Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-01 06:19:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add SSLv2 ciphers in handshakes, housekeeping

Browse Source 
In addition to 7d36ba9a2e which
added new SSLv2 ciphers to the ciphers file this commit adds those
ciphers also to those functions where needed.

Also it does some housekeeping. [[ doesn't require strings on
the right hand side to be quoted, see bash hackers wiki.
This commit is contained in:
Dirk 2018-11-05 22:02:02 +01:00
parent de684885fe
commit bf78a62b2e
1 changed files with 32 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
testssl.sh
View File

@ -422,13 +422,13 @@ SEVERITY_LEVEL=0
set_severity_level() { set_severity_level() {
local severity=$1 local severity=$1
if [[ "$severity" == "LOW" ]]; then if [[ "$severity" == LOW ]]; then
SEVERITY_LEVEL=$LOW SEVERITY_LEVEL=$LOW
elif [[ "$severity" == "MEDIUM" ]]; then elif [[ "$severity" == MEDIUM ]]; then
SEVERITY_LEVEL=$MEDIUM SEVERITY_LEVEL=$MEDIUM
elif [[ "$severity" == "HIGH" ]]; then elif [[ "$severity" == HIGH ]]; then
SEVERITY_LEVEL=$HIGH SEVERITY_LEVEL=$HIGH
elif [[ "$severity" == "CRITICAL" ]]; then elif [[ "$severity" == CRITICAL ]]; then
SEVERITY_LEVEL=$CRITICAL SEVERITY_LEVEL=$CRITICAL
else else
# WARN will always be logged # WARN will always be logged
@ -440,14 +440,14 @@ set_severity_level() {
show_finding() { show_finding() {
local severity=$1 local severity=$1
( [[ "$severity" == "DEBUG" ]] ) || ( [[ "$severity" == DEBUG ]] ) ||
( [[ "$severity" == "INFO" ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) || ( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) ||
( [[ "$severity" == "OK" ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) || ( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) ||
( [[ "$severity" == "LOW" ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) || ( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) ||
( [[ "$severity" == "MEDIUM" ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) || ( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) ||
( [[ "$severity" == "HIGH" ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) || ( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) ||
( [[ "$severity" == "WARN" ]] ) || ( [[ "$severity" == WARN ]] ) ||
( [[ "$severity" == "CRITICAL" ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] ) ( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] )
} }
########### Output functions ########### Output functions
@ -5352,21 +5352,21 @@ run_cipherlists() {
local -i i local -i i
local -i ret=0 local -i ret=0
local null_ciphers="c0,10, c0,06, c0,15, c0,0b, c0,01, c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, 00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,82, 00,83, ff,87, 00,ff" local null_ciphers="c0,10, c0,06, c0,15, c0,0b, c0,01, c0,3b, c0,3a, c0,39, 00,b9, 00,b8, 00,b5, 00,b4, 00,2e, 00,2d, 00,b1, 00,b0, 00,2c, 00,3b, 00,02, 00,01, 00,82, 00,83, ff,87, 00,ff"
local sslv2_null_ciphers="" local sslv2_null_ciphers="FF,80,10, 00,00,00"
local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff" local anon_ciphers="c0,19, 00,a7, 00,6d, 00,3a, 00,c5, 00,89, c0,47, c0,5b, c0,85, c0,18, 00,a6, 00,6c, 00,34, 00,bf, 00,9b, 00,46, c0,46, c0,5a, c0,84, c0,16, 00,18, c0,17, 00,1b, 00,1a, 00,19, 00,17, c0,15, 00,ff"
local sslv2_anon_ciphers="" local sslv2_anon_ciphers="FF,80,10"
# ~ grep -i EXP etc/cipher-mapping.txt # ~ grep -i EXP etc/cipher-mapping.txt
local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff" local exp_ciphers="00,63, 00,62, 00,61, 00,65, 00,64, 00,60, 00,14, 00,11, 00,19, 00,08, 00,06, 00,27, 00,26, 00,2a, 00,29, 00,0b, 00,0e, 00,17, 00,03, 00,28, 00,2b, 00,ff"
local sslv2_exp_ciphers="04,00,80, 02,00,80" local sslv2_exp_ciphers="04,00,80, 02,00,80, 00,00,00"
# ~ egrep -w '64|56' etc/cipher-mapping.txt | grep -v export # ~ egrep -w '64|56' etc/cipher-mapping.txt | grep -v export
local low_ciphers="00,15, 00,12, 00,0f, 00,0c, 00,09, 00,1e, 00,22, fe,fe, ff,e1, 00,ff" local low_ciphers="00,15, 00,12, 00,0f, 00,0c, 00,09, 00,1e, 00,22, fe,fe, ff,e1, 00,ff"
local sslv2_low_ciphers="08,00,80, 06,00,40" local sslv2_low_ciphers="08,00,80, 06,00,40, 06,01,40, FF,80,00"
# ~ egrep -w 128 etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|ARIA|Camellia|AES" # ~ egrep -w 128 etc/cipher-mapping.txt | egrep -v "Au=None|AEAD|ARIA|Camellia|AES"
local medium_ciphers="00,9a, 00,99, 00,98, 00,97, 00,96, 00,07, 00,21, 00,25, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, 00,92, 00,8a, 00,20, 00,24, c0,33, 00,8e, 00,ff" local medium_ciphers="00,9a, 00,99, 00,98, 00,97, 00,96, 00,07, 00,21, 00,25, c0,11, c0,07, 00,66, c0,0c, c0,02, 00,05, 00,04, 00,92, 00,8a, 00,20, 00,24, c0,33, 00,8e, 00,ff"
local sslv2_medium_ciphers="01,00,80, 03,00,80, 05,00,80" local sslv2_medium_ciphers="01,00,80, 03,00,80, 05,00,80"
# ~ egrep -w '3DES' etc/cipher-mapping.txt # ~ egrep -w '3DES' etc/cipher-mapping.txt
local tdes_ciphers="c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,ff" local tdes_ciphers="c0,12, c0,08, c0,1c, c0,1b, c0,1a, 00,16, 00,13, 00,10, 00,0d, c0,0d, c0,03, 00,0a, 00,93, 00,8b, 00,1f, 00,23, c0,34, 00,8f, fe,ff, ff,e0, 00,ff"
local sslv2_tdes_ciphers="07,00,c0" local sslv2_tdes_ciphers="07,00,c0, 07,01,c0"
# ~ equivalent to 'egrep -w "GOST|128|256" etc/cipher-mapping.txt | grep -v '=None' | egrep -vw 'RC4|AEAD|IDEA|SEED|RC2'. Attention: 127 ciphers currently # ~ equivalent to 'egrep -w "GOST|128|256" etc/cipher-mapping.txt | grep -v '=None' | egrep -vw 'RC4|AEAD|IDEA|SEED|RC2'. Attention: 127 ciphers currently
local high_ciphers="c0,28, c0,24, c0,14, c0,0a, c0,22, c0,21, c0,20, 00,b7, 00,b3, 00,91, c0,9b, c0,99, c0,97, 00,af, c0,95, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,3d, 00,35, 00,c0, c0,38, c0,36, 00,84, 00,95, 00,8d, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,49, c0,4b, c0,4d, c0,4f, c0,65, c0,67, c0,69, c0,71, 00,80, 00,81, ff,00, ff,01, ff,02, ff,03, ff,85, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,45, 00,44, 00,43, 00,42, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,3c, 00,2f, 00,ba, c0,37, c0,35, 00,b6, 00,b2, 00,90, 00,41, c0,9a, c0,98, c0,96, 00,ae, c0,94, 00,94, 00,8c, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,48, c0,4a, c0,4c, c0,4e, c0,64, c0,66, c0,68, c0,70" local high_ciphers="c0,28, c0,24, c0,14, c0,0a, c0,22, c0,21, c0,20, 00,b7, 00,b3, 00,91, c0,9b, c0,99, c0,97, 00,af, c0,95, 00,6b, 00,6a, 00,69, 00,68, 00,39, 00,38, 00,37, 00,36, c0,77, c0,73, 00,c4, 00,c3, 00,c2, 00,c1, 00,88, 00,87, 00,86, 00,85, c0,2a, c0,26, c0,0f, c0,05, c0,79, c0,75, 00,3d, 00,35, 00,c0, c0,38, c0,36, 00,84, 00,95, 00,8d, c0,3d, c0,3f, c0,41, c0,43, c0,45, c0,49, c0,4b, c0,4d, c0,4f, c0,65, c0,67, c0,69, c0,71, 00,80, 00,81, ff,00, ff,01, ff,02, ff,03, ff,85, c0,27, c0,23, c0,13, c0,09, c0,1f, c0,1e, c0,1d, 00,67, 00,40, 00,3f, 00,3e, 00,33, 00,32, 00,31, 00,30, c0,76, c0,72, 00,be, 00,bd, 00,bc, 00,bb, 00,45, 00,44, 00,43, 00,42, c0,29, c0,25, c0,0e, c0,04, c0,78, c0,74, 00,3c, 00,2f, 00,ba, c0,37, c0,35, 00,b6, 00,b2, 00,90, 00,41, c0,9a, c0,98, c0,96, 00,ae, c0,94, 00,94, 00,8c, c0,3c, c0,3e, c0,40, c0,42, c0,44, c0,48, c0,4a, c0,4c, c0,4e, c0,64, c0,66, c0,68, c0,70"
# no SSLv2 here and in strong # no SSLv2 here and in strong
@ -11706,7 +11706,7 @@ sslv2_sockets() {
local -i response_len server_hello_len local -i response_len server_hello_len
local parse_complete=false local parse_complete=false
if [[ "$2" == "true" ]]; then if [[ "$2" == true ]]; then
parse_complete=true parse_complete=true
fi fi
@ -11722,8 +11722,12 @@ sslv2_sockets() {
06,00,40, # 6th 06,00,40, # 6th
04,00,80, # 7th 04,00,80, # 7th
02,00,80, # 8th 02,00,80, # 8th
00,00,00" # 9th 06,01,40, # 9
# FIXME: http://max.euston.net/d/tip_sslciphers.html 07,01,c0, # 10
FF,80,00, # 11
FF,80,10, # 12
00,00,00" # 13
# FIXME: http://max.euston.net/d/tip_sslciphers.html <-- also SSLv3 ciphers
fi fi
code2network "$cipher_suites" # convert CIPHER_SUITES code2network "$cipher_suites" # convert CIPHER_SUITES
@ -13788,7 +13792,7 @@ run_freak() {
# with correct build it should list these 9 ciphers (plus the two latter as SSLv2 ciphers): # with correct build it should list these 9 ciphers (plus the two latter as SSLv2 ciphers):
local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5" local exportrsa_cipher_list="EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-DH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5"
local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03" local exportrsa_tls_cipher_list_hex="00,62, 00,61, 00,64, 00,60, 00,14, 00,0E, 00,08, 00,06, 00,03"
local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80" local exportrsa_ssl2_cipher_list_hex="04,00,80, 02,00,80, 00,00,00"
local detected_ssl2_ciphers local detected_ssl2_ciphers
local addtl_warning="" hexc local addtl_warning="" hexc
local using_sockets=true local using_sockets=true
@ -14601,7 +14605,7 @@ run_rc4() {
fi fi
if [[ ${#hexc} -eq 9 ]]; then if [[ ${#hexc} -eq 9 ]]; then
hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}" hexcode[nr_ciphers]="${hexc:2:2},${hexc:7:2}"
if [[ "${hexc:2:2}" == "00" ]]; then if [[ "${hexc:2:2}" == 00 ]]; then
normalized_hexcode[nr_ciphers]="x${hexc:7:2}" normalized_hexcode[nr_ciphers]="x${hexc:7:2}"
else else
normalized_hexcode[nr_ciphers]="x${hexc:2:2}${hexc:7:2}" normalized_hexcode[nr_ciphers]="x${hexc:2:2}${hexc:7:2}"
@ -14620,7 +14624,7 @@ run_rc4() {
if [[ "${ciph[nr_ciphers]}" =~ RC4 ]]; then if [[ "${ciph[nr_ciphers]}" =~ RC4 ]]; then
ciphers_found[nr_ciphers]=false ciphers_found[nr_ciphers]=false
if [[ ${#hexc} -eq 9 ]]; then if [[ ${#hexc} -eq 9 ]]; then
if [[ "${hexc:2:2}" == "00" ]]; then if [[ "${hexc:2:2}" == 00 ]]; then
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:7:2}")" normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:7:2}")"
else else
normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}")" normalized_hexcode[nr_ciphers]="$(tolower "x${hexc:2:2}${hexc:7:2}")"
@ -14642,7 +14646,7 @@ run_rc4() {
supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" supported_sslv2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")"
"$WIDE" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")" "$WIDE" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$HOSTCERT")"
for (( i=0 ; i<nr_ciphers; i++ )); do for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then if [[ "${sslvers[i]}" == SSLv2 ]] && [[ "$supported_sslv2_ciphers" =~ ${normalized_hexcode[i]} ]]; then
ciphers_found[i]=true ciphers_found[i]=true
"$WIDE" && "$SHOW_SIGALGO" && sigalg[i]="$s" "$WIDE" && "$SHOW_SIGALGO" && sigalg[i]="$s"
rc4_offered=1 rc4_offered=1
@ -14656,7 +14660,7 @@ run_rc4() {
supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)" supported_sslv2_ciphers="$(grep -A 4 "Ciphers common between both SSL endpoints:" $TMPFILE)"
"$WIDE" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")" "$WIDE" && "$SHOW_SIGALGO" && s="$(read_sigalg_from_file "$TMPFILE")"
for (( i=0 ; i<nr_ciphers; i++ )); do for (( i=0 ; i<nr_ciphers; i++ )); do
if [[ "${sslvers[i]}" == "SSLv2" ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then if [[ "${sslvers[i]}" == SSLv2 ]] && [[ "$supported_sslv2_ciphers" =~ ${ciph[i]} ]]; then
ciphers_found[i]=true ciphers_found[i]=true
"$WIDE" && "$SHOW_SIGALGO" && sigalg[i]="$s" "$WIDE" && "$SHOW_SIGALGO" && sigalg[i]="$s"
rc4_offered=1 rc4_offered=1
@ -14666,7 +14670,7 @@ run_rc4() {
fi fi
for (( i=0; i < nr_ciphers; i++ )); do for (( i=0; i < nr_ciphers; i++ )); do
if "${ossl_supported[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then if "${ossl_supported[i]}" && [[ "${sslvers[i]}" != SSLv2 ]]; then
ciphers_found2[nr_ossl_ciphers]=false ciphers_found2[nr_ossl_ciphers]=false
ciph2[nr_ossl_ciphers]="${ciph[i]}" ciph2[nr_ossl_ciphers]="${ciph[i]}"
index[nr_ossl_ciphers]=$i index[nr_ossl_ciphers]=$i
@ -14705,7 +14709,7 @@ run_rc4() {
if "$using_sockets"; then if "$using_sockets"; then
for (( i=0; i < nr_ciphers; i++ )); do for (( i=0; i < nr_ciphers; i++ )); do
if ! "${ciphers_found[i]}" && [[ "${sslvers[i]}" != "SSLv2" ]]; then if ! "${ciphers_found[i]}" && [[ "${sslvers[i]}" != SSLv2 ]]; then
ciphers_found2[nr_nonossl_ciphers]=false ciphers_found2[nr_nonossl_ciphers]=false
hexcode2[nr_nonossl_ciphers]="${hexcode[i]}" hexcode2[nr_nonossl_ciphers]="${hexcode[i]}"
rfc_ciph2[nr_nonossl_ciphers]="${rfc_ciph[i]}" rfc_ciph2[nr_nonossl_ciphers]="${rfc_ciph[i]}"
@ -16011,7 +16015,7 @@ prepare_arrays() {
if [[ -n "$ossl_ciph" ]]; then if [[ -n "$ossl_ciph" ]]; then
TLS_CIPHER_OSSL_SUPPORTED[i]=true TLS_CIPHER_OSSL_SUPPORTED[i]=true
[[ "$ossl_ciph" != "${TLS_CIPHER_OSSL_NAME[i]}" ]] && TLS_CIPHER_OSSL_NAME[i]="$ossl_ciph" [[ "$ossl_ciph" != "${TLS_CIPHER_OSSL_NAME[i]}" ]] && TLS_CIPHER_OSSL_NAME[i]="$ossl_ciph"
[[ "${hexc:2:2}" == "13" ]] && TLS13_OSSL_CIPHERS+=":$ossl_ciph" [[ "${hexc:2:2}" == 13 ]] && TLS13_OSSL_CIPHERS+=":$ossl_ciph"
fi fi
fi fi
elif [[ $OSSL_VER_MAJOR -lt 1 ]]; then elif [[ $OSSL_VER_MAJOR -lt 1 ]]; then