An extra client-side warning led to invalid JSON pretty output. This fixes
the bug by adding an extra object. The objects are named "clientProblem${NUMBER}".
By "extra client side" I mean warnings which do not occur during regular
tests -- warnings that do occur during regular tests are not extra ones and should just be reported with ``fileout()`` instead
of ``fileout_insert_warning()``.

Also some ``fileout arg1 WARN`` calls were patched: WARN is not a finding. It is just
a report that either something on the client side does not work as expected or that
the server could not be checked during a particular test. WARNING does not
exist at all; WARN should be used instead.

In some places where the warning output to JSON or CSV was missing, it was added.
This commit is contained in:
Dirk 2017-08-28 18:25:45 +02:00
parent 6776a66603
commit 16dae3511e


@ -267,6 +267,7 @@ OSSL_VER="" # openssl version, will be auto-determin
OSSL_VER_MAJOR=0 OSSL_VER_MAJOR=0
OSSL_VER_MINOR=0 OSSL_VER_MINOR=0
OSSL_VER_APPENDIX="none" OSSL_VER_APPENDIX="none"
CLIENT_PROB_NO=1
HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
HAS_SSL2=false HAS_SSL2=false
HAS_SSL3=false HAS_SSL3=false
@ -772,6 +773,22 @@ fileout_footer() {
return 0 return 0
} }
fileout_insert_warning() {
# See #815. Make sure we don't mess up the JSON PRETTY format if we complain with a client side warning.
# This should only be called if an *extra* warning will be printed (previously: 'fileout <extra_warning_ID> "WARN" '
# arg1: json identifier, arg2: normally "WARN", arg3: finding
if "$do_pretty_json"; then
echo -e " \"clientProblem${CLIENT_PROB_NO}\" : [" >>"$JSONFILE"
CLIENT_PROB_NO=$((CLIENT_PROB_NO + 1))
FIRST_FINDING=true # make sure we don't have a comma here
fi
fileout "$1" "$2" "$3"
if "$do_pretty_json"; then
echo -e "\n ]," >>"$JSONFILE"
fi
}
# ID, SEVERITY, FINDING, CVE, CWE, HINT # ID, SEVERITY, FINDING, CVE, CWE, HINT
fileout() { fileout() {
local severity="$2" local severity="$2"
@ -1991,7 +2008,7 @@ run_server_banner() {
# https://support.microsoft.com/en-us/kb/245030 # https://support.microsoft.com/en-us/kb/245030
else else
outln "(no \"Server\" line in header, interesting!)" outln "(no \"Server\" line in header, interesting!)"
fileout "serverbanner" "WARN" "No Server banner in header, interesting!" fileout "serverbanner" "INFO" "No Server banner in header, interesting!"
fi fi
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
@ -2057,7 +2074,7 @@ run_application_banner() {
emphasize_stuff_in_headers "$line" emphasize_stuff_in_headers "$line"
app_banners="${app_banners}${line}" app_banners="${app_banners}${line}"
done < "$TMPFILE" done < "$TMPFILE"
fileout "app_banner" "WARN" "Application Banners found: $app_banners" fileout "app_banner" "INFO" "Application Banners found: $app_banners"
fi fi
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return 0 return 0
@ -2103,7 +2120,7 @@ run_cookie_flags() { # ARG1: Path
if [[ $nr_cookies -eq $nr_secure ]]; then if [[ $nr_cookies -eq $nr_secure ]]; then
fileout "cookie_secure" "OK" "All $nr_cookies cookie(s) issued at \"$1\" marked as secure" fileout "cookie_secure" "OK" "All $nr_cookies cookie(s) issued at \"$1\" marked as secure"
else else
fileout "cookie_secure" "WARN" "$nr_secure/$nr_cookies cookie(s) issued at \"$1\" marked as secure" fileout "cookie_secure" "INFO" "$nr_secure/$nr_cookies cookie(s) issued at \"$1\" marked as secure"
fi fi
nr_httponly=$(grep -cai httponly $TMPFILE) nr_httponly=$(grep -cai httponly $TMPFILE)
case $nr_httponly in case $nr_httponly in
@ -2114,7 +2131,7 @@ run_cookie_flags() { # ARG1: Path
if [[ $nr_cookies -eq $nr_httponly ]]; then if [[ $nr_cookies -eq $nr_httponly ]]; then
fileout "cookie_httponly" "OK" "All $nr_cookies cookie(s) issued at \"$1\" marked as HttpOnly$msg302_" fileout "cookie_httponly" "OK" "All $nr_cookies cookie(s) issued at \"$1\" marked as HttpOnly$msg302_"
else else
fileout "cookie_httponly" "WARN" "$nr_secure/$nr_cookies cookie(s) issued at \"$1\" marked as HttpOnly$msg302_" fileout "cookie_httponly" "INFO" "$nr_secure/$nr_cookies cookie(s) issued at \"$1\" marked as HttpOnly$msg302_"
fi fi
out "$msg302" out "$msg302"
else else
@ -2167,7 +2184,7 @@ run_more_flags() {
fi fi
pr_litecyan "$f2t" pr_litecyan "$f2t"
outln "$HEADERVALUE" # shouldn't be that long outln "$HEADERVALUE" # shouldn't be that long
fileout "$f2t" "WARN" "$f2t: $HEADERVALUE" fileout "$f2t" "INFO" "$f2t: $HEADERVALUE"
fi fi
done done
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" or Access-Control-Allow-Origin: * #TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" or Access-Control-Allow-Origin: *
@ -3625,7 +3642,7 @@ run_client_simulation() {
else else
pr_headline " Running client simulations via openssl " pr_headline " Running client simulations via openssl "
prln_warning " Depending on your openssl client you may get false results" prln_warning " Depending on your openssl client you may get false results"
fileout "client_simulation" "WARNING" "Depending on your openssl client you may encounter false results" fileout_insert_warning "client_simulation" "WARN" "Depending on your openssl client you will encounter false results"
fi fi
outln outln
@ -3934,7 +3951,8 @@ run_protocols() {
outln "(may need debugging)" outln "(may need debugging)"
add_tls_offered "ssl3" add_tls_offered "ssl3"
;; ;;
7) fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support" 7) prln_warning "SSLv3 seems locally not supported"
fileout "sslv3" "WARN" "SSLv3 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
@ -3975,10 +3993,11 @@ run_protocols() {
fi fi
;; ;;
5) outln "$supported_no_ciph1" # protocol ok, but no cipher 5) outln "$supported_no_ciph1" # protocol ok, but no cipher
fileout "tls1" "WARN" "TLSv1.0 is $supported_no_ciph1" fileout "tls1" "INFO" "TLSv1.0 is $supported_no_ciph1"
add_tls_offered "tls1" add_tls_offered "tls1"
;; ;;
7) fileout "tlsv1" "INFO" "TLSv1.0 is not tested due to lack of local support" 7) prln_warning "TLSv1.0 seems locally not supported"
fileout "tlsv1" "WARN" "TLSv1.0 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
@ -4022,10 +4041,11 @@ run_protocols() {
fi fi
;; ;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
fileout "tls1_1" "WARN" "TLSv1.1 is $supported_no_ciph1" fileout "tls1_1" "INFO" "TLSv1.1 is $supported_no_ciph1"
add_tls_offered "tls1_1" add_tls_offered "tls1_1"
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) fileout "tls1_1" "INFO" "TLSv1.1 is not tested due to lack of local support" 7) prln_warning "TLSv1.1 seems locally not supported"
fileout "tls1_1" "WARN" "TLSv1.1 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
@ -4080,10 +4100,11 @@ run_protocols() {
fi fi
;; ;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
fileout "tls1_2" "WARN" "TLSv1.2 is $supported_no_ciph1" fileout "tls1_2" "INFO" "TLSv1.2 is $supported_no_ciph1"
add_tls_offered "tls1_2" add_tls_offered "tls1_2"
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support" 7) prln_warning "TLSv1.2 seems locally not supported"
fileout "tls1_2" "WARN" "TLSv1.2 is not tested due to lack of local support"
;; # no local support ;; # no local support
esac esac
debugme echo "PROTOS_OFFERED: $PROTOS_OFFERED" debugme echo "PROTOS_OFFERED: $PROTOS_OFFERED"
@ -4978,8 +4999,10 @@ get_host_cert() {
awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT
return 0 return 0
else else
[[ -z "$1" ]] && prln_warning "could not retrieve host certificate!" if [[ -z "$1" ]]; then
#fileout "host_certificate" "WARN" "Could not retrieve host certificate!" prln_warning "could not retrieve host certificate!"
fileout_insert_warning "host_certificate" "WARN" "Could not retrieve host certificate!"
fi
return 1 return 1
fi fi
#tmpfile_handle $FUNCNAME.txt #tmpfile_handle $FUNCNAME.txt
@ -5032,7 +5055,7 @@ determine_trust() {
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \ [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then
addtl_warning="(Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust)" addtl_warning="(Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust)"
fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning" fileout_insert_warning "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
fi fi
debugme tmln_out debugme tmln_out
@ -10334,7 +10357,7 @@ run_logjam() {
if [[ ! -s "$common_primes_file" ]]; then if [[ ! -s "$common_primes_file" ]]; then
prln_local_problem "couldn't read common primes file $common_primes_file" prln_local_problem "couldn't read common primes file $common_primes_file"
out "${spaces}" out "${spaces}"
fileout "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file" fileout_insert_warning "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file"
ret=7 ret=7
else else
dh_p="$(toupper "$dh_p")" dh_p="$(toupper "$dh_p")"
@ -11101,7 +11124,7 @@ old_fart() {
out "Get precompiled bins or compile " out "Get precompiled bins or compile "
pr_url "https://github.com/PeterMosmans/openssl" pr_url "https://github.com/PeterMosmans/openssl"
outln "." outln "."
fileout "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." fileout_insert_warning "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."
fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn't make much sense to proceed." -5 fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn't make much sense to proceed." -5
} }
@ -11313,6 +11336,7 @@ find_openssl_binary() {
return 0 return 0
} }
check4openssl_oldfarts() { check4openssl_oldfarts() {
case "$OSSL_VER" in case "$OSSL_VER" in
0.9.7*|0.9.6*|0.9.5*) 0.9.7*|0.9.6*|0.9.5*)
@ -11331,10 +11355,10 @@ check4openssl_oldfarts() {
*BSD|Darwin) *BSD|Darwin)
out " Please use binary provided in \$INSTALLDIR/bin/ or from ports/brew or compile from " out " Please use binary provided in \$INSTALLDIR/bin/ or from ports/brew or compile from "
pr_url "github.com/PeterMosmans/openssl"; outln "." pr_url "github.com/PeterMosmans/openssl"; outln "."
fileout "too_old_openssl" "WARN" "Your $OPENSSL $OSSL_VER version is way too old. Please use binary provided in \$INSTALLDIR/bin/ or from ports/brew or compile from github.com/PeterMosmans/openssl ." ;; fileout_insert_warning "too_old_openssl" "WARN" "Your $OPENSSL $OSSL_VER version is way too old. Please use binary provided in \$INSTALLDIR/bin/ or from ports/brew or compile from github.com/PeterMosmans/openssl ." ;;
*) out " Update openssl binaries or compile from " *) out " Update openssl binaries or compile from "
pr_url "https://github.com/PeterMosmans/openssl"; outln "." pr_url "https://github.com/PeterMosmans/openssl"; outln "."
fileout "too_old_openssl" "WARN" "Update openssl binaries or compile from https://github.com/PeterMosmans/openssl .";; fileout_insert_warning "too_old_openssl" "WARN" "Update openssl binaries or compile from https://github.com/PeterMosmans/openssl .";;
esac esac
ignore_no_or_lame " Type \"yes\" to accept false negatives or positives" "yes" ignore_no_or_lame " Type \"yes\" to accept false negatives or positives" "yes"
[[ $? -ne 0 ]] && exit -2 [[ $? -ne 0 ]] && exit -2
@ -11708,10 +11732,12 @@ initialize_engine(){
if ! $OPENSSL engine gost -vvvv -t -c 2>/dev/null >/dev/null; then if ! $OPENSSL engine gost -vvvv -t -c 2>/dev/null >/dev/null; then
outln outln
pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
return 1 return 1
elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then
outln outln
pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
return 1 return 1
else # we have engine support else # we have engine support
if [[ -n "$OPENSSL_CONF" ]]; then if [[ -n "$OPENSSL_CONF" ]]; then
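Review bot: The `fileout_insert_warning "old_fart" ...` line in the old_fart hunk keeps `doesn\'t` inside a double-quoted string; bash preserves that backslash, so unless fileout escapes backslashes before writing (its body is outside these hunks) the JSON file receives `\'`, which is not a valid JSON escape and undoes the pretty-JSON repair this commit is about. The fatal call directly below already spells it `doesn't`, so the fix is `fileout_insert_warning "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn't make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ."`; old_fart's body begins above that hunk. In fileout_insert_warning itself the closing `echo -e "\n ]," >>"$JSONFILE"` always emits a trailing comma while FIRST_FINDING is reset to true only for the inner fileout call, so if fileout prints a separator whenever FIRST_FINDING is false, the next regular finding would be preceded by two commas and a client problem that is the last entry of its section would leave a dangling one — worth verifying with a pretty-JSON run that hits the engine_problem path in initialize_engine. `"clientProblem${CLIENT_PROB_NO}" : [` is also an object member, which is only valid if the helper is called between sections rather than inside an open findings array; a header comment such as `# must not be called while a findings array is open in the pretty JSON` would record that assumption for callers like get_host_cert and determine_trust.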