2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-25 07:23:41 +01:00

Pre-cache the cipher array-to-string result to do one less join.

This commit is contained in:
Richard Soderberg 2015-09-05 04:04:46 -07:00
parent d2e1784eb8
commit 9ea1749f6c

View File

@ -104,6 +104,18 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf" export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
fi fi
join_array_by_char() {
# Two or less parameters (join + 0 or 1 value), then no need to set IFS because no join occurs.
if (( $# >= 3 )); then
# Three or more parameters (join + 2 values), then we need to set IFS for the join.
local IFS=$1
fi
# Discard the join string (usually ':', could be others).
shift
# Store the joined string in the result.
joined_array="$*"
}
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
# (probably a result of a workaround for the bug in Apple implementation of ECDSA) # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA" CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@ -135,6 +147,9 @@ SHORTCIPHERSUITE=(
'RC4-SHA' 'RC4-SHA'
'RC4-MD5' 'RC4-MD5'
) )
join_array_by_char ':' "${SHORTCIPHERSUITE[@]}"
SHORTCIPHERSUITESTRING="$joined_array"
# as some servers are intolerant to large client hello's (or ones that have # as some servers are intolerant to large client hello's (or ones that have
# RC4 ciphers below position 64), use the following for cipher testing in case # RC4 ciphers below position 64), use the following for cipher testing in case
# of problems # of problems
@ -173,18 +188,8 @@ FALLBACKCIPHERSUITE=(
'EXP-RC2-CBC-MD5' 'EXP-RC2-CBC-MD5'
'EXP-RC4-MD5' 'EXP-RC4-MD5'
) )
join_array_by_char ':' "${FALLBACKCIPHERSUITE[@]}"
join_array_by_char() { FALLBACKCIPHERSUITESTRING="$joined_array"
# Two or less parameters (join + 0 or 1 value), then no need to set IFS because no join occurs.
if (( $# >= 3 )); then
# Three or more parameters (join + 2 values), then we need to set IFS for the join.
local IFS=$1
fi
# Discard the join string (usually ':', could be others).
shift
# Store the joined string in the result.
joined_array="$*"
}
DEBUG=0 DEBUG=0
VERBOSE=0 VERBOSE=0
@ -353,6 +358,9 @@ check_option_support() {
[[ $OPENSSLBINHELP =~ "$1" ]] [[ $OPENSSLBINHELP =~ "$1" ]]
} }
# We stop processing certificates on each connection once any of them produces a set of valid certificates.
current_sigalg="None"
parse_openssl_output() { parse_openssl_output() {
# clear variables in case matching doesn't hit them # clear variables in case matching doesn't hit them
current_ocspstaple="False" current_ocspstaple="False"
@ -362,7 +370,6 @@ parse_openssl_output() {
current_tickethint="None" current_tickethint="None"
current_pubkey=0 current_pubkey=0
current_trusted="False" current_trusted="False"
current_sigalg="None"
certs_found=0 certs_found=0
current_raw_certificates=() current_raw_certificates=()
@ -427,7 +434,7 @@ parse_openssl_output() {
fi fi
# extract certificates # extract certificates
if [[ $line =~ -----BEGIN\ CERTIFICATE----- ]]; then if [[ $current_sigalg == 'None' && $line =~ -----BEGIN\ CERTIFICATE----- ]]; then
current_raw_certificates[$certs_found]="$line"$'\n' current_raw_certificates[$certs_found]="$line"$'\n'
while read data; do while read data; do
current_raw_certificates[$certs_found]+="$data"$'\n' current_raw_certificates[$certs_found]+="$data"$'\n'
@ -1136,8 +1143,7 @@ test_tls_tolerance() {
# #
# try a smaller, but still v2 compatible Client Hello # try a smaller, but still v2 compatible Client Hello
# #
join_array_by_char ':' "${SHORTCIPHERSUITE[@]}" local ciphers="$SHORTCIPHERSUITESTRING"
local ciphers="$joined_array"
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client" local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
if [[ -n "$CAPATH" ]]; then if [[ -n "$CAPATH" ]]; then
@ -1208,8 +1214,7 @@ test_tls_tolerance() {
# #
# use v3 format TLSv1.2 hello, small cipher list # use v3 format TLSv1.2 hello, small cipher list
# #
join_array_by_char ':' "${SHORTCIPHERSUITE[@]}" local ciphers="$SHORTCIPHERSUITESTRING"
local ciphers="$joined_array"
local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client" local sslcommand="$TIMEOUTBIN $TIMEOUT $OPENSSLBIN s_client"
if [[ -n "$CAPATH" ]]; then if [[ -n "$CAPATH" ]]; then
@ -1471,8 +1476,7 @@ if (( ${#cipherspref[@]} == 0 )) || [[ ${pref[1]} == "SSLv2" ]]; then
cipherspref=() cipherspref=()
ciphercertificates=() ciphercertificates=()
results=() results=()
join_array_by_char ':' "${FALLBACKCIPHERSUITE[@]}" get_cipher_pref "$FALLBACKCIPHERSUITESTRING"
get_cipher_pref "$joined_array"
fi fi
test_tls_tolerance test_tls_tolerance