Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1431 from drwetter/fix_1430

Browse Source 
Fixes missing display of HTTP headers under OpenBSDs
This commit is contained in:
Dirk Wetter 2020-01-08 16:50:33 +01:00 committed by GitHub
commit 427341cc9b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 34 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
testssl.sh
View File

@ -164,8 +164,7 @@ if date -d @735275209 >/dev/null 2>&1; then
HAS_GNUDATE=true HAS_GNUDATE=true
fi fi
fi fi
# FreeBSD and OS X date(1) accept "-f inputformat" # FreeBSD and OS X date(1) accept "-f inputformat", so do newer OpenBSD versions >~ 6.6.
# so newer OpenBSD versions >~ 6.6.
date -j -f '%s' 1234567 >/dev/null 2>&1 && \ date -j -f '%s' 1234567 >/dev/null 2>&1 && \
HAS_FREEBSDDATE=true HAS_FREEBSDDATE=true
@ -2147,32 +2146,27 @@ run_http_header() {
pr_bold " HTTP Status Code " pr_bold " HTTP Status Code "
[[ -z "$1" ]] && url="/" || url="$1" [[ -z "$1" ]] && url="/" || url="$1"
if [[ "$SOCKETHEADER" == true ]]; then printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE &
: wait_kill $! $HEADER_MAXSLEEP
#FIXME: would be great to complete the handshake and then e.g. tunnel HTTP over it if [[ $? -eq 0 ]]; then
# Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang.
# Doing it again in the foreground to get an accurate header time
printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
NOW_TIME=$(date "+%s")
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
HAD_SLEPT=0
else else
printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE & # 1st GET request hung and needed to be killed. Check whether it succeeded anyway:
wait_kill $! $HEADER_MAXSLEEP if grep -Eiaq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then
if [[ $? -eq 0 ]]; then # correct by seconds we slept, HAD_SLEPT comes from wait_kill()
# Issue HTTP GET again as it properly finished within $HEADER_MAXSLEEP and didn't hang. NOW_TIME=$(($(date "+%s") - HAD_SLEPT))
# Doing it again in the foreground to get an accurate header time
printf "$GET_REQ11" | $OPENSSL s_client $(s_client_options "$OPTIMAL_PROTO $BUGS -quiet -ign_eof -connect $NODEIP:$PORT $PROXY $SNI") >$HEADERFILE 2>$ERRFILE
NOW_TIME=$(date "+%s")
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE)
HAD_SLEPT=0
else else
# 1st GET request hung and needed to be killed. Check whether it succeeded anyway: prln_warning " likely HTTP header requests failed (#lines: $(wc -l $HEADERFILE | awk '{ print $1 }'))"
if grep -Eiaq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then [[ "$DEBUG" -lt 1 ]] & outln "Rerun with DEBUG>=1 and inspect $HEADERFILE\n"
# correct by seconds we slept, HAD_SLEPT comes from wait_kill() fileout "HTTP_status_code" "WARN" "HTTP header request failed"
NOW_TIME=$(($(date "+%s") - HAD_SLEPT)) debugme cat $HEADERFILE
HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) ((NR_HEADER_FAIL++))
else
prln_warning " likely HTTP header requests failed (#lines: $(wc -l $HEADERFILE | awk '{ print $1 }'))"
[[ "$DEBUG" -lt 1 ]] & outln "Rerun with DEBUG>=1 and inspect $HEADERFILE\n"
fileout "HTTP_status_code" "WARN" "HTTP header request failed"
debugme cat $HEADERFILE
((NR_HEADER_FAIL++))
fi
fi fi
fi fi
if [[ ! -s $HEADERFILE ]]; then if [[ ! -s $HEADERFILE ]]; then
@ -2318,10 +2312,10 @@ run_http_date() {
if [[ -n "$HTTP_TIME" ]]; then if [[ -n "$HTTP_TIME" ]]; then
HTTP_TIME="$(strip_lf "$HTTP_TIME")" HTTP_TIME="$(strip_lf "$HTTP_TIME")"
if "$HAS_OPENBSDDATE"; then if "$HAS_OPENBSDDATE"; then
# we can't normalize the date under OpenBSD thus no subtraction is possible # We won't normalize the date under an OpenBSD thus no subtraction is feasible
outln "remote: $HTTP_TIME" outln "remote: $HTTP_TIME"
out "${spaces}local: $(date)" out "${spaces}local: $(date -z GMT)"
fileout "$jsonID" "INFO" "$HTTP_TIME - $(date)" fileout "$jsonID" "INFO" "$HTTP_TIME - $(date -z GMT)"
else else
HTTP_TIME="$(parse_date "$HTTP_TIME" "+%s" "%a, %d %b %Y %T %Z" 2>>$ERRFILE)" HTTP_TIME="$(parse_date "$HTTP_TIME" "+%s" "%a, %d %b %Y %T %Z" 2>>$ERRFILE)"
difftime=$((HTTP_TIME - NOW_TIME)) difftime=$((HTTP_TIME - NOW_TIME))
@ -2357,12 +2351,12 @@ match_httpheader_key() {
local first=$4 local first=$4
local -i nr=0 local -i nr=0
nr=$(grep -Eaicw "^ *$key:" $HEADERFILE) nr=$(grep -Eaic "^ *$key:" $HEADERFILE)
if [[ $nr -eq 0 ]]; then if [[ $nr -eq 0 ]]; then
HEADERVALUE="" HEADERVALUE=""
return 0 return 0
elif [[ $nr -eq 1 ]]; then elif [[ $nr -eq 1 ]]; then
HEADERVALUE="$(grep -Eiaw "^ *$key:" $HEADERFILE)" HEADERVALUE="$(grep -Eia "^ *$key:" $HEADERFILE)"
HEADERVALUE="${HEADERVALUE#*:}" # remove leading part=key to colon HEADERVALUE="${HEADERVALUE#*:}" # remove leading part=key to colon
HEADERVALUE="$(strip_lf "$HEADERVALUE")" HEADERVALUE="$(strip_lf "$HEADERVALUE")"
HEADERVALUE="$(strip_leading_space "$HEADERVALUE")" HEADERVALUE="$(strip_leading_space "$HEADERVALUE")"
@ -2375,7 +2369,7 @@ match_httpheader_key() {
pr_svrty_medium " ${nr}x" pr_svrty_medium " ${nr}x"
outln " -- checking first one only" outln " -- checking first one only"
out "$spaces" out "$spaces"
HEADERVALUE="$(fgrep -Faiw "$key:" $HEADERFILE | head -1)" HEADERVALUE="$(fgrep -Fai "$key:" $HEADERFILE | head -1)"
HEADERVALUE="${HEADERVALUE#*:}" HEADERVALUE="${HEADERVALUE#*:}"
HEADERVALUE="$(strip_lf "$HEADERVALUE")" HEADERVALUE="$(strip_lf "$HEADERVALUE")"
HEADERVALUE="$(strip_leading_space "$HEADERVALUE")" HEADERVALUE="$(strip_leading_space "$HEADERVALUE")"
@ -2482,27 +2476,27 @@ run_hpkp() {
pr_bold " Public Key Pinning " pr_bold " Public Key Pinning "
grep -aiw '^Public-Key-Pins' $HEADERFILE >$TMPFILE # TMPFILE includes report-only grep -aiw '^Public-Key-Pins' $HEADERFILE >$TMPFILE # TMPFILE includes report-only
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
if [[ $(grep -aciw '^Public-Key-Pins:' $TMPFILE) -gt 1 ]]; then if [[ $(grep -aci '^Public-Key-Pins:' $TMPFILE) -gt 1 ]]; then
pr_svrty_medium "Misconfiguration, multiple Public-Key-Pins headers" pr_svrty_medium "Misconfiguration, multiple Public-Key-Pins headers"
outln ", taking first line" outln ", taking first line"
fileout "HPKP_error" "MEDIUM" "multiple Public-Key-Pins in header" fileout "HPKP_error" "MEDIUM" "multiple Public-Key-Pins in header"
first_hpkp_header="$(grep -aiw '^Public-Key-Pins:' $TMPFILE | head -1)" first_hpkp_header="$(grep -ai '^Public-Key-Pins:' $TMPFILE | head -1)"
# we only evaluate the keys here, unless they a not present # we only evaluate the keys here, unless they a not present
out "$spaces " out "$spaces "
elif [[ $(grep -aciw '^Public-Key-Pins-Report-Only:' $TMPFILE) -gt 1 ]]; then elif [[ $(grep -aci '^Public-Key-Pins-Report-Only:' $TMPFILE) -gt 1 ]]; then
outln "Multiple HPKP headers (Report-Only), taking first line" outln "Multiple HPKP headers (Report-Only), taking first line"
fileout "HPKP_notice" "INFO" "multiple Public-Key-Pins-Report-Only in header" fileout "HPKP_notice" "INFO" "multiple Public-Key-Pins-Report-Only in header"
first_hpkp_header="$(grep -aiw '^Public-Key-Pins-Report-Only:' $TMPFILE | head -1)" first_hpkp_header="$(grep -ai '^Public-Key-Pins-Report-Only:' $TMPFILE | head -1)"
out "$spaces " out "$spaces "
elif [[ $(grep -Eaciw '^Public-Key-Pins:|^Public-Key-Pins-Report-Only:' $TMPFILE) -eq 2 ]]; then elif [[ $(grep -Eaci '^Public-Key-Pins:|^Public-Key-Pins-Report-Only:' $TMPFILE) -eq 2 ]]; then
outln "Public-Key-Pins + Public-Key-Pins-Report-Only detected. Continue with first one" outln "Public-Key-Pins + Public-Key-Pins-Report-Only detected. Continue with first one"
first_hpkp_header="$(grep -aiw '^Public-Key-Pins:' $TMPFILE)" first_hpkp_header="$(grep -ai '^Public-Key-Pins:' $TMPFILE)"
out "$spaces " out "$spaces "
elif [[ $(grep -aciw '^Public-Key-Pins:' $TMPFILE) -eq 1 ]]; then elif [[ $(grep -aci '^Public-Key-Pins:' $TMPFILE) -eq 1 ]]; then
first_hpkp_header="$(grep -aiw '^Public-Key-Pins:' $TMPFILE)" first_hpkp_header="$(grep -ai '^Public-Key-Pins:' $TMPFILE)"
else else
outln "Public-Key-Pins-Only detected" outln "Public-Key-Pins-Only detected"
first_hpkp_header="$(grep -aiw '^Public-Key-Pins-Report-Only:' $TMPFILE)" first_hpkp_header="$(grep -ai '^Public-Key-Pins-Report-Only:' $TMPFILE)"
out "$spaces " out "$spaces "
fileout "HPKP_SPKIs" "INFO" "Only Public-Key-Pins-Report-Only" fileout "HPKP_SPKIs" "INFO" "Only Public-Key-Pins-Report-Only"
fi fi