mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 17:20:57 +01:00
Undo changed behavior for CCS
This commit is contained in:
parent
d9578bb975
commit
a2f968d4ad
76
testssl.sh
76
testssl.sh
@ -251,6 +251,10 @@ FIRST_FINDING=true # Is this the first finding we are outpu
|
|||||||
TLS_LOW_BYTE=""
|
TLS_LOW_BYTE=""
|
||||||
HEX_CIPHER=""
|
HEX_CIPHER=""
|
||||||
|
|
||||||
|
# The various hexdump commands we need to replace xxd (BSD compatibility)
|
||||||
|
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply
|
||||||
|
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
###### some hexbytes for bash network sockets follow ######
|
###### some hexbytes for bash network sockets follow ######
|
||||||
@ -1970,7 +1974,7 @@ client_simulation_sockets() {
|
|||||||
printf -- "$data" >&5 2>/dev/null &
|
printf -- "$data" >&5 2>/dev/null &
|
||||||
sleep $USLEEP_SND
|
sleep $USLEEP_SND
|
||||||
|
|
||||||
sockread 32768
|
sockread_serverhello 32768
|
||||||
TLS_NOW=$(LC_ALL=C date "+%s")
|
TLS_NOW=$(LC_ALL=C date "+%s")
|
||||||
debugme outln "reading server hello..."
|
debugme outln "reading server hello..."
|
||||||
if [[ "$DEBUG" -ge 4 ]]; then
|
if [[ "$DEBUG" -ge 4 ]]; then
|
||||||
@ -5288,7 +5292,8 @@ socksend_sslv2_clienthello() {
|
|||||||
sleep $USLEEP_SND
|
sleep $USLEEP_SND
|
||||||
}
|
}
|
||||||
|
|
||||||
sockread() {
|
# for SSLv2 to TLS 1.2:
|
||||||
|
sockread_serverhello() {
|
||||||
[[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
|
[[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
|
||||||
|
|
||||||
SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
|
SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
|
||||||
@ -5643,7 +5648,7 @@ sslv2_sockets() {
|
|||||||
debugme outln "sending client hello... "
|
debugme outln "sending client hello... "
|
||||||
socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
|
socksend_sslv2_clienthello "$SSLv2_CLIENT_HELLO"
|
||||||
|
|
||||||
sockread 32768
|
sockread_serverhello 32768
|
||||||
debugme outln "reading server hello... "
|
debugme outln "reading server hello... "
|
||||||
if [[ "$DEBUG" -ge 4 ]]; then
|
if [[ "$DEBUG" -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
hexdump -C "$SOCK_REPLY_FILE" | head -6
|
||||||
@ -5894,7 +5899,7 @@ tls_sockets() {
|
|||||||
|
|
||||||
# if sending didn't succeed we don't bother
|
# if sending didn't succeed we don't bother
|
||||||
if [[ $ret -eq 0 ]]; then
|
if [[ $ret -eq 0 ]]; then
|
||||||
sockread 32768
|
sockread_serverhello 32768
|
||||||
TLS_NOW=$(LC_ALL=C date "+%s")
|
TLS_NOW=$(LC_ALL=C date "+%s")
|
||||||
debugme outln "reading server hello..."
|
debugme outln "reading server hello..."
|
||||||
if [[ "$DEBUG" -ge 4 ]]; then
|
if [[ "$DEBUG" -ge 4 ]]; then
|
||||||
@ -5941,7 +5946,7 @@ tls_sockets() {
|
|||||||
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
# mainly adapted from https://gist.github.com/takeshixx/10107280
|
||||||
run_heartbleed(){
|
run_heartbleed(){
|
||||||
local tls_proto_offered tls_hexcode heartbleed_payload client_hello
|
local tls_proto_offered tls_hexcode heartbleed_payload client_hello
|
||||||
local -i retval ret lines_returned
|
local -i retval ret lines_returned bytes_returned
|
||||||
|
|
||||||
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
|
||||||
pr_bold " Heartbleed"; out " (CVE-2014-0160) "
|
pr_bold " Heartbleed"; out " (CVE-2014-0160) "
|
||||||
@ -6024,7 +6029,7 @@ run_heartbleed(){
|
|||||||
socksend "$client_hello" 1
|
socksend "$client_hello" 1
|
||||||
|
|
||||||
debugme outln "\nreading server hello"
|
debugme outln "\nreading server hello"
|
||||||
sockread 32768
|
sockread_serverhello 32768
|
||||||
if [[ $DEBUG -ge 4 ]]; then
|
if [[ $DEBUG -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
outln "[...]"
|
outln "[...]"
|
||||||
@ -6033,12 +6038,14 @@ run_heartbleed(){
|
|||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
|
|
||||||
socksend "$heartbleed_payload" 1
|
socksend "$heartbleed_payload" 1
|
||||||
sockread 16384 $HEARTBLEED_MAX_WAITSOCK
|
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
|
||||||
retval=$?
|
retval=$?
|
||||||
|
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
outln "\nheartbleed reply: "
|
outln "\nheartbleed reply: "
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
|
bytes_returned="$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')"
|
||||||
|
[[ $bytes_returned -gt 160 ]] && outln "[...]"
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -6077,9 +6084,8 @@ ok_ids(){
|
|||||||
|
|
||||||
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
|
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
|
||||||
run_ccs_injection(){
|
run_ccs_injection(){
|
||||||
local tls_proto_offered tls_hexcode ccs_message close_message client_hello
|
local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply
|
||||||
local reply=""
|
local -i retval ret lines
|
||||||
local -i retval ret
|
|
||||||
|
|
||||||
# see https://www.openssl.org/news/secadv_20140605.txt
|
# see https://www.openssl.org/news/secadv_20140605.txt
|
||||||
# mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
|
# mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
|
||||||
@ -6101,7 +6107,6 @@ run_ccs_injection(){
|
|||||||
#FIXME: for SSLv3 only we need to set tls_hexcode and the record layer TLS version correctly
|
#FIXME: for SSLv3 only we need to set tls_hexcode and the record layer TLS version correctly
|
||||||
esac
|
esac
|
||||||
ccs_message=", x14, $tls_hexcode ,x00, x01, x01"
|
ccs_message=", x14, $tls_hexcode ,x00, x01, x01"
|
||||||
close_message=", x15, $tls_hexcode ,x00, x02, x01, x00"
|
|
||||||
|
|
||||||
client_hello="
|
client_hello="
|
||||||
# TLS header (5 bytes)
|
# TLS header (5 bytes)
|
||||||
@ -6141,7 +6146,7 @@ run_ccs_injection(){
|
|||||||
socksend "$client_hello" 1
|
socksend "$client_hello" 1
|
||||||
|
|
||||||
debugme outln "\nreading server hello"
|
debugme outln "\nreading server hello"
|
||||||
sockread 32768
|
sockread_serverhello 32768
|
||||||
if [[ $DEBUG -ge 4 ]]; then
|
if [[ $DEBUG -ge 4 ]]; then
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
outln "[...]"
|
outln "[...]"
|
||||||
@ -6149,47 +6154,40 @@ run_ccs_injection(){
|
|||||||
fi
|
fi
|
||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
|
|
||||||
# ... and then send a change cipher spec message
|
# ... and then send the a change cipher spec message
|
||||||
socksend "$ccs_message" 1 || ok_ids
|
socksend "$ccs_message" 1 || ok_ids
|
||||||
sockread 2048 $CCS_MAX_WAITSOCK
|
sockread_serverhello 2048 $CCS_MAX_WAITSOCK
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
if [[ $retval -eq 3 ]]; then
|
|
||||||
outln "\n1st reply: (timed out)"
|
|
||||||
else
|
|
||||||
outln "\n1st reply: "
|
outln "\n1st reply: "
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
fi
|
# ok: 15 | 0301 | 02 | 02 | 0a
|
||||||
|
# ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
|
||||||
|
# or just timed out
|
||||||
outln
|
outln
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -s "$SOCK_REPLY_FILE" ]]; then
|
|
||||||
reply=$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE")
|
|
||||||
fi
|
|
||||||
# if the server responded with a fatal alert, then it is not vulnerable
|
|
||||||
if [[ "$reply" =~ 15030[0-9]000202[0-9a0f][0-9a-f] ]]; then
|
|
||||||
pr_done_best "not vulnerable (OK)"
|
|
||||||
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK)"
|
|
||||||
ret=0
|
|
||||||
else
|
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
|
||||||
outln "payload #2 with TLS version $tls_hexcode:"
|
outln "payload #2 with TLS version $tls_hexcode:"
|
||||||
fi
|
fi
|
||||||
rm "$SOCK_REPLY_FILE"
|
rm "$SOCK_REPLY_FILE"
|
||||||
|
|
||||||
# Send a close notify warning message
|
socksend "$ccs_message" 2 || ok_ids
|
||||||
socksend "$close_message" 2 || ok_ids
|
sockread_serverhello 2048 $CCS_MAX_WAITSOCK
|
||||||
sockread 2048 $CCS_MAX_WAITSOCK
|
|
||||||
retval=$?
|
retval=$?
|
||||||
|
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
outln "\n2nd reply: "
|
outln "\n2nd reply: "
|
||||||
printf -- "$(hexdump -C "$SOCK_REPLY_FILE")"
|
printf -- "$(hexdump -C "$SOCK_REPLY_FILE")"
|
||||||
|
# not ok: 15 | 0301 | 02 | 02 | 15
|
||||||
|
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
||||||
|
# ok: 0a or nothing: ==> RST
|
||||||
outln
|
outln
|
||||||
fi
|
fi
|
||||||
|
sockreply=$(cat "$SOCK_REPLY_FILE" 2>/dev/null)
|
||||||
|
rm "$SOCK_REPLY_FILE"
|
||||||
|
|
||||||
# if the server sends a non-empty response to the close notify,
|
byte6=$(echo "$sockreply" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
|
||||||
# then it may be vulnerable.
|
lines=$(echo "$sockreply" | "${HEXDUMP[@]}" | count_lines )
|
||||||
if [[ ! -s "$SOCK_REPLY_FILE" ]]; then
|
debugme echo "lines: $lines, byte6: $byte6"
|
||||||
|
|
||||||
|
if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then
|
||||||
pr_done_best "not vulnerable (OK)"
|
pr_done_best "not vulnerable (OK)"
|
||||||
if [[ $retval -eq 3 ]]; then
|
if [[ $retval -eq 3 ]]; then
|
||||||
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK) (timed out)"
|
fileout "ccs" "OK" "CCS (CVE-2014-0224): not vulnerable (OK) (timed out)"
|
||||||
@ -6199,13 +6197,15 @@ run_ccs_injection(){
|
|||||||
ret=0
|
ret=0
|
||||||
else
|
else
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
|
if [[ $retval -eq 3 ]]; then
|
||||||
|
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok) (timed out)"
|
||||||
|
else
|
||||||
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)"
|
fileout "ccs" "NOT ok" "CCS (CVE-2014-0224): VULNERABLE (NOT ok)"
|
||||||
|
fi
|
||||||
ret=1
|
ret=1
|
||||||
fi
|
fi
|
||||||
[[ $retval -eq 3 ]] && out " (timed out)"
|
[[ $retval -eq 3 ]] && out " (timed out)"
|
||||||
fi
|
|
||||||
outln
|
outln
|
||||||
rm "$SOCK_REPLY_FILE"
|
|
||||||
|
|
||||||
close_socket
|
close_socket
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
|
Loading…
Reference in New Issue
Block a user