mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-22 08:29:31 +01:00
- output polishing of run_drown() - polishing of run_logjam() - decrease severity to high for LOGJAM, see CVE rating
This commit is contained in:
parent
b1c80512e6
commit
4433345b16
58
testssl.sh
58
testssl.sh
@ -9526,6 +9526,7 @@ run_logjam() {
|
|||||||
local -i sclient_success=0
|
local -i sclient_success=0
|
||||||
local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA"
|
local exportdhe_cipher_list="EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA"
|
||||||
local exportdhe_cipher_list_hex="00,63, 00,65, 00,14, 00,11"
|
local exportdhe_cipher_list_hex="00,63, 00,65, 00,14, 00,11"
|
||||||
|
local all_dhe_ciphers="cc,15, 00,b3, 00,91, c0,97, 00,a3, 00,9f, cc,aa, c0,a3, c0,9f, 00,6b, 00,6a, 00,39, 00,38, 00,c4, 00,c3, 00,88, 00,87, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, 00,ab, cc,ad, c0,a7, c0,43, c0,45, c0,47, c0,53, c0,57, c0,5b, c0,67, c0,6d, c0,7d, c0,81, c0,85, c0,91, 00,a2, 00,9e, c0,a2, c0,9e, 00,aa, c0,a6, 00,67, 00,40, 00,33, 00,32, 00,be, 00,bd, 00,9a, 00,99, 00,45, 00,44, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, 00,b2, 00,90, c0,96, c0,42, c0,44, c0,46, c0,52, c0,56, c0,5a, c0,66, c0,6c, c0,7c, c0,80, c0,84, c0,90, 00,66, 00,18, 00,8e, 00,16, 00,13, 00,1b, 00,8f, 00,63, 00,15, 00,12, 00,1a, 00,65, 00,14, 00,11, 00,19, 00,17, 00,b5, 00,b4, 00,2d"
|
||||||
local -i i nr_supported_ciphers=0 server_key_exchange_len=0 ephemeral_pub_len=0
|
local -i i nr_supported_ciphers=0 server_key_exchange_len=0 ephemeral_pub_len=0
|
||||||
local addtl_warning="" hexc
|
local addtl_warning="" hexc
|
||||||
local cve="CVE-2015-4000"
|
local cve="CVE-2015-4000"
|
||||||
@ -9533,6 +9534,7 @@ run_logjam() {
|
|||||||
local hint=""
|
local hint=""
|
||||||
local server_key_exchange ephemeral_pub key_bitstring="" dh_p
|
local server_key_exchange ephemeral_pub key_bitstring="" dh_p
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
local spaces=" "
|
||||||
|
|
||||||
"$SSL_NATIVE" && using_sockets=false
|
"$SSL_NATIVE" && using_sockets=false
|
||||||
|
|
||||||
@ -9546,8 +9548,7 @@ run_logjam() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case $nr_supported_ciphers in
|
case $nr_supported_ciphers in
|
||||||
0)
|
0) local_problem_ln "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
||||||
local_problem_ln "$OPENSSL doesn't have any DHE EXPORT ciphers configured"
|
|
||||||
fileout "logjam" "WARN" "LOGJAM: Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured" "$cve" "$cwe"
|
fileout "logjam" "WARN" "LOGJAM: Not tested. $OPENSSL doesn't have any DHE EXPORT ciphers configured" "$cve" "$cwe"
|
||||||
return 3
|
return 3
|
||||||
;;
|
;;
|
||||||
@ -9565,23 +9566,14 @@ run_logjam() {
|
|||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
|
||||||
fi
|
fi
|
||||||
addtl_warning="$addtl_warning, common primes not checked."
|
|
||||||
if "$HAS_DH_BITS" || ( ! "$SSL_NATIVE" && ! "$FAST" && [[ $TLS_NR_CIPHERS -ne 0 ]] ); then
|
|
||||||
if ! "$do_allciphers" && ! "$do_cipher_per_proto"; then
|
|
||||||
addtl_warning="$addtl_warning \"$PROG_NAME -E/-e\" spots candidates"
|
|
||||||
else
|
|
||||||
addtl_warning="$addtl_warning See below for any DH ciphers + bit size"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $sclient_success -eq 0 ]]; then
|
if [[ $sclient_success -eq 0 ]]; then
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers, common primes not checked."
|
pr_svrty_high "VULNERABLE (NOT ok):"; out " uses DHE EXPORT ciphers,"
|
||||||
fileout "logjam" "CRITICAL" "LOGJAM: VULNERABLE, uses DHE EXPORT ciphers, common primes not checked." "$cve" "$cwe" "$hint"
|
fileout "logjam" "HIGH" "LOGJAM: VULNERABLE, uses DHE EXPORT ciphers" "$cve" "$cwe" "$hint"
|
||||||
else
|
else
|
||||||
pr_done_best "not vulnerable (OK)"; out "$addtl_warning"
|
pr_done_good "not vulnerable (OK):"; out " no DHE EXPORT ciphers,"; out "$addtl_warning"
|
||||||
fileout "logjam" "OK" "LOGJAM: not vulnerable $addtl_warning" "$cve" "$cwe"
|
fileout "logjam" "OK" "LOGJAM: not vulnerable (no DHE EXPORT ciphers) $addtl_warning" "$cve" "$cwe"
|
||||||
fi
|
fi
|
||||||
outln
|
|
||||||
|
|
||||||
if [[ $DEBUG -ge 2 ]]; then
|
if [[ $DEBUG -ge 2 ]]; then
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
@ -9601,7 +9593,7 @@ run_logjam() {
|
|||||||
|
|
||||||
# Try all ciphers that use an ephemeral DH key. If successful, check whether the key uses a weak prime.
|
# Try all ciphers that use an ephemeral DH key. If successful, check whether the key uses a weak prime.
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
tls_sockets "03" "cc,15, 00,b3, 00,91, c0,97, 00,a3, 00,9f, cc,aa, c0,a3, c0,9f, 00,6b, 00,6a, 00,39, 00,38, 00,c4, 00,c3, 00,88, 00,87, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, 00,ab, cc,ad, c0,a7, c0,43, c0,45, c0,47, c0,53, c0,57, c0,5b, c0,67, c0,6d, c0,7d, c0,81, c0,85, c0,91, 00,a2, 00,9e, c0,a2, c0,9e, 00,aa, c0,a6, 00,67, 00,40, 00,33, 00,32, 00,be, 00,bd, 00,9a, 00,99, 00,45, 00,44, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, 00,b2, 00,90, c0,96, c0,42, c0,44, c0,46, c0,52, c0,56, c0,5a, c0,66, c0,6c, c0,7c, c0,80, c0,84, c0,90, 00,66, 00,18, 00,8e, 00,16, 00,13, 00,1b, 00,8f, 00,63, 00,15, 00,12, 00,1a, 00,65, 00,14, 00,11, 00,19, 00,17, 00,b5, 00,b4, 00,2d" "ephemeralkey"
|
tls_sockets "03" "$all_dhe_ciphers" "ephemeralkey"
|
||||||
sclient_success=$?
|
sclient_success=$?
|
||||||
if [[ $sclient_success -eq 0 ]] || [[ $sclient_success -eq 2 ]]; then
|
if [[ $sclient_success -eq 0 ]] || [[ $sclient_success -eq 2 ]]; then
|
||||||
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
cp "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt" $TMPFILE
|
||||||
@ -9625,13 +9617,45 @@ run_logjam() {
|
|||||||
dh_p="$($OPENSSL pkey -pubin -text -noout <<< "$key_bitstring" | awk '/prime:/,/generator:/' | tail -n +2 | head -n -1)"
|
dh_p="$($OPENSSL pkey -pubin -text -noout <<< "$key_bitstring" | awk '/prime:/,/generator:/' | tail -n +2 | head -n -1)"
|
||||||
dh_p="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$dh_p")")")"
|
dh_p="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$dh_p")")")"
|
||||||
[[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}"
|
[[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}"
|
||||||
# At this point the DH key's prime has been extracted into $dh_p. Compare is against known weak primes.
|
debugme outln "dh_p: $dh_p"
|
||||||
|
echo "$dh_p" > $TEMPDIR/dh_p.txt
|
||||||
|
common_primes_test $dh_p
|
||||||
|
else
|
||||||
|
outln " no DH key detected"
|
||||||
|
fileout "LOGJAM_common primes" "OK" "no DH key detected"
|
||||||
fi
|
fi
|
||||||
|
outln
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $sclient_success
|
return $sclient_success
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# takes one arg and compares against a predefined set in $TESTSSL_INSTALL_DIR
|
||||||
|
common_primes_test() {
|
||||||
|
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
|
||||||
|
local -i lineno_matched=0
|
||||||
|
local comment=""
|
||||||
|
|
||||||
|
if [[ ! -s "$common_primes_file" ]]; then
|
||||||
|
pr_warningln "couldn't read common primes file $common_primes_file"
|
||||||
|
fileout "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file"
|
||||||
|
return 1
|
||||||
|
else
|
||||||
|
lineno_matched=$(grep -n "$dh_p" "$common_primes_file" 2>/dev/null)
|
||||||
|
if [[ "$lineno_matched" -ne 0 ]]; then
|
||||||
|
# get comment
|
||||||
|
comment="$(awk "NR == $lineno_matched-1" "$common_primes_file" | awk -F'"' '{ print $2 }')"
|
||||||
|
#FiXME: probably the high groups/bit sizes whould get a different rating, see paper
|
||||||
|
pr_svrty_high "common prime $comment detected"
|
||||||
|
fileout "LOGJAM_common primes" "HIGH" "common prime $comment detected"
|
||||||
|
else
|
||||||
|
pr_done_good " no common primes detected"
|
||||||
|
fileout "LOGJAM_common primes" "OK" "no common primes detected"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
run_drown() {
|
run_drown() {
|
||||||
local nr_ciphers_detected ret
|
local nr_ciphers_detected ret
|
||||||
|
Loading…
Reference in New Issue
Block a user