From bf78a62b2e8f98f065445ba408df021935aedacc Mon Sep 17 00:00:00 2001
From: Dirk
Date: Mon, 5 Nov 2018 22:02:02 +0100
Subject: [PATCH] Add SSLv2 ciphers in handshakes, housekeeping

In addition to 7d36ba9a2e742e7d6bd2ae135ad94160eaca1d8d which added new SSLv2 ciphers to the ciphers file this commit adds those ciphers also to those functions where needed. Also it does some housekeeping. [[ doesn't require strings on the right hand side to be quoted, see bash hackers wiki.
---
 testssl.sh | 60 +++++++++++++++++++++++++++++-------------------------
 1 file changed, 32 insertions(+), 28 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index c78b6c7..ec99cbc 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -422,13 +422,13 @@ SEVERITY_LEVEL=0
 set_severity_level() {
 local severity=$1
- if [[ "$severity" == "LOW" ]]; then
+ if [[ "$severity" == LOW ]]; then
 SEVERITY_LEVEL=$LOW
- elif [[ "$severity" == "MEDIUM" ]]; then
+ elif [[ "$severity" == MEDIUM ]]; then
 SEVERITY_LEVEL=$MEDIUM
- elif [[ "$severity" == "HIGH" ]]; then
+ elif [[ "$severity" == HIGH ]]; then
 SEVERITY_LEVEL=$HIGH
- elif [[ "$severity" == "CRITICAL" ]]; then
+ elif [[ "$severity" == CRITICAL ]]; then
 SEVERITY_LEVEL=$CRITICAL
 else
 # WARN will always be logged
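Review bot: The four-way comparison of one string against fixed literals in set_severity_level reads more naturally as a `case`, and the rewrite added here (`[[ "$severity" == LOW ]]` and friends) keeps the if/elif ladder instead. Each arm would become a one-liner such as `LOW) SEVERITY_LEVEL=$LOW ;;` with `*)` taking over the existing `else` branch. Note also that with an unquoted right-hand side `[[` does pattern matching, which is harmless for these literals but silently changes meaning if a value containing `*` or `?` is ever compared this way; a one-line comment, `# unquoted RHS of == is a glob pattern; safe only for literal words`, saves a future reader the trip to the bash wiki the commit message cites. set_severity_level's else branch continues outside the hunk.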
@@ -440,14 +440,14 @@ set_severity_level() {
 show_finding() {
 local severity=$1
- ( [[ "$severity" == "DEBUG" ]] ) ||
- ( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
- ( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
- ( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
- ( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
- ( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
- ( [[ "$severity" == "WARN" ]] ) ||
- ( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
+ ( [[ "$severity" == DEBUG ]] ) ||
+ ( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
+ ( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
+ ( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
+ ( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
+ ( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
+ ( [[ "$severity" == WARN ]] ) ||
+ ( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
 }
 ########### Output functions
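Review bot: Every alternative in show_finding is wrapped in `( … )`, which forks a subshell for each test on every call; the same condition evaluates in the current shell as `[[ "$severity" == INFO && $SEVERITY_LEVEL -le $INFO ]] ||`, and since this is presumably run once per finding the forks add up over a scan. Only the quoting changed in this hunk, so the rewrite can be done arm by arm without touching the logic or the order of evaluation. It would also help to state the two exceptions explicitly rather than leaving them implied by the missing second test, e.g. above the DEBUG arm: `# DEBUG and WARN are never filtered by SEVERITY_LEVEL`. Whether DEBUG output is gated elsewhere is not visible from this hunk.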
@@ -5352,21 +5352,21 @@ run_cipherlists() {
 local -i i
 local -i ret=0
 local null_ciphers="c0,10, c0,06, c0,15, c0,0b, c0,01, c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, 00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,82, 00,83, ff,87, 00,ff"
- local sslv2_null_ciphers=""
+ local sslv2_null_ciphers="FF,80,10, 00,00,00"
 local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff"
- local sslv2_anon_ciphers=""
+ local sslv2_anon_ciphers="FF,80,10"
 # ~ grep -i EXP etc/cipher-mapping.txt
 local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff"
- local sslv2_exp_ciphers="04,00,80, 02,00,80"
+ local sslv2_exp_ciphers="04,00,80, 02,00,80, 00,00,00"
 # ~ egrep -w '64|56' etc/cipher-mapping.txt | grep -v export
 local low_ciphers="00,15, 00,12, 00,0f, 00,0c, 00,09, 00,1e, 00,22, fe,fe, ff,e1, 00,ff"
- local sslv2_low_ciphers="08,00,80, 06,00,40"
+ local sslv2_low_ciphers="08,00,80, 06,00,40, 06,01,40, FF,80,00"
 # ~ egrep -w 128 etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|ARIA|Camellia|AES"
 local medium_ciphers="00,9a, 00,99, 00,98, 00,97, 00,96, 00,07, 00,21, 00,25, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, 00,92, 00,8a, 00,20, 00,24, c0,33, 00,8e, 00,ff"
 local sslv2_medium_ciphers="01,00,80, 03,00,80, 05,00,80"
 # ~ egrep -w '3DES' etc/cipher-mapping.txt
 local tdes_ciphers="c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,ff"
- local sslv2_tdes_ciphers="07,00,c0"
+ local sslv2_tdes_ciphers="07,00,c0, 07,01,c0"
 # ~ equivalent to 'egrep -w "GOST|128|256" etc/cipher-mapping.txt | grep -v '=None' | egrep -vw 'RC4|AEAD|IDEA|SEED|RC2'. Attention: 127 ciphers currently
 local high_ciphers="c0,28, c0,24, c0,14, c0,0a, c0,22, c0,21, c0,20, 00,b7, 00,b3, 00,91, c0,9b, c0,99, c0,97, 00,af, c0,95, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,3d, 00,35, 00,c0, c0,38, c0,36, 00,84, 00,95, 00,8d, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,49, c0,4b, c0,4d, c0,4f, c0,65, c0,67, c0,69, c0,71, 00,80, 00,81, ff,00, ff,01, ff,02, ff,03, ff,85, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,45, 00,44, 00,43, 00,42, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,3c, 00,2f, 00,ba, c0,37, c0,35, 00,b6, 00,b2, 00,90, 00,41, c0,9a, c0,98, c0,96, 00,ae, c0,94, 00,94, 00,8c, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,48, c0,4a, c0,4c, c0,4e, c0,64, c0,66, c0,68, c0,70" # no SSLv2 here and in strong
@@ -11706,7 +11706,7 @@ sslv2_sockets() {
 local -i response_len server_hello_len
 local parse_complete=false
- if [[ "$2" == "true" ]]; then
+ if [[ "$2" == true ]]; then
 parse_complete=true
 fi
@@ -11722,8 +11722,12 @@ sslv2_sockets() {
 06,00,40, # 6th
 04,00,80, # 7th
 02,00,80, # 8th
- 00,00,00" # 9th
- # FIXME: http://max.euston.net/d/tip_sslciphers.html
+ 06,01,40, # 9
+ 07,01,c0, # 10
+ FF,80,00, # 11
+ FF,80,10, # 12
+ 00,00,00" # 13
+ # FIXME: http://max.euston.net/d/tip_sslciphers.html <-- also SSLv3 ciphers
 fi
 code2network "$cipher_suites" # convert CIPHER_SUITES
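Review bot: `00,00,00` is now listed in both sslv2_null_ciphers and sslv2_exp_ciphers, and `FF,80,10` in both sslv2_null_ciphers and sslv2_anon_ciphers, so a server that accepts either suite will presumably be reported under two categories by run_cipherlists; if the double listing is deliberate (a NULL suite that is also export-grade or anonymous) a comment should say so, otherwise each ID should live in exactly one list. The new IDs also mix case (`FF,80,10` and `FF,80,00` next to the lowercase `07,01,c0` and every TLS entry); unless every consumer normalises, a case-sensitive comparison against cipher-mapping.txt or the parsed ServerHello would miss them, so lowercasing them is the safer convention. Unlike the TLS lists, which each carry a `# ~ grep …` provenance comment, the SSLv2 lists say nothing about where the IDs come from; a line such as `# SSLv2 cipher IDs are 3 bytes each, see etc/cipher-mapping.txt` above the first one would help. run_cipherlists continues beyond this hunk.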
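Review bot: The hard-coded SSLv2 ClientHello list in sslv2_sockets grows from 9 to 13 suites, and whether the CIPHER-SPECS-LENGTH field of that hello is derived from the converted string or from a literal count is not visible in this hunk; if it is a literal it now has to account for five more 3-byte entries, which is worth confirming before this ships. The new entries also mix case (`FF,80,00` beside `07,01,c0`) and switch the label style from `# 8th` to `# 9`; pick one form, and keep the hex lowercase unless code2network is known to be case-insensitive. The reworded FIXME still only points at an http URL; say what the gap is, e.g. `# FIXME: the referenced list also carries SSLv3-era suites that are not sent here`. The function continues outside the hunk.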
@@ -13788,7 +13792,7 @@ run_freak() {
 # with correct build it should list these 9 ciphers (plus the two latter as SSLv2 ciphers):
 local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5"
 local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
- local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80"
+ local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80, 00,00,00"
 local detected_ssl2_ciphers
 local addtl_warning="" hexc
 local using_sockets=true
@@ -14601,7 +14605,7 @@ run_rc4() {
 fi
 if [[ ${#hexc} -eq 9 ]]; then
 hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
- if [[ "${hexc:2:2}" == "00" ]]; then
+ if [[ "${hexc:2:2}" == 00 ]]; then
 normalized_hexcode[nr_ciphers]="x${hexc:7:2}"
 else
 normalized_hexcode[nr_ciphers]="x${hexc:2:2}${hexc:7:2}"
@@ -14620,7 +14624,7 @@ run_rc4() {
 if [[ "${ciph[nr_ciphers]}" =~ RC4 ]]; then
 ciphers_found[nr_ciphers]=false
 if [[ ${#hexc} -eq 9 ]]; then
- if [[ "${hexc:2:2}" == "00" ]]; then
+ if [[ "${hexc:2:2}" == 00 ]]; then
 normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:7:2}")"
 else
 normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}")"
@@ -14642,7 +14646,7 @@ run_rc4() {
 supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
 "$WIDE" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
 for (( i=0 ; i
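Review bot: The comment two lines above still says the OpenSSL list corresponds to 9 ciphers "plus the two latter as SSLv2 ciphers", but exportrsa_ssl2_cipher_list_hex now carries a third entry, `00,00,00`, that has no counterpart in exportrsa_cipher_list, so the comment and the name list no longer describe the same set. FREAK is specifically about export-grade RSA key exchange; if `00,00,00` is the SSLv2 NULL suite rather than an RSA_EXPORT suite, a FREAK finding raised on it would be mislabeled, which is worth checking against etc/cipher-mapping.txt before relying on the socket path. Either way the comment should be brought up to date, e.g. `# with correct build it should list these 9 ciphers (plus 04,00,80 and 02,00,80 as SSLv2 ciphers; 00,00,00 has no OpenSSL name and is checked via sockets only)`. run_freak continues outside the hunk.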
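Review bot: The derivation of normalized_hexcode from hexc appears twice in run_rc4 (the hunks at 14605 and 14624), once bare and once wrapped in tolower, and this commit edits both copies only to drop the quotes around `00`; the duplicated `if [[ "${hexc:2:2}" == 00 ]]` branch is a candidate for a small helper so the two paths cannot drift further. The difference in case handling between the copies already looks like it could yield differently-cased keys for the same cipher depending on which path runs — worth confirming against the lookups that consume normalized_hexcode. The helper below assumes hexc has the 9-character `0xAA,0xBB` shape that the existing `${#hexc} -eq 9` check and the `${hexc:2:2},${hexc:7:2}` slicing imply; the call sites become `normalized_hexcode[nr_ciphers]="$(normalize_hexcode "$hexc")"` and `normalized_hexcode[nr_ciphers]="$(tolower "$(normalize_hexcode "$hexc")")"`. Both hunks lie inside run_rc4, which starts and ends outside this view.
```shell
# Map a 9-char "0xAA,0xBB" cipher id to the "xBB" (when AA is 00) or "xAABB"
# key form used for normalized_hexcode; callers apply tolower where they need it.
normalize_hexcode() {
     local hexc="$1"
     if [[ "${hexc:2:2}" == 00 ]]; then
          echo "x${hexc:7:2}"
     else
          echo "x${hexc:2:2}${hexc:7:2}"
     fi
}
```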