From d7a745866771ec6dd8035a238657e74e57330e4c Mon Sep 17 00:00:00 2001
From: Richard Soderberg
Date: Fri, 18 Sep 2015 16:38:41 -0700
Subject: [PATCH] Add handling of TLS-dependent pubkey sizes.
As with previous commits, this adds reporting for TLS-dependent pubkey sizes.
---
 cipherscan | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/cipherscan b/cipherscan
index b2b99dc..fe289f9 100755
--- a/cipherscan
+++ b/cipherscan
@@ -515,6 +515,7 @@ test_cipher_on_target() {
 declare -A tickethints=()
 declare -A ocspstaples=()
 declare -A trusteds=()
+ declare -A pubkeys=()
 for tls_version in "${TLS_VERSIONS_TO_TEST[@]}"; do
 # sslv2 client hello doesn't support SNI extension
 # in SSLv3 mode OpenSSL just ignores the setting so it's ok
@@ -628,7 +629,7 @@ test_cipher_on_target() {
 cipher=$current_cipher
 [[ -z $current_pfs ]] && current_pfs="None"
 pfses[$current_protocol]="$current_pfs"
- pubkey=$current_pubkey
+ pubkeys[$current_protocol]="$current_pubkey"
 sigalgs[$current_protocol]="$current_sigalg"
 trusteds[$current_protocol]=$current_trusted
 tickethints[$current_protocol]=$current_tickethint
@@ -734,6 +735,24 @@ test_cipher_on_target() {
 trusted="${trusteds[@]}"
 fi
+ # Flatten the pubkeys list to a single item if every entry is the same.
+ if (( ${#pubkeys[*]} > 1 )); then
+ local pubkeys_values=()
+ for each_protocol in "${protocols[@]}"; do
+ pubkeys_values+=("${pubkeys[$each_protocol]}")
+ done
+ if [[ $OUTPUTFORMAT == 'json' ]]; then
+ # Don't deduplicate for JSON.
+ join_array_by_char ',' "${pubkeys_values[@]}"
+ else
+ flatten_or_join_array_by_char ',' "${pubkeys_values[@]}"
+ fi
+ pubkey="$joined_array"
+ else
+ # Just extract the one value that's present and use it.
+ pubkey="${pubkeys[@]}"
+ fi
+
 # Pre-join this, since we use it in a couple of places below.
 join_array_by_char ',' "${protocols[@]}"
 protocols_csv="$joined_array"
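Review bot: An empty `$current_pubkey` is stored under `pubkeys[$current_protocol]` unchanged, whereas `current_pfs` three lines above is defaulted to "None" when empty. Because the per-protocol values are comma-joined later in the function, a handshake that yielded no key size would appear as an empty field (constructed example: `,2048`), which a reader of the report cannot tell apart from a parsing failure. Consider an explicit default in the same style, `[[ -z $current_pubkey ]] && current_pubkey="None"`, provided the output code accepts a non-numeric placeholder. The assignment of `current_pubkey` and the rest of test_cipher_on_target lie outside this hunk.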
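Review bot: After this block `pubkey` can hold a comma-joined list (always for JSON once more than one protocol was recorded) where it used to hold a single key size, so any consumer that treats it as one integer needs to be checked against the new shape; the JSON emitter and any key-strength comparison are outside this hunk. The loop variable `each_protocol` is also not declared local, unlike `pubkeys_values`; unless it is already declared earlier in the function, adding `local each_protocol` before the `for` keeps it out of the caller's scope. A short comment on the loop would document why it iterates `protocols` rather than the keys of `pubkeys`, for example `# Same order as protocols_csv, so each size lines up with its protocol.` The function continues beyond the hunk.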