From a0dabf9acf242fea469db048d6a35676f77b4720 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Wed, 14 Feb 2018 23:15:29 +0100
Subject: [PATCH] cleaned up exit codes for error cases
For recognising error conditions during run any testssl.sh run, the program returns 0 if all checks have been performed successfully and unambiguously. 1 is returned per error or unambiguous condition and per IP. E.g. ./testssl.sh --ssl-native testssl.net with two IP addresses returns 2 as each client simulation gets a "1" (ssl-native returns currently wrong results here). This fixes #986. A kind of vulnerability scoring for monitoring tools or CI will be done later separately, see #985 and #327.
---
 testssl.sh | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 1920568..ecab480 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3153,7 +3153,7 @@ run_cipher_match(){
 # test for all ciphers locally configured (w/o distinguishing whether they are good or bad)
 run_allciphers() {
- local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 ret
+ local -i nr_ciphers_tested=0 nr_ciphers=0 nr_ossl_ciphers=0 nr_nonossl_ciphers=0 sclient_success=0
 local n auth mac export hexc sslv2_ciphers="" s
 local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
 local -i i end_of_bundle bundle bundle_size num_bundles mod_check
@@ -3376,8 +3376,8 @@ run_allciphers() {
 else
 tls_sockets "$proto" "${ciphers_to_test:2}, 00,ff" "ephemeralkey"
 fi
- ret=$?
- [[ $ret -ne 0 ]] && [[ $ret -ne 2 ]] && break
+ sclient_success=$?
+ [[ $sclient_success -ne 0 ]] && [[ $sclient_success -ne 2 ]] && break
 cipher=$(get_cipher "$TEMPDIR/$NODEIP.parse_tls_serverhello.txt")
 for (( i=bundle*bundle_size; i < end_of_bundle; i++ )); do
 [[ "$cipher" == "${rfc_ciph2[i]}" ]] && ciphers_found2[i]=true && break
@@ -3416,6 +3416,7 @@ run_allciphers() {
 "$using_sockets" && HAS_DH_BITS="$has_dh_bits"
 outln
+ [[ $sclient_success -ge 6 ]] && return 1
 return 0
 }
@@ -3454,7 +3455,8 @@ run_cipher_per_proto() {
 neat_header
 echo -e " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n -tls1_3 04 TLS 1.3" | while read proto proto_hex proto_text; do
 pr_underline "$(printf "%s" "$proto_text")"
- out " "; # for local problem if it happens
+ # for local problem if it happens
+ out " "
 if ! "$using_sockets" && ! locally_supported "$proto"; then
 continue
 fi
@@ -3705,6 +3707,7 @@ run_cipher_per_proto() {
 "$using_sockets" && HAS_DH_BITS="$has_dh_bits"
 tmpfile_handle $FUNCNAME.txt
 return 0
+#FIXME: no error condition
 }
 # arg1 is an ASCII-HEX encoded SSLv3 or TLS ClientHello.
@@ -3985,6 +3988,7 @@ run_client_simulation() {
 local has_dh_bits using_sockets=true
 local client_service
 local options
+ local -i ret=0
 local jsonID="clientsimulation"
 # source the external file
@@ -4015,6 +4019,7 @@ run_client_simulation() {
 pr_headline " Running client simulations via openssl "
 prln_warning " -- you shouldn't run this with \"--ssl-native\" as you will get false results"
 fileout "$jsonID" "WARN" "You shouldn't run this with \"--ssl-native\" as you will get false results"
+ ret=1
 fi
 outln
 debugme echo
@@ -4156,10 +4161,11 @@ run_client_simulation() {
 fi
 fi # correct service?
 fi #current?
- i=$((i+1))
+ ((i++))
 done
+
 tmpfile_handle $FUNCNAME.txt
- return 0
+ return $ret
 }
 # generic function whether $1 is supported by s_client ($2: string to display)
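Review bot: The new `[[ $sclient_success -ge 6 ]] && return 1` at the end of run_allciphers() depends on the return-code numbering of tls_sockets() without saying so, and the loop in the hunk at -3376 already breaks on any code other than 0 or 2, so codes 1, 3, 4 and 5 also abort the scan yet still end in `return 0`. A comment above the line would make the threshold reviewable, e.g. `# tls_sockets() codes >= 6 are taken as a connection/local problem rather than a cipher result — TODO confirm against tls_sockets()`. Note also that sclient_success holds only the last handshake's status, so a problem in an earlier bundle that was followed by a clean handshake is not reported, and if the openssl-based path of this function assigns the variable elsewhere that is outside these hunks. run_allciphers() begins in the hunk at -3153 and its body lies mostly outside the view.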
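Review bot: The `#FIXME: no error condition` added in run_cipher_per_proto() sits between `return 0` and the closing brace, where no reader of the function's exit path will see it, and it does not record why an error status is hard to produce. The reason is visible in the hunk at -3454: the per-protocol loop is `echo -e ... | while read proto proto_hex proto_text; do`, a pipeline stage that runs in a subshell, so any status variable set inside the loop is gone by the time `return` runs (unless `shopt -s lastpipe` is in effect, which is not visible here). Move the comment above `return 0` and state that, e.g. `# FIXME: the protocol loop runs in a pipeline subshell, so per-protocol failures cannot reach this return`. The same `read` lacks `-r`; harmless for the literal table fed to it, but worth adding for consistency. The function body continues outside both hunks.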
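Review bot: `return $ret` in run_client_simulation() only reflects the `ret=1` set under the `--ssl-native` warning in the hunk at -4015; nothing in the visible hunks raises ret when an individual client simulation fails, so the "1 per error condition" semantics described in the commit message rest on code outside these hunks and are worth confirming. Separately, `((i++))` has exit status 1 whenever i is 0 before the increment; that is harmless in this loop as shown, but the original `i=$((i+1))` (or `((i+=1))`) is status-neutral and safer should this code ever run under `set -e`. The enclosing function starts in the hunk at -3985 and its loop body lies outside the view.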