${ciphercertificates[$ctr]}]," echo -n "\"certificates\":[${ciphercertificates[$ctr]}],"
fi fi
echo -n "\"ticket_hint\":[\"${cipher_arr[5]//,/\",\"}\"]," echo -n "\"ticket_hint\":[\"${cipher_arr[5]//,/\",\"}\"],"
echo -n "\"ocsp_stapling\":\"${cipher_arr[6]}\"," echo -n "\"ocsp_stapling\":[\"${cipher_arr[6]//,/\",\"}\"],"
echo -n "\"pfs\":[\"${cipher_arr[7]//\;/\",\"}\"]" echo -n "\"pfs\":[\"${cipher_arr[7]//\;/\",\"}\"]"
if [[ "${cipher_arr[0]}" =~ ECDH ]]; then if [[ "${cipher_arr[0]}" =~ ECDH ]]; then
echo -n "," echo -n ","
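Review bot: In the display_results_in_json hunk, `trusted` and `ocsp_stapling` change from a JSON string to an array of strings, which silently changes the output schema for anything that parses this report. A consumer that compares `trusted` with a single string value would stop matching without raising an error, so a certificate-trust verdict could be misreported; no consumers are visible in this diff, so they should be checked and updated together with this change. In the non-JSON path the same field can now hold a comma-joined list when protocols disagree, which readers of that column need to expect. I would document the new shape above the `trusted` line, for example `# trusted and ocsp_stapling are per-protocol lists, in the same order as "protocols"`. The function body continues outside the hunk.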