Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Follow https://github.com/Tripwire/OpenSSL-CCS-Inject-Test

Browse Source 
Attempt to rewrite `run_ccs_injection()` to follow the logic from https://github.com/Tripwire/OpenSSL-CCS-Inject-Test.
This commit is contained in:
David Cooper 2016-08-30 11:38:43 -04:00 committed by GitHub
parent 9bcf232f0f
commit 1b548cee10
1 changed files with 47 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
testssl.sh
View File

@ -6066,8 +6066,9 @@ ok_ids(){
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets #FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
run_ccs_injection(){ run_ccs_injection(){
local tls_proto_offered tls_hexcode ccs_message client_hello byte6="" local tls_proto_offered tls_hexcode ccs_message close_message client_hello
local -i retval ret lines local reply=""
local -i retval ret
# see https://www.openssl.org/news/secadv_20140605.txt # see https://www.openssl.org/news/secadv_20140605.txt
# mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607 # mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
@ -6089,6 +6090,7 @@ run_ccs_injection(){
#FIXME: for SSLv3 only we need to set tls_hexcode and the record layer TLS version correctly #FIXME: for SSLv3 only we need to set tls_hexcode and the record layer TLS version correctly
esac esac
ccs_message=", x14, $tls_hexcode ,x00, x01, x01" ccs_message=", x14, $tls_hexcode ,x00, x01, x01"
close_message=", x15, $tls_hexcode ,x00, x02, x01, x00"
client_hello=" client_hello="
# TLS header (5 bytes) # TLS header (5 bytes)
@ -6136,58 +6138,63 @@ run_ccs_injection(){
fi fi
rm "$SOCK_REPLY_FILE" rm "$SOCK_REPLY_FILE"
# ... and then send the a change cipher spec message # ... and then send a change cipher spec message
socksend "$ccs_message" 1 || ok_ids socksend "$ccs_message" 1 || ok_ids
sockread 2048 $CCS_MAX_WAITSOCK sockread 2048 $CCS_MAX_WAITSOCK
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
outln "\n1st reply: " if [[ $retval -eq 3 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -20 outln "\n1st reply: (timed out)"
# ok: 15 | 0301 | 02 | 02 | 0a else
# ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a) outln "\n1st reply: "
# or just timed out hexdump -C "$SOCK_REPLY_FILE" | head -20
outln fi
outln "payload #2 with TLS version $tls_hexcode:"
fi
rm "$SOCK_REPLY_FILE"
socksend "$ccs_message" 2 || ok_ids
sockread 2048 $CCS_MAX_WAITSOCK
retval=$?
if [[ $DEBUG -ge 3 ]]; then
outln "\n2nd reply: "
printf -- "$(hexdump -C "$SOCK_REPLY_FILE")"
# not ok: 15 | 0301 | 02 | 02 | 15
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
# ok: 0a or nothing: ==> RST
outln outln
fi fi
if [[ -s "$SOCK_REPLY_FILE" ]]; then if [[ -s "$SOCK_REPLY_FILE" ]]; then
byte6=$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE" | sed 's/^..........//') reply=$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE")
lines=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | count_lines )
debugme echo "lines: $lines, byte6: $byte6"
fi fi
rm "$SOCK_REPLY_FILE" # if the server responded with a fatal alert, then it is not vulnerable
if [[ "$byte6" == "" ]] || [[ "$lines" -gt 1 ]]; then if [[ "$reply" =~ 15030[0-9]000202[0-9a0f][0-9a-f] ]]; then
pr_done_best "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
if [[ $retval -eq 3 ]]; then fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK)"
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK) (timed out)"
else
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK)"
fi
ret=0 ret=0
else else
pr_svrty_critical "VULNERABLE (NOT ok)" if [[ $DEBUG -ge 3 ]]; then
if [[ $retval -eq 3 ]]; then outln "payload #2 with TLS version $tls_hexcode:"
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)"
else
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)"
fi fi
ret=1 rm "$SOCK_REPLY_FILE"
# Send a close notify warning message
socksend "$close_message" 2 || ok_ids
sockread 2048 $CCS_MAX_WAITSOCK
retval=$?
if [[ $DEBUG -ge 3 ]]; then
outln "\n2nd reply: "
printf -- "$(hexdump -C "$SOCK_REPLY_FILE")"
outln
fi
# if the server sends a non-empty response to the close notify,
# then it may be vulnerable.
if [[ ! -s "$SOCK_REPLY_FILE" ]]; then
pr_done_best "not vulnerable (OK)"
if [[ $retval -eq 3 ]]; then
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK) (timed out)"
else
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK)"
fi
ret=0
else
pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)"
ret=1
fi
[[ $retval -eq 3 ]] && out " (timed out)"
fi fi
[[ $retval -eq 3 ]] && out " (timed out)"
outln outln
rm "$SOCK_REPLY_FILE"
close_socket close_socket
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt