Merge branch 'master' into remove_sockread

Conflicts:
	testssl.sh
This commit is contained in:
David Cooper 2016-09-06 11:38:54 -04:00
commit 3b3d16849d
1 changed files with 85 additions and 51 deletions

View File

@ -4187,7 +4187,11 @@ certificate_info() {
out "$indent" ; pr_bold " Signature Algorithm " out "$indent" ; pr_bold " Signature Algorithm "
case $cert_sig_algo in case $cert_sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_svrty_mediumln "SHA1 with RSA" pr_svrty_medium "SHA1 with RSA"
if [[ "$SERVICE" == HTTP ]]; then
out " -- besides: users will receive a strong browser warning"
fi
outln
fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)"
;; ;;
sha224WithRSAEncryption) sha224WithRSAEncryption)
@ -6008,8 +6012,12 @@ tls_sockets() {
# mainly adapted from https://gist.github.com/takeshixx/10107280 # mainly adapted from https://gist.github.com/takeshixx/10107280
run_heartbleed(){ run_heartbleed(){
local tls_proto_offered tls_hexcode heartbleed_payload client_hello local tls_proto_offered tls_hexcode
local -i retval ret lines_returned bytes_returned local heartbleed_payload client_hello
local -i n ret lines_returned
local -i hb_rounds=3
local append=""
local found_500_oops=false
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
pr_bold " Heartbleed"; out " (CVE-2014-0160) " pr_bold " Heartbleed"; out " (CVE-2014-0160) "
@ -6017,8 +6025,8 @@ run_heartbleed(){
[[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions
if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then
pr_done_best "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
outln " (no heartbeat extension)" outln ", no heartbeat extension"
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (no heartbeat extension)" fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK), no heartbeat extension"
return 0 return 0
fi fi
@ -6086,56 +6094,82 @@ run_heartbleed(){
# extension: heartbeat # extension: heartbeat
x00, x0f, x00, x01, x01" x00, x0f, x00, x01, x01"
fd_socket 5 || return 6 for (( n=1; n <= hb_rounds; n++)); do
fd_socket 5 || return 6
debugme out "\nsending client hello (TLS version $tls_hexcode)"
debugme outln " ($n of $hb_rounds)"
socksend "$client_hello" 1
debugme outln "\nsending client hello (TLS version $tls_hexcode)" debugme outln "\nreading server hello"
socksend "$client_hello" 1 sockread_serverhello 32768
if [[ $DEBUG -ge 4 ]]; then
debugme outln "\nreading server hello" hexdump -C "$SOCK_REPLY_FILE" | head -20
sockread_serverhello 32768 outln "[...]"
if [[ $DEBUG -ge 4 ]]; then outln "\nsending payload with TLS version $tls_hexcode:"
hexdump -C "$SOCK_REPLY_FILE" | head -20 fi
outln "[...]" rm "$SOCK_REPLY_FILE"
outln "\nsending payload with TLS version $tls_hexcode:"
fi socksend "$heartbleed_payload" 1
rm "$SOCK_REPLY_FILE" sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
[[ $? -eq 3 ]] && append=", timed out"
socksend "$heartbleed_payload" 1
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK lines_returned=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | wc -l | sed 's/ //g')
retval=$? if [[ $DEBUG -ge 3 ]]; then
outln "\nheartbleed reply: "
if [[ $DEBUG -ge 3 ]]; then hexdump -C "$SOCK_REPLY_FILE" | head -20
outln "\nheartbleed reply: " [[ $lines_returned -gt 20 ]] && outln "[...]"
hexdump -C "$SOCK_REPLY_FILE" | head -20 outln
bytes_returned="$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')" fi
[[ $bytes_returned -gt 320 ]] && outln "[...]"
outln if [[ $lines_returned -gt 1 ]]; then
fi if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then
# check possibility of weird vsftpd reply, see #426
lines_returned=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | wc -l | sed 's/ //g') saved_sockreply[n]="$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE")"
rm "$SOCK_REPLY_FILE" [[ $n -eq 1 ]] && grep -q '500 OOPS' "$SOCK_REPLY_FILE" && found_500_oops=true
if [[ $lines_returned -gt 1 ]]; then rm "$SOCK_REPLY_FILE"
pr_svrty_critical "VULNERABLE (NOT ok)" #debugme out "${saved_sockreply[n]}"
if [[ $retval -eq 3 ]]; then #TMPFILE="${saved_sockreply[n]}"
fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok) (timed out)" close_socket
else #tmpfile_handle "$FUNCNAME,$n.txt"
fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)" else
rm "$SOCK_REPLY_FILE"
pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append"
ret=1
break
fi
else
rm "$SOCK_REPLY_FILE"
pr_done_best "not vulnerable (OK)"
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append"
ret=0
break
fi
done
if [[ $n -gt 1 ]]; then
# more than one round of heartbleed checks --> vsftpd probably.
# This is the robust approach. According to a few tests it could also suffice # to check for "500 OOPS" only.
# Checking for the same socket reply DOES NOT suffice -- server can be idle and return the same memory
if [[ "${saved_sockreply[1]}" == "${saved_sockreply[2]}" ]] && [[ "${saved_sockreply[2]}" == "${saved_sockreply[3]}" ]] \
&& "$found_500_oops"; then
pr_done_best "not vulnerable (OK)$append"
[[ $DEBUG -ge 1 ]] && out ", successful weeded out vsftpd false positive"
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append"
else
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
[[ $DEBUG -ge 1 ]] && out " use debug >=2 to confirm"
fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): likely VULNERABLE (NOT ok)$append"
fi fi
ret=1
else else
pr_done_best "not vulnerable (OK)" # for the repeated tries we did that already
if [[ $retval -eq 3 ]]; then #TMPFILE="$SOCKREPLY"
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (timed out)" close_socket 2>/dev/null
else #tmpfile_handle $FUNCNAME.txt
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)"
fi
ret=0
fi fi
[[ $retval -eq 3 ]] && out " (timed out)" outln "$append"
outln
close_socket
tmpfile_handle $FUNCNAME.txt
return $ret return $ret
} }
@ -8751,4 +8785,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.537 2016/09/01 17:09:11 dirkw Exp $ # $Id: testssl.sh,v 1.540 2016/09/06 06:32:04 dirkw Exp $