Merge pull request #1421 from drwetter/fix_1418

Fix s_client capability test for LLMNR, add HAS_PKEY
This commit is contained in:
Dirk Wetter 2020-01-02 17:21:48 +01:00 committed by GitHub
commit 1bc50bb7d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 15 deletions

View File

@ -4785,7 +4785,7 @@ run_client_simulation() {
# #
locally_supported() { locally_supported() {
[[ -n "$2" ]] && out "$2 " [[ -n "$2" ]] && out "$2 "
if $OPENSSL s_client "$1" -connect x 2>&1 | grep -aq "unknown option"; then if $OPENSSL s_client "$1" -connect invalid. 2>&1 | grep -aq "unknown option"; then
prln_local_problem "$OPENSSL doesn't support \"s_client $1\"" prln_local_problem "$OPENSSL doesn't support \"s_client $1\""
return 7 return 7
fi fi
@ -4807,7 +4807,7 @@ run_prototest_openssl() {
local protos proto local protos proto
# check whether the protocol being tested is supported by $OPENSSL # check whether the protocol being tested is supported by $OPENSSL
$OPENSSL s_client "$1" -connect x 2>&1 | grep -aq "unknown option" && return 7 $OPENSSL s_client "$1" -connect invalid. 2>&1 | grep -aq "unknown option" && return 7
case "$1" in case "$1" in
-ssl2) protos="-ssl2" ;; -ssl2) protos="-ssl2" ;;
-ssl3) protos="-ssl3" ;; -ssl3) protos="-ssl3" ;;
@ -9819,7 +9819,13 @@ run_pfs() {
# this global will get the name of the group either here or in run_logjam() # this global will get the name of the group either here or in run_logjam()
key_bitstring="$(awk '/-----BEGIN PUBLIC KEY/,/-----END PUBLIC KEY/ { print $0 }' $TEMPDIR/$NODEIP.parse_tls_serverhello.txt)" key_bitstring="$(awk '/-----BEGIN PUBLIC KEY/,/-----END PUBLIC KEY/ { print $0 }' $TEMPDIR/$NODEIP.parse_tls_serverhello.txt)"
get_common_prime "$jsonID" "$key_bitstring" "" get_common_prime "$jsonID" "$key_bitstring" ""
[[ $? -eq 0 ]] && curves_offered="$DH_GROUP_OFFERED" && len_dh_p=$DH_GROUP_LEN_P case $? in
0) curves_offered="$DH_GROUP_OFFERED"
len_dh_p=$DH_GROUP_LEN_P ;;
2) pr_bold " DH or FF group offered : "
prln_local_problem "Your $OPENSSL does not support the pkey utility."
fileout "$jsonID" "WARN" "$OPENSSL does not support the pkey utility."
esac
else else
curves_offered="$DH_GROUP_OFFERED" curves_offered="$DH_GROUP_OFFERED"
len_dh_p=$DH_GROUP_LEN_P len_dh_p=$DH_GROUP_LEN_P
@ -15041,7 +15047,7 @@ run_freak() {
# Sets the global DH_GROUP_OFFERED, start value: "", after this function: # Sets the global DH_GROUP_OFFERED, start value: "", after this function:
# DH_GROUP_OFFERED="" # DH_GROUP_OFFERED=""
# DH_GROUP_OFFERED="<name of group>" # DH_GROUP_OFFERED="<name of group>"
# return: 1: common primes file problem, 0: went w/o error # return: 1: common primes file problem, 2: no pkey support, 0: went w/o error
get_common_prime() { get_common_prime() {
local jsonID2="$1" local jsonID2="$1"
local key_bitstring="$2" local key_bitstring="$2"
@ -15051,6 +15057,7 @@ get_common_prime() {
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt" local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
local -i lineno_matched=0 local -i lineno_matched=0
"$HAS_PKEY" || return 2
dh_p="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | awk '/prime:/,/generator:/' | grep -Ev "prime|generator")" dh_p="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | awk '/prime:/,/generator:/' | grep -Ev "prime|generator")"
dh_p="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$dh_p")")")" dh_p="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$dh_p")")")"
[[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}" [[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}"
@ -16821,13 +16828,15 @@ find_openssl_binary() {
$OPENSSL ciphers -s 2>&1 | grep -aq "unknown option" || \ $OPENSSL ciphers -s 2>&1 | grep -aq "unknown option" || \
OSSL_CIPHERS_S="-s" OSSL_CIPHERS_S="-s"
$OPENSSL s_client -ssl2 -connect x 2>&1 | grep -aq "unknown option" || \ # This and all other occurences we do a little trick using "invalid." to avoid plain and
# link level DNS lookups. See issue #1418 and https://tools.ietf.org/html/rfc6761#section-6.4
$OPENSSL s_client -ssl2 -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_SSL2=true HAS_SSL2=true
$OPENSSL s_client -ssl3 -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -ssl3 -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_SSL3=true HAS_SSL3=true
$OPENSSL s_client -tls1_3 -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -tls1_3 -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_TLS13=true HAS_TLS13=true
$OPENSSL genpkey -algorithm X448 -out - 2>&1 | grep -aq "not found" || \ $OPENSSL genpkey -algorithm X448 -out - 2>&1 | grep -aq "not found" || \
@ -16836,25 +16845,25 @@ find_openssl_binary() {
$OPENSSL genpkey -algorithm X25519 -out - 2>&1 | grep -aq "not found" || \ $OPENSSL genpkey -algorithm X25519 -out - 2>&1 | grep -aq "not found" || \
HAS_X25519=true HAS_X25519=true
$OPENSSL s_client -no_ssl2 -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -no_ssl2 -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_NO_SSL2=true HAS_NO_SSL2=true
$OPENSSL s_client -noservername -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -noservername -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_NOSERVERNAME=true HAS_NOSERVERNAME=true
$OPENSSL s_client -ciphersuites -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -ciphersuites -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_CIPHERSUITES=true HAS_CIPHERSUITES=true
$OPENSSL s_client -comp -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -comp -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_COMP=true HAS_COMP=true
$OPENSSL s_client -no_comp -connect x 2>&1 | grep -aq "unknown option" || \ $OPENSSL s_client -no_comp -connect invalid. 2>&1 | grep -aq "unknown option" || \
HAS_NO_COMP=true HAS_NO_COMP=true
OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')") OPENSSL_NR_CIPHERS=$(count_ciphers "$(actually_supported_osslciphers 'ALL:COMPLEMENTOFALL' 'ALL')")
for curve in "${curves_ossl[@]}"; do for curve in "${curves_ossl[@]}"; do
$OPENSSL s_client -curves $curve -connect x 2>&1 | grep -Eiaq "Error with command|unknown option" $OPENSSL s_client -curves $curve -connect invalid. 2>&1 | grep -Eiaq "Error with command|unknown option"
[[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve " [[ $? -ne 0 ]] && OSSL_SUPPORTED_CURVES+=" $curve "
done done
@ -16864,6 +16873,8 @@ find_openssl_binary() {
$OPENSSL pkeyutl 2>&1 | grep -q Error || \ $OPENSSL pkeyutl 2>&1 | grep -q Error || \
HAS_PKUTIL=true HAS_PKUTIL=true
# For the following we feel safe enough to query the s_client help functions.
# That was not good enough for the previous lookups
$OPENSSL s_client -help 2>$s_client_has $OPENSSL s_client -help 2>$s_client_has
$OPENSSL s_client -starttls foo 2>$s_client_starttls_has $OPENSSL s_client -starttls foo 2>$s_client_starttls_has
@ -16898,7 +16909,7 @@ find_openssl_binary() {
grep -q 'irc' $s_client_starttls_has && \ grep -q 'irc' $s_client_starttls_has && \
HAS_IRC=true HAS_IRC=true
$OPENSSL enc -chacha20 -K "12345678901234567890123456789012" -iv "01000000123456789012345678901234" > /dev/null 2> /dev/null <<< "test" $OPENSSL enc -chacha20 -K 12345678901234567890123456789012 -iv 01000000123456789012345678901234 > /dev/null 2> /dev/null <<< "test"
[[ $? -eq 0 ]] && HAS_CHACHA20=true [[ $? -eq 0 ]] && HAS_CHACHA20=true
$OPENSSL enc -aes-128-gcm -K 0123456789abcdef0123456789abcdef -iv 0123456789abcdef01234567 > /dev/null 2> /dev/null <<< "test" $OPENSSL enc -aes-128-gcm -K 0123456789abcdef0123456789abcdef -iv 0123456789abcdef01234567 > /dev/null 2> /dev/null <<< "test"
@ -18248,7 +18259,7 @@ determine_optimal_proto() {
elif "$all_failed" && ! "$ALL_FAILED_SOCKETS"; then elif "$all_failed" && ! "$ALL_FAILED_SOCKETS"; then
if ! "$HAS_TLS13" && "$TLS13_ONLY"; then if ! "$HAS_TLS13" && "$TLS13_ONLY"; then
pr_magenta " $NODE:$PORT appears to support TLS 1.3 ONLY. You better use --openssl=<path_to_openssl_supporting_TLS_1.3>" pr_magenta " $NODE:$PORT appears to support TLS 1.3 ONLY. You better use --openssl=<path_to_openssl_supporting_TLS_1.3>"
if ! "$OSSL_SHORTCUT" || [[ ! -x /usr/bin/openssl ]] || /usr/bin/openssl s_client -tls1_3 -connect x 2>&1 | grep -aq "unknown option"; then if ! "$OSSL_SHORTCUT" || [[ ! -x /usr/bin/openssl ]] || /usr/bin/openssl s_client -tls1_3 -connect invalid. 2>&1 | grep -aq "unknown option"; then
outln outln
ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes" ignore_no_or_lame " Type \"yes\" to proceed and accept all scan problems" "yes"
[[ $? -ne 0 ]] && exit $ERR_CLUELESS [[ $? -ne 0 ]] && exit $ERR_CLUELESS