From 01997b8b818d4b8b73154d462f368f14737b2a4f Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 29 Nov 2016 11:58:49 -0500 Subject: [PATCH 1/3] run_rc4() sockets implementation This PR implements `run_rc4()` in a similar manner to `run_allciphers()` and `run_cipher_per_proto()` (in PR #541). The change doesn't seem to have much of an impact on speed, but when sockets are used it can detect ciphers that aren't locally supported by OpenSSL. --- testssl.sh | 232 ++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 196 insertions(+), 36 deletions(-) diff --git a/testssl.sh b/testssl.sh index 884c143..223ab64 100755 --- a/testssl.sh +++ b/testssl.sh @@ -8822,12 +8822,19 @@ run_lucky13() { # http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html run_rc4() { local -i rc4_offered=0 - local -i sclient_success - local hexcode dash rc4_cipher sslvers kx auth enc mac export - local rc4_ciphers_list="ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:DHE-DSS-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RSA-PSK-RC4-SHA:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5" - local rc4_ssl2_ciphers_list="RC4-MD5:RC4-64-MD5:EXP-RC4-MD5" - local rc4_detected="" - local available="" + local -i nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 ret + local n auth mac export hexc sslv2_ciphers_hex="" sslv2_ciphers_ossl="" s + local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported + local -i i + local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2 + local -i -a index + local dhlen available="" ciphers_to_test supported_sslv2_ciphers addcmd="" + local has_dh_bits="$HAS_DH_BITS" rc4_detected="" + local using_sockets=true + + "$SSL_NATIVE" && using_sockets=false + "$FAST" && using_sockets=false + [[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then outln @@ -8838,62 +8845,215 @@ run_rc4() { fi pr_bold " RC4"; out " (CVE-2013-2566, CVE-2015-2808) " - $OPENSSL s_client -cipher $rc4_ciphers_list $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE >$ERRFILE) fi - if [[ $sclient_success -eq 0 ]]; then + + if "$using_sockets" && [[ -n "$sslv2_ciphers_hex" ]]; then + sslv2_sockets "${sslv2_ciphers_hex:2}" "true" + if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then + supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" + "$WIDE" && "$SHOW_SIGALGO" && s="$($OPENSSL x509 -noout -text -in "$HOSTCERT" | awk -F':' '/Signature Algorithm/ { print $2 }' | head -1)" + for (( i=0 ; i$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE - else - $OPENSSL s_client -cipher $rc4_cipher $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $TMPFILE 2>$ERRFILE - fi - sclient_connect_successful $? $TMPFILE - sclient_success=$? # here we may have a fp with openssl < 1.0, TBC - if [[ $sclient_success -ne 0 ]] && ! "$SHOW_EACH_C"; then + for (( i=0 ; i Date: Tue, 6 Dec 2016 17:18:18 -0500 Subject: [PATCH 2/3] Fix bug in reading of cipher mapping file When the cipher-mapping.txt file is read, the contents of the "Mac=..." column is placed in `TLS_CIPHER_EXPORT` rather than the contents of the "export" column. This PR fixes that. --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 883c267..ef9c747 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9405,7 +9405,7 @@ maketempf() { } prepare_debug() { - local hexc ossl_ciph ossl_supported_tls="" ossl_supported_sslv2="" + local hexc mac ossl_ciph ossl_supported_tls="" ossl_supported_sslv2="" if [[ $DEBUG -ne 0 ]]; then cat >$TEMPDIR/environment.txt << EOF @@ -9484,7 +9484,7 @@ EOF if [[ -e $CIPHERS_BY_STRENGTH_FILE ]]; then "$HAS_SSL2" && ossl_supported_sslv2="$($OPENSSL ciphers -ssl2 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)" ossl_supported_tls="$($OPENSSL ciphers -tls1 -V 'ALL:COMPLEMENTOFALL:@STRENGTH' 2>$ERRFILE)" - while read hexc n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do + while read hexc n TLS_CIPHER_OSSL_NAME[TLS_NR_CIPHERS] TLS_CIPHER_RFC_NAME[TLS_NR_CIPHERS] TLS_CIPHER_SSLVERS[TLS_NR_CIPHERS] TLS_CIPHER_KX[TLS_NR_CIPHERS] TLS_CIPHER_AUTH[TLS_NR_CIPHERS] TLS_CIPHER_ENC[TLS_NR_CIPHERS] mac TLS_CIPHER_EXPORT[TLS_NR_CIPHERS]; do TLS_CIPHER_HEXCODE[TLS_NR_CIPHERS]="$hexc" TLS_CIPHER_OSSL_SUPPORTED[TLS_NR_CIPHERS]=false if [[ ${#hexc} -eq 9 ]]; then From d14b24e832e3ee011777dfa0055f30ccafc9374a Mon Sep 17 00:00:00 2001 From: Dirk Date: Sun, 11 Dec 2016 18:15:36 +0100 Subject: [PATCH 3/3] regression fix #290, see #549 --- testssl.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testssl.sh b/testssl.sh index 7ee8573..9daa3fc 100755 --- a/testssl.sh +++ b/testssl.sh @@ -9922,7 +9922,7 @@ get_local_aaaa() { local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution - ip6=$(grep -wh "$NODE" $etchosts 2>/dev/null | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }') + ip6=$(grep -wh "$1" $etchosts 2>/dev/null | grep ':' | egrep -v '^#|\.local' | egrep "[[:space:]]$1" | awk '{ print $1 }') if is_ipv6addr "$ip6"; then echo "$ip6" else @@ -9935,7 +9935,7 @@ get_local_a() { local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution - ip4=$(grep -wh "$1[^\.]" $etchosts 2>/dev/null | egrep -v ':|^#' | egrep "[[:space:]]$1" | awk '{ print $1 }') + ip4=$(grep -wh "$1" $etchosts 2>/dev/null | egrep -v ':|^#|\.local' | egrep "[[:space:]]$1" | awk '{ print $1 }') if is_ipv4addr "$ip4"; then echo "$ip4" else