mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 04:49:44 +01:00
Merge pull request #1898 from PeterDaveHello/FixIndentation
Fix indentation in testssl.sh
This commit is contained in:
commit
893bb98a61
132
testssl.sh
132
testssl.sh
@ -1633,7 +1633,7 @@ out_row_aligned_max_width_by_entry() {
|
|||||||
fi
|
fi
|
||||||
out " "
|
out " "
|
||||||
prev_entry="$entry"
|
prev_entry="$entry"
|
||||||
done <<< "$resp"
|
done <<< "$resp"
|
||||||
}
|
}
|
||||||
|
|
||||||
print_fixed_width() {
|
print_fixed_width() {
|
||||||
@ -6808,7 +6808,7 @@ run_server_preference() {
|
|||||||
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
( [[ $proto_ossl != tls1_3 ]] && ! "$has_cipher_order" ]] ) || \
|
||||||
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
( [[ $proto_ossl == tls1_3 ]] && ! "$has_tls13_cipher_order" ]] ); then
|
||||||
if [[ $proto_ossl == ssl2 ]]; then
|
if [[ $proto_ossl == ssl2 ]]; then
|
||||||
outln " (listed by strength)"
|
outln " (listed by strength)"
|
||||||
elif [[ $proto_ossl == tls1_3 ]]; then
|
elif [[ $proto_ossl == tls1_3 ]]; then
|
||||||
outln " (no server order, thus listed by strength)"
|
outln " (no server order, thus listed by strength)"
|
||||||
else
|
else
|
||||||
@ -6939,12 +6939,12 @@ cipher_pref_check() {
|
|||||||
while true; do
|
while true; do
|
||||||
if [[ $proto != tls1_3 ]]; then
|
if [[ $proto != tls1_3 ]]; then
|
||||||
if [[ -n "$ciphers_found" ]]; then
|
if [[ -n "$ciphers_found" ]]; then
|
||||||
ciphers_to_test=""
|
ciphers_to_test=""
|
||||||
for cipher in $ciphers_found; do
|
for cipher in $ciphers_found; do
|
||||||
[[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher"
|
[[ ! "$tested_cipher:" =~ :-$cipher: ]] && ciphers_to_test+=":$cipher"
|
||||||
done
|
done
|
||||||
[[ -z "$ciphers_to_test" ]] && break
|
[[ -z "$ciphers_to_test" ]] && break
|
||||||
ciphers_to_test="-cipher ${ciphers_to_test:1}"
|
ciphers_to_test="-cipher ${ciphers_to_test:1}"
|
||||||
else
|
else
|
||||||
ciphers_to_test="-cipher ALL:COMPLEMENTOFALL${tested_cipher}"
|
ciphers_to_test="-cipher ALL:COMPLEMENTOFALL${tested_cipher}"
|
||||||
fi
|
fi
|
||||||
@ -14166,10 +14166,10 @@ parse_tls_serverhello() {
|
|||||||
len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:6:2}")
|
len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:6:2}")
|
||||||
offset=$((len1+8))
|
offset=$((len1+8))
|
||||||
if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then
|
if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then
|
||||||
# The SignatureAndHashAlgorithm won't be present in an anonymous
|
# The SignatureAndHashAlgorithm won't be present in an anonymous
|
||||||
# key exhange.
|
# key exhange.
|
||||||
peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}"
|
peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}"
|
||||||
peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}"
|
peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -14239,9 +14239,9 @@ parse_tls_serverhello() {
|
|||||||
rfc7919_param="${rfc7919_param%,}"
|
rfc7919_param="${rfc7919_param%,}"
|
||||||
[[ "$ephemeral_param" =~ $rfc7919_param ]] || named_curve_str=""
|
[[ "$ephemeral_param" =~ $rfc7919_param ]] || named_curve_str=""
|
||||||
else
|
else
|
||||||
ephemeral_param="$(grep -EA 1000 "prime:|P:" <<< "$ephemeral_param")"
|
ephemeral_param="$(grep -EA 1000 "prime:|P:" <<< "$ephemeral_param")"
|
||||||
rfc7919_param="$($OPENSSL pkey -text_pub -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -EA 1000 "prime:|P:")"
|
rfc7919_param="$($OPENSSL pkey -text_pub -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -EA 1000 "prime:|P:")"
|
||||||
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
|
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -14266,8 +14266,8 @@ parse_tls_serverhello() {
|
|||||||
len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:offset:4}")
|
len1=2*$(hex2dec "${tls_serverkeyexchange_ascii:offset:4}")
|
||||||
offset+=$((len1+4))
|
offset+=$((len1+4))
|
||||||
if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then
|
if [[ $tls_serverkeyexchange_ascii_len -ge $((offset+4)) ]]; then
|
||||||
# The SignatureAndHashAlgorithm won't be present in an anonymous
|
# The SignatureAndHashAlgorithm won't be present in an anonymous
|
||||||
# key exhange.
|
# key exhange.
|
||||||
peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}"
|
peering_signing_digest="${tls_serverkeyexchange_ascii:offset:2}"
|
||||||
peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}"
|
peer_signature_type="${tls_serverkeyexchange_ascii:$((offset+2)):2}"
|
||||||
fi
|
fi
|
||||||
@ -14320,53 +14320,53 @@ parse_tls_serverhello() {
|
|||||||
|
|
||||||
# ASCII-HEX encoded session ticket
|
# ASCII-HEX encoded session ticket
|
||||||
parse_tls13_new_session_ticket() {
|
parse_tls13_new_session_ticket() {
|
||||||
local tls_version="$1"
|
local tls_version="$1"
|
||||||
local new_session_ticket="$2"
|
local new_session_ticket="$2"
|
||||||
local -i len ticket_lifetime ticket_age_add min_len remainder
|
local -i len ticket_lifetime ticket_age_add min_len remainder
|
||||||
local ticket_nonce ticket extensions
|
local ticket_nonce ticket extensions
|
||||||
local has_nonce=true
|
local has_nonce=true
|
||||||
|
|
||||||
[[ "${new_session_ticket:0:2}" == 04 ]] || return 7
|
[[ "${new_session_ticket:0:2}" == 04 ]] || return 7
|
||||||
# Prior to draft 21 the NewSessionTicket did not include a ticket_nonce.
|
# Prior to draft 21 the NewSessionTicket did not include a ticket_nonce.
|
||||||
[[ "${tls_version:0:2}" == 7F ]] && [[ 0x${tls_version:2:2} -le 20 ]] && has_nonce=false
|
[[ "${tls_version:0:2}" == 7F ]] && [[ 0x${tls_version:2:2} -le 20 ]] && has_nonce=false
|
||||||
|
|
||||||
# Set min_len to the minimum length that a session ticket can be.
|
# Set min_len to the minimum length that a session ticket can be.
|
||||||
min_len=28
|
min_len=28
|
||||||
"$has_nonce" || min_len=$((min_len-2))
|
"$has_nonce" || min_len=$((min_len-2))
|
||||||
|
|
||||||
remainder=$((2*0x${new_session_ticket:2:6}))
|
remainder=$((2*0x${new_session_ticket:2:6}))
|
||||||
[[ $remainder -ge $min_len ]] || return 7
|
[[ $remainder -ge $min_len ]] || return 7
|
||||||
[[ ${#new_session_ticket} -ge $((remainder + 8)) ]] || return 7
|
[[ ${#new_session_ticket} -ge $((remainder + 8)) ]] || return 7
|
||||||
|
|
||||||
ticket_lifetime=0x${new_session_ticket:8:8}
|
ticket_lifetime=0x${new_session_ticket:8:8}
|
||||||
ticket_age_add=0x${new_session_ticket:16:8}
|
ticket_age_add=0x${new_session_ticket:16:8}
|
||||||
new_session_ticket="${new_session_ticket:24}"
|
new_session_ticket="${new_session_ticket:24}"
|
||||||
remainder=$((remainder-16))
|
remainder=$((remainder-16))
|
||||||
|
|
||||||
if "$has_nonce"; then
|
if "$has_nonce"; then
|
||||||
len=$((2*0x${new_session_ticket:0:2}))
|
len=$((2*0x${new_session_ticket:0:2}))
|
||||||
new_session_ticket="${new_session_ticket:2}"
|
new_session_ticket="${new_session_ticket:2}"
|
||||||
[[ $remainder -ge $((len + 12)) ]] || return 7
|
[[ $remainder -ge $((len + 12)) ]] || return 7
|
||||||
ticket_nonce="${new_session_ticket:0:len}"
|
ticket_nonce="${new_session_ticket:0:len}"
|
||||||
new_session_ticket="${new_session_ticket:len}"
|
new_session_ticket="${new_session_ticket:len}"
|
||||||
remainder=$((remainder-len-2))
|
remainder=$((remainder-len-2))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
len=$((2*0x${new_session_ticket:0:4}))
|
len=$((2*0x${new_session_ticket:0:4}))
|
||||||
new_session_ticket="${new_session_ticket:4}"
|
new_session_ticket="${new_session_ticket:4}"
|
||||||
[[ $remainder -ge $((len + 8)) ]] || return 7
|
[[ $remainder -ge $((len + 8)) ]] || return 7
|
||||||
ticket="${new_session_ticket:0:len}"
|
ticket="${new_session_ticket:0:len}"
|
||||||
new_session_ticket="${new_session_ticket:len}"
|
new_session_ticket="${new_session_ticket:len}"
|
||||||
remainder=$((remainder-len-4))
|
remainder=$((remainder-len-4))
|
||||||
|
|
||||||
len=$((2*0x${new_session_ticket:0:4}))
|
len=$((2*0x${new_session_ticket:0:4}))
|
||||||
new_session_ticket="${new_session_ticket:4}"
|
new_session_ticket="${new_session_ticket:4}"
|
||||||
[[ $remainder -eq $((len + 4)) ]] || return 7
|
[[ $remainder -eq $((len + 4)) ]] || return 7
|
||||||
extensions="${new_session_ticket:0:len}"
|
extensions="${new_session_ticket:0:len}"
|
||||||
|
|
||||||
echo " TLS session ticket lifetime hint: $ticket_lifetime (seconds)" > $TMPFILE
|
echo " TLS session ticket lifetime hint: $ticket_lifetime (seconds)" > $TMPFILE
|
||||||
tmpfile_handle ${FUNCNAME[0]}.txt $TMPFILE
|
tmpfile_handle ${FUNCNAME[0]}.txt $TMPFILE
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
#arg1 (optional): list of ciphers suites or empty
|
#arg1 (optional): list of ciphers suites or empty
|
||||||
@ -16915,7 +16915,7 @@ run_freak() {
|
|||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for FREAK attack " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for FREAK attack " && outln
|
||||||
pr_bold " FREAK"; out " ($cve) "
|
pr_bold " FREAK"; out " ($cve) "
|
||||||
|
|
||||||
if "$TLS13_ONLY"; then
|
if "$TLS13_ONLY"; then
|
||||||
pr_svrty_best "not vulnerable (OK)"
|
pr_svrty_best "not vulnerable (OK)"
|
||||||
[[ $DEBUG -ge 1 ]] && out ", TLS 1.3 only server"
|
[[ $DEBUG -ge 1 ]] && out ", TLS 1.3 only server"
|
||||||
outln
|
outln
|
||||||
@ -17786,9 +17786,9 @@ run_winshock() {
|
|||||||
for tls_ext in $TLS_EXTENSIONS; do
|
for tls_ext in $TLS_EXTENSIONS; do
|
||||||
# We use the whole array, got to be careful when the array becomes bigger (unintented match)
|
# We use the whole array, got to be careful when the array becomes bigger (unintented match)
|
||||||
if [[ ${forbidden_tls_ext[@]} =~ $tls_ext ]]; then
|
if [[ ${forbidden_tls_ext[@]} =~ $tls_ext ]]; then
|
||||||
pr_svrty_best "not vulnerable (OK)"; outln " - TLS extension $tls_ext detected"
|
pr_svrty_best "not vulnerable (OK)"; outln " - TLS extension $tls_ext detected"
|
||||||
fileout "$jsonID" "OK" "not vulnerable - TLS extension $tls_ext detected" "$cve" "$cwe"
|
fileout "$jsonID" "OK" "not vulnerable - TLS extension $tls_ext detected" "$cve" "$cwe"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -20484,11 +20484,11 @@ extract_calist() {
|
|||||||
type=$(hex2dec "${certreq:0:4}")
|
type=$(hex2dec "${certreq:0:4}")
|
||||||
len=2*$(hex2dec "${certreq:4:4}")
|
len=2*$(hex2dec "${certreq:4:4}")
|
||||||
if [[ $type -eq 47 ]]; then
|
if [[ $type -eq 47 ]]; then
|
||||||
# This is the certificate_authorities extension
|
# This is the certificate_authorities extension
|
||||||
calist="${certreq:8:len}"
|
calist="${certreq:8:len}"
|
||||||
len=2*$(hex2dec "${calist:0:4}")
|
len=2*$(hex2dec "${calist:0:4}")
|
||||||
calist="${calist:4:len}"
|
calist="${calist:4:len}"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
certreq="${certreq:$((len+8))}"
|
certreq="${certreq:$((len+8))}"
|
||||||
done
|
done
|
||||||
@ -22774,7 +22774,7 @@ lets_roll() {
|
|||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
|
"$do_cipherlists" && { run_cipherlists; ret=$(($? + ret)); stopwatch run_cipherlists; }
|
||||||
|
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
|
"$do_server_preference" && { run_server_preference; ret=$(($? + ret)); stopwatch run_server_preference; }
|
||||||
|
|
||||||
fileout_section_header $section_number true && ((section_number++))
|
fileout_section_header $section_number true && ((section_number++))
|
||||||
|
Loading…
Reference in New Issue
Block a user