From 0cac6f1f911590850e90894e14b3ecd0226cfa12 Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Tue, 10 Dec 2013 23:58:08 +0100 Subject: More ciphers support * generate-wireshark-cs: fix key sizes for export ciphers * notes, openssl-{connect,listen}: support more cipher suites, including NULL. --- generate-wireshark-cs | 8 ++++++-- notes.txt | 16 ++++++++-------- openssl-connect | 3 ++- openssl-listen | 4 ++++ 4 files changed, 20 insertions(+), 11 deletions(-) diff --git a/generate-wireshark-cs b/generate-wireshark-cs index 85a62fc..ca4f790 100755 --- a/generate-wireshark-cs +++ b/generate-wireshark-cs @@ -54,7 +54,10 @@ p() { esac # HACK HACK HACK - tmp=${1#*WITH_} + tmp=$1 + # prevent seeing 56-bit export cipher as 64-bit DES + tmp=${tmp/EXPORT1024_WITH_DES_CBC_/EXPORT1024_WITH_DES_56_CBC_} + tmp=${tmp#*WITH_} cipher=${tmp%%_*} tmp=${tmp/_CBC_/_} tmp=${tmp#${cipher}_} # now continue for keysize @@ -68,6 +71,7 @@ p() { NULL) keysize=0 ;; DES) keysize=64 ;; DES40) keysize=64; exp_keysize=40 ;; + DES56) keysize=64; exp_keysize=56 ;; 3DES) if [[ $keysize == EDE ]]; then keysize=192 @@ -89,7 +93,7 @@ p() { cipher=AES ;; DES|3DES|RC4|RC2|IDEA|AES256|CAMELLIA128|CAMELLIA256|NULL|IDEA) ;; - DES40) cipher=DES ;; + DES40|DES56) cipher=DES ;; SEED*) cipher=SEED ;; RC240|RC256) cipher=RC2 ;; RC440|RC4128|RC456) cipher=RC4 ;; diff --git a/notes.txt b/notes.txt index 5e0c93c..9672fd0 100644 --- a/notes.txt +++ b/notes.txt 
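Review bot: The comment added under `# HACK HACK HACK` in the first generate-wireshark-cs hunk does not say that `DES_56` is a synthetic token rather than part of any real suite name, although the second and third hunks (`DES56) keysize=64; exp_keysize=56 ;;` and `DES40|DES56) cipher=DES ;;`) only work because of it. I would expand it to something like `# EXPORT1024_WITH_DES_CBC_* names carry no key-size token (unlike RC4_56); inject "56" so the parser below yields DES56 (64-bit key, 56 effective) instead of plain DES`. A wrong effective key size in the generated table would presumably break key derivation for these export suites in the dissector, so the reason for the rewrite is worth recording next to it. p() starts and ends outside the hunks, so the step that turns `DES` plus `56` into the `DES56` case label is not visible here.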
@@ -24,20 +24,20 @@ make examples/server/server -p 4433 SSLKEYLOGFILE=premaster.txt examples/client/client -l AES256-SHA -p 4433 see also cyassl-test (in this repo) for testing all supported ciphers -# Show a list of cipher suites from ClientHello and the HTTP version (or the -# number of the ClientHello if decryption failed). -/tmp/wsbuild/tshark -r cyassl-tcp.pcapng.gz -ohttp.ssl.port:4430 \ - -ossl.keylog_file:premaster.txt -ossl.psk:1a2b3c4d -Tfields -e frame.number \ - -e ssl.handshake.ciphersuite -e http.request.version \ - -Y not\ ssl.handshake.type==2 | - awk '$2~/0x/{if(n)print n;printf("%s ",$2);n=$1}$2=="HTTP/1.0"{print $2;n=""}' +# Show a list of cipher suite from ServerHello and the HTTP version (or the +# number of the ServerHello if decryption failed). +/tmp/wsbuild/tshark -r cyassl-tcp.pcapng.gz -ohttp.ssl.port:4430-4433 \ + -ossl.keylog_file:premaster.txt -ossl.psk:1a2b3c4d -Tfields \ + -e frame.number -e ssl.handshake.ciphersuite -e http.request.version \ + -Y 'ssl.handshake.type==2||ssl.record.content_type==23' | + awk '$2~/0x/{if(n)print n;printf("%s ",$2);n=$1}$2=="HTTP/1.0"{print $2;n=""}END{if(n)print n}' # create suites.txt from http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv gawk -n -F '[,"]+' '$4~/^TLS/{print int($2)*0x100+int($3), $4}' tls-parameters-4.csv > suites.txt # find which suites are not supported yet (unsupported.txt) gawk -n -vsrc=/tmp/wireshark/epan/dissectors/packet-ssl-utils.c -F'[ {,]+' 'BEGIN{while(getline openssl-supported-ciphers.txt +openssl ciphers -tls1 -V ALL:NULL | tr , \ | while read x y _ name _;do echo $((x*0x100+y)) $name;done | sort -n > openssl-supported-ciphers.txt # find which ciphers are not yet supported (unsupported-new is from above) grep -E "$(cut -d' ' -f1 unsuppported-new.txt openssl-supported-ciphers.txt | sort | uniq -d | tr '\n' '|' | sed 's/|$//')" unsuppported-new.txt -w diff --git a/openssl-connect b/openssl-connect index 23ebc47..77ba857 100755 --- a/openssl-connect 
+++ b/openssl-connect @@ -78,7 +78,8 @@ s_client_client_random() { # When stdin is a TTY, try all ciphers if [ -t 0 ]; then - openssl ciphers -V + # Use only SSLv3 and TLSv1 ciphers, do not use SSLv2 + openssl ciphers -V -tls1 ALL:NULL else # otherwise if not TTY, pass-through (useful for grep) cat diff --git a/openssl-listen b/openssl-listen index c6c1025..ddaf850 100755 --- a/openssl-listen +++ b/openssl-listen @@ -120,6 +120,10 @@ start_server() { "$ca_key" "$ca_crt" || return 1 fi + # Enable insecure ciphers too, this script is for generating all possible + # test samples supported by openssl. + opts+=( -cipher ALL:NULL ) + openssl s_server -accept $port \ "${opts[@]}" \ -cert "$pkdir$crtfile" -key "$pkdir$keyfile" -www "$@" & -- cgit v1.2.1
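Review bot: The new comment in s_client_client_random() documents only the protocol filter (`-tls1`), while the cipher string `ALL:NULL` on the same line is the larger behaviour change. In OpenSSL's cipher-list syntax `ALL` leaves out the no-encryption (eNULL) suites and `NULL` adds them back, and `ALL` already covers anonymous and export-grade suites, so the TTY branch now attempts connections that may be unauthenticated or unencrypted. I would say so in place, e.g. `# SSLv3/TLSv1 suites only (no SSLv2); ALL:NULL also lists anonymous, export and no-encryption suites - for test captures only`. The function body continues outside the hunk.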
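Review bot: `opts+=( -cipher ALL:NULL )` in start_server() is appended unconditionally, so every listener this script starts will negotiate anonymous, export-grade and no-encryption suites with whatever client reaches it. The `openssl s_server -accept $port` call below names no bind address, so the listener is presumably reachable on all interfaces, and the comment should state that it belongs on a loopback or lab network only. I would also keep the weak set as a default rather than a fixed value, for example `opts+=( -cipher "${CIPHERS:-ALL:NULL}" )` (variable name is a suggestion), so a run that only needs modern suites does not enable the rest. start_server() begins and ends outside the hunk.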