Merge pull request #112 from AntonioMeireles/cosmetics_1

Trim all trailing whitespace at end of line, plus spelling typo fixes.
Dirk Wetter 2015-05-29 22:42:51 +02:00
commit d066e0868a


@ -3,7 +3,7 @@
[ -z "$BASH_VERSINFO" ] && echo "\n$(tput setaf 5) Please make sure you're using bash! Bye...$(tput sgr0)\n" && exit 1 [ -z "$BASH_VERSINFO" ] && echo "\n$(tput setaf 5) Please make sure you're using bash! Bye...$(tput sgr0)\n" && exit 1
# #
# testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some # testssl.sh is a program for spotting weak SSL encryption, ciphers, version and some
# vulnerablities or features # vulnerabilities or features
# #
# Devel version is available from https://github.com/drwetter/testssl.sh # Devel version is available from https://github.com/drwetter/testssl.sh
# Stable version from https://testssl.sh # Stable version from https://testssl.sh
@ -35,7 +35,7 @@ SWCONTACT="dirk aet testssl dot sh"
# The socket checks in bash may sound cool and unique -- they are -- but probably you # The socket checks in bash may sound cool and unique -- they are -- but probably you
# can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket # can achieve e.g. the same result with my favorite interactive shell: zsh (zmodload zsh/net/socket
# -- checkout zsh/net/tcp too!) /bin/bash is way more often used within Linux and it's perfect # -- checkout zsh/net/tcp too!) /bin/bash is way more often used within Linux and it's perfect
# for cross plattform support, see MacOS X and also under Windows the MSYS2 extention. # for cross platform support, see MacOS X and also under Windows the MSYS2 extension.
# Cross-platform is one of the three ideas of this script. Second: Ease of installation. # Cross-platform is one of the three ideas of this script. Second: Ease of installation.
# No compiling, install gems, go to CPAN, use pip etc. Third: Easy to use and to interpret # No compiling, install gems, go to CPAN, use pip etc. Third: Easy to use and to interpret
# the result. # the result.
@ -52,7 +52,7 @@ SWCONTACT="dirk aet testssl dot sh"
# #
# Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities) # Note that for "standard" openssl binaries a lot of features (ciphers, protocols, vulnerabilities)
# are disabled as they'll impact security otherwise. For security testing though we need # are disabled as they'll impact security otherwise. For security testing though we need
# all b0rken features. testssl.sh will over time replace those checks with bash sockets -- # all broken features. testssl.sh will over time replace those checks with bash sockets --
# however it's still recommended to use the supplied binaries or cook your own, see # however it's still recommended to use the supplied binaries or cook your own, see
# https://github.com/drwetter/testssl.sh/blob/master/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md # https://github.com/drwetter/testssl.sh/blob/master/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md
# Don't worry if feature X is not available you'll get a warning about this missing feature! # Don't worry if feature X is not available you'll get a warning about this missing feature!
@ -95,7 +95,7 @@ readonly DAYS2WARN2=30 # days to warn before cert expires, threshold 2
# more global vars, here just declared # more global vars, here just declared
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS. readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future costum line wrapping TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
readonly SYSTEM=$(uname -s) # OS readonly SYSTEM=$(uname -s) # OS
if date --help >/dev/null 2>&1; then if date --help >/dev/null 2>&1; then
@ -122,7 +122,7 @@ LEN_STR=""
SNI="" SNI=""
IP4="" IP4=""
IP6="" IP6=""
OSSL_VER="" # openssl version, will be autodetermined OSSL_VER="" # openssl version, will be auto-determined
OSSL_VER_MAJOR=0 OSSL_VER_MAJOR=0
OSSL_VER_MINOR=0 OSSL_VER_MINOR=0
OSSL_VER_APPENDIX="none" OSSL_VER_APPENDIX="none"
@ -134,7 +134,8 @@ IPS=""
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP? SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
URI="" URI=""
STARTTLS_PROTOCOL="" STARTTLS_PROTOCOL=""
OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.02, otherwise some handshakes will fail, see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892 OPTIMAL_PROTO="" # we need this for IIS6 (sigh) and OpenSSL 1.02, otherwise some handshakes
# will fail, see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892
TLS_TIME="" TLS_TIME=""
TLS_NOW="" TLS_NOW=""
@ -157,9 +158,9 @@ readonly PS4='${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
trap "cleanup" QUIT EXIT trap "cleanup" QUIT EXIT
# The various hexdump commands we need to replace xxd (BSD compatability)) # The various hexdump commands we need to replace xxd (BSD compatibility))
HEXDUMPVIEW=(hexdump -C) # This is used in verbose mode to see what's going on HEXDUMPVIEW=(hexdump -C) # This is used in verbose mode to see what's going on
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyse the reply HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]' HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
@ -566,7 +567,7 @@ hpkp() {
egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" || out "(two HPKP headers, using 1st one) " egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" || out "(two HPKP headers, using 1st one) "
# dirty trick so that grep -c really counts occurances and not lines w/ occurances: # dirty trick so that grep -c really counts occurrences and not lines w/ occurrences:
hpkp_nr_keys=$(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -ac pin-sha) hpkp_nr_keys=$(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -ac pin-sha)
if [ $hpkp_nr_keys -eq 1 ]; then if [ $hpkp_nr_keys -eq 1 ]; then
pr_litered "One key is not sufficent, " pr_litered "One key is not sufficent, "
@ -866,7 +867,7 @@ std_cipherlists() {
# sockets inspired by http://blog.chris007.de/?p=238 # sockets inspired by http://blog.chris007.de/?p=238
# ARG1: hexbyte with a leading comma (!!), seperated by commas # ARG1: hexbyte with a leading comma (!!), separated by commas
# ARG2: sleep # ARG2: sleep
socksend() { socksend() {
# the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do # the following works under BSD and Linux, which is quite tricky. So don't mess with it unless you're really sure what you do
@ -1458,7 +1459,7 @@ server_defaults() {
# HTTP date: # HTTP date:
out " HTTP clock skew: " out " HTTP clock skew: "
if [[ $SERVICE != "HTTP" ]] ; then if [[ $SERVICE != "HTTP" ]] ; then
out "not tested as we're not tagetting HTTP" out "not tested as we're not targeting HTTP"
else else
printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO -ign_eof -connect $NODEIP:$PORT $SNI &>$TMPFILE printf "$GET_REQ11" | $OPENSSL s_client $OPTIMAL_PROTO -ign_eof -connect $NODEIP:$PORT $SNI &>$TMPFILE
now=$(date "+%s") now=$(date "+%s")
@ -1713,7 +1714,7 @@ pfs() {
pr_litegreen " PFS ciphers (OK): " pr_litegreen " PFS ciphers (OK): "
else else
pr_litegreen " PFS is offered (OK) " pr_litegreen " PFS is offered (OK) "
outln "Cipher follow (Client/browser support is here escpecially important) \n" outln "Cipher follow (Client/browser support is here specially important) \n"
neat_header neat_header
fi fi
while read hexcode dash pfs_cipher sslvers kx auth enc mac; do while read hexcode dash pfs_cipher sslvers kx auth enc mac; do
@ -1811,7 +1812,7 @@ fd_socket() {
if ! exec 5<>/dev/tcp/$NODEIP/$PORT; then # 2>/dev/null removes an error message, but disables debugging if ! exec 5<>/dev/tcp/$NODEIP/$PORT; then # 2>/dev/null removes an error message, but disables debugging
outln outln
pr_magenta "Unable to open a socket to $NODEIP:$PORT. " pr_magenta "Unable to open a socket to $NODEIP:$PORT. "
# It can last ~2 minutes but for for those rare occasions we don't do a tiemout handler here, KISS # It can last ~2 minutes but for for those rare occasions we don't do a timeout handler here, KISS
return 6 return 6
fi fi
return 0 return 0
@ -2561,7 +2562,7 @@ crime() {
} }
# BREACH is a HTTP-level compression & an attack which works against any cipher suite and is agnostic # BREACH is a HTTP-level compression & an attack which works against any cipher suite and is agnostic
# to the version of TLS/SSL, more: http://www.breachattack.com/ . Foreign referers are the important thing here! # to the version of TLS/SSL, more: http://www.breachattack.com/ . Foreign referrers are the important thing here!
breach() { breach() {
[[ $SERVICE != "HTTP" ]] && return 7 [[ $SERVICE != "HTTP" ]] && return 7
@ -2639,7 +2640,7 @@ ssl_poodle() {
return $ret return $ret
} }
# for appliance which use padding, no fallack needed # for appliance which use padding, no fallback needed
tls_poodle() { tls_poodle() {
pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental " pr_bold " POODLE, SSL"; out " CVE-2014-8730), experimental "
#FIXME #FIXME
@ -3336,7 +3337,7 @@ get_dns_entries() {
IP4=$NODE IP4=$NODE
SNI="" # override Server Name Indication as we test the IP only SNI="" # override Server Name Indication as we test the IP only
else else
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resulution # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }') IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
if which host &> /dev/null && [ -z "$IP4" ] ; then if which host &> /dev/null && [ -z "$IP4" ] ; then
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //') IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
@ -3451,7 +3452,7 @@ draw_dotted_line() {
} }
# This intializes boolean global do_* variables, meant primarily to keep track of what to do # This initializes boolean global do_* variables, meant primarily to keep track of what to do
initialize_globals() { initialize_globals() {
do_allciphers=false do_allciphers=false
do_vulnerabilities=false do_vulnerabilities=false
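Review bot: The rewrite of the `outln "Cipher follow ..."` line in pfs() swaps one misspelling for a different word: `escpecially` was clearly meant as `especially`, and `specially` changes the sense of the sentence; it should read `outln "Cipher follow (Client/browser support is here especially important) \n"`. Two typos inside the touched hunks also survive the pass: the hpkp() output line `pr_litered "One key is not sufficent, "` still has `sufficent`, and the hexdump comment keeps a stray closing paren in `(BSD compatibility))`. Both of the first two are user-visible strings rather than comments, so fixing them here keeps the scan output consistent with the commit's stated purpose. The enclosing functions hpkp() and pfs() start and end outside the shown hunks.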