From 35833c1979f882450283f7ff12e2a4c1ceededcd Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 4 May 2020 23:03:01 +0200 Subject: [PATCH] Fix STARTTLS pretests, improve XMPP handshakes (backport) There was a empty variable in determine_optimal_proto() which prevented to save STARTTLS_OPTIMAL_PROTO. This is fixed. The buffers and return codes for XMPP in starttls_io() were under not every circumstances correct. This fixes those cases and making that in general more robust (hopefully). --- testssl.sh | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/testssl.sh b/testssl.sh index 3171d1a..97cf46a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3,7 +3,7 @@ # vim:ts=5:sw=5:expandtab # we have a spaces softtab, that ensures readability with other editors too -# testssl.sh is a program for spotting weak SSL/TLS encryption, ciphers, version and some +# testssl.sh is a program for spotting weak SSL/TLS encryption, ciphers, protocols and some # vulnerabilities or features. It may or may be not distributed by your distribution. # The upstream versions are available (please leave the links intact): # @@ -4866,8 +4866,9 @@ run_prototest_openssl() { # arg1: protocol # arg2: available (yes) or not (no) add_tls_offered() { + # the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2 if [[ "$PROTOS_OFFERED" =~ $1: ]]; then - # the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2 + # we got that protcol already : else PROTOS_OFFERED+="${1}:$2 " @@ -10031,12 +10032,13 @@ run_alpn() { return $ret } -# arg1: string to send -# arg2: possible success strings a egrep pattern, needed! -# arg3: wait in seconds +# arg1: send string +# arg2: success string: an egrep pattern +# arg3: number of loops we should read from the buffer (optional, otherwise STARTTLS_SLEEP) starttls_io() { - local waitsleep=$STARTTLS_SLEEP + local nr_waits=$STARTTLS_SLEEP local buffer="" + local -i i [[ -n "$3" ]] && waitsleep=$3 [[ -z "$2" ]] && echo "FIXME $((LINENO))" @@ -10044,27 +10046,31 @@ starttls_io() { # If there's a sending part it's IO. Postgres sends via socket and replies via # strings "S". So there's no I part of IO ;-) if [[ -n "$1" ]]; then - debugme echo -en "C: \"$1\"" + debugme echo -en "C: $1" echo -en "$1" >&5 fi + if [[ "$2" == JUSTSEND ]]; then + debugme echo -e "\n (only sent)\n" + dd of=/dev/null bs=512 count=1 <&5 2>/dev/null & + return 0 + fi # This seems a bit dangerous but works. No blockings yet. "if=nonblock" doesn't work on BSDs buffer="$(dd bs=512 count=1 <&5 2>/dev/null)" - [[ "$DEBUG" -ge 2 ]] && echo -en "\nS: " && echo $buffer - for ((i=1; i < $waitsleep; i++ )); do + for ((i=1; i < $nr_waits; i++ )); do + [[ "$DEBUG" -ge 2 ]] && echo -en "\nS: " && echo $buffer if [[ "$buffer" =~ $2 ]]; then debugme echo " ---> reply matched \"$2\"" # the fd sometimes still seem to contain chars which confuses the following TLS handshake, trying to empty: - dd of=/dev/null bs=512 count=1 <&5 2>/dev/null + # dd of=/dev/null bs=512 count=1 <&5 2>/dev/null return 0 else # no match yet, more reading from fd helps. buffer+=$(dd bs=512 count=1 <&5 2>/dev/null) fi - sleep 0.5 done - return 0 + return 1 } @@ -18356,7 +18362,7 @@ determine_optimal_proto() { $OPENSSL s_client $(s_client_options "$STARTTLS_OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" $PROXY -msg $STARTTLS $SNI") $TMPFILE 2>>$ERRFILE if sclient_auth $? $TMPFILE; then all_failed=false - add_tls_offered "${proto/-/}" yes + add_tls_offered "${STARTTLS_OPTIMAL_PROTO/-/}" yes break fi done