remove some redundant quotes
This commit is contained in:
parent
1769378139
commit
5b05f144b3
96
testssl.sh
96
testssl.sh
|
@ -6822,7 +6822,7 @@ determine_tls_extensions() {
|
||||||
local cbc_cipher_list_hex="c0,28, c0,24, c0,14, c0,0a, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,3d, 00,35, 00,c0, 00,84, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,49, c0,4b, c0,4d, c0,4f, c0,27, c0,23, c0,13, c0,09, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, 00,43, 00,42, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,3c, 00,2f, 00,ba, 00,96, 00,41, 00,07, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,48, c0,4a, c0,4c, c0,4e, c0,12, c0,08, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, fe,ff, ff,e0, 00,63, 00,15, 00,12, 00,0f, 00,0c, 00,62, 00,09, fe,fe, ff,e1, 00,14, 00,11, 00,08, 00,06, 00,0b, 00,0e"
|
local cbc_cipher_list_hex="c0,28, c0,24, c0,14, c0,0a, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,3d, 00,35, 00,c0, 00,84, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,49, c0,4b, c0,4d, c0,4f, c0,27, c0,23, c0,13, c0,09, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,9a, 00,99, 00,98, 00,97, 00,45, 00,44, 00,43, 00,42, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,3c, 00,2f, 00,ba, 00,96, 00,41, 00,07, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,48, c0,4a, c0,4c, c0,4e, c0,12, c0,08, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, fe,ff, ff,e0, 00,63, 00,15, 00,12, 00,0f, 00,0c, 00,62, 00,09, fe,fe, ff,e1, 00,14, 00,11, 00,08, 00,06, 00,0b, 00,0e"
|
||||||
local using_sockets=true
|
local using_sockets=true
|
||||||
|
|
||||||
[[ "$OPTIMAL_PROTO" == "-ssl2" ]] && return 0
|
[[ "$OPTIMAL_PROTO" == -ssl2 ]] && return 0
|
||||||
"$SSL_NATIVE" && using_sockets=false
|
"$SSL_NATIVE" && using_sockets=false
|
||||||
|
|
||||||
if "$using_sockets"; then
|
if "$using_sockets"; then
|
||||||
|
@ -6888,7 +6888,7 @@ extract_certificates() {
|
||||||
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
|
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
|
||||||
savedir=$(pwd); cd $TEMPDIR
|
savedir=$(pwd); cd $TEMPDIR
|
||||||
# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
|
# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
|
||||||
if [[ "$version" == "ssl2" ]]; then
|
if [[ "$version" == ssl2 ]]; then
|
||||||
awk -v n=-1 '/Server certificate/ {start=1}
|
awk -v n=-1 '/Server certificate/ {start=1}
|
||||||
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
|
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
|
||||||
inc { print > ("level" n ".crt") }
|
inc { print > ("level" n ".crt") }
|
||||||
|
@ -6946,7 +6946,7 @@ extract_stapled_ocsp() {
|
||||||
local response="$(cat $TMPFILE)"
|
local response="$(cat $TMPFILE)"
|
||||||
local ocsp tmp
|
local ocsp tmp
|
||||||
local -i ocsp_len
|
local -i ocsp_len
|
||||||
|
|
||||||
STAPLED_OCSP_RESPONSE=""
|
STAPLED_OCSP_RESPONSE=""
|
||||||
if [[ "$response" =~ "CertificateStatus" ]]; then
|
if [[ "$response" =~ "CertificateStatus" ]]; then
|
||||||
# This is OpenSSL 1.1.0 or 1.1.1 and the response
|
# This is OpenSSL 1.1.0 or 1.1.1 and the response
|
||||||
|
@ -8614,7 +8614,7 @@ run_server_defaults() {
|
||||||
ct[i]="$(certificate_transparency "${previous_hostcert_txt[i]}" "${ocsp_response[i]}" "$certs_found" "${cipher[i]}" "${sni_used[i]}" "${tls_version[i]}")"
|
ct[i]="$(certificate_transparency "${previous_hostcert_txt[i]}" "${ocsp_response[i]}" "$certs_found" "${cipher[i]}" "${sni_used[i]}" "${tls_version[i]}")"
|
||||||
# If certificate_transparency() called tls_sockets() and found a "signed certificate timestamps" extension,
|
# If certificate_transparency() called tls_sockets() and found a "signed certificate timestamps" extension,
|
||||||
# then add it to $TLS_EXTENSIONS, since it may not have been found by determine_tls_extensions().
|
# then add it to $TLS_EXTENSIONS, since it may not have been found by determine_tls_extensions().
|
||||||
[[ $certs_found -gt 1 ]] && [[ "${ct[i]}" == "TLS extension" ]] && extract_new_tls_extensions "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
[[ $certs_found -gt 1 ]] && [[ "${ct[i]}" == TLS\ extension ]] && extract_new_tls_extensions "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt"
|
||||||
done
|
done
|
||||||
|
|
||||||
outln
|
outln
|
||||||
|
@ -10826,24 +10826,24 @@ check_tls_serverhellodone() {
|
||||||
[[ $remaining -lt 10 ]] && return 1
|
[[ $remaining -lt 10 ]] && return 1
|
||||||
|
|
||||||
tls_content_type="${tls_hello_ascii:i:2}"
|
tls_content_type="${tls_hello_ascii:i:2}"
|
||||||
[[ "$tls_content_type" != "14" ]] && [[ "$tls_content_type" != "15" ]] && \
|
[[ "$tls_content_type" != 14 ]] && [[ "$tls_content_type" != 15 ]] && \
|
||||||
[[ "$tls_content_type" != "16" ]] && [[ "$tls_content_type" != "17" ]] && return 2
|
[[ "$tls_content_type" != 16 ]] && [[ "$tls_content_type" != 17 ]] && return 2
|
||||||
i=$i+2
|
i=$i+2
|
||||||
tls_protocol="${tls_hello_ascii:i:4}"
|
tls_protocol="${tls_hello_ascii:i:4}"
|
||||||
[[ -z "$DETECTED_TLS_VERSION" ]] && DETECTED_TLS_VERSION="$tls_protocol"
|
[[ -z "$DETECTED_TLS_VERSION" ]] && DETECTED_TLS_VERSION="$tls_protocol"
|
||||||
[[ "${tls_protocol:0:2}" != "03" ]] && return 2
|
[[ "${tls_protocol:0:2}" != 03 ]] && return 2
|
||||||
i=$i+4
|
i=$i+4
|
||||||
msg_len=2*$(hex2dec "${tls_hello_ascii:i:4}")
|
msg_len=2*$(hex2dec "${tls_hello_ascii:i:4}")
|
||||||
i=$i+4
|
i=$i+4
|
||||||
remaining=$tls_hello_ascii_len-$i
|
remaining=$tls_hello_ascii_len-$i
|
||||||
[[ $msg_len -gt $remaining ]] && return 1
|
[[ $msg_len -gt $remaining ]] && return 1
|
||||||
|
|
||||||
if [[ "$tls_content_type" == "16" ]]; then
|
if [[ "$tls_content_type" == 16 ]]; then
|
||||||
tls_handshake_ascii+="${tls_hello_ascii:i:msg_len}"
|
tls_handshake_ascii+="${tls_hello_ascii:i:msg_len}"
|
||||||
tls_handshake_ascii_len=${#tls_handshake_ascii}
|
tls_handshake_ascii_len=${#tls_handshake_ascii}
|
||||||
decrypted_response+="$tls_content_type$tls_protocol$(printf "%04X" $((msg_len/2)))${tls_hello_ascii:i:msg_len}"
|
decrypted_response+="$tls_content_type$tls_protocol$(printf "%04X" $((msg_len/2)))${tls_hello_ascii:i:msg_len}"
|
||||||
# the ServerHello MUST be the first handshake message
|
# the ServerHello MUST be the first handshake message
|
||||||
[[ $tls_handshake_ascii_len -ge 2 ]] && [[ "${tls_handshake_ascii:0:2}" != "02" ]] && return 2
|
[[ $tls_handshake_ascii_len -ge 2 ]] && [[ "${tls_handshake_ascii:0:2}" != 02 ]] && return 2
|
||||||
if [[ $tls_handshake_ascii_len -ge 12 ]]; then
|
if [[ $tls_handshake_ascii_len -ge 12 ]]; then
|
||||||
DETECTED_TLS_VERSION="${tls_handshake_ascii:8:4}"
|
DETECTED_TLS_VERSION="${tls_handshake_ascii:8:4}"
|
||||||
|
|
||||||
|
@ -10851,7 +10851,7 @@ check_tls_serverhellodone() {
|
||||||
# there is a supported_versions extension that specifies the actual version. So,
|
# there is a supported_versions extension that specifies the actual version. So,
|
||||||
# if the version field specifies TLSv1.2, then check to see if there is a
|
# if the version field specifies TLSv1.2, then check to see if there is a
|
||||||
# supported_versions extension.
|
# supported_versions extension.
|
||||||
if [[ "$DETECTED_TLS_VERSION" == "0303" ]]; then
|
if [[ "$DETECTED_TLS_VERSION" == 0303 ]]; then
|
||||||
tls_serverhello_ascii_len=2*$(hex2dec "${tls_handshake_ascii:2:6}")
|
tls_serverhello_ascii_len=2*$(hex2dec "${tls_handshake_ascii:2:6}")
|
||||||
sid_len=2*$(hex2dec "${tls_handshake_ascii:76:2}")
|
sid_len=2*$(hex2dec "${tls_handshake_ascii:76:2}")
|
||||||
if [[ $tls_serverhello_ascii_len -gt 76+$sid_len ]]; then
|
if [[ $tls_serverhello_ascii_len -gt 76+$sid_len ]]; then
|
||||||
|
@ -10866,7 +10866,7 @@ check_tls_serverhellodone() {
|
||||||
offset=92+$sid_len+$j
|
offset=92+$sid_len+$j
|
||||||
extension_len=2*$(hex2dec "${tls_handshake_ascii:offset:4}")
|
extension_len=2*$(hex2dec "${tls_handshake_ascii:offset:4}")
|
||||||
[[ $extension_len -gt $tls_extensions_len-$j-8 ]] && return 2
|
[[ $extension_len -gt $tls_extensions_len-$j-8 ]] && return 2
|
||||||
if [[ "$extension_type" == "002B" ]]; then # supported_versions
|
if [[ "$extension_type" == 002B ]]; then # supported_versions
|
||||||
[[ $extension_len -ne 4 ]] && return 2
|
[[ $extension_len -ne 4 ]] && return 2
|
||||||
offset=96+$sid_len+$j
|
offset=96+$sid_len+$j
|
||||||
DETECTED_TLS_VERSION="${tls_handshake_ascii:offset:4}"
|
DETECTED_TLS_VERSION="${tls_handshake_ascii:offset:4}"
|
||||||
|
@ -10875,7 +10875,7 @@ check_tls_serverhellodone() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# A version of {0x7F, xx} represents an implementation of a draft version of TLS 1.3
|
# A version of {0x7F, xx} represents an implementation of a draft version of TLS 1.3
|
||||||
[[ "${DETECTED_TLS_VERSION:0:2}" == "7F" ]] && DETECTED_TLS_VERSION="0304"
|
[[ "${DETECTED_TLS_VERSION:0:2}" == 7F ]] && DETECTED_TLS_VERSION=0304
|
||||||
if [[ 0x$DETECTED_TLS_VERSION -ge 0x0304 ]] && [[ "$process_full" == ephemeralkey ]]; then
|
if [[ 0x$DETECTED_TLS_VERSION -ge 0x0304 ]] && [[ "$process_full" == ephemeralkey ]]; then
|
||||||
tls_serverhello_ascii_len=2*$(hex2dec "${tls_handshake_ascii:2:6}")
|
tls_serverhello_ascii_len=2*$(hex2dec "${tls_handshake_ascii:2:6}")
|
||||||
if [[ $tls_handshake_ascii_len -ge $tls_serverhello_ascii_len+8 ]]; then
|
if [[ $tls_handshake_ascii_len -ge $tls_serverhello_ascii_len+8 ]]; then
|
||||||
|
@ -10884,10 +10884,10 @@ check_tls_serverhellodone() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
elif [[ "$tls_content_type" == "15" ]]; then # TLS ALERT
|
elif [[ "$tls_content_type" == 15 ]]; then # TLS ALERT
|
||||||
tls_alert_ascii+="${tls_hello_ascii:i:msg_len}"
|
tls_alert_ascii+="${tls_hello_ascii:i:msg_len}"
|
||||||
decrypted_response+="$tls_content_type$tls_protocol$(printf "%04X" $((msg_len/2)))${tls_hello_ascii:i:msg_len}"
|
decrypted_response+="$tls_content_type$tls_protocol$(printf "%04X" $((msg_len/2)))${tls_hello_ascii:i:msg_len}"
|
||||||
elif [[ "$tls_content_type" == "17" ]] && [[ -n "$key_and_iv" ]]; then # encrypted data
|
elif [[ "$tls_content_type" == 17 ]] && [[ -n "$key_and_iv" ]]; then # encrypted data
|
||||||
nonce="$(get-nonce "$iv" "$seq_num")"
|
nonce="$(get-nonce "$iv" "$seq_num")"
|
||||||
[[ $? -ne 0 ]] && return 2
|
[[ $? -ne 0 ]] && return 2
|
||||||
plaintext="$(sym-decrypt "$cipher" "$key" "$nonce" "${tls_hello_ascii:i:msg_len}")"
|
plaintext="$(sym-decrypt "$cipher" "$key" "$nonce" "${tls_hello_ascii:i:msg_len}")"
|
||||||
|
@ -10896,14 +10896,14 @@ check_tls_serverhellodone() {
|
||||||
|
|
||||||
# Remove zeros from end of plaintext, if any
|
# Remove zeros from end of plaintext, if any
|
||||||
plaintext_len=${#plaintext}-2
|
plaintext_len=${#plaintext}-2
|
||||||
while [[ "${plaintext:plaintext_len:2}" == "00" ]]; do
|
while [[ "${plaintext:plaintext_len:2}" == 00 ]]; do
|
||||||
plaintext_len=$plaintext_len-2
|
plaintext_len=$plaintext_len-2
|
||||||
done
|
done
|
||||||
tls_content_type="${plaintext:plaintext_len:2}"
|
tls_content_type="${plaintext:plaintext_len:2}"
|
||||||
decrypted_response+="${tls_content_type}0301$(printf "%04X" $((plaintext_len/2)))${plaintext:0:plaintext_len}"
|
decrypted_response+="${tls_content_type}0301$(printf "%04X" $((plaintext_len/2)))${plaintext:0:plaintext_len}"
|
||||||
if [[ "$tls_content_type" == "16" ]]; then
|
if [[ "$tls_content_type" == 16 ]]; then
|
||||||
tls_handshake_ascii+="${plaintext:0:plaintext_len}"
|
tls_handshake_ascii+="${plaintext:0:plaintext_len}"
|
||||||
elif [[ "$tls_content_type" == "15" ]]; then
|
elif [[ "$tls_content_type" == 15 ]]; then
|
||||||
tls_alert_ascii+="${plaintext:0:plaintext_len}"
|
tls_alert_ascii+="${plaintext:0:plaintext_len}"
|
||||||
else
|
else
|
||||||
return 2
|
return 2
|
||||||
|
@ -10934,13 +10934,13 @@ check_tls_serverhellodone() {
|
||||||
|
|
||||||
# For SSLv3 - TLS1.2 look for a ServerHelloDone message.
|
# For SSLv3 - TLS1.2 look for a ServerHelloDone message.
|
||||||
# For TLS 1.3 look for a Finished message.
|
# For TLS 1.3 look for a Finished message.
|
||||||
[[ $tls_msg_type == "0E" ]] && tm_out "" && return 0
|
[[ $tls_msg_type == 0E ]] && tm_out "" && return 0
|
||||||
[[ $tls_msg_type == "14" ]] && tm_out "$decrypted_response" && return 0
|
[[ $tls_msg_type == 14 ]] && tm_out "$decrypted_response" && return 0
|
||||||
done
|
done
|
||||||
# If the response is TLSv1.3 and the full response is to be processed, but the
|
# If the response is TLSv1.3 and the full response is to be processed, but the
|
||||||
# key and IV have not been provided to decrypt the response, then return 3 if
|
# key and IV have not been provided to decrypt the response, then return 3 if
|
||||||
# the entire ServerHello has been received.
|
# the entire ServerHello has been received.
|
||||||
if [[ "$DETECTED_TLS_VERSION" == "0304" ]] && [[ "$process_full" =~ all ]] && \
|
if [[ "$DETECTED_TLS_VERSION" == 0304 ]] && [[ "$process_full" =~ all ]] && \
|
||||||
[[ -z "$key_and_iv" ]] && [[ $tls_handshake_ascii_len -gt 0 ]]; then
|
[[ -z "$key_and_iv" ]] && [[ $tls_handshake_ascii_len -gt 0 ]]; then
|
||||||
return 3
|
return 3
|
||||||
fi
|
fi
|
||||||
|
@ -11094,7 +11094,7 @@ parse_tls_serverhello() {
|
||||||
debugme tmln_warning "Content type other than alert, handshake, change cipher spec, or application data detected."
|
debugme tmln_warning "Content type other than alert, handshake, change cipher spec, or application data detected."
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 8
|
return 8
|
||||||
elif [[ "${tls_protocol:0:2}" != "03" ]]; then
|
elif [[ "${tls_protocol:0:2}" != 03 ]]; then
|
||||||
debugme tmln_warning "Protocol record_version.major is not 03."
|
debugme tmln_warning "Protocol record_version.major is not 03."
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 1
|
return 1
|
||||||
|
@ -11113,9 +11113,9 @@ parse_tls_serverhello() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $tls_content_type == "16" ]]; then
|
if [[ $tls_content_type == 16 ]]; then
|
||||||
tls_handshake_ascii="$tls_handshake_ascii${tls_hello_ascii:i:msg_len}"
|
tls_handshake_ascii="$tls_handshake_ascii${tls_hello_ascii:i:msg_len}"
|
||||||
elif [[ $tls_content_type == "15" ]]; then # TLS ALERT
|
elif [[ $tls_content_type == 15 ]]; then # TLS ALERT
|
||||||
tls_alert_ascii="$tls_alert_ascii${tls_hello_ascii:i:msg_len}"
|
tls_alert_ascii="$tls_alert_ascii${tls_hello_ascii:i:msg_len}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -11151,11 +11151,11 @@ parse_tls_serverhello() {
|
||||||
echo "===============================================================================" >> $TMPFILE
|
echo "===============================================================================" >> $TMPFILE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$tls_err_level" != "01" ]] && [[ "$tls_err_level" != "02" ]]; then
|
if [[ "$tls_err_level" != 01 ]] && [[ "$tls_err_level" != 02 ]]; then
|
||||||
debugme tmln_warning "Unexpected AlertLevel (0x$tls_err_level)."
|
debugme tmln_warning "Unexpected AlertLevel (0x$tls_err_level)."
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 1
|
return 1
|
||||||
elif [[ "$tls_err_level" == "02" ]]; then
|
elif [[ "$tls_err_level" == 02 ]]; then
|
||||||
# Fatal alert
|
# Fatal alert
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 1
|
return 1
|
||||||
|
@ -11227,7 +11227,7 @@ parse_tls_serverhello() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$tls_msg_type" == "02" ]]; then
|
if [[ "$tls_msg_type" == 02 ]]; then
|
||||||
if [[ -n "$tls_serverhello_ascii" ]]; then
|
if [[ -n "$tls_serverhello_ascii" ]]; then
|
||||||
debugme tmln_warning "Response contained more than one ServerHello handshake message."
|
debugme tmln_warning "Response contained more than one ServerHello handshake message."
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
|
@ -11235,7 +11235,7 @@ parse_tls_serverhello() {
|
||||||
fi
|
fi
|
||||||
tls_serverhello_ascii="${tls_handshake_ascii:i:msg_len}"
|
tls_serverhello_ascii="${tls_handshake_ascii:i:msg_len}"
|
||||||
tls_serverhello_ascii_len=$msg_len
|
tls_serverhello_ascii_len=$msg_len
|
||||||
elif [[ "$process_full" =~ all ]] && [[ "$tls_msg_type" == "08" ]]; then
|
elif [[ "$process_full" =~ all ]] && [[ "$tls_msg_type" == 08 ]]; then
|
||||||
# Add excrypted extensions (now decrypted) to end of extensions in SeverHello
|
# Add excrypted extensions (now decrypted) to end of extensions in SeverHello
|
||||||
tls_encryptedextensions_ascii="${tls_handshake_ascii:i:msg_len}"
|
tls_encryptedextensions_ascii="${tls_handshake_ascii:i:msg_len}"
|
||||||
tls_encryptedextensions_ascii_len=$msg_len
|
tls_encryptedextensions_ascii_len=$msg_len
|
||||||
|
@ -11280,7 +11280,7 @@ parse_tls_serverhello() {
|
||||||
debugme echo "Malformed response"
|
debugme echo "Malformed response"
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 1
|
return 1
|
||||||
elif [[ "${tls_handshake_ascii:0:2}" != "02" ]]; then
|
elif [[ "${tls_handshake_ascii:0:2}" != 02 ]]; then
|
||||||
# the ServerHello MUST be the first handshake message
|
# the ServerHello MUST be the first handshake message
|
||||||
DETECTED_TLS_VERSION="reply contained no ServerHello"
|
DETECTED_TLS_VERSION="reply contained no ServerHello"
|
||||||
debugme tmln_warning "The first handshake protocol message is not a ServerHello."
|
debugme tmln_warning "The first handshake protocol message is not a ServerHello."
|
||||||
|
@ -11303,8 +11303,8 @@ parse_tls_serverhello() {
|
||||||
# byte 38+39+sid-len: extension length
|
# byte 38+39+sid-len: extension length
|
||||||
tls_protocol2="${tls_serverhello_ascii:0:4}"
|
tls_protocol2="${tls_serverhello_ascii:0:4}"
|
||||||
DETECTED_TLS_VERSION="$tls_protocol2"
|
DETECTED_TLS_VERSION="$tls_protocol2"
|
||||||
[[ "${DETECTED_TLS_VERSION:0:2}" == "7F" ]] && DETECTED_TLS_VERSION="0304"
|
[[ "${DETECTED_TLS_VERSION:0:2}" == 7F ]] && DETECTED_TLS_VERSION="0304"
|
||||||
if [[ "${DETECTED_TLS_VERSION:0:2}" != "03" ]]; then
|
if [[ "${DETECTED_TLS_VERSION:0:2}" != 03 ]]; then
|
||||||
debugme tmln_warning "server_version.major in ServerHello is not 03."
|
debugme tmln_warning "server_version.major in ServerHello is not 03."
|
||||||
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
[[ $DEBUG -ge 1 ]] && tmpfile_handle ${FUNCNAME[0]}.txt
|
||||||
return 1
|
return 1
|
||||||
|
@ -11472,7 +11472,7 @@ parse_tls_serverhello() {
|
||||||
else
|
else
|
||||||
tls_extensions+="TLS server extension \"unrecognized extension\""
|
tls_extensions+="TLS server extension \"unrecognized extension\""
|
||||||
fi
|
fi
|
||||||
if [[ "$extension_type" == "0028" ]]; then
|
if [[ "$extension_type" == 0028 ]]; then
|
||||||
tls_extensions+=" (id=40), len=$extension_len\n"
|
tls_extensions+=" (id=40), len=$extension_len\n"
|
||||||
else
|
else
|
||||||
tls_extensions+=" (id=51), len=$extension_len\n"
|
tls_extensions+=" (id=51), len=$extension_len\n"
|
||||||
|
@ -12295,27 +12295,27 @@ prepare_tls_clienthello() {
|
||||||
part1="0x${cipher_suites:$i:2}"
|
part1="0x${cipher_suites:$i:2}"
|
||||||
part2="0x${cipher_suites:$j:2}"
|
part2="0x${cipher_suites:$j:2}"
|
||||||
if [[ "$part1" == "0xc0" ]]; then
|
if [[ "$part1" == "0xc0" ]]; then
|
||||||
if [[ "$part2" -ge "0x01" ]] && [[ "$part2" -le "0x19" ]]; then
|
if [[ "$part2" -ge 0x01 ]] && [[ "$part2" -le 0x19 ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
elif [[ "$part2" -ge "0x23" ]] && [[ "$part2" -le "0x3b" ]]; then
|
elif [[ "$part2" -ge 0x23 ]] && [[ "$part2" -le 0x3b ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
elif [[ "$part2" -ge "0x48" ]] && [[ "$part2" -le "0x4f" ]]; then
|
elif [[ "$part2" -ge 0x48 ]] && [[ "$part2" -le 0x4f ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
elif [[ "$part2" -ge "0x5c" ]] && [[ "$part2" -le "0x63" ]]; then
|
elif [[ "$part2" -ge 0x5c ]] && [[ "$part2" -le 0x63 ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
elif [[ "$part2" -ge "0x70" ]] && [[ "$part2" -le "0x79" ]]; then
|
elif [[ "$part2" -ge 0x70 ]] && [[ "$part2" -le 0x79 ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
elif [[ "$part2" -ge "0x86" ]] && [[ "$part2" -le "0x8d" ]]; then
|
elif [[ "$part2" -ge 0x86 ]] && [[ "$part2" -le 0x8d ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
elif [[ "$part2" -ge "0x9a" ]] && [[ "$part2" -le "0x9b" ]]; then
|
elif [[ "$part2" -ge 0x9a ]] && [[ "$part2" -le 0x9b ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
elif [[ "$part2" -ge "0xac" ]] && [[ "$part2" -le "0xaf" ]]; then
|
elif [[ "$part2" -ge 0xac ]] && [[ "$part2" -le 0xaf ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
fi
|
fi
|
||||||
elif [[ "$part1" == "0xcc" ]]; then
|
elif [[ "$part1" == 0xcc ]]; then
|
||||||
if [[ "$part2" == "0xa8" ]] || [[ "$part2" == "0xa9" ]] || \
|
if [[ "$part2" == 0xa8 ]] || [[ "$part2" == 0xa9 ]] || \
|
||||||
[[ "$part2" == "0xac" ]] || [[ "$part2" == "0x13" ]] || \
|
[[ "$part2" == 0xac ]] || [[ "$part2" == 0x13 ]] || \
|
||||||
[[ "$part2" == "0x14" ]]; then
|
[[ "$part2" == 0x14 ]]; then
|
||||||
ecc_cipher_suite_found=true && break
|
ecc_cipher_suite_found=true && break
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -12378,7 +12378,7 @@ prepare_tls_clienthello() {
|
||||||
elif [[ 0x$tls_low_byte -gt 0x03 ]]; then
|
elif [[ 0x$tls_low_byte -gt 0x03 ]]; then
|
||||||
# Supported Groups Extension
|
# Supported Groups Extension
|
||||||
if [[ ! "$process_full" =~ all ]] || \
|
if [[ ! "$process_full" =~ all ]] || \
|
||||||
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
|
[[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.1* ]]; then
|
||||||
extension_supported_groups="
|
extension_supported_groups="
|
||||||
00,0a, # Type: Supported Groups, see RFC 8446
|
00,0a, # Type: Supported Groups, see RFC 8446
|
||||||
00,10, 00,0e, # lengths
|
00,10, 00,0e, # lengths
|
||||||
|
@ -12387,7 +12387,7 @@ prepare_tls_clienthello() {
|
||||||
# OpenSSL prior to 1.1.1 does not support X448, so list it as the least
|
# OpenSSL prior to 1.1.1 does not support X448, so list it as the least
|
||||||
# preferred option if the response needs to be decrypted, and do not
|
# preferred option if the response needs to be decrypted, and do not
|
||||||
# list it at all if the response MUST be decrypted.
|
# list it at all if the response MUST be decrypted.
|
||||||
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] && [[ "$process_full" == all+ ]]; then
|
elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == 1.1.0* ]] && [[ "$process_full" == all+ ]]; then
|
||||||
extension_supported_groups="
|
extension_supported_groups="
|
||||||
00,0a, # Type: Supported Groups, see RFC 8446
|
00,0a, # Type: Supported Groups, see RFC 8446
|
||||||
00,0e, 00,0c, # lengths
|
00,0e, 00,0c, # lengths
|
||||||
|
@ -12469,7 +12469,7 @@ prepare_tls_clienthello() {
|
||||||
# FIXME: The ClientHello currently advertises support for various
|
# FIXME: The ClientHello currently advertises support for various
|
||||||
# draft versions of TLSv1.3. Eventually it should only adversize
|
# draft versions of TLSv1.3. Eventually it should only adversize
|
||||||
# support for the final version (0304).
|
# support for the final version (0304).
|
||||||
if [[ "$KEY_SHARE_EXTN_NR" == "33" ]]; then
|
if [[ "$KEY_SHARE_EXTN_NR" == 33 ]]; then
|
||||||
extension_supported_versions+=", 03, 04, 7f, 1c, 7f, 1b, 7f, 1a, 7f, 19, 7f, 18, 7f, 17"
|
extension_supported_versions+=", 03, 04, 7f, 1c, 7f, 1b, 7f, 1a, 7f, 19, 7f, 18, 7f, 17"
|
||||||
else
|
else
|
||||||
extension_supported_versions+=", 7f, 16, 7f, 15, 7f, 14, 7f, 13, 7f, 12"
|
extension_supported_versions+=", 7f, 16, 7f, 15, 7f, 14, 7f, 13, 7f, 12"
|
||||||
|
@ -12491,7 +12491,7 @@ prepare_tls_clienthello() {
|
||||||
# OpenSSL, Firefox, and Chrome include it in TLS 1.3 ClientHello messages, and there is at
|
# OpenSSL, Firefox, and Chrome include it in TLS 1.3 ClientHello messages, and there is at
|
||||||
# least one server that will fail the connection if it is absent
|
# least one server that will fail the connection if it is absent
|
||||||
# (see https://github.com/drwetter/testssl.sh/issues/990).
|
# (see https://github.com/drwetter/testssl.sh/issues/990).
|
||||||
if [[ "0x$tls_low_byte" -ge "0x04" ]] && [[ ! "$extra_extensions_list" =~ " 002d " ]]; then
|
if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ " 002d " ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extn_psk_mode"
|
all_extensions+="$extn_psk_mode"
|
||||||
fi
|
fi
|
||||||
|
@ -12509,7 +12509,7 @@ prepare_tls_clienthello() {
|
||||||
|
|
||||||
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
# RFC 5246 says that clients MUST NOT offer the signature algorithms
|
||||||
# extension if they are offering TLS versions prior to 1.2.
|
# extension if they are offering TLS versions prior to 1.2.
|
||||||
if [[ "0x$tls_low_byte" -ge "0x03" ]] && [[ ! "$extra_extensions_list" =~ " 000d " ]]; then
|
if [[ "0x$tls_low_byte" -ge 0x03 ]] && [[ ! "$extra_extensions_list" =~ " 000d " ]]; then
|
||||||
[[ -n "$all_extensions" ]] && all_extensions+=","
|
[[ -n "$all_extensions" ]] && all_extensions+=","
|
||||||
all_extensions+="$extension_signature_algorithms"
|
all_extensions+="$extension_signature_algorithms"
|
||||||
fi
|
fi
|
||||||
|
|
Loading…
Reference in New Issue