diff --git a/testssl.sh b/testssl.sh index 6984516..519baea 100755 --- a/testssl.sh +++ b/testssl.sh @@ -109,9 +109,13 @@ else readonly REL_DATE=$(tail -5 "$0" | awk '/dirkw Exp/ { print $5 }') fi readonly SYSTEM=$(uname -s) -date --help >/dev/null 2>&1 && \ +date -d @735275209 >/dev/null 2>&1 && \ readonly HAS_GNUDATE=true || \ readonly HAS_GNUDATE=false +# FreeBSD and OS X date(1) accept "-f inputformat" +date -j -f '%s' 1234567 >/dev/null 2>&1 && \ + readonly HAS_FREEBSDDATE=true || \ + readonly HAS_FREEBSDDATE=false echo A | sed -E 's/A//' >/dev/null 2>&1 && \ readonly HAS_SED_E=true || \ readonly HAS_SED_E=false @@ -121,9 +125,9 @@ tty -s && \ readonly INTERACTIVE=false if ! tput cols &>/dev/null || ! $INTERACTIVE; then # Prevent tput errors if running non interactive - TERM_DWITH=${COLUMNS:-80} + TERM_WIDTH=${COLUMNS:-80} else - TERM_DWITH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes + TERM_WIDTH=${COLUMNS:-$(tput cols)} # for custom line wrapping and dashes fi TERM_CURRPOS=0 # custom line wrapping needs alter the current horizontal cursor pos @@ -149,6 +153,7 @@ WIDE=${WIDE:-false} # whether to display for some options th LOGFILE=${LOGFILE:-""} # logfile if used JSONFILE=${JSONFILE:-""} # jsonfile if used CSVFILE=${CSVFILE:-""} # csvfile if used +APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs) @@ -358,7 +363,7 @@ pr_svrty_criticalln(){ pr_svrty_critical "$1"; outln; } # color=1 functions -pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m\c"; } +pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m"; } pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; } pr_boldln() { pr_bold "$1" ; outln; } pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } @@ -454,21 +459,29 @@ strip_quote() { } fileout_header() { - "$do_json" && printf "[\n" > "$JSONFILE" - "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + if "$APPEND"; then + if [[ -f "$JSONFILE" ]]; then + FIRST_FINDING=false # We need to insert a comma, because there is file content already + else + "$do_json" && printf "[\n" > "$JSONFILE" + fi + "$do_csv" && [[ ! -f "CSVFILE" ]] && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + else + "$do_json" && printf "[\n" > "$JSONFILE" + "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + fi } fileout_footer() { - "$do_json" && printf "]\n" >> "$JSONFILE" + "$do_json" && [[ -f "$JSONFILE" ]] && printf "]\n" >> "$JSONFILE" } fileout() { # ID, SEVERITY, FINDING local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") if "$do_json"; then - "$FIRST_FINDING" || echo "," >> $JSONFILE - echo -e " - { + "$FIRST_FINDING" || echo -n "," >> $JSONFILE + echo -e " { \"id\" : \"$1\", \"ip\" : \"$NODE/$NODEIP\", \"port\" : \"$PORT\", @@ -610,6 +623,20 @@ wait_kill(){ return 3 # means killed } +# parse_date date format input-format +if "$HAS_GNUDATE"; then # Linux and NetBSD + parse_date() { + LC_ALL=C date -d "$1" "$2" + } +elif "$HAS_FREEBSDDATE"; then # FreeBSD and OS X + parse_date() { + LC_ALL=C date -j -f "$3" "$2" "$1" + } +else + parse_date() { + LC_ALL=C date -j "$2" "$1" + } +fi ###### check code starts here ###### @@ -831,11 +858,7 @@ run_http_date() { out "not tested as we're not targeting HTTP" else if [[ -n "$HTTP_TIME" ]]; then - if "$HAS_GNUDATE"; then - HTTP_TIME=$(date --date="$HTTP_TIME" "+%s") - else - HTTP_TIME=$(LC_ALL=C date -j -f "%a, %d %b %Y %T %Z" "$HTTP_TIME" "+%s" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise - fi + HTTP_TIME=$(parse_date "$HTTP_TIME" "+%s" "%a, %d %b %Y %T %Z" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise difftime=$((HTTP_TIME - $NOW_TIME)) [[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime" @@ -856,19 +879,19 @@ run_http_date() { includeSubDomains() { if grep -aiqw includeSubDomains "$1"; then pr_done_good ", includeSubDomains" - return 1 + return 0 else pr_litecyan ", just this domain" - return 0 + return 1 fi } preload() { if grep -aiqw preload "$1"; then pr_done_good ", preload" - return 1 - else return 0 + else + return 1 fi } @@ -886,9 +909,18 @@ run_hsts() { if [[ $? -eq 0 ]]; then grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" || out "(two HSTS header, using 1st one) " hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1) -#FIXME: test for number! - hsts_age_days=$(( hsts_age_sec / 86400)) - if [[ $hsts_age_days -gt $HSTS_MIN ]]; then + if [[ -n $hsts_age_sec ]]; then + hsts_age_days=$(( hsts_age_sec / 86400)) + else + hsts_age_days=-1 + fi + if [[ $hsts_age_days -eq -1 ]]; then + pr_svrty_medium "HSTS max-age is required but missing. Setting 15552000 s (180 days) or more is recommended" + fileout "hsts_time" "MEDIUM" "HSTS max-age missing. 15552000 s (180 days) or more recommnded" + elif [[ $hsts_age_days -eq 0 ]]; then + pr_svrty_medium "HSTS max-age is set to 0. HSTS is disabled" + fileout "hsts_time" "MEDIUM" "HSTS max-age set to 0. HSTS is disabled" + elif [[ $hsts_age_days -gt $HSTS_MIN ]]; then pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s" fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days" else @@ -1967,6 +1999,13 @@ run_client_simulation() { local handshakebytes=() local lowest_protocol=() local highest_protocol=() + local service=() + local minDhBits=() + local maxDhBits=() + local minRsaBits=() + local maxRsaBits=() + local minEcdsaBits=() + local requiresSha2=() local i=0 local name tls proto cipher local using_sockets=true @@ -1982,7 +2021,6 @@ run_client_simulation() { # Get handshakes from external file . "client-simulation-data.sh" - # FIXME: At a certain time we should put the following to an external file outln pr_headlineln " Running browser simulations (experimental) " @@ -2014,8 +2052,9 @@ run_client_simulation() { else #FIXME: awk proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') - if [[ "$proto" == TLSv1.2 || "$proto" == TLSv1 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then - # OpenSSL reports TLS1.2/TLSv1 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is... + [[ "$proto" == TLSv1 ]] && proto="TLSv1.0" + if [[ "$proto" == TLSv1.2 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then + # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is... for tls in ${tlsvers[i]}; do $OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE debugme echo "$OPENSSL s_client $tls -no_ssl2 -no_ssl3 -cipher ${ciphers[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} >$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z") - startdate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M") - LC_ALL=C days2expire=$(( $(date -j -f "%F %H:%M %z" "$enddate" "+%s") - $(date "+%s") )) # in seconds - fi + enddate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z" "%b %d %T %Y %Z") + startdate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M" "%b %d %T %Y %Z") + days2expire=$(( $(parse_date "$enddate" "+%s" "%F %H:%M %z") - $(LC_ALL=C date "+%s") )) # in seconds days2expire=$((days2expire / 3600 / 24 )) if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then # we take the half of the thresholds for LE certificates @@ -4351,10 +4384,14 @@ parse_tls_serverhello() { echo "Protocol : TLSv1.$((0x$tls_protocol2-0x0301))" >> $TMPFILE fi echo "===============================================================================" >> $TMPFILE - if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then - echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE + if [[ -n "$MAPPING_FILE_RFC" ]]; then + if [[ "${tls_cipher_suite:0:2}" == "00" ]]; then + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:2:2}"))" >> $TMPFILE + else + echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE + fi else - echo "Cipher : $(strip_spaces $(show_rfc_style "x${tls_cipher_suite:0:4}"))" >> $TMPFILE + echo "Cipher : $($OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL' | grep -i " 0x${tls_cipher_suite:0:2},0x${tls_cipher_suite:2:2} " | awk '{ print $3 }')" >> $TMPFILE fi echo "===============================================================================" >> $TMPFILE @@ -4365,11 +4402,7 @@ parse_tls_serverhello() { echo " tls_sid_len: 0x$tls_sid_len_hex / = $((tls_sid_len/2))" fi echo -n " tls_hello_time: 0x$tls_hello_time " - if "$HAS_GNUDATE"; then - date --date="@$TLS_TIME" "+%Y-%m-%d %r" - else - LC_ALL=C date -j -f %s "$TLS_TIME" "+%Y-%m-%d %r" - fi + parse_date "$TLS_TIME" "+%Y-%m-%d %r" "%s" echo " tls_cipher_suite: 0x$tls_cipher_suite" echo -n " tls_compression_method: 0x$tls_compression_method " case $tls_compression_method in @@ -4726,7 +4759,7 @@ tls_sockets() { # mainly adapted from https://gist.github.com/takeshixx/10107280 run_heartbleed(){ [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln - pr_bold " Heartbleed\c"; out " (CVE-2014-0160) " + pr_bold " Heartbleed"; out " (CVE-2014-0160) " [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then @@ -5140,7 +5173,7 @@ run_crime() { # $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI /dev/null >$TMPFILE # if [[ $? -eq 0 ]]; then # echo -# pr_bold "CRIME Vulnerability, SPDY \c" ; outln "(CVE-2012-4929): \c" +# pr_bold "CRIME Vulnerability, SPDY " ; outln "(CVE-2012-4929): " # STR=$(grep Compression $TMPFILE ) # if echo $STR | grep -q NONE >/dev/null; then @@ -5650,7 +5683,7 @@ run_lucky13() { # in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM echo "FIXME" fileout "lucky13" "WARN" "LUCKY13 (CVE-2013-0169) : No tested. Not implemented. #FIXME" - return -1 + return 1 } @@ -5969,11 +6002,12 @@ output options (can also be preset via environment variables): file output options (can also be preset via environment variables): --log, --logging logs stdout to in current working directory - --logfile logs stdout to if file is a dir or to specified file - --json additional output of findings to JSON file in cwd (experimental) - --jsonfile additional output to JSON and output JSON to the specified file (experimental) - --csv additional output of findings to CSV file in cwd (experimental) - --csvfile set output to CSV and output CSV to the specified file (experimental) + --logfile logs stdout to if file is a dir or to specified log file + --json additional output of findings to JSON file in cwd + --jsonfile additional output to JSON and output JSON to the specified file + --csv additional output of findings to CSV file in cwd + --csvfile set output to CSV and output CSV to the specified file + --append if or exists rather append then overwrite All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl . @@ -6036,9 +6070,10 @@ MAPPING_FILE_RFC: $MAPPING_FILE_RFC CAPATH: $CAPATH COLOR: $COLOR COLORBLIND: $COLORBLIND -TERM_DWITH: $TERM_DWITH +TERM_WIDTH: $TERM_WIDTH INTERACTIVE: $INTERACTIVE HAS_GNUDATE: $HAS_GNUDATE +HAS_FREEBSDDATE: $HAS_FREEBSDDATE HAS_SED_E: $HAS_SED_E SHOW_EACH_C: $SHOW_EACH_C @@ -6125,7 +6160,7 @@ cleanup () { [[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR"; fi outln - fileout_footer + "$APPEND" || fileout_footer } fatal() { @@ -6192,7 +6227,6 @@ ignore_no_or_lame() { } # arg1: URI -# arg2: protocol parse_hn_port() { local tmp_port @@ -6225,13 +6259,27 @@ parse_hn_port() { debugme echo $NODE:$PORT SNI="-servername $NODE" - # now do logging if instructed + URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port + URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / + [[ -z "$URL_PATH" ]] && URL_PATH="/" + debugme echo $URL_PATH + return 0 # NODE, URL_PATH, PORT is set now +} + + +# now do logging if instructed +# arg1: for testing mx records name we put a name of logfile in here, otherwise we get strange file names +prepare_logging() { + local fname_prefix="$1" + + [[ -z "$fname_prefix" ]] && fname_prefix="$NODE" + if "$do_logging"; then if [[ -z "$LOGFILE" ]]; then - LOGFILE=$NODE-$(date +"%Y%m%d-%H%M".log) + LOGFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".log) elif [[ -d "$LOGFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - LOGFILE=$LOGFILE/$NODE-$(date +"%Y%m%d-%H%M".log) + LOGFILE=$LOGFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".log) else : # just for clarity: a log file was specified, no need to do anything else fi @@ -6245,32 +6293,26 @@ parse_hn_port() { if "$do_json"; then if [[ -z "$JSONFILE" ]]; then - JSONFILE=$NODE-$(date +"%Y%m%d-%H%M".json) + JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json) elif [[ -d "$JSONFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - JSONFILE=$JSONFILE/$NODE-$(date +"%Y%m%d-%H%M".json) + JSONFILE=$JSONFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".json) fi fi - if "$do_csv"; then if [[ -z "$CSVFILE" ]]; then - CSVFILE=$NODE-$(date +"%Y%m%d-%H%M".csv) + CSVFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".csv) elif [[ -d "$CSVFILE" ]]; then # actually we were instructed to place all files in a DIR instead of the current working dir - CSVFILE=$CSVFILE/$NODE-$(date +"%Y%m%d-%H%M".csv) + CSVFILE=$CSVFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".csv) fi fi - fileout_header # write out any CSV/JSON header line - URL_PATH=$(echo "$1" | sed 's/https:\/\///' | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port - URL_PATH=$(echo "$URL_PATH" | sed 's/\/\//\//g') # we rather want // -> / - [[ -z "$URL_PATH" ]] && URL_PATH="/" - debugme echo $URL_PATH - return 0 # NODE, URL_PATH, PORT is set now + return 0 } - + # args: string containing ip addresses filter_ip6_address() { local a @@ -6706,7 +6748,7 @@ draw_line() { } -mx_all_ips() { +run_mx_all_ips() { local mxs mx local mxport local -i ret=0 @@ -6716,12 +6758,17 @@ mx_all_ips() { # test first higher priority servers mxs=$(get_mx_record "$1" | sort -n | sed -e 's/^.* //' -e 's/\.$//' | tr '\n' ' ') mxport=${2:-25} + if [[ -n "$LOGFILE" ]]; then + prepare_logging + else + prepare_logging "mx-$1" + fi if [[ -n "$mxs" ]] && [[ "$mxs" != ' ' ]]; then [[ $mxport == "465" ]] && \ STARTTLS_PROTOCOL="" # no starttls for Port 465, on all other ports we speak starttls pr_bold "Testing now all MX records (on port $mxport): "; outln "$mxs" for mx in $mxs; do - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln parse_hn_port "$mx:$mxport" determine_ip_addresses || continue @@ -6737,7 +6784,7 @@ mx_all_ips() { fi ret=$(($? + ret)) done - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs" else @@ -6746,6 +6793,7 @@ mx_all_ips() { return $ret } + run_mass_testing_parallel() { local cmdline="" local global_cmdline=${CMDLINE%%--file*} @@ -6755,12 +6803,14 @@ run_mass_testing_parallel() { fi pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln outln "(output is in ....\n)" +#FIXME: once this function is being called we need a handler which does the right thing +# ==> not overwrite while read cmdline; do cmdline=$(filter_input "$cmdline") [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; + draw_line "=" $((TERM_WIDTH / 2)); outln; determine_logfile outln "$cmdline" $cmdline >$LOGFILE & @@ -6779,15 +6829,17 @@ run_mass_testing() { fi pr_reverse "====== Running in file batch mode with file=\"$FNAME\" ======"; outln "\n" + APPEND=false # Make sure we close out our files while read cmdline; do cmdline=$(filter_input "$cmdline") [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break - cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; + cmdline="$0 $global_cmdline --warnings=batch -q --append $cmdline" + draw_line "=" $((TERM_WIDTH / 2)); outln; outln "$cmdline" $cmdline done < "${FNAME}" + fileout_footer return $? } @@ -7160,6 +7212,9 @@ parse_cmd_line() { [[ $? -eq 0 ]] && shift do_csv=true ;; + --append) + APPEND=true + ;; --openssl|--openssl=*) OPENSSL=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift @@ -7335,10 +7390,11 @@ fi if $do_mx_all_ips; then query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified [[ $? -eq 1 ]] && set_scanning_defaults - mx_all_ips "${URI}" $PORT + run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have sililar code ret=$? else parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now + prepare_logging if ! determine_ip_addresses && [[ -z "$CMDLINE_IP" ]]; then fatal "No IP address could be determined" fi @@ -7352,13 +7408,13 @@ else if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs" for ip in $IPADDRs; do - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln NODEIP="$ip" lets_roll "${STARTTLS_PROTOCOL}" ret=$(($? + ret)) done - draw_line "-" $((TERM_DWITH * 2 / 3)) + draw_line "-" $((TERM_WIDTH * 2 / 3)) outln pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs" else # we need just one ip4v to check @@ -7372,4 +7428,4 @@ fi exit $? -# $Id: testssl.sh,v 1.502 2016/06/15 19:31:09 dirkw Exp $ +# $Id: testssl.sh,v 1.507 2016/06/24 17:00:58 dirkw Exp $ diff --git a/utils/make-openssl.sh b/utils/make-openssl.sh index b24d4e6..094e559 100755 --- a/utils/make-openssl.sh +++ b/utils/make-openssl.sh @@ -13,7 +13,7 @@ sleep 3 STDOPTIONS="--prefix=/usr/ --openssldir=/etc/ssl -DOPENSSL_USE_BUILD_DATE enable-zlib \ enable-ssl2 enable-ssl3 enable-ssl-trace enable-rc5 enable-rc2 \ enable-gost enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \ -enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake -DTEMP_GOST_TLS" +enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake" clean() { case $NOCLEAN in @@ -42,48 +42,76 @@ makeall() { copyfiles() { echo; apps/openssl version -a; echo - cp -p apps/openssl ../openssl.$(uname).$(uname -m).$1 - echo + if grep static <<< "$1"; then + cp -p apps/openssl ../openssl.$(uname).$(uname -m) + else + cp -p apps/openssl ../openssl.$(uname).$(uname -m).krb5 + fi return $? } -case $(uname -m) in - "i686") clean - if [[ "$1" = krb ]]; then - name2add=krb - ./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT - else - name2add=static - ./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static - fi - [ $? -ne 0 ] && error "configuring" - makeall && copyfiles "$name2add" - [ $? -ne 0 ] && error "copying files" - apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l - echo - echo "------------ all ok ------------" +testv6_patch() { + if grep -q 'ending bracket for IPv6' apps/s_socket.c; then + STDOPTIONS="$STDOPTIONS -DOPENSSL_USE_IPV6" + else echo - ;; - "x86_64") clean - if [[ "$1" = krb ]]; then - name2add=krb - ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT - else - name2add=static - ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static - fi - [ $? -ne 0 ] && error "configuring" - makeall && copyfiles "$name2add" - [ $? -ne 0 ] && error "copying files" - apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo "no IPv6 patch (Fedora) detected!! -- Press ^C and dl & apply from" + echo "https://github.com/drwetter/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff" + echo "or press any key to ignore" echo - echo "------------ all ok ------------" - echo + read a + fi +} + + +testv6_patch + + +case $(uname) in + Linux|FreeBSD) + case $(uname -m) in + "i686") clean + if [[ "$1" = krb ]]; then + name2add=krb + ./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT + else + name2add=static + ./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static + fi + [ $? -ne 0 ] && error "configuring" + makeall && copyfiles "$name2add" + [ $? -ne 0 ] && error "copying files" + apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo + echo "------------ all ok ------------" + echo + ;; + "x86_64") clean + if [[ "$1" = krb ]]; then + name2add=krb + ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT + else + name2add=static + ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static + fi + [ $? -ne 0 ] && error "configuring" + makeall && copyfiles "$name2add" + [ $? -ne 0 ] && error "copying files" + apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo + echo "------------ all ok ------------" + echo + ;; + *) echo " Sorry, don't know this architecture $(uname -m)" + exit 1 + ;; + esac ;; - *) echo " Sorry, don't know this architecture $(uname -m)" - exit 1 + Darwin) + ;; esac + # vim:tw=90:ts=5:sw=5 # $Id: make-openssl.sh,v 1.14 2015/07/20 19:40:54 dirkw Exp $