mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00
Commit Graph

313 Commits

Author SHA1 Message Date
Julien Vehent
5284dda0fb Enable SNI by default only if target is a fqdn and -servername not supplied 2015-09-18 15:45:10 -04:00
Julien Vehent
72e2b4f6e9 Enable Server Name Indication by default 2015-09-18 15:45:08 -04:00
Julien Vehent
901e3cbdfc Merge pull request #89 from jvehent/output20150918
A few fixes to the terminal output
2015-09-18 15:42:26 -04:00
Julien Vehent
5526c58ffb Merge pull request #82 from floatingatoll/various_fixes
Various fixes
2015-09-18 15:41:44 -04:00
Richard Soderberg
179cbe8db1 refuse to permit --allciphers and --json together 2015-09-18 11:56:28 -07:00
Richard Soderberg
8f3341a165 openssl fallback and version warnings should go to STDERR 2015-09-18 11:53:18 -07:00
Julien Vehent
f11a0e3594 Revert "When in JSON mode, run curve and tolerance tests"
This reverts commit 3dd0f58f4c.
2015-09-18 14:50:03 -04:00
Julien Vehent
5d5568f03a use colors instead of ok/ko 2015-09-18 14:50:00 -04:00
Julien Vehent
8a03b8d4e7 fix pubkey quality test 2015-09-18 14:49:51 -04:00
Richard Soderberg
ce2f97f05c Replace instances of [[ $ == "" ]] with [[ -z "" ]]. 2015-09-18 11:41:20 -07:00
Richard Soderberg
236b0b8cfe Fixes instances of "SC2128: Expanding an array without an index only gives the first element.".
In cipherscan line 851:
        local selected=($result)
                        ^-- SC2128: Expanding an array without an index only gives the first element.

In cipherscan line 852:
        if [[ $selected == "$prefered" ]]; then
              ^-- SC2128: Expanding an array without an index only gives the first element.
2015-09-18 11:40:14 -07:00
Richard Soderberg
b2521c8e42 Fixes instances of "SC2053: Quote the rhs of == in [[ ]] to prevent glob matching."
In cipherscan line 469:
            if [[ ${known_certs[$cksum]} == $cert ]]; then
                                            ^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.

In cipherscan line 852:
        if [[ $selected == $prefered ]]; then
                           ^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.

In cipherscan line 915:
                if [[ "$cname" == ${curves[$id]} ]]; then
                                  ^-- SC2053: Quote the rhs of == in [[ ]] to prevent glob matching.
2015-09-18 11:40:14 -07:00
Richard Soderberg
24268e063e Fixes one instance of "SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate."
In cipherscan line 427:
    local sslcommand=$@
                     ^-- SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
2015-09-18 11:40:14 -07:00
Richard Soderberg
bc79c51065 Fixes instances of SC2086, SC2046 errors regarding unquoted variables.
In cipherscan line 294:
    echo $identifier
         ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 587:
                current_curves="$(get_curve_name $(echo $pfs|cut -d ',' -f2))"
                                                 ^-- SC2046: Quote this to prevent word splitting.

In cipherscan line 603:
        debug Connection $i
                         ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 715:
            echo $header
                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 719:
            echo $result|grep -v '(NONE)'
                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 897:
        local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
                                                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 910:
                cname="$(get_curve_name ${ephem_data[1]})"
                                        ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 953:
        local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
                                                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 967:
                local cname="$(get_curve_name ${ephem_data[1]})"
                                              ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 1017:
        local tmp=$(echo Q | $sslcommand -curves $test_curves 2>/dev/null)
                                                 ^-- SC2086: Double quote to prevent globbing and word splitting.

In cipherscan line 1030:
                local cname="$(get_curve_name ${ephem_data[1]})"
                                              ^-- SC2086: Double quote to prevent globbing and word splitting.
2015-09-18 11:40:14 -07:00
Richard Soderberg
c103805a38 Replace instances of [[ $ != "" ]] with [[ -n "" ]]. 2015-09-18 11:40:11 -07:00
Richard Soderberg
5c09af67fd Remove one unnecessary string-to-array-to-string from get_curve_name(). 2015-09-18 11:35:03 -07:00
Richard Soderberg
9ea1749f6c Pre-cache the cipher array-to-string result to do one less join. 2015-09-18 11:35:02 -07:00
Richard Soderberg
d2e1784eb8 Simplify test_serverside_ordering() to use half as many assignments. 2015-09-18 11:34:25 -07:00
Richard Soderberg
b91b153bbd Replace instances of string-ish [[ -lt ]] with arithmetic (( < )). 2015-09-18 11:34:25 -07:00
Richard Soderberg
34ae0ccab9 Replace instances of string-ish [[ -ne ]] with arithmetic (( != )). 2015-09-18 11:34:25 -07:00
Richard Soderberg
3d3789828b Replace instances of string-ish [[ -gt ]] with arithmetic (( > )). 2015-09-18 11:34:25 -07:00
Richard Soderberg
9c63841e46 Replace instances of string-ish [[ -eq ]] with arithmetic (( == )). 2015-09-18 11:34:25 -07:00
Richard Soderberg
90ac19cfe8 Replace an instance of string-ish [[ $? -gt 0 ]] with arithmetic (( $? != 0 )).
This more accurately reflects that "non-zero exit status indicates
failure"; while > 0 will no doubt work as well, != 0 avoids the question
of whether $? is signed or unsigned in bash and more accurately
represents the documentation ("non-zero", != 0).
2015-09-18 11:34:25 -07:00
Richard Soderberg
871ad92ae2 Simplify signature algorithm extraction to use a capturing regex and string substitution. 2015-09-18 11:34:25 -07:00
Richard Soderberg
2764a16693 Replace OLDIFS/IFS joins with join_array_by_char(), avoiding $(...) subshell slowdown. 2015-09-18 11:34:25 -07:00
Richard Soderberg
487f7cb6a4 Replace an echo | awk printf with builtin printf. 2015-09-18 11:34:25 -07:00
Richard Soderberg
a342ff7579 Assign r=pass/fail once only, rather than twice for fail->pass. 2015-09-18 11:34:25 -07:00
Richard Soderberg
9e3154389e Replace unnecessary test of command; if $? with if command. 2015-09-18 11:34:25 -07:00
Richard Soderberg
fc71ed7204 Replace |sort|uniq with more efficient |sort -u. 2015-09-18 11:34:25 -07:00
Richard Soderberg
644c1aa83a Replace numeric ALLCIPHERS comparison with simpler -n test. 2015-09-18 11:34:24 -07:00
Julien Vehent
3dd0f58f4c When in JSON mode, run curve and tolerance tests 2015-09-18 13:05:49 -04:00
Julien Vehent
55918f3afb Add OK/KO flags in terminal output 2015-09-18 13:05:49 -04:00
Julien Vehent
249b3be23d Rephrase TLS tolerance output in terminal 2015-09-18 12:35:17 -04:00
Julien Vehent
0de6abab61 Merge pull request #81 from floatingatoll/argparse_fixes
Argparse fixes
2015-09-18 09:35:42 -04:00
Julien Vehent
5e2b12d940 Merge pull request #80 from floatingatoll/cacerts_logic
Replace CACERTS env logic with --cafile parameter.
2015-09-18 09:35:06 -04:00
Julien Vehent
b951fd5588 Merge pull request #79 from floatingatoll/autodetection-perf
separate darwin and non-darwin OS autodetection, add NOAUTODETECT support for top1m performance
2015-09-18 09:32:33 -04:00
Julien Vehent
9dace07f4d Merge pull request #76 from floatingatoll/curves-by-default
enable curves by default
2015-09-18 09:29:18 -04:00
Julien Vehent
3770389b5c Merge pull request #68 from kenoh/master
Fix: incorrect list + string concatenation (issue #64)
2015-09-18 09:27:41 -04:00
Richard Soderberg
4b87301eb4 separate darwin and non-darwin OS autodetection, add NOAUTODETECT support for top1m performance
This patch implements two structural changes.

First, OS-level detection routines are broken out into a case statement.

Darwin doesn't need to test for readlink/timeout nor Busybox, so this
noticeably improves performance over multiple runs on Darwin.

Linux suffers no additional penalty, since we already ran if $(uname)
every time anyways, and continues to use the more complex
timeout/gtimeout/busybox logic at the (preexisting, unaffected) cost to
performance over multiple runs.

Second, if NOAUTODETECT is set, then the script assumes (and verifies)
that you're providing TIMEOUTBIN and OPENSSLBIN values. If both of those
values are executable files, then the script will proceed, else it will
abort. In this scenario, readlink is unnecessary and is thus unused.

The combination of these two changes will improve performance over
multiple runs both on Darwin and when NOAUTODETECT is set for top1m.
2015-09-05 05:04:37 -07:00
Richard Soderberg
12ede64882 bash4 version check failure should go to STDERR. 2015-09-05 05:04:04 -07:00
Richard Soderberg
6adda69af5 Revise CACERTS autodetection logic, ensure that CACERTS/CAPATH is readable/directory, add undocumented CAPATH env override.
This takes advantage of the new --cafile logic to avoid running CACERTS
autodetection when a file is provided on the command line.

It then ensures the readability of that file, whether provided or
autodetected.

This also adds an undocumented CAPATH environment variable alternative
to --capath, to go along with the existing undocumented CACERTS
environment variable alternative to --cafile, to provide legacy support
for preexisting users.
2015-09-05 04:59:17 -07:00
Richard Soderberg
5dc692566a Refuse to accept both --cafile and --capath.
Prior to this commit, the code accepts both the --cafile and the
--capath options, as that's how it's always behaved. This patch corrects
that, refusing to proceed if the options are provided.

Technically, openssl permits the use of both the -CAfile and -CApath
options. However, cipherscan itself can only make use of one of the two
options, and does not currently support "one or both" scenarios.

So this patch ensures that users are not caught unaware when they
specify --capath and --cafile and the script refuses to honor the
latter.
2015-09-05 04:45:28 -07:00
Richard Soderberg
097bd0c43b Rewrite HOST[:PORT] extraction routine (less sed, more validation).
The HOST[:PORT] extraction routine was written using several calls to
sed and a bunch of regex post-processing of the bash $@ array.

This replaces that with bash-native array commands, copying $@ into
a $PARAMS array, removing the last element into $TARGET, and then
passing the remainder to openssl s_client.

This adds validation of the TARGET to ensure that it matches what we
expect for a HOST[:PORT]; if a ':' is present, it must be preceded by a
hostname and followed by a port number, otherwise :443 is appended.

The check to ensure that HOST is not an -option is merged into this as
well, since we already test for : at the beginning of the HOST
(indicating that only a port was provided).

Additionally, this now defends against an empty string "" being passed
as the final option, which could occur if a script calling cipherscan
goes awry and starts passing empty values as the target.

top1m may see a slight speed improvement from this commit, as 4 calls to
sed are replaced with native bash functions.

Fixes one "SC2086: Double quote to prevent globbing and word splitting.":

In cipherscan line 1402:
SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}")
                       ^-- SC2086: Double quote to prevent globbing and
                       word splitting.
2015-09-05 02:10:50 -07:00
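The HOST[:PORT] checks described in the commit message above, sketched as an added example; this is not code from cipherscan. The function name `normalize_target`, the 1-65535 port range and the hostname alphabet are assumptions, and IPv6 literals are not handled.

```bash
#!/usr/bin/env bash
# Added example: validate a HOST[:PORT] target before it reaches openssl s_client.
# normalize_target is a hypothetical helper, not a function from cipherscan.

# Prints "host:port" on success; returns 1 with a reason on stderr otherwise.
normalize_target() {
    local target host port
    target=$1
    case $target in
        '') echo "no target given" >&2; return 1 ;;
        -*) echo "target looks like an option: $target" >&2; return 1 ;;
        :*) echo "port given without a host: $target" >&2; return 1 ;;
    esac
    case $target in
        *:*) host=${target%:*}; port=${target##*:} ;;
        *)   host=$target; port=443 ;;   # default when no port is supplied
    esac
    # Port: digits only, at most five of them (assumed range 1..65535).
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Host: letters, digits, dots and hyphens only (assumed alphabet).
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host: $host" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$host" "$port"
}

# Constructed sample targets, including the failure cases the commit names:
# an empty string, a trailing -option, and a port with no host.
for t in example.com example.com:8443 "" -tls1_2 :443 example.com:https; do
    normalize_target "$t" || true
done
```

Rejecting a target that begins with a hyphen matters beyond user error: it keeps a caller-supplied string from being read as an additional option by the openssl command line.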
Richard Soderberg
d81ee1c801 Refuse to proceed if no HOST[:PORT] is provided after the options.
Prior to this patch, if the user fails to provide a host:port after
specifying cipherscan options, the script runs sed on an empty variable
(failing with a syntax error) and then attempts to cipherscan the
target ':443'.

This adds a simple test to ensure that a target was actually provided.
2015-09-05 01:35:47 -07:00
Richard Soderberg
28555b03f0 Refuse to proceed if the final argument starts with a hyphen.
This detects and prevents a specific category of user error, where an
incomplete cipherscan command line ending in an OpenSSL -option results
in cipherscan attempting to scan the target '-option:443'.
2015-09-05 01:01:19 -07:00
Richard Soderberg
e35a6155bc Add --cafile <filename.crt>, alongside --capath <dirpath/>.
For unknown reasons, while we previously supported --capath we did not
support --cafile. This forces the --cafile autodetection logic to run
every time, unnecessarily, when we have a specific file in mind to use.

This patch relocates the -CAfile autodetection logic to run *only if*
the --cafile parameter is not provided. If it is not provided, the
autodetection logic occurs precisely as before.

This patch declines to address what happens if both --capath and
--cafile are passed. The previous logic already ensured that the CA file
was *always* set, and then only sometimes was the CA path set. The new
logic maintains that behavior precisely, reserving logic flow changes
for a separate commit.
2015-09-05 00:22:40 -07:00
Richard Soderberg
0728751208 move bash4 detection as early as possible in the script to permit logic later on 2015-09-05 00:06:31 -07:00
Julien Vehent
3f3e22b09a Merge pull request #77 from floatingatoll/bashisms
Various bash cleanups and one bugfix
2015-09-03 10:13:30 -04:00
Richard Soderberg
22adaf188a verify that the openssl binary is emitting a valid s_client -help.
This catches instances where the wrong openssl binary is selected (for
instance, if uname -s is neither Darwin nor Linux) and serves as a
simple up-front test to make sure that openssl is working before we
proceed further into the script.
2015-09-03 07:02:40 -07:00
Richard Soderberg
9a0e055628 remove crude_grep in favor of a simple =~ substring match.
The crude_grep function served only to perform a simple substring check
against the output of openssl -help. So, instead of running the command
each time, iterating its output line by line, and checking for the
substring within it, this simply caches the -help output at startup and
uses $help =~ substring to produce the same result in a single pass.
2015-09-03 06:58:05 -07:00