mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-22 02:21:40 +01:00
Fixed most warnings from Shellcheck scans. (#197)
This commit is contained in:
parent
38f9c21760
commit
953683a762
@ -34,10 +34,10 @@
|
|||||||
PLATFORM="$(uname -s)"
|
PLATFORM="$(uname -s)"
|
||||||
|
|
||||||
# This script is intended for use on Cygwin only.
|
# This script is intended for use on Cygwin only.
|
||||||
case "$PLATFORM" in
|
case "${PLATFORM}" in
|
||||||
CYGWIN*) ;;
|
CYGWIN*) ;;
|
||||||
*)
|
*)
|
||||||
echo "Platform not supported ($PLATFORM). This must be run in Cygwin only."
|
echo "Platform not supported (${PLATFORM}). This must be run in Cygwin only."
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -78,13 +78,14 @@ git checkout src/ssh_audit/globals.py 2> /dev/null
|
|||||||
|
|
||||||
# Update the man page.
|
# Update the man page.
|
||||||
./update_windows_man_page.sh
|
./update_windows_man_page.sh
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
|
if [[ ${retval} != 0 ]]; then
|
||||||
echo "Failed to run ./update_windows_man_page.sh"
|
echo "Failed to run ./update_windows_man_page.sh"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Do all operations from this point from the main source directory.
|
# Do all operations from this point from the main source directory.
|
||||||
pushd src/ssh_audit > /dev/null
|
pushd src/ssh_audit || exit > /dev/null
|
||||||
|
|
||||||
# Delete the existing VERSION variable and add the value that the user entered, above.
|
# Delete the existing VERSION variable and add the value that the user entered, above.
|
||||||
sed -i '/^VERSION/d' globals.py
|
sed -i '/^VERSION/d' globals.py
|
||||||
@ -109,8 +110,9 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Ensure that the version string doesn't have '-dev' in it.
|
# Ensure that the version string doesn't have '-dev' in it.
|
||||||
X=`dist/ssh-audit.exe | grep -E 'ssh-audit.exe v.+\-dev'` > /dev/null
|
dist/ssh-audit.exe | grep -E 'ssh-audit.exe v.+\-dev' > /dev/null
|
||||||
if [[ $? == 0 ]]; then
|
retval=$?
|
||||||
|
if [[ ${retval} == 0 ]]; then
|
||||||
echo -e "\nError: executable's version number includes '-dev'."
|
echo -e "\nError: executable's version number includes '-dev'."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@ -121,5 +123,5 @@ rm -rf build/ ssh-audit.spec ssh-audit.py
|
|||||||
# Reset the changes we made to globals.py.
|
# Reset the changes we made to globals.py.
|
||||||
git checkout globals.py 2> /dev/null
|
git checkout globals.py 2> /dev/null
|
||||||
|
|
||||||
popd > /dev/null
|
popd || exit > /dev/null
|
||||||
exit 0
|
exit 0
|
||||||
|
277
docker_test.sh
277
docker_test.sh
@ -28,8 +28,8 @@ IMAGE_NAME=positronsecurity/ssh-audit-test-framework
|
|||||||
|
|
||||||
# Terminal colors.
|
# Terminal colors.
|
||||||
CLR="\033[0m"
|
CLR="\033[0m"
|
||||||
RED="\033[0;31m"
|
#RED="\033[0;31m"
|
||||||
YELLOW="\033[0;33m"
|
#YELLOW="\033[0;33m"
|
||||||
GREEN="\033[0;32m"
|
GREEN="\033[0;32m"
|
||||||
REDB="\033[1;31m" # Red + bold
|
REDB="\033[1;31m" # Red + bold
|
||||||
YELLOWB="\033[1;33m" # Yellow + bold
|
YELLOWB="\033[1;33m" # Yellow + bold
|
||||||
@ -38,7 +38,7 @@ GREENB="\033[1;32m" # Green + bold
|
|||||||
# Program return values.
|
# Program return values.
|
||||||
PROGRAM_RETVAL_FAILURE=3
|
PROGRAM_RETVAL_FAILURE=3
|
||||||
PROGRAM_RETVAL_WARNING=2
|
PROGRAM_RETVAL_WARNING=2
|
||||||
PROGRAM_RETVAL_CONNECTION_ERROR=1
|
#PROGRAM_RETVAL_CONNECTION_ERROR=1
|
||||||
PROGRAM_RETVAL_GOOD=0
|
PROGRAM_RETVAL_GOOD=0
|
||||||
|
|
||||||
|
|
||||||
@ -58,21 +58,21 @@ check_if_docker_image_exists() {
|
|||||||
# Uncompresses and compiles the specified version of Dropbear.
|
# Uncompresses and compiles the specified version of Dropbear.
|
||||||
compile_dropbear() {
|
compile_dropbear() {
|
||||||
version=$1
|
version=$1
|
||||||
compile 'Dropbear' "$version"
|
compile "Dropbear" "$version"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Uncompresses and compiles the specified version of OpenSSH.
|
# Uncompresses and compiles the specified version of OpenSSH.
|
||||||
compile_openssh() {
|
compile_openssh() {
|
||||||
version=$1
|
version=$1
|
||||||
compile 'OpenSSH' "$version"
|
compile "OpenSSH" "$version"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Uncompresses and compiles the specified version of TinySSH.
|
# Uncompresses and compiles the specified version of TinySSH.
|
||||||
compile_tinyssh() {
|
compile_tinyssh() {
|
||||||
version=$1
|
version=$1
|
||||||
compile 'TinySSH' "$version"
|
compile "TinySSH" "$version"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -84,31 +84,31 @@ compile() {
|
|||||||
uncompress_options=
|
uncompress_options=
|
||||||
source_dir=
|
source_dir=
|
||||||
server_executable=
|
server_executable=
|
||||||
if [[ $project == 'OpenSSH' ]]; then
|
if [[ $project == "OpenSSH" ]]; then
|
||||||
tarball="openssh-${version}.tar.gz"
|
tarball="openssh-${version}.tar.gz"
|
||||||
uncompress_options="xzf"
|
uncompress_options="xzf"
|
||||||
source_dir="openssh-${version}"
|
source_dir="openssh-${version}"
|
||||||
server_executable=sshd
|
server_executable=sshd
|
||||||
elif [[ $project == 'Dropbear' ]]; then
|
elif [[ $project == "Dropbear" ]]; then
|
||||||
tarball="dropbear-${version}.tar.bz2"
|
tarball="dropbear-${version}.tar.bz2"
|
||||||
uncompress_options="xjf"
|
uncompress_options="xjf"
|
||||||
source_dir="dropbear-${version}"
|
source_dir="dropbear-${version}"
|
||||||
server_executable=dropbear
|
server_executable=dropbear
|
||||||
elif [[ $project == 'TinySSH' ]]; then
|
elif [[ $project == "TinySSH" ]]; then
|
||||||
tarball="${version}.tar.gz"
|
tarball="${version}.tar.gz"
|
||||||
uncompress_options="xzf"
|
uncompress_options="xzf"
|
||||||
source_dir="tinyssh-${version}"
|
source_dir="tinyssh-${version}"
|
||||||
server_executable='build/bin/tinysshd'
|
server_executable="build/bin/tinysshd"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Uncompressing ${project} ${version}..."
|
echo "Uncompressing ${project} ${version}..."
|
||||||
tar $uncompress_options "$tarball"
|
tar $uncompress_options "$tarball"
|
||||||
|
|
||||||
echo "Compiling ${project} ${version}..."
|
echo "Compiling ${project} ${version}..."
|
||||||
pushd "$source_dir" > /dev/null
|
pushd "$source_dir" || exit > /dev/null
|
||||||
|
|
||||||
# TinySSH has no configure script... only a Makefile.
|
# TinySSH has no configure script... only a Makefile.
|
||||||
if [[ $project == 'TinySSH' ]]; then
|
if [[ $project == "TinySSH" ]]; then
|
||||||
make -j 10
|
make -j 10
|
||||||
else
|
else
|
||||||
./configure && make -j 10
|
./configure && make -j 10
|
||||||
@ -120,7 +120,7 @@ compile() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo -e "\n${GREEN}Successfully built ${project} ${version}${CLR}\n"
|
echo -e "\n${GREEN}Successfully built ${project} ${version}${CLR}\n"
|
||||||
popd > /dev/null
|
popd || exit > /dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -130,11 +130,11 @@ create_docker_image() {
|
|||||||
TMP_DIR=$(mktemp -d /tmp/sshaudit-docker-XXXXXXXXXX)
|
TMP_DIR=$(mktemp -d /tmp/sshaudit-docker-XXXXXXXXXX)
|
||||||
|
|
||||||
# Copy the Dockerfile and all files in the test/docker/ dir to our new temp directory.
|
# Copy the Dockerfile and all files in the test/docker/ dir to our new temp directory.
|
||||||
find test/docker/ -maxdepth 1 -type f -exec cp -t "$TMP_DIR" '{}' +
|
find test/docker/ -maxdepth 1 -type f -exec cp -t "$TMP_DIR" "{}" +
|
||||||
|
|
||||||
# Make the temp directory our working directory for the duration of the build
|
# Make the temp directory our working directory for the duration of the build
|
||||||
# process.
|
# process.
|
||||||
pushd "$TMP_DIR" > /dev/null
|
pushd "$TMP_DIR" || exit > /dev/null
|
||||||
|
|
||||||
# Get the release keys.
|
# Get the release keys.
|
||||||
get_dropbear_release_key
|
get_dropbear_release_key
|
||||||
@ -143,22 +143,22 @@ create_docker_image() {
|
|||||||
|
|
||||||
# Aside from checking the GPG signatures, we also compare against this known-good
|
# Aside from checking the GPG signatures, we also compare against this known-good
|
||||||
# SHA-256 hash just in case.
|
# SHA-256 hash just in case.
|
||||||
get_openssh '4.0p1' '5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b'
|
get_openssh "4.0p1" "5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b"
|
||||||
get_openssh '5.6p1' '538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b'
|
get_openssh "5.6p1" "538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b"
|
||||||
get_openssh '8.0p1' 'bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68'
|
get_openssh "8.0p1" "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68"
|
||||||
get_dropbear '2019.78' '525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4'
|
get_dropbear "2019.78" "525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4"
|
||||||
get_tinyssh '20190101' '554a9a94e53b370f0cd0c5fbbd322c34d1f695cbcea6a6a32dcb8c9f595b3fea'
|
get_tinyssh "20190101" "554a9a94e53b370f0cd0c5fbbd322c34d1f695cbcea6a6a32dcb8c9f595b3fea"
|
||||||
|
|
||||||
# Compile the versions of OpenSSH.
|
# Compile the versions of OpenSSH.
|
||||||
compile_openssh '4.0p1'
|
compile_openssh "4.0p1"
|
||||||
compile_openssh '5.6p1'
|
compile_openssh "5.6p1"
|
||||||
compile_openssh '8.0p1'
|
compile_openssh "8.0p1"
|
||||||
|
|
||||||
# Compile the versions of Dropbear.
|
# Compile the versions of Dropbear.
|
||||||
compile_dropbear '2019.78'
|
compile_dropbear "2019.78"
|
||||||
|
|
||||||
# Compile the versions of TinySSH.
|
# Compile the versions of TinySSH.
|
||||||
compile_tinyssh '20190101'
|
compile_tinyssh "20190101"
|
||||||
|
|
||||||
|
|
||||||
# Rename the default config files so we know they are our originals.
|
# Rename the default config files so we know they are our originals.
|
||||||
@ -175,7 +175,7 @@ create_docker_image() {
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Test 1: Basic test.
|
# Test 1: Basic test.
|
||||||
create_openssh_config '4.0p1' 'test1' "HostKey /etc/ssh/ssh1_host_key\nHostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
|
create_openssh_config "4.0p1" "test1" "HostKey /etc/ssh/ssh1_host_key\nHostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -183,19 +183,19 @@ create_docker_image() {
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Test 1: Basic test.
|
# Test 1: Basic test.
|
||||||
create_openssh_config '5.6p1' 'test1' "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
|
create_openssh_config "5.6p1" "test1" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
|
||||||
|
|
||||||
# Test 2: RSA 1024 host key with RSA 1024 certificate.
|
# Test 2: RSA 1024 host key with RSA 1024 certificate.
|
||||||
create_openssh_config '5.6p1' 'test2' "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_1024.pub"
|
create_openssh_config "5.6p1" "test2" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_1024.pub"
|
||||||
|
|
||||||
# Test 3: RSA 1024 host key with RSA 3072 certificate.
|
# Test 3: RSA 1024 host key with RSA 3072 certificate.
|
||||||
create_openssh_config '5.6p1' 'test3' "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_3072.pub"
|
create_openssh_config "5.6p1" "test3" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_3072.pub"
|
||||||
|
|
||||||
# Test 4: RSA 3072 host key with RSA 1024 certificate.
|
# Test 4: RSA 3072 host key with RSA 1024 certificate.
|
||||||
create_openssh_config '5.6p1' 'test4' "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_1024.pub"
|
create_openssh_config "5.6p1" "test4" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_1024.pub"
|
||||||
|
|
||||||
# Test 5: RSA 3072 host key with RSA 3072 certificate.
|
# Test 5: RSA 3072 host key with RSA 3072 certificate.
|
||||||
create_openssh_config '5.6p1' 'test5' "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_3072.pub"
|
create_openssh_config "5.6p1" "test5" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_3072.pub"
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -203,19 +203,19 @@ create_docker_image() {
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Test 1: Basic test.
|
# Test 1: Basic test.
|
||||||
create_openssh_config '8.0p1' 'test1' "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key"
|
create_openssh_config "8.0p" "test1" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key"
|
||||||
|
|
||||||
# Test 2: ED25519 certificate test.
|
# Test 2: ED25519 certificate test.
|
||||||
create_openssh_config '8.0p1' 'test2' "HostKey /etc/ssh/ssh_host_ed25519_key\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
|
create_openssh_config "8.0p1" "test2" "HostKey /etc/ssh/ssh_host_ed25519_key\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
|
||||||
|
|
||||||
# Test 3: Hardened installation test.
|
# Test 3: Hardened installation test.
|
||||||
create_openssh_config '8.0p1' 'test3' "HostKey /etc/ssh/ssh_host_ed25519_key\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"
|
create_openssh_config "8.0p1" "test3" "HostKey /etc/ssh/ssh_host_ed25519_key\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"
|
||||||
|
|
||||||
|
|
||||||
# Now build the docker image!
|
# Now build the docker image!
|
||||||
docker build --tag "$IMAGE_NAME:$IMAGE_VERSION" .
|
docker build --tag "$IMAGE_NAME:$IMAGE_VERSION" .
|
||||||
|
|
||||||
popd > /dev/null
|
popd || exit > /dev/null
|
||||||
rm -rf -- "$TMP_DIR"
|
rm -rf -- "$TMP_DIR"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -233,19 +233,19 @@ create_openssh_config() {
|
|||||||
|
|
||||||
# Downloads the Dropbear release key and adds it to the local keyring.
|
# Downloads the Dropbear release key and adds it to the local keyring.
|
||||||
get_dropbear_release_key() {
|
get_dropbear_release_key() {
|
||||||
get_release_key 'Dropbear' 'https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc' 'F29C6773' 'F734 7EF2 EE2E 07A2 6762 8CA9 4493 1494 F29C 6773'
|
get_release_key "Dropbear" "https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc" "F29C6773" "F734 7EF2 EE2E 07A2 6762 8CA9 4493 1494 F29C 6773"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Downloads the OpenSSH release key and adds it to the local keyring.
|
# Downloads the OpenSSH release key and adds it to the local keyring.
|
||||||
get_openssh_release_key() {
|
get_openssh_release_key() {
|
||||||
get_release_key 'OpenSSH' 'https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc' '6D920D30' '59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30'
|
get_release_key "OpenSSH" "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc" "6D920D30" "59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Downloads the TinySSH release key and adds it to the local keyring.
|
# Downloads the TinySSH release key and adds it to the local keyring.
|
||||||
get_tinyssh_release_key() {
|
get_tinyssh_release_key() {
|
||||||
get_release_key 'TinySSH' '' '96939FF9' 'AADF 2EDF 5529 F170 2772 C8A2 DEC4 D246 931E F49B'
|
get_release_key "TinySSH" "" "96939FF9" "AADF 2EDF 5529 F170 2772 C8A2 DEC4 D246 931E F49B"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -256,7 +256,7 @@ get_release_key() {
|
|||||||
release_key_fingerprint_expected=$4
|
release_key_fingerprint_expected=$4
|
||||||
|
|
||||||
# The TinySSH release key isn't on any website, apparently.
|
# The TinySSH release key isn't on any website, apparently.
|
||||||
if [[ $project == 'TinySSH' ]]; then
|
if [[ $project == "TinySSH" ]]; then
|
||||||
gpg --keyserver keys.gnupg.net --recv-key "$key_id"
|
gpg --keyserver keys.gnupg.net --recv-key "$key_id"
|
||||||
else
|
else
|
||||||
echo -e "\nGetting ${project} release key...\n"
|
echo -e "\nGetting ${project} release key...\n"
|
||||||
@ -268,7 +268,8 @@ get_release_key() {
|
|||||||
rm key.asc
|
rm key.asc
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local release_key_fingerprint_actual=$(gpg --fingerprint "$key_id")
|
local release_key_fingerprint_actual
|
||||||
|
release_key_fingerprint_actual=$(gpg --fingerprint "$key_id")
|
||||||
if [[ $release_key_fingerprint_actual != *"$release_key_fingerprint_expected"* ]]; then
|
if [[ $release_key_fingerprint_actual != *"$release_key_fingerprint_expected"* ]]; then
|
||||||
echo -e "\n${REDB}Error: ${project} release key fingerprint does not match expected value!\n\tExpected: $release_key_fingerprint_expected\n\tActual: $release_key_fingerprint_actual\n\nTerminating.${CLR}"
|
echo -e "\n${REDB}Error: ${project} release key fingerprint does not match expected value!\n\tExpected: $release_key_fingerprint_expected\n\tActual: $release_key_fingerprint_actual\n\nTerminating.${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
@ -281,7 +282,7 @@ get_release_key() {
|
|||||||
get_dropbear() {
|
get_dropbear() {
|
||||||
version=$1
|
version=$1
|
||||||
tarball_checksum_expected=$2
|
tarball_checksum_expected=$2
|
||||||
get_source 'Dropbear' "$version" "$tarball_checksum_expected"
|
get_source "Dropbear" "$version" "$tarball_checksum_expected"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -289,7 +290,7 @@ get_dropbear() {
|
|||||||
get_openssh() {
|
get_openssh() {
|
||||||
version=$1
|
version=$1
|
||||||
tarball_checksum_expected=$2
|
tarball_checksum_expected=$2
|
||||||
get_source 'OpenSSH' "$version" "$tarball_checksum_expected"
|
get_source "OpenSSH" "$version" "$tarball_checksum_expected"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -297,7 +298,7 @@ get_openssh() {
|
|||||||
get_tinyssh() {
|
get_tinyssh() {
|
||||||
version=$1
|
version=$1
|
||||||
tarball_checksum_expected=$2
|
tarball_checksum_expected=$2
|
||||||
get_source 'TinySSH' "$version" "$tarball_checksum_expected"
|
get_source "TinySSH" "$version" "$tarball_checksum_expected"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -311,20 +312,20 @@ get_source() {
|
|||||||
tarball=
|
tarball=
|
||||||
sig=
|
sig=
|
||||||
signer=
|
signer=
|
||||||
if [[ $project == 'OpenSSH' ]]; then
|
if [[ $project == "OpenSSH" ]]; then
|
||||||
base_url_source='https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/'
|
base_url_source="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/"
|
||||||
base_url_sig=$base_url_source
|
base_url_sig=$base_url_source
|
||||||
tarball="openssh-${version}.tar.gz"
|
tarball="openssh-${version}.tar.gz"
|
||||||
sig="${tarball}.asc"
|
sig="${tarball}.asc"
|
||||||
signer="Damien Miller "
|
signer="Damien Miller "
|
||||||
elif [[ $project == 'Dropbear' ]]; then
|
elif [[ $project == "Dropbear" ]]; then
|
||||||
base_url_source='https://matt.ucc.asn.au/dropbear/releases/'
|
base_url_source="https://matt.ucc.asn.au/dropbear/releases/"
|
||||||
base_url_sig=$base_url_source
|
base_url_sig=$base_url_source
|
||||||
tarball="dropbear-${version}.tar.bz2"
|
tarball="dropbear-${version}.tar.bz2"
|
||||||
sig="${tarball}.asc"
|
sig="${tarball}.asc"
|
||||||
signer="Dropbear SSH Release Signing <matt@ucc.asn.au>"
|
signer="Dropbear SSH Release Signing <matt@ucc.asn.au>"
|
||||||
elif [[ $project == 'TinySSH' ]]; then
|
elif [[ $project == "TinySSH" ]]; then
|
||||||
base_url_source='https://github.com/janmojzis/tinyssh/archive/'
|
base_url_source="https://github.com/janmojzis/tinyssh/archive/"
|
||||||
base_url_sig="https://github.com/janmojzis/tinyssh/releases/download/${version}/"
|
base_url_sig="https://github.com/janmojzis/tinyssh/releases/download/${version}/"
|
||||||
tarball="${version}.tar.gz"
|
tarball="${version}.tar.gz"
|
||||||
sig="${tarball}.asc"
|
sig="${tarball}.asc"
|
||||||
@ -339,12 +340,14 @@ get_source() {
|
|||||||
|
|
||||||
|
|
||||||
# Older OpenSSH releases were .sigs.
|
# Older OpenSSH releases were .sigs.
|
||||||
if [[ ($project == 'OpenSSH') && (! -f $sig) ]]; then
|
if [[ ($project == "OpenSSH") && (! -f $sig) ]]; then
|
||||||
wget "${base_url_sig}openssh-${version}.tar.gz.sig"
|
wget "${base_url_sig}openssh-${version}.tar.gz.sig"
|
||||||
sig=openssh-${version}.tar.gz.sig
|
sig=openssh-${version}.tar.gz.sig
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local gpg_verify=$(gpg --verify "${sig}" "${tarball}" 2>&1)
|
local gpg_verify
|
||||||
|
gpg_verify=$(gpg --verify "${sig}" "${tarball}" 2>&1)
|
||||||
|
retval=$?
|
||||||
if [[ $gpg_verify != *"Good signature from \"${signer}"* ]]; then
|
if [[ $gpg_verify != *"Good signature from \"${signer}"* ]]; then
|
||||||
echo -e "\n\n${REDB}Error: ${project} signature invalid!\n$gpg_verify\n\nTerminating.${CLR}"
|
echo -e "\n\n${REDB}Error: ${project} signature invalid!\n$gpg_verify\n\nTerminating.${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
@ -352,14 +355,15 @@ get_source() {
|
|||||||
|
|
||||||
# Check GPG's return value. 0 denotes a valid signature, and 1 is returned
|
# Check GPG's return value. 0 denotes a valid signature, and 1 is returned
|
||||||
# on invalid signatures.
|
# on invalid signatures.
|
||||||
if [[ $? != 0 ]]; then
|
if [[ ${retval} != 0 ]]; then
|
||||||
echo -e "\n\n${REDB}Error: ${project} signature invalid! Verification returned code: $?\n\nTerminating.${CLR}"
|
echo -e "\n\n${REDB}Error: ${project} signature invalid! Verification returned code: $?\n\nTerminating.${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo -e "${GREEN}Signature on ${project} sources verified.${CLR}\n"
|
echo -e "${GREEN}Signature on ${project} sources verified.${CLR}\n"
|
||||||
|
|
||||||
local checksum_actual=$(sha256sum "${tarball}" | cut -f1 -d" ")
|
local checksum_actual
|
||||||
|
checksum_actual=$(sha256sum "${tarball}" | cut -f1 -d" ")
|
||||||
if [[ $checksum_actual != "$tarball_checksum_expected" ]]; then
|
if [[ $checksum_actual != "$tarball_checksum_expected" ]]; then
|
||||||
echo -e "${REDB}Error: ${project} checksum is invalid!\n Expected: ${tarball_checksum_expected}\n Actual: ${checksum_actual}\n\n Terminating.${CLR}"
|
echo -e "${REDB}Error: ${project} checksum is invalid!\n Expected: ${tarball_checksum_expected}\n Actual: ${checksum_actual}\n\n Terminating.${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
@ -369,11 +373,12 @@ get_source() {
|
|||||||
|
|
||||||
# Pulls the defined image from Dockerhub.
|
# Pulls the defined image from Dockerhub.
|
||||||
pull_docker_image() {
|
pull_docker_image() {
|
||||||
docker pull "$IMAGE_NAME:$IMAGE_VERSION"
|
docker pull "${IMAGE_NAME}:${IMAGE_VERSION}"
|
||||||
if [[ $? == 0 ]]; then
|
retval=$?
|
||||||
echo -e "${GREEN}Successfully downloaded image $IMAGE_NAME:$IMAGE_VERSION from Dockerhub.${CLR}\n"
|
if [[ ${retval} == 0 ]]; then
|
||||||
|
echo -e "${GREEN}Successfully downloaded image ${IMAGE_NAME}:${IMAGE_VERSION} from Dockerhub.${CLR}\n"
|
||||||
else
|
else
|
||||||
echo -e "${REDB}Failed to pull image $IMAGE_NAME:$IMAGE_VERSION from Dockerhub! Error code: $?${CLR}\n"
|
echo -e "${REDB}Failed to pull image ${IMAGE_NAME}:${IMAGE_VERSION} from Dockerhub! Error code: ${retval}${CLR}\n"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -387,7 +392,7 @@ run_dropbear_test() {
|
|||||||
options=$3
|
options=$3
|
||||||
expected_retval=$4
|
expected_retval=$4
|
||||||
|
|
||||||
run_test 'Dropbear' $dropbear_version $test_number "$options" $expected_retval
|
run_test "Dropbear" "${dropbear_version}" "${test_number}" "${options}" "${expected_retval}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -398,7 +403,7 @@ run_openssh_test() {
|
|||||||
test_number=$2
|
test_number=$2
|
||||||
expected_retval=$3
|
expected_retval=$3
|
||||||
|
|
||||||
run_test 'OpenSSH' $openssh_version $test_number '' $expected_retval
|
run_test "OpenSSH" "${openssh_version}" "${test_number}" "" "${expected_retval}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -409,7 +414,7 @@ run_tinyssh_test() {
|
|||||||
test_number=$2
|
test_number=$2
|
||||||
expected_retval=$3
|
expected_retval=$3
|
||||||
|
|
||||||
run_test 'TinySSH' $tinyssh_version $test_number '' $expected_retval
|
run_test "TinySSH" "${tinyssh_version}" "${test_number}" "" "${expected_retval}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -427,7 +432,7 @@ run_test() {
|
|||||||
expected_result_stdout=
|
expected_result_stdout=
|
||||||
expected_result_json=
|
expected_result_json=
|
||||||
test_name=
|
test_name=
|
||||||
if [[ $server_type == 'OpenSSH' ]]; then
|
if [[ $server_type == "OpenSSH" ]]; then
|
||||||
server_exec="/openssh/sshd-${version} -D -f /etc/ssh/sshd_config-${version}_${test_number}"
|
server_exec="/openssh/sshd-${version} -D -f /etc/ssh/sshd_config-${version}_${test_number}"
|
||||||
test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.txt"
|
test_result_stdout="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.txt"
|
||||||
test_result_json="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.json"
|
test_result_json="${TEST_RESULT_DIR}/openssh_${version}_${test_number}.json"
|
||||||
@ -435,14 +440,14 @@ run_test() {
|
|||||||
expected_result_json="test/docker/expected_results/openssh_${version}_${test_number}.json"
|
expected_result_json="test/docker/expected_results/openssh_${version}_${test_number}.json"
|
||||||
test_name="OpenSSH ${version} ${test_number}"
|
test_name="OpenSSH ${version} ${test_number}"
|
||||||
options=
|
options=
|
||||||
elif [[ $server_type == 'Dropbear' ]]; then
|
elif [[ $server_type == "Dropbear" ]]; then
|
||||||
server_exec="/dropbear/dropbear-${version} -F ${options}"
|
server_exec="/dropbear/dropbear-${version} -F ${options}"
|
||||||
test_result_stdout="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.txt"
|
test_result_stdout="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.txt"
|
||||||
test_result_json="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.json"
|
test_result_json="${TEST_RESULT_DIR}/dropbear_${version}_${test_number}.json"
|
||||||
expected_result_stdout="test/docker/expected_results/dropbear_${version}_${test_number}.txt"
|
expected_result_stdout="test/docker/expected_results/dropbear_${version}_${test_number}.txt"
|
||||||
expected_result_json="test/docker/expected_results/dropbear_${version}_${test_number}.json"
|
expected_result_json="test/docker/expected_results/dropbear_${version}_${test_number}.json"
|
||||||
test_name="Dropbear ${version} ${test_number}"
|
test_name="Dropbear ${version} ${test_number}"
|
||||||
elif [[ $server_type == 'TinySSH' ]]; then
|
elif [[ $server_type == "TinySSH" ]]; then
|
||||||
server_exec="/usr/bin/tcpserver -HRDl0 0.0.0.0 22 /tinysshd/tinyssh-20190101 -v /etc/tinyssh/"
|
server_exec="/usr/bin/tcpserver -HRDl0 0.0.0.0 22 /tinysshd/tinyssh-20190101 -v /etc/tinyssh/"
|
||||||
test_result_stdout="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.txt"
|
test_result_stdout="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.txt"
|
||||||
test_result_json="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.json"
|
test_result_json="${TEST_RESULT_DIR}/tinyssh_${version}_${test_number}.json"
|
||||||
@ -451,10 +456,11 @@ run_test() {
|
|||||||
test_name="TinySSH ${version} ${test_number}"
|
test_name="TinySSH ${version} ${test_number}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cid=$(docker run -d -p 2222:22 "$IMAGE_NAME:$IMAGE_VERSION" ${server_exec})
|
cid=$(docker run -d -p 2222:22 "${IMAGE_NAME}:${IMAGE_VERSION}" ${server_exec})
|
||||||
|
retval=$?
|
||||||
#echo "Running: docker run -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
|
#echo "Running: docker run -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
|
||||||
if [[ $? != 0 ]]; then
|
if [[ ${retval} != 0 ]]; then
|
||||||
echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}"
|
echo -e "${REDB}Failed to run docker image! (exit code: ${retval})${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -467,8 +473,8 @@ run_test() {
|
|||||||
echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
|
echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat ${test_result_stdout}
|
cat "${test_result_stdout}"
|
||||||
docker container stop -t 0 $cid > /dev/null
|
docker container stop -t 0 "${cid}" > /dev/null
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -481,21 +487,22 @@ run_test() {
|
|||||||
echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
|
echo -e "\n${REDB}This failure cannot be automatically fixed; this script must be manually updated with the new expected return value.${CLR}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat ${test_result_json}
|
cat "${test_result_json}"
|
||||||
docker container stop -t 0 $cid > /dev/null
|
docker container stop -t 0 "${cid}" > /dev/null
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
docker container stop -t 0 $cid > /dev/null
|
docker container stop -t 0 "${cid}" > /dev/null
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: ${retval})${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# TinySSH outputs a random string in each banner, which breaks our test. So
|
# TinySSH outputs a random string in each banner, which breaks our test. So
|
||||||
# we need to filter out the banner part of the output so we get stable, repeatable
|
# we need to filter out the banner part of the output so we get stable, repeatable
|
||||||
# results.
|
# results.
|
||||||
if [[ $server_type == 'TinySSH' ]]; then
|
if [[ $server_type == "TinySSH" ]]; then
|
||||||
grep -v "(gen) banner: " "${test_result_stdout}" > "${test_result_stdout}.tmp"
|
grep -v "(gen) banner: " "${test_result_stdout}" > "${test_result_stdout}.tmp"
|
||||||
mv "${test_result_stdout}.tmp" "${test_result_stdout}"
|
mv "${test_result_stdout}.tmp" "${test_result_stdout}"
|
||||||
cat "${test_result_json}" | perl -pe 's/"comments": ".*?"/"comments": ""/' | perl -pe 's/"raw": ".+?"/"raw": ""/' > "${test_result_json}.tmp"
|
cat "${test_result_json}" | perl -pe 's/"comments": ".*?"/"comments": ""/' | perl -pe 's/"raw": ".+?"/"raw": ""/' > "${test_result_json}.tmp"
|
||||||
@ -503,7 +510,8 @@ run_test() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
diff=$(diff -u "${expected_result_stdout}" "${test_result_stdout}")
|
diff=$(diff -u "${expected_result_stdout}" "${test_result_stdout}")
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
|
||||||
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
||||||
if [[ $accept == 1 ]]; then
|
if [[ $accept == 1 ]]; then
|
||||||
@ -518,7 +526,8 @@ run_test() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
diff=$(diff -u "${expected_result_json}" "${test_result_json}")
|
diff=$(diff -u "${expected_result_json}" "${test_result_json}")
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
|
||||||
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
||||||
if [[ $accept == 1 ]]; then
|
if [[ $accept == 1 ]]; then
|
||||||
@ -562,15 +571,15 @@ run_custom_policy_test() {
|
|||||||
|
|
||||||
version=
|
version=
|
||||||
config=
|
config=
|
||||||
if [[ ${config_number} == 'config1' ]]; then
|
if [[ ${config_number} == "config1" ]]; then
|
||||||
version='5.6p1'
|
version="5.6p1"
|
||||||
config='sshd_config-5.6p1_test1'
|
config="sshd_config-5.6p1_test1"
|
||||||
elif [[ ${config_number} == 'config2' ]]; then
|
elif [[ ${config_number} == "config2" ]]; then
|
||||||
version='8.0p1'
|
version="8.0p1"
|
||||||
config='sshd_config-8.0p1_test1'
|
config="sshd_config-8.0p1_test1"
|
||||||
elif [[ ${config_number} == 'config3' ]]; then
|
elif [[ ${config_number} == "config3" ]]; then
|
||||||
version='5.6p1'
|
version="5.6p1"
|
||||||
config='sshd_config-5.6p1_test4'
|
config="sshd_config-5.6p1_test4"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
server_exec="/openssh/sshd-${version} -D -f /etc/ssh/${config}"
|
server_exec="/openssh/sshd-${version} -D -f /etc/ssh/${config}"
|
||||||
@ -595,9 +604,10 @@ run_policy_test() {
|
|||||||
|
|
||||||
|
|
||||||
#echo "Running: docker run -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
|
#echo "Running: docker run -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
|
||||||
cid=$(docker run -d -p 2222:22 "$IMAGE_NAME:$IMAGE_VERSION" ${server_exec})
|
cid=$(docker run -d -p 2222:22 "${IMAGE_NAME}:${IMAGE_VERSION}" ${server_exec})
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
echo -e "${REDB}Failed to run docker image! (exit code: $?)${CLR}"
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
echo -e "${REDB}Failed to run docker image! (exit code: ${retval})${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -612,7 +622,7 @@ run_policy_test() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
cat "${test_result_stdout}"
|
cat "${test_result_stdout}"
|
||||||
docker container stop -t 0 $cid > /dev/null
|
docker container stop -t 0 "${cid}" > /dev/null
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -627,18 +637,20 @@ run_policy_test() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
cat "${test_result_json}"
|
cat "${test_result_json}"
|
||||||
docker container stop -t 0 $cid > /dev/null
|
docker container stop -t 0 "${cid}" > /dev/null
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
docker container stop -t 0 $cid > /dev/null
|
docker container stop -t 0 "${cid}" > /dev/null
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: $?)${CLR}"
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
echo -e "${REDB}Failed to stop docker container ${cid}! (exit code: ${retval})${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
diff=$(diff -u "${expected_result_stdout}" "${test_result_stdout}")
|
diff=$(diff -u "${expected_result_stdout}" "${test_result_stdout}")
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
|
||||||
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
||||||
if [[ $accept == 1 ]]; then
|
if [[ $accept == 1 ]]; then
|
||||||
@ -652,7 +664,8 @@ run_policy_test() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
diff=$(diff -u "${expected_result_json}" "${test_result_json}")
|
diff=$(diff -u "${expected_result_json}" "${test_result_json}")
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
|
||||||
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
# If the user wants to update the tests, then overwrite the expected results with the actual results.
|
||||||
if [[ $accept == 1 ]]; then
|
if [[ $accept == 1 ]]; then
|
||||||
@ -671,8 +684,9 @@ run_policy_test() {
|
|||||||
|
|
||||||
# First check if docker is functional.
|
# First check if docker is functional.
|
||||||
docker version > /dev/null
|
docker version > /dev/null
|
||||||
if [[ $? != 0 ]]; then
|
retval=$?
|
||||||
echo -e "${REDB}Error: 'docker version' command failed (error code: $?). Is docker installed and functioning?${CLR}"
|
if [[ ${retval} != 0 ]]; then
|
||||||
|
echo -e "${REDB}Error: 'docker version' command failed (error code: ${retval}). Is docker installed and functioning?${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -680,7 +694,8 @@ fi
|
|||||||
# Check if the docker image is the most up-to-date version.
|
# Check if the docker image is the most up-to-date version.
|
||||||
docker_image_exists=0
|
docker_image_exists=0
|
||||||
check_if_docker_image_exists
|
check_if_docker_image_exists
|
||||||
if [[ $? == 0 ]]; then
|
retval=$?
|
||||||
|
if [[ ${retval} == 0 ]]; then
|
||||||
docker_image_exists=1
|
docker_image_exists=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -688,11 +703,11 @@ fi
|
|||||||
# Check if the user specified --create to build a new image.
|
# Check if the user specified --create to build a new image.
|
||||||
if [[ ($# == 1) && ($1 == "--create") ]]; then
|
if [[ ($# == 1) && ($1 == "--create") ]]; then
|
||||||
# Ensure that the image name doesn't already exist before building.
|
# Ensure that the image name doesn't already exist before building.
|
||||||
if [[ $docker_image_exists == 1 ]]; then
|
if [[ ${docker_image_exists} == 1 ]]; then
|
||||||
echo -e "${REDB}Error: --create specified, but $IMAGE_NAME:$IMAGE_VERSION already exists!${CLR}"
|
echo -e "${REDB}Error: --create specified, but ${IMAGE_NAME}:${IMAGE_VERSION} already exists!${CLR}"
|
||||||
exit 1
|
exit 1
|
||||||
else
|
else
|
||||||
echo -e "\nCreating docker image $IMAGE_NAME:$IMAGE_VERSION..."
|
echo -e "\nCreating docker image ${IMAGE_NAME}:${IMAGE_VERSION}..."
|
||||||
create_docker_image
|
create_docker_image
|
||||||
echo -e "\n${GREEN}Done creating docker image!${CLR}"
|
echo -e "\n${GREEN}Done creating docker image!${CLR}"
|
||||||
exit 0
|
exit 0
|
||||||
@ -708,8 +723,8 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
# If we weren't explicitly told to create a new image, and it doesn't exist, then pull it from Dockerhub.
|
# If we weren't explicitly told to create a new image, and it doesn't exist, then pull it from Dockerhub.
|
||||||
if [[ $docker_image_exists == 0 ]]; then
|
if [[ ${docker_image_exists} == 0 ]]; then
|
||||||
echo -e "\nPulling docker image $IMAGE_NAME:$IMAGE_VERSION..."
|
echo -e "\nPulling docker image ${IMAGE_NAME}:${IMAGE_VERSION}..."
|
||||||
pull_docker_image
|
pull_docker_image
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -721,64 +736,64 @@ TEST_RESULT_DIR=$(mktemp -d /tmp/ssh-audit_test-results_XXXXXXXXXX)
|
|||||||
|
|
||||||
# Now run all the tests.
|
# Now run all the tests.
|
||||||
echo -e "\nRunning tests..."
|
echo -e "\nRunning tests..."
|
||||||
run_openssh_test '4.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "4.0p1" "test1" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
echo
|
echo
|
||||||
run_openssh_test '5.6p1' 'test1' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "5.6p1" "test1" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_openssh_test '5.6p1' 'test2' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "5.6p1" "test2" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_openssh_test '5.6p1' 'test3' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "5.6p1" "test3" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_openssh_test '5.6p1' 'test4' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "5.6p1" "test4" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_openssh_test '5.6p1' 'test5' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "5.6p1" "test5" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
echo
|
echo
|
||||||
run_openssh_test '8.0p1' 'test1' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "8.0p1" "test1" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_openssh_test '8.0p1' 'test2' $PROGRAM_RETVAL_FAILURE
|
run_openssh_test "8.0p1" "test2" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_openssh_test '8.0p1' 'test3' $PROGRAM_RETVAL_GOOD
|
run_openssh_test "8.0p1" "test3" "${PROGRAM_RETVAL_GOOD}"
|
||||||
echo
|
echo
|
||||||
run_dropbear_test '2019.78' 'test1' '-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key' 3
|
run_dropbear_test "2019.78" "test1" "-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key" 3
|
||||||
echo
|
echo
|
||||||
run_tinyssh_test '20190101' 'test1' $PROGRAM_RETVAL_WARNING
|
run_tinyssh_test "20190101" "test1" "${PROGRAM_RETVAL_WARNING}"
|
||||||
echo
|
echo
|
||||||
echo
|
echo
|
||||||
run_custom_policy_test 'config1' 'test1' $PROGRAM_RETVAL_GOOD
|
run_custom_policy_test "config1" "test1" "${PROGRAM_RETVAL_GOOD}"
|
||||||
run_custom_policy_test 'config1' 'test2' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config1" "test2" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_custom_policy_test 'config1' 'test3' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config1" "test3" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_custom_policy_test 'config1' 'test4' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config1" "test4" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_custom_policy_test 'config1' 'test5' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config1" "test5" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
run_custom_policy_test 'config2' 'test6' $PROGRAM_RETVAL_GOOD
|
run_custom_policy_test "config2" "test6" "${PROGRAM_RETVAL_GOOD}"
|
||||||
|
|
||||||
# Passing test with host key certificate and CA key certificates.
|
# Passing test with host key certificate and CA key certificates.
|
||||||
run_custom_policy_test 'config3' 'test7' $PROGRAM_RETVAL_GOOD
|
run_custom_policy_test "config3" "test7" "${PROGRAM_RETVAL_GOOD}"
|
||||||
|
|
||||||
# Failing test with host key certificate and non-compliant CA key length.
|
# Failing test with host key certificate and non-compliant CA key length.
|
||||||
run_custom_policy_test 'config3' 'test8' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config3" "test8" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
|
|
||||||
# Failing test with non-compliant host key certificate and CA key certificate.
|
# Failing test with non-compliant host key certificate and CA key certificate.
|
||||||
run_custom_policy_test 'config3' 'test9' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config3" "test9" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
|
|
||||||
# Failing test with non-compliant host key certificate and non-compliant CA key certificate.
|
# Failing test with non-compliant host key certificate and non-compliant CA key certificate.
|
||||||
run_custom_policy_test 'config3' 'test10' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config3" "test10" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
|
|
||||||
# Passing test with host key size check.
|
# Passing test with host key size check.
|
||||||
run_custom_policy_test 'config2' 'test11' $PROGRAM_RETVAL_GOOD
|
run_custom_policy_test "config2" "test11" "${PROGRAM_RETVAL_GOOD}"
|
||||||
|
|
||||||
# Failing test with non-compliant host key size check.
|
# Failing test with non-compliant host key size check.
|
||||||
run_custom_policy_test 'config2' 'test12' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config2" "test12" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
|
|
||||||
# Passing test with DH modulus test.
|
# Passing test with DH modulus test.
|
||||||
run_custom_policy_test 'config2' 'test13' $PROGRAM_RETVAL_GOOD
|
run_custom_policy_test "config2" "test13" "${PROGRAM_RETVAL_GOOD}"
|
||||||
|
|
||||||
# Failing test with DH modulus test.
|
# Failing test with DH modulus test.
|
||||||
run_custom_policy_test 'config2' 'test14' $PROGRAM_RETVAL_FAILURE
|
run_custom_policy_test "config2" "test14" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
|
|
||||||
# Failing test for built-in OpenSSH 8.0p1 server policy (RSA host key size is 3072 instead of 4096).
|
# Failing test for built-in OpenSSH 8.0p1 server policy (RSA host key size is 3072 instead of 4096).
|
||||||
run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 3)" "8.0p1" "test1" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -o MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com" $PROGRAM_RETVAL_FAILURE
|
run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 3)" "8.0p1" "test1" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -o MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
|
|
||||||
# Failing test for built-in OpenSSH 8.0p1 server policy (MACs not hardened).
|
# Failing test for built-in OpenSSH 8.0p1 server policy (MACs not hardened).
|
||||||
run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 3)" "8.0p1" "test2" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" $PROGRAM_RETVAL_FAILURE
|
run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 3)" "8.0p1" "test2" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" "${PROGRAM_RETVAL_FAILURE}"
|
||||||
|
|
||||||
|
|
||||||
if [[ $num_failures == 0 ]]; then
|
if [[ $num_failures == 0 ]]; then
|
||||||
echo -e "\n${GREENB}ALL TESTS PASS!${CLR}\n"
|
echo -e "\n${GREENB}ALL TESTS PASS!${CLR}\n"
|
||||||
rm -rf -- "$TEST_RESULT_DIR"
|
rm -rf -- "${TEST_RESULT_DIR}"
|
||||||
else
|
else
|
||||||
echo -e "\n${REDB}${num_failures} TESTS FAILED!${CLR}\n"
|
echo -e "\n${REDB}${num_failures} TESTS FAILED!${CLR}\n"
|
||||||
fi
|
fi
|
||||||
|
@ -55,10 +55,10 @@ usage() {
|
|||||||
PLATFORM="$(uname -s)"
|
PLATFORM="$(uname -s)"
|
||||||
|
|
||||||
# This script is intended for use on Linux and Cygwin only.
|
# This script is intended for use on Linux and Cygwin only.
|
||||||
case "$PLATFORM" in
|
case "${PLATFORM}" in
|
||||||
Linux | CYGWIN*) ;;
|
Linux | CYGWIN*) ;;
|
||||||
*)
|
*)
|
||||||
echo "Platform not supported: $PLATFORM"
|
echo "Platform not supported: ${PLATFORM}"
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -67,12 +67,12 @@ MAN_PAGE=./ssh-audit.1
|
|||||||
GLOBALS_PY=./src/ssh_audit/globals.py
|
GLOBALS_PY=./src/ssh_audit/globals.py
|
||||||
|
|
||||||
while getopts "m: g: h" OPTION; do
|
while getopts "m: g: h" OPTION; do
|
||||||
case "$OPTION" in
|
case "${OPTION}" in
|
||||||
m)
|
m)
|
||||||
MAN_PAGE="$OPTARG"
|
MAN_PAGE="${OPTARG}"
|
||||||
;;
|
;;
|
||||||
g)
|
g)
|
||||||
GLOBALS_PY="$OPTARG"
|
GLOBALS_PY="${OPTARG}"
|
||||||
;;
|
;;
|
||||||
h)
|
h)
|
||||||
usage
|
usage
|
||||||
@ -88,10 +88,10 @@ done
|
|||||||
|
|
||||||
# Check that the specified files exist.
|
# Check that the specified files exist.
|
||||||
[[ -f "$MAN_PAGE" ]] || { echo >&2 "man page file not found: $MAN_PAGE"; exit 1; }
|
[[ -f "$MAN_PAGE" ]] || { echo >&2 "man page file not found: $MAN_PAGE"; exit 1; }
|
||||||
[[ -f "$GLOBALS_PY" ]] || { echo >&2 "globals.py file not found: $GLOBALS_PY"; exit 1; }
|
[[ -f "${GLOBALS_PY}" ]] || { echo >&2 "globals.py file not found: ${GLOBALS_PY}"; exit 1; }
|
||||||
|
|
||||||
# Check that the 'ul' (do underlining) binary exists.
|
# Check that the 'ul' (do underlining) binary exists.
|
||||||
if [[ "$PLATFORM" == "Linux" ]]; then
|
if [[ "${PLATFORM}" == "Linux" ]]; then
|
||||||
command -v ul >/dev/null 2>&1 || { echo >&2 "ul not found."; exit 1; }
|
command -v ul >/dev/null 2>&1 || { echo >&2 "ul not found."; exit 1; }
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -99,10 +99,10 @@ fi
|
|||||||
command -v sed >/dev/null 2>&1 || { echo >&2 "sed not found."; exit 1; }
|
command -v sed >/dev/null 2>&1 || { echo >&2 "sed not found."; exit 1; }
|
||||||
|
|
||||||
# Reset the globals.py file, in case it was modified from a prior run.
|
# Reset the globals.py file, in case it was modified from a prior run.
|
||||||
git checkout $GLOBALS_PY > /dev/null 2>&1
|
git checkout "${GLOBALS_PY}" > /dev/null 2>&1
|
||||||
|
|
||||||
# Remove the Windows man page placeholder from 'globals.py'.
|
# Remove the Windows man page placeholder from 'globals.py'.
|
||||||
sed -i '/^WINDOWS_MAN_PAGE/d' "$GLOBALS_PY"
|
sed -i '/^WINDOWS_MAN_PAGE/d' "${GLOBALS_PY}"
|
||||||
|
|
||||||
echo "Processing man page at ${MAN_PAGE} and placing output into ${GLOBALS_PY}..."
|
echo "Processing man page at ${MAN_PAGE} and placing output into ${GLOBALS_PY}..."
|
||||||
|
|
||||||
@ -116,15 +116,15 @@ echo "Processing man page at ${MAN_PAGE} and placing output into ${GLOBALS_PY}..
|
|||||||
# escape sequence. Not required under Cygwin because man outputs ANSI escape
|
# escape sequence. Not required under Cygwin because man outputs ANSI escape
|
||||||
# codes automatically.
|
# codes automatically.
|
||||||
|
|
||||||
echo WINDOWS_MAN_PAGE = '"""' >> "$GLOBALS_PY"
|
echo WINDOWS_MAN_PAGE = '"""' >> "${GLOBALS_PY}"
|
||||||
|
|
||||||
if [[ "$PLATFORM" == CYGWIN* ]]; then
|
if [[ "${PLATFORM}" == CYGWIN* ]]; then
|
||||||
MANWIDTH=80 MAN_KEEP_FORMATTING=1 man "$MAN_PAGE" | sed $'s/\u2010/-/g' >> "$GLOBALS_PY"
|
MANWIDTH=80 MAN_KEEP_FORMATTING=1 man "${MAN_PAGE}" | sed $'s/\u2010/-/g' >> "${GLOBALS_PY}"
|
||||||
else
|
else
|
||||||
MANWIDTH=80 MAN_KEEP_FORMATTING=1 man "$MAN_PAGE" | ul | sed $'s/\u2010/-/g' >> "$GLOBALS_PY"
|
MANWIDTH=80 MAN_KEEP_FORMATTING=1 man "${MAN_PAGE}" | ul | sed $'s/\u2010/-/g' >> "${GLOBALS_PY}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo '"""' >> "$GLOBALS_PY"
|
echo '"""' >> "${GLOBALS_PY}"
|
||||||
|
|
||||||
echo "Done."
|
echo "Done."
|
||||||
exit 0
|
exit 0
|
||||||
|
Loading…
Reference in New Issue
Block a user