
Updated cipherscan to handle environmental error conditions better:

1. If bundled openssl is a bad binary (e.g. wrong glibc), use system openssl
 2. Skip bundled openssl.cnf if it causes failures (e.g. openssl w/o GOST)
This commit is contained in:
Greg Owen 2015-07-30 11:58:43 -04:00 committed by Greg Owen - Security
parent db4b16e50c
commit b3eb0ac67b


@ -42,11 +42,6 @@ if [[ "$TIMEOUTOUTPUT" =~ BusyBox ]]; then
TIMEOUTBIN="$TIMEOUTBIN -t" TIMEOUTBIN="$TIMEOUTBIN -t"
fi fi
# use custom config file to enable GOST ciphers
if [[ -e $(dirname $0)/openssl.cnf ]]; then
export OPENSSL_CONF="$(dirname $0)/openssl.cnf"
fi
# find a list of trusted CAs on the local system, or use the provided list # find a list of trusted CAs on the local system, or use the provided list
if [ -z "$CACERTS" ]; then if [ -z "$CACERTS" ]; then
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
@ -1369,8 +1364,34 @@ if [ ! -x $OPENSSLBIN ]; then
if [ "$OUTPUTFORMAT" == "terminal" ]; then if [ "$OUTPUTFORMAT" == "terminal" ]; then
echo "custom openssl not executable, falling back to system one from $OPENSSLBIN" echo "custom openssl not executable, falling back to system one from $OPENSSLBIN"
fi fi
else
tmp=$(echo "quit" | $OPENSSLBIN 2>&1)
if [ $? -ne 0 ]; then
OPENSSLBIN=$(which openssl)
if [ "$OUTPUTFORMAT" == "terminal" ]; then
echo "custom openssl fails to execute properly, falling back to system one from $OPENSSLBIN"
verbose "execution failure message: $tmp"
fi
fi
fi fi
# use custom config file to enable GOST ciphers if supported by whatever $OPENSSLBIN we ended up with
if [[ -e $(dirname $0)/openssl.cnf ]]; then
tmp=$(OPENSSL_CONF="$(dirname $0)/openssl.cnf" $OPENSSLBIN s_client -help 2>&1 | grep :error:)
if [ -z "$tmp" ]; then
export OPENSSL_CONF="$(dirname $0)/openssl.cnf"
if [ "$OUTPUTFORMAT" == "terminal" ]; then
verbose "Enabling GOST ciphers via OPENSSL_CONF"
fi
else
if [ "$OUTPUTFORMAT" == "terminal" ]; then
echo "Not enabling GOST ciphers via OPENSSL_CONF due to errors: see verbose for details"
verbose "GOST config failed: $tmp"
fi
fi
fi
if [ $TEST_CURVES == "True" ]; then if [ $TEST_CURVES == "True" ]; then
if [ ! -z "$($OPENSSLBIN s_client -curves 2>&1|head -1|grep 'unknown option')" ]; then if [ ! -z "$($OPENSSLBIN s_client -curves 2>&1|head -1|grep 'unknown option')" ]; then
echo "curves testing not available with your version of openssl, disabling it" echo "curves testing not available with your version of openssl, disabling it"
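Review bot: The fallback `OPENSSLBIN=$(which openssl)` in the new else-branch is never checked, so on a host with no system openssl the variable becomes empty and every later `$OPENSSLBIN s_client ...` invocation, including the GOST probe a few lines below, runs with a blank command name; that probe's `grep :error:` would then match nothing ("command not found" is not an OpenSSL `:error:` line) and OPENSSL_CONF would be exported anyway. Suggest `OPENSSLBIN=$(command -v openssl) || { echo "no usable openssl found" >&2; exit 1; }`, or whatever the not-executable branch just above does — that branch's body starts before this hunk, so I cannot confirm it guards the same case. The repeated unquoted `$(dirname $0)` also word-splits when the script lives under a path containing whitespace; hoisting it once as `scriptdir=$(dirname -- "$0")` and using `"$scriptdir/openssl.cnf"` in the three places keeps the probe and the export pointing at the same file. The enclosing `if [ ! -x $OPENSSLBIN ]` opens outside the hunk.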