Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 10:40:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move more towards a common socksend* function

Browse Source 
This commit chamges a few functions / calls so that
the hexbyte syntax with leading x was changed to
one without. The calls then need to change from
socksend --> socksend_clienthello .

The goal is basically to remove socksend() at
some point. Also socksend_clienthello()'s use
of NW_STR should be reconsidered.

This PR removes also some blanks, at the right
hand side of some double square brackets and
at some empty lines
This commit is contained in:
Dirk Wetter 2020-03-06 21:31:23 +01:00
parent 0d8abd131e
commit 6a7bf1674c
1 changed files with 76 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
testssl.sh
View File

@ -10300,8 +10300,8 @@ starttls_nntp_dialog() {
starttls_postgres_dialog() { starttls_postgres_dialog() {
debugme echo "=== starting postgres STARTTLS dialog ===" debugme echo "=== starting postgres STARTTLS dialog ==="
local init_tls=", x00, x00 ,x00 ,x08 ,x04 ,xD2 ,x16 ,x2F" local init_tls=", 00, 00 ,00 ,08 ,04 ,D2 ,16 ,2F"
socksend "${init_tls}" 0 && debugme echo "initiated STARTTLS" && socksend_clienthello "${init_tls}" 0 && debugme echo "initiated STARTTLS" &&
starttls_io "" S 1 && debugme echo "received ack (="S") for STARTTLS" starttls_io "" S 1 && debugme echo "received ack (="S") for STARTTLS"
local ret=$? local ret=$?
debugme echo "=== finished postgres STARTTLS dialog with ${ret} ===" debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
@ -10311,14 +10311,14 @@ starttls_postgres_dialog() {
starttls_mysql_dialog() { starttls_mysql_dialog() {
debugme echo "=== starting mysql STARTTLS dialog ===" debugme echo "=== starting mysql STARTTLS dialog ==="
local login_request=" local login_request="
, x20, x00, x00, x01, # payload_length, sequence_id , 20, 00, 00, 01, # payload_length, sequence_id
x85, xae, xff, x00, # capability flags, CLIENT_SSL always set 85, ae, ff, 00, # capability flags, CLIENT_SSL always set
x00, x00, x00, x01, # max-packet size 00, 00, 00, 01, # max-packet size
x21, # character set 21, # character set
x00, x00, x00, x00, x00, x00, x00, x00, # string[23] reserved (all [0]) 00, 00, 00, 00, 00, 00, 00, 00, # string[23] reserved (all [0])
x00, x00, x00, x00, x00, x00, x00, x00, 00, 00, 00, 00, 00, 00, 00, 00,
x00, x00, x00, x00, x00, x00, x00" 00, 00, 00, 00, 00, 00, 00"
socksend "${login_request}" 0 socksend_clienthello "${login_request}" 0
starttls_just_read 1 && debugme echo "read succeeded" starttls_just_read 1 && debugme echo "read succeeded"
# 1 is the timeout value which only MySQL needs. Note, there seems no response whether STARTTLS # 1 is the timeout value which only MySQL needs. Note, there seems no response whether STARTTLS
# succeeded. We could try harder, see https://github.com/openssl/openssl/blob/master/apps/s_client.c # succeeded. We could try harder, see https://github.com/openssl/openssl/blob/master/apps/s_client.c
@ -10453,9 +10453,9 @@ send_close_notify() {
debugme echo "sending close_notify..." debugme echo "sending close_notify..."
if [[ $detected_tlsversion == 0300 ]]; then if [[ $detected_tlsversion == 0300 ]]; then
socksend ",x15, x03, x00, x00, x02, x02, x00" 0 socksend_clienthello ",15, 03, 00, 00, 02, 02, 00" 0
else else
socksend ",x15, x03, x01, x00, x02, x02, x00" 0 socksend_clienthello ",15, 03, 01, 00, 02, 02, 00" 0
fi fi
} }
@ -10467,13 +10467,13 @@ send_close_notify() {
code2network() { code2network() {
local temp="" line="" local temp="" line=""
NW_STR=$(while read -r line; do NW_STR="$(while read -r line; do
[[ -z "$line" ]] && continue # blank line [[ -z "$line" ]] && continue # blank line
temp="${line%%\#*}" # remove comments temp="${line%%\#*}" # remove comments
temp="${temp//,/\\\x}" # comma to \x temp="${temp//,/\\\x}" # comma to \x
temp="${temp//[\t ]/}" # blank and tabs temp="${temp//[\t ]/}" # blank and tabs
printf "%s" "$temp" printf "%s" "$temp"
done <<< "$1") done <<< "$1")"
} }
# sockets inspired by http://blog.chris007.de/?p=238 # sockets inspired by http://blog.chris007.de/?p=238
@ -10497,6 +10497,7 @@ socksend_clienthello() {
# ARG1: hexbytes -- preceeded by x -- separated by commas, with a leading comma # ARG1: hexbytes -- preceeded by x -- separated by commas, with a leading comma
# ARG2: seconds to sleep # ARG2: seconds to sleep
#FIXME: use socksend_clienthello instead. This will be removed soon!!
socksend() { socksend() {
local data line local data line
@ -14516,7 +14517,7 @@ resend_if_hello_retry_request() {
if [[ "$server_version" == 0304 ]] || [[ 0x$server_version -ge 0x7f16 ]]; then if [[ "$server_version" == 0304 ]] || [[ 0x$server_version -ge 0x7f16 ]]; then
# Send a dummy change cipher spec for middlebox compatibility. # Send a dummy change cipher spec for middlebox compatibility.
debugme echo -en "\nsending dummy change cipher spec... " debugme echo -en "\nsending dummy change cipher spec... "
socksend ", x14, x03, x03 ,x00, x01, x01" 0 socksend_clienthello ", 14, 03, 03 ,00, 01, 01" 0
fi fi
debugme echo -en "\nsending second client hello... " debugme echo -en "\nsending second client hello... "
second_clienthello="$(modify_clienthello "$original_clienthello" "$new_key_share" "$cookie")" second_clienthello="$(modify_clienthello "$original_clienthello" "$new_key_share" "$cookie")"
@ -14824,7 +14825,7 @@ receive_app_data() {
read -r tls_version cipher server_key server_iv server_seq client_key client_iv client_seq <<< "$APP_TRAF_KEY_INFO" read -r tls_version cipher server_key server_iv server_seq client_key client_iv client_seq <<< "$APP_TRAF_KEY_INFO"
[[ "${tls_version:0:2}" == 7F ]] && [[ 0x${tls_version:2:2} -lt 25 ]] && include_headers=false [[ "${tls_version:0:2}" == 7F ]] && [[ 0x${tls_version:2:2} -lt 25 ]] && include_headers=false
sleep $USLEEP_REC sleep $USLEEP_REC
while true; do while true; do
len=${#ciphertext} len=${#ciphertext}
@ -14906,29 +14907,30 @@ run_heartbleed(){
fi fi
if [[ 0 -eq $(has_server_protocol tls1) ]]; then if [[ 0 -eq $(has_server_protocol tls1) ]]; then
tls_hexcode="x03, x01" tls_hexcode="03,01"
elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
tls_hexcode="x03, x02" tls_hexcode="03,02"
elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
tls_hexcode="x03, x03" tls_hexcode="03,03"
elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
tls_hexcode="x03, x00" tls_hexcode="03,00"
else # no protocol for some reason defined, determine TLS versions offered with a new handshake else # no protocol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;; *1.2) tls_hexcode="03,03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;; *1.1) tls_hexcode="03,02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;; TLSv1) tls_hexcode="03,01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;; SSLv3) tls_hexcode="03,00" ; add_tls_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
heartbleed_payload=", x18, $tls_hexcode, x00, x03, x01, x40, x00" # attention, this is dangerous as it relies on spaces etc. above
tls_sockets "${tls_hexcode:6:2}" "" "ephemeralkey" "" "" "false" tls_sockets "${tls_hexcode:4:2}" "" "ephemeralkey" "" "" "false"
[[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:" [[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:"
socksend "$heartbleed_payload" 1 heartbleed_payload=", 18, $tls_hexcode, 00, 03, 01, 40,00"
socksend_clienthello "$heartbleed_payload" 1
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
if [[ $? -eq 3 ]]; then if [[ $? -eq 3 ]]; then
append=", timed out" append=", timed out"
@ -15007,62 +15009,61 @@ run_ccs_injection(){
fi fi
if [[ 0 -eq $(has_server_protocol tls1) ]]; then if [[ 0 -eq $(has_server_protocol tls1) ]]; then
tls_hexcode="x03, x01" tls_hexcode="03,01"
elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
tls_hexcode="x03, x02" tls_hexcode="03,02"
elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
tls_hexcode="x03, x03" tls_hexcode="03,03"
elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
tls_hexcode="x03, x00" tls_hexcode="03,00"
else # no protocol for some reason defined, determine TLS versions offered with a new handshake else # no protocol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;; *1.2) tls_hexcode="03,03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;; *1.1) tls_hexcode="03,02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;; TLSv1) tls_hexcode="03,01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;; SSLv3) tls_hexcode="03,00" ; add_tls_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
ccs_message=", x14, $tls_hexcode ,x00, x01, x01" ccs_message=", 14, $tls_hexcode ,00,01,01"
client_hello=" client_hello="
# TLS header (5 bytes) # TLS header (5 bytes)
,x16, # content type (x16 for handshake) ,16, # content type (x16 for handshake)
x03, x01, # TLS version in record layer is always TLS 1.0 (except SSLv3) 03, 01, # TLS version in record layer is always TLS 1.0 (except SSLv3)
x00, x93, # length 00, 93, # length
# Handshake header # Handshake header
x01, # type (x01 for ClientHello) 01, # type (x01 for ClientHello)
x00, x00, x8f, # length 00, 00, 8f, # length
$tls_hexcode, # TLS version $tls_hexcode, # TLS version
# Random (32 byte) # Random (32 byte)
x53, x43, x5b, x90, x9d, x9b, x72, x0b, 53, 43, 5b, 90, 9d, 9b, 72, 0b,
xbc, x0c, xbc, x2b, x92, xa8, x48, x97, bc, 0c, bc, 2b, 92, a8, 48, 97,
xcf, xbd, x39, x04, xcc, x16, x0b, x85, cf, bd, 39, 04, cc, 16, 0b, 85,
x03, x90, x9f, x77, x04, x33, xd4, xde, 03, 90, 9f, 77, 04, 33, d4, de,
x00, # session ID length 00, # session ID length
x00, x68, # cipher suites length 00, 68, # cipher suites length
# Cipher suites (51 suites) # Cipher suites (51 suites)
xc0, x13, xc0, x12, xc0, x11, xc0, x10, c0, 13, c0, 12, c0, 11, c0, 10,
xc0, x0f, xc0, x0e, xc0, x0d, xc0, x0c, c0, 0f, c0, 0e, c0, 0d, c0, 0c,
xc0, x0b, xc0, x0a, xc0, x09, xc0, x08, c0, 0b, c0, 0a, c0, 09, c0, 08,
xc0, x07, xc0, x06, xc0, x05, xc0, x04, c0, 07, c0, 06, c0, 05, c0, 04,
xc0, x03, xc0, x02, xc0, x01, x00, x39, c0, 03, c0, 02, c0, 01, 00, 39,
x00, x38, x00, x37, x00, x36, x00, x35, x00, x34, 00, 38, 00, 37, 00, 36, 00, 35, 00, 34,
x00, x33, x00, x32, x00, x31, x00, x30, 00, 33, 00, 32, 00, 31, 00, 30,
x00, x2f, x00, x16, x00, x15, x00, x14, 00, 2f, 00, 16, 00, 15, 00, 14,
x00, x13, x00, x12, x00, x11, x00, x10, 00, 13, 00, 12, 00, 11, 00, 10,
x00, x0f, x00, x0e, x00, x0d, x00, x0c, 00, 0f, 00, 0e, 00, 0d, 00, 0c,
x00, x0b, x00, x0a, x00, x09, x00, x08, 00, 0b, 00, 0a, 00, 09, 00, 08,
x00, x07, x00, x06, x00, x05, x00, x04, 00, 07, 00, 06, 00, 05, 00, 04,
x00, x03, x00, x02, x00, x01, x01, x00" 00, 03, 00, 02, 00, 01, 01, 00"
fd_socket 5 || return 1 fd_socket 5 || return 1
# we now make a standard handshake ...
debugme echo -n "sending client hello... " debugme echo -n "sending client hello... "
socksend "$client_hello" 1 socksend_clienthello "$client_hello" 1
debugme echo "reading server hello... " debugme echo "reading server hello... "
sockread_serverhello 32768 sockread_serverhello 32768
@ -15072,8 +15073,8 @@ run_ccs_injection(){
tm_out "\nsending payload #1 with TLS version $tls_hexcode: " tm_out "\nsending payload #1 with TLS version $tls_hexcode: "
fi fi
rm "$SOCK_REPLY_FILE" rm "$SOCK_REPLY_FILE"
# ... and then send the a change cipher spec message
socksend "$ccs_message" 1 || ok_ids socksend_clienthello "$ccs_message" 1 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK sockread_serverhello 4096 $CCS_MAX_WAITSOCK
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
tmln_out "\n1st reply: " tmln_out "\n1st reply: "
@ -15083,7 +15084,7 @@ run_ccs_injection(){
fi fi
rm "$SOCK_REPLY_FILE" rm "$SOCK_REPLY_FILE"
socksend "$ccs_message" 2 || ok_ids socksend_clienthello "$ccs_message" 2 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK sockread_serverhello 4096 $CCS_MAX_WAITSOCK
retval=$? retval=$?
@ -15115,23 +15116,23 @@ run_ccs_injection(){
else else
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
fi fi
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then elif [[ "${tls_hello_ascii:0:4}" == 1503 ]]; then
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
pr_warning "test failed " pr_warning "test failed "
out "no proper TLS repy (debug info: protocol sent: 1503${tls_hexcode#x03, x}, reply: ${tls_hello_ascii:0:14}" out "no proper TLS repy (debug info: protocol sent: 1503${tls_hexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint" fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=1 ret=1
elif [[ "$byte6" == "15" ]]; then elif [[ "$byte6" == 15 ]]; then
# decryption failed received # decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint" fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then elif [[ "$byte6" == 0A ]] || [[ "$byte6" == 28 ]]; then
# Unexpected message / Handshake failure received # Unexpected message / Handshake failure received
pr_warning "likely " pr_warning "likely "
out "not vulnerable (OK)" out "not vulnerable (OK)"
out " - alert description type: $byte6" out " - alert description type: $byte6"
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint" fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "14" ]]; then elif [[ "$byte6" == 14 ]]; then
# bad_record_mac -- this is not "not vulnerable" # bad_record_mac -- this is not "not vulnerable"
out "likely " out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
@ -15144,13 +15145,13 @@ run_ccs_injection(){
out ", suspicious error code \"$byte6\" returned. Please report" out ", suspicious error code \"$byte6\" returned. Please report"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint" fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
fi fi
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then elif [[ $STARTTLS_PROTOCOL == mysql ]] && [[ "${tls_hello_ascii:14:12}" == 233038533031 ]]; then
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert # MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
# Error: #08S01 Bad handshake # Error: #08S01 Bad handshake
pr_svrty_best "not vulnerable (OK)" pr_svrty_best "not vulnerable (OK)"
out ", looks like MySQL community edition (yaSSL)" out ", looks like MySQL community edition (yaSSL)"
fileout "$jsonID" "OK" "not vulnerable (MySQL community edition (yaSSL) detected)" "$cve" "$cwe" fileout "$jsonID" "OK" "not vulnerable (MySQL community edition (yaSSL) detected)" "$cve" "$cwe"
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != 03 ]]; then
pr_warning "test failed" pr_warning "test failed"
out ", probably read buffer too small (${tls_hello_ascii:0:14})" out ", probably read buffer too small (${tls_hello_ascii:0:14})"
fileout "$jsonID" "DEBUG" "test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint" fileout "$jsonID" "DEBUG" "test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
@ -17765,10 +17766,10 @@ run_robot() {
$OPENSSL pkeyutl -encrypt -certin -inkey $HOSTCERT -pkeyopt rsa_padding_mode:none 2>/dev/null | \ $OPENSSL pkeyutl -encrypt -certin -inkey $HOSTCERT -pkeyopt rsa_padding_mode:none 2>/dev/null | \
hexdump -v -e '16/1 "%02x"')" hexdump -v -e '16/1 "%02x"')"
if [[ -z "$encrypted_pms" ]]; then if [[ -z "$encrypted_pms" ]]; then
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
socksend ",x15, x03, x00, x00, x02, x02, x00" 0 socksend_clienthello ",15, 03, 00, 00, 02, 02, 00" 0
else else
socksend ",x15, x03, x01, x00, x02, x02, x00" 0 socksend_clienthello ",15, 03, 01, 00, 02, 02, 00" 0
fi fi
close_socket close_socket
prln_fixme "Conversion of public key failed around line $((LINENO - 9))" prln_fixme "Conversion of public key failed around line $((LINENO - 9))"