Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-11 03:00:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

CCS injection: better handling of TLS alert protocols

Browse Source 
This is a backport of 8149c2d5cf.

In certain situations while testting for CCS injection it could have happened
that an error code was sent which was not interpreted properly by testssl.sh.
(https://tools.ietf.org/html/rfc5246#section-7.2)

This has now been fixed and thus addresses #906. Also it has been made sure
that other error codes are reported appropiately.

The case where this test failed before was a non-patched Ubuntu 12.04
with openssl/postfix on port 25.
This commit is contained in:
Dirk 2018-04-20 11:46:21 +02:00
parent ec7ef8aa3c
commit 4071f252bc
1 changed files with 28 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
testssl.sh
View File

@ -105,7 +105,7 @@ fi
trap "cleanup" QUIT EXIT trap "cleanup" QUIT EXIT
trap "child_error" USR1 trap "child_error" USR1
readonly VERSION="2.9.5-4" readonly VERSION="2.9.5-6"
readonly SWCONTACT="dirk aet testssl dot sh" readonly SWCONTACT="dirk aet testssl dot sh"
egrep -q "dev|rc" <<< "$VERSION" && \ egrep -q "dev|rc" <<< "$VERSION" && \
SWURL="https://testssl.sh/dev/" || SWURL="https://testssl.sh/dev/" ||
@ -9483,18 +9483,34 @@ run_ccs_injection(){
fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe" fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe"
fi fi
ret=0 ret=0
elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
pr_warning "test failed "
out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=1
elif [[ "$byte6" == "15" ]]; then
# decryption failed received # decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "ccs" "CRITICAL" "CCS: VULNERABLE" "$cve" "$cwe" "$hint" fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
ret=1 elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
if [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
# Unexpected message / Handshake failure received # Unexpected message / Handshake failure received
pr_warning "likely " pr_warning "likely "
out "not vulnerable (OK)" out "not vulnerable (OK)"
out " - alert description type: $byte6" out " - alert description type: $byte6"
fileout "ccs" "WARN" "CCS: probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint" fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "14" ]]; then
# bad_record_mac -- this is not "not vulnerable"
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious \"bad_record_mac\" ($byte6)"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE" "$cve" "$cwe" "$hint"
else
# other errors, see https://tools.ietf.org/html/rfc5246#section-7.2
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious error code \"$byte6\" returned. Please report"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
fi fi
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert # MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert