Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 10:40:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move more towards a common socksend* function

Browse Source 
This commit chamges a few functions / calls so that
the hexbyte syntax with leading x was changed to
one without. The calls then need to change from
socksend --> socksend_clienthello .

The goal is basically to remove socksend() at
some point. Also socksend_clienthello()'s use
of NW_STR should be reconsidered.

This PR removes also some blanks, at the right
hand side of some double square brackets and
at some empty lines
This commit is contained in:
Dirk Wetter 2020-03-06 21:31:23 +01:00
parent 0d8abd131e
commit 6a7bf1674c
1 changed files with 76 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

149
testssl.sh
View File

@ -10300,8 +10300,8 @@ starttls_nntp_dialog() {
starttls_postgres_dialog() {
debugme echo "=== starting postgres STARTTLS dialog ==="
local init_tls=", x00, x00 ,x00 ,x08 ,x04 ,xD2 ,x16 ,x2F"
socksend "${init_tls}" 0 && debugme echo "initiated STARTTLS" &&
local init_tls=", 00, 00 ,00 ,08 ,04 ,D2 ,16 ,2F"
socksend_clienthello "${init_tls}" 0 && debugme echo "initiated STARTTLS" &&
starttls_io "" S 1 && debugme echo "received ack (="S") for STARTTLS"
local ret=$?
debugme echo "=== finished postgres STARTTLS dialog with ${ret} ==="
@ -10311,14 +10311,14 @@ starttls_postgres_dialog() {
starttls_mysql_dialog() {
debugme echo "=== starting mysql STARTTLS dialog ==="
local login_request="
, x20, x00, x00, x01, # payload_length, sequence_id
x85, xae, xff, x00, # capability flags, CLIENT_SSL always set
x00, x00, x00, x01, # max-packet size
x21, # character set
x00, x00, x00, x00, x00, x00, x00, x00, # string[23] reserved (all [0])
x00, x00, x00, x00, x00, x00, x00, x00,
x00, x00, x00, x00, x00, x00, x00"
socksend "${login_request}" 0
, 20, 00, 00, 01, # payload_length, sequence_id
85, ae, ff, 00, # capability flags, CLIENT_SSL always set
00, 00, 00, 01, # max-packet size
21, # character set
00, 00, 00, 00, 00, 00, 00, 00, # string[23] reserved (all [0])
00, 00, 00, 00, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00"
socksend_clienthello "${login_request}" 0
starttls_just_read 1 && debugme echo "read succeeded"
# 1 is the timeout value which only MySQL needs. Note, there seems no response whether STARTTLS
# succeeded. We could try harder, see https://github.com/openssl/openssl/blob/master/apps/s_client.c
@ -10453,9 +10453,9 @@ send_close_notify() {
debugme echo "sending close_notify..."
if [[ $detected_tlsversion == 0300 ]]; then
socksend ",x15, x03, x00, x00, x02, x02, x00" 0
socksend_clienthello ",15, 03, 00, 00, 02, 02, 00" 0
else
socksend ",x15, x03, x01, x00, x02, x02, x00" 0
socksend_clienthello ",15, 03, 01, 00, 02, 02, 00" 0
fi
}
@ -10467,13 +10467,13 @@ send_close_notify() {
code2network() {
local temp="" line=""
NW_STR=$(while read -r line; do
NW_STR="$(while read -r line; do
[[ -z "$line" ]] && continue # blank line
temp="${line%%\#*}" # remove comments
temp="${temp//,/\\\x}" # comma to \x
temp="${temp//[\t ]/}" # blank and tabs
printf "%s" "$temp"
done <<< "$1")
done <<< "$1")"
}
# sockets inspired by http://blog.chris007.de/?p=238
@ -10497,6 +10497,7 @@ socksend_clienthello() {
# ARG1: hexbytes -- preceeded by x -- separated by commas, with a leading comma
# ARG2: seconds to sleep
#FIXME: use socksend_clienthello instead. This will be removed soon!!
socksend() {
local data line
@ -14516,7 +14517,7 @@ resend_if_hello_retry_request() {
if [[ "$server_version" == 0304 ]] || [[ 0x$server_version -ge 0x7f16 ]]; then
# Send a dummy change cipher spec for middlebox compatibility.
debugme echo -en "\nsending dummy change cipher spec... "
socksend ", x14, x03, x03 ,x00, x01, x01" 0
socksend_clienthello ", 14, 03, 03 ,00, 01, 01" 0
fi
debugme echo -en "\nsending second client hello... "
second_clienthello="$(modify_clienthello "$original_clienthello" "$new_key_share" "$cookie")"
@ -14906,29 +14907,30 @@ run_heartbleed(){
fi
if [[ 0 -eq $(has_server_protocol tls1) ]]; then
tls_hexcode="x03, x01"
tls_hexcode="03,01"
elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
tls_hexcode="x03, x02"
tls_hexcode="03,02"
elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
tls_hexcode="x03, x03"
tls_hexcode="03,03"
elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
tls_hexcode="x03, x00"
tls_hexcode="03,00"
else # no protocol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;;
*1.2) tls_hexcode="03,03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="03,02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="03,01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="03,00" ; add_tls_offered ssl3 yes ;;
esac
fi
debugme echo "using protocol $tls_hexcode"
heartbleed_payload=", x18, $tls_hexcode, x00, x03, x01, x40, x00"
tls_sockets "${tls_hexcode:6:2}" "" "ephemeralkey" "" "" "false"
# attention, this is dangerous as it relies on spaces etc. above
tls_sockets "${tls_hexcode:4:2}" "" "ephemeralkey" "" "" "false"
[[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:"
socksend "$heartbleed_payload" 1
heartbleed_payload=", 18, $tls_hexcode, 00, 03, 01, 40,00"
socksend_clienthello "$heartbleed_payload" 1
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
if [[ $? -eq 3 ]]; then
append=", timed out"
@ -15007,62 +15009,61 @@ run_ccs_injection(){
fi
if [[ 0 -eq $(has_server_protocol tls1) ]]; then
tls_hexcode="x03, x01"
tls_hexcode="03,01"
elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
tls_hexcode="x03, x02"
tls_hexcode="03,02"
elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
tls_hexcode="x03, x03"
tls_hexcode="03,03"
elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
tls_hexcode="x03, x00"
tls_hexcode="03,00"
else # no protocol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY") >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;;
*1.2) tls_hexcode="03,03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="03,02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="03,01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="03,00" ; add_tls_offered ssl3 yes ;;
esac
fi
debugme echo "using protocol $tls_hexcode"
ccs_message=", x14, $tls_hexcode ,x00, x01, x01"
ccs_message=", 14, $tls_hexcode ,00,01,01"
client_hello="
# TLS header (5 bytes)
,x16, # content type (x16 for handshake)
x03, x01, # TLS version in record layer is always TLS 1.0 (except SSLv3)
x00, x93, # length
,16, # content type (x16 for handshake)
03, 01, # TLS version in record layer is always TLS 1.0 (except SSLv3)
00, 93, # length
# Handshake header
x01, # type (x01 for ClientHello)
x00, x00, x8f, # length
$tls_hexcode, # TLS version
01, # type (x01 for ClientHello)
00, 00, 8f, # length
$tls_hexcode, # TLS version
# Random (32 byte)
x53, x43, x5b, x90, x9d, x9b, x72, x0b,
xbc, x0c, xbc, x2b, x92, xa8, x48, x97,
xcf, xbd, x39, x04, xcc, x16, x0b, x85,
x03, x90, x9f, x77, x04, x33, xd4, xde,
x00, # session ID length
x00, x68, # cipher suites length
53, 43, 5b, 90, 9d, 9b, 72, 0b,
bc, 0c, bc, 2b, 92, a8, 48, 97,
cf, bd, 39, 04, cc, 16, 0b, 85,
03, 90, 9f, 77, 04, 33, d4, de,
00, # session ID length
00, 68, # cipher suites length
# Cipher suites (51 suites)
xc0, x13, xc0, x12, xc0, x11, xc0, x10,
xc0, x0f, xc0, x0e, xc0, x0d, xc0, x0c,
xc0, x0b, xc0, x0a, xc0, x09, xc0, x08,
xc0, x07, xc0, x06, xc0, x05, xc0, x04,
xc0, x03, xc0, x02, xc0, x01, x00, x39,
x00, x38, x00, x37, x00, x36, x00, x35, x00, x34,
x00, x33, x00, x32, x00, x31, x00, x30,
x00, x2f, x00, x16, x00, x15, x00, x14,
x00, x13, x00, x12, x00, x11, x00, x10,
x00, x0f, x00, x0e, x00, x0d, x00, x0c,
x00, x0b, x00, x0a, x00, x09, x00, x08,
x00, x07, x00, x06, x00, x05, x00, x04,
x00, x03, x00, x02, x00, x01, x01, x00"
c0, 13, c0, 12, c0, 11, c0, 10,
c0, 0f, c0, 0e, c0, 0d, c0, 0c,
c0, 0b, c0, 0a, c0, 09, c0, 08,
c0, 07, c0, 06, c0, 05, c0, 04,
c0, 03, c0, 02, c0, 01, 00, 39,
00, 38, 00, 37, 00, 36, 00, 35, 00, 34,
00, 33, 00, 32, 00, 31, 00, 30,
00, 2f, 00, 16, 00, 15, 00, 14,
00, 13, 00, 12, 00, 11, 00, 10,
00, 0f, 00, 0e, 00, 0d, 00, 0c,
00, 0b, 00, 0a, 00, 09, 00, 08,
00, 07, 00, 06, 00, 05, 00, 04,
00, 03, 00, 02, 00, 01, 01, 00"
fd_socket 5 || return 1
# we now make a standard handshake ...
debugme echo -n "sending client hello... "
socksend "$client_hello" 1
socksend_clienthello "$client_hello" 1
debugme echo "reading server hello... "
sockread_serverhello 32768
@ -15072,8 +15073,8 @@ run_ccs_injection(){
tm_out "\nsending payload #1 with TLS version $tls_hexcode: "
fi
rm "$SOCK_REPLY_FILE"
# ... and then send the a change cipher spec message
socksend "$ccs_message" 1 || ok_ids
socksend_clienthello "$ccs_message" 1 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
if [[ $DEBUG -ge 3 ]]; then
tmln_out "\n1st reply: "
@ -15083,7 +15084,7 @@ run_ccs_injection(){
fi
rm "$SOCK_REPLY_FILE"
socksend "$ccs_message" 2 || ok_ids
socksend_clienthello "$ccs_message" 2 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
retval=$?
@ -15115,23 +15116,23 @@ run_ccs_injection(){
else
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
fi
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
elif [[ "${tls_hello_ascii:0:4}" == 1503 ]]; then
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
pr_warning "test failed "
out "no proper TLS repy (debug info: protocol sent: 1503${tls_hexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=1
elif [[ "$byte6" == "15" ]]; then
elif [[ "$byte6" == 15 ]]; then
# decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
elif [[ "$byte6" == 0A ]] || [[ "$byte6" == 28 ]]; then
# Unexpected message / Handshake failure received
pr_warning "likely "
out "not vulnerable (OK)"
out " - alert description type: $byte6"
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "14" ]]; then
elif [[ "$byte6" == 14 ]]; then
# bad_record_mac -- this is not "not vulnerable"
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
@ -15144,13 +15145,13 @@ run_ccs_injection(){
out ", suspicious error code \"$byte6\" returned. Please report"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
fi
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
elif [[ $STARTTLS_PROTOCOL == mysql ]] && [[ "${tls_hello_ascii:14:12}" == 233038533031 ]]; then
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
# Error: #08S01 Bad handshake
pr_svrty_best "not vulnerable (OK)"
out ", looks like MySQL community edition (yaSSL)"
fileout "$jsonID" "OK" "not vulnerable (MySQL community edition (yaSSL) detected)" "$cve" "$cwe"
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != 03 ]]; then
pr_warning "test failed"
out ", probably read buffer too small (${tls_hello_ascii:0:14})"
fileout "$jsonID" "DEBUG" "test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
@ -17765,10 +17766,10 @@ run_robot() {
$OPENSSL pkeyutl -encrypt -certin -inkey $HOSTCERT -pkeyopt rsa_padding_mode:none 2>/dev/null | \
hexdump -v -e '16/1 "%02x"')"
if [[ -z "$encrypted_pms" ]]; then
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
socksend ",x15, x03, x00, x00, x02, x02, x00" 0
if [[ "$DETECTED_TLS_VERSION" == 0300 ]]; then
socksend_clienthello ",15, 03, 00, 00, 02, 02, 00" 0
else
socksend ",x15, x03, x01, x00, x02, x02, x00" 0
socksend_clienthello ",15, 03, 01, 00, 02, 02, 00" 0
fi
close_socket
prln_fixme "Conversion of public key failed around line $((LINENO - 9))"