- centralized some HAS_* vars from s_client

2025-01-03 23:39:45 +01:00 · 2016-09-21 21:42:45 +02:00 · 2016-09-21 21:42:45 +02:00 · 802a6da92c
commit 802a6da92c
parent 9afbba1e04
1 changed files with 44 additions and 16 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -218,6 +218,9 @@ HAS_SSL3=false
 HAS_NO_SSL2=false
 HAS_ALPN=false
 HAS_SPDY=false
+HAS_FALLBACK_SCSV=false
+HAS_PROXY=false
+HAS_XMPP=false
 ADD_RFC_STR="rfc"                       # display RFC ciphernames
 PORT=443                                # unless otherwise auto-determined, see below
 NODE=""
@ -1800,7 +1803,8 @@ run_cipher_per_proto() {
          has_server_protocol "${proto:1}" || continue
          
          # The OpenSSL ciphers function, prior to version 1.1.0, could only understand -ssl2, -ssl3, and -tls1.
-          if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]]; then
+          if [[ "$proto" == "-ssl2" ]] || [[ "$proto" == "-ssl3" ]] || \
+               [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0"* ]] || [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.1"* ]]; then
               ossl_ciphers_proto="$proto"
          else
               ossl_ciphers_proto="-tls1"
@ -3823,7 +3827,9 @@ determine_trust() {
     # and the output should should be indented by two more spaces.
     [[ -n $json_prefix ]] && spaces="                                "

-     if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]]; then
+     if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && \
+          [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]] && \
+          [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.1" ]]; then
          addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
          fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
     fi
@ -6499,8 +6505,7 @@ run_crime() {
 #         return $ret
 #    esac

-#    $OPENSSL s_client -help 2>&1 | grep -qw nextprotoneg
-#    if [[ $? -eq 0 ]]; then
+#    if "$HAS_NPN"; then
 #         $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs  $SNI </dev/null 2>/dev/null >$TMPFILE
 #         if [[ $? -eq 0 ]]; then
 #              echo
@ -6629,7 +6634,7 @@ run_tls_fallback_scsv() {
     # the countermeasure to protect against protocol downgrade attacks.

     # First check we have support for TLS_FALLBACK_SCSV in our local OpenSSL
-     if ! $OPENSSL s_client -help 2>&1 | grep -q "\-fallback_scsv"; then
+     if ! "$HAS_FALLBACK_SCSV"; then
          local_problem_ln "$OPENSSL lacks TLS_FALLBACK_SCSV support"
          return 4
     fi
@ -7195,6 +7200,8 @@ test_openssl_suffix() {


 find_openssl_binary() {
+     local s_client_has=$TEMPDIR/s_client_has.txt
+
     # 0. check environment variable whether it's executable
     if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then
          pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary."
@ -7226,7 +7233,7 @@ find_openssl_binary() {

     # see #190, reverting logic: unless otherwise proved openssl has no dh bits
     case "$OSSL_VER_MAJOR.$OSSL_VER_MINOR" in
-          1.0.2|1.1.0) HAS_DH_BITS=true ;;
+          1.0.2|1.1.0|1.1.1) HAS_DH_BITS=true ;;
     esac
     # libressl does not have "Server Temp Key" (SSL_get_server_tmp_key)

@ -7235,6 +7242,8 @@ find_openssl_binary() {
          pr_warning "Please note: LibreSSL is not a good choice for testing INSECURE features!"
     fi

+     initialize_engine
+
     OPENSSL_NR_CIPHERS=$(count_ciphers "$($OPENSSL ciphers 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>/dev/null)")

     $OPENSSL s_client -ssl2 2>&1 | grep -aq "unknown option" || \
@ -7246,12 +7255,23 @@ find_openssl_binary() {
     $OPENSSL s_client -no_ssl2 2>&1 | grep -aq "unknown option" || \
          HAS_NO_SSL2=true

-     $OPENSSL s_client -help 2>&1 | grep -qw '\-alpn' && \
+     $OPENSSL s_client -help 2>$s_client_has
+
+     grep -qw '\-alpn' $s_client_has && \
          HAS_ALPN=true

-     $OPENSSL s_client -help 2>&1 | grep -qw '\-nextprotoneg' && \
+     grep -qw '\-nextprotoneg' $s_client_has && \
          HAS_SPDY=true

+     grep -qw '\-fallback_scsv' $s_client_has && \
+          HAS_FALLBACK_SCSV=true
+
+     grep -q '\-proxy' $s_client_has && \
+          HAS_PROXY=true
+
+     grep -q '\-xmpp' $s_client_has && \
+          HAS_XMPP=true
+
     return 0
 }

@ -7401,10 +7421,13 @@ maketempf() {
          ERRFILE=$TEMPDIR/errorfile.txt || exit -6
     fi
     HOSTCERT=$TEMPDIR/host_certificate.txt
-     initialize_engine
+}
+
+prepare_debug() {
     if [[ $DEBUG -ne 0 ]]; then
          cat >$TEMPDIR/environment.txt << EOF

+
 CVS_REL: $CVS_REL
 GIT_REL: $GIT_REL

@ -7432,6 +7455,9 @@ HAS_SSL3: $HAS_SSL3
 HAS_NO_SSL2: $HAS_NO_SSL2
 HAS_SPDY: $HAS_SPDY
 HAS_ALPN: $HAS_ALPN
+HAS_FALLBACK_SCSV: $HAS_FALLBACK_SCSV
+HAS_PROXY: $HAS_PROXY
+HAS_XMPP: $HAS_XMPP

 PATH: $PATH
 PROG_NAME: $PROG_NAME
@ -7468,11 +7494,11 @@ CCS_MAX_WAITSOCK: $CCS_MAX_WAITSOCK
 USLEEP_SND $USLEEP_SND
 USLEEP_REC $USLEEP_REC

-
 EOF
          which locale &>/dev/null && locale >>$TEMPDIR/environment.txt || echo "locale doesn't exist" >>$TEMPDIR/environment.txt
          $OPENSSL ciphers -V 'ALL:COMPLEMENTOFALL'  &>$TEMPDIR/all_local_ciphers.txt
     fi
+     # see also $TEMPDIR/s_client_has.txt from find_openssl_binary
 }


@ -7920,8 +7946,8 @@ get_mx_record() {
 #
 check_proxy() {
     if [[ -n "$PROXY" ]]; then
-          if ! $OPENSSL s_client -help 2>&1 | grep -qw proxy; then
-               fatal "Your $OPENSSL is too old to support the \"--proxy\" option" -5
+          if ! "$HAS_PROXY"; then
+               fatal "Your $OPENSSL is too old to support the \"-proxy\" option" -5
          fi
          PROXYNODE=${PROXY%:*}
          PROXYPORT=${PROXY#*:}
@ -8064,7 +8090,7 @@ determine_service() {
                         # for XMPP, openssl has a problem using -connect $NODEIP:$PORT. thus we use -connect $NODE:$PORT instead!
                         NODEIP="$NODE"
                         if [[ -n "$XMPP_HOST" ]]; then
-                              if ! $OPENSSL s_client --help 2>&1 | grep -q xmpphost; then
+                              if ! "$HAS_XMPP"; then
                                   fatal "Your $OPENSSL does not support the \"-xmpphost\" option" -5
                              fi
                              STARTTLS="$STARTTLS -xmpphost $XMPP_HOST"         # it's a hack -- instead of changing calls all over the place
@ -8350,8 +8376,9 @@ parse_cmd_line() {
                    help 0
                    ;;
               -b|--banner|-v|--version)
-                    find_openssl_binary
                    maketempf
+                    find_openssl_binary
+                    prepare_debug
                    mybanner
                    exit 0
                    ;;
@ -8754,8 +8781,9 @@ get_install_dir
 initialize_globals
 parse_cmd_line "$@"
 set_color_functions
-find_openssl_binary
 maketempf
+find_openssl_binary
+prepare_debug
 mybanner
 check_proxy
 check4openssl_oldfarts
@ -8817,4 +8845,4 @@ fi
 exit $?


-#  $Id: testssl.sh,v 1.543 2016/09/10 17:37:58 dirkw Exp $
+#  $Id: testssl.sh,v 1.545 2016/09/21 19:42:44 dirkw Exp $