Fix indentation in testssl.sh

This commit is contained in:
Peter Dave Hello 2021-05-30 01:09:45 +08:00
parent d41ea6c814
commit 413f7ce9a4


@ -1633,7 +1633,7 @@ out_row_aligned_max_width_by_entry() {
fi fi
out " " out " "
prev_entry="$entry" prev_entry="$entry"
done <<< "$resp" done <<< "$resp"
} }
print_fixed_width() { print_fixed_width() {
@ -6808,7 +6808,7 @@ run_server_preference() {
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \ ( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then ( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
if [[ $proto_ossl == ssl2 ]]; then if [[ $proto_ossl == ssl2 ]]; then
outln " (listed by strength)" outln " (listed by strength)"
elif [[ $proto_ossl == tls1_3 ]]; then elif [[ $proto_ossl == tls1_3 ]]; then
outln " (no server order, thus listed by strength)" outln " (no server order, thus listed by strength)"
else else
@ -6939,12 +6939,12 @@ cipher_pref_check() {
while true; do while true; do
if [[ $proto != tls1_3 ]]; then if [[ $proto != tls1_3 ]]; then
if [[ -n "$ciphers_found" ]]; then if [[ -n "$ciphers_found" ]]; then
ciphers_to_test="" ciphers_to_test=""
for cipher in $ciphers_found; do for cipher in $ciphers_found; do
[[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher" [[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher"
done done
[[ -z "$ciphers_to_test" ]] && break [[ -z "$ciphers_to_test" ]] && break
ciphers_to_test="-cipher ${ciphers_to_test:1}" ciphers_to_test="-cipher ${ciphers_to_test:1}"
else else
ciphers_to_test="-cipher ALL:COMPLEMENTOFALL${tested_cipher}" ciphers_to_test="-cipher ALL:COMPLEMENTOFALL${tested_cipher}"
fi fi
@ -14166,10 +14166,10 @@ parse_tls_serverhello() {
len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:6:2}") len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:6:2}")
offset=$((len1+8)) offset=$((len1+8))
if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then
# The SignatureAndHashAlgorithm won't be present in an anonymous # The SignatureAndHashAlgorithm won't be present in an anonymous
# key exhange. # key exhange.
peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}" peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}"
peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}" peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}"
fi fi
fi fi
fi fi
@ -14239,9 +14239,9 @@ parse_tls_serverhello() {
rfc7919_param="${rfc7919_param%,}" rfc7919_param="${rfc7919_param%,}"
[[ "$ephemeral_param" =~ $rfc7919_param ]] || named_curve_str="" [[ "$ephemeral_param" =~ $rfc7919_param ]] || named_curve_str=""
else else
ephemeral_param="$(grep -EA 1000 "prime:|P:" <<< "$ephemeral_param")" ephemeral_param="$(grep -EA 1000 "prime:|P:" <<< "$ephemeral_param")"
rfc7919_param="$($OPENSSL pkey -text_pub -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -EA 1000 "prime:|P:")" rfc7919_param="$($OPENSSL pkey -text_pub -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -EA 1000 "prime:|P:")"
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str="" [[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
fi fi
fi fi
@ -14266,8 +14266,8 @@ parse_tls_serverhello() {
len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:offset:4}") len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:offset:4}")
offset+=$((len1+4)) offset+=$((len1+4))
if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then
# The SignatureAndHashAlgorithm won't be present in an anonymous # The SignatureAndHashAlgorithm won't be present in an anonymous
# key exhange. # key exhange.
peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}" peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}"
peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}" peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}"
fi fi
@ -14320,53 +14320,53 @@ parse_tls_serverhello() {
# ASCII-HEX encoded session ticket # ASCII-HEX encoded session ticket
parse_tls13_new_session_ticket() { parse_tls13_new_session_ticket() {
local tls_version="$1" local tls_version="$1"
local new_session_ticket="$2" local new_session_ticket="$2"
local -i len ticket_lifetime ticket_age_add min_len remainder local -i len ticket_lifetime ticket_age_add min_len remainder
local ticket_nonce ticket extensions local ticket_nonce ticket extensions
local has_nonce=true local has_nonce=true
[[ "${new_session_ticket:0:2}" == 04 ]] || return 7 [[ "${new_session_ticket:0:2}" == 04 ]] || return 7
# Prior to draft 21 the NewSessionTicket did not include a ticket_nonce. # Prior to draft 21 the NewSessionTicket did not include a ticket_nonce.
[[ "${tls_version:0:2}" == 7F ]] && [[ 0x${tls_version:2:2} -le 20 ]] && has_nonce=false [[ "${tls_version:0:2}" == 7F ]] && [[ 0x${tls_version:2:2} -le 20 ]] && has_nonce=false
# Set min_len to the minimum length that a session ticket can be. # Set min_len to the minimum length that a session ticket can be.
min_len=28 min_len=28
"$has_nonce" || min_len=$((min_len-2)) "$has_nonce" || min_len=$((min_len-2))
remainder=$((2*0x${new_session_ticket:2:6})) remainder=$((2*0x${new_session_ticket:2:6}))
[[ $remainder -ge $min_len ]] || return 7 [[ $remainder -ge $min_len ]] || return 7
[[ ${#new_session_ticket} -ge $((remainder + 8)) ]] || return 7 [[ ${#new_session_ticket} -ge $((remainder + 8)) ]] || return 7
ticket_lifetime=0x${new_session_ticket:8:8} ticket_lifetime=0x${new_session_ticket:8:8}
ticket_age_add=0x${new_session_ticket:16:8} ticket_age_add=0x${new_session_ticket:16:8}
new_session_ticket="${new_session_ticket:24}" new_session_ticket="${new_session_ticket:24}"
remainder=$((remainder-16)) remainder=$((remainder-16))
if "$has_nonce"; then if "$has_nonce"; then
len=$((2*0x${new_session_ticket:0:2})) len=$((2*0x${new_session_ticket:0:2}))
new_session_ticket="${new_session_ticket:2}" new_session_ticket="${new_session_ticket:2}"
[[ $remainder -ge $((len + 12)) ]] || return 7 [[ $remainder -ge $((len + 12)) ]] || return 7
ticket_nonce="${new_session_ticket:0:len}" ticket_nonce="${new_session_ticket:0:len}"
new_session_ticket="${new_session_ticket:len}" new_session_ticket="${new_session_ticket:len}"
remainder=$((remainder-len-2)) remainder=$((remainder-len-2))
fi fi
len=$((2*0x${new_session_ticket:0:4})) len=$((2*0x${new_session_ticket:0:4}))
new_session_ticket="${new_session_ticket:4}" new_session_ticket="${new_session_ticket:4}"
[[ $remainder -ge $((len + 8)) ]] || return 7 [[ $remainder -ge $((len + 8)) ]] || return 7
ticket="${new_session_ticket:0:len}" ticket="${new_session_ticket:0:len}"
new_session_ticket="${new_session_ticket:len}" new_session_ticket="${new_session_ticket:len}"
remainder=$((remainder-len-4)) remainder=$((remainder-len-4))
len=$((2*0x${new_session_ticket:0:4})) len=$((2*0x${new_session_ticket:0:4}))
new_session_ticket="${new_session_ticket:4}" new_session_ticket="${new_session_ticket:4}"
[[ $remainder -eq $((len + 4)) ]] || return 7 [[ $remainder -eq $((len + 4)) ]] || return 7
extensions="${new_session_ticket:0:len}" extensions="${new_session_ticket:0:len}"
echo " TLS session ticket lifetime hint: $ticket_lifetime (seconds)" > $TMPFILE echo " TLS session ticket lifetime hint: $ticket_lifetime (seconds)" > $TMPFILE
tmpfile_handle ${FUNCNAME[0]}.txt $TMPFILE tmpfile_handle ${FUNCNAME[0]}.txt $TMPFILE
return 0 return 0
} }
#arg1 (optional): list of ciphers suites or empty #arg1 (optional): list of ciphers suites or empty
@ -16915,7 +16915,7 @@ run_freak() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for FREAK attack " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for FREAK attack " && outln
pr_bold " FREAK"; out " ($cve) " pr_bold " FREAK"; out " ($cve) "
if "$TLS13_ONLY"; then if "$TLS13_ONLY"; then
pr_svrty_best "not vulnerable (OK)" pr_svrty_best "not vulnerable (OK)"
[[ $DEBUG -ge 1 ]] && out ", TLS 1.3 only server" [[ $DEBUG -ge 1 ]] && out ", TLS 1.3 only server"
outln outln
@ -17786,9 +17786,9 @@ run_winshock() {
for tls_ext in $TLS_EXTENSIONS; do for tls_ext in $TLS_EXTENSIONS; do
# We use the whole array, got to be careful when the array becomes bigger (unintented match) # We use the whole array, got to be careful when the array becomes bigger (unintented match)
if [[ ${forbidden_tls_ext[@]} =~ $tls_ext ]]; then if [[ ${forbidden_tls_ext[@]} =~ $tls_ext ]]; then
pr_svrty_best "not vulnerable (OK)"; outln " - TLS extension $tls_ext detected" pr_svrty_best "not vulnerable (OK)"; outln " - TLS extension $tls_ext detected"
fileout "$jsonID" "OK" "not vulnerable - TLS extension $tls_ext detected" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable - TLS extension $tls_ext detected" "$cve" "$cwe"
return 0 return 0
fi fi
done done
fi fi
@ -20484,11 +20484,11 @@ extract_calist() {
type=$(hex2dec "${certreq:0:4}") type=$(hex2dec "${certreq:0:4}")
len=2*$(hex2dec "${certreq:4:4}") len=2*$(hex2dec "${certreq:4:4}")
if [[ $type -eq 47 ]]; then if [[ $type -eq 47 ]]; then
# This is the certificate_authorities extension # This is the certificate_authorities extension
calist="${certreq:8:len}" calist="${certreq:8:len}"
len=2*$(hex2dec "${calist:0:4}") len=2*$(hex2dec "${calist:0:4}")
calist="${calist:4:len}" calist="${calist:4:len}"
break break
fi fi
certreq="${certreq:$((len+8))}" certreq="${certreq:$((len+8))}"
done done
@ -22774,7 +22774,7 @@ lets_roll() {
fileout_section_header $section_number true && ((section_number++)) fileout_section_header $section_number true && ((section_number++))
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; } "$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
fileout_section_header $section_number true && ((section_number++)) fileout_section_header $section_number true && ((section_number++))
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; } "$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
fileout_section_header $section_number true && ((section_number++)) fileout_section_header $section_number true && ((section_number++))