diff --git a/testssl.sh b/testssl.sh
index c770026..209c0e5 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -606,8 +606,8 @@ tmln_fixme() { tmln_warning "Fixme: $1"; }
 pr_fixme() { pr_warning "Fixme: $1"; }
 prln_fixme() { prln_warning "Fixme: $1"; }
-pr_url() { tm_out "$1"; html_out "$1"; }
-pr_boldurl() { tm_bold "$1"; html_out "$1"; }
+pr_url() { tm_out "$1"; html_out "$1"; }
+pr_boldurl() { tm_bold "$1"; html_out "$1"; }
 ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
 ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
@@ -1283,9 +1283,9 @@ f5_port_decode() {
 if [[ ${#tmp} -eq 4 ]]; then
 :
 elif [[ ${#tmp} -eq 3 ]]; then # fill it up with leading zeros if needed
- tmp=0{$tmp}
+ tmp=0${tmp}
 elif [[ ${#tmp} -eq 2 ]]; then
- tmp=00{$tmp}
+ tmp=00${tmp}
 fi
 echo $((16#${tmp:2:2}${tmp:0:2})) # reverse order and convert it from hex to dec
 }
@@ -1396,6 +1396,7 @@ tmpfile_handle() {
 mv $savefile "$TEMPDIR/$NODEIP.$1" 2>/dev/null
 [[ $ERRFILE =~ dev.null ]] && return 0 || \
 mv $ERRFILE "$TEMPDIR/$NODEIP.${1//.txt/}.errorlog" 2>/dev/null
+ return 0
 }
 # arg1: line with comment sign, tabs and so on
@@ -1412,7 +1413,6 @@ http_get() {
 local node="" query=""
 local dl="$2"
 local useragent="$UA_STD"
- local proxy_arg=""
 local jsonID="http_get"
 "$SNEAKY" && useragent="$UA_SNEAKY"
@@ -1531,7 +1531,7 @@ check_revocation_crl() {
 # -crl_download could be more elegant but is supported from 1.0.2 onwards only
 $OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &>$ERRFILE
 if [[ $? -ne 0 ]]; then
- pr_warning "conversion of "$tmpfile" failed"
+ pr_warning "conversion of \"$tmpfile\" failed"
 fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed"
 return 1
 fi
@@ -2041,7 +2041,7 @@ match_ipv4_httpheader() {
 run_http_date() {
- local now difftime
+ local difftime
 local spaces=" "
 jsonID="HTTP_clock_skew"
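Review bot: The padding fix still leaves a one-digit value unpadded — only lengths 3 and 2 receive leading zeros, so a `tmp` of length 1 reaches `${tmp:2:2}` as an empty slice and the byte swap on the `echo` line yields a wrong port (f5_port_decode's body starts above the hunk, so I cannot see whether that length is reachable). A single loop covers every short length and replaces the whole `if`/`elif`/`fi` chain: `while (( ${#tmp} < 4 )); do tmp=0${tmp}; done`. The value is then fed to `$((16#…))`, which aborts with a bash error on any non-hex character, so a guard such as `[[ $tmp =~ ^[[:xdigit:]]+$ ]] || return 1` before the conversion would keep a malformed cookie value from breaking the run, assuming `tmp` is derived from the server-supplied cookie as the function name suggests.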
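Review bot: The added `return 0` makes tmpfile_handle always succeed even when the `mv` of the error log on the line above fails, a failure that `2>/dev/null` already hides; if that best-effort behaviour is intended it deserves a comment such as `# best effort: a failed move of the error log must not change the caller's exit status`. Both `mv` lines also expand `$savefile` and `$ERRFILE` unquoted, so a path containing whitespace would be word-split; `mv -- "$savefile" …` and `mv -- "$ERRFILE" …` are the safer spellings. The start of tmpfile_handle lies above the hunk.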
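Review bot: The `if [[ $? -ne 0 ]]` on the line after the `$OPENSSL crl` call is fragile — any command later inserted between the two silently changes what `$?` refers to; testing the command directly, `if ! $OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &>"$ERRFILE"; then`, removes that trap and also quotes `$ERRFILE`. The re-quoted warning on the new line is correct as written. check_revocation_crl's body continues outside the hunk.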
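Review bot: While the hunk trims the `local` declaration, `jsonID="HTTP_clock_skew"` two lines below is still assigned without `local`, so run_http_date writes a global `jsonID` even though other functions in this file treat the same name as function-scoped (http_get declares `local jsonID="http_get"` in an earlier hunk); `local jsonID="HTTP_clock_skew"` keeps it local. The rest of run_http_date is outside this hunk.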
@@ -2074,7 +2074,7 @@ run_http_date() {
 fi
 debugme tm_out ", epoch: $HTTP_TIME"
 outln
- match_ipv4_httpheader
+ match_ipv4_httpheader "$1"
 return 0
 }
@@ -2208,7 +2208,7 @@ run_hpkp() {
 local spaces=" "
 local spaces_indented=" "
 local certificate_found=false
- local i
+ local -i i nrsaved
 local first_hpkp_header
 local spki
 local ca_hashes="$TESTSSL_INSTALL_DIR/etc/ca_hashes.txt"
@@ -2312,7 +2312,7 @@ run_hpkp() {
 rm $TEMPDIR/level0.crt 2>/dev/null
 printf ""> "$TEMPDIR/intermediate.hashes"
- if [[ nrsaved -ge 2 ]]; then
+ if [[ $nrsaved -ge 2 ]]; then
 for cert_fname in $TEMPDIR/level?.crt; do
 hpkp_spki_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout 2>/dev/null | grep -v PUBLIC | $OPENSSL base64 -d 2>/dev/null | $OPENSSL dgst -sha256 -binary 2>/dev/null | $OPENSSL enc -base64 2>/dev/null)"
@@ -3593,7 +3593,7 @@ run_allciphers() {
 local n auth mac export hexc sslv2_ciphers="" s
 local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
 local -i i end_of_bundle bundle bundle_size num_bundles mod_check
- local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
+ local -a ciphers_found ciphers_found2 hexcode2 ciph2 rfc_ciph2
 local -i -a index
 local proto protos_to_try
 local dhlen available ciphers_to_test tls13_ciphers_to_test supported_sslv2_ciphers
@@ -3701,7 +3701,6 @@ run_allciphers() {
 if "${ossl_supported[i]}"; then
 [[ "${sslvers[i]}" == "SSLv2" ]] && continue
 ciphers_found2[nr_ossl_ciphers]=false
- sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
 ciph2[nr_ossl_ciphers]="${ciph[i]}"
 index[nr_ossl_ciphers]=$i
 nr_ossl_ciphers+=1
@@ -3780,7 +3779,6 @@ run_allciphers() {
 if ! "${ciphers_found[i]}"; then
 [[ "${sslvers[i]}" == "SSLv2" ]] && continue
 ciphers_found2[nr_nonossl_ciphers]=false
- sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
 hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
 rfc_ciph2[nr_nonossl_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
 index[nr_nonossl_ciphers]=$i
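Review bot: With `nrsaved` now declared `local -i` in the earlier run_hpkp hunk, the new test reads more naturally as arithmetic, `if (( nrsaved >= 2 )); then`, which also cannot be confused by an empty string. On the following lines the `for cert_fname in $TEMPDIR/level?.crt` glob expands `$TEMPDIR` unquoted, and the pipeline computing `hpkp_spki_ca` silences every stage with `2>/dev/null`, so a failed `x509` or `base64 -d` produces an empty hash rather than an error; a check such as `[[ -n "$hpkp_spki_ca" ]] || continue` directly after it would keep an empty value out of whatever comparison follows. What is done with `hpkp_spki_ca` afterwards is outside the hunk.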
@@ -4173,7 +4171,7 @@ create_client_simulation_tls_clienthello() {
 local tls_handshake_ascii="$1"
 local -i len offset tls_handshake_ascii_len len_all len_clienthello
 local -i len_extensions len_extension
- local content_type tls_version_reclayer handshake_msg_type tls_clientversion
+ local tls_content_type tls_version_reclayer handshake_msg_type tls_clientversion
 local tls_random tls_sid tls_cipher_suites tls_compression_methods
 local tls_extensions="" extension_type len_extensions_hex
 local len_servername hexdump_format_str servername_hexstr
@@ -4441,6 +4439,7 @@ run_client_simulation() {
 local minEcdsaBits=()
 local curves=()
 local requiresSha2=()
+ local current=()
 local i=0
 local name tls proto cipher temp what_dh bits curve supported_curves
 local has_dh_bits using_sockets=true
@@ -4504,7 +4503,7 @@ run_client_simulation() {
 MAX_OSSL_FAIL=100
 fi
 for name in "${short[@]}"; do
- if ${current[i]} || "$ALL_CLIENTS" ; then
+ if "${current[i]}" || "$ALL_CLIENTS" ; then
 # for ANY we test this service or if the service we determined from STARTTLS matches
 if [[ "${service[i]}" == "ANY" ]] || [[ "${service[i]}" =~ $client_service ]]; then
 out " $(printf -- "%-29s" "${names[i]}")"
@@ -5304,8 +5303,6 @@ run_cipherlists() {
 local sslv2_null_ciphers=""
 local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff"
 local sslv2_anon_ciphers=""
- local adh_ciphers="00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, 00,18, 00,1b, 00,1a, 00,19, 00,17, 00,ff"
- local sslv2_adh_ciphers=""
 # ~ grep -i EXP etc/cipher-mapping.txt
 local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff"
 local sslv2_exp_ciphers="04,00,80, 02,00,80"
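Review bot: The quoted `"${current[i]}"` is still executed as a command — the loop relies on the array holding the literal words `true`/`false` so that bash runs the matching builtin — and an entry that is missing or holds anything else produces a "command not found" error instead of a test result. Comparing the value instead makes the intent visible and never executes data: `if [[ "${current[i]}" == true || "$ALL_CLIENTS" == true ]]; then`, assuming `ALL_CLIENTS` follows the same true/false convention that its own quoted execution implies. The `local current=()` added in the previous hunk is what makes the index lookup well-defined; how the array is populated is outside these hunks.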
@@ -5360,7 +5357,7 @@ run_cipherlists() {
 ret=$((ret + $?))
 sub_cipherlists '3DES:!aNULL:!ADH' "" " Triple DES Ciphers (Medium) " 0 "3DES" "$tdes_ciphers" "$sslv2_tdes_ciphers" "$cve" "$cwe2"
 ret=$((ret + $?))
- sub_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM'\
+ sub_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM' \
 "" " High encryption (AES+Camellia, no AEAD) " 1 "HIGH" "$high_ciphers" ""
 ret=$((ret + $?))
 sub_cipherlists 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM' 'ALL' \
@@ -5649,7 +5646,10 @@ sub_session_resumption() {
 else
 $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") $tmpfile 2>$ERRFILE
 ret2=$?
- debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]"
+ if [[ $DEBUG -ge 2 ]]; then
+ echo -n "$ret1, $ret2, "
+ [[ -s "$sess_data" ]] && echo "not empty" || echo "empty"
+ fi
 # now get the line and compare the numbers read" and "written" as a second criteria.
 rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
 rw_line=($rw_line)
@@ -6063,7 +6063,7 @@ check_tls12_pref() {
 cipher_pref_check() {
- local p proto proto_hex npn_protos
+ local p proto proto_hex
 local tested_cipher cipher order rfc_ciph rfc_order
 local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
 local -i i nr_ciphers nr_nonossl_ciphers num_bundles mod_check bundle_size bundle end_of_bundle success
@@ -8657,7 +8657,6 @@ run_pfs() {
 npn_pre(){
 if [[ -n "$PROXY" ]]; then
- [[ -n "$1" ]] && pr_warning "$1"
 pr_warning "not tested as proxies do not support proxying it"
 fileout "NPN" "WARN" "not tested as proxies do not support proxying it"
 return 1
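Review bot: The new debug block in sub_session_resumption uses `echo -n` and an `a && b || c` chain, both of which ShellCheck flags — `echo -n` is not portable and the `|| echo "empty"` arm also fires if the first `echo` fails. A precomputed word plus one `printf` is cleaner inside the same `if`: `[[ -s "$sess_data" ]] && sess_state="not empty" || sess_state="empty"` followed by `printf '%s, %s, %s\n' "$ret1" "$ret2" "$sess_state"`. The hunk also replaces the former `debugme` wrapper with a direct `[[ $DEBUG -ge 2 ]]` test; if `debugme` applies a different threshold elsewhere in the file, a one-line comment saying why it is bypassed here would help the next reader. The rest of sub_session_resumption is outside the hunk.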
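Review bot: Dropping the `[[ -n "$1" ]] && pr_warning "$1"` line means npn_pre now ignores its first argument entirely, and the same applies to alpn_pre in the next hunk; any call site that still passes a prefix string has it silently discarded, so the callers should be checked (they are not in the diff). If the argument is intentionally unused, a comment on the function line such as `npn_pre(){ # takes no arguments; prints a fixed warning when a proxy is in use` would document the new contract. The remainder of npn_pre is below the hunk.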
@@ -8672,7 +8671,6 @@ npn_pre(){
 alpn_pre(){
 if [[ -n "$PROXY" ]]; then
- [[ -n "$1" ]] && pr_warning " $1 "
 pr_warning "not tested as proxies do not support proxying it"
 fileout "ALPN" "WARN" "not tested as proxies do not support proxying it"
 return 1
@@ -12579,7 +12577,7 @@ run_ccs_injection(){
 elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
 if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
 pr_warning "test failed "
- out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
+ out "no proper TLS repy (debug info: protocol sent: 1503${tls_hexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
 fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
 ret=1
 elif [[ "$byte6" == "15" ]]; then
@@ -13572,7 +13570,7 @@ run_logjam() {
 local -i i nr_supported_ciphers=0 server_key_exchange_len=0 ephemeral_pub_len=0 len_dh_p=0
 local addtl_warning="" hexc
 local -i ret=0 subret=0
- local server_key_exchange ephemeral_pub key_bitstring=""
+ local server_key_exchange key_bitstring=""
 local dh_p=""
 local spaces=" "
 local vuln_exportdh_ciphers=false
@@ -14213,7 +14211,7 @@ run_rc4() {
 local n auth mac export hexc sslv2_ciphers_hex="" sslv2_ciphers_ossl="" s
 local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
 local -i i
- local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2
+ local -a ciphers_found ciphers_found2 hexcode2 ciph2 rfc_ciph2
 local -i -a index
 local dhlen available="" ciphers_to_test supported_sslv2_ciphers proto
 local has_dh_bits="$HAS_DH_BITS" rc4_detected=""
@@ -14321,7 +14319,6 @@ run_rc4() {
 for (( i=0; i < nr_ciphers; i++ )); do
 if "${ossl_supported[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then
 ciphers_found2[nr_ossl_ciphers]=false
- sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
 ciph2[nr_ossl_ciphers]="${ciph[i]}"
 index[nr_ossl_ciphers]=$i
 nr_ossl_ciphers+=1
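Review bot: The corrected `out` line in run_ccs_injection still carries the typo "repy" in its user-facing text; the fixed line would read `out "no proper TLS reply (debug info: protocol sent: 1503${tls_hexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"`. The condition two lines above it, `=~ [03|02|01|00]`, is a bracket expression matching one character from the set `0 3 | 2 1`, not an alternation of the two-digit values, so it accepts or rejects far more than intended; `=~ ^(03|02|01|00)$` expresses the evident intent. That condition is existing code the commit does not touch, and the surrounding function continues outside the hunk.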
@@ -14361,7 +14358,6 @@ run_rc4() {
 for (( i=0; i < nr_ciphers; i++ )); do
 if ! "${ciphers_found[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then
 ciphers_found2[nr_nonossl_ciphers]=false
- sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
 hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
 rfc_ciph2[nr_nonossl_ciphers]="${rfc_ciph[i]}"
 index[nr_nonossl_ciphers]=$i