diff --git a/testssl.sh b/testssl.sh index 7092405..917fc2a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -509,15 +509,15 @@ set_severity_level() { show_finding() { local severity=$1 - ( [[ "$severity" == DEBUG ]] ) || + [[ "$severity" == DEBUG ]] || ( [[ "$severity" == INFO ]] && [[ $SEVERITY_LEVEL -le $INFO ]] ) || ( [[ "$severity" == OK ]] && [[ $SEVERITY_LEVEL -le $OK ]] ) || ( [[ "$severity" == LOW ]] && [[ $SEVERITY_LEVEL -le $LOW ]] ) || ( [[ "$severity" == MEDIUM ]] && [[ $SEVERITY_LEVEL -le $MEDIUM ]] ) || ( [[ "$severity" == HIGH ]] && [[ $SEVERITY_LEVEL -le $HIGH ]] ) || ( [[ "$severity" == CRITICAL ]] && [[ $SEVERITY_LEVEL -le $CRITICAL ]] ) || - ( [[ "$severity" == WARN ]] ) || - ( [[ "$severity" == FATAL ]] ) + [[ "$severity" == WARN ]] || + [[ "$severity" == FATAL ]] } ########### Output functions @@ -1084,23 +1084,23 @@ set_key_str_score() { if [[ $type == EC || $type == EdDSA ]]; then if [[ $size -lt 110 ]] && [[ $KEY_EXCH_SCORE -ge 20 ]]; then - let KEY_EXCH_SCORE=20 + KEY_EXCH_SCORE=20 elif [[ $size -lt 123 ]] && [[ $KEY_EXCH_SCORE -ge 40 ]]; then - let KEY_EXCH_SCORE=40 + KEY_EXCH_SCORE=40 elif [[ $size -lt 163 ]] && [[ $KEY_EXCH_SCORE -ge 80 ]]; then - let KEY_EXCH_SCORE=80 + KEY_EXCH_SCORE=80 elif [[ $size -lt 225 ]] && [[ $KEY_EXCH_SCORE -ge 90 ]]; then - let KEY_EXCH_SCORE=90 + KEY_EXCH_SCORE=90 fi else if [[ $size -lt 512 ]] && [[ $KEY_EXCH_SCORE -ge 20 ]]; then - let KEY_EXCH_SCORE=20 + KEY_EXCH_SCORE=20 elif [[ $size -lt 1024 ]] && [[ $KEY_EXCH_SCORE -ge 40 ]]; then - let KEY_EXCH_SCORE=40 + KEY_EXCH_SCORE=40 elif [[ $size -lt 2048 ]] && [[ $KEY_EXCH_SCORE -ge 80 ]]; then - let KEY_EXCH_SCORE=80 + KEY_EXCH_SCORE=80 elif [[ $size -lt 4096 ]] && [[ $KEY_EXCH_SCORE -ge 90 ]]; then - let KEY_EXCH_SCORE=90 + KEY_EXCH_SCORE=90 fi fi return 0 @@ -1114,8 +1114,8 @@ set_ciph_str_score() { "$do_rating" || return 0 - [[ $size -gt $CIPH_STR_BEST ]] && let CIPH_STR_BEST=$size - [[ $size -lt $CIPH_STR_WORST ]] && let CIPH_STR_WORST=$size + [[ $size -gt $CIPH_STR_BEST ]] && CIPH_STR_BEST=$size + [[ $size -lt $CIPH_STR_WORST ]] && CIPH_STR_WORST=$size [[ $size -lt 112 || $size == None ]] && set_grade_cap "F" "Using cipher suites weaker than 112 bits" @@ -1991,11 +1991,11 @@ check_revocation_ocsp() { response="$(grep -F "$HOSTCERT: " "$tmpfile")" response="${response#$HOSTCERT: }" response="${response%\.}" - if [[ "$response" =~ "good" ]]; then + if [[ "$response" =~ good ]]; then out ", " pr_svrty_good "not revoked" fileout "$jsonID" "OK" "not revoked" - elif [[ "$response" =~ "revoked" ]]; then + elif [[ "$response" =~ revoked ]]; then out ", " pr_svrty_critical "revoked" fileout "$jsonID" "CRITICAL" "revoked" @@ -2139,14 +2139,14 @@ s_client_options() { local ciphers="notpresent" tls13_ciphers="notpresent" # Extract the TLSv1.3 ciphers and the non-TLSv1.3 ciphers - if [[ " $options " =~ " -cipher " ]]; then + if [[ " $options " =~ \ -cipher\ ]]; then ciphers="${options#* -cipher }" ciphers="${ciphers%% *}" options="${options//-cipher $ciphers/}" ciphers="${ciphers##\'}" ciphers="${ciphers%%\'}" fi - if [[ " $options " =~ " -ciphersuites " ]]; then + if [[ " $options " =~ \ -ciphersuites\ ]]; then tls13_ciphers="${options#* -ciphersuites }" tls13_ciphers="${tls13_ciphers%% *}" options="${options//-ciphersuites $tls13_ciphers/}" @@ -2163,7 +2163,7 @@ s_client_options() { # server_name extension unless the -noservername option is provided. So, if # the command line doesn't include -servername and the -noservername option is # supported, then add -noservername to the options. - "$HAS_NOSERVERNAME" && [[ ! " $options " =~ " -servername " ]] && options+=" -noservername" + "$HAS_NOSERVERNAME" && [[ ! " $options " =~ \ -servername\ ]] && options+=" -noservername" # Newer versions of OpenSSL have dropped support for the -no_ssl2 option, so # remove any -no_ssl2 option if the option isn't supported. (Since versions of @@ -2176,7 +2176,7 @@ s_client_options() { # 1.1.1 compression is only offered if the "-comp" option is provided. # OpenSSL 1.0.0, 1.0.1, and 1.0.2 offer compression unless the "-no_comp" option is provided. # OpenSSL 0.9.8 does not support either the "-comp" or the "-no_comp" option. - if [[ " $options " =~ " -comp " ]]; then + if [[ " $options " =~ \ -comp\ ]]; then # Compression is needed for the test. So, remove "-comp" if it isn't supported, but # otherwise make no changes. ! "$HAS_COMP" && options="${options//-comp/}" @@ -2225,7 +2225,7 @@ s_client_options() { # OpenSSL's name for secp256r1 is prime256v1. So whenever we encounter this # (e.g. client simulations) we replace it with the name which OpenSSL understands # This shouldn't be needed. We have this here as a last resort - if [[ "$1" =~ " -curves " ]]; then + if [[ "$1" =~ \ -curves\ ]]; then ! "$HAS_CURVES" && options="${options// -curves / -groups }" [[ "$1" =~ secp192r1 ]] && options="${options//secp192r1/prime192v1}" [[ "$1" =~ secp256r1 ]] && options="${options//secp256r1/prime256v1}" @@ -2622,7 +2622,7 @@ run_hsts() { match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true" if [[ $? -ne 0 ]]; then echo "$HEADERVALUE" >$TMPFILE - hsts_age_sec=$(sed -e 's/[^0-9]*//g' <<< $HEADERVALUE) + hsts_age_sec="${HEADERVALUE//[^0-9]/}" debugme echo "hsts_age_sec: $hsts_age_sec" if [[ -n $hsts_age_sec ]]; then hsts_age_days=$(( hsts_age_sec / 86400)) @@ -4913,7 +4913,7 @@ run_client_simulation() { # https://github.com/openssl/openssl/blob/master/apps/ecparam.c#L221 + ./ssl/t1_lib.c [[ "$curve" =~ secp256r1 ]] && curve="${curve//secp256r1/prime256v1}" [[ "$curve" =~ secp192r1 ]] && curve="${curve//secp192r1/prime192v1}" - [[ "$OSSL_SUPPORTED_CURVES" =~ " $curve " ]] && supported_curves+=":$curve" + [[ "$OSSL_SUPPORTED_CURVES" =~ \ $curve\ ]] && supported_curves+=":$curve" done curves[i]="" [[ -n "$supported_curves" ]] && curves[i]="-curves ${supported_curves:1}" @@ -5062,7 +5062,6 @@ locally_supported() { run_prototest_openssl() { local -i ret=0 local protos proto - local passed_check=false $OPENSSL s_client "$1" 2>&1 | grep -aiq "unknown option" && return 7 case "$1" in @@ -5894,7 +5893,7 @@ sub_cipherlists() { len=${#sslv2_cipherlist} detected_ssl2_ciphers="$(grep "Supported cipher: " "$TEMPDIR/$NODEIP.parse_sslv2_serverhello.txt")" for (( i=0; i$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE reply matched \"$2\"" @@ -11024,7 +11023,7 @@ starttls_postgres_dialog() { debugme echo "=== starting postgres STARTTLS dialog ===" socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" && - starttls_io "" S 1 && debugme echo "${debugpad}received ack (="S") for STARTTLS" + starttls_io "" S 1 && debugme echo "${debugpad}received ack (=\"S\") for STARTTLS" ret=$? debugme echo "=== finished postgres STARTTLS dialog with ${ret} ===" return $ret @@ -11626,7 +11625,7 @@ parse_sslv2_serverhello() { echo "SSLv2 cipher spec length: 0x$v2_hello_cipherspec_length" fi - if "$parse_complete" && [[ 2*$(hex2dec "$v2_hello_length") -ne ${#v2_hello_ascii}-4 ]]; then + if "$parse_complete" && [[ $((2*$(hex2dec "$v2_hello_length"))) -ne $((${#v2_hello_ascii}-4)) ]]; then ret=7 fi fi @@ -11947,7 +11946,7 @@ derive-handshake-traffic-keys() { fi if [[ "$cipher" == *AES_128* ]]; then key_len=16 - elif ( [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]] ); then + elif [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]]; then key_len=32 else return 1 @@ -12038,7 +12037,7 @@ derive-application-traffic-keys() { fi if [[ "$cipher" == *AES_128* ]]; then key_len=16 - elif ( [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]] ); then + elif [[ "$cipher" == *AES_256* ]] || [[ "$cipher" == *CHACHA20_POLY1305* ]]; then key_len=32 else return 1 @@ -12907,7 +12906,7 @@ gcm() { tag[i]=0x${base_ectr:$((2*i)):2} done - if ( [[ $input_len -ne 0 ]] || [[ $aad_len -ne 0 ]] ); then + if [[ $input_len -ne 0 ]] || [[ $aad_len -ne 0 ]]; then buf="$(printf "%016X" $aad_len)$(printf "%016X" $input_len)" for (( i=0; i < 16; i++ )); do gcm_ctx_buf[i]="$(printf "%02X" $((0x${gcm_ctx_buf[i]} ^ 0x${buf:$((2*i)):2})))" @@ -13989,7 +13988,7 @@ parse_tls_serverhello() { tls_extensions_len+=$tls_encryptedextensions_ascii_len-4 tls_encryptedextensions_ascii_len=$tls_encryptedextensions_ascii_len/2-2 offset=$((extns_offset+4)) - tls_serverhello_ascii="${tls_serverhello_ascii:0:extns_offset}$(printf "%04X" $((0x${tls_serverhello_ascii:extns_offset:4}+$tls_encryptedextensions_ascii_len)))${tls_serverhello_ascii:offset}${tls_encryptedextensions_ascii:4}" + tls_serverhello_ascii="${tls_serverhello_ascii:0:extns_offset}$(printf "%04X" $((0x${tls_serverhello_ascii:extns_offset:4}+tls_encryptedextensions_ascii_len)))${tls_serverhello_ascii:offset}${tls_encryptedextensions_ascii:4}" fi if [[ -n "$tls_certificate_ascii" ]]; then # In TLS 1.3, the Certificate message begins with a zero length certificate_request_context. @@ -14600,9 +14599,9 @@ sslv2_sockets() { local ret local cipher_suites="$1" local client_hello len_client_hello - local len_ciph_suites_byte len_ciph_suites + local len_ciph_suites local server_hello sock_reply_file2 foo - local -i response_len server_hello_len + local -i len_ciph_suites_byte response_len server_hello_len local parse_complete=false # this could be empty so we use '==' @@ -14632,7 +14631,7 @@ sslv2_sockets() { cipher_suites="$NW_STR" # we don't have the leading \x here so string length is two byte less, see next len_ciph_suites_byte=${#cipher_suites} - let "len_ciph_suites_byte += 2" + len_ciph_suites_byte+=2 len_ciph_suites=$(printf "%02x\n" $(( len_ciph_suites_byte / 4 ))) len_client_hello=$(printf "%02x\n" $((0x$len_ciph_suites + 0x19))) @@ -14773,9 +14772,9 @@ prepare_tls_clienthello() { local servername_hexstr len_servername len_servername_hex local hexdump_format_str part1 part2 local all_extensions="" - local -i i j len_extension len_padding_extension len_all len_session_id + local -i i j len_ciph_suites_byte len_extension len_padding_extension len_all len_session_id local len_sni_listlen len_sni_ext len_extension_hex len_padding_extension_hex - local cipher_suites len_ciph_suites len_ciph_suites_byte len_ciph_suites_word + local cipher_suites len_ciph_suites len_ciph_suites_word local len_client_hello_word len_all_word local ecc_cipher_suite_found=false local extension_signature_algorithms extension_heartbeat session_id @@ -14791,7 +14790,7 @@ prepare_tls_clienthello() { cipher_suites="$2" # we don't have the leading \x here so string length is two byte less, see next len_ciph_suites_byte=${#cipher_suites} - let "len_ciph_suites_byte += 2" + len_ciph_suites_byte+=2 # we have additional 2 chars \x in each 2 byte string and 2 byte ciphers, so we need to divide by 4: len_ciph_suites=$(printf "%02x\n" $(( len_ciph_suites_byte / 4 ))) @@ -14967,7 +14966,7 @@ prepare_tls_clienthello() { [[ $? -ne 0 ]] && return 1 fi - if [[ -n "$SNI" ]] && [[ ! "$extra_extensions_list" =~ " 0000 " ]]; then + if [[ -n "$SNI" ]] && [[ ! "$extra_extensions_list" =~ \ 0000\ ]]; then all_extensions=" 00, 00 # extension server_name ,00, $len_sni_ext # length SNI EXT @@ -14976,7 +14975,7 @@ prepare_tls_clienthello() { ,00, $len_servername_hex # server_name length. We assume len(hostname) < FF - 9 ,$servername_hexstr" # server_name target fi - if [[ 0x$tls_low_byte -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ " 002b " ]]; then + if [[ 0x$tls_low_byte -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ \ 002b\ ]]; then # Add supported_versions extension listing all TLS/SSL versions # from the one specified in $tls_low_byte to SSLv3. for (( i=0x$tls_low_byte; i >=0; i=i-1 )); do @@ -14995,7 +14994,7 @@ prepare_tls_clienthello() { done [[ -n "$all_extensions" ]] && all_extensions+="," # FIXME: Adjust the lengths ("+15" and "+14") when the draft versions of TLSv1.3 are removed. - if [[ "$KEY_SHARE_EXTN_NR" == "33" ]]; then + if [[ "$KEY_SHARE_EXTN_NR" == 33 ]]; then all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+15))), $(printf "%02x" $((2*0x$tls_low_byte+14)))$extension_supported_versions" else all_extensions+="00, 2b, 00, $(printf "%02x" $((2*0x$tls_low_byte+11))), $(printf "%02x" $((2*0x$tls_low_byte+10)))$extension_supported_versions" @@ -15006,45 +15005,45 @@ prepare_tls_clienthello() { # OpenSSL, Firefox, and Chrome include it in TLS 1.3 ClientHello messages, and there is at # least one server that will fail the connection if it is absent # (see https://github.com/drwetter/testssl.sh/issues/990). - if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ " 002d " ]]; then + if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ \ 002d\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extn_psk_mode" fi - if [[ ! "$extra_extensions_list" =~ " 0023 " ]]; then + if [[ ! "$extra_extensions_list" =~ \ 0023\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extension_session_ticket" fi # If the ClientHello will include the ALPN extension, then don't include the NPN extension. - if [[ ! "$extra_extensions_list" =~ " 3374 " ]] && [[ ! "$extra_extensions_list" =~ " 0010 " ]]; then + if [[ ! "$extra_extensions_list" =~ \ 3374\ ]] && [[ ! "$extra_extensions_list" =~ \ 0010\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extension_next_protocol" fi # RFC 5246 says that clients MUST NOT offer the signature algorithms # extension if they are offering TLS versions prior to 1.2. - if [[ "0x$tls_low_byte" -ge 0x03 ]] && [[ ! "$extra_extensions_list" =~ " 000d " ]]; then + if [[ "0x$tls_low_byte" -ge 0x03 ]] && [[ ! "$extra_extensions_list" =~ \ 000d\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extension_signature_algorithms" fi - if [[ -n "$extension_supported_groups" ]] && [[ ! "$extra_extensions_list" =~ " 000a " ]]; then + if [[ -n "$extension_supported_groups" ]] && [[ ! "$extra_extensions_list" =~ \ 000a\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extension_supported_groups" fi - if [[ -n "$extensions_key_share" ]] && [[ ! "$extra_extensions_list" =~ " 00$KEY_SHARE_EXTN_NR " ]]; then + if [[ -n "$extensions_key_share" ]] && [[ ! "$extra_extensions_list" =~ \ 00$KEY_SHARE_EXTN_NR\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extensions_key_share" fi - if [[ -n "$extension_supported_point_formats" ]] && [[ ! "$extra_extensions_list" =~ " 000b " ]]; then + if [[ -n "$extension_supported_point_formats" ]] && [[ ! "$extra_extensions_list" =~ \ 000b\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extension_supported_point_formats" fi - if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ " 001b " ]]; then + if [[ "0x$tls_low_byte" -ge 0x04 ]] && [[ ! "$extra_extensions_list" =~ \ 001b\ ]]; then # If the response needs to be decrypted, then indicate support # for ZLIB certificate compression if $OPENSSL can decompress # the result. If the response does not need to be decrypted, @@ -15068,7 +15067,7 @@ prepare_tls_clienthello() { # Make sure that a non-empty extension goes last (either heartbeat or padding). # See PR #792 and https://www.ietf.org/mail-archive/web/tls/current/msg19720.html. - if [[ ! "$extra_extensions_list" =~ " 000f " ]]; then + if [[ ! "$extra_extensions_list" =~ \ 000f\ ]]; then [[ -n "$all_extensions" ]] && all_extensions+="," all_extensions+="$extension_heartbeat" fi @@ -15085,7 +15084,7 @@ prepare_tls_clienthello() { len_all=$((0x$len_ciph_suites + 0x2b + 0x$len_extension_hex + 0x2)) "$offer_compression" && len_all+=2 [[ 0x$tls_low_byte -gt 0x03 ]] && len_all+=32 # TLSv1.3 ClientHello includes a 32-byte session id - if [[ $len_all -ge 256 ]] && [[ $len_all -le 511 ]] && [[ ! "$extra_extensions_list" =~ " 0015 " ]]; then + if [[ $len_all -ge 256 ]] && [[ $len_all -le 511 ]] && [[ ! "$extra_extensions_list" =~ \ 0015\ ]]; then if [[ $len_all -ge 508 ]]; then len_padding_extension=1 # Final extension cannot be empty: see PR #792 else @@ -15099,7 +15098,7 @@ prepare_tls_clienthello() { done len_extension=$len_extension+$len_padding_extension+0x4 len_extension_hex=$(printf "%02x\n" $len_extension) - elif [[ ! "$extra_extensions_list" =~ " 0015 " ]] && ( [[ $((len_all%256)) -eq 10 ]] || [[ $((len_all%256)) -eq 14 ]] ); then + elif [[ ! "$extra_extensions_list" =~ \ 0015\ ]] && ( [[ $((len_all%256)) -eq 10 ]] || [[ $((len_all%256)) -eq 14 ]] ); then # Some servers fail if the length of the ClientHello is 522, 778, 1034, 1290, ... bytes. # A few servers also fail if the length is 526, 782, 1038, 1294, ... bytes. # So, if the ClientHello would be one of these length, add a 5-byte padding extension. @@ -15123,7 +15122,7 @@ prepare_tls_clienthello() { fi # RFC 3546 doesn't specify SSLv3 to have SNI, openssl just ignores the switch if supplied - if [[ "$tls_low_byte" == "00" ]]; then + if [[ "$tls_low_byte" == 00 ]]; then len_all=$((0x$len_ciph_suites + len_session_id + 0x27)) else len_all=$((0x$len_ciph_suites + len_session_id + 0x27 + 0x$len_extension_hex + 0x2)) @@ -15749,7 +15748,7 @@ run_heartbleed(){ [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln pr_bold " Heartbleed"; out " ($cve) " - if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then + if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" return 1 fi @@ -15859,7 +15858,7 @@ run_ccs_injection(){ [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln pr_bold " CCS"; out " ($cve) " - if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then + if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" return 1 fi @@ -17222,14 +17221,14 @@ run_freak() { if [[ $DEBUG -ge 2 ]]; then if "$using_sockets"; then - for hexc in $(sed 's/, / /g' <<< "$exportrsa_tls_cipher_list_hex, $exportrsa_ssl2_cipher_list_hex"); do + for hexc in ${exportrsa_tls_cipher_list_hex//, / } ${exportrsa_ssl2_cipher_list_hex//, / }; do if [[ ${#hexc} -eq 5 ]]; then hexc="0x${hexc:0:2},0x${hexc:3:2}" else hexc="0x${hexc:0:2},0x${hexc:3:2},0x${hexc:6:2}" fi for (( i=0; i < TLS_NR_CIPHERS; i++ )); do - [[ "$hexc" == "${TLS_CIPHER_HEXCODE[i]}" ]] && break + [[ "$hexc" == ${TLS_CIPHER_HEXCODE[i]} ]] && break done [[ $i -eq $TLS_NR_CIPHERS ]] && tm_out "$hexc " || tm_out "${TLS_CIPHER_OSSL_NAME[i]} " done @@ -17398,10 +17397,10 @@ run_logjam() { if [[ $DEBUG -ge 2 ]]; then if "$using_sockets"; then - for hexc in $(sed 's/, / /g' <<< "$exportdh_cipher_list_hex"); do + for hexc in ${exportdh_cipher_list_hex//, / }; do hexc="0x${hexc:0:2},0x${hexc:3:2}" for (( i=0; i < TLS_NR_CIPHERS; i++ )); do - [[ "$hexc" == "${TLS_CIPHER_HEXCODE[i]}" ]] && break + [[ "$hexc" == ${TLS_CIPHER_HEXCODE[i]} ]] && break done [[ $i -eq $TLS_NR_CIPHERS ]] && tm_out "$hexc " || tm_out "${TLS_CIPHER_OSSL_NAME[i]} " done @@ -17550,7 +17549,7 @@ run_drown() { cert_fingerprint_sha2=${cert_fingerprint_sha2/SHA256 /} fi - if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then + if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" return 1 fi @@ -17955,7 +17954,7 @@ run_winshock() { outln return 0 fi - if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then + if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" return 1 fi @@ -18936,7 +18935,7 @@ run_robot() { [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for Return of Bleichenbacher's Oracle Threat (ROBOT) vulnerability " && outln pr_bold " ROBOT " - if ( [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]] ); then + if [[ "$STARTTLS_PROTOCOL" =~ ldap ]] || [[ "$STARTTLS_PROTOCOL" =~ irc ]]; then prln_local_problem "STARTTLS/$STARTTLS_PROTOCOL and --ssl-native collide here" return 1 fi @@ -19892,7 +19891,7 @@ prepare_arrays() { if [[ ${#hexc} -eq 9 ]]; then # >= SSLv3 ciphers if [[ $OSSL_VER_MAJOR -lt 1 ]]; then - [[ ":${ossl_supported_tls}:" =~ ":${TLS_CIPHER_OSSL_NAME[i]}:" ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true + [[ ":${ossl_supported_tls}:" =~ :${TLS_CIPHER_OSSL_NAME[i]}: ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true else ossl_ciph="$(awk '/'"$hexc"'/ { print $3 }' <<< "$ossl_supported_tls")" if [[ -n "$ossl_ciph" ]]; then @@ -19902,7 +19901,7 @@ prepare_arrays() { fi fi elif [[ $OSSL_VER_MAJOR -lt 1 ]]; then - [[ ":${ossl_supported_sslv2}:" =~ ":${TLS_CIPHER_OSSL_NAME[i]}:" ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true + [[ ":${ossl_supported_sslv2}:" =~ :${TLS_CIPHER_OSSL_NAME[i]}: ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true else [[ "$ossl_supported_sslv2" =~ $hexc ]] && TLS_CIPHER_OSSL_SUPPORTED[i]=true fi @@ -21459,7 +21458,7 @@ create_mass_testing_cmdline() { # next is the filename itself, as no '=' was supplied [[ "$cmd" == --htmlfile ]] && skip_next=true [[ "$cmd" == -oH ]] && skip_next=true - elif ( [[ "$cmd" =~ --logfile ]] || [[ "$cmd" =~ -oL ]] ); then + elif [[ "$cmd" =~ --logfile ]] || [[ "$cmd" =~ -oL ]]; then outfile_arg="$(parse_opt_equal_sign "$cmd" "${CMDLINE_ARRAY[i+1]}")" MASS_TESTING_CMDLINE[nr_cmds]="--logfile-parent=$outfile_arg" # next is the filename itself, as no '=' was supplied @@ -21897,11 +21896,12 @@ run_mass_testing_parallel() { } run_rating() { - local final_score pre_cap_grade final_grade - local c1_score c2_score c3_score c1_wscore c2_wscore c3_wscore - local c1_worst c1_best - local c3_worst c3_best c3_worst_cb c3_best_cb - local old_ifs=$IFS sorted_reasons sorted_warnings reason_nr=0 warning_nr=0 + local pre_cap_grade final_grade + local -i c1_score c2_score c3_score c1_wscore c2_wscore c3_wscore final_score + local -i c1_worst c1_best + local -i c3_worst c3_best c3_worst_cb c3_best_cb + local old_ifs=$IFS sorted_reasons sorted_warnings + local -i reason_nr=0 warning_nr=0 outln "\n"; pr_headlineln " Rating (experimental) " @@ -21965,8 +21965,8 @@ run_rating() { c1_worst=100 fi - let c1_score="($c1_best+$c1_worst)/2" # Gets the category score - let c1_wscore=$c1_score*30/100 # Gets the weighted score for category (30%) + c1_score=$(( (c1_best+c1_worst)/2 )) # Gets the category score + c1_wscore=$((c1_score*30/100)) # Gets the weighted score for category (30%) pr_bold " Protocol Support "; out "(weighted) "; outln "$c1_score ($c1_wscore)" fileout "protocol_support_score" "INFO" "$c1_score" @@ -21979,8 +21979,8 @@ run_rating() { set_grade_cap "B" "Using a weak public key and/or ephemeral key" fi - let c2_score=$KEY_EXCH_SCORE - let c2_wscore=$c2_score*30/100 + c2_score=$KEY_EXCH_SCORE + c2_wscore=$((c2_score*30/100)) pr_bold " Key Exchange "; out " (weighted) "; outln "$c2_score ($c2_wscore)" fileout "key_exchange_score" "INFO" "$c2_score" @@ -22013,8 +22013,8 @@ run_rating() { else c3_worst=0 fi - let c3_score="($c3_best+$c3_worst)/2" # Gets the category score - let c3_wscore=$c3_score*40/100 # Gets the weighted score for category (40%) + c3_score=$(( (c3_best+c3_worst)/2 )) # Gets the category score + c3_wscore=$((c3_score*40/100)) # Gets the weighted score for category (40%) pr_bold " Cipher Strength "; out " (weighted) "; outln "$c3_score ($c3_wscore)" fileout "cipher_strength_score" "INFO" "$c3_score" @@ -22023,9 +22023,9 @@ run_rating() { ## Calculate final score and grade # If any category resulted in a score of 0, push final grade to 0 if [[ $c1_score -eq 0 || $c2_score -eq 0 || $c3_score -eq 0 ]]; then - let final_score=0 + final_score=0 else - let final_score=$c1_wscore+$c2_wscore+$c3_wscore + final_score=$((c1_wscore+c2_wscore+c3_wscore)) fi pr_bold " Final Score "; outln $final_score @@ -22090,7 +22090,7 @@ run_rating() { else outln " $reason" fi - let reason_nr++ + ((reason_nr++)) fileout "grade_cap_reason_${reason_nr}" "INFO" "$reason" done @@ -22100,7 +22100,7 @@ run_rating() { else prln_svrty_medium " $warning" fi - let warning_nr++ + ((warning_nr++)) fileout "grade_cap_warning_${warning_nr}" "INFO" "$warning" done @@ -22113,18 +22113,18 @@ run_rating() { # Returns "0" if rating is enabled, and "1" if rating is disabled set_rating_state() { local gbl - local nr_enabled=0 + local -i nr_enabled=0 # All of these should be enabled for gbl in do_protocols do_cipherlists do_fs do_server_defaults do_header \ do_heartbleed do_ccs_injection do_ticketbleed do_robot do_renego \ do_crime do_ssl_poodle do_tls_fallback_scsv do_drown do_beast \ do_rc4 do_logjam; do - "${!gbl}" && let nr_enabled++ + "${!gbl}" && ((nr_enabled++)) done # ... at least one of these has to be set - [[ "$do_allciphers" || "$do_cipher_per_proto" ]] && let nr_enabled++ + [[ "$do_allciphers" || "$do_cipher_per_proto" ]] && ((nr_enabled++)) # ... else we can't do rating if [[ $nr_enabled -lt 18 ]]; then @@ -22223,13 +22223,13 @@ set_scanning_defaults() { # returns number of $do variables set = number of run_funcs() to perform count_do_variables() { local gbl - local true_nr=0 + local -i true_nr=0 for gbl in do_allciphers do_vulnerabilities do_beast do_lucky13 do_breach do_ccs_injection do_ticketbleed do_cipher_per_proto do_crime \ do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_fs do_protocols do_rc4 do_starttls_injection do_grease do_robot do_renego \ do_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv do_winshock \ do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only do_rating; do - "${!gbl}" && let true_nr++ + "${!gbl}" && ((true_nr++)) done return $true_nr } @@ -22473,75 +22473,75 @@ parse_cmd_line() { ;; -H|--heartbleed) do_heartbleed=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -I|--ccs|--ccs[-_]injection) do_ccs_injection=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -T|--ticketbleed) do_ticketbleed=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -BB|--BB|--robot) do_robot=true ;; -R|--renegotiation) do_renego=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -C|--compression|--crime) do_crime=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -B|--breach) do_breach=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -O|--poodle) do_ssl_poodle=true do_tls_fallback_scsv=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -Z|--tls[_-]fallback|tls[_-]fallback[_-]scs) do_tls_fallback_scsv=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -W|--sweet32) do_sweet32=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -F|--freak) do_freak=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -D|--drown) do_drown=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -J|--logjam) do_logjam=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -A|--beast) do_beast=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -L|--lucky13) do_lucky13=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -WS|--winshock) do_winshock=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -4|--rc4|--appelbaum) do_rc4=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -SI|--SI|--starttls[-_]injection) do_starttls_injection=true - let "VULN_COUNT++" + ((VULN_COUNT++)) ;; -f|--fs|--nsa|--forward-secrecy) do_fs=true @@ -22604,7 +22604,7 @@ parse_cmd_line() { FNAME="$(parse_opt_equal_sign "$1" "$2")" [[ $? -eq 0 ]] && shift IKNOW_FNAME=true - WARNINGS=batch # set this implicitly! + WARNINGS="batch" # set this implicitly! do_mass_testing=true ;; --mode|--mode=*) @@ -22935,7 +22935,7 @@ parse_cmd_line() { done if "$do_starttls_injection" && [[ "$STARTTLS_PROTOCOL" =~ smtp ]]; then - let "VULN_COUNT++" + ((VULN_COUNT++)) fi count_do_variables