@@ -803,6 +803,10 @@ count_ciphers() {
803803 echo $(wc -w <<< "${1//:/ }")
804804}
805805
806+ count_chars() {
807+ echo $(wc -c <<< "$1")
808+ }
809+
806810newline_to_spaces() {
807811 tr '\n' ' ' <<< "$1" | sed 's/ $//'
808812}
@@ -14274,19 +14278,18 @@ parse_tls13_new_session_ticket() {
1427414278# 1,4,6,7: see return value of parse_sslv2_serverhello()
1427514279sslv2_sockets() {
1427614280 local ret
14277- local client_hello cipher_suites len_client_hello
14281+ local cipher_suites="$1"
14282+ local client_hello len_client_hello
1427814283 local len_ciph_suites_byte len_ciph_suites
1427914284 local server_hello sock_reply_file2
1428014285 local -i response_len server_hello_len
1428114286 local parse_complete=false
1428214287
14283- # this could be empty so swe use '=='
14288+ # this could be empty so we use '=='
1428414289 if [[ "$2" == true ]]; then
1428514290 parse_complete=true
1428614291 fi
14287- if [[ -n "$1" ]]; then
14288- cipher_suites="$1"
14289- else
14292+ if [[ -z "$cipher_suites" ]]; then
1429014293 cipher_suites="
1429114294 05,00,80, # 1st cipher 9 cipher specs, only classical V2 ciphers are used here, see FIXME below
1429214295 03,00,80, # 2nd there are v3 in v2!!! : https://tools.ietf.org/html/rfc6101#appendix-E
@@ -14330,22 +14333,24 @@ sslv2_sockets() {
1433014333
1433114334 sockread_serverhello 32768
1433214335 if "$parse_complete"; then
14333- server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
14334- server_hello_len=2+$(hex2dec "${server_hello:1:3}")
14335- response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')
14336- for (( 1; response_len < server_hello_len; 1 )); do
14337- sock_reply_file2=${SOCK_REPLY_FILE}.2
14338- mv "$SOCK_REPLY_FILE" "$sock_reply_file2"
14336+ if [[ -s "$SOCK_REPLY_FILE" ]]; then
14337+ server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
14338+ server_hello_len=$((2 + $(hex2dec "${server_hello:1:3}") ))
14339+ response_len=$(count_chars "$SOCK_REPLY_FILE")
14340+ for (( 1; response_len < server_hello_len; 1 )); do
14341+ sock_reply_file2=${SOCK_REPLY_FILE}.2
14342+ mv "$SOCK_REPLY_FILE" "$sock_reply_file2"
1433914343
14340- debugme echo -n "requesting more server hello data... "
14341- socksend "" $USLEEP_SND
14342- sockread_serverhello 32768
14344+ debugme echo -n "requesting more server hello data... "
14345+ socksend "" $USLEEP_SND
14346+ sockread_serverhello 32768
1434314347
14344- [[ ! -s "$SOCK_REPLY_FILE" ]] && break
14345- cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
14346- mv "$sock_reply_file2" "$SOCK_REPLY_FILE"
14347- response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')
14348- done
14348+ [[ ! -s "$SOCK_REPLY_FILE" ]] && break
14349+ cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
14350+ mv "$sock_reply_file2" "$SOCK_REPLY_FILE"
14351+ response_len=$(count_chars "$SOCK_REPLY_FILE")
14352+ done
14353+ fi
1434914354 fi
1435014355 debugme echo "reading server hello... "
1435114356 if [[ "$DEBUG" -ge 4 ]]; then
@@ -14361,6 +14366,7 @@ sslv2_sockets() {
1436114366 return $ret
1436214367}
1436314368
14369+
1436414370# arg1: supported groups extension
1436514371# arg2: "all" - process full response (including Certificate and certificate_status handshake messages)
1436614372# "ephemeralkey" - extract the server's ephemeral key (if any)
@@ -16823,7 +16829,6 @@ run_freak() {
1682316829 else
1682416830 nr_supported_ciphers=$(count_ciphers $(actually_supported_osslciphers $exportrsa_cipher_list))
1682516831 fi
16826- #echo "========= ${PIPESTATUS[*]}
1682716832
1682816833 case $nr_supported_ciphers in
1682916834 0) prln_local_problem "$OPENSSL doesn't have any EXPORT RSA ciphers configured"
@@ -16841,7 +16846,9 @@ run_freak() {
1684116846 tls_sockets "03" "$exportrsa_tls_cipher_list_hex, 00,ff"
1684216847 sclient_success=$?
1684316848 [[ $sclient_success -eq 2 ]] && sclient_success=0
16844- if [[ $sclient_success -ne 0 ]]; then
16849+
16850+ # TLS handshake failed with ciphers above. Now we check SSLv2 -- unless we know it's not available
16851+ if [[ $sclient_success -ne 0 ]] && [[ $(has_server_protocol ssl2) -ne 1 ]]; then
1684516852 sslv2_sockets "$exportrsa_ssl2_cipher_list_hex" "true"
1684616853 if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
1684716854 exportrsa_ssl2_cipher_list_hex="$(strip_spaces "${exportrsa_ssl2_cipher_list_hex//,/}")"
@@ -17863,7 +17870,8 @@ run_rc4() {
1786317870 return 0
1786417871 fi
1786517872
17866- # get a list of all the cipher suites to test
17873+ # Get a list of all the cipher suites to test. #FIXME: This is rather ineffective as RC4 ciphers won't change.
17874+ # We should instead build a fixed list here like @ other functions
1786717875 if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then
1786817876 for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
1786917877 if [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ RC4 ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
@@ -17918,7 +17926,7 @@ run_rc4() {
1791817926 done < <($OPENSSL ciphers $OSSL_CIPHERS_S -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>>$ERRFILE)
1791917927 fi
1792017928
17921- if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then
17929+ if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]] ; then
1792217930 sslv2_sockets "${sslv2_ciphers_hex:2}" "true"
1792317931 if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
1792417932 supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
@@ -17931,7 +17939,7 @@ run_rc4() {
1793117939 fi
1793217940 done
1793317941 fi
17934- elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]]; then
17942+ elif "$HAS_SSL2" && [[ -n "$sslv2_ciphers_ossl" ]] && [[ $(has_server_protocol ssl2) -ne 1 ]] ; then
1793517943 $OPENSSL s_client -cipher "${sslv2_ciphers_ossl:1}" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
1793617944 sclient_connect_successful $? "$TMPFILE"
1793717945 if [[ $? -eq 0 ]]; then
0 commit comments