2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-04 15:03:41 +01:00

Improve output of curves

This commit is contained in:
Julien Vehent 2015-04-01 11:18:31 -04:00
parent cc014f085d
commit c90e5c59d7

View File

@ -62,6 +62,7 @@ TIMEOUT=30
CAPATH="" CAPATH=""
SAVECRT="" SAVECRT=""
TEST_CURVES="False" TEST_CURVES="False"
has_curves="False"
unset known_certs unset known_certs
declare -A known_certs declare -A known_certs
unset cert_checksums unset cert_checksums
@ -446,23 +447,24 @@ test_cipher_on_target() {
# if cipher contains NONE, the cipher wasn't accepted # if cipher contains NONE, the cipher wasn't accepted
elif [ "$cipher" == '(NONE) ' ]; then elif [ "$cipher" == '(NONE) ' ]; then
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $curves_ordering" result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $current_curves $curves_ordering"
verbose "handshake failed, server returned ciphersuite '$result'" verbose "handshake failed, server returned ciphersuite '$result'"
return 1 return 1
# the connection succeeded # the connection succeeded
else else
current_curves="None"
# if pfs uses ECDH, test supported curves # if pfs uses ECDH, test supported curves
if [[ $pfs =~ ECDH ]]; then if [[ $pfs =~ ECDH ]]; then
has_curves="True"
if [ $TEST_CURVES == "True" ]; then if [ $TEST_CURVES == "True" ]; then
test_ecc_curves test_ecc_curves
pfs=$current_curves
else else
# resolve the openssl curve to the proper IANA name # resolve the openssl curve to the proper IANA name
pfs="$(get_curve_name $(echo $pfs|cut -d ',' -f2))" current_curves="$(get_curve_name $(echo $pfs|cut -d ',' -f2))"
fi fi
fi fi
result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $curves_ordering" result="$cipher $protocols $pubkey $sigalg $trusted $tickethint $ocspstaple $pfs $current_curves $curves_ordering"
verbose "handshake succeeded, server returned ciphersuite '$result'" verbose "handshake succeeded, server returned ciphersuite '$result'"
return 0 return 0
fi fi
@ -523,6 +525,7 @@ display_results_in_terminal() {
local trusted local trusted
local tickethint local tickethint
local ocspstaple local ocspstaple
local curvesordering
local different=False local different=False
echo "Target: $TARGET"; echo echo "Target: $TARGET"; echo
for cipher in "${cipherspref[@]}"; do for cipher in "${cipherspref[@]}"; do
@ -541,6 +544,9 @@ display_results_in_terminal() {
trusted="${cipher_data[4]}" trusted="${cipher_data[4]}"
tickethint="${cipher_data[5]}" tickethint="${cipher_data[5]}"
ocspstaple="${cipher_data[6]}" ocspstaple="${cipher_data[6]}"
if [[ $TEST_CURVES == "True" && "${cipher_data[9]}" != "" ]]; then
curvesordering="${cipher_data[9]}"
fi
else else
if [ "$pubkey" != "${cipher_data[2]}" ]; then if [ "$pubkey" != "${cipher_data[2]}" ]; then
different=True different=True
@ -557,6 +563,12 @@ display_results_in_terminal() {
if [ "$ocspstaple" != "${cipher_data[6]}" ]; then if [ "$ocspstaple" != "${cipher_data[6]}" ]; then
different=True different=True
fi fi
if [[ "$curvesordering" == "" && "${cipher_data[9]}" != "" ]]; then
curvesordering="${cipher_data[9]}"
fi
if [[ "$curvesordering" != "" && "$curvesordering" != "${cipher_data[9]}" ]]; then
different=True
fi
fi fi
results=("${results[@]}" "$r") results=("${results[@]}" "$r")
ctr=$((ctr+1)) ctr=$((ctr+1))
@ -564,14 +576,17 @@ display_results_in_terminal() {
header="prio ciphersuite protocols" header="prio ciphersuite protocols"
if [ $different == "True" ]; then if [ $different == "True" ]; then
header="$header pubkey_size signature_algoritm trusted ticket_hint ocsp_staple" header+=" pubkey_size signature_algoritm trusted ticket_hint ocsp_staple"
fi fi
header="$header pfs" header+=" pfs"
if [ $TEST_CURVES == "True" ]; then if [ $has_curves == "True" ]; then
header="$header curves_ordering" header+=" curves"
if [[ $TEST_CURVES == "True" && $different == "True" ]]; then
header+=" curves_ordering"
fi
fi fi
if [ $DOBENCHMARK -eq 1 ]; then if [ $DOBENCHMARK -eq 1 ]; then
header="$header avg_handshake_microsec" header+=" avg_handshake_microsec"
fi fi
ctr=0 ctr=0
for result in "${results[@]}"; do for result in "${results[@]}"; do
@ -583,7 +598,7 @@ display_results_in_terminal() {
echo $result|grep -v '(NONE)' echo $result|grep -v '(NONE)'
else else
# prints priority, ciphersuite, protocols and pfs # prints priority, ciphersuite, protocols and pfs
awk '!/(NONE)/{print $1 " " $2 " " $3 " " $9}' <<<"$result" awk '!/(NONE)/{print $1 " " $2 " " $3 " " $9 " " $10}' <<<"$result"
fi fi
done|column -t done|column -t
echo echo
@ -601,9 +616,12 @@ display_results_in_terminal() {
echo "OCSP stapling: not supported" echo "OCSP stapling: not supported"
fi fi
if [[ $serverside == "True" ]]; then if [[ $serverside == "True" ]]; then
echo "Server side cipher ordering" echo "Cipher ordering: server"
else else
echo "Client side cipher ordering" echo "Cipher ordering: client"
fi
if [ $TEST_CURVES == "True" ]; then
echo "Curves ordering: $curvesordering"
fi fi
} }
@ -629,10 +647,10 @@ display_results_in_json() {
echo -n "\"pfs\":\"$pfs\"" echo -n "\"pfs\":\"$pfs\""
if [[ "${cipher_arr[0]}" =~ ECDH ]]; then if [[ "${cipher_arr[0]}" =~ ECDH ]]; then
echo -n "," echo -n ","
echo -n "\"elliptic_curves\":[\"${pfs//,/\",\"}\"]" echo -n "\"curves\":[\"${cipher_arr[8]//,/\",\"}\"]"
if [ $TEST_CURVES == "True" ]; then if [ $TEST_CURVES == "True" ]; then
echo -n "," echo -n ","
echo -n "\"curves_ordering\":\"${cipher_arr[8]}\"" echo -n "\"curves_ordering\":\"${cipher_arr[9]}\""
fi fi
fi fi
echo -n "}" echo -n "}"