FIX #829 (OpenBSD fixes)
All three issues fixed. The terminal code actually had two problems: logging in from Linux with a 256 color xterm makes OpenBSD's tput hiccup on the set AF capability, and the detection of non-ncurses style underline, for example, was not working under OpenBSD. The engine fix was done by David Cooper (see #831). The name of the binary (OpenSSL/LibreSSL) is now also recorded for tracking the flavor used.
This commit is contained in:
parent
d3c3d65e1f
commit
695d02157a
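--- a/testssl.sh
+++ b/testssl.sh
@@ -261,6 +261,7 @@ NW_STR=""
 LEN_STR=""
 SNI=""
 POODLE="" # keep vulnerability status for TLS_FALLBACK_SCSV
+OSSL_NAME="" # openssl name, in case of LibreSSL it's LibreSSL
 OSSL_VER="" # openssl version, will be auto-determined
 OSSL_VER_MAJOR=0
 OSSL_VER_MINOR=0
@@ -548,7 +549,14 @@ pr_boldurl() { tm_bold "$1"; html_out "<a href="$1" style=\"font-weight:bold;col
 set_color_functions() {
 local ncurses_tput=true
 
-# empty vars if we have COLOR=0 equals no escape code:
+if [[ $(uname) == OpenBSD ]] && grep -q xterm-256 <<< "$TERM"; then
+export TERM=xterm
+# openBSD can't handle 256 colors (yet) in xterm which might lead to ugly errors
+# like "tput: not enough arguments (3) for capability `AF'". Not our fault but
+# before we get blamed we fix it here.
+fi
+
+# empty all vars if we have COLOR=0 equals no escape code:
 red=""
 green=""
 brown=""
@@ -565,6 +573,7 @@ set_color_functions() {
 type -p tput &>/dev/null || return 0 # Hey wait, do we actually have tput / ncurses ?
 tput cols &>/dev/null || return 0 # tput under BSDs and GNUs doesn't work either (TERM undefined?)
 tput sgr0 &>/dev/null || ncurses_tput=false
+tput sgr 0 1 &>/dev/null || ncurses_tput=false # OpenBSD succeed the previous one but fails here
 if [[ "$COLOR" -eq 2 ]]; then
 if $ncurses_tput; then
 red=$(tput setaf 1)
@@ -590,7 +599,7 @@ set_color_functions() {
 if [[ "$COLOR" -ge 1 ]]; then
 if $ncurses_tput; then
 bold=$(tput bold)
-underline=$(tput sgr 0 1)
+underline=$(tput sgr 0 1 2>/dev/null)
 italic=$(tput sitm)
 italic_end=$(tput ritm)
 off=$(tput sgr0)
@@ -728,7 +737,7 @@ fileout_pretty_json_banner() {
 echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
 \"at\" : \"$HNAME:$OPENSSL_LOCATION\",
 \"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
-\"openssl\" : \"$OSSL_VER from $OSSL_BUILD_DATE\",
+\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
 \"startTime\" : \"$START_TIME\",
 \"scanResult\" : ["
 else
@@ -740,7 +749,7 @@ fileout_pretty_json_banner() {
 echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
 \"at\" : \"$HNAME:$OPENSSL_LOCATION\",
 \"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
-\"openssl\" : \"$OSSL_VER from $OSSL_BUILD_DATE\",
+\"openssl\" : \"$OSSL_NAME $OSSL_VER from $OSSL_BUILD_DATE\",
 \"target host\" : \"$target\",
 \"port\" : \"$PORT\",
 \"startTime\" : \"$START_TIME\",
@@ -943,7 +952,7 @@ html_banner() {
 html_out "## Scan started as: \"$PROG_NAME $CMDLINE\"\n"
 html_out "## at $HNAME:$OPENSSL_LOCATION\n"
 html_out "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\n"
-html_out "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n\n"
+html_out "## version openssl: \"$OSSL_NAME $OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n\n"
 fi
 }
 
@@ -11641,13 +11650,13 @@ find_openssl_binary() {
 fi
 
 # http://www.openssl.org/news/openssl-notes.html
+OSSL_NAME=$($OPENSSL version 2>/dev/null | awk '{ print $1 }')
 OSSL_VER=$($OPENSSL version 2>/dev/null | awk -F' ' '{ print $2 }')
 OSSL_VER_MAJOR=$(sed 's/\..*$//' <<< "$OSSL_VER")
 OSSL_VER_MINOR=$(sed -e 's/^.\.//' <<< "$OSSL_VER" | tr -d '[a-zA-Z]-')
 OSSL_VER_APPENDIX=$(tr -d '0-9.' <<< "$OSSL_VER")
 OSSL_VER_PLATFORM=$($OPENSSL version -p 2>/dev/null | sed 's/^platform: //')
 OSSL_BUILD_DATE=$($OPENSSL version -a 2>/dev/null | grep '^built' | sed -e 's/built on//' -e 's/: ... //' -e 's/: //' -e 's/ UTC//' -e 's/ +0000//' -e 's/.000000000//')
-grep -q "not available" <<< "$OSSL_BUILD_DATE" && OSSL_BUILD_DATE=""
 
 # see #190, reverting logic: unless otherwise proved openssl has no dh bits
 case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
@@ -11655,9 +11664,11 @@ find_openssl_binary() {
 esac
 # libressl does not have "Server Temp Key" (SSL_get_server_tmp_key)
 
-if $OPENSSL version 2>/dev/null | grep -qi LibreSSL; then
-outln
-pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
+if grep -qi LibreSSL <<< "$OSSL_NAME"; then
+if "$SSL_NATIVE"; then
+outln
+pr_warning "LibreSSL in native ssl mode is not a good choice for testing INSECURE features!"
+fi
 fi
 
 initialize_engine
@@ -11674,7 +11685,7 @@ find_openssl_binary() {
 OPENSSL_LOCATION="$openssl_location"
 fi
 
-OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")
+OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL')")
 
 $OPENSSL s_client -ssl2 -connect x 2>&1 | grep -aq "unknown option" || \
 HAS_SSL2=true
@@ -12126,12 +12137,12 @@ fatal() {
 initialize_engine(){
 grep -q '^# testssl config file' "$OPENSSL_CONF" 2>/dev/null && return 0 # have been here already
 
-if ! $OPENSSL engine gost -vvvv -t -c 2>/dev/null >/dev/null; then
+if $OPENSSL engine gost -v 2>&1 | grep -q 'invalid command'; then
 outln
 pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
 fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
 return 1
-elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then
+elif ! $OPENSSL engine gost -vvvv -t -c 2>/dev/null >/dev/null; then
 outln
 pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
 fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"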
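Review bot: The rewritten OPENSSL_NR_CIPHERS line in the find_openssl_binary hunk (@@ -11674,7 +11685,7) drops the `2>/dev/null` the old line had, so anything the openssl binary writes to stderr while listing ciphers now reaches the user's terminal, unlike every other `$OPENSSL version` and `$OPENSSL engine` invocation in this commit, which still redirects stderr. Restoring it gives `OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL' 2>/dev/null)")`. The same line also drops `:@STRENGTH`; the count is presumably unaffected by sort order, but if that removal is deliberate a short comment such as `# @STRENGTH dropped: ordering is irrelevant for counting` would save the next reader from wondering. find_openssl_binary starts and ends outside the hunk.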