- FIX #119 (sed -E fails for old sed versions)

- std_cipherlists tuned
- fix for selfsigned certs (missed sometimes because of trailing space)
This commit is contained in:
Dirk 2015-06-17 11:33:29 +02:00
parent 06899f3cbf
commit 59299ce9e1

View File

@ -79,6 +79,9 @@ readonly SYSTEM=$(uname -s)
date --help >/dev/null 2>&1 && \ date --help >/dev/null 2>&1 && \
readonly HAS_GNUDATE=true || \ readonly HAS_GNUDATE=true || \
readonly HAS_GNUDATE=false readonly HAS_GNUDATE=false
echo A | sed -E 's/A//' >/dev/null 2>&1 && \
readonly HAS_SED_E=true || \
readonly HAS_SED_E=false
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS. readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
@ -592,7 +595,7 @@ hsts() {
pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s" pr_litegreen "$hsts_age_days days" ; out "=$hsts_age_sec s"
else else
out "$hsts_age_sec s = " out "$hsts_age_sec s = "
pr_brown "$hsts_age_days days, <$HSTS_MIN is not good enough" pr_brown "$hsts_age_days days, <$HSTS_MIN days is too short"
fi fi
includeSubDomains "$TMPFILE" includeSubDomains "$TMPFILE"
preload "$TMPFILE" preload "$TMPFILE"
@ -907,19 +910,26 @@ std_cipherlists() {
$OPENSSL s_client -cipher "$1" $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null </dev/null $OPENSSL s_client -cipher "$1" $STARTTLS -connect $NODEIP:$PORT $SNI 2>$TMPFILE >/dev/null </dev/null
ret=$? ret=$?
[[ $DEBUG -ge 2 ]] && cat $TMPFILE [[ $DEBUG -ge 2 ]] && cat $TMPFILE
out " " # in order to be in the same row as server preferences
case $3 in case $3 in
0) # ok to offer 0) # ok to offer
[[ $ret -eq 0 ]] && \ [[ $ret -eq 0 ]] && \
pr_greenln "offered (OK)" || \ pr_greenln "offered (OK)" || \
pr_boldln "not offered" ;; pr_brownln "not offered (NOT ok)" ;;
2) # not really bad 1) # the ugly ones
[[ $ret -eq 0 ]] && \
outln "offered" || \
pr_greenln "not offered (OK)" ;;
*) # the ugly rest
[[ $ret -eq 0 ]] && \ [[ $ret -eq 0 ]] && \
pr_redln "offered (NOT ok)" || \ pr_redln "offered (NOT ok)" || \
pr_greenln "not offered (OK)" ;; pr_greenln "not offered (OK)" ;;
2) # bad but not worst
[[ $ret -eq 0 ]] && \
pr_literedln "offered (NOT ok)" || \
pr_litegreenln "not offered (OK)" ;;
3) # not totally bad
[[ $ret -eq 0 ]] && \
pr_brownln "offered (NOT ok)" || \
outln "not offered (OK)" ;;
*) # we shouldn't reach this
pr_litemagenta "? (please report this)" ;;
esac esac
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
else else
@ -936,7 +946,11 @@ std_cipherlists() {
# ARG2: sleep # ARG2: sleep
socksend() { socksend() {
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do # the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
if $HAS_SED_E; then
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
else
data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
fi
[[ $DEBUG -ge 4 ]] && echo "\"$data\"" [[ $DEBUG -ge 4 ]] && echo "\"$data\""
printf -- "$data" >&5 2>/dev/null & printf -- "$data" >&5 2>/dev/null &
sleep $2 sleep $2
@ -1240,9 +1254,10 @@ runprotocols() {
return 0 return 0
} }
#TODO: work with a fixed list here
run_std_cipherlists() { run_std_cipherlists() {
outln outln
pr_blue "--> Testing standard cipher lists"; outln "\n" pr_blue "--> Testing ~standard cipher lists"; outln "\n"
# see ciphers(1ssl) # see ciphers(1ssl)
std_cipherlists NULL:eNULL " Null Ciphers " 1 std_cipherlists NULL:eNULL " Null Ciphers " 1
std_cipherlists aNULL " Anonymous NULL Ciphers " 1 std_cipherlists aNULL " Anonymous NULL Ciphers " 1
@ -1250,11 +1265,11 @@ run_std_cipherlists() {
std_cipherlists EXPORT40 " 40 Bit encryption " 1 std_cipherlists EXPORT40 " 40 Bit encryption " 1
std_cipherlists EXPORT56 " 56 Bit encryption " 1 std_cipherlists EXPORT56 " 56 Bit encryption " 1
std_cipherlists EXPORT " Export Ciphers (general) " 1 std_cipherlists EXPORT " Export Ciphers (general) " 1
std_cipherlists LOW " Low (<=64 Bit) " 1 std_cipherlists 'LOW:!ADH' " Low (<=64 Bit) " 1
std_cipherlists DES " DES Ciphers " 1 std_cipherlists 'DES:!ADH:!EXPORT:!aNULL' " DES Ciphers " 1
std_cipherlists 3DES " Triple DES Ciphers " 2 std_cipherlists 'MEDIUM:!NULL:!aNULL:!SSLv2' " Medium grade encryption " 2
std_cipherlists "MEDIUM:!NULL:!aNULL:!SSLv2" " Medium grade encryption " 2 std_cipherlists '3DES:!ADH:!aNULL' " Triple DES Ciphers " 3
std_cipherlists "HIGH:!NULL:!aNULL" " High grade encryption " 0 std_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:' " High grade encryption " 0
return 0 return 0
} }
@ -1661,11 +1676,11 @@ server_defaults() {
else else
issuer_c="" # CACert would have 'issuer= ' here otherwise issuer_c="" # CACert would have 'issuer= ' here otherwise
fi fi
if [ "$issuer_o" == "issuer=" ] || [ "$issuer" == "$CN" ] ; then if [ "$issuer_o" == "issuer=" ] || [ "$issuer_o" == "issuer= " ] || [ "$issuer" == "$CN" ] ; then
pr_redln "selfsigned (not OK)" pr_redln "selfsigned (not OK)"
else else
[ "$issuer_c" == "" ] && \ [ "$issuer_c" == "" ] && \
outln "$underline$issuer$off ($underline$issuer_o$off" || \ outln "$underline$issuer$off ($underline$issuer_o$off)" || \
outln "$underline$issuer$off ($underline$issuer_o$off from $underline$issuer_c$off)" outln "$underline$issuer$off ($underline$issuer_o$off from $underline$issuer_c$off)"
fi fi
@ -2283,7 +2298,11 @@ heartbleed(){
# determine TLS versions available: # determine TLS versions available:
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT -tlsextdebug &>$TMPFILE </dev/null
if $HAS_SED_E; then
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g') tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
else
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -r 's/[^[:digit:]]//g')
fi
case $tls_proto_offered in case $tls_proto_offered in
12) tls_hexcode="x03, x03" ;; 12) tls_hexcode="x03, x03" ;;
11) tls_hexcode="x03, x02" ;; 11) tls_hexcode="x03, x02" ;;
@ -2397,8 +2416,11 @@ ccs_injection(){
fi fi
$OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null $OPENSSL s_client $STARTTLS -connect $NODEIP:$PORT &>$TMPFILE </dev/null
if $HAS_SED_E; then
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g') tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -E 's/[^[:digit:]]//g')
#tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed 's/^.*Protocol//') else
tls_proto_offered=$(grep -aw Protocol $TMPFILE | sed -r 's/[^[:digit:]]//g')
fi
case $tls_proto_offered in case $tls_proto_offered in
12) tls_hexcode="x03, x03" ;; 12) tls_hexcode="x03, x03" ;;
11) tls_hexcode="x03, x02" ;; 11) tls_hexcode="x03, x02" ;;
@ -2681,6 +2703,14 @@ EOF
return $ret return $ret
} }
# trim spaces for BSD and old sed
count_lines() {
echo "$1" | wc -l | sed 's/ //g'
}
count_words() {
echo "$1" | wc -w | sed 's/ //g'
}
### two helper functions for vulnerabilities follow ### two helper functions for vulnerabilities follow
count_ciphers() { count_ciphers() {
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g' echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
@ -3274,6 +3304,7 @@ ECHO: $ECHO
COLOR: $COLOR COLOR: $COLOR
TERM_DWITH: $TERM_DWITH TERM_DWITH: $TERM_DWITH
HAS_GNUDATE: $HAS_GNUDATE HAS_GNUDATE: $HAS_GNUDATE
HAS_SED_E: $HAS_SED_E
SHOW_LOC_CIPH: $SHOW_LOC_CIPH SHOW_LOC_CIPH: $SHOW_LOC_CIPH
SHOW_EACH_C: $SHOW_EACH_C SHOW_EACH_C: $SHOW_EACH_C
@ -4029,6 +4060,6 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.278 2015/06/16 21:00:46 dirkw Exp $ # $Id: testssl.sh,v 1.279 2015/06/17 09:33:28 dirkw Exp $
# vim:ts=5:sw=5 # vim:ts=5:sw=5
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab # ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab