Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #917 from dcooper16/check_version

Browse Source 
Compare selected version against supported_versions
This commit is contained in:
Dirk Wetter 2017-12-01 21:03:52 +01:00 committed by GitHub
commit 9c8fa5419d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 68 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
testssl.sh
View File

@ -8866,14 +8866,14 @@ parse_tls_serverhello() {
# byte 37+sid-len: compression method: 00: none, 01: deflate, 64: LZS
# byte 38+39+sid-len: extension length
tls_protocol2="${tls_serverhello_ascii:0:4}"
[[ "${tls_protocol2:0:2}" == "7F" ]] && tls_protocol2="0304"
if [[ "${tls_protocol2:0:2}" != "03" ]]; then
DETECTED_TLS_VERSION="$tls_protocol2"
[[ "${DETECTED_TLS_VERSION:0:2}" == "7F" ]] && DETECTED_TLS_VERSION="0304"
if [[ "${DETECTED_TLS_VERSION:0:2}" != "03" ]]; then
debugme tmln_warning "server_version.major in ServerHello is not 03."
return 1
fi
DETECTED_TLS_VERSION="$tls_protocol2"
if [[ "0x${tls_protocol2:2:2}" -le "0x03" ]]; then
if [[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]]; then
tls_hello_time="${tls_serverhello_ascii:4:8}"
[[ "$TLS_DIFFTIME_SET" || "$DEBUG" ]] && TLS_TIME=$(hex2dec "$tls_hello_time")
tls_sid_len_hex="${tls_serverhello_ascii:68:2}"
@ -8889,7 +8889,7 @@ parse_tls_serverhello() {
tls_cipher_suite="${tls_serverhello_ascii:offset:4}"
if [[ "0x${tls_protocol2:2:2}" -le "0x03" ]]; then
if [[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]]; then
let offset=74+$tls_sid_len
tls_compression_method="${tls_serverhello_ascii:offset:2}"
let extns_offset=76+$tls_sid_len
@ -8898,8 +8898,8 @@ parse_tls_serverhello() {
fi
if [[ $tls_serverhello_ascii_len -gt $extns_offset ]] && \
( [[ "$process_full" == "all" ]] || [[ "$tls_protocol2" == "0303" ]] || \
( [[ "$process_full" == "ephemeralkey" ]] && [[ "0x${tls_protocol2:2:2}" -gt "0x03" ]] ) ); then
( [[ "$process_full" == "all" ]] || [[ "$DETECTED_TLS_VERSION" == "0303" ]] || \
( [[ "$process_full" == "ephemeralkey" ]] && [[ "0x${DETECTED_TLS_VERSION:2:2}" -gt "0x03" ]] ) ); then
if [[ $tls_serverhello_ascii_len -lt $extns_offset+4 ]]; then
debugme echo "Malformed response"
return 1
@ -9052,8 +9052,8 @@ parse_tls_serverhello() {
fi
let offset=$extns_offset+12+$i
tls_protocol2="${tls_serverhello_ascii:offset:4}"
[[ "${tls_protocol2:0:2}" == "7F" ]] && tls_protocol2="0304"
DETECTED_TLS_VERSION="$tls_protocol2"
DETECTED_TLS_VERSION="$tls_protocol2"
[[ "${DETECTED_TLS_VERSION:0:2}" == "7F" ]] && DETECTED_TLS_VERSION="0304"
;;
002C) tls_extensions+="TLS server extension \"cookie\" (id=44), len=$extension_len\n" ;;
002D) tls_extensions+="TLS server extension \"psk key exchange modes\" (id=45), len=$extension_len\n" ;;
@ -9091,10 +9091,10 @@ parse_tls_serverhello() {
done
fi
if [[ "$tls_protocol2" == "0300" ]]; then
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
echo "Protocol : SSLv3" >> $TMPFILE
else
echo "Protocol : TLSv1.$((0x$tls_protocol2-0x0301))" >> $TMPFILE
echo "Protocol : TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" >> $TMPFILE
fi
echo "===============================================================================" >> $TMPFILE
if [[ $TLS_NR_CIPHERS -ne 0 ]]; then
@ -9122,7 +9122,7 @@ parse_tls_serverhello() {
echo "${TLS13_KEY_SHARES[named_curve]}" >> $TMPFILE
fi
echo "===============================================================================" >> $TMPFILE
if [[ "0x${tls_protocol2:2:2}" -le "0x03" ]]; then
if [[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]]; then
case $tls_compression_method in
00) echo "Compression: NONE" >> $TMPFILE ;;
01) echo "Compression: zlib compression" >> $TMPFILE ;;
@ -9137,9 +9137,9 @@ parse_tls_serverhello() {
echo "TLS server hello message:"
if [[ $DEBUG -ge 4 ]]; then
echo " tls_protocol: 0x$tls_protocol2"
[[ "0x${tls_protocol2:2:2}" -le "0x03" ]] && echo " tls_sid_len: 0x$tls_sid_len_hex / = $((tls_sid_len/2))"
[[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]] && echo " tls_sid_len: 0x$tls_sid_len_hex / = $((tls_sid_len/2))"
fi
if [[ "0x${tls_protocol2:2:2}" -le "0x03" ]]; then
if [[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]]; then
echo -n " tls_hello_time: 0x$tls_hello_time "
parse_date "$TLS_TIME" "+%Y-%m-%d %r" "%s" # in debugging mode we don't mind the cycles and don't use TLS_DIFFTIME_SET
fi
@ -9158,7 +9158,7 @@ parse_tls_serverhello() {
echo " dh_bits: ECDH, $named_curve_str, $dh_bits bits"
fi
fi
if [[ "0x${tls_protocol2:2:2}" -le "0x03" ]]; then
if [[ "0x${DETECTED_TLS_VERSION:2:2}" -le "0x03" ]]; then
echo -n " tls_compression_method: 0x$tls_compression_method "
case $tls_compression_method in
00) echo "(NONE)" ;;
@ -9202,6 +9202,37 @@ parse_tls_serverhello() {
fi
fi
# If the ClientHello included a supported_versions extension, then check that the
# $DETECTED_TLS_VERSION appeared in the list offered in the ClientHello.
if [[ "${TLS_CLIENT_HELLO:0:2}" == "01" ]]; then
# get position of cipher lists (just after session id)
offset=78+2*$(hex2dec "${TLS_CLIENT_HELLO:76:2}")
# get position of compression methods
offset+=4+2*$(hex2dec "${TLS_CLIENT_HELLO:offset:4}")
# get position of extensions
extns_offset=$offset+6+2*$(hex2dec "${TLS_CLIENT_HELLO:offset:2}")
len1=${#TLS_CLIENT_HELLO}
for (( i=extns_offset; i < len1; i=i+8+extension_len )); do
extension_type="${TLS_CLIENT_HELLO:i:4}"
offset=4+$i
extension_len=2*$(hex2dec "${TLS_CLIENT_HELLO:offset:4}")
if [[ "$extension_type" == "002b" ]]; then
offset+=6
tls_protocol2="$(tolower "$tls_protocol2")"
for (( j=0; j < extension_len-2; j=j+4 )); do
[[ "${TLS_CLIENT_HELLO:offset:4}" == "$tls_protocol2" ]] && break
offset+=4
done
if [[ $j -eq $extension_len-2 ]]; then
debugme echo "The ServerHello specifies a version that wasn't offered in the ClientHello."
tmpfile_handle $FUNCNAME.txt
return 1
fi
break
fi
done
fi
# Now parse the Certificate message.
if [[ "$process_full" == "all" ]]; then
[[ -e "$HOSTCERT" ]] && rm "$HOSTCERT"
@ -9963,6 +9994,28 @@ socksend_tls_clienthello() {
printf -- "$data" >&5 2>/dev/null &
sleep $USLEEP_SND
if [[ "$tls_low_byte" -gt 0x03 ]]; then
TLS_CLIENT_HELLO="$(tolower "$NW_STR")"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x0\\/\\x00\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x1\\/\\x01\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x2\\/\\x02\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x3\\/\\x03\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x4\\/\\x04\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x5\\/\\x05\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x6\\/\\x06\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x7\\/\\x07\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x8\\/\\x08\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x9\\/\\x09\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\xa\\/\\x0a\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\xb\\/\\x0b\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\xc\\/\\x0c\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\xd\\/\\x0d\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\xe\\/\\x0e\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\xf\\/\\x0f\\}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO//\\x/}"
TLS_CLIENT_HELLO="${TLS_CLIENT_HELLO:10}"
fi
return 0
}