mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-09-17 09:22:54 +02:00
Formatting, early exit when HTTPS RR retruned in clear text
This commit is contained in:
Dirk
115
testssl.sh
115
testssl.sh
@ -2527,7 +2527,7 @@ service_detection() {
|
|||||||
dns_https_rr
|
dns_https_rr
|
||||||
fi
|
fi
|
||||||
pr_bold " Service detected"
|
pr_bold " Service detected"
|
||||||
out ": $CORRECT_SPACES $SERVICE"
|
out ": $CORRECT_SPACES $SERVICE"
|
||||||
fileout "${jsonID}" "INFO" "$SERVICE"
|
fileout "${jsonID}" "INFO" "$SERVICE"
|
||||||
;;
|
;;
|
||||||
IMAP|POP|SMTP|NNTP|MongoDB)
|
IMAP|POP|SMTP|NNTP|MongoDB)
|
||||||
@ -22366,7 +22366,8 @@ get_caa_rrecord() {
|
|||||||
|
|
||||||
# Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records).
|
# Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records).
|
||||||
# https://www.rfc-editor.org/rfc/rfc9460.html
|
# https://www.rfc-editor.org/rfc/rfc9460.html
|
||||||
# arg1: domain to check for
|
# arg1: domain to check for
|
||||||
|
# returns: string for record
|
||||||
#
|
#
|
||||||
get_https_rrecord() {
|
get_https_rrecord() {
|
||||||
local raw_https=""
|
local raw_https=""
|
||||||
@ -22408,7 +22409,13 @@ get_https_rrecord() {
|
|||||||
text_httpsrr=$(nslookup -type=HTTPS $1 | awk '/'"^${1}"'.*rdata_65// { print substr($0,index($0,$4)) }')
|
text_httpsrr=$(nslookup -type=HTTPS $1 | awk '/'"^${1}"'.*rdata_65// { print substr($0,index($0,$4)) }')
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ -n "$text_httpsrr" ]]; then
|
||||||
|
safe_echo "$text_httpsrr"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
# Now we need to try parsing the raw output
|
# Now we need to try parsing the raw output
|
||||||
|
# Format probably: https://www.rfc-editor.org/rfc/rfc3597 (plus updates)
|
||||||
|
|
||||||
# If there's a type65 record there are 2x3 output formats, mostly depending on age of distribution
|
# If there's a type65 record there are 2x3 output formats, mostly depending on age of distribution
|
||||||
# -- roughly that's the difference between text and binary format -- and the type of DNS client
|
# -- roughly that's the difference between text and binary format -- and the type of DNS client
|
||||||
@ -22425,38 +22432,28 @@ get_https_rrecord() {
|
|||||||
# 1) dev.testssl.sh rdata_65 = 1 . alpn="h2"
|
# 1) dev.testssl.sh rdata_65 = 1 . alpn="h2"
|
||||||
# 2) dev.testssl.sh rdata_65 = \# 10 00010000010003026832
|
# 2) dev.testssl.sh rdata_65 = \# 10 00010000010003026832
|
||||||
|
|
||||||
# we normalize the output during the following so that's e.g. 1 . alpn="h2"
|
if "$HAS_DIG"; then
|
||||||
|
raw_https="$(dig $DIG_R +short +search +timeout=3 +tries=3 $noidnout type65 "$1" 2>/dev/null)"
|
||||||
# https://datatracker.ietf.org/doc/rfc9460/?include_text=1
|
# empty if there's no such record
|
||||||
|
elif "$HAS_DRILL"; then
|
||||||
#set -x
|
raw_https="$(drill $1 type65 | grep -v '^;;' | awk '/'"^${1}"'.*TYPE65/ { print substr($0,index($0,$5)) }' )" # from 5th field onwards
|
||||||
if [[ -n "$text_httpsrr" ]]; then
|
# empty if there's no such record
|
||||||
safe_echo "$text_httpsrr"
|
elif "$HAS_HOST"; then
|
||||||
else
|
raw_https="$(host -t type65 $1)"
|
||||||
if "$HAS_DIG"; then
|
if [[ "$raw_https" =~ "has no HTTPS|has no TYPE65" ]]; then
|
||||||
raw_https="$(dig $DIG_R +short +search +timeout=3 +tries=3 $noidnout type65 "$1" 2>/dev/null)"
|
raw_https=""
|
||||||
# empty if there's no such record
|
|
||||||
elif "$HAS_DRILL"; then
|
|
||||||
raw_https="$(drill $1 type65 | grep -v '^;;' | awk '/'"^${1}"'.*TYPE65/ { print substr($0,index($0,$5)) }' )" # from 5th field onwards
|
|
||||||
# empty if there's no such record
|
|
||||||
elif "$HAS_HOST"; then
|
|
||||||
raw_https="$(host -t type65 $1)"
|
|
||||||
if [[ "$raw_https" =~ "has no HTTPS|has no TYPE65" ]]; then
|
|
||||||
raw_https=""
|
|
||||||
else
|
|
||||||
raw_https="${raw_https/$1 has HTTPS record /}"
|
|
||||||
raw_https="${raw_https/$1 has TYPE65 record /}"
|
|
||||||
fi
|
|
||||||
elif "$HAS_NSLOOKUP"; then
|
|
||||||
raw_https="$(strip_lf "$(nslookup -type=type65 $1 | awk '/'"^${1}"'.*rdata_65/ { print substr($0,index($0,$4)) }' )")"
|
|
||||||
# empty if there's no such record
|
|
||||||
else
|
else
|
||||||
return 1
|
raw_https="${raw_https/$1 has HTTPS record /}"
|
||||||
# No dig, drill, host, or nslookup --> complaint was elsewhere already
|
raw_https="${raw_https/$1 has TYPE65 record /}"
|
||||||
fi
|
fi
|
||||||
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
elif "$HAS_NSLOOKUP"; then
|
||||||
|
raw_https="$(strip_lf "$(nslookup -type=type65 $1 | awk '/'"^${1}"'.*rdata_65/ { print substr($0,index($0,$4)) }' )")"
|
||||||
# Format probably: https://www.rfc-editor.org/rfc/rfc3597 (plus updates)
|
# empty if there's no such record
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
# No dig, drill, host, or nslookup --> complaint was elsewhere already
|
||||||
|
fi
|
||||||
|
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
|
|
||||||
# dig +short +search +timeout=3 +tries=3 +noidnout type65 dev.testssl.sh
|
# dig +short +search +timeout=3 +tries=3 +noidnout type65 dev.testssl.sh
|
||||||
# 1 . alpn="h2" port=443 ipv6hint=2a01:238:4308:a920:1000:0:b:1337
|
# 1 . alpn="h2" port=443 ipv6hint=2a01:238:4308:a920:1000:0:b:1337
|
||||||
@ -22474,39 +22471,39 @@ get_https_rrecord() {
|
|||||||
# 733A7CFAAEA5E4DD9CA43D4C24199E330004000100010012636C6F75 64666C6172652D6563682E636F6D0000000600202606470030310000 00000000AC43CDE72606470030360000000000006815229A
|
# 733A7CFAAEA5E4DD9CA43D4C24199E330004000100010012636C6F75 64666C6172652D6563682E636F6D0000000600202606470030310000 00000000AC43CDE72606470030360000000000006815229A
|
||||||
# | cloudflare-ech.com | IPv6#1 #IPv6#2
|
# | cloudflare-ech.com | IPv6#1 #IPv6#2
|
||||||
|
|
||||||
if [[ -z "$raw_https" ]]; then
|
if [[ -z "$raw_https" ]]; then
|
||||||
return 1
|
return 1
|
||||||
elif [[ "$raw_https" =~ \#\ [0-9][0-9] ]]; then
|
elif [[ "$raw_https" =~ \#\ [0-9][0-9] ]]; then
|
||||||
while read hash len line ;do
|
while read hash len line ;do
|
||||||
# \# 10 00010000010003026832
|
# \# 10 00010000010003026832
|
||||||
if [[ "${line:0:4}" == 0001 ]]; then # marker to proceed, belongs to SvcPriority, see rfc9460, 2.1
|
if [[ "${line:0:4}" == 0001 ]]; then # marker to proceed, belongs to SvcPriority, see rfc9460, 2.1
|
||||||
svc_priority=$(printf "%0d" "$((10#${line:2:2}))") # 1 is most often, (probably not needed) type casting. 0 is alias
|
svc_priority=$(printf "%0d" "$((10#${line:2:2}))") # 1 is most often, (probably not needed) type casting. 0 is alias
|
||||||
if [[ ${line:8:2} != 01 ]]; then # Then comes SvcParamKeys, see rfc 14.3.2 which should be alpn=-1
|
if [[ ${line:8:2} != 01 ]]; then # Then comes SvcParamKeys, see rfc 14.3.2 which should be alpn=-1
|
||||||
continue # If the first element is not alpn, next iteration of loop will fail.
|
continue # If the first element is not alpn, next iteration of loop will fail.
|
||||||
fi # Should we care as SvcParamKey!=alpn doesn't seems not very common?
|
fi # Should we care as SvcParamKey!=alpn doesn't seems not very common?
|
||||||
|
|
||||||
xlen_https_property=${line:12:2} # length of alpn entries
|
xlen_https_property=${line:12:2} # length of alpn entries
|
||||||
https_property_value=${line:16:4}
|
https_property_value=${line:16:4}
|
||||||
https_property_name=$(hex2ascii $https_property_value)
|
https_property_name=$(hex2ascii $https_property_value)
|
||||||
if [[ $xlen_https_property != 03 ]]; then # 06 would be another entry
|
if [[ $xlen_https_property != 03 ]]; then # 06 would be another entry
|
||||||
https_property_value=${line:22:4} #FIXME: we can't cope with three entries yet
|
https_property_value=${line:22:4} #FIXME: we can't cope with three entries yet
|
||||||
https_property_name="${https_property_name},$(hex2ascii $https_property_value)"
|
https_property_name="${https_property_name},$(hex2ascii $https_property_value)"
|
||||||
fi
|
fi
|
||||||
echo $https_property_name
|
echo $https_property_name
|
||||||
|
|
||||||
# len_https_property=$((len_https_property*2)) # =>word! Now get name from 4th and value from 4th+len position...
|
# len_https_property=$((len_https_property*2)) # =>word! Now get name from 4th and value from 4th+len position...
|
||||||
# line="${line/ /}" # especially with iodefs there's a blank in the string which we just skip
|
# line="${line/ /}" # especially with iodefs there's a blank in the string which we just skip
|
||||||
# https_property_name="$(hex2ascii ${line:4:$len_https_property})"
|
# https_property_name="$(hex2ascii ${line:4:$len_https_property})"
|
||||||
# https_property_value="$(hex2ascii "${line:$((4+len_https_property)):100}")"
|
# https_property_value="$(hex2ascii "${line:$((4+len_https_property)):100}")"
|
||||||
else
|
else
|
||||||
outln "please report unknown HTTPS RR $line with flag @ $NODE"
|
out "please report unknown HTTPS RR $line with flag @ $NODE"
|
||||||
return 7
|
return 7
|
||||||
fi
|
fi
|
||||||
done <<< "$raw_https"
|
done <<< "$raw_https"
|
||||||
else
|
else
|
||||||
safe_echo "$raw_https"
|
safe_echo "$raw_https"
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#set +x
|
#set +x
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
@ -23343,7 +23340,7 @@ dns_https_rr () {
|
|||||||
else
|
else
|
||||||
https_rr="$(get_https_rrecord $NODE)"
|
https_rr="$(get_https_rrecord $NODE)"
|
||||||
if [[ -n "$https_rr" ]]; then
|
if [[ -n "$https_rr" ]]; then
|
||||||
pr_svrty_good "yes" ; out " "
|
pr_svrty_good "yes" ; out ": "
|
||||||
prln_italic "$(out_row_aligned_max_width "$https_rr" "$indent " $TERM_WIDTH)"
|
prln_italic "$(out_row_aligned_max_width "$https_rr" "$indent " $TERM_WIDTH)"
|
||||||
fileout "${jsonID}" "OK" "$https_rr"
|
fileout "${jsonID}" "OK" "$https_rr"
|
||||||
else
|
else
|
||||||
|
|||||||
Reference in New Issue
Block a user