- local dns matches don't need lookup anymore over net --> saves timeouts+time

- further banner tuning + function mybanner, 2 additional global vars for debugging
- cosmetic improvements
This commit is contained in:
Dirk 2015-05-31 14:40:12 +02:00
parent 77ad7c9252
commit 452fd6762a
1 changed files with 59 additions and 49 deletions


@ -10,7 +10,7 @@
# Please file bugs at github! https://github.com/drwetter/testssl.sh/issues # Please file bugs at github! https://github.com/drwetter/testssl.sh/issues
VERSION="2.5dev" VERSION="2.5dev"
SWURL="https://testssl.sh" SWURL="http://dev.testssl.sh"
SWCONTACT="dirk aet testssl dot sh" SWCONTACT="dirk aet testssl dot sh"
# Main author: Dirk Wetter, copyleft: 2007-2015, contributions so far see CREDIT.md # Main author: Dirk Wetter, copyleft: 2007-2015, contributions so far see CREDIT.md
@ -61,6 +61,10 @@ readonly PROG_NAME=$(basename "$0")
readonly RUN_DIR=$(dirname $0) readonly RUN_DIR=$(dirname $0)
readonly PROG_DIR=$(readlink "$BASH_SOURCE") 2>/dev/null readonly PROG_DIR=$(readlink "$BASH_SOURCE") 2>/dev/null
which git &>/dev/null && readonly GIT_REL=$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')
readonly CVS_REL=$(tail -5 $0 | awk '/dirkw Exp/ { print $4" "$5" "$6}')
readonly CVS_REL_SHORT=$(tail -5 $0 | awk '/dirkw Exp/ { print $4 }')
# following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host> # following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
# 0 means (normally) true here. Some of the variables are also accessible with a command line switch # 0 means (normally) true here. Some of the variables are also accessible with a command line switch
@ -2721,7 +2725,7 @@ logjam() {
$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
ret=$? ret=$?
[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error" [ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
addtl_warning="$addtl_warning, precomputed primes not checked yet. \"$PROG_NAME -E\" spots candidates" addtl_warning="$addtl_warning, precomputable primes not checked yet. \"$PROG_NAME -E\" spots candidates"
if [ $ret -eq 0 ]; then if [ $ret -eq 0 ]; then
pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers" pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers"
else else
@ -3069,20 +3073,20 @@ EOF
mybanner() { mybanner() {
me=$(basename "$0") local nr_ciphers
osslver=$($OPENSSL version) local idtag
osslpath=$(which $OPENSSL) local bb
nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w | sed 's/ //g') nr_ciphers=$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w | sed 's/ //g')
hn=$(hostname) [ -z "$GIT_REL" ] && \
#poor man's ident (nowadays ident not neccessarily installed) idtag="$CVS_REL" || \
idtag=$(grep -a '\$Id' $0 | grep -aw "[E]xp" | sed -e 's/^# //' -e 's/\$ $/\$/') idtag="$GIT_REL -- $CVS_REL_SHORT"
which git &>/dev/null && idtag="$(git log --format='%h %ci' -1 2>/dev/null)"
[ "$COLOR" -ne 0 ] && idtag="\033[1;30m$idtag\033[m\033[1m" [ "$COLOR" -ne 0 ] && idtag="\033[1;30m$idtag\033[m\033[1m"
bb=$(cat <<EOF bb=$(cat <<EOF
######################################################### #########################################################
$me v$VERSION ($SWURL) $PROG_NAME $VERSION $SWURL
($idtag) ($idtag)
This program is free software. Redistribution + This program is free software. Redistribution +
modification under GPLv2 is permitted. modification under GPLv2 is permitted.
@ -3093,12 +3097,11 @@ $me v$VERSION ($SWURL)
######################################################### #########################################################
EOF EOF
) )
pr_bold "$bb" pr_bold "$bb"
outln "\n" outln "\n"
outln " Using \"$osslver\" [~$nr_ciphers ciphers] on outln " Using \"$($OPENSSL version)\" [~$nr_ciphers ciphers] on"
$hn:$osslpath outln " $(hostname):$(which $OPENSSL)"
(built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n" outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
} }
@ -3112,7 +3115,8 @@ maketempf() {
if [ $DEBUG -ne 0 ]; then if [ $DEBUG -ne 0 ]; then
cat >$TEMPDIR/environment.txt << EOF cat >$TEMPDIR/environment.txt << EOF
$idtag CVS_REL: $CVS_REL
GIT_REL: $GIT_REL
PID: $$ PID: $$
bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]} bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
@ -3325,7 +3329,7 @@ parse_hn_port() {
esac esac
fi fi
${do_mx_allentries} || initialize_engine ${do_mx_all_ips} || initialize_engine
outln outln
return 0 return 0
@ -3340,32 +3344,34 @@ get_dns_entries() {
else else
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }') IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
if which host &> /dev/null && [ -z "$IP4" ] ; then if [ -z "$IP4" ]; then
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //') if which host &> /dev/null && [ -z "$IP4" ] ; then
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
return 1 if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
return 1
fi
fi
if [ -z "$IP4" ] ; then
# MSYS2 has no host or getent, so we need nslookup
IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
[ -z "$IP4" ] && return 2
fi fi
fi fi
# MSYS2 has no host or getent, so we do this
if [ -z "$IP4" ] ; then
IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
[ -z "$IP4" ] && return 2
fi
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use IP6=$(grep -w "$NODE" /etc/hosts | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
#which getent 2>&1 >/dev/null && IP6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
if [ -z "$IP6" ] ; then if [ -z "$IP6" ] ; then
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
#which getent 2>&1 >/dev/null && IP6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
if host -t aaaa $NODE &>/dev/null ; then if host -t aaaa $NODE &>/dev/null ; then
IP6=$(host -t aaaa $NODE | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //') IP6=$(host -t aaaa $NODE | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //')
else else
IP6="" IP6=""
fi fi
# MSYS2 has no host or getent, so we need nslookup
if [ -z "$IP6" ] ; then
IP6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
fi
fi fi
# MSYS2 has no host or getent, so we do this
if [ -z "$IP6" ] ; then
IP6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
fi
fi # test4iponly fi # test4iponly
IPADDRs="$IP4" IPADDRs="$IP4"
@ -3412,10 +3418,15 @@ datebanner() {
outln outln
} }
draw_dotted_line() {
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
}
mx_allentries() {
mx_all_ips() {
local mxs mx local mxs mx
local mxport local mxport
local ret=0
if which host &> /dev/null; then if which host &> /dev/null; then
mxs=$(host -t MX "$1" | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//') mxs=$(host -t MX "$1" | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
@ -3448,10 +3459,6 @@ mx_allentries() {
fi fi
} }
draw_dotted_line() {
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
}
# This initializes boolean global do_* variables, meant primarily to keep track of what to do # This initializes boolean global do_* variables, meant primarily to keep track of what to do
initialize_globals() { initialize_globals() {
@ -3466,7 +3473,7 @@ initialize_globals() {
do_logjam=false do_logjam=false
do_header=false do_header=false
do_heartbleed=false do_heartbleed=false
do_mx_allentries=false do_mx_all_ips=false
do_pfs=false do_pfs=false
do_protocols=false do_protocols=false
do_rc4=false do_rc4=false
@ -3510,7 +3517,7 @@ query_globals() {
local true_nr=0 local true_nr=0
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \ for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
do_freak do_logjam do_header do_heartbleed do_mx_allentries do_pfs do_protocols do_rc4 do_renego \ do_freak do_logjam do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \ do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
do_test_just_one do_tls_sockets; do do_test_just_one do_tls_sockets; do
[ "${!gbl}" == "true" ] && let true_nr++ [ "${!gbl}" == "true" ] && let true_nr++
@ -3523,7 +3530,7 @@ debug_globals() {
local gbl local gbl
for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \ for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_allentries do_pfs do_protocols do_rc4 do_renego \ do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \ do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
do_test_just_one do_tls_sockets; do do_test_just_one do_tls_sockets; do
printf "%-22s = %s\n" $gbl "${!gbl}" printf "%-22s = %s\n" $gbl "${!gbl}"
@ -3545,13 +3552,16 @@ startup() {
mybanner mybanner
exit 0;; exit 0;;
--mx) --mx)
do_mx_allentries=true;; do_mx_all_ips=true;;
--mx465) # doesn't work with major ISPs --mx465) # doesn't work with major ISPs
do_mx_allentries=true do_mx_all_ips=true
PORT=465 ;; PORT=465 ;;
--mx587) # doesn't work with major ISPs --mx587) # doesn't work with major ISPs
do_mx_allentries=true do_mx_all_ips=true
PORT=587 ;; PORT=587 ;;
--ip)
CMDLINE_IP=$2
shift ;;
-V|--local) # this is only displaying local, thus we don't put it in the loop -V|--local) # this is only displaying local, thus we don't put it in the loop
find_openssl_binary find_openssl_binary
mybanner mybanner
@ -3758,12 +3768,12 @@ mybanner
openssl_age openssl_age
maketempf maketempf
if ${do_mx_allentries} ; then if ${do_mx_all_ips} ; then
query_globals query_globals
# if we have just one "do_*" set here --> query_globals: we do a standard run -- otherwise just the one specified # if we have just one "do_*" set here --> query_globals: we do a standard run -- otherwise just the one specified
[ $? -eq 1 ] && set_scanning_defaults [ $? -eq 1 ] && set_scanning_defaults
initialize_engine initialize_engine
mx_allentries "${URI}" $PORT mx_all_ips "${URI}" $PORT
ret=$? ret=$?
else else
parse_hn_port "${URI}" "${STARTTLS_PROTOCOL}" parse_hn_port "${URI}" "${STARTTLS_PROTOCOL}"
@ -3773,6 +3783,6 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.265 2015/05/29 12:12:21 dirkw Exp $ # $Id: testssl.sh,v 1.267 2015/05/31 12:40:11 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab # ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
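Review bot: The new `if [ -z "$IP4" ]` gate in get_dns_entries makes the /etc/hosts hit authoritative — a non-empty match now skips the network lookup altogether — but the match that feeds it (`grep -w "$NODE" /etc/hosts | ... | egrep "[[:space:]]$NODE"`) is a regex rather than an exact name comparison: the dots in $NODE match any character and nothing anchors the end of the name, so a hosts entry for `example.com.staging` or `example-com` satisfies a request for `example.com` and the scan silently goes to that address. A field-wise comparison removes the ambiguity: `IP4=$(awk -v n="$NODE" '/^#/ || /:/ {next} { for (i=2; i<=NF; i++) if ($i == n) {print $1; break} }' /etc/hosts)`. The inner `[ -z "$IP4" ]` inside the `which host` test is now redundant, since the enclosing `if` has already established it. get_dns_entries begins before this hunk, so how $NODE is derived from the command line is not visible here.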