generate_ciphers_hash

#!/usr/bin/perl -an
#?
#? NAME
#?      generate_ciphers_hash
#? SYNOPSIS
#?      generate_ciphers_hash  files
#    Recommended Usage
#?      generate_ciphers_hash /usr/local/include/openssl/{ssl2,ssl3,tls1}.h \
#?           IANA_tls-parameters.txt GnuTLS.txt result_from_openssl.txt \
#?           t.o-saft.txt
#?
#       generate_ciphers_hash /usr/local/include/openssl/{ssl2,ssl3,tls1}.h \
#            gen_IANA.csv gen_GnuTLS.txt gen_o-saft.txt gen_Schannel.csv \
#            gen_openssl-1.0.1h-V.txt gen_PolarSSL.html
#?
#? DESCRIPTION
#?      Convert various cipher definitions to perlish hash.
#?           our %ciphers = (
#?           'hex-ID' => [qw(version security Enc bits Mac ... )],
#?            ...
#?
#?      Generates following perl hashes:
#?           our %ciphers_desc
#?           our %ciphers
#?           our %cipher_names
#?           our %cipher_alias
#?
#?      Note that we also get the ciphers which are disabled,  somehow, using
#?      #if .. #endif  or alike.
#?
#?      openssl ciphers are detected using:
#?          /usr/local/bin/openssl ciphers ALL:eNULL:NULL:COMPLEMENTOFALL -V
#?      and from sources:
#?          include/openssl/{ssl2,ssl3,tls1}.h
#?      All 1.0.x versions are supported, the latest is recommended.
#?      Script supports at least 1.0.1h.
#?
#?      IANA definitions are from (as September 2013):
#?          http://www.iana.org/assignments/tls-parameters/tls-parameters.txt
#?
#?      GnuTLS definitions are from (as November 2013):
#?          http://www.gnutls.org/manual/gnutls.html#index-ciphersuites
#?
#?      As the openssl and IANA files are in disjunct formats, we can process
#?      both simultaneously.
#?
#?      IANA files in txt or csv format are treated equal. There will be no
#?      checks for duplicates or mismatches between these two files.
#?
#?      Additional informations are retrived from 'openssl ciphers -v'.
#?
#? OPTIONS
#?      --auto   try to load files automatically
#?               use --try-auto to see what can be loaded automatically
#?      --try    show which files can be loaded automatically
#?
#? EXAMPLE
#?      Extracted entries from 'openssl ciphers' look like:
#?          EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512)   Au=RSA  Enc=RC2(40)   Mac=MD5  export
#?
#?      Extracted entries from 'openssl ciphers -V' look like: 
#?          0x00,0x06 - EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
#?
#?      Extracted entries from openssl's *.h look like:
#?          #define SSL3_CK_RSA_RC4_40_MD5                   0x03000003
#?          #define SSL3_TXT_RSA_RC4_40_MD5                 "EXP-RC4-MD5"
#?          #define TLS1_CK_RSA_WITH_AES_256_SHA256          0x0300003D
#?          #define TLS1_TXT_RSA_WITH_AES_256_SHA256        "AES256-SHA256"
#?
#?      Extracted entries from IANA's tls-parameter.txt look like:
#?          0xC0,0x0D   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA   Y      [RFC4492]
#?
#?      Extracted entries from GnuTLS look like:
#?          TLS_DHE_DSS_AES_256_GCM_SHA384     0x00A3   TLS1.2
#?
#?      Extracted entries from PolarSSL look like:
#?          <td>TLS-RSA-WITH-AES-128-CBC-SHA</td>
#?          <td>AES128-SHA</td>
#?          <td>{0x00,0x2F}</td>
#?
#?      Extracted entries from Schannel-cipherSuite.csv look like:
#?          TLS_RSA_WITH_RC4_128_MD5 ,No ,TLS-1.2 TLS-1.1 TLS-1.0 SSL-3.0 ,RSA ,RC4 ,MD5
#
# Known Duplicates
#       openssl/ssl/ssl3.h
#           #define SSL3_CK_FZA_DMS_RC4_SHA                  0x0300001E
#           #define SSL3_CK_KRB5_DES_64_CBC_SHA              0x0300001E
#?
#? AUTHOR
#?      14. Januar 2014 Achim Hoffmann (at) sicsec de
#?
# -----------------------------------------------------------------------------

####
#    fehlt noch: t.NSS_cipher.list.txt
####

####
#  File from POLARSSL and NSS, cyaSSL, openssl-0.9.7 and opennsl-0.9.2
#    t.ciphersuites_PolarSSL.html
#    https://support.ca.com/cadocs/0/CA%20XCOM%20Data%20Transport%20for%20z%20OS%2012%200-ENU/Bookshelf_Files/HTML/XCOM--Administration%20Guide/How_to_use_the_System_SSL_Configuration_Parameters.html
####

# -------------------------------------------------------- initialization
BEGIN {
  $SID = '@(#) %M% %I% %E% %U%';
  $currentfile = "--undef--";
  $currentline = 0; # line per file
  $exe = '/usr/local/bin/openssl';
  $t12 = ":" . `$exe ciphers TLSv1.2`;      chomp $t12; $t12 .= ":";
  $low = ":" . `$exe ciphers LOW`;          chomp $low; $low .= ":";
  $med = ":" . `$exe ciphers MEDIUM`;       chomp $med; $med .= ":";
  $hig = ":" . `$exe ciphers HIGH`;         chomp $hig; $hig .= ":";
  $exp = ":" . `$exe ciphers EXPORT`;       chomp $exp; $exp .= ":";
  $nul = ":" . `$exe ciphers NULL:aNULL`;   chomp $nul; $nul .= ":";
  # enclose lists in : which is used as start and stop marker in match 
  %data = (
    'cipher.txt'=> { 'cnt' => 0,  'src' => "", },
    'iana.csv'  => { 'cnt' => 0,  'src' => "http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv", },
    'iana.txt'  => { 'cnt' => 0,  'src' => "http://www.iana.org/assignments/tls-parameters/tls-parameters.txt", },
    'gnutls.txt'=> { 'cnt' => 0,  'src' => "http://www.gnutls.org/manual/gnutls.html#index-ciphersuites", },
    'openssl.h' => { 'cnt' => 0,  'src' => "..../openssl/ssl/{ssl2,ssl3,tls1}.h", },
    'openssl'   => { 'cnt' => 0,  'src' => "openssl ciphers", },
    'o-saft.txt'=> { 'cnt' => 0,  'src' => "manual crafted data from o-saft.pl < 14.06", },
    'polarssl'  => { 'cnt' => 0,  'src' => "https://polarssl.org/supported-ssl-ciphersuites", },
    'schannel'  => { 'cnt' => 0,  'src' => "http://msdn.microsoft.com/en-us/library/aa374757%28VS.85%29.aspx", },
  # all following are ...
  # '0x' => 'ssl' => "", 'cst' => "", 'rfc' => "", 'dtl' => "", 'txt' => "", 'sec' => "", 'SEC' => "",
  );

  # check for command line options
  $try = "";
  $try = "echo " if (grep(/(:?--?(:?n|try))/, @ARGV) > 0);
  if (grep(/(:?--auto)/, @ARGV) > 0) {
    print "# fetching data ...\n";
    $inc = "/usr/local/include/openssl";
    $data{'cipher.txt'}{'dat'} = "";
    $data{'iana.csv'}  {'dat'} = `$try curl -s $data{'iana.csv'}->{'src'}`;
    $data{'iana.txt'}  {'dat'} = `$try curl -s $data{'iana.txt'}->{'src'}` ;
    $data{'gnutls.txt'}{'dat'} = `$try curl -s $data{'gnutls.txt'}->{'src'}` ;
    $data{'openssl.h'} {'dat'} = `$try cat $inc/ssl2.h $inc/ssl3.h $inc/tls1.h`;
    $data{'openssl'}   {'dat'} = `$try $exe ciphers -v ALL:NULL:aNULL:EXP:LOW`;
    $data{'o-saft.txt'}{'dat'} = `$try cat o-saft_ciphers.txt`;
    $data{'polarssl'}  {'dat'} = `$try curl -s $data{'polarssl'}->{'src'}`;
    $data{'schannel'}  {'dat'} = `$try curl -s $data{'schannel'}->{'src'}`;
  # ToDo: use of above data not yet implemented
  }
  if (grep(/(:?--?try)/, @ARGV) > 0) {
    print "# $_ :\n$data{$_}{'dat'}\n" foreach (keys %data);
  }
  $arg = join(" ", @ARGV);
} # BEGIN

# -------------------------------------------------------- functions
sub warn_version($$$$$$){printf STDERR "# **WARNING %s: %s: %-6s from openssl/*.h ne %s %s; ignored (%s)\n", @_; }
sub warn_value($$$$$$) { printf STDERR "# **WARNING %s: %s: %-6s value mismatch: computed '%-7s ne manual setting '%-7s; %s\n", $_[0], $_[1], $_[2], $_[3]."'", $_[4]."'", $_[5]; }
sub warn_other($$$$$$) { printf STDERR "# **WARNING %s: %s: %-6s missing value for '%-7s set to '%-7s ; (%s)\n", $_[0], $_[1], $_[2], $_[3]."'", $_[4]."'", $_[5]; }
sub _dbx { print STDERR "#dbx# ", join(" ", @_); }
sub dups {
  my ($src, $file, $nr, $line, $hex) = @_;
  print "### **WARNING: '$src:' duplicate hex constant $hex; ignore second\n";
  my $dup = 'd-' . $src;
  my $cnt = $data{$dup}->{cnt};
  $data{$dup}->{$cnt}->{ctx} = $src;       # remember current context
  $data{$dup}->{$cnt}->{src} = "$nr $file";# remember line number and file
  $data{$dup}->{$cnt}->{dat} = $line;
  $data{$dup}->{$cnt}->{hex} = $hex;
  $data{$src}->{dup}++;
}
sub set_osaft_data($$$) {
  # check if vakue is set in $yeast_pl and copy to $data if unset there
  # warn if $data is already set
  my $key = shift;
  my $hex = shift;
  my $cst = shift;
  my $n   = "<<?>>";
  %warn_text = (
    'aut'   => "Auth",
    'bit'   => "Bits",
    'cst'   => "Suite Name",
    'dtl'   => "DTLS",
    'enc'   => "Enc ",
    'key'   => "Keyx",
    'mac'   => "MAC ",
    'rfc'   => "RFC ",
    'sec'   => "Sec.",
    'ssl'   => "SSL ",
    'tag'   => "Tag ",
    'score' => "Score",
  );
#  return if (($data{$hex}{$key} == $yeast_pl{$cst}{$key}) && ($data{$hex}{$key} ne $n));
#_dbx "$hex $key - $data{$hex}{$key}\n";
#_dbx "$data{$hex}{$key} = $yeast_pl{$cst}{$key}\n" if $key eq 'tag';
  if (($yeast_pl{$cst}{$key} ne "") && ($data{$hex}{$key} ne $yeast_pl{$cst}{$key})) {
     # O-Saft has a value and is different to rest of collected data
     if(($data{$hex}{$key} ne "") && ($data{$hex}{$key} ne $n)) {
          # data already there, warn but don't change
          if ($key eq 'sec') {
              warn_value("009", $hex, $warn_text{$key}, $data{$hex}{$key}, $yeast_pl{$cst}{$key}, "overwriting ($cst)");
              $data{$hex}{$key} = $yeast_pl{$cst}{$key};
          } else {
              warn_value("008", $hex, $warn_text{$key}, $data{$hex}{$key}, $yeast_pl{$cst}{$key}, "2nd ignored ($cst)");
          }
     } else {
          $data{$hex}{$key} = $yeast_pl{$cst}{$key};
     }
  }
} # set_osaft_data

# -------------------------------------------------------- main
if ($currentfile ne $ARGV) { # new file, reset counter
   $currentfile = $ARGV;
   $currentline = 0;
}
$currentline++;
s/\r$//;                     # if we get DOS files

m/(0x..,\s*0x..)\s+(TLS_)/&&do{    # ------------- IANA tls-parameter.txt
  #    0x00,0x00   TLS_NULL_WITH_NULL_NULL                                          Y       [RFC5246]
  #    0x00,0x1C-1D Reserved to avoid conflicts with SSLv3                                  [RFC5246]
  #    0x00,0x5D-5F Unassigned
  #    0x01-BF,*   Unassigned

  # simple:
  # curl -s http://www.iana.org/assignments/tls-parameters/tls-parameters.txt \
  #  | awk '/0x.* TLS_/{ print $1":","\""$2"\","}' | sed -e 's/,0x//' -e 's/0x/0x0300/'

  $src = 'iana.txt';
  $hex = $F[0]; $hex =~ s/,0x//; $hex =~ s/0x/0x0300/; # only have SSLv3 and TLSv1.x
  $cst = $F[1]; $cst =~ s/^TLS_//;
  $dtl = $F[2];
  $rfc = $F[3]; $rfc =~ s/\]/,/g; $rfc =~ s/[RFCrf c\[\]]//g; chomp $rfc;
  if (grep(/^$hex$/, @{$data{$src}{hex}})>0) {
     dups($src, $ARGV, $currentline, "@F", $hex);
     next;
  }
  push(@{$data{$src}{hex}}, $hex);
  $data{$hex}{cst}[1] = $cst;
# $data{$hex}{ssl} = ""; # version
  $data{$hex}{dtl} = $dtl;
  $data{$hex}{rfc} = $rfc;
  if ($cst =~ m/NULL_WITH_NULL_NULL/) { # mismatch of constants in SSLv2 and SSLv3
     $hex = "0x02ff0810";
     #push(@{$data{$src}{hex}}, $hex);
     $data{$hex}{cst}[1] = $cst;
     $data{$hex}{dtl} = $dtl;
     $data{$hex}{rfc} = $rfc;
     $data{$hex}{txt} = "additional key for SSLv2 added";
  }
  if ($cst =~ m/EMPTY_RENEGOTIATION_INFO_SCSV/) {  # additional "dummy" key added
     $hex = "0x03005600";
     #push(@{$data{$src}{hex}}, $hex);
     $data{$hex}{cst}[1] = $cst;
     $data{$hex}{dtl} = $dtl;
     $data{$hex}{rfc} = $rfc;
     $data{$hex}{txt} = "additional 'dummy' key added";
  }
  $data{$src}{cnt}++;
  next;
};


m/"(0x..,\s*0x[^"]*)",(.*)/&&do{   # ------------- IANA tls-parameter-4.csv
  # "0x00,0x00",TLS_NULL_WITH_NULL_NULL,Y,[RFC5246]
  # "0x00,0x47-4F","Reserved to avoid conflicts with          "
  # "0xC0,0xAC-FF",Unassigned,, 
  # "0xC1-FD,*",Unassigned,, 

  $src = 'iana.csv';
  next if (length($1)!=9);  # skip reserved for now
  $cst = $2;
  $hex = $1;   $hex =~ s/,0x//; $hex =~ s/0x/0x0300/; # only have SSLv3 and TLSv1.x
 ($cst, $dtl, $rfc) = split(",",$cst);
  $cst =~ s/^TLS_//;
  $rfc =~ s/\]/,/g; $rfc =~ s/[RFCrfc \[\]]//g; chomp $rfc;
  if (grep(/^$hex$/, @{$data{$src}{hex}})>0) {
     dups($src, $ARGV, $currentline, "@F", $hex);
     next;
  }
  push(@{$data{$src}{hex}}, $hex);
  $data{$hex}{cst}[1] = $cst;
# $data{$hex}{ssl} = ""; # version
  $data{$hex}{dtl} = $dtl;
  $data{$hex}{rfc} = $rfc;
  if ($cst =~ m/NULL_WITH_NULL_NULL/) { # mismatch of constants in SSLv2 and SSLv3
     $hex = "0x02ff0810";
     #push(@{$data{$src}{hex}}, $hex);
     $data{$hex}{cst}[1] = $cst;
     $data{$hex}{dtl} = $dtl;
     $data{$hex}{rfc} = $rfc;
     $data{$hex}{txt} = "additional key for SSLv2 added";
  }
  if ($cst =~ m/EMPTY_RENEGOTIATION_INFO_SCSV/) {  # additional "dummy" key added
     $hex = "0x03005600";
     #push(@{$data{$src}{hex}}, $hex);
     $data{$hex}{cst}[1] = $cst;
     $data{$hex}{dtl} = $dtl;
     $data{$hex}{rfc} = $rfc;
     $data{$hex}{txt} = "additional 'dummy' key added";
  }
  $data{$src}{cnt}++;
  next;
};


# following match conflict with GNUTLS and Schannel below
m/(SSL2|SSL3|TLS1)_(CK|TXT)/&&do{  # ------------- openssl/ssl/*.h
  # #define SSL2_CK_NULL_WITH_MD5     0x02000000 /* v3 */   # ==> $idx=0
  # #define SSL2_TXT_NULL_WITH_MD5    "NULL-MD5"            # ==> $idx=1

  # must be stored in private hash because various lines from the file
  # are merged using the constant name

  $src = "openssl.h";
  $ssl = $1; $ssl =~ s/(.)$/v$1/;
  $ssl =~ s/[.]//;
  $ssl =~ s/^TLSv?1$/TLSv10/;
  $idx = 1;
  $idx = 0 if ($F[1] =~ /^...._CK/);
  $cst = $F[1];
  $cst =~ s/^...._(CK|TXT)_//;
  $txt = $F[2];
  $txt =~ s/["']//g; # feed stupid editors '"
  if (m/FZA_DMS_RC4_SHA/) {                     # duplicate definition, still present in ssl3.h but encapsulated in #if 0
     # #define SSL3_CK_FZA_DMS_RC4_SHA   "0x0300001E"
     # #define SSL3_TXT_FZA_DMS_RC4_SHA	 "FZA-RC4-SHA"
     print STDERR "# **WARNING 001: $txt: duplicate value (in ssl*h) '$txt' changed to '0x0300001e' ($cst)'\n";
     print if m/0x0300001e/;
     $txt =~ s/0300001E/0300001e/;              # we use lowercase e so that there are two perl hash entries
  }
  if ($idx == 0) { # _CK_
     $hex = $txt;
     $opensslh{$cst}{hex} = $hex;
     if (grep(/^$hex$/, @{$data{$src}{hex}})>0) {
        dups($src, $ARGV, $currentline, "@F", $hex);
        next;
     }
     push(@{$data{$src}{hex}}, $hex);
     $data{$hex}{cst}[0] = $cst;
  }
  if ($idx == 1) { # _TXT_
     # need to use private hash, as index is the constant name
     $ssl = "TLSv12"  if ($t12 =~ m/:$txt:/);
     $opensslh{$cst}{ssl} = $ssl;
     $opensslh{$cst}{txt} = $txt;
     $sec = "<<?>>";  # undefined
     $sec = "HIGH"      if ($hig =~ m/:$txt:/);
     $sec = "MEDIUM"    if ($med =~ m/:$txt:/);
     $sec = "LOW"       if ($low =~ m/:$txt:/);
     $opensslh{$cst}{SEC} = $sec;
     $sec = "WEAK"      if ($txt =~ m/EXP/);            # all EXPORT are weak
     $sec = "weak"      if ($txt =~ m/NULL/);           # anything with NULL encryption or Auth is weak
     $sec = "weak"      if ($txt =~ m/ADH|DH_anon/);    # anything with anon is weak
     if ($sec eq "_") { # no match so far
        $sec = "low"    if ($txt =~ m/CBC-/);           # DES considered low
        $sec = "medium" if ($txt =~ m/DH-...-SEED-SHA/);#  according DHE-*-SEED-SHA
        $sec = "high"   if ($txt =~ m/3DES|CBC3/);      # anything 3DES considered high
        $sec = "high"   if ($txt =~ m/AES(128|256)/);   # any AES* considered high
        $sec = "high"   if ($txt =~ m/CAMELLIA/);       # any CAMELLIA* considered high
        $sec = "weak"   if ($txt =~ m/[_-]RC4[_-]/);    # all RC4 since November 2013
       #$sec = "high"   if ($txt =~ m/RC4-SHA/);        # 
     }
     $opensslh{$cst}{sec} = $sec;
  }
  $data{$src}{cnt}++;
  next;
};


m/^[A-Z][A-Z0-9-]+/&&do{           # ------------- openssl ciphers -v
  $src = "openssl";
  #% /opt/tools/openssl/1.0.1f/apps/openssl ciphers -v :ALL:NULL
  # DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
  # EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512)   Au=RSA  Enc=RC2(40)   Mac=MD5  export
  # ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1

  # must be stored in private hash because we don not get a hex constant
  # merged will be done at END{}

 ($cst, $ssl, $key, $aut, $enc, $mac, $tag) = split(/\s+/);
  #next if(...); # no next here as GnuTLS has the same line format
  if ($mac ne "") { # line from 'openssl ciphers -v'
     ($enc, $bit) = split(/\(/,$enc);
     $ssl =~ s/[.]//;
     $enc =~ s/^([^=]*=)//;
     $mac =~ s/^([^=]*=)//;
     $aut =~ s/^([^=]*=)//;
     $key =~ s/^([^=]*=)//;
     $bit =~ s/[)]//g;
     $bit = "0" if ($enc =~ m/None/);
     $data{$src}{cnt}++;
     $opensslv{$cst}{ssl} = $ssl;
     $opensslv{$cst}{enc} = $enc;
     $opensslv{$cst}{bit} = $bit;
     $opensslv{$cst}{mac} = $mac;
     $opensslv{$cst}{key} = $key;
     $opensslv{$cst}{aut} = $aut;
     $opensslv{$cst}{tag} = $tag;
     next;
  }
};


m/^\s+'[A-Z][A-Z0-9-]+'/&&do{      # ------------- O-Saft
  $src = "o-saft.txt";
  # data structure as used in O-Saft until version 14.1.14
  #  'DHE-RSA-AES256-GCM'    => [qw( high TLSv12 AESGCM 256 AEAD RSA   DH         11 :)],
  #  #(array fields)#  0     1  2       3   4       5    6   7    8     9         10  11
  #  'ADH-SEED-SHA'          => [qw(MEDIUM SSLv3 SEED   128 SHA1 None  DH         11 "")],
  #  'ECDH-ECDSA-DES-CBC3-SHA'=>[qw(  HIGH SSLv3 3DES   168 SHA1 ECDSA ECDH/ECDSA 11 :)], # (from openssl-1.0.0d)

  # must be stored in private hash because we don not get a hex constant
  # merge will be done at END{}

  #next if(...); # no next here as GnuTLS has the same line format
  $txt = "@F";
  $txt =~ s/(-\?-)/<<?>>/g;    # replace old by new text for "unknown"
  $txt =~ s/'=>/' =>/g;        # add missing space
  $txt =~ s/>\[/> [/g;         # add missing space
  $txt =~ s/qw\(([^\s])/qw( $1/g; # add missing space ;) 
  @f = split(/\s+/,$txt);
  $cst = $f[0]; $cst =~ s/'//g; # remove '
  if ($#f > 9) { # line from 'o-saft.pl'
     $ssl = $f[4]; $ssl =~ s/[.]//;
     $tag = $f[11];
     $tag =~ s/:?[)\]\s*,]//g;
     $bit = "0" if ($enc =~ m/None/);
     $data{$src}{cnt}++;
     $opensslh{$cst}{ssl} = $ssl;
     $yeast_pl{$cst}{sec} = $f[3];
     $yeast_pl{$cst}{enc} = $f[5];
     $yeast_pl{$cst}{bit} = $f[6];
     $yeast_pl{$cst}{mac} = $f[7];
     $yeast_pl{$cst}{aut} = $f[8];
     $yeast_pl{$cst}{key} = $f[9];
     $yeast_pl{$cst}{score} = $f[10];
     $yeast_pl{$cst}{tag} = $tag;
     next;
  }
};


m/^\s+'(0x[A-Fa-f0-9-]+)'\s*=>\s*\[qw.([^\s]+).*/&&do{ # O-Saft cipher_names
  $hex = $1;
  $cst = $2;
  print STDERR "# **WARNING 007: $hex: O-Saft.txt '$hex' alreday set\n" if ($yeast_pl{$cst}{hex} ne "");
  $x{$hex} = $cst;
  $z{$cst} = $hex;
  $yeast_pl{$cst}{hex} = $hex;
# ToDo:
#_dbx "$hex  = $cst\n";
##  if (${$data{$hex}{cst}}[0] eq "") {
##_dbx "$hex  = $cst\n";
##    ${$data{$hex}{cst}}[0] = $cst;
##  }
  next;
};


# following match conflict with Schannel below
m/^\s*(SSL|TLS)_/&&do{             # ------------- GnuTLS-ciphersuites.txt
  # TLS_RSA_NULL_MD5    0x0001  SSL3.0
  # TLS_DHE_DSS_AES_256_GCM_SHA384     0x00A3   TLS1.2

  $src = "gnutls.txt";
 ($cst, $hex, $ssl) = split(/\s+/);
  $cst =~ s/^(TLS|SSL)_//;
  next if ($hex!~m/^0x/);      # avoid match in other files
  next if ($ssl!~m/^(SSL|TLS)/);  # ''
  $hex =~ s/0x/0x0300/;        # only have SSLv3 and TLSv1.x
  $ssl =~ s/SSL2(.*)/SSLv2/;
  $ssl =~ s/SSL3(.*)/SSLv3/;
  $ssl =~ s/TLS1(.*)/TLSv1$1/;
  $ssl =~ s/[.]//;
  if (grep(/^$hex$/, @{$data{$src}{hex}})>0) {
      dups($src, $ARGV, $currentline, "@F", $hex);
      next;
  }
  push(@{$data{$src}{hex}}, $hex);
  $data{$hex}{cst}[3] = $cst;
  $data{$hex}{ssl} = $ssl;
  $data{$src}{cnt}++;
  next;
};
#print "$hex $src ". join(" ",@{$data{'gnutls.txt'}{hex}}) ."\n";
$src = '-undef-';


m/^\s*<td>([^<]*)<\td>\s*$/&&do{   # ------------- PolarSSL-ciphersuites.html
  #  <td>TLS-RSA-WITH-AES-128-CBC-SHA</td>
  #  <td>AES128-SHA</td>
  #  <td>{0x00,0x2F}</td>
  $src = "polarssl";
# $data{$hex}{cst}[4] = $cst;
};


m/^\s*(SSL_CK|TLS)_/&&do{          # ------------- Schannel-cipherSuite.csv
  # TLS_RSA_WITH_AES_128_CBC_SHA256 ,Yes ,TLS-1.2 ,RSA ,AES ,SHA256
  $src = "schannel";
# $data{$hex}{cst}[5] = $cst;
};


# -------------------------------------------------------- generation
END {
  ($s,$m,$h,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
  $mon++; $year+=1900 if ($year > 99);
  print "# ", "="x77, "{\n";
  print "# generated by %M% %I%, $mday.$mon.$year $h:$m\n";
  print "#    $arg \n\n";
  print <<'EoT';
our %ciphers_desc   = ( # description of following %ciphers table
    'head'      => [qw(version openssl sec enc  bits mac auth keyx score DTLS score tags)],
                        # abbreviations used by openssl:
                        # SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
                        # Kx=  key exchange (DH is diffie-hellman)
                        # Au=  authentication
                        # Enc= encryption with bit size
                        # Mac= mac encryption algorithm
    'text'      => [ # full description of each column in 'ciphers' below
        'SSL Version',  # collected from various inputs
        'Security',     # LOW, MEDIUM, HIGH as reported by openssl 1.0.1f
                        # WEAK as reported by openssl 1.0.1f as EXPORT
        'O-Saft Sec.',  # adaption to openssl's security
                        # weak unqualified by openssl or know vulnerable
                        # Note: weak includes NONE (no security at all)

                        # following informations as reported by openssl 1.0.1f
        'SSL/TLS',      # Protocol Version:
                        # SSLv2, SSLv3, TLSv1, TLSv11, TLSv12, TLSv13, DTLS0.9, DTLS1.0, PCT
                        # Note: all SSLv3 are also TLSv1, TLSv11, TLSv12
                        # (cross-checked with sslaudit.ini)
        'Encryption Algorithm', # None, AES, AESCCM, AESGCM, CAMELLIA, DES, 3DES, FZA, IDEA, RC4, RC2, SEED, ...
        'Key Size',     # in bits
        'MAC Algorithm',# AEAD, MD5, SHA1, SHA256, SHA384
        'Authentication',   # None, ECDH, ECDSA, DSS, KRB5, PSK, RSA
        'Key Exchange', # DH, ECDH, ECDH/ECDSA, ECDH/RSA, KRB5, PSK, RSA, SRP
                        # last column is a : separated list (only export from openssl)
                        # different versions of openssl report  ECDH or ECDH/ECDSA

                        # additional informations
        'DTLS',         # Y or N describing if cipher is valid for DTLS1.x
        'score',        # score value as defined in sslaudit.ini (0, 20, 80, 100)
                        # additionally following sores are used:
                        #   2: have been 20 in sslaudit.ini
                        #   1: assumed weak security
                        #  11: unknown, assumed weak security
                        #  81: unknown, assumed MEDIUM security
                        #  91: unknown, assumed HIGH security
        'tags',         # export  as reported by openssl 0.9.8 .. 1.0.1h
                        # OSX     on Mac OS X only
                        # :    (colon) is empty marker (need for other tools
        ],
); # %ciphers_desc

EoT
  $l = "#!#---------------+-------+-------+-------+-------+-----+-------+-------+----------+----+-----+-----+";
  $h = "#!#  hex ID => [   version o-saft  openssl enc     bits  mac     auth    keyx       DTLS score tags ],";
  print <<EoT;
our %ciphers = (
    $l
    $h
    $l
EoT
  $n = "<<?>>";
  foreach $hex (sort keys %x) { 
     #dbx just a check# print "$hex = $x{$hex}   -- $data{$hex}{cst}[0]\n";
#_dbx "$hex exists\n" if defined $data{$hex};
    $cst = $x{$hex};
    if (defined $data{$hex}) {
#print STDERR join(" ", %{$data{$hex}}) . "\n";
# ToDo   _dbx "$hex $cst exists $data{$hex}{cst}[0].\n";
    } else {
# ToDo   _dbx "$hex $cst does not exists in \$data\n";
    }
  }
  foreach $hex (sort keys %data) { 
     next if ($hex!~m/^0x/);
     foreach $c (@{$data{$hex}{cst}}) {  # find data from openssl and merge
         next if ($opensslh{$c}{hex} ne $hex);
         # data from openssl/*.h is index by constant name
         $data{$hex}{sec} = $opensslh{$c}{sec};
         $data{$hex}{SEC} = $opensslh{$c}{SEC};
         $data{$hex}{txt} = $opensslh{$c}{txt};
         # data from 'openssl ciphers' is index by suite name
         $t = $opensslh{$c}{txt};
         $data{$hex}{bit} = $opensslv{$t}{bit};
         $data{$hex}{enc} = $opensslv{$t}{enc};
         $data{$hex}{mac} = $opensslv{$t}{mac};
         $data{$hex}{key} = $opensslv{$t}{key};
         $data{$hex}{aut} = $opensslv{$t}{aut};
         $data{$hex}{tag} = $opensslv{$t}{tag};
         $opensslv{$t}{done} = 1;
         if (defined $opensslh{$c}{ssl}) {
            if ($data{$hex}{ssl} ne "") {
               # lazy check: SSLv3 and TLSv1.0 are the same
               warn_version("006", $hex, $opensslh{$c}{ssl}, "IANA $data{$hex}{ssl}", "", $c) if (($data{$hex}{ssl} ne $opensslh{$c}{ssl}) and ($data{$hex}{ssl} ne "SSLv3"));
            } else {
               $data{$hex}{ssl} = $opensslh{$c}{ssl};
            }
            if (defined $opensslv{$t}{ssl}) {
               warn_version("005", $hex, $opensslh{$c}{ssl}, "openssl ciphers $opensslv{$t}{ssl}", "", $c) if (($opensslh{$c}{ssl} ne $opensslv{$t}{ssl}) and ($opensslv{$t}{ssl} ne "SSLv3"));
            }
         }
         $data{$hex}{tag} .= "," . $opensslv{$t}{tag} if (($data{$hex}{tag} ne "") && ($opensslv{$t}{tag} !~ m/$data{$hex}{tag}/));
         # data from old O-Saft
         if (($yeast_pl{$t}{enc} ne "") && ($data{$hex}{enc} !~ m/$yeast_pl{$t}{enc}/i)) {
             if(($data{$hex}{enc} ne "") && ($data{$hex}{enc} ne $n)) {
                 warn_value("004", $hex, "Enc ",  $data{$hex}{enc}, $yeast_pl{$t}{enc}, "ignored ($c)");
             } else {
                 $data{$hex}{enc} = $yeast_pl{$t}{enc};
             }
         }
         #set_osaft_data('enc',   $hex, $t);
         set_osaft_data('ssl',   $hex, $t);
         set_osaft_data('sec',   $hex, $t);
         set_osaft_data('bit',   $hex, $t);
         set_osaft_data('mac',   $hex, $t);
         set_osaft_data('aut',   $hex, $t);
         set_osaft_data('key',   $hex, $t);
         set_osaft_data('tag',   $hex, $t);
         set_osaft_data('score', $hex, $t);
         $yeast_pl{$t}{done} = 1;
         # cleanup
         if ($data{$hex}{dtl} !~ /[YN]/) {
             warn_other("003", $hex, $data{$hex}{ssl}, "DTLS", "n", $data{$hex}{txt});
             $data{$hex}{dtl} = "n";
         }

     }
     if ($hex =~ m/030000(00|FF)$/) { # *00 and *FF aka SSL3_CK_SCSV is not a cipher, just a marker
        $data{$hex}{ssl} = "-";
        $data{$hex}{sec} = "-";
        $data{$hex}{SEC} = "-";
        $data{$hex}{enc} = "-";
        $data{$hex}{bit} = "0";
        $data{$hex}{mac} = "-";
        $data{$hex}{aut} = "-";
        $data{$hex}{key} = "-";
        $data{$hex}{score} = "99";
        $data{$hex}{tag} = ""; # Signaling Cipher Suite Value
     }
# ToDo: hier  0x03000000 mit Werten von 0x02ff0810 fuellen
         # adjust security
         if ($data{$hex}{sec} eq $n) {
             $data{$hex}{sec} = "HIGH"   if ($data{$hex}{bit} > 167);
             $data{$hex}{sec} = "MEDIUM" if ($data{$hex}{bit} < 168);
             $data{$hex}{sec} = "LOW"    if ($data{$hex}{bit} < 128);
             $data{$hex}{sec} = "WEAK"   if ($data{$hex}{bit} <  56);
         }
     printf"   '%s' => [qw(%-7s %-7s %-7s %-8s %4s %-7s %-7s %-10s %4s %4s %s)], # %s\n", $hex,
         $data{$hex}{ssl}||$n,$data{$hex}{sec}||$n,$data{$hex}{SEC}||$n,
         $data{$hex}{enc}||$n,$data{$hex}{bit}||0 ,$data{$hex}{mac}||$n,
         $data{$hex}{aut}||$n,$data{$hex}{key}||$n,$data{$hex}{dtl}||$n,
         $data{$hex}{score}||"0",$data{$hex}{tag}||":", $data{$hex}{txt};
    $data{'hex'}->{cnt}++;
  }
  foreach $cst (sort keys %y) { 
# _dbx " y= $cst\n" if $yeast_pl{$cst}{done} != 1;
    next if $yeast_pl{$cst}{done} == 1;
# _dbx " z= $z{$cst}\n" if $yeast_pl{$cst}{done} != 1;
if (0 == 1) {
         set_osaft_data('ssl',   $hex, $t);
         set_osaft_data('sec',   $hex, $t);
         set_osaft_data('bit',   $hex, $t);
         set_osaft_data('mac',   $hex, $t);
         set_osaft_data('aut',   $hex, $t);
         set_osaft_data('key',   $hex, $t);
         set_osaft_data('tag',   $hex, $t);
         set_osaft_data('score', $hex, $t);
}
  }

  print "    $l\n   #cipher hex  = $data{'hex'}{cnt}\n); # %ciphers\n\n";

#  $data{'cipher name'}->{cnt}++;

  print <<'EoT';
# each function returns a spcific value (column) from the %cipher table
# see %ciphers_desc about description of the columns
sub get_cipher_ssl($)  { my $c=shift; return $ciphers{$c}[0] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_ooo($)  { my $c=shift; return $ciphers{$c}[1] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_sec($)  { my $c=shift; return $ciphers{$c}[2] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_enc($)  { my $c=shift; return $ciphers{$c}[3] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_bits($) { my $c=shift; return $ciphers{$c}[4] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_mac($)  { my $c=shift; return $ciphers{$c}[5] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_auth($) { my $c=shift; return $ciphers{$c}[6] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_keyx($) { my $c=shift; return $ciphers{$c}[7] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_dtls($) { my $c=shift; return $ciphers{$c}[8] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_score($){ my $c=shift; return $ciphers{$c}[9] || "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_tags($) { my $c=shift; return $ciphers{$c}[10]|| "" if (grep(/^$c/, %ciphers)>0); return ""; }
sub get_cipher_desc($) { my $c=shift; my @c = @{$ciphers{$c}}; shift @c; return @c if (grep(/^ $c/, %ciphers)>0); return ""; }
sub get_cipher_hex($)  {
    # find hex key for cipher in %cipher_names or %cipher_alias
    my $c = shift;
    my $k = "";
    foreach $k (keys %cipher_names) { # database up to VERSION 14.07.14
        return $k if (($cipher_names{$k}[0] eq $c) or ($cipher_names{$k}[1] eq $c));
    }
    foreach $k (keys %cipher_alias) { # not yet found, check for alias
        return $k if ($cipher_alias{$k}[0] eq $c);
    }
    return "";
} # get_cipher_hex

EoT

  print <<EoT;
our %cipher_names = (
    # NOTE: all prefixes SSL2_, SSL3_, TLS1_, TLS_ have been removed from contstant names
    # this is a generated list, please use 'o-saft.pl +list-names' for pretty printing
EoT
  $n = "openssl, IANA, GnuTLS, Schannel, PolarSSL";
  if ($pretty_print) {
      printf"    #!#------------+%s+%s+\n","-"x31,"-"x50;
      printf"    #!#  hex ID => [%-31s %s ],\n","(openssl) cipher suite name,","(constant names) $n, RFCs";
      printf"    #!#------------+%s+%s+\n","-"x31,"-"x50;
  } else {
      print "    #!#  hex ID => [(openssl) cipher suite name, (constant names) $n, RFCs]\n";
  }
  foreach $hex (sort keys %data) {
     next if ($hex!~m/^0x/);
     my $i = 0;
     $data{$hex}{cst}[$i++] = '"' . $_ . '"' foreach (@{$data{$hex}{cst}}); # enclose in double quotes
     $data{$hex}{rfc} =~ s/[, ]$//g; # remove trailing chars
     $n = '"' . $data{$hex}{txt} . '"';
     if ($pretty_print) {
       printf"   '%s' => [%-32s", $hex,"$n,";
       printf"%-40s", "$_," foreach (@{$data{$hex}{cst}}); # same as before but pretty printed
     } else {
       printf"   '%s'=>[%s", $hex,"$n,";
       printf"%s,", $data{$hex}{cst}[$_] foreach (0..2); # perl is clever enough for trailing , in array
       printf'"%s",', $data{$hex}{rfc};
     }
     printf"],\n";
  }
  printf"    #!#------------+%s+%s+\n","-"x31,"-"x50 if ($pretty_print);
  print "); # %cipher_names\n\n";

  print <<'EoT';
sub get_cipher_suitename($)     { return $cipher_names{$h}[0]; } # i.g. openssl
sub get_cipher_cst_openssl($)   { return $cipher_names{$h}[1]; } # i.g. openssl.h
sub get_cipher_cst_iana($)      { return $cipher_names{$h}[2]; }
sub get_cipher_cst_gnutls($)    { return $cipher_names{$h}[3]; }
sub get_cipher_cst_schannel($)  { return $cipher_names{$h}[4]; }
sub get_cipher_cst_polarssl($)  { return $cipher_names{$h}[5]; }
sub get_cipher_cst_rfc($)       { return $cipher_names{$h}[6]; }
EoT

  print "# found data:\n";
  foreach $c (sort keys %data) {
      next if ($c =~ m/^0x/);
      print "#   $c\t= $data{$c}{cnt}\n";
  }
  print "# **WARNING: missung IANA       data; expect data from: $data{'iana.txt'}->{src}\n"   if (0==$data{'iana.txt'}->{cnt});
  print "# **WARNING: missung openssl.h  data; expect data from: $data{'openssl.h'}->{src}\n"  if (0==$data{'openssl.h'}->{cnt});
  print "# **WARNING: missung openssl    data; expect data from: $data{'openssl'}->{src}\n"    if (0==$data{'openssl'}->{cnt});
  print "# **WARNING: missung old O-Saft data; expect data from: $data{'o-saft.txt'}->{src}\n" if (0==$data{'o-saft.txt'}->{cnt});
  print "# **WARNING: missung GnuTLS     data; expect data from: $data{'gnutls.txt'}->{src}\n" if (0==$data{'gnutls.txt'}->{cnt});
  print "# ", "="x77, "}\n";
} # END