Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.9dev' into generate_html

Browse Source 
Conflicts:
	testssl.sh
This commit is contained in:
David Cooper 2017-02-24 11:07:00 -05:00
commit 51fb93908b
1 changed files with 62 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
testssl.sh
View File

@ -244,7 +244,6 @@ PROXY=""
PROXYIP=""
PROXYPORT=""
VULN_COUNT=0
IPS=""
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
URI=""
CERT_FINGERPRINT_SHA2=""
@ -269,10 +268,6 @@ END_TIME=0
TLS_LOW_BYTE=""
HEX_CIPHER=""
# The various hexdump commands we need to replace xxd (BSD compatibility)
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
SERVER_COUNTER=0 # Counter for multiple servers
#################### SEVERITY ####################
@ -1103,7 +1098,7 @@ out_row_aligned_max_width() {
local spaces="$2"
local -i max_width="$3"
local print_function="$4"
local -i i len cut_point
local -i i len
local cr=$'\n'
local line entry first=true last=false
@ -1908,86 +1903,86 @@ emphasize_stuff_in_headers(){
len=${#text}
while [[ $len -gt 0 ]]; do
if [[ -z "$(tr -d '0-9' <<< "${text:0:1}")" ]]; then
out_term "$brown${text:0:1}$off"
out_term "${brown}${text:0:1}${off}"
out_html "<span style=\"color:olive;\">${text:0:1}</span>"
text="${text:1}"
len=$len-1
elif [[ $len -ge 31 ]] && [[ "${text:0:31}" == "MicrosoftSharePointTeamServices" ]]; then
out_term "$yellow${text:0:31}$off"
out_term "${yellow}${text:0:31}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:31}</span>"
text="${text:31}"
len=$len-31
elif [[ $len -ge 24 ]] && [[ "${text:0:24}" == "Red Hat Enterprise Linux" ]]; then
out_term "$yellow${text:0:24}$off"
out_term "${yellow}${text:0:24}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:24}</span>"
text="${text:24}"
len=$len-24
elif [[ $len -ge 16 ]] && [[ "${text:0:16}" == "X-AspNet-Version" ]]; then
out_term "$yellow${text:0:16}$off"
out_term "${yellow}${text:0:16}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:16}</span>"
text="${text:16}"
len=$len-16
elif [[ $len -ge 15 ]] && [[ "${text:0:15}" == "X-UA-Compatible" ]]; then
out_term "$yellow${text:0:15}$off"
out_term "${yellow}${text:0:15}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:15}</span>"
text="${text:15}"
len=$len-15
elif [[ $len -ge 14 ]] && ( [[ "${text:0:14}" == "Liferay-Portal" ]] || [[ "${text:0:14}" == "X-Cache-Lookup" ]] || \
[[ "${text:0:14}" == "X-Cache-Status" ]] ) ; then
out_term "$yellow${text:0:14}$off"
out_term "${yellow}${text:0:14}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:14}</span>"
text="${text:14}"
len=$len-14
elif [[ $len -ge 13 ]] && [[ "${text:0:13}" == "X-OWA-Version" ]]; then
out_term "$yellow${text:0:13}$off"
out_term "${yellow}${text:0:13}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:13}</span>"
text="${text:13}"
len=$len-13
elif [[ $len -ge 12 ]] && [[ "${text:0:12}" == "X-Powered-By" ]]; then
out_term "$yellow${text:0:12}$off"
out_term "${yellow}${text:0:12}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:12}</span>"
text="${text:12}"
len=$len-12
elif [[ $len -ge 11 ]] && [[ "${text:0:11}" == "X-Forwarded" ]]; then
out_term "$yellow${text:0:11}$off"
out_term "${yellow}${text:0:11}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:11}</span>"
text="${text:11}"
len=$len-11
elif [[ $len -ge 9 ]] && ( [[ "${text:0:9}" == "X-Varnish" ]] || [[ "${text:0:9}" == "X-Version" ]] ); then
out_term "$yellow${text:0:9}$off"
out_term "${yellow}${text:0:9}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:9}</span>"
text="${text:9}"
len=$len-9
elif [[ $len -ge 8 ]] && [[ "${text:0:8}" == "X-Server" ]]; then
out_term "$yellow${text:0:8}$off"
out_term "${yellow}${text:0:8}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:8}</span>"
text="${text:8}"
len=$len-8
elif [[ $len -ge 7 ]] && ( [[ "${text:0:7}" == "squeeze" ]] || [[ "${text:0:7}" == "Red Hat" ]] || \
[[ "${text:0:7}" == "X-Cache" ]] || [[ "${text:0:7}" == "X-Squid" ]] ) ; then
out_term "$yellow${text:0:7}$off"
out_term "${yellow}${text:0:7}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:7}</span>"
text="${text:7}"
len=$len-7
elif [[ $len -ge 6 ]] && ( [[ "${text:0:6}" == "Debian" ]] || [[ "${text:0:6}" == "Ubuntu" ]] || \
[[ "${text:0:6}" == "ubuntu" ]] || [[ "${text:0:6}" == "jessie" ]] || \
[[ "${text:0:6}" == "wheezy" ]] || [[ "${text:0:6}" == "CentOS" ]] ) ; then
out_term "$yellow${text:0:6}$off"
out_term "${yellow}${text:0:6}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:6}</span>"
text="${text:6}"
len=$len-6
elif [[ $len -ge 5 ]] && ( [[ "${text:0:5}" == "Win32" ]] || [[ "${text:0:5}" == "Win64" ]] || [[ "${text:0:5}" == "lenny" ]] ); then
out_term "$yellow${text:0:5}$off"
out_term "${yellow}${text:0:5}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:5}</span>"
text="${text:5}"
len=$len-5
elif [[ $len -ge 4 ]] && [[ "${text:0:4}" == "SUSE" ]]; then
out_term "$yellow${text:0:4}$off"
out_term "${yellow}${text:0:4}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:4}</span>"
text="${text:4}"
len=$len-4
elif [[ $len -ge 3 ]] && [[ "${text:0:3}" == "Via" ]]; then
out_term "$yellow${text:0:3}$off"
out_term "${yellow}${text:0:3}${off}"
out_html "<span style=\"color:olive;font-weight:bold;\">${text:0:3}</span>"
text="${text:3}"
len=$len-3
@ -2100,7 +2095,7 @@ run_application_banner() {
run_cookie_flags() { # ARG1: Path
local -i nr_cookies
local nr_httponly nr_secure
local -i nr_httponly nr_secure
local negative_word
local msg302="" msg302_=""
@ -2135,7 +2130,7 @@ run_cookie_flags() { # ARG1: Path
[123456789]) pr_done_good "$nr_secure/$nr_cookies";;
esac
out " secure, "
if [[ $nr_cookies == $nr_secure ]]; then
if [[ $nr_cookies -eq $nr_secure ]]; then
fileout "cookie_secure" "OK" "All $nr_cookies cookie(s) issued at \"$1\" marked as secure"
else
fileout "cookie_secure" "WARN" "$nr_secure/$nr_cookies cookie(s) issued at \"$1\" marked as secure"
@ -2146,7 +2141,7 @@ run_cookie_flags() { # ARG1: Path
[123456789]) pr_done_good "$nr_httponly/$nr_cookies";;
esac
out " HttpOnly"
if [[ $nr_cookies == $nr_httponly ]]; then
if [[ $nr_cookies -eq $nr_httponly ]]; then
fileout "cookie_httponly" "OK" "All $nr_cookies cookie(s) issued at \"$1\" marked as HttpOnly$msg302_"
else
fileout "cookie_httponly" "WARN" "$nr_secure/$nr_cookies cookie(s) issued at \"$1\" marked as HttpOnly$msg302_"
@ -2166,8 +2161,7 @@ run_cookie_flags() { # ARG1: Path
run_more_flags() {
local good_flags2test="X-Frame-Options X-XSS-Protection X-Content-Type-Options Content-Security-Policy X-Content-Security-Policy X-WebKit-CSP Content-Security-Policy-Report-Only"
local other_flags2test="Access-Control-Allow-Origin Upgrade X-Served-By X-UA-Compatible"
local egrep_pattern=""
local f2t result_str
local f2t
local first=true
local spaces=" "
@ -2626,7 +2620,7 @@ test_just_one(){
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ "${normalized_hexcode[i]}" ]]; then
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
ciphers_found[i]=true
"$SHOW_SIGALGO" && sigalg[i]="$s"
fi
@ -2647,7 +2641,7 @@ test_just_one(){
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ "${ciph[i]}" ]]; then
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
ciphers_found[i]=true
"$SHOW_SIGALGO" && sigalg[i]="$s"
fi
@ -2860,7 +2854,7 @@ run_allciphers() {
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ "${normalized_hexcode[i]}" ]]; then
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
ciphers_found[i]=true
"$SHOW_SIGALGO" && sigalg[i]="$s"
fi
@ -2873,7 +2867,7 @@ run_allciphers() {
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ "${ciph[i]}" ]]; then
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
ciphers_found[i]=true
"$SHOW_SIGALGO" && sigalg[i]="$s"
fi
@ -3112,7 +3106,7 @@ run_cipher_per_proto() {
[[ "${hexc:2:2}" == "13" ]] && nr_ciphers+=1
elif [[ "$proto_text" == "TLS 1.2" ]]; then
[[ "${hexc:2:2}" != "13" ]] && nr_ciphers+=1
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA256" ]] && [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA384" ]] && \
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM" ]] && [[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM_8" ]]; then
nr_ciphers+=1
fi
@ -3134,7 +3128,7 @@ run_cipher_per_proto() {
if [[ "$proto_text" == "TLS 1.2" ]] || \
( [[ "${ciph[nr_ciphers]}" != *"-SHA256" ]] && [[ "${ciph[nr_ciphers]}" != *"-SHA384" ]] && \
[[ "${ciph[nr_ciphers]}" != *"-CCM" ]] && [[ "${ciph[nr_ciphers]}" != *"-CCM8" ]] && \
[[ ! "${ciph[nr_ciphers]}" =~ "-CHACHA20-POLY1305" ]] ); then
[[ ! "${ciph[nr_ciphers]}" =~ -CHACHA20-POLY1305 ]] ); then
ciphers_found[nr_ciphers]=false
if [[ ${#hexc} -eq 9 ]]; then
if [[ "${hexc:2:2}" == "00" ]]; then
@ -3158,7 +3152,7 @@ run_cipher_per_proto() {
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "$supported_sslv2_ciphers" =~ "${normalized_hexcode[i]}" ]]; then
if [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
ciphers_found[i]=true
"$SHOW_SIGALGO" && sigalg[i]="$s"
fi
@ -3171,7 +3165,7 @@ run_cipher_per_proto() {
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
"$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in $TMPFILE | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)"
for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "$supported_sslv2_ciphers" =~ "${ciph[i]}" ]]; then
if [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
ciphers_found[i]=true
"$SHOW_SIGALGO" && sigalg[i]="$s"
fi
@ -3447,7 +3441,7 @@ client_simulation_sockets() {
debugme echo "sending client hello..."
code2network "${data}"
fd_socket 5 || return 6
data=$(echo $NW_STR)
data="$NW_STR"
[[ "$DEBUG" -ge 4 ]] && echo "\"$data\""
printf -- "$data" >&5 2>/dev/null &
sleep $USLEEP_SND
@ -4791,7 +4785,7 @@ run_std_cipherlists() {
std_cipherlists 'aNULL' " Anonymous NULL Ciphers " 1 "aNULL" "$anon_ciphers" "$sslv2_anon_ciphers"
std_cipherlists 'ADH' " Anonymous DH Ciphers " 1 "ADH" "$adh_ciphers" "$sslv2_adh_ciphers"
std_cipherlists 'EXPORT40' " 40 Bit encryption " 1 "EXPORT40" "$exp40_ciphers" "$sslv2_exp40_ciphers"
std_cipherlists 'EXPORT56' " 56 Bit encryption " 1 "EXPORT56" "$exp56_ciphers" "$sslv2_exp56_ciphers"
std_cipherlists 'EXPORT56' " 56 Bit export ciphers " 1 "EXPORT56" "$exp56_ciphers" "$sslv2_exp56_ciphers"
std_cipherlists 'EXPORT' " Export Ciphers (general) " 1 "EXPORT" "$exp_ciphers" "$sslv2_exp_ciphers"
std_cipherlists 'LOW:!ADH' " Low (<=64 Bit) " 1 "LOW" "$low_ciphers" "$sslv2_low_ciphers"
std_cipherlists 'DES:!ADH:!EXPORT:!aNULL' " DES Ciphers " 1 "DES" "$des_ciphers" "$sslv2_des_ciphers"
@ -5034,7 +5028,7 @@ run_server_preference() {
# now reversed offline via tac, see https://github.com/thomassa/testssl.sh/commit/7a4106e839b8c3033259d66697893765fc468393 :
local list_reverse="AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:RC4-SHA:DES-CBC-SHA:RC4-MD5:DES-CBC3-SHA"
local has_cipher_order=true
local isok addcmd="" addcmd2="" sni=""
local addcmd="" addcmd2="" sni=""
local using_sockets=true
"$SSL_NATIVE" && using_sockets=false
@ -5471,8 +5465,8 @@ cipher_pref_check() {
[[ "${hexc:2:2}" == "13" ]] && nr_nonossl_ciphers+=1
elif [[ "$p" == "tls1_2" ]]; then
[[ "${hexc:2:2}" != "13" ]] && nr_nonossl_ciphers+=1
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA256" ]] && \
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA384" ]] && \
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && \
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM" ]] && \
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM_8" ]]; then
nr_nonossl_ciphers+=1
@ -5543,8 +5537,8 @@ cipher_pref_check() {
[[ "${hexc:2:2}" == "13" ]] && nr_ciphers+=1
elif [[ "$p" == "tls1_2" ]]; then
[[ "${hexc:2:2}" != "13" ]] && nr_ciphers+=1
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA256" ]] && \
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA384" ]] && \
elif [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && \
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]] && \
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM" ]] && \
[[ "${TLS_CIPHER_RFC_NAME[i]}" != *"_CCM_8" ]]; then
nr_ciphers+=1
@ -5868,7 +5862,7 @@ determine_tls_extensions() {
alpn_extn_len_hex=$(printf "%04x" $alpn_extn_len)
tls_extensions+=", 00,10,${alpn_extn_len_hex:0:2},${alpn_extn_len_hex:2:2},${alpn_list_len_hex:0:2},${alpn_list_len_hex:2:2}$alpn"
fi
if [[ ! "$TLS_EXTENSIONS" =~ "encrypt-then-mac" ]]; then
if [[ ! "$TLS_EXTENSIONS" =~ encrypt-then-mac ]]; then
tls_sockets "03" "$cbc_cipher_list_hex, 00,ff" "all" "$tls_extensions"
success=$?
fi
@ -5894,7 +5888,7 @@ determine_tls_extensions() {
elif [[ ! "$OPTIMAL_PROTO" =~ ssl ]]; then
addcmd="$SNI"
fi
if [[ ! "$TLS_EXTENSIONS" =~ "encrypt-then-mac" ]]; then
if [[ ! "$TLS_EXTENSIONS" =~ encrypt-then-mac ]]; then
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $addcmd $OPTIMAL_PROTO -tlsextdebug $params -cipher $cbc_cipher_list </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE
success=$?
@ -6220,7 +6214,7 @@ must_staple() {
# The TLS Feature is a SEQUENCE of INTEGER. Get the length of the SEQUENCE
extn_len=2*$(hex2dec "${extn:2:2}")
# If the extension include the status_request (5), then it supports must staple.
if [[ "${extn:4:extn_len}" =~ "020105" ]]; then
if [[ "${extn:4:extn_len}" =~ 020105 ]]; then
supported=true
fi
fi
@ -7048,8 +7042,8 @@ run_pfs() {
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
pfs_cipher="${TLS_CIPHER_RFC_NAME[i]}"
if ( [[ "$pfs_cipher" == "TLS_DHE_"* ]] || [[ "$pfs_cipher" == "TLS_ECDHE_"* ]] ) && \
[[ ! "$pfs_cipher" =~ "NULL" ]] && [[ ! "$pfs_cipher" =~ "DES" ]] && [[ ! "$pfs_cipher" =~ "RC4" ]] && \
[[ ! "$pfs_cipher" =~ "PSK" ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
[[ ! "$pfs_cipher" =~ NULL ]] && [[ ! "$pfs_cipher" =~ DES ]] && [[ ! "$pfs_cipher" =~ RC4 ]] && \
[[ ! "$pfs_cipher" =~ PSK ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
hexc="${TLS_CIPHER_HEXCODE[i]}"
pfs_hex_cipher_list+=", ${hexc:2:2},${hexc:7:2}"
ciph[nr_supported_ciphers]="${TLS_CIPHER_OSSL_NAME[i]}"
@ -7310,7 +7304,7 @@ run_pfs() {
[[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
temp=$(awk -F': ' '/^Server Temp Key/ { print $2 }' "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
curve_found="$(awk -F', ' '{ print $2 }' <<< $temp)"
[[ ! "$curve_found" =~ "ffdhe" ]] && break
[[ ! "$curve_found" =~ ffdhe ]] && break
for (( i=0; i < nr_curves; i++ )); do
! "${supported_curve[i]}" && [[ "${ffdhe_groups_output[i]}" == "$curve_found" ]] && break
done
@ -7744,7 +7738,7 @@ close_socket(){
# first: helper function for protocol checks
code2network() {
# arg1: formatted string here in the code
NW_STR=$(echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t')
NW_STR=$(sed -e 's/,/\\\x/g' <<< "$1" | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t')
#TODO: just echo, no additional global var
}
@ -8858,7 +8852,7 @@ parse_tls_serverhello() {
# Now parse the server key exchange message
if [[ $tls_serverkeyexchange_ascii_len -ne 0 ]]; then
if [[ $rfc_cipher_suite =~ "TLS_ECDHE_" ]] || [[ $rfc_cipher_suite =~ "TLS_ECDH_anon" ]] || \
if [[ $rfc_cipher_suite =~ TLS_ECDHE_ ]] || [[ $rfc_cipher_suite =~ TLS_ECDH_anon ]] || \
[[ $rfc_cipher_suite == ECDHE* ]] || [[ $rfc_cipher_suite == AECDH* ]]; then
if [[ $tls_serverkeyexchange_ascii_len -lt 6 ]]; then
debugme echo "Malformed ServerKeyExchange Handshake message in ServerHello."
@ -8910,7 +8904,7 @@ parse_tls_serverhello() {
debugme echo "dh_bits: $named_curve_str, $dh_bits bits"
echo "Server Temp Key: $named_curve_str, $dh_bits bits" >> $TMPFILE
fi
elif [[ $rfc_cipher_suite =~ "TLS_DHE_" ]] || [[ $rfc_cipher_suite =~ "TLS_DH_anon" ]] || \
elif [[ $rfc_cipher_suite =~ TLS_DHE_ ]] || [[ $rfc_cipher_suite =~ TLS_DH_anon ]] || \
[[ $rfc_cipher_suite == "DHE-"* ]] || [[ $rfc_cipher_suite == "EDH-"* ]] || \
[[ $rfc_cipher_suite == "EXP1024-DHE-"* ]]; then
# For DH ephemeral keys the first field is p, and the length of
@ -8960,7 +8954,7 @@ parse_tls_serverhello() {
*) named_curve=0; named_curve_str="" ;;
esac
[[ -z "$key_bitstring" ]] && named_curve=0 && named_curve_str=""
if [[ $named_curve -ne 0 ]] && [[ "${TLS13_KEY_SHARES[named_curve]}" =~ "BEGIN" ]]; then
if [[ $named_curve -ne 0 ]] && [[ "${TLS13_KEY_SHARES[named_curve]}" =~ BEGIN ]]; then
ephemeral_param="$($OPENSSL pkey -pubin -text -noout <<< "$key_bitstring" | grep -A 1000 "prime:")"
rfc7919_param="$($OPENSSL pkey -text -noout <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -A 1000 "prime:")"
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
@ -9007,7 +9001,8 @@ sslv2_sockets() {
code2network "$cipher_suites" # convert CIPHER_SUITES
cipher_suites="$NW_STR" # we don't have the leading \x here so string length is two byte less, see next
len_ciph_suites_byte=$(echo ${#cipher_suites})
len_ciph_suites_byte=${#cipher_suites}
let "len_ciph_suites_byte += 2"
len_ciph_suites=$(printf "%02x\n" $(($len_ciph_suites_byte / 4 )))
len_client_hello=$(printf "%02x\n" $((0x$len_ciph_suites + 0x19)))
@ -9088,8 +9083,7 @@ socksend_tls_clienthello() {
code2network "$(tolower "$2")" # convert CIPHER_SUITES
cipher_suites="$NW_STR" # we don't have the leading \x here so string length is two byte less, see next
len_ciph_suites_byte=$(echo ${#cipher_suites})
len_ciph_suites_byte=${#cipher_suites}
let "len_ciph_suites_byte += 2"
# we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4:
@ -9323,7 +9317,7 @@ socksend_tls_clienthello() {
fd_socket 5 || return 6
code2network "$TLS_CLIENT_HELLO$all_extensions"
data=$(echo $NW_STR)
data="$NW_STR"
[[ "$DEBUG" -ge 4 ]] && echo "\"$data\""
printf -- "$data" >&5 2>/dev/null &
sleep $USLEEP_SND
@ -10659,7 +10653,7 @@ run_beast(){
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
hexc="${TLS_CIPHER_HEXCODE[i]}"
if [[ ${#hexc} -eq 9 ]] && [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ CBC ]] && \
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA256" ]] && [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ "SHA384" ]]; then
[[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA256 ]] && [[ ! "${TLS_CIPHER_RFC_NAME[i]}" =~ SHA384 ]]; then
cbc_cipher_list_hex+=", ${hexc:2:2},${hexc:7:2}"
ciph[nr_ciphers]="${TLS_CIPHER_OSSL_NAME[i]}"
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
@ -10982,7 +10976,7 @@ run_rc4() {
# get a list of all the cipher suites to test
if "$using_sockets" || [[ $OSSL_VER_MAJOR -lt 1 ]]; then
for (( i=0; i < TLS_NR_CIPHERS; i++ )); do
if [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ "RC4" ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
if [[ "${TLS_CIPHER_RFC_NAME[i]}" =~ RC4 ]] && ( "$using_sockets" || "${TLS_CIPHER_OSSL_SUPPORTED[i]}" ); then
hexc="$(tolower "${TLS_CIPHER_HEXCODE[i]}")"
ciph[nr_ciphers]="${TLS_CIPHER_OSSL_NAME[i]}"
rfc_ciph[nr_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
@ -11015,7 +11009,7 @@ run_rc4() {
done
else
while read hexc n ciph[nr_ciphers] sslvers[nr_ciphers] kx[nr_ciphers] auth enc[nr_ciphers] mac export2[nr_ciphers]; do
if [[ "${ciph[nr_ciphers]}" =~ "RC4" ]]; then
if [[ "${ciph[nr_ciphers]}" =~ RC4 ]]; then
ciphers_found[nr_ciphers]=false
if [[ ${#hexc} -eq 9 ]]; then
if [[ "${hexc:2:2}" == "00" ]]; then
@ -11334,12 +11328,12 @@ find_openssl_binary() {
# http://www.openssl.org/news/openssl-notes.html
OSSL_VER=$($OPENSSL version 2>/dev/null | awk -F' ' '{ print $2 }')
OSSL_VER_MAJOR=$(echo "$OSSL_VER" | sed 's/\..*$//')
OSSL_VER_MINOR=$(echo "$OSSL_VER" | sed -e 's/^.\.//' | tr -d '[a-zA-Z]-')
OSSL_VER_APPENDIX=$(echo "$OSSL_VER" | tr -d '0-9.')
OSSL_VER_MAJOR=$(sed 's/\..*$//' <<< "$OSSL_VER")
OSSL_VER_MINOR=$(sed -e 's/^.\.//' <<< "$OSSL_VER" | tr -d '[a-zA-Z]-')
OSSL_VER_APPENDIX=$(tr -d '0-9.' "$OSSL_VER")
OSSL_VER_PLATFORM=$($OPENSSL version -p 2>/dev/null | sed 's/^platform: //')
OSSL_BUILD_DATE=$($OPENSSL version -a 2>/dev/null | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//')
echo $OSSL_BUILD_DATE | grep -q "not available" && OSSL_BUILD_DATE=""
grep -q "not available" <<< "$OSSL_BUILD_DATE" && OSSL_BUILD_DATE=""
# see #190, reverting logic: unless otherwise proved openssl has no dh bits
case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
@ -11813,7 +11807,7 @@ ignore_no_or_lame() {
pr_warning_term "$1 --> "
read a
if [[ "$a" == "$(tolower "$2")" ]]; then
$ok_arg return 0
return 0
else
return 1
fi
@ -12122,13 +12116,13 @@ get_mx_record() {
check_resolver_bins
# we need tha last two columns here!
if which host &> /dev/null; then
mxs=$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')
mxs="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
elif which dig &> /dev/null; then
mxs=$(dig +short -t MX "$1" 2>/dev/null | awk '/^[0-9]/')
mxs="$(dig +short -t MX "$1" 2>/dev/null | awk '/^[0-9]/')"
elif which drill &> /dev/null; then
mxs=$(drill mx $1 | | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')
mxs="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
elif which nslookup &> /dev/null; then
mxs=$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')
mxs="$(nslookup -type=MX "$1" 2>/dev/null | awk '/mail exchanger/ { print $(NF-1), $NF }')"
else
fatal "No dig, host, drill or nslookup" -3
fi