Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Final check to make sure fileout and pr*warning correlates

Browse Source 
Made sure that if fileout has a WARN or DEBUG flag it is
consistent with pr*warning. FIX #518
This commit is contained in:
Dirk 2017-10-31 12:23:16 +01:00
parent 2aeabd19b2
commit 9b7000e87e
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
testssl.sh
View File

@ -1576,7 +1576,7 @@ run_http_header() {
;; ;;
*) *)
pr_warning ". Oh, didn't expect \"$HTTP_STATUS_CODE$msg_thereafter\"" pr_warning ". Oh, didn't expect \"$HTTP_STATUS_CODE$msg_thereafter\""
fileout "HTTP_STATUS_CODE" "DEBUG" "$HTTP_STATUS_CODE$msg_thereafter (\"$URL_PATH\" tested) -- Oops, didn't expect a \"$HTTP_STATUS_CODE$msg_thereafter\"" fileout "HTTP_STATUS_CODE" "WARN" "$HTTP_STATUS_CODE$msg_thereafter (\"$URL_PATH\" tested) -- Oops, didn't expect a \"$HTTP_STATUS_CODE$msg_thereafter\""
;; ;;
esac esac
outln outln
@ -5454,7 +5454,7 @@ determine_trust() {
done done
num_ca_bundles=$((i - 1)) num_ca_bundles=$((i - 1))
debugme tm_out " " debugme tm_out " "
if $all_ok; then if "$all_ok"; then
# all stores ok # all stores ok
pr_done_good "Ok "; pr_warning "$addtl_warning" pr_done_good "Ok "; pr_warning "$addtl_warning"
# we did to stdout the warning above already, so we could stay here with INFO: # we did to stdout the warning above already, so we could stay here with INFO:
@ -5462,7 +5462,7 @@ determine_trust() {
else else
# at least one failed # at least one failed
pr_svrty_critical "NOT ok" pr_svrty_critical "NOT ok"
if ! $some_ok; then if ! "$some_ok"; then
# all failed (we assume with the same issue), we're displaying the reason # all failed (we assume with the same issue), we're displaying the reason
out " " out " "
code="$(verify_retcode_helper "${verify_retcode[1]}")" code="$(verify_retcode_helper "${verify_retcode[1]}")"
@ -5474,7 +5474,7 @@ determine_trust() {
fileout "${json_prefix}chain_of_trust" "CRITICAL" "All certificate trust checks failed: $code. $addtl_warning" fileout "${json_prefix}chain_of_trust" "CRITICAL" "All certificate trust checks failed: $code. $addtl_warning"
else else
# is one ok and the others not ==> display the culprit store # is one ok and the others not ==> display the culprit store
if $some_ok ; then if "$some_ok"; then
pr_svrty_critical ":" pr_svrty_critical ":"
for ((i=1;i<=num_ca_bundles;i++)); do for ((i=1;i<=num_ca_bundles;i++)); do
if ${trust[i]}; then if ${trust[i]}; then
@ -5534,7 +5534,7 @@ tls_time() {
debugme tm_out "$TLS_TIME" debugme tm_out "$TLS_TIME"
outln outln
else else
prln_warning "SSLv3 through TLS 1.2 didn't return a timestamp" outln "SSLv3 through TLS 1.2 didn't return a timestamp"
fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2" fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2"
fi fi
TLS_DIFFTIME_SET=false # reset the switch to save calls to date and friend in tls_sockets() TLS_DIFFTIME_SET=false # reset the switch to save calls to date and friend in tls_sockets()
@ -10228,12 +10228,12 @@ run_ccs_injection(){
elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then elif [[ "$byte6" == [0-9a-f][0-9a-f] ]] && [[ "${tls_hello_ascii:2:2}" != "03" ]]; then
pr_warning "test failed" pr_warning "test failed"
out ", probably read buffer too small (${tls_hello_ascii:0:14})" out ", probably read buffer too small (${tls_hello_ascii:0:14})"
fileout "ccs" "WARN" "CCS: test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint" fileout "ccs" "DEBUG" "CCS: test failed, probably read buffer too small (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=7 ret=7
else else
pr_warning "test failed " pr_warning "test failed "
out "around line $LINENO (debug info: ${tls_hello_ascii:0:12},$byte6)" out "around line $LINENO (debug info: ${tls_hello_ascii:0:12},$byte6)"
fileout "ccs" "WARN" "CCS: test failed, around line $LINENO, debug info (${tls_hello_ascii:0:12},$byte6)" "$cve" "$cwe" "$hint" fileout "ccs" "DEBUG" "CCS: test failed, around line $LINENO, debug info (${tls_hello_ascii:0:12},$byte6)" "$cve" "$cwe" "$hint"
ret=7 ret=7
fi fi
outln outln
@ -10469,7 +10469,7 @@ run_ticketbleed() {
ret=7 ret=7
pr_warning "test failed" pr_warning "test failed"
out " around line $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})" out " around line $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})"
fileout "ticketbleed" "WARN" "Ticketbleed: test failed, around $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})" "$cve" "$cwe" fileout "ticketbleed" "DEBUG" "Ticketbleed: test failed, around $LINENO (debug info: ${tls_hello_ascii:0:2}, ${tls_hello_ascii:2:10})" "$cve" "$cwe"
break break
fi fi
debugme echo "sending close_notify..." debugme echo "sending close_notify..."
@ -10506,7 +10506,7 @@ run_ticketbleed() {
pr_warning "test failed, non reproducible results!" pr_warning "test failed, non reproducible results!"
out " Please run again w \"--debug=2\" (# of faked TLS SIDs detected: $nr_sid_detected)" out " Please run again w \"--debug=2\" (# of faked TLS SIDs detected: $nr_sid_detected)"
fi fi
fileout "ticketbleed" "WARN" "Ticketbleed: # of TLS Session IDs detected: $nr_sid_detected, ${sid_detected[1]},${sid_detected[2]},${sid_detected[3]}" "$cve" "$cwe" fileout "ticketbleed" "DEBUG" "Ticketbleed: # of TLS Session IDs detected: $nr_sid_detected, ${sid_detected[1]},${sid_detected[2]},${sid_detected[3]}" "$cve" "$cwe"
ret=7 ret=7
fi fi
fi fi
@ -10738,7 +10738,7 @@ run_breach() {
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
pr_bold " BREACH"; out " ($cve) " pr_bold " BREACH"; out " ($cve) "
if "$CLIENT_AUTH"; then if "$CLIENT_AUTH"; then
prln_warning "cannot be tested (server side requires x509 authentication)" outln "cannot be tested (server side requires x509 authentication)"
fileout "breach" "INFO" "BREACH: cannot be tested (server side requires x509 authentication)" "$cve" "$cwe" fileout "breach" "INFO" "BREACH: cannot be tested (server side requires x509 authentication)" "$cve" "$cwe"
return 7 return 7
fi fi