Merge pull request #1109 from dcooper16/shellcheck

Fix some shellcheck issues
Dirk Wetter 2018-08-30 23:07:31 +02:00 committed by GitHub
commit a3d8143043
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -606,8 +606,8 @@ tmln_fixme() { tmln_warning "Fixme: $1"; }
pr_fixme() { pr_warning "Fixme: $1"; } pr_fixme() { pr_warning "Fixme: $1"; }
prln_fixme() { prln_warning "Fixme: $1"; } prln_fixme() { prln_warning "Fixme: $1"; }
pr_url() { tm_out "$1"; html_out "<a href="$1" style=\"color:black;text-decoration:none;\">$1</a>"; } pr_url() { tm_out "$1"; html_out "<a href=\"$1\" style=\"color:black;text-decoration:none;\">$1</a>"; }
pr_boldurl() { tm_bold "$1"; html_out "<a href="$1" style=\"font-weight:bold;color:black;text-decoration:none;\">$1</a>"; } pr_boldurl() { tm_bold "$1"; html_out "<a href=\"$1\" style=\"font-weight:bold;color:black;text-decoration:none;\">$1</a>"; }
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
@ -1283,9 +1283,9 @@ f5_port_decode() {
if [[ ${#tmp} -eq 4 ]]; then if [[ ${#tmp} -eq 4 ]]; then
: :
elif [[ ${#tmp} -eq 3 ]]; then # fill it up with leading zeros if needed elif [[ ${#tmp} -eq 3 ]]; then # fill it up with leading zeros if needed
tmp=0{$tmp} tmp=0${tmp}
elif [[ ${#tmp} -eq 2 ]]; then elif [[ ${#tmp} -eq 2 ]]; then
tmp=00{$tmp} tmp=00${tmp}
fi fi
echo $((16#${tmp:2:2}${tmp:0:2})) # reverse order and convert it from hex to dec echo $((16#${tmp:2:2}${tmp:0:2})) # reverse order and convert it from hex to dec
} }
@ -1396,6 +1396,7 @@ tmpfile_handle() {
mv $savefile "$TEMPDIR/$NODEIP.$1" 2>/dev/null mv $savefile "$TEMPDIR/$NODEIP.$1" 2>/dev/null
[[ $ERRFILE =~ dev.null ]] && return 0 || \ [[ $ERRFILE =~ dev.null ]] && return 0 || \
mv $ERRFILE "$TEMPDIR/$NODEIP.${1//.txt/}.errorlog" 2>/dev/null mv $ERRFILE "$TEMPDIR/$NODEIP.${1//.txt/}.errorlog" 2>/dev/null
return 0
} }
# arg1: line with comment sign, tabs and so on # arg1: line with comment sign, tabs and so on
@ -1412,7 +1413,6 @@ http_get() {
local node="" query="" local node="" query=""
local dl="$2" local dl="$2"
local useragent="$UA_STD" local useragent="$UA_STD"
local proxy_arg=""
local jsonID="http_get" local jsonID="http_get"
"$SNEAKY" && useragent="$UA_SNEAKY" "$SNEAKY" && useragent="$UA_SNEAKY"
@ -1531,7 +1531,7 @@ check_revocation_crl() {
# -crl_download could be more elegant but is supported from 1.0.2 onwards only # -crl_download could be more elegant but is supported from 1.0.2 onwards only
$OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &>$ERRFILE $OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &>$ERRFILE
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
pr_warning "conversion of "$tmpfile" failed" pr_warning "conversion of \"$tmpfile\" failed"
fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed" fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed"
return 1 return 1
fi fi
@ -2041,7 +2041,7 @@ match_ipv4_httpheader() {
run_http_date() { run_http_date() {
local now difftime local difftime
local spaces=" " local spaces=" "
jsonID="HTTP_clock_skew" jsonID="HTTP_clock_skew"
@ -2074,7 +2074,7 @@ run_http_date() {
fi fi
debugme tm_out ", epoch: $HTTP_TIME" debugme tm_out ", epoch: $HTTP_TIME"
outln outln
match_ipv4_httpheader match_ipv4_httpheader "$1"
return 0 return 0
} }
@ -2208,7 +2208,7 @@ run_hpkp() {
local spaces=" " local spaces=" "
local spaces_indented=" " local spaces_indented=" "
local certificate_found=false local certificate_found=false
local i local -i i nrsaved
local first_hpkp_header local first_hpkp_header
local spki local spki
local ca_hashes="$TESTSSL_INSTALL_DIR/etc/ca_hashes.txt" local ca_hashes="$TESTSSL_INSTALL_DIR/etc/ca_hashes.txt"
@ -2312,7 +2312,7 @@ run_hpkp() {
rm $TEMPDIR/level0.crt 2>/dev/null rm $TEMPDIR/level0.crt 2>/dev/null
printf ""> "$TEMPDIR/intermediate.hashes" printf ""> "$TEMPDIR/intermediate.hashes"
if [[ nrsaved -ge 2 ]]; then if [[ $nrsaved -ge 2 ]]; then
for cert_fname in $TEMPDIR/level?.crt; do for cert_fname in $TEMPDIR/level?.crt; do
hpkp_spki_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout 2>/dev/null | grep -v PUBLIC | $OPENSSL base64 -d 2>/dev/null | hpkp_spki_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout 2>/dev/null | grep -v PUBLIC | $OPENSSL base64 -d 2>/dev/null |
$OPENSSL dgst -sha256 -binary 2>/dev/null | $OPENSSL enc -base64 2>/dev/null)" $OPENSSL dgst -sha256 -binary 2>/dev/null | $OPENSSL enc -base64 2>/dev/null)"
@ -3593,7 +3593,7 @@ run_allciphers() {
local n auth mac export hexc sslv2_ciphers="" s local n auth mac export hexc sslv2_ciphers="" s
local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
local -i i end_of_bundle bundle bundle_size num_bundles mod_check local -i i end_of_bundle bundle bundle_size num_bundles mod_check
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2 local -a ciphers_found ciphers_found2 hexcode2 ciph2 rfc_ciph2
local -i -a index local -i -a index
local proto protos_to_try local proto protos_to_try
local dhlen available ciphers_to_test tls13_ciphers_to_test supported_sslv2_ciphers local dhlen available ciphers_to_test tls13_ciphers_to_test supported_sslv2_ciphers
@ -3701,7 +3701,6 @@ run_allciphers() {
if "${ossl_supported[i]}"; then if "${ossl_supported[i]}"; then
[[ "${sslvers[i]}" == "SSLv2" ]] && continue [[ "${sslvers[i]}" == "SSLv2" ]] && continue
ciphers_found2[nr_ossl_ciphers]=false ciphers_found2[nr_ossl_ciphers]=false
sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
ciph2[nr_ossl_ciphers]="${ciph[i]}" ciph2[nr_ossl_ciphers]="${ciph[i]}"
index[nr_ossl_ciphers]=$i index[nr_ossl_ciphers]=$i
nr_ossl_ciphers+=1 nr_ossl_ciphers+=1
@ -3780,7 +3779,6 @@ run_allciphers() {
if ! "${ciphers_found[i]}"; then if ! "${ciphers_found[i]}"; then
[[ "${sslvers[i]}" == "SSLv2" ]] && continue [[ "${sslvers[i]}" == "SSLv2" ]] && continue
ciphers_found2[nr_nonossl_ciphers]=false ciphers_found2[nr_nonossl_ciphers]=false
sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}" hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
rfc_ciph2[nr_nonossl_ciphers]="${TLS_CIPHER_RFC_NAME[i]}" rfc_ciph2[nr_nonossl_ciphers]="${TLS_CIPHER_RFC_NAME[i]}"
index[nr_nonossl_ciphers]=$i index[nr_nonossl_ciphers]=$i
@ -4173,7 +4171,7 @@ create_client_simulation_tls_clienthello() {
local tls_handshake_ascii="$1" local tls_handshake_ascii="$1"
local -i len offset tls_handshake_ascii_len len_all len_clienthello local -i len offset tls_handshake_ascii_len len_all len_clienthello
local -i len_extensions len_extension local -i len_extensions len_extension
local content_type tls_version_reclayer handshake_msg_type tls_clientversion local tls_content_type tls_version_reclayer handshake_msg_type tls_clientversion
local tls_random tls_sid tls_cipher_suites tls_compression_methods local tls_random tls_sid tls_cipher_suites tls_compression_methods
local tls_extensions="" extension_type len_extensions_hex local tls_extensions="" extension_type len_extensions_hex
local len_servername hexdump_format_str servername_hexstr local len_servername hexdump_format_str servername_hexstr
@ -4441,6 +4439,7 @@ run_client_simulation() {
local minEcdsaBits=() local minEcdsaBits=()
local curves=() local curves=()
local requiresSha2=() local requiresSha2=()
local current=()
local i=0 local i=0
local name tls proto cipher temp what_dh bits curve supported_curves local name tls proto cipher temp what_dh bits curve supported_curves
local has_dh_bits using_sockets=true local has_dh_bits using_sockets=true
@ -4504,7 +4503,7 @@ run_client_simulation() {
MAX_OSSL_FAIL=100 MAX_OSSL_FAIL=100
fi fi
for name in "${short[@]}"; do for name in "${short[@]}"; do
if ${current[i]} || "$ALL_CLIENTS" ; then if "${current[i]}" || "$ALL_CLIENTS" ; then
# for ANY we test this service or if the service we determined from STARTTLS matches # for ANY we test this service or if the service we determined from STARTTLS matches
if [[ "${service[i]}" == "ANY" ]] || [[ "${service[i]}" =~ $client_service ]]; then if [[ "${service[i]}" == "ANY" ]] || [[ "${service[i]}" =~ $client_service ]]; then
out " $(printf -- "%-29s" "${names[i]}")" out " $(printf -- "%-29s" "${names[i]}")"
@ -5304,8 +5303,6 @@ run_cipherlists() {
local sslv2_null_ciphers="" local sslv2_null_ciphers=""
local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff" local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff"
local sslv2_anon_ciphers="" local sslv2_anon_ciphers=""
local adh_ciphers="00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, 00,18, 00,1b, 00,1a, 00,19, 00,17, 00,ff"
local sslv2_adh_ciphers=""
# ~ grep -i EXP etc/cipher-mapping.txt # ~ grep -i EXP etc/cipher-mapping.txt
local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff" local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff"
local sslv2_exp_ciphers="04,00,80, 02,00,80" local sslv2_exp_ciphers="04,00,80, 02,00,80"
@ -5360,7 +5357,7 @@ run_cipherlists() {
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists '3DES:!aNULL:!ADH' "" " Triple DES Ciphers (Medium) " 0 "3DES" "$tdes_ciphers" "$sslv2_tdes_ciphers" "$cve" "$cwe2" sub_cipherlists '3DES:!aNULL:!ADH' "" " Triple DES Ciphers (Medium) " 0 "3DES" "$tdes_ciphers" "$sslv2_tdes_ciphers" "$cve" "$cwe2"
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM'\ sub_cipherlists 'HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM' \
"" " High encryption (AES+Camellia, no AEAD) " 1 "HIGH" "$high_ciphers" "" "" " High encryption (AES+Camellia, no AEAD) " 1 "HIGH" "$high_ciphers" ""
ret=$((ret + $?)) ret=$((ret + $?))
sub_cipherlists 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM' 'ALL' \ sub_cipherlists 'AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM' 'ALL' \
@ -5649,7 +5646,10 @@ sub_session_resumption() {
else else
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE $OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_in $sess_data") </dev/null >$tmpfile 2>$ERRFILE
ret2=$? ret2=$?
debugme echo "$ret1, $ret2, [[ -s "$sess_data" ]]" if [[ $DEBUG -ge 2 ]]; then
echo -n "$ret1, $ret2, "
[[ -s "$sess_data" ]] && echo "not empty" || echo "empty"
fi
# now get the line and compare the numbers read" and "written" as a second criteria. # now get the line and compare the numbers read" and "written" as a second criteria.
rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )" rw_line="$(awk '/^SSL handshake has read/ { print $5" "$(NF-1) }' "$tmpfile" )"
rw_line=($rw_line) rw_line=($rw_line)
@ -6063,7 +6063,7 @@ check_tls12_pref() {
cipher_pref_check() { cipher_pref_check() {
local p proto proto_hex npn_protos local p proto proto_hex
local tested_cipher cipher order rfc_ciph rfc_order local tested_cipher cipher order rfc_ciph rfc_order
local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA" local overflow_probe_cipherlist="ALL:-ECDHE-RSA-AES256-GCM-SHA384:-AES128-SHA:-DES-CBC3-SHA"
local -i i nr_ciphers nr_nonossl_ciphers num_bundles mod_check bundle_size bundle end_of_bundle success local -i i nr_ciphers nr_nonossl_ciphers num_bundles mod_check bundle_size bundle end_of_bundle success
@ -8657,7 +8657,6 @@ run_pfs() {
npn_pre(){ npn_pre(){
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
[[ -n "$1" ]] && pr_warning "$1"
pr_warning "not tested as proxies do not support proxying it" pr_warning "not tested as proxies do not support proxying it"
fileout "NPN" "WARN" "not tested as proxies do not support proxying it" fileout "NPN" "WARN" "not tested as proxies do not support proxying it"
return 1 return 1
@ -8672,7 +8671,6 @@ npn_pre(){
alpn_pre(){ alpn_pre(){
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
[[ -n "$1" ]] && pr_warning " $1 "
pr_warning "not tested as proxies do not support proxying it" pr_warning "not tested as proxies do not support proxying it"
fileout "ALPN" "WARN" "not tested as proxies do not support proxying it" fileout "ALPN" "WARN" "not tested as proxies do not support proxying it"
return 1 return 1
@ -12579,7 +12577,7 @@ run_ccs_injection(){
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
pr_warning "test failed " pr_warning "test failed "
out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}" out "no proper TLS repy (debug info: protocol sent: 1503${tls_hexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint" fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=1 ret=1
elif [[ "$byte6" == "15" ]]; then elif [[ "$byte6" == "15" ]]; then
@ -13572,7 +13570,7 @@ run_logjam() {
local -i i nr_supported_ciphers=0 server_key_exchange_len=0 ephemeral_pub_len=0 len_dh_p=0 local -i i nr_supported_ciphers=0 server_key_exchange_len=0 ephemeral_pub_len=0 len_dh_p=0
local addtl_warning="" hexc local addtl_warning="" hexc
local -i ret=0 subret=0 local -i ret=0 subret=0
local server_key_exchange ephemeral_pub key_bitstring="" local server_key_exchange key_bitstring=""
local dh_p="" local dh_p=""
local spaces=" " local spaces=" "
local vuln_exportdh_ciphers=false local vuln_exportdh_ciphers=false
@ -14213,7 +14211,7 @@ run_rc4() {
local n auth mac export hexc sslv2_ciphers_hex="" sslv2_ciphers_ossl="" s local n auth mac export hexc sslv2_ciphers_hex="" sslv2_ciphers_ossl="" s
local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported local -a normalized_hexcode hexcode ciph sslvers kx enc export2 sigalg ossl_supported
local -i i local -i i
local -a ciphers_found ciphers_found2 hexcode2 ciph2 sslvers2 rfc_ciph2 local -a ciphers_found ciphers_found2 hexcode2 ciph2 rfc_ciph2
local -i -a index local -i -a index
local dhlen available="" ciphers_to_test supported_sslv2_ciphers proto local dhlen available="" ciphers_to_test supported_sslv2_ciphers proto
local has_dh_bits="$HAS_DH_BITS" rc4_detected="" local has_dh_bits="$HAS_DH_BITS" rc4_detected=""
@ -14321,7 +14319,6 @@ run_rc4() {
for (( i=0; i < nr_ciphers; i++ )); do for (( i=0; i < nr_ciphers; i++ )); do
if "${ossl_supported[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then if "${ossl_supported[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then
ciphers_found2[nr_ossl_ciphers]=false ciphers_found2[nr_ossl_ciphers]=false
sslvers2[nr_ossl_ciphers]="${sslvers[i]}"
ciph2[nr_ossl_ciphers]="${ciph[i]}" ciph2[nr_ossl_ciphers]="${ciph[i]}"
index[nr_ossl_ciphers]=$i index[nr_ossl_ciphers]=$i
nr_ossl_ciphers+=1 nr_ossl_ciphers+=1
@ -14361,7 +14358,6 @@ run_rc4() {
for (( i=0; i < nr_ciphers; i++ )); do for (( i=0; i < nr_ciphers; i++ )); do
if ! "${ciphers_found[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then if ! "${ciphers_found[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then
ciphers_found2[nr_nonossl_ciphers]=false ciphers_found2[nr_nonossl_ciphers]=false
sslvers2[nr_nonossl_ciphers]="${sslvers[i]}"
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}" hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
rfc_ciph2[nr_nonossl_ciphers]="${rfc_ciph[i]}" rfc_ciph2[nr_nonossl_ciphers]="${rfc_ciph[i]}"
index[nr_nonossl_ciphers]=$i index[nr_nonossl_ciphers]=$i
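Review bot: In the first hunk, `pr_url` and `pr_boldurl` now quote the `href` attribute correctly but still interpolate `$1` unescaped into both the attribute value and the link text. Because `html_out` is handed literal markup here, it presumably writes the string as-is. If any caller passes a URL taken from the scanned server, a `"`, `<` or `&` in it would change the markup of the HTML report; the callers are outside this page, so that needs confirming. I would escape the value once and reuse it, e.g. `html_out "<a href=\"$esc\" style=\"color:black;text-decoration:none;\">$esc</a>"`, where `esc` holds `$1` after the script's HTML-escaping routine (its name is not visible here). The `tm_out`/`tm_bold` argument should stay as the raw `$1`.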