Merge branch '2.9dev' into run_server_preference_sockets

This commit is contained in:
David Cooper 2016-12-29 11:54:00 -05:00
commit 2350eaa9f5
1 changed files with 54 additions and 20 deletions

View File

@ -2350,8 +2350,8 @@ run_allciphers() {
pr_headlineln " Testing $nr_ciphers_tested via OpenSSL and sockets against the server, ordered by encryption strength " pr_headlineln " Testing $nr_ciphers_tested via OpenSSL and sockets against the server, ordered by encryption strength "
else else
pr_headlineln " Testing all $nr_ciphers_tested locally available ciphers against the server, ordered by encryption strength " pr_headlineln " Testing all $nr_ciphers_tested locally available ciphers against the server, ordered by encryption strength "
outln
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
outln
if ! "$HAS_DH_BITS"; then if ! "$HAS_DH_BITS"; then
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "."
pr_warningln " Your $OPENSSL cannot show DH/ECDH bits" pr_warningln " Your $OPENSSL cannot show DH/ECDH bits"
@ -2526,8 +2526,8 @@ run_cipher_per_proto() {
pr_headlineln " Testing per protocol via OpenSSL and sockets against the server, ordered by encryption strength " pr_headlineln " Testing per protocol via OpenSSL and sockets against the server, ordered by encryption strength "
else else
pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength " pr_headlineln " Testing all locally available ciphers per protocol against the server, ordered by encryption strength "
outln
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl"
outln
if ! "$HAS_DH_BITS"; then if ! "$HAS_DH_BITS"; then
[[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "."
pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)"
@ -8917,16 +8917,24 @@ run_freak() {
run_logjam() { run_logjam() {
local -i sclient_success=0 local -i sclient_success=0
local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA" local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA"
local -i nr_supported_ciphers=0 local exportdhe_cipher_list_hex="00,63, 00,65, 00,14, 00,11"
local addtl_warning="" local -i i nr_supported_ciphers=0
local addtl_warning="" hexc
local cve="CVE-2015-4000" local cve="CVE-2015-4000"
local cwe="CWE-310" local cwe="CWE-310"
local hint="" local hint=""
local using_sockets=true
"$SSL_NATIVE" && using_sockets=false
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LOGJAM vulnerability " && outln
pr_bold " LOGJAM"; out " ($cve), experimental " pr_bold " LOGJAM"; out " ($cve), experimental "
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list)) if "$using_sockets"; then
nr_supported_ciphers=$(count_words "$exportdhe_cipher_list_hex")
else
nr_supported_ciphers=$(count_ciphers $(actually_supported_ciphers $exportdhe_cipher_list))
fi
case $nr_supported_ciphers in case $nr_supported_ciphers in
0) 0)
@ -8938,16 +8946,22 @@ run_logjam() {
3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;; 3) addtl_warning=" (tested w/ $nr_supported_ciphers/4 ciphers)" ;;
4) ;; 4) ;;
esac esac
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null if "$using_sockets"; then
sclient_connect_successful $? $TMPFILE tls_sockets "03" "$exportdhe_cipher_list_hex"
sclient_success=$? sclient_success=$?
debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" [[ $sclient_success -eq 2 ]] && sclient_success=0
else
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE
sclient_success=$?
debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
fi
addtl_warning="$addtl_warning, common primes not checked." addtl_warning="$addtl_warning, common primes not checked."
if "$HAS_DH_BITS"; then if "$HAS_DH_BITS" || ( ! "$SSL_NATIVE" && ! "$FAST" && [[ $TLS_NR_CIPHERS -ne 0 ]] ); then
if ! "$do_allciphers" && ! "$do_cipher_per_proto" && "$HAS_DH_BITS"; then if ! "$do_allciphers" && ! "$do_cipher_per_proto"; then
addtl_warning="$addtl_warning \"$PROG_NAME -E/-e\" spots candidates" addtl_warning="$addtl_warning \"$PROG_NAME -E/-e\" spots candidates"
else else
"$HAS_DH_BITS" && addtl_warning="$addtl_warning See below for any DH ciphers + bit size" addtl_warning="$addtl_warning See below for any DH ciphers + bit size"
fi fi
fi fi
@ -8960,13 +8974,25 @@ run_logjam() {
fi fi
outln outln
debugme echo $(actually_supported_ciphers $exportdhe_cipher_list) if [[ $DEBUG -ge 2 ]]; then
if "$using_sockets"; then
for hexc in $(sed 's/, / /g' <<< "$exportdhe_cipher_list_hex"); do
hexc="0x${hexc:0:2},0x${hexc:3:2}"
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
[[ "$hexc" == "${TLS_CIPHER_HEXCODE[i]}" ]] && break
done
[[ $i -eq $TLS_NR_CIPHERS ]] && out "$hexc " || out "${TLS_CIPHER_OSSL_NAME[i]} "
done
outln
else
echo $(actually_supported_ciphers $exportdhe_cipher_list)
fi
fi
debugme echo $nr_supported_ciphers debugme echo $nr_supported_ciphers
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return $sclient_success return $sclient_success
} }
# TODO: perfect candidate for replacement by sockets, so is freak
run_drown() { run_drown() {
@ -9521,8 +9547,14 @@ get_install_dir() {
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt" [[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
fi fi
[[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && unset ADD_RFC_STR && pr_warningln "\nNo cipher mapping file in \$TESTSSL_INSTALL_DIR/etc/ found" if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] ; then
debugme echo "$CIPHERS_BY_STRENGTH_FILE" unset ADD_RFC_STR
pr_warningln "\nNo cipher mapping file found "
debugme echo "$CIPHERS_BY_STRENGTH_FILE"
pr_warningln "Please note from 2.9dev on testssl.sh needs some files in \$TESTSSL_INSTALL_DIR/etc to function correctly"
ignore_no_or_lame "Type \"yes\" to ignore "
[[ $? -ne 0 ]] && exit -2
fi
} }
@ -9660,13 +9692,15 @@ check4openssl_oldfarts() {
;; ;;
esac esac
if [[ $OSSL_VER_MAJOR -lt 1 ]]; then ## mm: Patch for libressl if [[ $OSSL_VER_MAJOR -lt 1 ]]; then ## mm: Patch for libressl
pr_magentaln " Your \"$OPENSSL\" is way too old (<version 1.0) !" pr_warningln " Your \"$OPENSSL\" is way too old (<version 1.0) !"
case $SYSTEM in case $SYSTEM in
*BSD|Darwin) *BSD|Darwin)
outln " Please use binary provided in \$INSTALLDIR/bin/ or from ports/brew or compile from github.com/PeterMosmans/openssl" ;; outln " Please use binary provided in \$INSTALLDIR/bin/ or from ports/brew or compile from github.com/PeterMosmans/openssl"
*) outln " Update openssl binaries or compile from github.com/PeterMosmans/openssl" ;; fileout "too_old_openssl" "WARN" "Your $OPENSSL $OSSL_VER version is way too old. Please use binary provided in \$INSTALLDIR/bin/ or from ports/brew or compile from github.com/PeterMosmans/openssl ." ;;
*) outln " Update openssl binaries or compile from github.com/PeterMosmans/openssl"
fileout "too_old_openssl" "WARN" "Update openssl binaries or compile from github.com/PeterMosmans/openssl .";;
esac esac
ignore_no_or_lame " Type \"yes\" to accept some false negatives or positives " ignore_no_or_lame " Type \"yes\" to accept false negatives or positives "
[[ $? -ne 0 ]] && exit -2 [[ $? -ne 0 ]] && exit -2
fi fi
outln outln