Fix comments in run_logjam, replace awk by bash internal match expr

In certain cases ``run_logjam()`` emitted additional quotes, and a typo
caused only the literal word ``comment`` to end up in JSON/CSV.

Instead of ``$(awk '/Master-Key: / { print $2 }' "$2")`` the
admittedly performance sensitive function ``sclient_connect_successful()``
contains now a bash internal match according to #997 . First
tests didn't show much benefit (only default run with mostly
sockets was tested).

Unit tests showed no problems so far, but coverage is low.
Dirk 2018-03-28 19:46:55 +02:00
parent 1924c9a0a6
commit 6b8f6f82c3
1 changed files with 13 additions and 7 deletions


@ -6163,8 +6163,14 @@ tls_time() {
# returns 0 if connect was successful, 1 if not # returns 0 if connect was successful, 1 if not
# #
sclient_connect_successful() { sclient_connect_successful() {
local server_hello="$(cat "$2")"
local re='Master-Key: ([^\
]*)'
[[ $1 -eq 0 ]] && return 0 [[ $1 -eq 0 ]] && return 0
[[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]] && return 0 if [[ "$server_hello" =~ $re ]]; then
[[ -n "${BASH_REMATCH[1]}" ]] && return 0
fi
# further check like ~ fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1' not done. # further check like ~ fgrep 'Cipher is (NONE)' "$2" &> /dev/null && return 1' not done.
# what's left now is: master key empty and Session-ID not empty # what's left now is: master key empty and Session-ID not empty
# ==> probably client-based auth with x509 certificate. We handle that at other places # ==> probably client-based auth with x509 certificate. We handle that at other places
@ -13216,7 +13222,7 @@ run_logjam() {
fileout "$jsonID2" "MEDIUM" "$comment" "$cve" "$cwe" fileout "$jsonID2" "MEDIUM" "$comment" "$cve" "$cwe"
elif [[ $len_dh_p -le 2048 ]]; then elif [[ $len_dh_p -le 2048 ]]; then
pr_svrty_low "common prime with $len_dh_p bits detected: "; pr_italic "$comment" pr_svrty_low "common prime with $len_dh_p bits detected: "; pr_italic "$comment"
fileout "$jsonID_common primes" "LOW" "$comment" "$cve" "$cwe" fileout "$jsonID2" "LOW" "$comment" "$cve" "$cwe"
else else
out "common prime with $len_dh_p bits detected: "; pr_italic "$comment" out "common prime with $len_dh_p bits detected: "; pr_italic "$comment"
fileout "$jsonID2" "INFO" "$comment" "$cve" "$cwe" fileout "$jsonID2" "INFO" "$comment" "$cve" "$cwe"
@ -13232,19 +13238,19 @@ run_logjam() {
# now size matters -- i.e. the bit size ;-) # now size matters -- i.e. the bit size ;-)
if [[ $len_dh_p -le 512 ]]; then if [[ $len_dh_p -le 512 ]]; then
pr_svrty_critical "VULNERABLE (NOT ok):" ; out " uses common prime "; pr_italic "$comment"; out " ($len_dh_p bits)" pr_svrty_critical "VULNERABLE (NOT ok):" ; out " uses common prime "; pr_italic "$comment"; out " ($len_dh_p bits)"
fileout "$jsonID2" "CRITICAL" "\"$comment\"" "$cve" "$cwe" fileout "$jsonID2" "CRITICAL" "$comment" "$cve" "$cwe"
elif [[ $len_dh_p -le 1024 ]]; then elif [[ $len_dh_p -le 1024 ]]; then
pr_svrty_high "VULNERABLE (NOT ok):"; out " common prime "; pr_italic "$comment"; out " detected ($len_dh_p bits)" pr_svrty_high "VULNERABLE (NOT ok):"; out " common prime "; pr_italic "$comment"; out " detected ($len_dh_p bits)"
fileout "$jsonID2" "HIGH" "\"comment\"" "$cve" "$cwe" fileout "$jsonID2" "HIGH" "$comment" "$cve" "$cwe"
elif [[ $len_dh_p -le 1536 ]]; then elif [[ $len_dh_p -le 1536 ]]; then
pr_svrty_medium "Common prime with $len_dh_p bits detected: "; pr_italic "$comment" pr_svrty_medium "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
fileout "$jsonID2" "MEDIUM" "\"$comment\"" "$cve" "$cwe" fileout "$jsonID2" "MEDIUM" "$comment" "$cve" "$cwe"
elif [[ $len_dh_p -le 2048 ]]; then elif [[ $len_dh_p -le 2048 ]]; then
pr_svrty_low "Common prime with $len_dh_p bits detected: "; pr_italic "$comment" pr_svrty_low "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
fileout "$jsonID2" "LOW" "\"$comment\"" "$cve" "$cwe" fileout "$jsonID2" "LOW" "$comment" "$cve" "$cwe"
else else
out "Common prime with $len_dh_p bits detected: "; pr_italic "$comment" out "Common prime with $len_dh_p bits detected: "; pr_italic "$comment"
fileout "$jsonID2" "INFO" "common prime \"$comment\" detected" "$cve" "$cwe" fileout "$jsonID2" "INFO" "$comment" "$cve" "$cwe"
fi fi
if ! "$openssl_no_expdhciphers"; then if ! "$openssl_no_expdhciphers"; then
outln "," outln ","
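Review bot: In the sclient_connect_successful hunk, `local server_hello="$(cat "$2")"` still forks a `cat` on every call and lets `local` mask the read's exit status, which works against the commit's own aim of making this performance-sensitive function cheaper; bash can slurp the file without a subprocess, `local server_hello` followed by `server_hello=$(<"$2")`. The two-line pattern `local re='Master-Key: ([^\` … `]*)'` depends on a literal newline inside the bracket expression (ERE treats the backslash there as an ordinary character) so that the capture stops at end of line and an empty Master-Key yields an empty `BASH_REMATCH[1]`; that is easy to break during reformatting, so a comment such as `# deliberate: literal newline in [^…] stops the capture at end of line` should sit above it. The body of sclient_connect_successful continues beyond the hunk's last line, so the fall-through return is not visible here. The two run_logjam hunks only correct the stray quotes and the `$jsonID2` typo and need nothing further.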