Merge branch 'drwetter/2.9dev' into 2.9dev

This commit is contained in:
AlGreed 2017-03-18 09:41:50 +01:00
commit 3437f36f48


@ -209,7 +209,6 @@ GOST_STATUS_PROBLEM=false
DETECTED_TLS_VERSION="" DETECTED_TLS_VERSION=""
PATTERN2SHOW="" PATTERN2SHOW=""
SOCK_REPLY_FILE="" SOCK_REPLY_FILE=""
HEXC=""
NW_STR="" NW_STR=""
LEN_STR="" LEN_STR=""
SNI="" SNI=""
@ -297,14 +296,14 @@ set_severity_level() {
show_finding() { show_finding() {
local severity=$1 local severity=$1
([[ "$severity" == "DEBUG" ]]) || ( [[ "$severity" == "DEBUG" ]] ) ||
([[ "$severity" == "WARN" ]]) || ( [[ "$severity" == "WARN" ]] ) ||
([[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]]) || ( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
([[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]]) || ( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
([[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]]) || ( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
([[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]]) || ( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
([[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]]) || ( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
([[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]]) ( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
} }
@ -838,7 +837,7 @@ fileout_json_finding() {
} }
is_json_format() { is_json_format() {
([[ -f "$JSONFILE" ]] && ("$do_json" || "$do_pretty_json")) ( [[ -f "$JSONFILE" ]] && ("$do_json" || "$do_pretty_json") )
} }
################# JSON FILE FORMATING END #################### ################# JSON FILE FORMATING END ####################
@ -2022,30 +2021,19 @@ run_more_flags() {
} }
# #1: string with 2 opensssl codes, HEXC= same in NSS/ssllabs terminology # #1: string with 2 opensssl codes, output is same in NSS/ssllabs terminology
normalize_ciphercode() { normalize_ciphercode() {
part1=$(echo "$1" | awk -F',' '{ print $1 }') if [[ "${1:2:2}" == "00" ]]; then
part2=$(echo "$1" | awk -F',' '{ print $2 }') out "$(tolower "x${1:7:2}")"
part3=$(echo "$1" | awk -F',' '{ print $3 }')
if [[ "$part1" == "0x00" ]]; then # leading 0x00
HEXC=$part2
else else
#part2=$(echo $part2 | sed 's/0x//g') out "$(tolower "x${1:2:2}${1:7:2}${1:12:2}")"
part2=${part2//0x/}
if [[ -n "$part3" ]]; then # a SSLv2 cipher has three parts
#part3=$(echo $part3 | sed 's/0x//g')
part3=${part3//0x/}
fi
HEXC="$part1$part2$part3"
fi fi
#TODO: we should just echo this and avoid the global var HEXC
HEXC=$(tolower "$HEXC"| sed 's/0x/x/') # strip leading 0
return 0 return 0
} }
prettyprint_local() { prettyprint_local() {
local arg local arg
local hexcode dash ciph sslvers kx auth enc mac export local hexc hexcode dash ciph sslvers kx auth enc mac export
local re='^[0-9A-Fa-f]+$' local re='^[0-9A-Fa-f]+$'
if [[ "$1" == 0x* ]] || [[ "$1" == 0X* ]]; then if [[ "$1" == 0x* ]] || [[ "$1" == 0X* ]]; then
@ -2066,19 +2054,19 @@ prettyprint_local() {
if [[ -z "$1" ]]; then if [[ -z "$1" ]]; then
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
normalize_ciphercode $hexcode hexc="$(normalize_ciphercode $hexcode)"
neat_list "$HEXC" "$ciph" "$kx" "$enc" neat_list "$hexc" "$ciph" "$kx" "$enc"
outln outln
done done
else else
#for arg in $(echo $@ | sed 's/,/ /g'); do #for arg in $(echo $@ | sed 's/,/ /g'); do
for arg in ${*//,/ /}; do for arg in ${*//,/ /}; do
$OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0 $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE | while read hexcode dash ciph sslvers kx auth enc mac export ; do # -V doesn't work with openssl < 1.0
normalize_ciphercode $hexcode hexc="$(normalize_ciphercode $hexcode)"
# for numbers we don't do word matching: # for numbers we don't do word matching:
[[ $arg =~ $re ]] && \ [[ $arg =~ $re ]] && \
neat_list "$HEXC" "$ciph" "$kx" "$enc" | grep -ai "$arg" || \ neat_list "$hexc" "$ciph" "$kx" "$enc" | grep -ai "$arg" || \
neat_list "$HEXC" "$ciph" "$kx" "$enc" | grep -wai "$arg" neat_list "$hexc" "$ciph" "$kx" "$enc" | grep -wai "$arg"
done done
done done
fi fi
@ -2418,16 +2406,16 @@ test_just_one(){
done done
else else
while read hexc n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do while read hexc n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
normalize_ciphercode $hexc hexc="$(normalize_ciphercode $hexc)"
# is argument a number? # is argument a number?
if [[ $arg =~ $re ]]; then if [[ $arg =~ $re ]]; then
neat_list "$HEXC" "${ciph[nr_ciphers]}" "${kx[nr_ciphers]}" "${enc[nr_ciphers]}" | grep -qai "$arg" neat_list "$hexc" "${ciph[nr_ciphers]}" "${kx[nr_ciphers]}" "${enc[nr_ciphers]}" | grep -qai "$arg"
else else
neat_list "$HEXC" "${ciph[nr_ciphers]}" "${kx[nr_ciphers]}" "${enc[nr_ciphers]}" | grep -qwai "$arg" neat_list "$hexc" "${ciph[nr_ciphers]}" "${kx[nr_ciphers]}" "${enc[nr_ciphers]}" | grep -qwai "$arg"
fi fi
if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it: if [[ $? -eq 0 ]]; then # string matches, so we can ssl to it:
ciphers_found[nr_ciphers]=false ciphers_found[nr_ciphers]=false
normalized_hexcode[nr_ciphers]="$HEXC" normalized_hexcode[nr_ciphers]="$hexc"
sigalg[nr_ciphers]="" sigalg[nr_ciphers]=""
ossl_supported[nr_ciphers]=true ossl_supported[nr_ciphers]=true
nr_ciphers+=1 nr_ciphers+=1
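Review bot: In the normalize_ciphercode hunk the new body slices the cipher code at fixed offsets (`${1:2:2}`, `${1:7:2}`, `${1:12:2}`) with no comment stating the layout it relies on, so a reader must reverse-engineer that `$1` has to be exactly `0xHH,0xHH` (SSLv3/TLS) or `0xHH,0xHH,0xHH` (SSLv2) as printed by `openssl ciphers -V`, and any shorter or differently spaced input silently yields a wrong code such as a bare `x` instead of an error. I would replace the one-line header comment with `# #1: hexcode as printed by "openssl ciphers -V": 0xHH,0xHH (SSLv3+/TLS) or 0xHH,0xHH,0xHH (SSLv2); 0x prefixes and commas are stripped and a leading 00 byte dropped, so the output is xHH or xHHHHHH`, or make the parsing layout-independent with `local c="${1//0x/}"; c="${c//,/}"; out "$(tolower "x${c#00}")"`, which produces the same result for the formats above (0x00,0x2F → x2f, 0x01,0x00,0x80 → x010080, 0x00,0x00 → x00) without depending on column positions. The three call sites in the later hunks pass the code unquoted (`normalize_ciphercode $hexcode`); quoting it, `"$(normalize_ciphercode "$hexcode")"`, costs nothing and matches the quoting on the rest of those lines. The `while read hexc …` loop in the last hunk continues past the end of the hunk, so I cannot tell whether the raw `hexc` value is needed after it is overwritten with the normalized form.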