Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-11 03:00:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make more use of has_server_protocol()

Browse Source 
This PR makes a few changes related to add_tls_offered()/has_server_protocol().

* It changes run_beast() to check has_server_protocol() before running a test against the server when trying to determine whether the server supports SSLv3, TLSv1, TLSv1.1, and TLSv1.2.

* It has run_server_defaults() and run_beast() call add_tls_offered() whenever it detects that a protocol is offered (This makes $PROTOS_OFFERED more complete in the case that run_protocols() isn't run.) Note that in order for the results of the calls to add_tls_offered() in cipher_pref_check() not to be lost, the method of providing the input to the while loop needed to be changed.

* It changes add_tls_offered() and has_server_protocol() to use Bash string capabilities rather than grep in order to improve performance.
This commit is contained in:
David Cooper 2017-09-27 13:39:45 -04:00
parent 36236b6def
commit af15bd0f00
1 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
testssl.sh
View File

@ -3968,13 +3968,12 @@ run_prototest_openssl() {
# idempotent function to add SSL/TLS protocols. It should ease testing # idempotent function to add SSL/TLS protocols. It should ease testing
# PROTOS_OFFERED's content is in openssl terminology # PROTOS_OFFERED's content is in openssl terminology
add_tls_offered() { add_tls_offered() {
grep -qw "$1" <<< "$PROTOS_OFFERED" || PROTOS_OFFERED+="$1 " [[ "$PROTOS_OFFERED" =~ "$1 " ]] || PROTOS_OFFERED+="$1 "
} }
# function which checks whether SSLv2 - TLS 1.2 is being offereed # function which checks whether SSLv2 - TLS 1.2 is being offereed
has_server_protocol() { has_server_protocol() {
[[ -z "$PROTOS_OFFERED" ]] && return 1 # if empty return 1, hinting to the caller to check at additional cost/connect if [[ "$PROTOS_OFFERED" =~ "$1 " ]]; then
if grep -qw "$1" <<< "$PROTOS_OFFERED"; then
return 0 return 0
fi fi
return 1 return 1
@ -4848,6 +4847,7 @@ run_server_preference() {
cipher[i]="" cipher[i]=""
fi fi
fi fi
[[ -n "${cipher[i]}" ]] && add_tls_offered "$proto"
i=$((i + 1)) i=$((i + 1))
done done
@ -4964,7 +4964,7 @@ cipher_pref_check() {
pr_bold " Cipher order" pr_bold " Cipher order"
tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n" | while read p proto_hex proto; do while read p proto_hex proto; do
order=""; ciphers_found_with_sockets=false order=""; ciphers_found_with_sockets=false
if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then
out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\""; out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
@ -5135,12 +5135,13 @@ cipher_pref_check() {
fi fi
if [[ -n "$order" ]]; then if [[ -n "$order" ]]; then
add_tls_offered "$p"
outln outln
out "$(printf " %-10s " "$proto: ")" out "$(printf " %-10s " "$proto: ")"
out "$(out_row_aligned_max_width "$order" " " $TERM_WIDTH)" out "$(out_row_aligned_max_width "$order" " " $TERM_WIDTH)"
fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order" fileout "order_$p" "INFO" "Default cipher order for protocol $p: $order"
fi fi
done done <<< "$(tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n")"
outln outln
outln outln
@ -10775,9 +10776,17 @@ run_beast(){
# first determine whether it's mitigated by higher protocols # first determine whether it's mitigated by higher protocols
for proto in tls1_1 tls1_2; do for proto in tls1_1 tls1_2; do
if $(has_server_protocol "$proto"); then
case $proto in
tls1_1) higher_proto_supported+=" TLSv1.1" ;;
tls1_2) higher_proto_supported+=" TLSv1.2" ;;
esac
else
$OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null $OPENSSL s_client -state -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI 2>>$ERRFILE >$TMPFILE </dev/null
if sclient_connect_successful $? $TMPFILE; then if sclient_connect_successful $? $TMPFILE; then
higher_proto_supported="$higher_proto_supported $(get_protocol $TMPFILE)" higher_proto_supported+=" $(get_protocol $TMPFILE)"
add_tls_offered "$proto"
fi
fi fi
done done
@ -10787,14 +10796,18 @@ run_beast(){
out " " out " "
continue continue
fi fi
if [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then
[[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni="" [[ ! "$proto" =~ ssl ]] && sni="$SNI" || sni=""
if $(has_server_protocol "$proto"); then
sclient_success=0
elif [[ "$proto" != "ssl3" ]] || "$HAS_SSL3"; then
$OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>>$ERRFILE </dev/null $OPENSSL s_client -"$proto" $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$?
else else
tls_sockets "00" "$TLS_CIPHER" tls_sockets "00" "$TLS_CIPHER"
sclient_success=$?
fi fi
if [[ $? -ne 0 ]]; then # protocol supported? if [[ $sclient_success -ne 0 ]]; then # protocol supported?
if "$continued"; then # second round: we hit TLS1 if "$continued"; then # second round: we hit TLS1
if "$HAS_SSL3" || "$using_sockets"; then if "$HAS_SSL3" || "$using_sockets"; then
prln_done_good "no SSL3 or TLS1 (OK)" prln_done_good "no SSL3 or TLS1 (OK)"
@ -10809,6 +10822,7 @@ run_beast(){
continue # protocol not supported, so we do not need to check each cipher with that protocol continue # protocol not supported, so we do not need to check each cipher with that protocol
fi fi
fi # protocol succeeded fi # protocol succeeded
add_tls_offered "$proto"
# now we test in one shot with the precompiled ciphers # now we test in one shot with the precompiled ciphers
if "$using_sockets"; then if "$using_sockets"; then