Merge pull request #2060 from dcooper16/shellcheck
Fix some Shellcheck issues
This commit is contained in:
commit
04b7e1e7c3
220
testssl.sh
220
testssl.sh
@ -509,15 +509,15 @@ set_severity_level() {
|
|||||||
show_finding() {
|
show_finding() {
|
||||||
local severity=$1
|
local severity=$1
|
||||||
|
|
||||||
( [[ "$severity" == DEBUG ]] ) ||
|
[[ "$severity" == DEBUG ]] ||
|
||||||
( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
|
||||||
( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
|
||||||
( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
|
||||||
( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
|
||||||
( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
|
||||||
( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] ) ||
|
( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] ) ||
|
||||||
( [[ "$severity" == WARN ]] ) ||
|
[[ "$severity" == WARN ]] ||
|
||||||
( [[ "$severity" == FATAL ]] )
|
[[ "$severity" == FATAL ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
########### Output functions
|
########### Output functions
|
||||||
@ -1084,23 +1084,23 @@ set_key_str_score() {
|
|||||||
|
|
||||||
if [[ $type == EC || $type == EdDSA ]]; then
|
if [[ $type == EC || $type == EdDSA ]]; then
|
||||||
if [[ $size -lt 110 ]] && [[ $KEY_EXCH_SCORE -ge 20 ]]; then
|
if [[ $size -lt 110 ]] && [[ $KEY_EXCH_SCORE -ge 20 ]]; then
|
||||||
let KEY_EXCH_SCORE=20
|
KEY_EXCH_SCORE=20
|
||||||
elif [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -ge 40 ]]; then
|
elif [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -ge 40 ]]; then
|
||||||
let KEY_EXCH_SCORE=40
|
KEY_EXCH_SCORE=40
|
||||||
elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -ge 80 ]]; then
|
elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -ge 80 ]]; then
|
||||||
let KEY_EXCH_SCORE=80
|
KEY_EXCH_SCORE=80
|
||||||
elif [[ $size -lt 225 ]] && [[ $KEY_EXCH_SCORE -ge 90 ]]; then
|
elif [[ $size -lt 225 ]] && [[ $KEY_EXCH_SCORE -ge 90 ]]; then
|
||||||
let KEY_EXCH_SCORE=90
|
KEY_EXCH_SCORE=90
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -ge 20 ]]; then
|
if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -ge 20 ]]; then
|
||||||
let KEY_EXCH_SCORE=20
|
KEY_EXCH_SCORE=20
|
||||||
elif [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -ge 40 ]]; then
|
elif [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -ge 40 ]]; then
|
||||||
let KEY_EXCH_SCORE=40
|
KEY_EXCH_SCORE=40
|
||||||
elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -ge 80 ]]; then
|
elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -ge 80 ]]; then
|
||||||
let KEY_EXCH_SCORE=80
|
KEY_EXCH_SCORE=80
|
||||||
elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -ge 90 ]]; then
|
elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -ge 90 ]]; then
|
||||||
let KEY_EXCH_SCORE=90
|
KEY_EXCH_SCORE=90
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
@ -1114,8 +1114,8 @@ set_ciph_str_score() {
|
|||||||
|
|
||||||
"$do_rating" || return 0
|
"$do_rating" || return 0
|
||||||
|
|
||||||
[[ $size -gt $CIPH_STR_BEST ]] && let CIPH_STR_BEST=$size
|
[[ $size -gt $CIPH_STR_BEST ]] && CIPH_STR_BEST=$size
|
||||||
[[ $size -lt $CIPH_STR_WORST ]] && let CIPH_STR_WORST=$size
|
[[ $size -lt $CIPH_STR_WORST ]] && CIPH_STR_WORST=$size
|
||||||
|
|
||||||
[[ $size -lt 112 || $size == None ]] && set_grade_cap "F" "Using cipher suites weaker than 112 bits"
|
[[ $size -lt 112 || $size == None ]] && set_grade_cap "F" "Using cipher suites weaker than 112 bits"
|
||||||
|
|
||||||
@ -1991,11 +1991,11 @@ check_revocation_ocsp() {
|
|||||||
response="$(grep -F "$HOSTCERT: " "$tmpfile")"
|
response="$(grep -F "$HOSTCERT: " "$tmpfile")"
|
||||||
response="${response#$HOSTCERT: }"
|
response="${response#$HOSTCERT: }"
|
||||||
response="${response%\.}"
|
response="${response%\.}"
|
||||||
if [[ "$response" =~ "good" ]]; then
|
if [[ "$response" =~ good ]]; then
|
||||||
out ", "
|
out ", "
|
||||||
pr_svrty_good "not revoked"
|
pr_svrty_good "not revoked"
|
||||||
fileout "$jsonID" "OK" "not revoked"
|
fileout "$jsonID" "OK" "not revoked"
|
||||||
elif [[ "$response" =~ "revoked" ]]; then
|
elif [[ "$response" =~ revoked ]]; then
|
||||||
out ", "
|
out ", "
|
||||||
pr_svrty_critical "revoked"
|
pr_svrty_critical "revoked"
|
||||||
fileout "$jsonID" "CRITICAL" "revoked"
|
fileout "$jsonID" "CRITICAL" "revoked"
|
||||||
@ -2139,14 +2139,14 @@ s_client_options() {
|
|||||||
local ciphers="notpresent" tls13_ciphers="notpresent"
|
local ciphers="notpresent" tls13_ciphers="notpresent"
|
||||||
|
|
||||||
# Extract the TLSv1.3 ciphers and the non-TLSv1.3 ciphers
|
# Extract the TLSv1.3 ciphers and the non-TLSv1.3 ciphers
|
||||||
if [[ " $options " =~ " -cipher " ]]; then
|
if [[ " $options " =~ \ -cipher\ ]]; then
|
||||||
ciphers="${options#* -cipher }"
|
ciphers="${options#* -cipher }"
|
||||||
ciphers="${ciphers%% *}"
|
ciphers="${ciphers%% *}"
|
||||||
options="${options//-cipher $ciphers/}"
|
options="${options//-cipher $ciphers/}"
|
||||||
ciphers="${ciphers##\'}"
|
ciphers="${ciphers##\'}"
|
||||||
ciphers="${ciphers%%\'}"
|
ciphers="${ciphers%%\'}"
|
||||||
fi
|
fi
|
||||||
if [[ " $options " =~ " -ciphersuites " ]]; then
|
if [[ " $options " =~ \ -ciphersuites\ ]]; then
|
||||||
tls13_ciphers="${options#* -ciphersuites }"
|
tls13_ciphers="${options#* -ciphersuites }"
|
||||||
tls13_ciphers="${tls13_ciphers%% *}"
|
tls13_ciphers="${tls13_ciphers%% *}"
|
||||||
options="${options//-ciphersuites $tls13_ciphers/}"
|
options="${options//-ciphersuites $tls13_ciphers/}"
|
||||||
@ -2163,7 +2163,7 @@ s_client_options() {
|
|||||||
# server_name extension unless the -noservername option is provided. So, if
|
# server_name extension unless the -noservername option is provided. So, if
|
||||||
# the command line doesn't include -servername and the -noservername option is
|
# the command line doesn't include -servername and the -noservername option is
|
||||||
# supported, then add -noservername to the options.
|
# supported, then add -noservername to the options.
|
||||||
"$HAS_NOSERVERNAME" && [[ ! " $options " =~ " -servername " ]] && options+=" -noservername"
|
"$HAS_NOSERVERNAME" && [[ ! " $options " =~ \ -servername\ ]] && options+=" -noservername"
|
||||||
|
|
||||||
# Newer versions of OpenSSL have dropped support for the -no_ssl2 option, so
|
# Newer versions of OpenSSL have dropped support for the -no_ssl2 option, so
|
||||||
# remove any -no_ssl2 option if the option isn't supported. (Since versions of
|
# remove any -no_ssl2 option if the option isn't supported. (Since versions of
|
||||||
@ -2176,7 +2176,7 @@ s_client_options() {
|
|||||||
# 1.1.1 compression is only offered if the "-comp" option is provided.
|
# 1.1.1 compression is only offered if the "-comp" option is provided.
|
||||||
# OpenSSL 1.0.0, 1.0.1, and 1.0.2 offer compression unless the "-no_comp" option is provided.
|
# OpenSSL 1.0.0, 1.0.1, and 1.0.2 offer compression unless the "-no_comp" option is provided.
|
||||||
# OpenSSL 0.9.8 does not support either the "-comp" or the "-no_comp" option.
|
# OpenSSL 0.9.8 does not support either the "-comp" or the "-no_comp" option.
|
||||||
if [[ " $options " =~ " -comp " ]]; then
|
if [[ " $options " =~ \ -comp\ ]]; then
|
||||||
# Compression is needed for the test. So, remove "-comp" if it isn't supported, but
|
# Compression is needed for the test. So, remove "-comp" if it isn't supported, but
|
||||||
# otherwise make no changes.
|
# otherwise make no changes.
|
||||||
! "$HAS_COMP" && options="${options//-comp/}"
|
! "$HAS_COMP" && options="${options//-comp/}"
|
||||||
@ -2225,7 +2225,7 @@ s_client_options() {
|
|||||||
# OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this
|
# OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this
|
||||||
# (e.g. client simulations) we replace it with the name which OpenSSL understands
|
# (e.g. client simulations) we replace it with the name which OpenSSL understands
|
||||||
# This shouldn't be needed. We have this here as a last resort
|
# This shouldn't be needed. We have this here as a last resort
|
||||||
if [[ "$1" =~ " -curves " ]]; then
|
if [[ "$1" =~ \ -curves\ ]]; then
|
||||||
! "$HAS_CURVES" && options="${options// -curves / -groups }"
|
! "$HAS_CURVES" && options="${options// -curves / -groups }"
|
||||||
[[ "$1" =~ secp192r1 ]] && options="${options//secp192r1/prime192v1}"
|
[[ "$1" =~ secp192r1 ]] && options="${options//secp192r1/prime192v1}"
|
||||||
[[ "$1" =~ secp256r1 ]] && options="${options//secp256r1/prime256v1}"
|
[[ "$1" =~ secp256r1 ]] && options="${options//secp256r1/prime256v1}"
|
||||||
@ -2622,7 +2622,7 @@ run_hsts() {
|
|||||||
match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true"
|
match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true"
|
||||||
if [[ $? -ne 0 ]]; then
|
if [[ $? -ne 0 ]]; then
|
||||||
echo "$HEADERVALUE" >$TMPFILE
|
echo "$HEADERVALUE" >$TMPFILE
|
||||||
hsts_age_sec=$(sed -e 's/[^0-9]*//g' <<< $HEADERVALUE)
|
hsts_age_sec="${HEADERVALUE//[^0-9]/}"
|
||||||
debugme echo "hsts_age_sec: $hsts_age_sec"
|
debugme echo "hsts_age_sec: $hsts_age_sec"
|
||||||
if [[ -n $hsts_age_sec ]]; then
|
if [[ -n $hsts_age_sec ]]; then
|
||||||
hsts_age_days=$(( hsts_age_sec / 86400))
|
hsts_age_days=$(( hsts_age_sec / 86400))
|
||||||
@ -4913,7 +4913,7 @@ run_client_simulation() {
|
|||||||
# https://github.com/openssl/openssl/blob/master/apps/ecparam.c#L221 + ./ssl/t1_lib.c
|
# https://github.com/openssl/openssl/blob/master/apps/ecparam.c#L221 + ./ssl/t1_lib.c
|
||||||
[[ "$curve" =~ secp256r1 ]] && curve="${curve//secp256r1/prime256v1}"
|
[[ "$curve" =~ secp256r1 ]] && curve="${curve//secp256r1/prime256v1}"
|
||||||
[[ "$curve" =~ secp192r1 ]] && curve="${curve//secp192r1/prime192v1}"
|
[[ "$curve" =~ secp192r1 ]] && curve="${curve//secp192r1/prime192v1}"
|
||||||
[[ "$OSSL_SUPPORTED_CURVES" =~ " $curve " ]] && supported_curves+=":$curve"
|
[[ "$OSSL_SUPPORTED_CURVES" =~ \ $curve\ ]] && supported_curves+=":$curve"
|
||||||
done
|
done
|
||||||
curves[i]=""
|
curves[i]=""
|
||||||
[[ -n "$supported_curves" ]] && curves[i]="-curves ${supported_curves:1}"
|
[[ -n "$supported_curves" ]] && curves[i]="-curves ${supported_curves:1}"
|
||||||
@ -5062,7 +5062,6 @@ locally_supported() {
|
|||||||
run_prototest_openssl() {
|
run_prototest_openssl() {
|
||||||
local -i ret=0
|
local -i ret=0
|
||||||
local protos proto
|
local protos proto
|
||||||
local passed_check=false
|
|
||||||
|
|
||||||
$OPENSSL s_client "$1" 2>&1 | grep -aiq "unknown option" && return 7
|
$OPENSSL s_client "$1" 2>&1 | grep -aiq "unknown option" && return 7
|
||||||
case "$1" in
|
case "$1" in
|
||||||
@ -5894,7 +5893,7 @@ sub_cipherlists() {
|
|||||||
len=${#sslv2_cipherlist}
|
len=${#sslv2_cipherlist}
|
||||||
detected_ssl2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
detected_ssl2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
|
||||||
for (( i=0; i<len; i+=6 )); do
|
for (( i=0; i<len; i+=6 )); do
|
||||||
[[ "$detected_ssl2_ciphers" =~ "x${sslv2_cipherlist:i:6}" ]] && sclient_success=0 && break
|
[[ "$detected_ssl2_ciphers" =~ x${sslv2_cipherlist:i:6} ]] && sclient_success=0 && break
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -8235,7 +8234,7 @@ compare_server_name_to_cert() {
|
|||||||
while read cn; do
|
while read cn; do
|
||||||
# If the CN contains any characters that are not valid for a DNS name,
|
# If the CN contains any characters that are not valid for a DNS name,
|
||||||
# then assume it does not contain a DNS name.
|
# then assume it does not contain a DNS name.
|
||||||
[[ -n $(sed 's/^[_\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && continue
|
[[ -n "${cn//[_\.a-zA-Z0-9*\-]/}" ]] && continue
|
||||||
|
|
||||||
# Check whether the CN matches the servername
|
# Check whether the CN matches the servername
|
||||||
[[ $(toupper "$cn") == "$servername" ]] && cn_match=4 && break
|
[[ $(toupper "$cn") == "$servername" ]] && cn_match=4 && break
|
||||||
@ -8639,7 +8638,7 @@ certificate_info() {
|
|||||||
local -i lineno_matched=0
|
local -i lineno_matched=0
|
||||||
local cert_keyusage cert_ext_keyusage short_keyAlgo
|
local cert_keyusage cert_ext_keyusage short_keyAlgo
|
||||||
local outok=true
|
local outok=true
|
||||||
local days2expire secs2warn ocsp_uri crl
|
local days2expire ocsp_uri crl
|
||||||
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
||||||
local issuer_DC issuerfinding cn_nosni=""
|
local issuer_DC issuerfinding cn_nosni=""
|
||||||
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
|
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
|
||||||
@ -9168,7 +9167,7 @@ certificate_info() {
|
|||||||
if [[ $trust_sni -eq 0 ]]; then
|
if [[ $trust_sni -eq 0 ]]; then
|
||||||
pr_svrty_high "$trustfinding"
|
pr_svrty_high "$trustfinding"
|
||||||
trust_sni_finding="HIGH"
|
trust_sni_finding="HIGH"
|
||||||
elif ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then
|
elif [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]]; then
|
||||||
if [[ $SERVICE == HTTP ]] || "$ASSUME_HTTP"; then
|
if [[ $SERVICE == HTTP ]] || "$ASSUME_HTTP"; then
|
||||||
# https://bugs.chromium.org/p/chromium/issues/detail?id=308330
|
# https://bugs.chromium.org/p/chromium/issues/detail?id=308330
|
||||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
|
||||||
@ -9509,7 +9508,7 @@ certificate_info() {
|
|||||||
jsonID="DNS_CAArecord"
|
jsonID="DNS_CAArecord"
|
||||||
caa_node="$NODE"
|
caa_node="$NODE"
|
||||||
caa=""
|
caa=""
|
||||||
while ( [[ -z "$caa" ]] && [[ ! -z "$caa_node" ]] ); do
|
while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do
|
||||||
caa="$(get_caa_rr_record $caa_node)"
|
caa="$(get_caa_rr_record $caa_node)"
|
||||||
[[ $caa_node =~ '.'$ ]] || caa_node+="."
|
[[ $caa_node =~ '.'$ ]] || caa_node+="."
|
||||||
caa_node=${caa_node#*.}
|
caa_node=${caa_node#*.}
|
||||||
@ -9852,7 +9851,7 @@ run_server_defaults() {
|
|||||||
success[n]=0
|
success[n]=0
|
||||||
else
|
else
|
||||||
while read -r san; do
|
while read -r san; do
|
||||||
[[ -n "$san" ]] && [[ " $sans_sni " =~ " $san " ]] && success[n]=0 && break
|
[[ -n "$san" ]] && [[ " $sans_sni " =~ \ $san\ ]] && success[n]=0 && break
|
||||||
done <<< "$sans_nosni"
|
done <<< "$sans_nosni"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -10249,7 +10248,7 @@ run_fs() {
|
|||||||
fileout "$jsonID" "WARN" "tests skipped as you only have $nr_supported_ciphers FS ciphers on the client site. ($CLIENT_MIN_FS are required)"
|
fileout "$jsonID" "WARN" "tests skipped as you only have $nr_supported_ciphers FS ciphers on the client site. ($CLIENT_MIN_FS are required)"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $(s_client_options "-cipher $fs_cipher_list -ciphersuites "ALL" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-cipher $fs_cipher_list -ciphersuites ALL $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>$ERRFILE </dev/null
|
||||||
sclient_connect_successful $? $TMPFILE
|
sclient_connect_successful $? $TMPFILE
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
[[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
|
[[ $sclient_success -eq 0 ]] && [[ $(grep -ac "BEGIN CERTIFICATE" $TMPFILE) -eq 0 ]] && sclient_success=1
|
||||||
@ -10408,7 +10407,7 @@ run_fs() {
|
|||||||
for curve in "${curves_ossl[@]}"; do
|
for curve in "${curves_ossl[@]}"; do
|
||||||
ossl_supported[nr_curves]=false
|
ossl_supported[nr_curves]=false
|
||||||
supported_curve[nr_curves]=false
|
supported_curve[nr_curves]=false
|
||||||
[[ "$OSSL_SUPPORTED_CURVES" =~ " $curve " ]] && ossl_supported[nr_curves]=true && nr_ossl_curves+=1
|
[[ "$OSSL_SUPPORTED_CURVES" =~ \ $curve\ ]] && ossl_supported[nr_curves]=true && nr_ossl_curves+=1
|
||||||
nr_curves+=1
|
nr_curves+=1
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -10803,7 +10802,7 @@ starttls_io() {
|
|||||||
# This seems a bit dangerous but works. No blockings yet. "if=nonblock" doesn't work on BSDs
|
# This seems a bit dangerous but works. No blockings yet. "if=nonblock" doesn't work on BSDs
|
||||||
buffer="$(dd bs=512 count=1 <&5 2>/dev/null)"
|
buffer="$(dd bs=512 count=1 <&5 2>/dev/null)"
|
||||||
|
|
||||||
for ((i=1; i < $nr_waits; i++ )); do
|
for ((i=1; i < nr_waits; i++ )); do
|
||||||
[[ "$DEBUG" -ge 2 ]] && echo -en "\nS: " && echo $buffer
|
[[ "$DEBUG" -ge 2 ]] && echo -en "\nS: " && echo $buffer
|
||||||
if [[ "$buffer" =~ $2 ]]; then
|
if [[ "$buffer" =~ $2 ]]; then
|
||||||
debugme echo " ---> reply matched \"$2\""
|
debugme echo " ---> reply matched \"$2\""
|
||||||
@ -11024,7 +11023,7 @@ starttls_postgres_dialog() {
|
|||||||
|
|
||||||
debugme echo "=== starting postgres STARTTLS dialog ==="
|
debugme echo "=== starting postgres STARTTLS dialog ==="
|
||||||
socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
|
socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
|
||||||
starttls_io "" S 1 && debugme echo "${debugpad}received ack (="S") for STARTTLS"
|
starttls_io "" S 1 && debugme echo "${debugpad}received ack (=\"S\") for STARTTLS"
|
||||||
ret=$?
|
ret=$?
|
||||||
debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
|
debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
|
||||||
return $ret
|
return $ret
|
||||||
@ -11626,7 +11625,7 @@ parse_sslv2_serverhello() {
|
|||||||
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if "$parse_complete" && [[ 2*$(hex2dec "$v2_hello_length") -ne ${#v2_hello_ascii}-4 ]]; then
|
if "$parse_complete" && [[ $((2*$(hex2dec "$v2_hello_length"))) -ne $((${#v2_hello_ascii}-4)) ]]; then
|
||||||
ret=7
|
ret=7
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -11947,7 +11946,7 @@ derive-handshake-traffic-keys() {
|
|||||||
fi
|
fi
|
||||||
if [[ "$cipher" == *AES_128* ]]; then
|
if [[ "$cipher" == *AES_128* ]]; then
|
||||||
key_len=16
|
key_len=16
|
||||||
elif ( [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]] ); then
|
elif [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]]; then
|
||||||
key_len=32
|
key_len=32
|
||||||
else
|
else
|
||||||
return 1
|
return 1
|
||||||
@ -12038,7 +12037,7 @@ derive-application-traffic-keys() {
|
|||||||
fi
|
fi
|
||||||
if [[ "$cipher" == *AES_128* ]]; then
|
if [[ "$cipher" == *AES_128* ]]; then
|
||||||
key_len=16
|
key_len=16
|
||||||
elif ( [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]] ); then
|
elif [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]]; then
|
||||||
key_len=32
|
key_len=32
|
||||||
else
|
else
|
||||||
return 1
|
return 1
|
||||||
@ -12907,7 +12906,7 @@ gcm() {
|
|||||||
tag[i]=0x${base_ectr:$((2*i)):2}
|
tag[i]=0x${base_ectr:$((2*i)):2}
|
||||||
done
|
done
|
||||||
|
|
||||||
if ( [[ $input_len -ne 0 ]] || [[ $aad_len -ne 0 ]] ); then
|
if [[ $input_len -ne 0 ]] || [[ $aad_len -ne 0 ]]; then
|
||||||
buf="$(printf "%016X" $aad_len)$(printf "%016X" $input_len)"
|
buf="$(printf "%016X" $aad_len)$(printf "%016X" $input_len)"
|
||||||
for (( i=0; i < 16; i++ )); do
|
for (( i=0; i < 16; i++ )); do
|
||||||
gcm_ctx_buf[i]="$(printf "%02X" $((0x${gcm_ctx_buf[i]} ^ 0x${buf:$((2*i)):2})))"
|
gcm_ctx_buf[i]="$(printf "%02X" $((0x${gcm_ctx_buf[i]} ^ 0x${buf:$((2*i)):2})))"
|
||||||
@ -13989,7 +13988,7 @@ parse_tls_serverhello() {
|
|||||||
tls_extensions_len+=$tls_encryptedextensions_ascii_len-4
|
tls_extensions_len+=$tls_encryptedextensions_ascii_len-4
|
||||||
tls_encryptedextensions_ascii_len=$tls_encryptedextensions_ascii_len/2-2
|
tls_encryptedextensions_ascii_len=$tls_encryptedextensions_ascii_len/2-2
|
||||||
offset=$((extns_offset+4))
|
offset=$((extns_offset+4))
|
||||||
tls_serverhello_ascii="${tls_serverhello_ascii:0:extns_offset}$(printf "%04X" $((0x${tls_serverhello_ascii:extns_offset:4}+$tls_encryptedextensions_ascii_len)))${tls_serverhello_ascii:offset}${tls_encryptedextensions_ascii:4}"
|
tls_serverhello_ascii="${tls_serverhello_ascii:0:extns_offset}$(printf "%04X" $((0x${tls_serverhello_ascii:extns_offset:4}+tls_encryptedextensions_ascii_len)))${tls_serverhello_ascii:offset}${tls_encryptedextensions_ascii:4}"
|
||||||
fi
|
fi
|
||||||
if [[ -n "$tls_certificate_ascii" ]]; then
|
if [[ -n "$tls_certificate_ascii" ]]; then
|
||||||
# In TLS 1.3, the Certificate message begins with a zero length certificate_request_context.
|
# In TLS 1.3, the Certificate message begins with a zero length certificate_request_context.
|
||||||
@ -14600,9 +14599,9 @@ sslv2_sockets() {
|
|||||||
local ret
|
local ret
|
||||||
local cipher_suites="$1"
|
local cipher_suites="$1"
|
||||||
local client_hello len_client_hello
|
local client_hello len_client_hello
|
||||||
local len_ciph_suites_byte len_ciph_suites
|
local len_ciph_suites
|
||||||
local server_hello sock_reply_file2 foo
|
local server_hello sock_reply_file2 foo
|
||||||
local -i response_len server_hello_len
|
local -i len_ciph_suites_byte response_len server_hello_len
|
||||||
local parse_complete=false
|
local parse_complete=false
|
||||||
|
|
||||||
# this could be empty so we use '=='
|
# this could be empty so we use '=='
|
||||||
@ -14632,7 +14631,7 @@ sslv2_sockets() {
|
|||||||
cipher_suites="$NW_STR" # we don't have the leading \x here so string length is two byte less, see next
|
cipher_suites="$NW_STR" # we don't have the leading \x here so string length is two byte less, see next
|
||||||
len_ciph_suites_byte=${#cipher_suites}
|
len_ciph_suites_byte=${#cipher_suites}
|
||||||
|
|
||||||
let "len_ciph_suites_byte += 2"
|
len_ciph_suites_byte+=2
|
||||||
len_ciph_suites=$(printf "%02x\n" $(( len_ciph_suites_byte / 4 )))
|
len_ciph_suites=$(printf "%02x\n" $(( len_ciph_suites_byte / 4 )))
|
||||||
len_client_hello=$(printf "%02x\n" $((0x$len_ciph_suites + 0x19)))
|
len_client_hello=$(printf "%02x\n" $((0x$len_ciph_suites + 0x19)))
|
||||||
|
|
||||||
@ -14773,9 +14772,9 @@ prepare_tls_clienthello() {
|
|||||||
local servername_hexstr len_servername len_servername_hex
|
local servername_hexstr len_servername len_servername_hex
|
||||||
local hexdump_format_str part1 part2
|
local hexdump_format_str part1 part2
|
||||||
local all_extensions=""
|
local all_extensions=""
|
||||||
local -i i j len_extension len_padding_extension len_all len_session_id
|
local -i i j len_ciph_suites_byte len_extension len_padding_extension len_all len_session_id
|
||||||
local len_sni_listlen len_sni_ext len_extension_hex len_padding_extension_hex
|
local len_sni_listlen len_sni_ext len_extension_hex len_padding_extension_hex
|
||||||
local cipher_suites len_ciph_suites len_ciph_suites_byte len_ciph_suites_word
|
local cipher_suites len_ciph_suites len_ciph_suites_word
|
||||||
local len_client_hello_word len_all_word
|
local len_client_hello_word len_all_word
|
||||||
local ecc_cipher_suite_found=false
|
local ecc_cipher_suite_found=false
|
||||||
local extension_signature_algorithms extension_heartbeat session_id
|
local extension_signature_algorithms extension_heartbeat session_id
|
||||||
@ -14791,7 +14790,7 @@ prepare_tls_clienthello() {
|
|||||||
|
|
||||||
cipher_suites="$2" # we don't have the leading \x here so string length is two byte less, see next
|
cipher_suites="$2" # we don't have the leading \x here so string length is two byte less, see next
|
||||||
len_ciph_suites_byte=${#cipher_suites}
|
len_ciph_suites_byte=${#cipher_suites}
|
||||||
let "len_ciph_suites_byte += 2"
|
len_ciph_suites_byte+=2
|
||||||
|
|
||||||
# we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4:
|
# we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4:
|
||||||
len_ciph_suites=$(printf "%02x\n" $(( len_ciph_suites_byte / 4 )))
|
len_ciph_suites=$(printf "%02x\n" $(( len_ciph_suites_byte / 4 )))
|
||||||
@ -14967,7 +14966,7 @@ prepare_tls_clienthello() {
|
|||||||
[[ $? -ne 0 ]] && return 1
|
[[ $? -ne 0 ]] && return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n "$SNI" ]] && [[ ! "$extra_extensions_list" =~ " 0000 " ]]; then
|
if [[ -n "$SNI" ]] && [[ ! "$extra_extensions_list" =~ \ 0000\ ]]; then
|
||||||
all_extensions="
|
all_extensions="
|
||||||
00, 00 # extension server_name
|
00, 00 # extension server_name
|
||||||
,00, $len_sni_ext # length SNI EXT
|
,00, $len_sni_ext # length SNI EXT
|
||||||
@ -14976,7 +14975,7 @@ prepare_tls_clienthello() {
|
|||||||
,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
|
,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9
|
||||||
,$servername_hexstr" # server_name target
|
,$servername_hexstr" # server_name target
|
||||||
fi
|
fi
|
||||||
if [[ 0x$tls_low_byte -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ " 002b " ]]; then
|
if [[ 0x$tls_low_byte -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ \ 002b\ ]]; then
|
||||||
# Add supported_versions extension listing all TLS/SSL versions
|
# Add supported_versions extension listing all TLS/SSL versions
|
||||||
# from the one specified in $tls_low_byte to SSLv3.
|
# from the one specified in $tls_low_byte to SSLv3.
|
||||||
for (( i=0x$tls_low_byte; i >=0; i=i-1 )); do
|
for (( i=0x$tls_low_byte; i >=0; i=i-1 )); do
|
||||||
@ -14995,7 +14994,7 @@ prepare_tls_clienthello() {
|
|||||||
done
|
done
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
# FIXME: Adjust the lengths ("+15" and "+14") when the draft versions of TLSv1.3 are removed.
|
# FIXME: Adjust the lengths ("+15" and "+14") when the draft versions of TLSv1.3 are removed.
|
||||||
if [[ "$KEY_SHARE_EXTN_NR" == "33" ]]; then
|
if [[ "$KEY_SHARE_EXTN_NR" == 33 ]]; then
|
||||||
all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+15))), $(printf "%02x" $((2*0x$tls_low_byte+14)))$extension_supported_versions"
|
all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+15))), $(printf "%02x" $((2*0x$tls_low_byte+14)))$extension_supported_versions"
|
||||||
else
|
else
|
||||||
all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+11))), $(printf "%02x" $((2*0x$tls_low_byte+10)))$extension_supported_versions"
|
all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+11))), $(printf "%02x" $((2*0x$tls_low_byte+10)))$extension_supported_versions"
|
||||||
@ -15006,45 +15005,45 @@ prepare_tls_clienthello() {
|
|||||||
# OpenSSL, Firefox, and Chrome include it in TLS 1.3 ClientHello messages, and there is at
|
# OpenSSL, Firefox, and Chrome include it in TLS 1.3 ClientHello messages, and there is at
|
||||||
# least one server that will fail the connection if it is absent
|
# least one server that will fail the connection if it is absent
|
||||||
# (see https://github.com/drwetter/testssl.sh/issues/990).
|
# (see https://github.com/drwetter/testssl.sh/issues/990).
|
||||||
if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ " 002d " ]]; then
|
if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ \ 002d\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extn_psk_mode"
|
all_extensions+="$extn_psk_mode"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! "$extra_extensions_list" =~ " 0023 " ]]; then
|
if [[ ! "$extra_extensions_list" =~ \ 0023\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_session_ticket"
|
all_extensions+="$extension_session_ticket"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If the ClientHello will include the ALPN extension, then don't include the NPN extension.
|
# If the ClientHello will include the ALPN extension, then don't include the NPN extension.
|
||||||
if [[ ! "$extra_extensions_list" =~ " 3374 " ]] && [[ ! "$extra_extensions_list" =~ " 0010 " ]]; then
|
if [[ ! "$extra_extensions_list" =~ \ 3374\ ]] && [[ ! "$extra_extensions_list" =~ \ 0010\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_next_protocol"
|
all_extensions+="$extension_next_protocol"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
||||||
# extension if they are offering TLS versions prior to 1.2.
|
# extension if they are offering TLS versions prior to 1.2.
|
||||||
if [[ "0x$tls_low_byte" -ge 0x03 ]] && [[ ! "$extra_extensions_list" =~ " 000d " ]]; then
|
if [[ "0x$tls_low_byte" -ge 0x03 ]] && [[ ! "$extra_extensions_list" =~ \ 000d\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_signature_algorithms"
|
all_extensions+="$extension_signature_algorithms"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n "$extension_supported_groups" ]] && [[ ! "$extra_extensions_list" =~ " 000a " ]]; then
|
if [[ -n "$extension_supported_groups" ]] && [[ ! "$extra_extensions_list" =~ \ 000a\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_supported_groups"
|
all_extensions+="$extension_supported_groups"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n "$extensions_key_share" ]] && [[ ! "$extra_extensions_list" =~ " 00$KEY_SHARE_EXTN_NR " ]]; then
|
if [[ -n "$extensions_key_share" ]] && [[ ! "$extra_extensions_list" =~ \ 00$KEY_SHARE_EXTN_NR\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extensions_key_share"
|
all_extensions+="$extensions_key_share"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ -n "$extension_supported_point_formats" ]] && [[ ! "$extra_extensions_list" =~ " 000b " ]]; then
|
if [[ -n "$extension_supported_point_formats" ]] && [[ ! "$extra_extensions_list" =~ \ 000b\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_supported_point_formats"
|
all_extensions+="$extension_supported_point_formats"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ " 001b " ]]; then
|
if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ \ 001b\ ]]; then
|
||||||
# If the response needs to be decrypted, then indicate support
|
# If the response needs to be decrypted, then indicate support
|
||||||
# for ZLIB certificate compression if $OPENSSL can decompress
|
# for ZLIB certificate compression if $OPENSSL can decompress
|
||||||
# the result. If the response does not need to be decrypted,
|
# the result. If the response does not need to be decrypted,
|
||||||
@ -15068,7 +15067,7 @@ prepare_tls_clienthello() {
|
|||||||
|
|
||||||
# Make sure that a non-empty extension goes last (either heartbeat or padding).
|
# Make sure that a non-empty extension goes last (either heartbeat or padding).
|
||||||
# See PR #792 and https://www.ietf.org/mail-archive/web/tls/current/msg19720.html.
|
# See PR #792 and https://www.ietf.org/mail-archive/web/tls/current/msg19720.html.
|
||||||
if [[ ! "$extra_extensions_list" =~ " 000f " ]]; then
|
if [[ ! "$extra_extensions_list" =~ \ 000f\ ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_heartbeat"
|
all_extensions+="$extension_heartbeat"
|
||||||
fi
|
fi
|
||||||
@ -15085,7 +15084,7 @@ prepare_tls_clienthello() {
|
|||||||
len_all=$((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2))
|
len_all=$((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2))
|
||||||
"$offer_compression" && len_all+=2
|
"$offer_compression" && len_all+=2
|
||||||
[[ 0x$tls_low_byte -gt 0x03 ]] && len_all+=32 # TLSv1.3 ClientHello includes a 32-byte session id
|
[[ 0x$tls_low_byte -gt 0x03 ]] && len_all+=32 # TLSv1.3 ClientHello includes a 32-byte session id
|
||||||
if [[ $len_all -ge 256 ]] && [[ $len_all -le 511 ]] && [[ ! "$extra_extensions_list" =~ " 0015 " ]]; then
|
if [[ $len_all -ge 256 ]] && [[ $len_all -le 511 ]] && [[ ! "$extra_extensions_list" =~ \ 0015\ ]]; then
|
||||||
if [[ $len_all -ge 508 ]]; then
|
if [[ $len_all -ge 508 ]]; then
|
||||||
len_padding_extension=1 # Final extension cannot be empty: see PR #792
|
len_padding_extension=1 # Final extension cannot be empty: see PR #792
|
||||||
else
|
else
|
||||||
@ -15099,7 +15098,7 @@ prepare_tls_clienthello() {
|
|||||||
done
|
done
|
||||||
len_extension=$len_extension+$len_padding_extension+0x4
|
len_extension=$len_extension+$len_padding_extension+0x4
|
||||||
len_extension_hex=$(printf "%02x\n" $len_extension)
|
len_extension_hex=$(printf "%02x\n" $len_extension)
|
||||||
elif [[ ! "$extra_extensions_list" =~ " 0015 " ]] && ( [[ $((len_all%256)) -eq 10 ]] || [[ $((len_all%256)) -eq 14 ]] ); then
|
elif [[ ! "$extra_extensions_list" =~ \ 0015\ ]] && ( [[ $((len_all%256)) -eq 10 ]] || [[ $((len_all%256)) -eq 14 ]] ); then
|
||||||
# Some servers fail if the length of the ClientHello is 522, 778, 1034, 1290, ... bytes.
|
# Some servers fail if the length of the ClientHello is 522, 778, 1034, 1290, ... bytes.
|
||||||
# A few servers also fail if the length is 526, 782, 1038, 1294, ... bytes.
|
# A few servers also fail if the length is 526, 782, 1038, 1294, ... bytes.
|
||||||
# So, if the ClientHello would be one of these length, add a 5-byte padding extension.
|
# So, if the ClientHello would be one of these length, add a 5-byte padding extension.
|
||||||
@ -15123,7 +15122,7 @@ prepare_tls_clienthello() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# RFC 3546 doesn't specify SSLv3 to have SNI, openssl just ignores the switch if supplied
|
# RFC 3546 doesn't specify SSLv3 to have SNI, openssl just ignores the switch if supplied
|
||||||
if [[ "$tls_low_byte" == "00" ]]; then
|
if [[ "$tls_low_byte" == 00 ]]; then
|
||||||
len_all=$((0x$len_ciph_suites + len_session_id + 0x27))
|
len_all=$((0x$len_ciph_suites + len_session_id + 0x27))
|
||||||
else
|
else
|
||||||
len_all=$((0x$len_ciph_suites + len_session_id + 0x27 + 0x$len_extension_hex + 0x2))
|
len_all=$((0x$len_ciph_suites + len_session_id + 0x27 + 0x$len_extension_hex + 0x2))
|
||||||
@ -15749,7 +15748,7 @@ run_heartbleed(){
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
||||||
pr_bold " Heartbleed"; out " ($cve) "
|
pr_bold " Heartbleed"; out " ($cve) "
|
||||||
|
|
||||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -15859,7 +15858,7 @@ run_ccs_injection(){
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
|
||||||
pr_bold " CCS"; out " ($cve) "
|
pr_bold " CCS"; out " ($cve) "
|
||||||
|
|
||||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -17222,14 +17221,14 @@ run_freak() {
|
|||||||
|
|
||||||
if [[ $DEBUG -ge 2 ]]; then
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
for hexc in $(sed 's/, / /g' <<< "$exportrsa_tls_cipher_list_hex, $exportrsa_ssl2_cipher_list_hex"); do
|
for hexc in ${exportrsa_tls_cipher_list_hex//, / } ${exportrsa_ssl2_cipher_list_hex//, / }; do
|
||||||
if [[ ${#hexc} -eq 5 ]]; then
|
if [[ ${#hexc} -eq 5 ]]; then
|
||||||
hexc="0x${hexc:0:2},0x${hexc:3:2}"
|
hexc="0x${hexc:0:2},0x${hexc:3:2}"
|
||||||
else
|
else
|
||||||
hexc="0x${hexc:0:2},0x${hexc:3:2},0x${hexc:6:2}"
|
hexc="0x${hexc:0:2},0x${hexc:3:2},0x${hexc:6:2}"
|
||||||
fi
|
fi
|
||||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||||
[[ "$hexc" == "${TLS_CIPHER_HEXCODE[i]}" ]] && break
|
[[ "$hexc" == ${TLS_CIPHER_HEXCODE[i]} ]] && break
|
||||||
done
|
done
|
||||||
[[ $i -eq $TLS_NR_CIPHERS ]] && tm_out "$hexc " || tm_out "${TLS_CIPHER_OSSL_NAME[i]} "
|
[[ $i -eq $TLS_NR_CIPHERS ]] && tm_out "$hexc " || tm_out "${TLS_CIPHER_OSSL_NAME[i]} "
|
||||||
done
|
done
|
||||||
@ -17398,10 +17397,10 @@ run_logjam() {
|
|||||||
|
|
||||||
if [[ $DEBUG -ge 2 ]]; then
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
for hexc in $(sed 's/, / /g' <<< "$exportdh_cipher_list_hex"); do
|
for hexc in ${exportdh_cipher_list_hex//, / }; do
|
||||||
hexc="0x${hexc:0:2},0x${hexc:3:2}"
|
hexc="0x${hexc:0:2},0x${hexc:3:2}"
|
||||||
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
|
||||||
[[ "$hexc" == "${TLS_CIPHER_HEXCODE[i]}" ]] && break
|
[[ "$hexc" == ${TLS_CIPHER_HEXCODE[i]} ]] && break
|
||||||
done
|
done
|
||||||
[[ $i -eq $TLS_NR_CIPHERS ]] && tm_out "$hexc " || tm_out "${TLS_CIPHER_OSSL_NAME[i]} "
|
[[ $i -eq $TLS_NR_CIPHERS ]] && tm_out "$hexc " || tm_out "${TLS_CIPHER_OSSL_NAME[i]} "
|
||||||
done
|
done
|
||||||
@ -17550,7 +17549,7 @@ run_drown() {
|
|||||||
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -17955,7 +17954,7 @@ run_winshock() {
|
|||||||
outln
|
outln
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -18936,7 +18935,7 @@ run_robot() {
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln
|
||||||
pr_bold " ROBOT "
|
pr_bold " ROBOT "
|
||||||
|
|
||||||
if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then
|
if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then
|
||||||
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -19892,7 +19891,7 @@ prepare_arrays() {
|
|||||||
if [[ ${#hexc} -eq 9 ]]; then
|
if [[ ${#hexc} -eq 9 ]]; then
|
||||||
# >= SSLv3 ciphers
|
# >= SSLv3 ciphers
|
||||||
if [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
if [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
||||||
[[ ":${ossl_supported_tls}:" =~ ":${TLS_CIPHER_OSSL_NAME[i]}:" ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true
|
[[ ":${ossl_supported_tls}:" =~ :${TLS_CIPHER_OSSL_NAME[i]}: ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true
|
||||||
else
|
else
|
||||||
ossl_ciph="$(awk '/'"$hexc"'/ { print $3 }' <<< "$ossl_supported_tls")"
|
ossl_ciph="$(awk '/'"$hexc"'/ { print $3 }' <<< "$ossl_supported_tls")"
|
||||||
if [[ -n "$ossl_ciph" ]]; then
|
if [[ -n "$ossl_ciph" ]]; then
|
||||||
@ -19902,7 +19901,7 @@ prepare_arrays() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
elif [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
elif [[ $OSSL_VER_MAJOR -lt 1 ]]; then
|
||||||
[[ ":${ossl_supported_sslv2}:" =~ ":${TLS_CIPHER_OSSL_NAME[i]}:" ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true
|
[[ ":${ossl_supported_sslv2}:" =~ :${TLS_CIPHER_OSSL_NAME[i]}: ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true
|
||||||
else
|
else
|
||||||
[[ "$ossl_supported_sslv2" =~ $hexc ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true
|
[[ "$ossl_supported_sslv2" =~ $hexc ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true
|
||||||
fi
|
fi
|
||||||
@ -21459,7 +21458,7 @@ create_mass_testing_cmdline() {
|
|||||||
# next is the filename itself, as no '=' was supplied
|
# next is the filename itself, as no '=' was supplied
|
||||||
[[ "$cmd" == --htmlfile ]] && skip_next=true
|
[[ "$cmd" == --htmlfile ]] && skip_next=true
|
||||||
[[ "$cmd" == -oH ]] && skip_next=true
|
[[ "$cmd" == -oH ]] && skip_next=true
|
||||||
elif ( [[ "$cmd" =~ --logfile ]] || [[ "$cmd" =~ -oL ]] ); then
|
elif [[ "$cmd" =~ --logfile ]] || [[ "$cmd" =~ -oL ]]; then
|
||||||
outfile_arg="$(parse_opt_equal_sign "$cmd" "${CMDLINE_ARRAY[i+1]}")"
|
outfile_arg="$(parse_opt_equal_sign "$cmd" "${CMDLINE_ARRAY[i+1]}")"
|
||||||
MASS_TESTING_CMDLINE[nr_cmds]="--logfile-parent=$outfile_arg"
|
MASS_TESTING_CMDLINE[nr_cmds]="--logfile-parent=$outfile_arg"
|
||||||
# next is the filename itself, as no '=' was supplied
|
# next is the filename itself, as no '=' was supplied
|
||||||
@ -21897,11 +21896,12 @@ run_mass_testing_parallel() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
run_rating() {
|
run_rating() {
|
||||||
local final_score pre_cap_grade final_grade
|
local pre_cap_grade final_grade
|
||||||
local c1_score c2_score c3_score c1_wscore c2_wscore c3_wscore
|
local -i c1_score c2_score c3_score c1_wscore c2_wscore c3_wscore final_score
|
||||||
local c1_worst c1_best
|
local -i c1_worst c1_best
|
||||||
local c3_worst c3_best c3_worst_cb c3_best_cb
|
local -i c3_worst c3_best c3_worst_cb c3_best_cb
|
||||||
local old_ifs=$IFS sorted_reasons sorted_warnings reason_nr=0 warning_nr=0
|
local old_ifs=$IFS sorted_reasons sorted_warnings
|
||||||
|
local -i reason_nr=0 warning_nr=0
|
||||||
|
|
||||||
outln "\n";
|
outln "\n";
|
||||||
pr_headlineln " Rating (experimental) "
|
pr_headlineln " Rating (experimental) "
|
||||||
@ -21965,8 +21965,8 @@ run_rating() {
|
|||||||
c1_worst=100
|
c1_worst=100
|
||||||
fi
|
fi
|
||||||
|
|
||||||
let c1_score="($c1_best+$c1_worst)/2" # Gets the category score
|
c1_score=$(( (c1_best+c1_worst)/2 )) # Gets the category score
|
||||||
let c1_wscore=$c1_score*30/100 # Gets the weighted score for category (30%)
|
c1_wscore=$((c1_score*30/100)) # Gets the weighted score for category (30%)
|
||||||
|
|
||||||
pr_bold " Protocol Support "; out "(weighted) "; outln "$c1_score ($c1_wscore)"
|
pr_bold " Protocol Support "; out "(weighted) "; outln "$c1_score ($c1_wscore)"
|
||||||
fileout "protocol_support_score" "INFO" "$c1_score"
|
fileout "protocol_support_score" "INFO" "$c1_score"
|
||||||
@ -21979,8 +21979,8 @@ run_rating() {
|
|||||||
set_grade_cap "B" "Using a weak public key and/or ephemeral key"
|
set_grade_cap "B" "Using a weak public key and/or ephemeral key"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
let c2_score=$KEY_EXCH_SCORE
|
c2_score=$KEY_EXCH_SCORE
|
||||||
let c2_wscore=$c2_score*30/100
|
c2_wscore=$((c2_score*30/100))
|
||||||
|
|
||||||
pr_bold " Key Exchange "; out " (weighted) "; outln "$c2_score ($c2_wscore)"
|
pr_bold " Key Exchange "; out " (weighted) "; outln "$c2_score ($c2_wscore)"
|
||||||
fileout "key_exchange_score" "INFO" "$c2_score"
|
fileout "key_exchange_score" "INFO" "$c2_score"
|
||||||
@ -22013,8 +22013,8 @@ run_rating() {
|
|||||||
else
|
else
|
||||||
c3_worst=0
|
c3_worst=0
|
||||||
fi
|
fi
|
||||||
let c3_score="($c3_best+$c3_worst)/2" # Gets the category score
|
c3_score=$(( (c3_best+c3_worst)/2 )) # Gets the category score
|
||||||
let c3_wscore=$c3_score*40/100 # Gets the weighted score for category (40%)
|
c3_wscore=$((c3_score*40/100)) # Gets the weighted score for category (40%)
|
||||||
|
|
||||||
pr_bold " Cipher Strength "; out " (weighted) "; outln "$c3_score ($c3_wscore)"
|
pr_bold " Cipher Strength "; out " (weighted) "; outln "$c3_score ($c3_wscore)"
|
||||||
fileout "cipher_strength_score" "INFO" "$c3_score"
|
fileout "cipher_strength_score" "INFO" "$c3_score"
|
||||||
@ -22023,9 +22023,9 @@ run_rating() {
|
|||||||
## Calculate final score and grade
|
## Calculate final score and grade
|
||||||
# If any category resulted in a score of 0, push final grade to 0
|
# If any category resulted in a score of 0, push final grade to 0
|
||||||
if [[ $c1_score -eq 0 || $c2_score -eq 0 || $c3_score -eq 0 ]]; then
|
if [[ $c1_score -eq 0 || $c2_score -eq 0 || $c3_score -eq 0 ]]; then
|
||||||
let final_score=0
|
final_score=0
|
||||||
else
|
else
|
||||||
let final_score=$c1_wscore+$c2_wscore+$c3_wscore
|
final_score=$((c1_wscore+c2_wscore+c3_wscore))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " Final Score "; outln $final_score
|
pr_bold " Final Score "; outln $final_score
|
||||||
@ -22090,7 +22090,7 @@ run_rating() {
|
|||||||
else
|
else
|
||||||
outln " $reason"
|
outln " $reason"
|
||||||
fi
|
fi
|
||||||
let reason_nr++
|
((reason_nr++))
|
||||||
fileout "grade_cap_reason_${reason_nr}" "INFO" "$reason"
|
fileout "grade_cap_reason_${reason_nr}" "INFO" "$reason"
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -22100,7 +22100,7 @@ run_rating() {
|
|||||||
else
|
else
|
||||||
prln_svrty_medium " $warning"
|
prln_svrty_medium " $warning"
|
||||||
fi
|
fi
|
||||||
let warning_nr++
|
((warning_nr++))
|
||||||
fileout "grade_cap_warning_${warning_nr}" "INFO" "$warning"
|
fileout "grade_cap_warning_${warning_nr}" "INFO" "$warning"
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -22113,18 +22113,18 @@ run_rating() {
|
|||||||
# Returns "0" if rating is enabled, and "1" if rating is disabled
|
# Returns "0" if rating is enabled, and "1" if rating is disabled
|
||||||
set_rating_state() {
|
set_rating_state() {
|
||||||
local gbl
|
local gbl
|
||||||
local nr_enabled=0
|
local -i nr_enabled=0
|
||||||
|
|
||||||
# All of these should be enabled
|
# All of these should be enabled
|
||||||
for gbl in do_protocols do_cipherlists do_fs do_server_defaults do_header \
|
for gbl in do_protocols do_cipherlists do_fs do_server_defaults do_header \
|
||||||
do_heartbleed do_ccs_injection do_ticketbleed do_robot do_renego \
|
do_heartbleed do_ccs_injection do_ticketbleed do_robot do_renego \
|
||||||
do_crime do_ssl_poodle do_tls_fallback_scsv do_drown do_beast \
|
do_crime do_ssl_poodle do_tls_fallback_scsv do_drown do_beast \
|
||||||
do_rc4 do_logjam; do
|
do_rc4 do_logjam; do
|
||||||
"${!gbl}" && let nr_enabled++
|
"${!gbl}" && ((nr_enabled++))
|
||||||
done
|
done
|
||||||
|
|
||||||
# ... at least one of these has to be set
|
# ... at least one of these has to be set
|
||||||
[[ "$do_allciphers" || "$do_cipher_per_proto" ]] && let nr_enabled++
|
[[ "$do_allciphers" || "$do_cipher_per_proto" ]] && ((nr_enabled++))
|
||||||
|
|
||||||
# ... else we can't do rating
|
# ... else we can't do rating
|
||||||
if [[ $nr_enabled -lt 18 ]]; then
|
if [[ $nr_enabled -lt 18 ]]; then
|
||||||
@ -22223,13 +22223,13 @@ set_scanning_defaults() {
|
|||||||
# returns number of $do variables set = number of run_funcs() to perform
|
# returns number of $do variables set = number of run_funcs() to perform
|
||||||
count_do_variables() {
|
count_do_variables() {
|
||||||
local gbl
|
local gbl
|
||||||
local true_nr=0
|
local -i true_nr=0
|
||||||
|
|
||||||
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_ticketbleed do_cipher_per_proto do_crime \
|
for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_ticketbleed do_cipher_per_proto do_crime \
|
||||||
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_fs do_protocols do_rc4 do_starttls_injection do_grease do_robot do_renego \
|
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_fs do_protocols do_rc4 do_starttls_injection do_grease do_robot do_renego \
|
||||||
do_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv do_winshock \
|
do_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv do_winshock \
|
||||||
do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only do_rating; do
|
do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only do_rating; do
|
||||||
"${!gbl}" && let true_nr++
|
"${!gbl}" && ((true_nr++))
|
||||||
done
|
done
|
||||||
return $true_nr
|
return $true_nr
|
||||||
}
|
}
|
||||||
@ -22473,75 +22473,75 @@ parse_cmd_line() {
|
|||||||
;;
|
;;
|
||||||
-H|--heartbleed)
|
-H|--heartbleed)
|
||||||
do_heartbleed=true
|
do_heartbleed=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-I|--ccs|--ccs[-_]injection)
|
-I|--ccs|--ccs[-_]injection)
|
||||||
do_ccs_injection=true
|
do_ccs_injection=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-T|--ticketbleed)
|
-T|--ticketbleed)
|
||||||
do_ticketbleed=true
|
do_ticketbleed=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-BB|--BB|--robot)
|
-BB|--BB|--robot)
|
||||||
do_robot=true
|
do_robot=true
|
||||||
;;
|
;;
|
||||||
-R|--renegotiation)
|
-R|--renegotiation)
|
||||||
do_renego=true
|
do_renego=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-C|--compression|--crime)
|
-C|--compression|--crime)
|
||||||
do_crime=true
|
do_crime=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-B|--breach)
|
-B|--breach)
|
||||||
do_breach=true
|
do_breach=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-O|--poodle)
|
-O|--poodle)
|
||||||
do_ssl_poodle=true
|
do_ssl_poodle=true
|
||||||
do_tls_fallback_scsv=true
|
do_tls_fallback_scsv=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-Z|--tls[_-]fallback|tls[_-]fallback[_-]scs)
|
-Z|--tls[_-]fallback|tls[_-]fallback[_-]scs)
|
||||||
do_tls_fallback_scsv=true
|
do_tls_fallback_scsv=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-W|--sweet32)
|
-W|--sweet32)
|
||||||
do_sweet32=true
|
do_sweet32=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-F|--freak)
|
-F|--freak)
|
||||||
do_freak=true
|
do_freak=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-D|--drown)
|
-D|--drown)
|
||||||
do_drown=true
|
do_drown=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-J|--logjam)
|
-J|--logjam)
|
||||||
do_logjam=true
|
do_logjam=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-A|--beast)
|
-A|--beast)
|
||||||
do_beast=true
|
do_beast=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-L|--lucky13)
|
-L|--lucky13)
|
||||||
do_lucky13=true
|
do_lucky13=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-WS|--winshock)
|
-WS|--winshock)
|
||||||
do_winshock=true
|
do_winshock=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-4|--rc4|--appelbaum)
|
-4|--rc4|--appelbaum)
|
||||||
do_rc4=true
|
do_rc4=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-SI|--SI|--starttls[-_]injection)
|
-SI|--SI|--starttls[-_]injection)
|
||||||
do_starttls_injection=true
|
do_starttls_injection=true
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
;;
|
;;
|
||||||
-f|--fs|--nsa|--forward-secrecy)
|
-f|--fs|--nsa|--forward-secrecy)
|
||||||
do_fs=true
|
do_fs=true
|
||||||
@ -22604,7 +22604,7 @@ parse_cmd_line() {
|
|||||||
FNAME="$(parse_opt_equal_sign "$1" "$2")"
|
FNAME="$(parse_opt_equal_sign "$1" "$2")"
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
IKNOW_FNAME=true
|
IKNOW_FNAME=true
|
||||||
WARNINGS=batch # set this implicitly!
|
WARNINGS="batch" # set this implicitly!
|
||||||
do_mass_testing=true
|
do_mass_testing=true
|
||||||
;;
|
;;
|
||||||
--mode|--mode=*)
|
--mode|--mode=*)
|
||||||
@ -22935,7 +22935,7 @@ parse_cmd_line() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
if "$do_starttls_injection" && [[ "$STARTTLS_PROTOCOL" =~ smtp ]]; then
|
if "$do_starttls_injection" && [[ "$STARTTLS_PROTOCOL" =~ smtp ]]; then
|
||||||
let "VULN_COUNT++"
|
((VULN_COUNT++))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
count_do_variables
|
count_do_variables
|
||||||
|