Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-06 00:39:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

* FIX #125

Browse Source 
* beautified some code / function names
This commit is contained in:
Dirk 2015-06-28 13:52:42 +02:00
parent 5d78c9421f
commit 93f5b8216d
1 changed files with 70 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
testssl.sh
View File

@ -341,32 +341,37 @@ pr_reverse() { [[ "$COLOR" -ne 0 ]] && out "\033[7m$1" || out "$1"; pr_off;
### colorswitcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### colorswitcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
# empty vars if we have no color: set_color_functions() {
red="" # empty vars if we have no color:
green="" red=""
brown="" green=""
blue="" brown=""
cyan="" blue=""
off="" magenta=""
bold="" cyan=""
underline="" grey=""
yellow=""
off=""
bold=""
underline=""
if [[ "$COLOR" -eq 2 ]]; then if [[ "$COLOR" -eq 2 ]]; then
red=$(tput setaf 1) red=$(tput setaf 1)
green=$(tput setaf 2) green=$(tput setaf 2)
brown=$(tput setaf 3) brown=$(tput setaf 3)
blue=$(tput setaf 4) blue=$(tput setaf 4)
magenta=$(tput setaf 5) magenta=$(tput setaf 5)
cyan=$(tput setaf 6) cyan=$(tput setaf 6)
grey=$(tput setaf 7) grey=$(tput setaf 7)
yellow=$(tput setaf 3; tput bold) yellow=$(tput setaf 3; tput bold)
off=$(tput sgr0) fi
fi
if [[ "$COLOR" -ge 1 ]]; then if [[ "$COLOR" -ge 1 ]]; then
bold=$(tput bold) bold=$(tput bold)
underline=$(tput sgr 0 1) underline=$(tput sgr 0 1)
fi off=$(tput sgr0)
fi
}
###### helper function definitions ###### ###### helper function definitions ######
@ -1220,32 +1225,30 @@ locally_supported() {
return $ret return $ret
} }
test_proto() {
run_prototest_openssl() {
local sni=$SNI local sni=$SNI
local ret local ret
[[ "$1" =~ "x-ssl3" ]] && sni="" # newer openssl throw an error if SNI is supplied with SSLv2, if ! locally_supported "$1" "$2" ; then
# SSLv3 doesn't have SNI, openssl doesn't complain yet though
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
ret=$?
# TODO (maybe): here FreeBSD9 returns always 0 --> need to read the error
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
grep -aq "no cipher list" $TMPFILE && ret=5
tmpfile_handle $FUNCNAME.txt
return $ret
}
test_proto_helper() {
if locally_supported "$1" "$2" ; then
test_proto "$1" "$2"
return $?
# 0: offered
# 1: not offered
# 5: protocol ok, but no cipher
else
return 7 return 7
else # we remove SNI for SSLv2 and v3:
[[ "$1" =~ "ssl" ]] && sni="" # newer openssl throw an error if SNI is supplied with SSLv2,
# SSLv3 doesn't have SNI (openssl doesn't complain though -- yet)
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
ret=$? #TODO (maybe): here FreeBSD9 returns always 0 --> need to read the error
[ "$VERBERR" -eq 0 ] && \
egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
grep -aq "no cipher list" $TMPFILE && ret=5
fi fi
tmpfile_handle $FUNCNAME$1.txt
return $ret
# 0: offered
# 1: not offered
# 5: protocol ok, but no cipher
# 7: no local support
} }
@ -1260,20 +1263,20 @@ run_protocols() {
using_sockets=false using_sockets=false
outln "(via native openssl)\n" outln "(via native openssl)\n"
else else
outln "(via sockets except SPDY/NPN)\n" outln "(via sockets except TLS 1.2 and SPDY/NPN)\n"
fi fi
pr_bold " SSLv2 "; pr_bold " SSLv2 ";
if $using_sockets; then if $using_sockets; then
sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native sslv2_sockets #FIXME: messages need to be moved to this higher level
else else
test_proto_helper "-ssl2" run_prototest_openssl "-ssl2"
case $? in case $? in
0) pr_redln "offered (NOT ok)" ;; 0) pr_redln "offered (NOT ok)" ;;
1) pr_greenln "not offered (OK)" ;; 1) pr_greenln "not offered (OK)" ;;
5) pr_litered "$supported_no_ciph2"; 5) pr_litered "$supported_no_ciph2";
outln " (may need further attention)" ;; # protocol ok, but no cipher outln " (may need further attention)" ;; # protocol ok, but no cipher
7) ;; # no local support 7) ;; # no local support
esac esac
fi fi
@ -1281,22 +1284,22 @@ run_protocols() {
if $using_sockets; then if $using_sockets; then
tls_sockets "00" "$TLS_CIPHER" tls_sockets "00" "$TLS_CIPHER"
else else
test_proto_helper "-ssl3" run_prototest_openssl "-ssl3"
fi fi
case $? in case $? in
0) pr_literedln "offered (NOT ok)" ;; 0) pr_literedln "offered (NOT ok)" ;;
1) pr_greenln "not offered (OK)" ;; 1) pr_greenln "not offered (OK)" ;;
2) pr_magentaln "#FIXME: downgraded. still missing a test case here" ;; 2) pr_magentaln "#FIXME: downgraded. still missing a test case here" ;;
5) pr_litered "$supported_no_ciph2"; 5) pr_litered "$supported_no_ciph2";
outln "(may need debugging)" ;; # protocol ok, but no cipher outln "(may need debugging)" ;; # protocol ok, but no cipher
7) ;; # no local support 7) ;; # no local support
esac esac
pr_bold " TLS 1 "; pr_bold " TLS 1 ";
if $using_sockets; then if $using_sockets; then
tls_sockets "01" "$TLS_CIPHER" tls_sockets "01" "$TLS_CIPHER"
else else
test_proto_helper "-tls1" run_prototest_openssl "-tls1"
fi fi
case $? in case $? in
0) outln "offered" ;; # nothing wrong with it -- per se 0) outln "offered" ;; # nothing wrong with it -- per se
@ -1312,7 +1315,7 @@ run_protocols() {
if $using_sockets; then if $using_sockets; then
tls_sockets "02" "$TLS_CIPHER" tls_sockets "02" "$TLS_CIPHER"
else else
test_proto_helper "-tls1_1" run_prototest_openssl "-tls1_1"
fi fi
case $? in case $? in
0) outln "offered" ;; # nothing wrong with it 0) outln "offered" ;; # nothing wrong with it
@ -1325,10 +1328,10 @@ run_protocols() {
esac esac
pr_bold " TLS 1.2 "; pr_bold " TLS 1.2 ";
if $using_sockets && [[ $EXPERIMENTAL == "yes" ]]; then # IIS servers do have a problem here with our handshake if $using_sockets && [[ $EXPERIMENTAL == "yes" ]]; then #TODO: IIS servers do have a problem here with our handshake
tls_sockets "03" "$TLS12_CIPHER" tls_sockets "03" "$TLS12_CIPHER"
else else
test_proto_helper "-tls1_2" run_prototest_openssl "-tls1_2"
fi fi
case $? in case $? in
0) pr_greenln "offered (OK)" ;; # GCM cipher in TLS 1.2: very good! 0) pr_greenln "offered (OK)" ;; # GCM cipher in TLS 1.2: very good!
@ -1595,14 +1598,13 @@ tls_time() {
if [ -n "$STARTTLS" ] ; then if [ -n "$STARTTLS" ] ; then
pr_bold " TLS timestamp"; outln " (not yet implemented for STARTTLS) " pr_bold " TLS timestamp"; outln " (not yet implemented for STARTTLS) "
else else
tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 tls_sockets "01" "$TLS_CIPHER" # try first TLS 1.0 (mostfrequently used protocol)
[[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2 [[ -z "$TLS_TIME" ]] && tls_sockets "03" "$TLS12_CIPHER" # TLS 1.2
[[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1 [[ -z "$TLS_TIME" ]] && tls_sockets "02" "$TLS_CIPHER" # TLS 1.1
[[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3 [[ -z "$TLS_TIME" ]] && tls_sockets "00" "$TLS_CIPHER" # SSL 3
# TODO: maybe too much tests -- timing !
if [[ -n "$TLS_TIME" ]]; then # nothing returned a time! if [[ -n "$TLS_TIME" ]]; then # nothing returned a time!
difftime=$(($TLS_TIME - $TLS_NOW)) difftime=$(($TLS_TIME - $TLS_NOW)) # TLS_NOW is being set in tls_sockets()
if [[ "${#difftime}" -gt 5 ]]; then if [[ "${#difftime}" -gt 5 ]]; then
# openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint # openssl >= 1.0.1f fills this field with random values! --> good for possible fingerprint
pr_bold " TLS timestamp" ; outln " random values, no fingerprinting possible " pr_bold " TLS timestamp" ; outln " random values, no fingerprinting possible "
@ -1684,7 +1686,6 @@ server_defaults() {
fi fi
fi fi
outln " bit" outln " bit"
#FIXME: google seems to have EC keys which displays as 256 Bit
pr_bold " Signature Algorithm " pr_bold " Signature Algorithm "
algo=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u ) algo=$($OPENSSL x509 -in $HOSTCERT -noout -text | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u )
@ -2215,6 +2216,7 @@ sslv2_sockets() {
# ARG1: TLS version low byte (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2) # ARG1: TLS version low byte (00: SSLv3, 01: TLS 1.0, 02: TLS 1.1, 03: TLS 1.2)
# ARG2: CIPHER_SUITES string # ARG2: CIPHER_SUITES string
socksend_tls_clienthello() { socksend_tls_clienthello() {
#FIXME: redo this with all extensions!
local tls_low_byte="$1" local tls_low_byte="$1"
local tls_low_byte1="01" # the first TLS version number is always 0301 -- except: SSLv3 local tls_low_byte1="01" # the first TLS version number is always 0301 -- except: SSLv3
local servername_hexstr len_servername len_servername_hex local servername_hexstr len_servername len_servername_hex
@ -2992,8 +2994,7 @@ logjam() {
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return $ret return $ret
} }
# FIXME: perfect candidate for replacement by sockets,so is freak # TODO: perfect candidate for replacement by sockets, so is freak
@ -3858,9 +3859,7 @@ parse_opt_equal_sign() {
} }
parse_cmd_line() {
# Parses options
startup() {
# Set defaults if only an URI was specified, maybe ToDo: use "="-option, then: ${i#*=} i.e. substring removal # Set defaults if only an URI was specified, maybe ToDo: use "="-option, then: ${i#*=} i.e. substring removal
[[ "$#" -eq 1 ]] && set_scanning_defaults [[ "$#" -eq 1 ]] && set_scanning_defaults
@ -4137,7 +4136,8 @@ lets_roll() {
get_install_dir get_install_dir
initialize_globals initialize_globals
startup "$@" parse_cmd_line "$@"
set_color_functions
find_openssl_binary find_openssl_binary
mybanner mybanner
openssl_age openssl_age
@ -4160,7 +4160,7 @@ else
if [[ -n "$CMDLINE_IP" ]]; then if [[ -n "$CMDLINE_IP" ]]; then
[[ "$CMDLINE_IP" == "one" ]] && \ [[ "$CMDLINE_IP" == "one" ]] && \
CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }') CMDLINE_IP=$(echo -n "$IPADDRs" | awk '{ print $1 }')
NODEIP="$CMDLINE_IP" # specific ip address for NODE was supplied NODEIP="$CMDLINE_IP" # specific ip address for NODE was supplied
lets_roll "${STARTTLS_PROTOCOL}" lets_roll "${STARTTLS_PROTOCOL}"
ret=$? ret=$?
else # no --ip was supplied else # no --ip was supplied
@ -4187,4 +4187,4 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.292 2015/06/24 09:06:35 dirkw Exp $ # $Id: testssl.sh,v 1.295 2015/06/28 11:52:41 dirkw Exp $