tls-map 1.3.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5ac0d9c7dbfc9715ca7387df65617f1202a06ab70b72f764356e6bdb3cbeda3d
-  data.tar.gz: 37f02d9953363e4fb90e940d894b1ecdafe9bba9ae1636540f9593ee3c37b808
+  metadata.gz: 1d94873d0b6f9c1274ca7ae4b4510cbbfb5351fb71b31d5fd6b7b51a700810b5
+  data.tar.gz: c706973ad2b5b944ad41b72447ad2b5b6fd0d6cd8e7697ed2e0441598c905157
 SHA512:
-  metadata.gz: 8a514c524c42e6765e55817dea46b905fdf717e6609e0f1efc2f2555249938b750ae79325b5c2ba3cc58b645f0b378f0f3f13d877a9be37a74dff033b420edbd
-  data.tar.gz: 8691bfcdb56bbfe8daa408b290f06f1eb2e9dd2f564a9c86e59b2c64e077b037b45b27e4d4e1000fab7b6fc418064b0d4d1b66e1eb174b221b0fe8c022b72b1c
+  metadata.gz: 36abc411fbfb1139a1abce1795dc76dad40baf48a801ff52302e0f13a5e8d62f484a68e024523417f6d926b9a175043d0256b15a3840f5b1ed3e1a90d26a7f65
+  data.tar.gz: c0274a56daae44a2192e761bc782ec87ec71d2616738ed8053f8e1e2beb8a6bce7d6e95d694356f72d3ae891c69d5b210e78f9b84f2bd308016205f70b9e852d

data/LICENSE

@@ -1,5 +1,6 @@
 MIT License
 
+Copyright (c) 2021 Alexandre ZANNI
 Copyright (c) 2021 Alexandre ZANNI at SEC-IT
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

data/bin/tls-map

@@ -5,7 +5,7 @@
 require 'pp'
 # Project internal
 require 'tls_map'
-require 'tls_map/cli'
+require 'tls_map/cli/cli'
 # External
 require 'docopt'
 require 'paint'
@@ -16,23 +16,23 @@ doc = <<~DOCOPT
   TLS map #{TLSmap::VERSION}
 
   Usage:
-    tls-map search <critera> <term> [-o <output> --force -e -a] [--no-color --debug]
-    tls-map bulk <critera> <file> [-q <output> --force] [--no-color --debug]
+    tls-map search <criteria> <term> [-o <output> --force -e -a] [--no-color --debug]
+    tls-map bulk <criteria> <file> [-q <output> --force] [--no-color --debug]
     tls-map export <filename> <format> [--force] [--debug]
-    tls-map extract <filename> <format> [--no-color --debug]
-    tls-map update [--debug]
+    tls-map extract <filename> <format> [--no-color --debug [--only-weak | --hide-weak]]
+    tls-map update [--with-extended] [--debug]
     tls-map -h | --help
     tls-map --version
 
   Search options: (offline) search and translate cipher names between SSL/TLS libraries
-    <critera>               The type of term. Accepted values: codepoint, iana, openssl, gnutls, nss.
+    <criteria>              The type of term. Accepted values: codepoint, iana, openssl, gnutls, nss.
     <term>                  The cipher algorithm name.
     -o, --output <output>   Displayed fields. Accepted values: all, codepoint, iana, openssl, gnutls, nss. [default: all]
     -e, --extended          (Online) Display additional information about the cipher (requires output = all or iana)
     -a, --acronym           (Online) Display full acronym name (requires -e / --extended option)
 
   Bulk options: (offline) search and translate cipher names between SSL/TLS libraries in bulk
-    <critera>               The type of term. Accepted values: codepoint, iana, openssl, gnutls, nss.
+    <criteria>              The type of term. Accepted values: codepoint, iana, openssl, gnutls, nss.
     <file>                  File containing the cipher algorithm names, one per line.
     -q, --output2 <output>  Displayed fields. Accepted values: codepoint, iana, openssl, gnutls, nss. [default: iana]
 
@@ -43,8 +43,11 @@ doc = <<~DOCOPT
   Extract options: (offline) extract ciphers from external tools output file
     <filename>              The external tool output file
     <format>                Supported formats: sslyze, sslscan2, testssl, ssllabs-scan (check the documentation for the expected file format)
+    --only-weak             Show only ciphers with a security level equal to weak or insecure (hide secure and recommended) (work only with TLS not SSL).
+    --hide-weak             Hide ciphers with a security level equal to weak or insecure (show only secure and recommended) (work only with TLS not SSL).
 
   Update options: (online) DANGEROUS, will break database integrity, force option will be required
+    --with-extended         (Online) Also save extended information used by search --extended option.
 
   Other options:
     --force     Force parsing even if integrity check failed (DANGEROUS, may result in command execution vulnerability)
@@ -60,7 +63,7 @@ begin
   pp args if args['--debug']
   if args['search']
     cli = TLSmap::CLI.new(args['--force'])
-    res = cli.search(args['<critera>'].to_sym, args['<term>'], args['--output'].to_sym)
+    res = cli.search(args['<criteria>'].to_sym, args['<term>'], args['--output'].to_sym)
     puts Paint['No match found', :red] if res.empty?
     res.each do |k, v|
       puts "#{Paint[k, :green]}: #{Paint[v, :white]}"
@@ -71,6 +74,7 @@ begin
       ext = tmext_i.extend(res[:iana])
       dic = tmext::DICO
       sev = tmext::VULN_SEVERITY
+      sec_lvl = tmext::SECURITY_LEVEL
       ext.each do |k, v|
         case k
         when 'vulns'
@@ -81,6 +85,8 @@ begin
           end
         when 'tls_version'
           puts "#{Paint[dic[k], :magenta]}: #{Paint[v.join(', '), :white]}"
+        when 'security'
+          puts "#{Paint[dic[k], :magenta]}: #{Paint[v, sec_lvl[v][:color]]}"
         else
           print "#{Paint[dic[k], :magenta]}: #{Paint[v, :white]}"
           print " (#{tmext_i.translate_acronym(v)})" if args['--acronym'] && !tmext_i.translate_acronym(v).nil? # rubocop:disable Metrics/BlockNesting
@@ -90,10 +96,10 @@ begin
     end
   elsif args['bulk']
     cli = TLSmap::CLI.new(args['--force'])
-    res = cli.bulk_search(args['<critera>'].to_sym, args['<file>'], args['--output2'].to_sym)
+    res = cli.bulk_search(args['<criteria>'].to_sym, args['<file>'], args['--output2'].to_sym)
     puts Paint['No match found', :red] if res.empty?
     res.each do |h|
-      puts "#{Paint[h[args['--output2'].to_sym], :green]}"
+      puts Paint[h[args['--output2'].to_sym], :green]
     end
   elsif args['export']
     cli = TLSmap::CLI.new(args['--force'])
@@ -103,13 +109,26 @@ begin
     extractor = TLSmap::App::Extractor.new
     ciphers = extractor.parse(args['<format>'], args['<filename>'])
     ciphers.each do |k, v|
-      puts Paint[k, :blue] unless v.empty?
-      puts Paint[v.join("\n"), :white] unless v.empty?
+      if args['--only-weak'] || args['--hide-weak']
+        cliext = TLSmap::CLI::Extended.new
+        v.each do |alg|
+          ci = TLSmap::App::Cipher.new(:iana, alg, enhanced_data: cliext.enhanced_data)
+          puts Paint[alg, :white] if (args['--only-weak'] && !ci.should_i_use?) ||
+                                     (args['--hide-weak'] && ci.should_i_use?)
+        end
+      else
+        puts Paint[k, :blue] unless v.empty?
+        puts Paint[v.join("\n"), :white] unless v.empty?
+      end
     end
   elsif args['update']
     cli = TLSmap::CLI.new
     cli.update
-    puts 'Database updated'
+    if args['--with-extended']
+      cliext = TLSmap::CLI::Extended.new
+      cliext.update
+    end
+    puts 'Database(s) updated'
   end
 rescue Docopt::Exit => e
   puts e.message

data/lib/tls_map/app/cipher/cipher.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+# Project internal
+require 'tls_map/cli/cli'
+
+module TLSmap
+  # TLS mapping
+  class App
+    # Manipulate cipher suite information
+    class Cipher
+      # Get the hexadecimal codepoint of the cipher suite
+      # @return [String] Hexadecimal codepoint
+      attr_reader :codepoint
+
+      # Get the IANA name of the cipher suite
+      # @return [String] IANA name
+      attr_reader :iana
+
+      # Get the OpenSSL name of the cipher suite
+      # @return [String] OpenSSL name
+      attr_reader :openssl
+
+      # Get the GnuTLS name of the cipher suite
+      # @return [String] GnuTLS name
+      attr_reader :gnutls
+
+      # Get the NSS name of the cipher suite
+      # @return [String] NSS name
+      attr_reader :nss
+
+      # Get extended information
+      # @!attribute [r] extended
+      # @return [Hash]
+      # @example
+      #   ci = TLSmap::App::Cipher.new(:iana, 'TLS_RSA_WITH_SEED_CBC_SHA')
+      #   ci.extended
+      #   # =>
+      #   # {"protocol_version"=>"TLS",
+      #   #  "kex_algorithm"=>"RSA",
+      #   #  "auth_algorithm"=>"RSA",
+      #   #  "enc_algorithm"=>"SEED CBC",
+      #   #  "hash_algorithm"=>"SHA",
+      #   #  "security"=>"weak",
+      #   #  "tls_version"=>["TLS1.0", "TLS1.1", "TLS1.2"],
+      #   #  "vulns"=>
+      #   #   [{:severity=>1, :description=>"This key exchange algorithm does not support Perfect Forward Secrecy (PFS)
+      #   #   which is recommended, so attackers cannot decrypt the complete communication stream."},
+      #   #    {:severity=>1,
+      #   #     :description=>
+      #   #      "In 2013, researchers demonstrated a timing attack against several TLS implementations using the CBC
+      #   #      encryption algorithm (see [isg.rhul.ac.uk](http://www.isg.rhul.ac.uk/tls/Lucky13.html)). Additionally,
+      #   #      the CBC mode is vulnerable to plain-text attacks in TLS 1.0, SSL 3.0 and lower. A fix has been
+      #   #      introduced with TLS 1.2 in form of the GCM mode which is not vulnerable to the BEAST attack. GCM should
+      #   #      be preferred over CBC."},
+      #   #    {:severity=>1, :description=>"The Secure Hash Algorithm 1 has been proven to be insecure as of 2017 (see
+      #   #      [shattered.io](https://shattered.io))."}],
+      #   #  "url"=>"https://ciphersuite.info/cs/TLS_RSA_WITH_SEED_CBC_SHA/"}
+      def extended
+        fetch_extended
+        @extended
+      end
+
+      # Initialize {TLSmap::App::Cipher} instance
+      # @param type [Symbol] Same as `criteria` from {TLSmap::App#search}
+      # @param value [String] Same as `term` from {TLSmap::App#search}
+      # @param opts [Hash] the option hash
+      # @option opts [Hash] :tls_map mapping of all TLS cipher suites returned by {App#tls_map}.
+      #   (better performance for batch usage)
+      # @option opts [Hash] :enhanced_data enhanced information of all cipher suites returned by
+      #   {Extended#enhanced_data}. (better performance for batch usage)
+      # @example
+      #   # Offline TLS data + online extended data
+      #   ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5')
+      #   # Online TLS data + online extended data
+      #   tm = TLSmap::App.new
+      #   ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5', tls_map: tm.tls_map)
+      #   # Offline TLS data + online extended data but more efficient for batch requesting
+      #   tmext = TLSmap::App::Extended.new
+      #   tmext.enhance_all
+      #   ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5', enhanced_data: tmext.enhanced_data)
+      #   # Offline TLS data + offline extended data (better performance but may be outdated)
+      #   cliext = TLSmap::CLI::Extended.new
+      #   ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5', enhanced_data: cliext.enhanced_data)
+      def initialize(type, value, opts = {}) # rubocop:disable Metrics/MethodLength
+        res = if opts[:tls_map].nil?
+                TLSmap::CLI.new.search(type, value)
+              else
+                TLSmap::App.search(opts[:tls_map], type, value)
+              end
+        @codepoint = res[:codepoint]
+        @iana = res[:iana]
+        @openssl = res[:openssl]
+        @gnutls = res[:gnutls]
+        @nss = res[:nss]
+        @extended = opts.dig(:enhanced_data, @iana)
+      end
+
+      # Retrieve extended data by using #{App:Extended}
+      def fetch_extended
+        return unless @extended.nil?
+
+        tmext = TLSmap::App::Extended.new
+        @extended = tmext.extend(@iana)
+      end
+
+      # Is the security level defined to `weak`?
+      # @return [Boolean]
+      def weak?
+        fetch_extended
+        @extended['security'] == 'weak'
+      end
+
+      # Is the security level defined to `insecure`?
+      # @return [Boolean]
+      def insecure?
+        fetch_extended
+        @extended['security'] == 'insecure'
+      end
+
+      # Is the security level defined to `secure`?
+      # @return [Boolean]
+      def secure?
+        fetch_extended
+        @extended['security'] == 'secure'
+      end
+
+      # Is the security level defined to `recommended`?
+      # @return [Boolean]
+      def recommended?
+        fetch_extended
+        @extended['security'] == 'recommended'
+      end
+
+      # Is the security level defined to `secure` or `recommended`?
+      # It will return `false` for `weak` and `insecure` cipher suites.
+      # @return [Boolean]
+      def should_i_use?
+        recommended? || secure?
+      end
+
+      # Is the cipher suite vulnerable?
+      # @return [Boolean] `true` if one (or more) vulnerability is declared
+      def vulnerable?
+        fetch_extended
+        !@extended['vulns'].empty?
+      end
+
+      protected :fetch_extended
+    end
+  end
+end

data/lib/tls_map/{ciphersuiteinfo.rb → app/extended/ciphersuiteinfo.rb}

@@ -22,9 +22,9 @@ module TLSmap
       ROOT = 'https://ciphersuite.info/'
       # Root URL of Cipher Suite Info API
       API_ROOT = "#{ROOT}api/"
-      # URL of the data file containig vulnerabilities information
+      # URL of the data file containing vulnerabilities information
       VULN_DATA = 'https://raw.githubusercontent.com/hcrudolph/ciphersuite.info/master/directory/fixtures/00_vulnerabilities.yaml'
-      # URL of the data file containig technologies information
+      # URL of the data file containing technologies information
       TECH_DATA = 'https://raw.githubusercontent.com/hcrudolph/ciphersuite.info/master/directory/fixtures/01_technologies.yaml'
       # Hash mapping API key and display name for CLI
       DICO = {
@@ -44,26 +44,65 @@ module TLSmap
         1 => { title: 'Medium', color: 'orange' },
         2 => { title: 'High', color: :red }
       }.freeze
+      # Hash mapping the security level used by the API and color for the CLI
+      SECURITY_LEVEL = {
+        'recommended' => { color: :green },
+        'secure' => { color: :green },
+        'weak' => { color: 'orange' },
+        'insecure' => { color: :red }
+      }.freeze
 
-      include Utils
-      protected :tmpfile
+      # Get the enhanced information of all cipher suites returned by {enhance_all}.
+      # @return [Hash] Enhanced information of all cipher suites
+      attr_reader :enhanced_data
 
       # Will automatically fetch source files and parse them.
       def initialize
-        @tech_file = tmpfile('tech', TECH_DATA)
-        @vuln_file = tmpfile('vuln', VULN_DATA)
+        @tech_file = Utils.tmpfile('tech', TECH_DATA)
+        @vuln_file = Utils.tmpfile('vuln', VULN_DATA)
         @tech = parse_tech
         @vuln = parse_vuln
+        @ciphersuite_all = nil
+        @enhanced_data = nil
+      end
+
+      # Fetch all cipher suite data from ciphersuite.info and store it in the instance attribute for batch usage.
+      def fetch_ciphersuite
+        return unless @ciphersuite_all.nil?
+
+        @ciphersuite_all = JSON.parse(Net::HTTP.get(URI("#{API_ROOT}cs/")))['ciphersuites'].reduce(:merge!)
+      end
+
+      # Enhance data from ciphersuite.info for all cipher suites and store it
+      # for batch usage.
+      # The data will be available through {enhanced_data}.
+      def enhance_all
+        fetch_ciphersuite
+        out = {}
+        @ciphersuite_all.each do |k, _v|
+          out.store(k, extend(k, true))
+        end
+        @enhanced_data = out
       end
 
-      # Retrieve advanced about a cipher on Cipher Suite Info API and enhanced it
+      # Retrieve advanced information about a cipher on Cipher Suite Info API and enhanced it.
+      # Fetch only the requested cipher suite, small network footprint, ideal for low bandwidth or punctual use.
       # @param iana_name [String] IANA cipher name
-      # @return [Hash] Hash containing advanced information. The keys are the same as {DICO}. All valeus are string
+      # @param caching [Boolean] if true will fetch info for all cipher suites the 1st time and used the cached value
+      #   for further requests
+      # @return [Hash] Hash containing advanced information. The keys are the same as {DICO}. All values are string
       #   except `vulns` which is an array of hashes containing two keys: `:severity` (integer) and `:description`
       #   (string). Each hash in `vulns` correspond to a vulnerability.
-      def extend(iana_name) # rubocop:disable Metrics/MethodLength
-        obj = Net::HTTP.get(URI("#{API_ROOT}cs/#{iana_name}/"))
-        out = JSON.parse(obj)[iana_name]
+      def extend(iana_name, caching = false) # rubocop:disable Metrics/MethodLength
+        if caching
+          fetch_ciphersuite
+          out = @ciphersuite_all[iana_name]
+        else
+          obj = Net::HTTP.get(URI("#{API_ROOT}cs/#{iana_name}/"))
+          out = JSON.parse(obj)[iana_name]
+        end
+        return {} if out.nil?
+
         out.store('vulns', [])
         %w[openssl_name gnutls_name hex_byte_1 hex_byte_2].each do |key|
           out.delete(key)
@@ -117,7 +156,7 @@ module TLSmap
         nil
       end
 
-      protected :parse_tech, :parse_vuln
+      protected :parse_tech, :parse_vuln, :fetch_ciphersuite
     end
   end
 end

data/lib/tls_map/{extractor.rb → app/extractor/extractor.rb}

@@ -3,7 +3,7 @@
 # Ruby internal
 require 'json'
 # Project internal
-require 'tls_map/cli'
+require 'tls_map/cli/cli'
 # External
 require 'rexml/document'
 
@@ -80,6 +80,26 @@ module TLSmap
       def parse(tool, file)
         # Convert string to class
         @ciphers = Object.const_get("TLSmap::App::Extractor::#{normalize(tool)}").parse(file)
+      rescue StandardError
+        warn helper(tool)
+      end
+
+      # Commands for {helper}
+      CMD = {
+        'sslyze' => 'sslyze --json_out=example.org.json example.org',
+        'sslscan2' => 'sslscan2 --show-cipher-ids --xml=example.org.xml example.org',
+        'testssl' => 'testssl --jsonfile-pretty example.org.json --mapping no-openssl --cipher-per-proto example.org',
+        'ssllabs-scan' => 'ssllabs-scan --quiet example.org > example.org.json'
+      }.freeze
+
+      # Get the external tool command used to generate the expected result format
+      # @param tool [String] Possible values: `sslyze`, `sslscan2`, `testssl`, `ssllabs-scan`
+      # @return [String] external tool command used to generate the expected result format used in input of the extract
+      #   command (CLI) / {parse} method (library)
+      def helper(tool)
+        intro = 'You may not be provinding the right format.'
+        outro = 'See https://noraj.github.io/tls-map/yard/TLSmap/App/Extractor'
+        "#{intro}\nUse this command: #{CMD[tool]}\n#{outro}"
       end
 
       # Convert cmdline tool name to Class name
@@ -87,7 +107,8 @@ module TLSmap
         tool.split('-').map(&:capitalize).join
       end
 
-      protected :normalize
+      protected :normalize, :helper
+      private_constant :CMD
 
       # Parsing SSLyze
       class Sslyze
@@ -97,7 +118,7 @@ module TLSmap
           #   See {TLSmap::App::Extractor}
           # @return [Array<String>] Cipher array (IANA names)
           def parse(file)
-            data = JSON.load_file(file)
+            data = Utils.json_load_file(file)
             extract_cipher(data)
           end
 
@@ -164,7 +185,7 @@ module TLSmap
           #   See {TLSmap::App::Extractor}
           # @return [Array<String>] Cipher array (IANA names)
           def parse(file)
-            data = JSON.load_file(file)
+            data = Utils.json_load_file(file)
             extract_cipher(data)
           end
 
@@ -214,7 +235,7 @@ module TLSmap
           #   See {TLSmap::App::Extractor}
           # @return [Array<String>] Cipher array (IANA names)
           def parse(file)
-            data = JSON.load_file(file)
+            data = Utils.json_load_file(file)
             extract_cipher(data)
           end
 

data/lib/tls_map/cli/cli.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+# Ruby internal
+require 'digest'
+
+# TLS map module
+module TLSmap
+  # Offline version of {App}
+  class CLI < App
+    INTEGRITY = '42e44f89550365da2bc8d33d87f88b65d85d6474e90f9edb65e0ea6c78f61a53' # sha2-256
+
+    # Load and parse data from marshalized hash (`data/mapping.marshal`).
+    # It must match the integrity check for security purpose.
+    # @param force [Boolean] Force parsing even if integrity check failed (DANGEROUS,
+    #   may result in command execution vulnerability)
+    def initialize(force = false) # rubocop:disable Lint/MissingSuper
+      @storage_location = 'data/'
+      @database_path = absolute_db_path('mapping.marshal')
+      database_exists?
+      @tls_map = []
+      parse(force)
+    end
+
+    # Find the absolute path of the a data file from its relative location
+    # @param filename [String] file name
+    # @return [String] absolute filename of the data file
+    def absolute_db_path(filename)
+      pn = Pathname.new(__FILE__)
+      install_dir = pn.dirname.parent.parent.parent.to_s + Pathname::SEPARATOR_LIST
+      install_dir + @storage_location + filename
+    end
+
+    # Check if the TLS database DB exists
+    # @return [Boolean] `true` if the file exists
+    def database_exists?
+      exists = File.file?(@database_path)
+      raise "Database does not exist: #{@database_path}" unless exists
+
+      exists
+    end
+
+    def parse(force = false)
+      if Digest::SHA256.file(@database_path).hexdigest == INTEGRITY || force # rubocop:disable Style/GuardClause
+        @tls_map = Marshal.load(File.read(@database_path)) # rubocop:disable Security/MarshalLoad
+      else
+        raise 'Integrity check failed, maybe be due to unvalidated database after update'
+      end
+    end
+
+    def update
+      tm = TLSmap::App.new
+      tm.export(@database_path, :marshal)
+    end
+
+    protected :database_exists?, :absolute_db_path, :parse
+
+    # Offline version of {App::Extended}
+    class Extended < App::Extended
+      INTEGRITY = '6573b7208668485e6bdd4495627f5fdbdd7f80040b277603bc42f20d16a665e7' # sha2-256
+
+      # Load and parse data from marshalized hash (`data/extended.marshal`).
+      # It must match the integrity check for security purpose.
+      # @param force [Boolean] Force parsing even if integrity check failed (DANGEROUS,
+      #   may result in command execution vulnerability)
+      def initialize(force = false) # rubocop:disable Lint/MissingSuper
+        @storage_location = 'data/'
+        @extended_path = absolute_db_path('extended.marshal')
+        @enhanced_data = {}
+        extended_exists?
+        parse(force)
+      end
+
+      # Find the absolute path of the a data file from its relative location
+      # @param filename [String] file name
+      # @return [String] absolute filename of the data file
+      def absolute_db_path(filename)
+        pn = Pathname.new(__FILE__)
+        install_dir = pn.dirname.parent.parent.parent.to_s + Pathname::SEPARATOR_LIST
+        install_dir + @storage_location + filename
+      end
+
+      # Check if the extended DB exists
+      # @return [Boolean] `true` if the files exists
+      def extended_exists?
+        exists = File.file?(@extended_path)
+        raise "Database does not exist: #{@extended_path}" unless exists
+
+        exists
+      end
+
+      def parse(force = false)
+        if Digest::SHA256.file(@extended_path).hexdigest == INTEGRITY || force # rubocop:disable Style/GuardClause
+          @enhanced_data = Marshal.load(File.read(@extended_path)) # rubocop:disable Security/MarshalLoad
+        else
+          raise 'Integrity check failed, maybe be due to unvalidated database after update'
+        end
+      end
+
+      def update
+        tmext = TLSmap::App::Extended.new
+        tmext.enhance_all
+        File.write(@extended_path, Marshal.dump(tmext.enhanced_data))
+      end
+
+      # Same as {App::Extended} but loading data from offline database, so there
+      # is no caching option.
+      # @see App::Extended
+      def extend(iana_name)
+        @enhanced_data[iana_name]
+      end
+
+      protected :extended_exists?, :absolute_db_path, :parse
+      undef_method :enhance_all, :fetch_ciphersuite, :parse_tech, :parse_vuln
+    end
+  end
+end

data/lib/tls_map/utils/utils.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# Ruby internal
+require 'net/http'
+require 'tempfile'
+require 'json'
+
+# TLS map module
+module TLSmap
+  # Generic utilities
+  module Utils
+    def self.tmpfile(name, url)
+      tmp = Tempfile.new(name)
+      tmp.write(Net::HTTP.get(URI(url)))
+      tmp.close
+      tmp
+    end
+
+    # bring JSON.load_file before ruby 3.0.0
+    # https://ruby-doc.org/stdlib-3.0.0/libdoc/json/rdoc/JSON.html#method-i-load_file
+    def self.json_load_file(filespec, opts = {})
+      if RUBY_VERSION < '3.0.0'
+        JSON.parse(File.read(filespec), opts)
+      else
+        JSON.load_file(filespec, opts)
+      end
+    end
+  end
+end

data/lib/tls_map/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TLSmap
-  VERSION = '1.3.0'
+  VERSION = '2.1.0'
 end

data/lib/tls_map.rb

@@ -4,26 +4,31 @@
 require 'pathname'
 # Project internal
 require 'tls_map/version'
-require 'tls_map/utils'
-require 'tls_map/iana'
-require 'tls_map/openssl'
-require 'tls_map/gnutls'
-require 'tls_map/nss'
-require 'tls_map/output'
-require 'tls_map/ciphersuiteinfo'
-require 'tls_map/extractor'
+require 'tls_map/utils/utils'
+require 'tls_map/app/iana'
+require 'tls_map/app/openssl'
+require 'tls_map/app/gnutls'
+require 'tls_map/app/nss'
+require 'tls_map/app/output'
+require 'tls_map/app/extended/ciphersuiteinfo'
+require 'tls_map/app/extractor/extractor'
+require 'tls_map/app/cipher/cipher'
 
 # TLS map module
 module TLSmap
   # TLS mapping
   class App
+    # Get the mapping of all TLS cipher suites
+    # @return [Hash] mapping of all TLS cipher suites
+    attr_reader :tls_map
+
     # Will automatically fetch source files and parse them.
     def initialize
-      @iana_file = tmpfile('iana', IANA_URL)
-      @openssl_file = tmpfile('openssl', OPENSSL_URL)
-      @openssl_file2 = tmpfile('openssl', OPENSSL_URL2)
-      @gnutls_file = tmpfile('gnutls', GNUTLS_URL)
-      @nss_file = tmpfile('nss', NSS_URL)
+      @iana_file = Utils.tmpfile('iana', IANA_URL)
+      @openssl_file = Utils.tmpfile('openssl', OPENSSL_URL)
+      @openssl_file2 = Utils.tmpfile('openssl', OPENSSL_URL2)
+      @gnutls_file = Utils.tmpfile('gnutls', GNUTLS_URL)
+      @nss_file = Utils.tmpfile('nss', NSS_URL)
 
       @tls_map = []
       parse
@@ -37,17 +42,42 @@ module TLSmap
     end
 
     # Search for corresponding cipher algorithms in other libraries
-    # @param critera [Symbol] The type of `term`.
+    # @param criteria [Symbol] The type of `term`.
     #   Accepted values: `:codepoint`, `:iana`, `:openssl`, `:gnutls`, `:nss`.
     # @param term [String] The cipher algorithm name.
     # @param output [Symbol] The corresponding type to be included in the return value.
     #   Accepted values: `:all` (default), `:codepoint`, `:iana`, `:openssl`,
     #   `:gnutls`, `:nss`.
     # @return [Hash] The corresponding type matching `term`.
-    def search(critera, term, output = :all)
+    def search(criteria, term, output = :all)
       @tls_map.each do |alg|
-        term = term.upcase if critera == :codepoint
-        next unless alg[critera] == term
+        term = term.upcase if criteria == :codepoint
+        next unless alg[criteria] == term
+        return alg if output == :all
+
+        return { output => alg[output] }
+      end
+      {}
+    end
+
+    # Stateless version of {App#search}.
+    # @param tls_map [Hash] mapping of all TLS cipher suites returned by {tls_map}.
+    # @param criteria [Symbol] Same as `criteria` from {TLSmap::App#search}
+    # @param term [String] Same as `term` from {TLSmap::App#search}
+    # @param output [Symbol] Same as `output` from {TLSmap::App#search}
+    # @see App#search
+    # @example
+    #   tm = TLSmap::App.new
+    #   TLSmap::App.search(tm.tls_map, :iana, 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256')
+    #   # => {:codepoint=>"CCA9", :iana=>"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+    #         :openssl=>"ECDHE-ECDSA-CHACHA20-POLY1305", :gnutls=>"ECDHE_ECDSA_CHACHA20_POLY1305",
+    #         :nss=>"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}
+    #   # or to use with the Cipher class
+    #   ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5', tm.tls_map)
+    def self.search(tls_map, criteria, term, output = :all)
+      tls_map.each do |alg|
+        term = term.upcase if criteria == :codepoint
+        next unless alg[criteria] == term
         return alg if output == :all
 
         return { output => alg[output] }
@@ -56,7 +86,7 @@ module TLSmap
     end
 
     # Search for corresponding cipher algorithms in other libraries in bulk
-    # @param critera [Symbol] The type of `term`.
+    # @param criteria [Symbol] The type of `term`.
     #   Accepted values: `:codepoint`, `:iana`, `:openssl`, `:gnutls`, `:nss`.
     # @param file [String] File containing the cipher algorithm names, one per line.
     # @param output [Symbol] The corresponding type to be included in the return value.
@@ -64,10 +94,10 @@ module TLSmap
     #   `:gnutls`, `:nss`.
     # @return [Array<Hash>] The corresponding type, same as {search} return value
     #   but one per line stored in an array.
-    def bulk_search(critera, file, output = :all)
+    def bulk_search(criteria, file, output = :all)
       res = []
       File.foreach(file) do |line|
-        res.push(search(critera, line.chomp, output))
+        res.push(search(criteria, line.chomp, output))
       end
       res
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tls-map
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Alexandre ZANNI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-09 00:00:00.000000000 Z
+date: 2022-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: docopt
@@ -52,154 +52,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '2.3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '2.3'
-- !ruby/object:Gem::Dependency
-  name: commonmarker
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.21'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.21'
-- !ruby/object:Gem::Dependency
-  name: github-markup
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.12'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '5.12'
-- !ruby/object:Gem::Dependency
-  name: minitest-skip
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.0'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: redcarpet
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.5'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.10'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.10'
-- !ruby/object:Gem::Dependency
-  name: webrick
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
-- !ruby/object:Gem::Dependency
-  name: yard
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
 description: 'CLI & library for mapping TLS cipher algorithm names: IANA, OpenSSL,
-  GnuTLS, NSS'
+  GnuTLS, NSS;get information and vulnerabilities about cipher suites;extract cipher
+  suites from external tools: SSLyze, sslscan2, testssl.sh, ssllabs-scan'
 email: alexandre.zanni@engineer.com
 executables:
 - tls-map
@@ -210,31 +65,34 @@ files:
 - LICENSE
 - bin/tls-map
 - bin/tls-map_console
+- data/extended.marshal
 - data/mapping.json
 - data/mapping.marshal
 - data/mapping.md
 - data/mapping.min.json
 - lib/tls_map.rb
-- lib/tls_map/ciphersuiteinfo.rb
-- lib/tls_map/cli.rb
-- lib/tls_map/extractor.rb
-- lib/tls_map/gnutls.rb
-- lib/tls_map/iana.rb
-- lib/tls_map/nss.rb
-- lib/tls_map/openssl.rb
-- lib/tls_map/output.rb
-- lib/tls_map/utils.rb
+- lib/tls_map/app/cipher/cipher.rb
+- lib/tls_map/app/extended/ciphersuiteinfo.rb
+- lib/tls_map/app/extractor/extractor.rb
+- lib/tls_map/app/gnutls.rb
+- lib/tls_map/app/iana.rb
+- lib/tls_map/app/nss.rb
+- lib/tls_map/app/openssl.rb
+- lib/tls_map/app/output.rb
+- lib/tls_map/cli/cli.rb
+- lib/tls_map/utils/utils.rb
 - lib/tls_map/version.rb
-homepage: https://sec-it.github.io/tls-map/
+homepage: https://noraj.github.io/tls-map/
 licenses:
 - MIT
 metadata:
   yard.run: yard
-  bug_tracker_uri: https://github.com/sec-it/tls-map/issues
-  changelog_uri: https://github.com/sec-it/tls-map/blob/master/docs/CHANGELOG.md
-  documentation_uri: https://sec-it.github.io/tls-map/yard/
-  homepage_uri: https://sec-it.github.io/tls-map/
-  source_code_uri: https://github.com/sec-it/tls-map/
+  bug_tracker_uri: https://github.com/noraj/tls-map/issues
+  changelog_uri: https://github.com/noraj/tls-map/blob/master/docs/CHANGELOG.md
+  documentation_uri: https://noraj.github.io/tls-map/yard/
+  homepage_uri: https://noraj.github.io/tls-map/
+  source_code_uri: https://github.com/noraj/tls-map/
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -246,16 +104,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.6.0
   - - "<"
     - !ruby/object:Gem::Version
-      version: '3.1'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
-summary: 'CLI & library for mapping TLS cipher algorithm names: IANA, OpenSSL, GnuTLS,
-  NSS'
+summary: CLI & library for TLS cipher suites manipulation
 test_files: []

data/lib/tls_map/cli.rb

@@ -1,57 +0,0 @@
-# frozen_string_literal: true
-
-# Ruby internal
-require 'digest'
-
-# TLS map module
-module TLSmap
-  # TLS mapping
-  class CLI < App
-    INTEGRITY = '42e44f89550365da2bc8d33d87f88b65d85d6474e90f9edb65e0ea6c78f61a53' # sha2-256
-
-    # Load and parse data from marshalized hash (`data/mapping.marshal`).
-    # It must match the integrity check for security purpose.
-    # @param force [Boolean] Force parsing even if intigrity check failed (DANGEROUS,
-    #   may result in command execution vulnerability)
-    def initialize(force = false) # rubocop:disable Lint/MissingSuper
-      @storage_location = 'data/'
-      @database_name = 'mapping.marshal'
-      @database_path = absolute_db_path
-      database_exists?
-      @tls_map = []
-      parse(force)
-    end
-
-    # Find the absolute path of the DB from its relative location
-    # @return [String] absolute filename of the DB
-    def absolute_db_path
-      pn = Pathname.new(__FILE__)
-      install_dir = pn.dirname.parent.parent.to_s + Pathname::SEPARATOR_LIST
-      install_dir + @storage_location + @database_name
-    end
-
-    # Check if the password database exists
-    # @return [Boolean] `true` if the file exists
-    def database_exists?
-      exists = File.file?(@database_path)
-      raise "Database does not exist: #{@database_path}" unless exists
-
-      exists
-    end
-
-    def parse(force = false)
-      if Digest::SHA256.file(@database_path).hexdigest == INTEGRITY || force # rubocop:disable Style/GuardClause
-        @tls_map = Marshal.load(File.read(@database_path)) # rubocop:disable Security/MarshalLoad
-      else
-        raise 'Integry check failed, maybe be due to unavalidated database after update'
-      end
-    end
-
-    def update
-      tm = TLSmap::App.new
-      tm.export(@database_path, :marshal)
-    end
-
-    protected :database_exists?, :absolute_db_path, :parse
-  end
-end

data/lib/tls_map/utils.rb

@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-# Ruby internal
-require 'net/http'
-require 'tempfile'
-
-# TLS map module
-module TLSmap
-  # Generic utilities
-  module Utils
-    def tmpfile(name, url)
-      tmp = Tempfile.new(name)
-      tmp.write(Net::HTTP.get(URI(url)))
-      tmp.close
-      tmp
-    end
-  end
-
-  # TLS mapping
-  class App
-    include Utils
-    protected :tmpfile
-  end
-end