#!/bin/bash
# Quick 'n' dirty generator for extending wireshark cipher suites
# Author: Peter Wu <lekensteyn@gmail.com>

set -u

warn() {
	local cb= ce=

	# add color only if printing to terminal
	if [ -t 2 ]; then
		cb='\e[1;91m' # bright red
		ce='\e[m'
	fi

	printf "$cb%s$ce\n" "$*" >&2
}

p() {
	local tmp kex sig keysize exp_keysize=0 dig diglen mode us_export blocksize hexid
	[ $# -gt 0 ] || return
	num=$(($2*0x100 + $3))
	hexid=000$(echo "obase=16;$num" | bc)
	hexid=0x${hexid: -4}

	# ignore TLS_NULL_WITH_NULL_NULL and TLS_EMPTY_RENEGOTIATION_INFO_SCSV
	case $hexid in
	0x0000|0x00FF) return ;;
	esac

	tmp=${1%%_WITH_*}
	tmp=${tmp%_EXPORT}
	tmp=${tmp#TLS_}
	case $tmp in
	RSA)		kex=RSA ;;
	DH_*|DHE_*)	kex=DH ;;
	ECDH_*|ECDHE_*)	kex=DH ;;
	*)
		warn "Unknown kex in $hexid $1 (tmp=$tmp)"
		return
		;;
	esac

	tmp=${1%%_WITH_*}
	tmp=${tmp%_EXPORT}
	tmp=${tmp#TLS_}
	tmp=${tmp#EC}
	tmp=${tmp#DH_}
	tmp=${tmp#DHE_}
	case $tmp in
	RSA|DSS)	sig=$tmp ;;
	ECDSA)		sig=DSS ;;
	anon)		sig=NONE ;;
	*)
		warn "Unknown sig in $hexid $1 (tmp=$tmp)"
		return
		;;
	esac

	# HACK HACK HACK
	tmp=${1#*WITH_}
	cipher=${tmp%%_*}
	tmp=${tmp/_CBC_/_}
	tmp=${tmp#${cipher}_} # now continue for keysize
	keysize=${tmp%%_*}
	[[ $keysize != [0-9]* ]] || cipher=$cipher$keysize
	case $cipher in
	RC[24]40)	keysize=128; exp_keysize=40 ;;
	*128|*256) ;;
	SEED|IDEA)	keysize=128 ;;
	NULL)	keysize=0 ;;
	DES)	keysize=64 ;;
	DES40)	keysize=64; exp_keysize=40 ;;
	3DES)
		if [[ $keysize == EDE ]]; then
			keysize=192
		else
			warn "Invalid keysize in $hexid $1 (cipher=$cipher, keysize=$keysize)"
			#return
		fi
		;;
	*)
		warn "Invalid keysize in $hexid $1 (cipher=$cipher, keysize=$keysize)"
		return
		;;
	esac
	# assume same size for actual and algorithm key size
	[ $exp_keysize -gt 0 ] || exp_keysize=$keysize

	case $cipher in
	AES128)
		cipher=AES
		;;
	DES|3DES|RC4|RC2|IDEA|AES256|CAMELLIA128|CAMELLIA256|NULL|IDEA) ;;
	DES40)	cipher=DES ;;
	SEED*)	cipher=SEED ;;
	RC240)	cipher=RC2 ;;
	RC440|RC4128)	cipher=RC4 ;;
	*)
		warn "Unknown cipher $cipher in $hexid $1"
		return
		;;
	esac

	# GCM's IV size is always 4 regardless of underlying block cipher
	[[ $1 == *_GCM_* ]] && blocksize=4 ||
	case $cipher in
	AES|AES256|CAMELLIA128|CAMELLIA256|SEED)
		blocksize=16 ;;
	DES|3DES|IDEA)
		blocksize=8 ;;
	RC2)
		blocksize=8 ;;
	RC4|NULL)
		blocksize=1 ;;
	*)
		warn "Unknown cipher $cipher in $hexid $1"
		return
		;;
	esac

	dig=${1##*_}
	case $dig in
	MD5)	diglen=16 ;;
	SHA)	diglen=20 ;;
	SHA256)	diglen=32 ;;
	SHA384) diglen=48 ;;
	*)
		warn "Unknown dig in $hexid $1 (dig=$dig)"
		return
		;;
	esac

	us_export=0
	if [[ $1 == *_EXPORT_* ]]; then
		us_export=1
		[ $exp_keysize -lt $keysize ] || \
		warn "Export cipher, actual keysize may not be accurate: $hexid $1"
	fi

	[[ $1 == *_GCM_* ]] && mode=GCM ||
	case $cipher in
	AES|AES256|DES|3DES|CAMELLIA128|CAMELLIA256|SEED|IDEA|RC2)
		mode=CBC ;;
	RC4|NULL)
		mode=STREAM ;;
	*)
		warn "Unknown mode in $hexid $1 (cipher=$cipher)"
		return
		;;
	esac

cat <<EOF
    {$num,KEX_$kex,SIG_$sig,ENC_$cipher,$blocksize,$keysize,$exp_keysize,DIG_$dig, SSL_CIPHER_MODE_$mode},   /* $1 */
EOF
}

# expects a line like:
#  CipherSuite TLS_RSA_WITH_CAMELLIA_128_CBC_SHA         = { 0x00,0x41 };
sed 's/CipherSuite//;s/,/ /g' | grep -v '^[ \t]*$' | tr -d '={};' | while read name n1 n2 rem; do
	# for <number> <name>, like suites.txt
	if [ -z "$n2$rem" ] && [[ $name =~ ^[0-9]+|0[Xx][0-9a-fA-F]$ ]]; then
		p "$n1" 0 "$name"
		continue
	fi

	if [ -n "$rem" ]; then
		warn "Error! Invalid line: $name $n1 $n2 $rem"
		continue
	fi
	p "$name" "$n1" "$n2"
done
exit

# from http://tools.ietf.org/html/rfc5932, Proposed Cipher Suites

p TLS_RSA_WITH_CAMELLIA_128_CBC_SHA         0x00 0x41
p TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA      0x00 0x42
p TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA      0x00 0x43
p TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA     0x00 0x44
p TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA     0x00 0x45
p TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA     0x00 0x46
p 
p TLS_RSA_WITH_CAMELLIA_256_CBC_SHA         0x00 0x84
p TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA      0x00 0x85
p TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA      0x00 0x86
p TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA     0x00 0x87
p TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA     0x00 0x88
p TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA     0x00 0x89
p 
p 
p TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256      0x00 0xBA
p TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256   0x00 0xBB
p TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256   0x00 0xBC
p TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256  0x00 0xBD
p TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256  0x00 0xBE
p TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256  0x00 0xBF
p 
p TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256      0x00 0xC0
p TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256   0x00 0xC1
p TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256   0x00 0xC2
p TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256  0x00 0xC3
p TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256  0x00 0xC4
p TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256  0x00 0xC5