Merge branch '2.9dev' into run_crime_sockets
commit
92d1daa976
52
testssl.sh
52
testssl.sh
|
@ -6097,11 +6097,12 @@ run_server_defaults() {
|
||||||
done
|
done
|
||||||
|
|
||||||
determine_tls_extensions
|
determine_tls_extensions
|
||||||
|
if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != "-ssl2" ]]; then
|
||||||
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
|
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
|
||||||
>$ERRFILE
|
>$ERRFILE
|
||||||
|
|
||||||
[[ -z "$sessticket_str" ]] && sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
|
[[ -z "$sessticket_str" ]] && sessticket_str=$(grep -aw "session ticket" $TMPFILE | grep -a lifetime)
|
||||||
|
fi
|
||||||
|
|
||||||
outln
|
outln
|
||||||
pr_headlineln " Testing server defaults (Server Hello) "
|
pr_headlineln " Testing server defaults (Server Hello) "
|
||||||
|
@ -7063,6 +7064,7 @@ parse_sslv2_serverhello() {
|
||||||
"$parse_complete" && echo "======================================" > $TMPFILE
|
"$parse_complete" && echo "======================================" > $TMPFILE
|
||||||
|
|
||||||
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
v2_hello_ascii=$(hexdump -v -e '16/1 "%02X"' $1)
|
||||||
|
v2_hello_ascii="${v2_hello_ascii%%[!0-9A-F]*}"
|
||||||
[[ "$DEBUG" -ge 5 ]] && echo "$v2_hello_ascii"
|
[[ "$DEBUG" -ge 5 ]] && echo "$v2_hello_ascii"
|
||||||
if [[ -z "$v2_hello_ascii" ]]; then
|
if [[ -z "$v2_hello_ascii" ]]; then
|
||||||
ret=0 # 1 line without any blanks: no server hello received
|
ret=0 # 1 line without any blanks: no server hello received
|
||||||
|
@ -7094,6 +7096,10 @@ parse_sslv2_serverhello() {
|
||||||
echo "SSLv2 certificate length: 0x$v2_hello_cert_length"
|
echo "SSLv2 certificate length: 0x$v2_hello_cert_length"
|
||||||
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if "$parse_complete" && [[ 2*$(hex2dec "$v2_hello_length") -ne ${#v2_hello_ascii}-4 ]]; then
|
||||||
|
ret=7
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
"$parse_complete" || return $ret
|
"$parse_complete" || return $ret
|
||||||
|
@ -7105,7 +7111,11 @@ parse_sslv2_serverhello() {
|
||||||
if [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then
|
if [[ "$v2_cert_type" == "01" ]] && [[ "$v2_hello_cert_length" != "00" ]]; then
|
||||||
tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
|
tmp_der_certfile=$(mktemp $TEMPDIR/der_cert.XXXXXX) || return $ret
|
||||||
asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
|
asciihex_to_binary_file "${v2_hello_ascii:26:certificate_len}" "$tmp_der_certfile"
|
||||||
$OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT
|
$OPENSSL x509 -inform DER -in $tmp_der_certfile -outform PEM -out $HOSTCERT 2>$ERRFILE
|
||||||
|
if [[ $? -ne 0 ]]; then
|
||||||
|
debugme echo "Malformed certificate in ServerHello."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
rm $tmp_der_certfile
|
rm $tmp_der_certfile
|
||||||
get_pub_key_size
|
get_pub_key_size
|
||||||
echo "======================================" >> $TMPFILE
|
echo "======================================" >> $TMPFILE
|
||||||
|
@ -8100,6 +8110,13 @@ sslv2_sockets() {
|
||||||
local ret
|
local ret
|
||||||
local client_hello cipher_suites len_client_hello
|
local client_hello cipher_suites len_client_hello
|
||||||
local len_ciph_suites_byte len_ciph_suites
|
local len_ciph_suites_byte len_ciph_suites
|
||||||
|
local server_hello sock_reply_file2
|
||||||
|
local -i response_len server_hello_len
|
||||||
|
local parse_complete=false
|
||||||
|
|
||||||
|
if [[ "$2" == "true" ]]; then
|
||||||
|
parse_complete=true
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ -n "$1" ]]; then
|
if [[ -n "$1" ]]; then
|
||||||
cipher_suites="$1"
|
cipher_suites="$1"
|
||||||
|
@ -8140,13 +8157,31 @@ sslv2_sockets() {
|
||||||
socksend_sslv2_clienthello "$client_hello"
|
socksend_sslv2_clienthello "$client_hello"
|
||||||
|
|
||||||
sockread_serverhello 32768
|
sockread_serverhello 32768
|
||||||
|
if "$parse_complete"; then
|
||||||
|
server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
|
server_hello_len=2+$(hex2dec "${server_hello:1:3}")
|
||||||
|
response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')
|
||||||
|
for (( 1; response_len < server_hello_len; 1 )); do
|
||||||
|
sock_reply_file2=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
|
||||||
|
mv "$SOCK_REPLY_FILE" "$sock_reply_file2"
|
||||||
|
|
||||||
|
debugme echo "requesting more server hello data..."
|
||||||
|
socksend "" $USLEEP_SND
|
||||||
|
sockread_serverhello 32768
|
||||||
|
|
||||||
|
[[ ! -s "$SOCK_REPLY_FILE" ]] && break
|
||||||
|
cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
|
||||||
|
mv "$sock_reply_file2" "$SOCK_REPLY_FILE"
|
||||||
|
response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')
|
||||||
|
done
|
||||||
|
fi
|
||||||
debugme outln "reading server hello... "
|
debugme outln "reading server hello... "
|
||||||
if [[ "$DEBUG" -ge 4 ]]; then
|
if [[ "$DEBUG" -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
|
|
||||||
parse_sslv2_serverhello "$SOCK_REPLY_FILE" "$2"
|
parse_sslv2_serverhello "$SOCK_REPLY_FILE" "$parse_complete"
|
||||||
ret=$?
|
ret=$?
|
||||||
|
|
||||||
close_socket
|
close_socket
|
||||||
|
@ -9930,6 +9965,16 @@ get_install_dir() {
|
||||||
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# still no cipher mapping file (and realpath is not present):
|
||||||
|
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] && which readlink &>/dev/null ; then
|
||||||
|
readlink -f ls &>/dev/null && \
|
||||||
|
TESTSSL_INSTALL_DIR=$(dirname $(readlink -f ${BASH_SOURCE[0]})) || \
|
||||||
|
TESTSSL_INSTALL_DIR=$(dirname $(readlink ${BASH_SOURCE[0]}))
|
||||||
|
# not sure whether Darwin has -f
|
||||||
|
CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt"
|
||||||
|
[[ -r "$TESTSSL_INSTALL_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/cipher-mapping.txt"
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] ; then
|
if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]] ; then
|
||||||
unset ADD_RFC_STR
|
unset ADD_RFC_STR
|
||||||
debugme echo "$CIPHERS_BY_STRENGTH_FILE"
|
debugme echo "$CIPHERS_BY_STRENGTH_FILE"
|
||||||
|
@ -11742,4 +11787,3 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
|
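Review bot: In the sslv2_sockets read loop, the `[[ ! -s "$SOCK_REPLY_FILE" ]] && break` exit path throws away everything already received: the reply read so far was just moved into `$sock_reply_file2`, so after the break `$SOCK_REPLY_FILE` holds only the empty result of the last sockread_serverhello call, parse_sslv2_serverhello then sees an empty hexdump and reports a partial ServerHello as none at all, and the mktemp'd ddreply file is left behind in $TEMPDIR. This assumes sockread_serverhello recreates `$SOCK_REPLY_FILE` on each call; its body and the start of sslv2_sockets are outside the hunk. Restoring the accumulated data before leaving the loop fixes both problems: `[[ ! -s "$SOCK_REPLY_FILE" ]] && { mv "$sock_reply_file2" "$SOCK_REPLY_FILE"; break; }`. The parse_sslv2_serverhello hunk has the same temp-file issue, where the new `return 1` after a failed `$OPENSSL x509` conversion skips the `rm $tmp_der_certfile` that follows it, so a malformed certificate leaves the DER file in $TEMPDIR. Moving the `rm` before the `return 1` (or into the `if` branch as well) keeps the cleanup on the error path.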