Commit Graph

267 Commits

Author SHA1 Message Date
Richard Soderberg 097bd0c43b Rewrite HOST[:PORT] extraction routine (less sed, more validation).
The HOST[:PORT] extraction routine was written using several calls to
sed and a bunch of regex post-processing of the bash $@ array.

This replaces that with bash-native array commands, copying $@ into
a $PARAMS array, removing the last element into $TARGET, and then
passing the remainder to openssl s_client.

This adds validation of the TARGET to ensure that it matches what we
expect for a HOST[:PORT]; if a ':' is present, it must be preceded by a
hostname and followed by a port number, otherwise :443 is appended.

The check to ensure that HOST is not an -option is merged into this as
well, since we already test for : at the beginning of the HOST
(indicating that only a port was provided).

Additionally, this now defends against an empty string "" being passed
as the final option, which could occur if a script calling cipherscan
goes awry and starts passing empty values as the target.

top1m may see a slight speed improvement from this commit, as 4 calls to
sed are replaced with native bash functions.

Fixes one "SC2086: Double quote to prevent globbing and word splitting.":

In cipherscan line 1402:
SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}")
                       ^-- SC2086: Double quote to prevent globbing and
                       word splitting.
2015-09-05 02:10:50 -07:00
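The parsing approach described in commit 097bd0c43b, as an added example that is not cipherscan's own code: copy the arguments into an array, pop the last element as the target, validate it as HOST[:PORT], and default the port to 443. The function name split_target, the error messages, the host character set, the port range check and the rejection of targets with more than one ':' are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not cipherscan's code). split_target, its error text and the
# host pattern are this example's own; multi-colon targets such as bare IPv6
# literals are rejected here by assumption.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # arrays and =~ need bash

# Sets PARAMS (arguments for openssl s_client) and TARGET (host:port).
# Returns 0 on success, 1 with a message on stderr otherwise.
split_target() {
    PARAMS=("$@")
    TARGET=""
    local n=${#PARAMS[@]}
    local host_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
    local hostport_re='^([A-Za-z0-9][A-Za-z0-9._-]*):([0-9]{1,5})$'

    if (( n == 0 )); then
        echo "error: no HOST[:PORT] given" >&2
        return 1
    fi

    # Pop the last element; everything before it is passed through untouched.
    local last=${PARAMS[n-1]}
    unset "PARAMS[$((n-1))]"

    if [[ $last =~ $hostport_re ]]; then
        local port=$((10#${BASH_REMATCH[2]}))   # force base 10 ("0443" is not octal)
        if (( port < 1 || port > 65535 )); then
            echo "error: port out of range in '$last'" >&2
            return 1
        fi
        TARGET="${BASH_REMATCH[1]}:$port"
    elif [[ $last =~ $host_re ]]; then
        TARGET="$last:443"                       # no port given: default to 443
    else
        # Covers "", "-option", ":443", "host:", "host:abc" and "a:b:1".
        echo "error: '$last' is not a valid HOST[:PORT]" >&2
        return 1
    fi
}

# Constructed invocation: options first, target last.
if split_target -servername www.example.com example.com; then
    printf 'target=%s params=%s\n' "$TARGET" "${PARAMS[*]}"
fi
```

Because PARAMS stays an array, a caller can pass it on as "${PARAMS[@]}" without the word splitting and globbing that SC2086 warns about.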
Richard Soderberg d81ee1c801 Refuse to proceed if no HOST[:PORT] is provided after the options.
Prior to this patch, if the user fails to provide a host:port after
specifying cipherscan options, the script runs sed on an empty variable
(failing with a syntax error) and then attempts to cipherscan the
target ':443'.

This adds a simple test to ensure that a target was actually provided.
2015-09-05 01:35:47 -07:00
Richard Soderberg 28555b03f0 Refuse to proceed if the final argument starts with a hyphen.
This detects and prevents a specific category of user error, where an
incomplete cipherscan command line ending in an OpenSSL -option results
in cipherscan attempting to scan the target '-option:443'.
2015-09-05 01:01:19 -07:00
Julien Vehent 3f3e22b09a Merge pull request #77 from floatingatoll/bashisms
Various bash cleanups and one bugfix
2015-09-03 10:13:30 -04:00
Richard Soderberg 22adaf188a verify that the openssl binary is emitting a valid s_client -help.
This catches instances where the wrong openssl binary is selected (for
instance, if uname -s is neither Darwin nor Linux) and serves as a
simple up-front test to make sure that openssl is working before we
proceed further into the script.
2015-09-03 07:02:40 -07:00
Richard Soderberg 9a0e055628 remove crude_grep in favor of a simple =~ substring match.
The crude_grep function served only to perform a simple substring check
against the output of openssl -help. So, instead of running the command
each time, iterating its output line by line, and checking for the
substring within it, this simply caches the -help output at startup and
uses $help =~ substring to produce the same result in a single pass.
2015-09-03 06:58:05 -07:00
Richard Soderberg f0142c323a remove one unnecessary assignment when on Darwin. 2015-09-03 06:47:47 -07:00
Richard Soderberg 5ec3184a37 call dirname $0 three fewer times by caching the unmodified value prior to readlink modifications 2015-09-03 06:40:48 -07:00
Richard Soderberg f002b3573a fixes for "SC2004: $/${} is unnecessary on arithmetic variables."
In cipherscan line 451:
        for ((i=0; i<$certificate_count; i=i+1 )); do
                     ^-- SC2004: $/${} is unnecessary on arithmetic variables.

In cipherscan line 603:
    cipherbenchms="$((t/1000/$BENCHMARKITER))"
                             ^-- SC2004: $/${} is unnecessary on arithmetic variables.
2015-09-03 06:37:09 -07:00
Richard Soderberg 21871b5bd7 fixes for "SC2046: Quote this to prevent word splitting." and "SC2086: Double quote to prevent globbing and word splitting."
In cipherscan line 13:
REALPATH=$(dirname $0)
                   ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 15:
readlink -f $0 &>/dev/null && REALPATH=$(dirname $(readlink -f $0))
            ^-- SC2086: Double quote to prevent globbing and word splitting.
                                                 ^-- SC2046: Quote this to prevent word splitting.
                                                               ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 46:
if [[ -e $(dirname $0)/openssl.cnf ]]; then
                   ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 47:
    export OPENSSL_CONF="$(dirname $0)/openssl.cnf"
           ^-- SC2155: Declare and assign separately to avoid masking return values.
                                   ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 60:
    CACERTS="$(dirname $0)/ca-bundle.crt"
                       ^-- SC2086: Double quote to prevent globbing and word splitting.
2015-09-03 06:26:36 -07:00
Richard Soderberg 4405d3fdce remove unused variable "fallback_available" 2015-09-03 06:17:15 -07:00
Richard Soderberg 3664b1a199 fixes for "SC2145: Argument mixes string and array. Use * or separate argument."
In cipherscan line 941:
    verbose "Server supported curves: ${tmp_curves[@]}"
                                      ^-- SC2145: Argument mixes string and array. Use * or separate argument.

In cipherscan line 968:
            verbose "ephem_data: ${ephem_data[@]}"
                                 ^-- SC2145: Argument mixes string and array. Use * or separate argument.
2015-09-03 06:14:28 -07:00
Richard Soderberg bbb3496627 trim dead trailing ; 2015-09-03 06:02:15 -07:00
Richard Soderberg 1c15af1ce3 verify the results of pushd rather than trusting it 2015-09-03 06:02:12 -07:00
Richard Soderberg 81481cd016 requote, reindent ciphers and curves to the same format 2015-09-03 06:00:38 -07:00
Richard Soderberg 10057f93dc revise whitespace layout of cipher, curve arrays to improve future diffs 2015-09-03 06:00:31 -07:00
Richard Soderberg 9e563782e2 fix syntax error in busybox check - $(( is not the same as $( (, and a subshell is unnecessary here in any case 2015-09-03 06:00:23 -07:00
Richard Soderberg 6efb1a4afb replace if [ ... ] with if [[ ... ]]
Bash implements a backwards-compatible sh syntax for [ .. ], which
handles undef variables poorly. Use [[ .. ]] instead, to take full
advantage of the Bash improvements to the comparison brackets.
2015-09-03 05:51:57 -07:00
Julien Vehent 5f43f911bd Merge pull request #70 from tomato42/python3-analyze-fix
fix analyze.py Python3 compatibility
2015-08-23 15:23:45 -04:00
Hubert Kario a3e04d3d01 fix analyze.py Python3 compat
because subprocess returns `bytes` in Python 3
we need to interpret them to characters, which are needed by json
input and string parsing

fixes #69, #71
2015-08-23 17:31:04 +02:00
Julien Vehent db4b16e50c Merge pull request #60 from tomato42/tls-intolerancies
TLS intolerancies
2015-07-16 10:30:27 -04:00
Hubert Kario abe8d329a9 Big handshake intolerance report 2015-07-16 16:15:39 +02:00
Hubert Kario 5f5487307d Interpret some intolerance test results 2015-07-16 16:15:39 +02:00
Hubert Kario 5c98fe2107 do a scan with -no_tlsext openssl if possible 2015-07-16 16:15:39 +02:00
Hubert Kario a71bfe5ebd detect some TLS intolerancies
buggy servers may choke on large ClientHello's, TLSv1.2 ClientHello's,
etc. try to detect such failures and report them

among tried connections are TLS1.2, TLS1.1, TLS1.0 and SSLv3 with
ability to downgrade to lower protocol versions as well as a size
limited client hello, both TLS1.2 and TLS1.0 version
2015-07-16 16:15:39 +02:00
Julien Vehent 0ab0575274 Merge pull request #58 from tomato42/fallback-scan
Fallback scan
2015-07-15 10:21:47 -04:00
Julien Vehent 0119b9c115 Merge pull request #59 from tomato42/parsing-fixes
Fixes for results parsing
2015-06-10 07:33:17 +02:00
Julien Vehent 90ed0bbb3e Merge pull request #62 from tomato42/python3
Python 3 compatibility
2015-06-10 07:00:21 +02:00
Julien Vehent 19983c0c2b Merge pull request #61 from tomato42/gost-support
GOST support
2015-06-10 06:39:37 +02:00
Hubert Kario 86bc8e8574 fix is_fubar key size check 2015-05-30 19:48:56 +02:00
Hubert Kario a53a91695e make scripts python 3 compatible 2015-05-30 15:46:26 +02:00
Hubert Kario 8ea6b57f9d cipherscan - capture whole Signature Algorithm line
the GOST certificates have a signature algorithm name with spaces
2015-05-30 14:58:23 +02:00
Hubert Kario d151705218 parse_results.py - GOST support 2015-05-30 14:58:23 +02:00
Hubert Kario 596692a18e add support for GOST cipher scanning 2015-05-30 14:58:23 +02:00
Hubert Kario d8ebaf2d9f report summary for clients for RC4 Preferred too 2015-05-30 00:01:32 +02:00
Hubert Kario c55d8166c5 don't limit client specific RC4 Only to servers with multiple ciphers 2015-05-30 00:01:32 +02:00
Hubert Kario 37f1d15af1 count SSLv2 IDEA as insecure 2015-05-30 00:01:32 +02:00
Hubert Kario b673fb976a separate AES-CBC from AES-GCM 2015-05-30 00:01:32 +02:00
Hubert Kario d773b73e45 don't divide by zero on empty results folder 2015-05-30 00:01:32 +02:00
Hubert Kario b9b3a221ce add Firefox 35 cipher settings 2015-05-30 00:01:32 +02:00
Hubert Kario 82f643244e don't count export grade ciphers towards PFS 2015-05-30 00:01:32 +02:00
Hubert Kario 1b360153a0 sum servers that support SSL3 or TLS1 as the highest protocol 2015-05-30 00:01:32 +02:00
Hubert Kario 341f657e83 better detection for EXP and low grade ciphers in stats
EXP is self explanatory - export grade
DES-CBC3-MD5 is available only in SSLv2 - not secure
RC4-64-MD5 is also a weakened version (though not marked as export grade)
2015-05-30 00:01:32 +02:00
Hubert Kario 8bde9c4d03 do fallback scan in case of problems
It's unlikely that there are SSLv2 only servers on the 'net, all
that were detected as such and I've checked actually are intolerant
to low placement of RC4 in cipher order or intolerant to large client
hello in general. In case we detect issues with the server, switch to
reduced cipher set and run the test again that should give better results
for about 3% of hosts
2015-05-29 23:50:07 +02:00
Julien Vehent 3bc8dc5583 one big readme update 2015-04-03 10:59:22 -04:00
Julien Vehent d4441cf2bc update sample output in readme to show curves 2015-04-03 10:42:07 -04:00
Julien Vehent 02d555bf9d update openssl binary for darwin 2015-04-03 10:41:41 -04:00
Julien Vehent 1a26e09c7b Merge pull request #54 from jvehent/jvehent-rework-tomato42-curves-tolerance-5
Jvehent rework tomato42 curves tolerance 5, closes #46
2015-04-02 09:50:46 -04:00
Julien Vehent 4a6ff56b81 Add back support for old curve json format in parse results 2015-04-02 04:39:59 -04:00
Julien Vehent a966574edc Fix curve fallback detection 2015-04-01 14:51:01 -04:00