Check for pkey support
Similar to the recently added HAS_PKUTIL (f829878a43
), this PR adds HAS_PKEY, which indicates whether OpenSSL has the pkey utility. HAS_PKEY is then checked before attempting to do something that requires the pkey utility.
This commit is contained in:
parent
69956016b3
commit
cea570836f
19
testssl.sh
19
testssl.sh
|
@ -276,6 +276,7 @@ HAS_SSL2=false
|
||||||
HAS_SSL3=false
|
HAS_SSL3=false
|
||||||
HAS_TLS13=false
|
HAS_TLS13=false
|
||||||
HAS_PKUTIL=false
|
HAS_PKUTIL=false
|
||||||
|
HAS_PKEY=false
|
||||||
HAS_NO_SSL2=false
|
HAS_NO_SSL2=false
|
||||||
HAS_NOSERVERNAME=false
|
HAS_NOSERVERNAME=false
|
||||||
HAS_ALPN=false
|
HAS_ALPN=false
|
||||||
|
@ -8120,6 +8121,8 @@ get_pub_key_size() {
|
||||||
local pubkey pubkeybits
|
local pubkey pubkeybits
|
||||||
local -i i len1 len
|
local -i i len1 len
|
||||||
|
|
||||||
|
"$HAS_PKEY" || return 1
|
||||||
|
|
||||||
# OpenSSL displays the number of bits for RSA and ECC
|
# OpenSSL displays the number of bits for RSA and ECC
|
||||||
pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -text 2>>$ERRFILE | grep -aw "Public-Key:" | sed -e 's/.*(//' -e 's/)//')
|
pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -text 2>>$ERRFILE | grep -aw "Public-Key:" | sed -e 's/.*(//' -e 's/)//')
|
||||||
if [[ -n $pubkeybits ]]; then
|
if [[ -n $pubkeybits ]]; then
|
||||||
|
@ -8222,6 +8225,8 @@ get_dh_ephemeralkey() {
|
||||||
local dh_p dh_g dh_y dh_param len1 key_bitstring
|
local dh_p dh_g dh_y dh_param len1 key_bitstring
|
||||||
local -i i dh_p_len dh_g_len dh_y_len dh_param_len
|
local -i i dh_p_len dh_g_len dh_y_len dh_param_len
|
||||||
|
|
||||||
|
"$HAS_PKEY" || return 1
|
||||||
|
|
||||||
tls_serverkeyexchange_ascii_len=${#tls_serverkeyexchange_ascii}
|
tls_serverkeyexchange_ascii_len=${#tls_serverkeyexchange_ascii}
|
||||||
dh_p_len=2*$(hex2dec "${tls_serverkeyexchange_ascii:0:4}")
|
dh_p_len=2*$(hex2dec "${tls_serverkeyexchange_ascii:0:4}")
|
||||||
offset=4+$dh_p_len
|
offset=4+$dh_p_len
|
||||||
|
@ -9100,7 +9105,10 @@ parse_tls_serverhello() {
|
||||||
*) named_curve_str="" ; named_curve_oid="" ;;
|
*) named_curve_str="" ; named_curve_oid="" ;;
|
||||||
esac
|
esac
|
||||||
let offset=$extns_offset+20+$i
|
let offset=$extns_offset+20+$i
|
||||||
if [[ $named_curve -eq 29 ]]; then
|
if ! "$HAS_PKEY"; then
|
||||||
|
# The key can't be extracted without the pkey utility.
|
||||||
|
key_bitstring=""
|
||||||
|
elif [[ $named_curve -eq 29 ]]; then
|
||||||
key_bitstring="302a300506032b656e032100${tls_serverhello_ascii:offset:msg_len}"
|
key_bitstring="302a300506032b656e032100${tls_serverhello_ascii:offset:msg_len}"
|
||||||
elif [[ $named_curve -eq 30 ]]; then
|
elif [[ $named_curve -eq 30 ]]; then
|
||||||
key_bitstring="3042300506032b656f033900${tls_serverhello_ascii:offset:msg_len}"
|
key_bitstring="3042300506032b656f033900${tls_serverhello_ascii:offset:msg_len}"
|
||||||
|
@ -9566,7 +9574,7 @@ parse_tls_serverhello() {
|
||||||
*) named_curve=0; named_curve_str="" ;;
|
*) named_curve=0; named_curve_str="" ;;
|
||||||
esac
|
esac
|
||||||
[[ -z "$key_bitstring" ]] && named_curve=0 && named_curve_str=""
|
[[ -z "$key_bitstring" ]] && named_curve=0 && named_curve_str=""
|
||||||
if [[ $named_curve -ne 0 ]] && [[ "${TLS13_KEY_SHARES[named_curve]}" =~ BEGIN ]]; then
|
if "$HAS_PKEY" && [[ $named_curve -ne 0 ]] && [[ "${TLS13_KEY_SHARES[named_curve]}" =~ BEGIN ]]; then
|
||||||
ephemeral_param="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | grep -A 1000 "prime:")"
|
ephemeral_param="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | grep -A 1000 "prime:")"
|
||||||
rfc7919_param="$($OPENSSL pkey -text -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -A 1000 "prime:")"
|
rfc7919_param="$($OPENSSL pkey -text -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -A 1000 "prime:")"
|
||||||
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
|
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
|
||||||
|
@ -12884,6 +12892,10 @@ run_robot() {
|
||||||
prln_local_problem "Your $OPENSSL does not support the pkeyutl utility."
|
prln_local_problem "Your $OPENSSL does not support the pkeyutl utility."
|
||||||
fileout "ROBOT" "WARN" "Your $OPENSSL does not support the pkeyutl utility."
|
fileout "ROBOT" "WARN" "Your $OPENSSL does not support the pkeyutl utility."
|
||||||
return 7
|
return 7
|
||||||
|
elif ! "$HAS_PKEY"; then
|
||||||
|
prln_local_problem "Your $OPENSSL does not support the pkey utility."
|
||||||
|
fileout "ROBOT" "WARN" "Your $OPENSSL does not support the pkey utility."
|
||||||
|
return 7
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
|
if [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
|
||||||
|
@ -13288,6 +13300,9 @@ find_openssl_binary() {
|
||||||
$OPENSSL s_client -noservername -connect x 2>&1 | grep -aq "unknown option" || \
|
$OPENSSL s_client -noservername -connect x 2>&1 | grep -aq "unknown option" || \
|
||||||
HAS_NOSERVERNAME=true
|
HAS_NOSERVERNAME=true
|
||||||
|
|
||||||
|
$OPENSSL pkey -help 2>&1 | grep -q Error || \
|
||||||
|
HAS_PKEY=true
|
||||||
|
|
||||||
$OPENSSL pkeyutl 2>&1 | grep -q Error || \
|
$OPENSSL pkeyutl 2>&1 | grep -q Error || \
|
||||||
HAS_PKUTIL=true
|
HAS_PKUTIL=true
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue