From 846dbad3d237c3a179090a98bf0de1148657820b Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 13 Mar 2015 14:26:02 -0500 Subject: [PATCH 1/3] Fix missing single quote --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 0b02f67..2762276 100755 --- a/testssl.sh +++ b/testssl.sh @@ -1139,7 +1139,7 @@ server_defaults() { SAN=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | \ sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g' -e 's/othername://g') # ^^^ CACert - [ x"$SAN" != "x" ] && SAN=$(echo "$SAN" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g) && outln " subjectAltName (SAN) $SAN" + [ x"$SAN" != "x" ] && SAN=$(echo "$SAN" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') && outln " subjectAltName (SAN) $SAN" # replace line feed by " " out " Issuer " From f530eaf5fcbe378ff554e223a6499ce45fabedb0 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 13 Mar 2015 14:54:36 -0500 Subject: [PATCH 2/3] Replace expr with $(( )) https://github.com/koalaman/shellcheck/wiki/SC2003 --- testssl.sh | 96 +++++++++++++++++++++++++++--------------------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/testssl.sh b/testssl.sh index 2762276..b62b164 100755 --- a/testssl.sh +++ b/testssl.sh @@ -274,7 +274,7 @@ wait_kill(){ return 0 # didn't reach maxsleep yet fi sleep 1 - maxsleep=$(expr $maxsleep - 1) + maxsleep=$(($maxsleep - 1)) test $maxsleep -eq 0 && break done # needs to be killed: kill $pid >&2 2>/dev/null 
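Review bot: The repaired line in server_defaults still tests for emptiness with the pre-POSIX idiom `[ x"$SAN" != "x" ]`; `[ -n "$SAN" ]` is equivalent and clearer. The `sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g'` loop that the missing quote broke reads more easily as `tr '\n' ' '`, at the cost of one trailing blank from echo's final newline, so keep the sed form if that matters. On the first context line `-in $HOSTCERT` is unquoted; `-in "$HOSTCERT"` avoids word splitting. server_defaults starts and ends outside the hunk.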
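Review bot: The exit test two lines below the converted line, `test $maxsleep -eq 0 && break`, never fires when wait_kill is called with 0 or a negative timeout, because the counter is decremented past zero and only equality is checked; sockread_serverhello (the `@@ -1460` hunk of the third patch) already uses `[[ $maxsleep -le 0 ]] && break`, and wait_kill and sockread (`@@ -707` in the second patch) should match it. The new arithmetic can also drop the sigil, `maxsleep=$((maxsleep - 1))`, as shellcheck SC2004 recommends, which applies to every `$(( ))` introduced in this series. wait_kill starts outside the hunk.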
@@ -686,7 +686,7 @@ std_cipherlists() { # ARG2: sleep socksend() { # the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do - data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\\/g' | tr -d '\n') + data=$(echo "$1" | sed -e 's/# .*$//g' -e 's/ //g' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') [[ $DEBUG -ge 4 ]] && echo "\"$data\"" printf -- "$data" >&5 2>/dev/null & sleep $2 @@ -707,7 +707,7 @@ sockread() { kill $pid >&2 2>/dev/null fi sleep 1 - maxsleep=$(expr $maxsleep - 1) + maxsleep=$(($maxsleep - 1)) test $maxsleep -eq 0 && break done #FIXME: cleanup, we have extra function for this now @@ -1024,7 +1024,7 @@ server_preference() { proto[i]="" cipher[i]="" fi - i=$(expr $i + 1) + i=$(($i + 1)) done if spdy_pre ; then # is NPN/SPDY supported and is this no STARTTLS? @@ -1163,10 +1163,10 @@ server_defaults() { if ! echo $expire | grep -qw not; then pr_red "expired!" else - SECS2WARN=$(expr 24 \* 60 \* 60 \* $DAYS2WARN2) # low threshold first + SECS2WARN=$((24 * 60 * 60 * $DAYS2WARN2)) # low threshold first expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN) if echo "$expire" | grep -qw not; then - SECS2WARN=$(expr 24 \* 60 \* 60 \* $DAYS2WARN2) + SECS2WARN=$((24 * 60 * 60 * $DAYS2WARN2)) expire=$($OPENSSL x509 -in $HOSTCERT -checkend $SECS2WARN) if echo "$expire" | grep -qw not; then pr_litegreen ">= $DAYS2WARN1 days" @@ -1216,7 +1216,7 @@ server_defaults() { #remotetime=$(grep -w "Start Time" $TMPFILE | sed 's/[A-Za-z:() ]//g') #if [ ! -z "$remotetime" ]; then # remotetime_stdformat=$(date --date="@$remotetime" "+%Y-%m-%d %r") - # difftime=$(expr $localtime - $remotetime) + # difftime=$(($localtime - $remotetime)) # [ $difftime -gt 0 ] && difftime="+"$difftime # difftime=$difftime" s" # outln " remotetime? : $remotetime ($difftime) = $remotetime_stdformat" 
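Review bot: The `sed 's/,/\\/g'` change in socksend is not the expr-to-`$(( ))` conversion the commit message describes, and it modifies the pipeline whose own comment says not to touch it unless you are sure; it deserves a separate commit with the reason recorded. It looks like each comma in the caller's byte list becomes a single backslash so that `printf -- "$data"` two lines below sees `\xNN` escapes, whereas the old `'s/,/\\\/g'` left the `s` command without a closing delimiter — if that is the intent, say so next to the line, e.g. `# ',' -> '\' so that printf below interprets \xNN escapes`. socksend's body continues outside the hunk.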
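Review bot: Both `SECS2WARN` assignments in the hunk multiply by `$DAYS2WARN2`, so the nested `-checkend` repeats the first check with the same threshold and the `pr_litegreen ">= $DAYS2WARN1 days"` verdict is reached for any certificate that survives the low threshold; the commit converts the arithmetic but keeps that copy-paste. Judging from the `# low threshold first` comment and the message printed, the second one should read `SECS2WARN=$((24 * 60 * 60 * DAYS2WARN1))`. `-in $HOSTCERT` is unquoted in both openssl calls of the hunk. server_defaults starts and ends outside the hunk.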
@@ -2171,10 +2171,10 @@ crime() { # STR=$(grep Compression $TMPFILE ) # if echo $STR | grep -q NONE >/dev/null; then # pr_green "not vulnerable (OK)" -# ret=$(expr $ret + 0) +# ret=$(($ret + 0)) # else # pr_red "VULNERABLE (NOT ok)" -# ret=$(expr $ret + 1) +# ret=$(($ret + 1)) # fi # fi # fi @@ -2393,27 +2393,27 @@ starttls() { # of the cmdline e.g. with getopts. STARTTLS="-starttls $protocol" export STARTTLS - runprotocols ; ret=$(expr $? + $ret) - run_std_cipherlists ; ret=$(expr $? + $ret) - server_preference ; ret=$(expr $? + $ret) - server_defaults ; ret=$(expr $? + $ret) + runprotocols ; ret=$(($? + $ret)) + run_std_cipherlists ; ret=$(($? + $ret)) + server_preference ; ret=$(($? + $ret)) + server_defaults ; ret=$(($? + $ret)) outln; pr_blue "--> Testing specific vulnerabilities" ; outln "\n" #FIXME: heartbleed + CCS won't work this way yet -# heartbleed ; ret=$(expr $? + $ret) -# ccs_injection ; ret=$(expr $? + $ret) - renego ; ret=$(expr $? + $ret) - crime ; ret=$(expr $? + $ret) - ssl_poodle ; ret=$(expr $? + $ret) - freak ; ret=$(expr $? + $ret) - beast ; ret=$(expr $? + $ret) +# heartbleed ; ret=$(($? + $ret)) +# ccs_injection ; ret=$(($? + $ret)) + renego ; ret=$(($? + $ret)) + crime ; ret=$(($? + $ret)) + ssl_poodle ; ret=$(($? + $ret)) + freak ; ret=$(($? + $ret)) + beast ; ret=$(($? + $ret)) - rc4 ; ret=$(expr $? + $ret) - pfs ; ret=$(expr $? + $ret) + rc4 ; ret=$(($? + $ret)) + pfs ; ret=$(($? + $ret)) outln - #cipher_per_proto ; ret=$(expr $? + $ret) - allciphers ; ret=$(expr $? + $ret) + #cipher_per_proto ; ret=$(($? + $ret)) + allciphers ; ret=$(($? + $ret)) fi ;; *) pr_litemagentaln "momentarily only ftp, smtp, pop3, imap, xmpp and telnet, ldap allowed" >&2 @@ -2846,7 +2846,7 @@ case "$1" in maketempf parse_hn_port "$2" runprotocols ; ret=$? - spdy ; ret=$(expr $? + $ret) + spdy ; ret=$(($? + $ret)) exit $ret ;; -f|--ciphers) maketempf 
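Review bot: Every check line in this hunk carries the identical suffix `; ret=$(($? + $ret))`, and the default `case` arm in the `@@ -2958` hunk repeats the same list; the mechanical expr conversion is a good moment to fold the accumulation into one helper, `run_check() { "$@"; ret=$(( $? + ret )); }`, called as `run_check renego` or `run_check breach "$URL_PATH"`, so each check is named once per site without the arithmetic. Converting the commented-out `heartbleed`/`ccs_injection` lines too keeps them consistent if they are re-enabled. The `case` arm of starttls starts outside the hunk.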
@@ -2903,7 +2903,7 @@ case "$1" in breach "$URL_PATH" ret=$? fi - ret=$(expr $? + $ret) + ret=$(($? + $ret)) exit $ret ;; -O|--ssl_poodle|poodle) maketempf @@ -2941,11 +2941,11 @@ case "$1" in hpkp "$URL_PATH" ret=$? serverbanner "$URL_PATH" - ret=$(expr $? + $ret) + ret=$(($? + $ret)) applicationbanner "$URL_PATH" - ret=$(expr $? + $ret) + ret=$(($? + $ret)) cookieflags "$URL_PATH" - ret=$(expr $? + $ret) + ret=$(($? + $ret)) else pr_litemagentaln " Wrong usage: You're not targetting a HTTP service" ret=2 
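Review bot: The converted line `ret=$(($? + $ret))` sits after `fi`, so `$?` there is the status of the if-compound — 0 after the `ret=$?` shown in the branch — not of `breach`, whose status was already captured on the line above; the addition therefore contributes 0 (or whatever an unseen else-branch last returned) and only obscures the flow. Unless the else branch depends on it, drop that line and keep `exit $ret`. The `if` head is outside the hunk, so this is inferred from the visible tail.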
@@ -2958,34 +2958,34 @@ case "$1" in outln runprotocols ; ret=$? - spdy ; ret=$(expr $? + $ret) - run_std_cipherlists ; ret=$(expr $? + $ret) - server_preference ; ret=$(expr $? + $ret) - server_defaults ; ret=$(expr $? + $ret) + spdy ; ret=$(($? + $ret)) + run_std_cipherlists ; ret=$(($? + $ret)) + server_preference ; ret=$(($? + $ret)) + server_defaults ; ret=$(($? + $ret)) if [[ $SERVICE == "HTTP" ]]; then outln; pr_blue "--> Testing HTTP Header response" outln "\n" - hsts "$URL_PATH" ; ret=$(expr $? + $ret) - hpkp "$URL_PATH" ; ret=$(expr $? + $ret) - serverbanner "$URL_PATH" ; ret=$(expr $? + $ret) - applicationbanner "$URL_PATH" ; ret=$(expr $? + $ret) - cookieflags "$URL_PATH" ; ret=$(expr $? + $ret) + hsts "$URL_PATH" ; ret=$(($? + $ret)) + hpkp "$URL_PATH" ; ret=$(($? + $ret)) + serverbanner "$URL_PATH" ; ret=$(($? + $ret)) + applicationbanner "$URL_PATH" ; ret=$(($? + $ret)) + cookieflags "$URL_PATH" ; ret=$(($? + $ret)) fi outln; pr_blue "--> Testing specific vulnerabilities" outln "\n" - heartbleed ; ret=$(expr $? + $ret) - ccs_injection ; ret=$(expr $? + $ret) - renego ; ret=$(expr $? + $ret) - crime ; ret=$(expr $? + $ret) - [[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=$(expr $? + $ret) - ssl_poodle ; ret=$(expr $? + $ret) - freak ; ret=$(expr $? + $ret) - beast ; ret=$(expr $? + $ret) + heartbleed ; ret=$(($? + $ret)) + ccs_injection ; ret=$(($? + $ret)) + renego ; ret=$(($? + $ret)) + crime ; ret=$(($? + $ret)) + [[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=$(($? + $ret)) + ssl_poodle ; ret=$(($? + $ret)) + freak ; ret=$(($? + $ret)) + beast ; ret=$(($? + $ret)) - rc4 ; ret=$(expr $? + $ret) - pfs ; ret=$(expr $? + $ret) + rc4 ; ret=$(($? + $ret)) + pfs ; ret=$(($? + $ret)) exit $ret ;; esac From 6747974bc34a72b4a6947ab837baa9ea74994f9c Mon Sep 17 00:00:00 2001 
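Review bot: `[[ $SERVICE == "HTTP" ]] && breach "$URL_PATH" ; ret=$(($? + $ret))` adds 1 to `ret` for every non-HTTP service, because when the test fails `$?` is the test's own status rather than breach's; the commit only converts the arithmetic and keeps that. Wrap it the way the HTTP header block above does: `if [[ $SERVICE == "HTTP" ]]; then` / `breach "$URL_PATH" ; ret=$(($? + $ret))` / `fi`. The enclosing `case` arm starts outside the hunk.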
From: Mark Felder Date: Fri, 13 Mar 2015 14:56:30 -0500 Subject: [PATCH 3/3] Revert to 2>&1 > /dev/null order because it isn't behaving correctly. --- testssl.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index b62b164..1972aaa 100755 --- a/testssl.sh +++ b/testssl.sh @@ -270,7 +270,7 @@ wait_kill(){ pid=$1 maxsleep=$2 while true; do - if ! ps $pid >/dev/null 2>&1; then + if ! ps $pid 2>&1 >/dev/null ; then return 0 # didn't reach maxsleep yet fi sleep 1 @@ -702,7 +702,7 @@ sockread() { pid=$! while true; do - if ! ps $pid >/dev/null 2>&1; then + if ! ps $pid 2>&1 >/dev/null ; then break # didn't reach maxsleep yet kill $pid >&2 2>/dev/null fi @@ -712,7 +712,7 @@ sockread() { done #FIXME: cleanup, we have extra function for this now - if ps $pid >/dev/null 2&>1; then + if ps $pid 2&>1 >/dev/null ; then # time's up and dd is still alive --> timeout kill $pid wait $pid 2>/dev/null @@ -1460,7 +1460,7 @@ sockread_serverhello() { [[ $maxsleep -le 0 ]] && break done - if ps $pid >/dev/null 2>&1; then + if ps $pid 2>&1 >/dev/null ; then # time's up and dd is still alive --> timeout kill $pid >&2 2>/dev/null wait $pid 2>/dev/null
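Review bot: `2>&1 >/dev/null` on the new `if ! ps $pid ...` line discards only ps's stdout; stderr is first pointed at the original stdout and stays visible, so the order the commit reverts from (`>/dev/null 2>&1`) is the one that silences both streams. The same reorder is applied in the `@@ -702`, `@@ -712` and `@@ -1460` hunks. If the motivation is the misbehaviour the subject line mentions, the `2&>1` token in the `@@ -712` hunk is the more likely cause and the redirection order is a red herring; a liveness test that writes nothing to stdout at all is `kill -0 "$pid" 2>/dev/null`. wait_kill starts outside the hunk.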
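Review bot: The `kill $pid >&2 2>/dev/null` line inside the `if ! ps ...` branch is unreachable, because `break` on the line before it leaves the loop first (the `@@ -707` hunk of the second patch confirms `kill` is on its own line). Since that branch runs only when `ps` reports the process gone, the kill would be a no-op anyway, so the line can simply be removed. The loop continues outside the hunk.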
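Review bot: `2&>1` in the new line `if ps $pid 2&>1 >/dev/null ; then` is not a redirection: the shell passes `2` as a second pid argument to `ps` and `&>1` sends both streams to a file literally named `1` in the working directory, so a stray file is created and, on systems where pid 2 exists, `ps` exits 0 even after the reader has gone, making the timeout branch run every time. This is very likely the misbehaviour the commit subject refers to, and it survives the reorder (the removed line had the same token). The line should be `if ps $pid >/dev/null 2>&1; then`, matching the other three liveness checks in the series.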