Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #633 from k0ste/2.9dev_newfeature

Browse Source 
DNS CAA: drill query support.
This commit is contained in:
Dirk Wetter 2017-02-15 14:01:36 +01:00 committed by GitHub
commit 502601c95e
1 changed files with 44 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
testssl.sh
View File

@ -1080,7 +1080,7 @@ filter_input() {
# dl's any URL (argv1) via HTTP 1.1 GET from port 80, arg2: file to store http body # dl's any URL (argv1) via HTTP 1.1 GET from port 80, arg2: file to store http body
# proxy is not honored (see cmd line switches) # proxy is not honored (see cmd line switches)
http_get() { http_get() {
local proto z local proto z
local node="" query="" local node="" query=""
local dl="$2" local dl="$2"
local useragent="$UA_STD" local useragent="$UA_STD"
@ -4608,40 +4608,40 @@ run_std_cipherlists() {
pr_ecdh_curve_quality() { pr_ecdh_curve_quality() {
curve="$1" curve="$1"
local -i bits=0 local -i bits=0
case "$curve" in case "$curve" in
"sect163k1") bits=163 ;; "sect163k1") bits=163 ;;
"sect163r1") bits=162 ;; "sect163r1") bits=162 ;;
"sect163r2") bits=163 ;; "sect163r2") bits=163 ;;
"sect193r1") bits=193 ;; "sect193r1") bits=193 ;;
"sect193r2") bits=193 ;; "sect193r2") bits=193 ;;
"sect233k1") bits=232 ;; "sect233k1") bits=232 ;;
"sect233r1") bits=233 ;; "sect233r1") bits=233 ;;
"sect239k1") bits=238 ;; "sect239k1") bits=238 ;;
"sect283k1") bits=281 ;; "sect283k1") bits=281 ;;
"sect283r1") bits=282 ;; "sect283r1") bits=282 ;;
"sect409k1") bits=407 ;; "sect409k1") bits=407 ;;
"sect409r1") bits=409 ;; "sect409r1") bits=409 ;;
"sect571k1") bits=570 ;; "sect571k1") bits=570 ;;
"sect571r1") bits=570 ;; "sect571r1") bits=570 ;;
"secp160k1") bits=161 ;; "secp160k1") bits=161 ;;
"secp160r1") bits=161 ;; "secp160r1") bits=161 ;;
"secp160r2") bits=161 ;; "secp160r2") bits=161 ;;
"secp192k1") bits=192 ;; "secp192k1") bits=192 ;;
"prime192v1") bits=192 ;; "prime192v1") bits=192 ;;
"secp224k1") bits=225 ;; "secp224k1") bits=225 ;;
"secp224r1") bits=224 ;; "secp224r1") bits=224 ;;
"secp256k1") bits=256 ;; "secp256k1") bits=256 ;;
"prime256v1") bits=256 ;; "prime256v1") bits=256 ;;
"secp384r1") bits=384 ;; "secp384r1") bits=384 ;;
"secp521r1") bits=521 ;; "secp521r1") bits=521 ;;
"brainpoolP256r1") bits=256 ;; "brainpoolP256r1") bits=256 ;;
"brainpoolP384r1") bits=384 ;; "brainpoolP384r1") bits=384 ;;
"brainpoolP512r1") bits=512 ;; "brainpoolP512r1") bits=512 ;;
"X25519") bits=253 ;; "X25519") bits=253 ;;
"X448") bits=448 ;; "X448") bits=448 ;;
esac esac
if [[ "$bits" -le 80 ]]; then # has that ever existed? if [[ "$bits" -le 80 ]]; then # has that ever existed?
pr_svrty_critical "$curve" pr_svrty_critical "$curve"
elif [[ "$bits" -le 108 ]]; then # has that ever existed? elif [[ "$bits" -le 108 ]]; then # has that ever existed?
@ -7632,7 +7632,7 @@ get_dh_ephemeralkey() {
len1="82$(printf "%04x" $((dh_param_len/2)))" len1="82$(printf "%04x" $((dh_param_len/2)))"
fi fi
dh_param="30${len1}${dh_p}${dh_g}" dh_param="30${len1}${dh_p}${dh_g}"
# Make a SEQUENCE of the paramters SEQUENCE and the OID # Make a SEQUENCE of the paramters SEQUENCE and the OID
dh_param_len=22+${#dh_param} dh_param_len=22+${#dh_param}
if [[ $dh_param_len -lt 256 ]]; then if [[ $dh_param_len -lt 256 ]]; then
@ -9988,7 +9988,7 @@ run_logjam() {
local cve="CVE-2015-4000" local cve="CVE-2015-4000"
local cwe="CWE-310" local cwe="CWE-310"
local hint="" local hint=""
local server_key_exchange ephemeral_pub key_bitstring="" local server_key_exchange ephemeral_pub key_bitstring=""
local dh_p="" local dh_p=""
local spaces=" " local spaces=" "
local vuln_exportdh_ciphers=false local vuln_exportdh_ciphers=false
@ -10463,7 +10463,7 @@ run_beast(){
fi fi
fi fi
outln "${sigalg[i]}" outln "${sigalg[i]}"
fi fi
done done
fi fi
@ -11660,7 +11660,7 @@ get_aaaa_record() {
# RFC6844: DNS Certification Authority Authorization (CAA) Resource Record # RFC6844: DNS Certification Authority Authorization (CAA) Resource Record
# arg1: domain to check for # arg1: domain to check for
get_caa_rr_record() { get_caa_rr_record() {
local raw_caa="" local raw_caa=""
local caa_flag local caa_flag
local -i len_caa_property local -i len_caa_property
local caa_property_name local caa_property_name
@ -11669,7 +11669,7 @@ get_caa_rr_record() {
# if there's a type257 record there are two output formats here, mostly depending on age of distribution # if there's a type257 record there are two output formats here, mostly depending on age of distribution
# rougly that's the difference between text and binary format # rougly that's the difference between text and binary format
# 1) 'google.com has CAA record 0 issue "symantec.com"' # 1) 'google.com has CAA record 0 issue "symantec.com"'
# 2) 'google.com has TYPE257 record \# 19 0005697373756573796D616E7465632E636F6D' # 2) 'google.com has TYPE257 record \# 19 0005697373756573796D616E7465632E636F6D'
# for dig +short the output always starts with '0 issue [..]' or '\# 19 [..]' so we normalize thereto to keep caa_flag, caa_property # for dig +short the output always starts with '0 issue [..]' or '\# 19 [..]' so we normalize thereto to keep caa_flag, caa_property
# caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3 # caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
@ -11677,6 +11677,9 @@ get_caa_rr_record() {
if which dig &> /dev/null; then if which dig &> /dev/null; then
raw_caa="$(dig $1 type257 +short)" raw_caa="$(dig $1 type257 +short)"
# empty if no CAA record # empty if no CAA record
elif which drill &> /dev/null; then
a="$1"
raw_caa="$(drill $a type257 | awk '/'"^${a}"'.*CAA/ { print $5,$6,$7 }')"
elif which host &> /dev/null; then elif which host &> /dev/null; then
raw_caa="$(host -t type257 $1)" raw_caa="$(host -t type257 $1)"
if egrep -wvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then if egrep -wvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then
@ -11685,14 +11688,14 @@ get_caa_rr_record() {
elif which nslookup &> /dev/null; then elif which nslookup &> /dev/null; then
raw_caa="$(nslookup -type=type257 $1 | grep -w rdata_257)" raw_caa="$(nslookup -type=type257 $1 | grep -w rdata_257)"
if [[ -n "$raw_caa" ]]; then if [[ -n "$raw_caa" ]]; then
raw_caa="$(sed 's/^.*rdata_257 = //' <<< "$raw_caa")" raw_caa="$(sed 's/^.*rdata_257 = //' <<< "$raw_caa")"
fi fi
else else
return 1 return 1
# No dig, host, or nslookup --> complaint was elsewhere already and except for one which has drill only we don't get here # No dig, drill, host, or nslookup --> complaint was elsewhere already
fi fi
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134 OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
debugme echo $raw_caa debugme echo $raw_caa
# '# 19' for google.com is the tag length probably --> we use this also to identify the binary format # '# 19' for google.com is the tag length probably --> we use this also to identify the binary format
if [[ "$raw_caa" =~ \#\ [0-9][0-9]\ [A-F0-9]+$ ]]; then if [[ "$raw_caa" =~ \#\ [0-9][0-9]\ [A-F0-9]+$ ]]; then
@ -11719,7 +11722,6 @@ get_caa_rr_record() {
# to do: # to do:
# 4: check whether $1 is a CNAME and take this # 4: check whether $1 is a CNAME and take this
# 5: query with drill
return 0 return 0
} }