Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

- made CCS I more robust, FIX #313

Browse Source 
- removed cats ;-) FIX #352
This commit is contained in:
Dirk 2017-02-14 21:56:31 +01:00
parent 422171a0fa
commit 4b193119b3
1 changed files with 21 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
testssl.sh
View File

@ -9273,7 +9273,7 @@ ok_ids(){
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets #FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
run_ccs_injection(){ run_ccs_injection(){
local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply
local -i retval ret lines_returned local -i retval ret
local tls_hello_ascii="" local tls_hello_ascii=""
local cve="CVE-2014-0224" local cve="CVE-2014-0224"
local cwe="CWE-310" local cwe="CWE-310"
@ -9342,13 +9342,12 @@ run_ccs_injection(){
if [[ $DEBUG -ge 4 ]]; then if [[ $DEBUG -ge 4 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
outln "[...]" outln "[...]"
outln "\npayload #1 with TLS version $tls_hexcode:" out "\nsending payload #1 with TLS version $tls_hexcode: "
fi fi
rm "$SOCK_REPLY_FILE" rm "$SOCK_REPLY_FILE"
# ... and then send the a change cipher spec message # ... and then send the a change cipher spec message
socksend "$ccs_message" 1 || ok_ids socksend "$ccs_message" 1 || ok_ids
sockread_serverhello 2048 $CCS_MAX_WAITSOCK sockread_serverhello 4096 $CCS_MAX_WAITSOCK
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
outln "\n1st reply: " outln "\n1st reply: "
hexdump -C "$SOCK_REPLY_FILE" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
@ -9356,43 +9355,40 @@ run_ccs_injection(){
# ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a) # ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
# or just timed out # or just timed out
outln outln
outln "payload #2 with TLS version $tls_hexcode:" out "sending payload #2 with TLS version $tls_hexcode: "
fi fi
rm "$SOCK_REPLY_FILE" rm "$SOCK_REPLY_FILE"
socksend "$ccs_message" 2 || ok_ids socksend "$ccs_message" 2 || ok_ids
sockread_serverhello 2048 $CCS_MAX_WAITSOCK sockread_serverhello 4096 $CCS_MAX_WAITSOCK
retval=$? retval=$?
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
debugme echo "tls_content_type: ${tls_hello_ascii:0:2}" byte6="${tls_hello_ascii:12:2}"
debugme echo "tls_protocol: ${tls_hello_ascii:2:4}" debugme echo "tls_content_type: ${tls_hello_ascii:0:2} | tls_protocol: ${tls_hello_ascii:2:4} | byte6: $byte6"
lines_returned=$(count_lines "$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE")")
debugme echo "lines new: $lines_returned, byte6: ${tls_hello_ascii:12:2}"
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
outln "\n2nd reply: " outln "\n2nd reply: "
hexdump -C "$SOCK_REPLY_FILE" hexdump -C "$SOCK_REPLY_FILE"
outln outln
fi fi
sockreply=$(cat "$SOCK_REPLY_FILE" 2>/dev/null)
byte6=$(echo "$sockreply" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
debugme echo "lines: $lines_returned, byte6: $byte6"
# not ok: 15 | 0301 | 02 | 02 | 15 # not ok: 15 | 0301 | 02 | 02 | 15
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21) # ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
# #
# ok: 0a or nothing: ==> RST # ok: 0a or nothing: ==> RST
if [[ "$byte6" == "0a" ]] || [[ "$lines_returned" -gt 1 ]]; then if [[ -z "${tls_hello_ascii:0:12}" ]]; then
# empty reply
pr_done_best "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
if [[ $retval -eq 3 ]]; then if [[ $retval -eq 3 ]]; then
### what?
fileout "ccs" "OK" "CCS: not vulnerable (timed out)" "$cve" "$cwe" fileout "ccs" "OK" "CCS: not vulnerable (timed out)" "$cve" "$cwe"
else else
fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe" fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe"
fi fi
ret=0 ret=0
else elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
pr_svrty_critical "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
if [[ $retval -eq 3 ]]; then if [[ $retval -eq 3 ]]; then
fileout "ccs" "CRITICAL" "CCS: VULNERABLE (timed out)" "$cve" "$cwe" "$hint" fileout "ccs" "CRITICAL" "CCS: VULNERABLE (timed out)" "$cve" "$cwe" "$hint"
@ -9400,8 +9396,17 @@ run_ccs_injection(){
fileout "ccs" "CRITICAL" "CCS: VULNERABLE" "$cve" "$cwe" "$hint" fileout "ccs" "CRITICAL" "CCS: VULNERABLE" "$cve" "$cwe" "$hint"
fi fi
ret=1 ret=1
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
pr_warning "test failed"
out ", probably read buffer too small (${tls_hello_ascii:0:14})"
fileout "ccs" "WARN" "CCS: test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=7
else
pr_warning "test failed "
out "around line $LINENO (debug info: ${tls_hello_ascii:0:14})"
fileout "ccs" "WARN" "CCS: test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=7
fi fi
[[ $retval -eq 3 ]] && out ", timed out"
outln outln
TMPFILE="$SOCK_REPLY_FILE" TMPFILE="$SOCK_REPLY_FILE"