Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1696 from dcooper16/fewer_external_function_calls

Browse Source 
Use fewer external function calls
This commit is contained in:
Dirk Wetter 2020-08-07 13:17:38 +02:00 committed by GitHub
commit 186dcfa735
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 45 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
testssl.sh
View File

@ -124,7 +124,7 @@ trap "child_error" USR1
# #
declare -r VERSION="3.1dev" declare -r VERSION="3.1dev"
declare -r SWCONTACT="dirk aet testssl dot sh" declare -r SWCONTACT="dirk aet testssl dot sh"
grep -E -q "dev|rc|beta" <<< "$VERSION" && \ [[ "$VERSION" =~ dev|rc|beta ]] && \
SWURL="https://testssl.sh/dev/" || SWURL="https://testssl.sh/dev/" ||
SWURL="https://testssl.sh/" SWURL="https://testssl.sh/"
if git log &>/dev/null; then if git log &>/dev/null; then
@ -843,24 +843,35 @@ is_ipv4addr() {
local ipv4address="$octet\\.$octet\\.$octet\\.$octet" local ipv4address="$octet\\.$octet\\.$octet\\.$octet"
[[ -z "$1" ]] && return 1 [[ -z "$1" ]] && return 1
# more than numbers, important for hosts like AAA.BBB.CCC.DDD.in-addr.arpa.DOMAIN.TLS
[[ -n $(tr -d '0-9\.' <<< "$1") ]] && return 1
grep -Eq "$ipv4address" <<< "$1" && \ # Check that $1 contains an IPv4 address and nothing else
[[ "$1" =~ $ipv4address ]] && [[ "$1" == $BASH_REMATCH ]] && \
return 0 || \ return 0 || \
return 1 return 1
} }
# a bit easier # See RFC 4291, Section 2.2
is_ipv6addr() { is_ipv6addr() {
local ipv6seg="[0-9A-Fa-f]{1,4}"
local octet="(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
local ipv4address="$octet\\.$octet\\.$octet\\.$octet"
local ipv6address
ipv6address="($ipv6seg:){7}(:|$ipv6seg)"
ipv6address+="|($ipv6seg:){6}(:|:$ipv6seg|$ipv4address)"
ipv6address+="|($ipv6seg:){5}(:|(:$ipv6seg){1,2}|:$ipv4address)"
ipv6address+="|($ipv6seg:){4}(:|(:$ipv6seg){1,3}|:($ipv6seg:){0,1}$ipv4address)"
ipv6address+="|($ipv6seg:){3}(:|(:$ipv6seg){1,4}|:($ipv6seg:){0,2}$ipv4address)"
ipv6address+="|($ipv6seg:){2}(:|(:$ipv6seg){1,5}|:($ipv6seg:){0,3}$ipv4address)"
ipv6address+="|($ipv6seg:){1}(:|(:$ipv6seg){1,6}|:($ipv6seg:){0,4}$ipv4address)"
ipv6address+="|:((:$ipv6seg){1,7}|:($ipv6seg:){0,5}$ipv4address)"
[[ -z "$1" ]] && return 1 [[ -z "$1" ]] && return 1
# less than 2x ":"
[[ $(count_lines "$(tr ':' '\n' <<< "$1")") -le 1 ]] && \ # Check that $1 contains an IPv4 address and nothing else
[[ "$1" =~ $ipv6address ]] && [[ "$1" == $BASH_REMATCH ]] && \
return 0 || \
return 1 return 1
# check which chars allowed:
[[ -n "$(tr -d '0-9:a-fA-F ' <<< "$1" | sed -e '/^$/d')" ]] && \
return 1
return 0
} }
###### END universal helper function definitions ###### ###### END universal helper function definitions ######
@ -2379,12 +2390,11 @@ run_http_header() {
match_ipv4_httpheader() { match_ipv4_httpheader() {
local octet="(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])" local octet="(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
local ipv4address="$octet\\.$octet\\.$octet\\.$octet" local ipv4address="$octet\\.$octet\\.$octet\\.$octet"
local whitelisted_header="pagespeed|page-speed|^Content-Security-Policy|^MicrosoftSharePointTeamServices|^X-OWA-Version|^Location|^Server: PRTG" local excluded_header="pagespeed|page-speed|^Content-Security-Policy|^MicrosoftSharePointTeamServices|^X-OWA-Version|^Location|^Server: "
local your_ip_msg="(check if it's your IP address or e.g. a cluster IP)" local your_ip_msg="(check if it's your IP address or e.g. a cluster IP)"
local result local headers result
local first=true local first=true
local spaces=" " local spaces=" "
local count
local jsonID="ipv4_in_header" local jsonID="ipv4_in_header"
local cwe="CWE-212" local cwe="CWE-212"
local cve="" local cve=""
@ -2393,27 +2403,24 @@ match_ipv4_httpheader() {
run_http_header "$1" || return 1 run_http_header "$1" || return 1
fi fi
# Whitelist some headers as they are mistakenly identified as ipv4 address. Issues #158, #323. # Exclude some headers as they are mistakenly identified as ipv4 address. Issues #158, #323.
# Also facebook used to have a CSP rule for 127.0.0.1 # Also facebook used to have a CSP rule for 127.0.0.1
if grep -Evai "$whitelisted_header" $HEADERFILE | grep -Eiq "$ipv4address"; then headers="$(grep -Evai "$excluded_header" $HEADERFILE)"
if [[ "$headers" =~ $ipv4address ]]; then
pr_bold " IPv4 address in header " pr_bold " IPv4 address in header "
count=0
while read line; do while read line; do
result="$(grep -E "$ipv4address" <<< "$line")" [[ "$line" =~ $ipv4address ]] || continue
result=$(strip_lf "$result") result=$(strip_lf "$line")
if [[ -n "$result" ]]; then if ! $first; then
if ! $first; then out "$spaces"
out "$spaces" your_ip_msg=""
your_ip_msg="" else
else first=false
first=false
fi
pr_svrty_medium "$result"
outln "\n$spaces$your_ip_msg"
fileout "$jsonID" "MEDIUM" "$result $your_ip_msg" "$cve" "$cwe"
fi fi
count=$count+1 pr_svrty_medium "$result"
done < $HEADERFILE outln "\n$spaces$your_ip_msg"
fileout "$jsonID" "MEDIUM" "$result $your_ip_msg" "$cve" "$cwe"
done <<< "$headers"
fi fi
} }
@ -8437,7 +8444,7 @@ certificate_info() {
fileout "${jsonID}${json_postfix}" "OK" "DSA with SHA256" fileout "${jsonID}${json_postfix}" "OK" "DSA with SHA256"
;; ;;
rsassaPss) rsassaPss)
cert_sig_hash_algo="$(grep -A 1 "Signature Algorithm" <<< "$cert_txt" | head -2 | tail -1 | sed 's/^.*Hash Algorithm: //')" cert_sig_hash_algo="$(awk '/Signature Algorithm/ { getline; print $0; exit }' <<< "$cert_txt" | sed 's/^.*Hash Algorithm: //')"
case $cert_sig_hash_algo in case $cert_sig_hash_algo in
sha1) sha1)
prln_svrty_medium "RSASSA-PSS with SHA1" prln_svrty_medium "RSASSA-PSS with SHA1"
@ -11221,7 +11228,7 @@ hmac() {
else else
output="$(asciihex_to_binary "$text" | $OPENSSL dgst "$hash_fn" -mac HMAC -macopt hexkey:"$key" 2>/dev/null)" output="$(asciihex_to_binary "$text" | $OPENSSL dgst "$hash_fn" -mac HMAC -macopt hexkey:"$key" 2>/dev/null)"
ret=$? ret=$?
tm_out "$(awk '/=/ { print $2 }' <<< "$output")" tm_out "${output#*= }"
fi fi
return $ret return $ret
} }
@ -11246,7 +11253,7 @@ hmac-transcript() {
$OPENSSL dgst "$hash_fn" -binary 2>/dev/null | \ $OPENSSL dgst "$hash_fn" -binary 2>/dev/null | \
$OPENSSL dgst "$hash_fn" -mac HMAC -macopt hexkey:"$key" 2>/dev/null)" $OPENSSL dgst "$hash_fn" -mac HMAC -macopt hexkey:"$key" 2>/dev/null)"
ret=$? ret=$?
tm_out "$(toupper "$(awk '/=/ { print $2 }' <<< "$output")")" tm_out "$(toupper "${output#*= }")"
fi fi
return $ret return $ret
} }
@ -11336,7 +11343,8 @@ derive-secret() {
*) return 7 *) return 7
esac esac
hash_messages="$(asciihex_to_binary "$messages" | $OPENSSL dgst "$hash_fn" 2>/dev/null | awk '/=/ { print $2 }')" hash_messages="$(asciihex_to_binary "$messages" | $OPENSSL dgst "$hash_fn" 2>/dev/null)"
hash_messages="${hash_messages#*= }"
hkdf-expand-label "$hash_fn" "$secret" "$label" "$hash_messages" "$hash_len" hkdf-expand-label "$hash_fn" "$secret" "$label" "$hash_messages" "$hash_len"
return $? return $?
} }
@ -11380,7 +11388,8 @@ create-initial-transcript() {
else else
return 1 return 1
fi fi
hash_clienthello1="$(asciihex_to_binary "$clienthello1" | $OPENSSL dgst "$hash_fn" 2>/dev/null | awk '/=/ { print $2 }')" hash_clienthello1="$(asciihex_to_binary "$clienthello1" | $OPENSSL dgst "$hash_fn" 2>/dev/null)"
hash_clienthello1="${hash_clienthello1#*= }"
msg_transcript="FE0000$(printf "%02x" $((${#hash_clienthello1}/2)))$hash_clienthello1$hrr$clienthello2$serverhello" msg_transcript="FE0000$(printf "%02x" $((${#hash_clienthello1}/2)))$hash_clienthello1$hrr$clienthello2$serverhello"
else else
msg_transcript="$clienthello2$serverhello" msg_transcript="$clienthello2$serverhello"