Merge branch '2.9dev' into client_sim_ssl2_server

Conflicts:
	testssl.sh
David Cooper 2017-07-27 09:26:03 -04:00
commit d81c740ca6
3 changed files with 69 additions and 65 deletions


@ -325,7 +325,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers)
.IP "" 0 .IP "" 0
. .
.P .P
\fB\-\-show\-each\fR This is an option for all wide modes \-\- i\.e\. per switch or the each cipher test: it displays all ciphers tested \-\- not only succeeded ones\. \fBSHOW_EACH_C\fR is your friend if you prefer to set this via the shell environment\. \fB\-\-show\-each\fR This is an option for all wide modes only: it displays all ciphers tested \-\- not only succeeded ones\. \fBSHOW_EACH_C\fR is your friend if you prefer to set this via the shell environment\.
. .
.P .P
\fB\-\-color <0|1|2>\fR It determines the use of colors on the screen: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. Setting the environment varable \fBCOLOR\fR achives the same result\. \fB\-\-color <0|1|2>\fR It determines the use of colors on the screen: \fB2\fR is the default and makes use of ANSI and termcap escape codes on your terminal\. \fB1\fR just uses non\-colored mark\-up like bold, italics, underline, reverse\. \fB0\fR means no mark\-up at all = no escape codes\. Setting the environment varable \fBCOLOR\fR achives the same result\.
@ -340,7 +340,7 @@ Security headers (X\-Frame\-Options, X\-XSS\-Protection, \.\.\., CSP headers)
screen output normal but leaves useful debug output in \fB/tmp/testssl\.XXXXXX/\fR \. The info about the exact directory is included in the screen output\. screen output normal but leaves useful debug output in \fB/tmp/testssl\.XXXXXX/\fR \. The info about the exact directory is included in the screen output\.
. .
.IP "2." 4 .IP "2." 4
list more what\'s going on, e\.g\. lists some errors of connections and general debug statements list more what\'s going on, status (high level) and connection errors, a few general debug output
. .
.IP "3." 4 .IP "3." 4
even slightly more info: hexdumps + other info even slightly more info: hexdumps + other info


@ -222,7 +222,7 @@ The same can be achived by setting the environment variable `WARNINGS`.
* `no-rfc`: don't display the RFC cipher suite name, display OpenSSL names only. * `no-rfc`: don't display the RFC cipher suite name, display OpenSSL names only.
`--show-each` This is an option for all wide modes -- i.e. per switch or the each cipher test: it displays all ciphers tested -- not only succeeded ones. `SHOW_EACH_C` is your friend if you prefer to set this via the shell environment. `--show-each` This is an option for all wide modes only: it displays all ciphers tested -- not only succeeded ones. `SHOW_EACH_C` is your friend if you prefer to set this via the shell environment.
`--color <0|1|2>` It determines the use of colors on the screen: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. Setting the environment varable `COLOR` achives the same result. `--color <0|1|2>` It determines the use of colors on the screen: `2` is the default and makes use of ANSI and termcap escape codes on your terminal. `1` just uses non-colored mark-up like bold, italics, underline, reverse. `0` means no mark-up at all = no escape codes. Setting the environment varable `COLOR` achives the same result.
@ -233,7 +233,7 @@ The same can be achived by setting the environment variable `WARNINGS`.
`--debug <0-6>` This gives you additional output on the screen (2-6), only useful for debugging. `DEBUG` is the according enviroment variable which you can use. There are six levels (0 is the default, thus it has no effect): `--debug <0-6>` This gives you additional output on the screen (2-6), only useful for debugging. `DEBUG` is the according enviroment variable which you can use. There are six levels (0 is the default, thus it has no effect):
1. screen output normal but leaves useful debug output in __/tmp/testssl.XXXXXX/__ . The info about the exact directory is included in the screen output. 1. screen output normal but leaves useful debug output in __/tmp/testssl.XXXXXX/__ . The info about the exact directory is included in the screen output.
2. list more what's going on, e.g. lists some errors of connections and general debug statements 2. list more what's going on, status (high level) and connection errors, a few general debug output
3. even slightly more info: hexdumps + other info 3. even slightly more info: hexdumps + other info
4. display bytes sent via sockets 4. display bytes sent via sockets
5. display bytes received via sockets 5. display bytes received via sockets


@ -2139,7 +2139,7 @@ run_more_flags() {
pr_bold " Security headers " pr_bold " Security headers "
for f2t in $good_flags2test; do for f2t in $good_flags2test; do
debugme echo "---> $f2t" [[ "$DEBUG" -ge 5 ]] && echo "testing \"$f2t\""
detect_header "$f2t" "$f2t" "$spaces" detect_header "$f2t" "$f2t" "$spaces"
if [[ $? -ge 1 ]]; then if [[ $? -ge 1 ]]; then
if ! "$first"; then if ! "$first"; then
@ -2155,7 +2155,7 @@ run_more_flags() {
done done
for f2t in $other_flags2test; do for f2t in $other_flags2test; do
debugme echo "---> $f2t" [[ "$DEBUG" -ge 5 ]] && echo "testing \"$f2t\""
detect_header "$f2t" "$f2t" "$spaces" detect_header "$f2t" "$f2t" "$spaces"
if [[ $? -ge 1 ]]; then if [[ $? -ge 1 ]]; then
if ! "$first"; then if ! "$first"; then
@ -2377,7 +2377,7 @@ socksend() {
else else
data=$(sed -e 's/# .*$//g' -e 's/ //g' <<< "$1" | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n') data=$(sed -e 's/# .*$//g' -e 's/ //g' <<< "$1" | sed -r 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d' | sed 's/,/\\/g' | tr -d '\n')
fi fi
[[ $DEBUG -ge 4 ]] && echo "\"$data\"" [[ $DEBUG -ge 4 ]] && echo -e "\n\"$data\""
printf -- "$data" >&5 2>/dev/null & printf -- "$data" >&5 2>/dev/null &
sleep $2 sleep $2
} }
@ -3438,7 +3438,7 @@ client_simulation_sockets() {
local -i len i ret=0 local -i len i ret=0
local -i save=0 local -i save=0
local lines clienthello data="" local lines clienthello data=""
local cipher_list_2send local cipher_list_2send=""
local sock_reply_file2 sock_reply_file3 local sock_reply_file2 sock_reply_file3
local tls_hello_ascii next_packet hello_done=0 local tls_hello_ascii next_packet hello_done=0
local -i sid_len offset1 offset2 local -i sid_len offset1 offset2
@ -3463,15 +3463,20 @@ client_simulation_sockets() {
offset2=182+$sid_len offset2=182+$sid_len
len=4*$(hex2dec "${data:offset1:2}${data:offset2:2}")-2 len=4*$(hex2dec "${data:offset1:2}${data:offset2:2}")-2
offset1=186+$sid_len offset1=186+$sid_len
code2network "$(tolower "${data:offset1:len}")" # convert CIPHER_SUITES to a "standardized" format
else else
# Extact list of cipher suites from SSLv2 ClientHello # Extact list of cipher suites from SSLv2 ClientHello
offset1=46 len=2*$(hex2dec "${clienthello:12:2}")
len=4*$(hex2dec "${data:26:2}")-2 for (( i=22; i < 22+len; i=i+6 )); do
offset1=$i+2
offset2=$i+4
[[ "${clienthello:i:2}" == "00" ]] && cipher_list_2send+=", ${clienthello:offset1:2},${clienthello:offset2:2}"
done
code2network "$(tolower "${cipher_list_2send:2}")" # convert CIPHER_SUITES to a "standardized" format
fi fi
code2network "$(tolower "${data:offset1:len}")" # convert CIPHER_SUITES to a "standardized" format
cipher_list_2send="$NW_STR" cipher_list_2send="$NW_STR"
debugme echo "sending client hello..." debugme echo -e "\nsending client hello... "
code2network "${data}" code2network "${data}"
data="$NW_STR" data="$NW_STR"
fd_socket 5 || return 6 fd_socket 5 || return 6
@ -3492,7 +3497,7 @@ client_simulation_sockets() {
sock_reply_file2=${SOCK_REPLY_FILE}.2 sock_reply_file2=${SOCK_REPLY_FILE}.2
mv "$SOCK_REPLY_FILE" "$sock_reply_file2" mv "$SOCK_REPLY_FILE" "$sock_reply_file2"
debugme echo "requesting more server hello data..." debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND socksend "" $USLEEP_SND
sockread_serverhello 32768 sockread_serverhello 32768
@ -3518,12 +3523,11 @@ client_simulation_sockets() {
fi fi
done done
debugme tmln_out "reading server hello..." debugme echo "reading server hello..."
if [[ "$DEBUG" -ge 4 ]]; then if [[ "$DEBUG" -ge 4 ]]; then
hexdump -C $SOCK_REPLY_FILE | head -6 hexdump -C $SOCK_REPLY_FILE | head -6
echo echo
fi fi
if [[ "${tls_hello_ascii:0:1}" == "8" ]]; then if [[ "${tls_hello_ascii:0:1}" == "8" ]]; then
parse_sslv2_serverhello "$SOCK_REPLY_FILE" "false" parse_sslv2_serverhello "$SOCK_REPLY_FILE" "false"
if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then if [[ $? -eq 3 ]] && [[ "$V2_HELLO_CIPHERSPEC_LENGTH" -ne 0 ]]; then
@ -3546,9 +3550,11 @@ client_simulation_sockets() {
fi fi
fi fi
if [[ $DEBUG -ge 2 ]]; then
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)") lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)")
debugme tm_out " (returned $lines lines) " tm_out " ($lines lines returned) "
fi
# determine the return value for higher level, so that they can tell what the result is # determine the return value for higher level, so that they can tell what the result is
if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then
@ -3780,7 +3786,7 @@ run_prototest_openssl() {
$OPENSSL s_client -state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client -state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
ret=$? ret=$?
[[ $DEBUG -eq 2 ]] && egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
if ! locally_supported "$1" "$2" ; then if ! locally_supported "$1" "$2" ; then
ret=7 ret=7
else # we remove SNI for SSLv2 and v3: else # we remove SNI for SSLv2 and v3:
@ -3789,7 +3795,7 @@ run_prototest_openssl() {
$OPENSSL s_client -state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $sni >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client -state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $sni >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
ret=$? ret=$?
[[ $DEBUG -eq 2 ]] && egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" debugme egrep "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too) grep -aq "no cipher list" $TMPFILE && ret=5 # <--- important indicator for SSL2 (maybe others, too)
fi fi
tmpfile_handle $FUNCNAME$1.txt tmpfile_handle $FUNCNAME$1.txt
@ -3953,7 +3959,7 @@ run_protocols() {
;; ;;
2) pr_svrty_medium "not offered" 2) pr_svrty_medium "not offered"
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
[[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln
fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL" fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
@ -3997,7 +4003,7 @@ run_protocols() {
;; ;;
2) out "not offered" 2) out "not offered"
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
[[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln
fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to a weaker protocol" fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to a weaker protocol"
elif [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0301" ]]; then elif [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0301" ]]; then
@ -4049,7 +4055,7 @@ run_protocols() {
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
fi fi
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
[[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol" fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then
@ -7695,7 +7701,7 @@ parse_tls_serverhello() {
DETECTED_TLS_VERSION="" DETECTED_TLS_VERSION=""
[[ -n "$tls_hello_ascii" ]] && echo "CONNECTED(00000003)" > $TMPFILE [[ -n "$tls_hello_ascii" ]] && echo "CONNECTED(00000003)" > $TMPFILE
[[ "$DEBUG" -eq 5 ]] && echo $tls_hello_ascii # one line without any blanks [[ "$DEBUG" -ge 5 ]] && echo $tls_hello_ascii # one line without any blanks
# Client messages, including handshake messages, are carried by the record layer. # Client messages, including handshake messages, are carried by the record layer.
# First, extract the handshake and alert messages. # First, extract the handshake and alert messages.
@ -7705,7 +7711,7 @@ parse_tls_serverhello() {
# byte 3+4: fragment length # byte 3+4: fragment length
# bytes 5...: message fragment # bytes 5...: message fragment
tls_hello_ascii_len=${#tls_hello_ascii} tls_hello_ascii_len=${#tls_hello_ascii}
if [[ $DEBUG -ge 2 ]] && [[ $tls_hello_ascii_len -gt 0 ]]; then if [[ $DEBUG -ge 3 ]] && [[ $tls_hello_ascii_len -gt 0 ]]; then
echo "TLS message fragments:" echo "TLS message fragments:"
fi fi
for (( i=0; i<tls_hello_ascii_len; i=i+msg_len )); do for (( i=0; i<tls_hello_ascii_len; i=i+msg_len )); do
@ -7778,9 +7784,7 @@ parse_tls_serverhello() {
for (( i=0; i+3 < tls_alert_ascii_len; i=i+4 )); do for (( i=0; i+3 < tls_alert_ascii_len; i=i+4 )); do
tls_err_level=${tls_alert_ascii:i:2} # 1: warning, 2: fatal tls_err_level=${tls_alert_ascii:i:2} # 1: warning, 2: fatal
j=$i+2 j=$i+2
tls_err_descr=${tls_alert_ascii:j:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable, tls_err_descr=${tls_alert_ascii:j:2}
# 113/0x71: bad_certificate_status_response, #114/0x72: bad_certificate_hash_value
debugme tm_out " tls_err_descr: 0x${tls_err_descr} / = $(hex2dec ${tls_err_descr})" debugme tm_out " tls_err_descr: 0x${tls_err_descr} / = $(hex2dec ${tls_err_descr})"
case $tls_err_descr in case $tls_err_descr in
00) tls_alert_descrip="close notify" ;; 00) tls_alert_descrip="close notify" ;;
@ -7820,22 +7824,19 @@ parse_tls_serverhello() {
78) tls_alert_descrip="no application protocol" ;; 78) tls_alert_descrip="no application protocol" ;;
*) tls_alert_descrip="$(hex2dec "$tls_err_descr")";; *) tls_alert_descrip="$(hex2dec "$tls_err_descr")";;
esac esac
case $tls_err_level in
01) echo -n "warning " >> $TMPFILE ;;
02) echo -n "fatal " >> $TMPFILE ;;
esac
echo "alert $tls_alert_descrip" >> $TMPFILE
echo "===============================================================================" >> $TMPFILE
if [[ $DEBUG -ge 2 ]]; then if [[ $DEBUG -ge 2 ]]; then
tmln_out " ($tls_alert_descrip)" tmln_out " ($tls_alert_descrip)"
tm_out " tls_err_level: ${tls_err_level}" tm_out " tls_err_level: ${tls_err_level}"
case $tls_err_level in
01) tmln_out " (warning)" ;;
02) tmln_out " (fatal)" ;;
*) tmln_out ;;
esac
tmln_out
fi fi
case $tls_err_level in
01) echo -n "warning " >> $TMPFILE
debugme tmln_out " (warning)" ;;
02) echo -n "fatal " >> $TMPFILE
debugme tmln_out " (fatal)" ;;
esac
echo "alert $tls_alert_descrip" >> $TMPFILE
echo "===============================================================================" >> $TMPFILE
if [[ "$tls_err_level" != "01" ]] && [[ "$tls_err_level" != "02" ]]; then if [[ "$tls_err_level" != "01" ]] && [[ "$tls_err_level" != "02" ]]; then
debugme tmln_warning "Unexpected AlertLevel (0x$tls_err_level)." debugme tmln_warning "Unexpected AlertLevel (0x$tls_err_level)."
return 1 return 1
@ -8492,7 +8493,7 @@ sslv2_sockets() {
# https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/ (client) # https://idea.popcount.org/2012-06-16-dissecting-ssl-handshake/ (client)
fd_socket 5 || return 6 fd_socket 5 || return 6
debugme tmln_out "sending client hello... " debugme echo -n "sending client hello... "
socksend_sslv2_clienthello "$client_hello" socksend_sslv2_clienthello "$client_hello"
sockread_serverhello 32768 sockread_serverhello 32768
@ -8504,7 +8505,7 @@ sslv2_sockets() {
sock_reply_file2=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 sock_reply_file2=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
mv "$SOCK_REPLY_FILE" "$sock_reply_file2" mv "$SOCK_REPLY_FILE" "$sock_reply_file2"
debugme echo "requesting more server hello data..." debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND socksend "" $USLEEP_SND
sockread_serverhello 32768 sockread_serverhello 32768
@ -8514,7 +8515,7 @@ sslv2_sockets() {
response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }') response_len=$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')
done done
fi fi
debugme tmln_out "reading server hello... " debugme echo "reading server hello... "
if [[ "$DEBUG" -ge 4 ]]; then if [[ "$DEBUG" -ge 4 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -6 hexdump -C "$SOCK_REPLY_FILE" | head -6
tmln_out tmln_out
@ -8833,7 +8834,7 @@ tls_sockets() {
code2network "$(tolower "$cipher_list_2send")" # convert CIPHER_SUITES to a "standardized" format code2network "$(tolower "$cipher_list_2send")" # convert CIPHER_SUITES to a "standardized" format
cipher_list_2send="$NW_STR" cipher_list_2send="$NW_STR"
debugme echo "sending client hello..." debugme echo -en "\nsending client hello... "
socksend_tls_clienthello "$tls_low_byte" "$cipher_list_2send" "$4" "$offer_compression" socksend_tls_clienthello "$tls_low_byte" "$cipher_list_2send" "$4" "$offer_compression"
ret=$? # 6 means opening socket didn't succeed, e.g. timeout ret=$? # 6 means opening socket didn't succeed, e.g. timeout
@ -8857,7 +8858,7 @@ tls_sockets() {
sock_reply_file2=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 sock_reply_file2=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
mv "$SOCK_REPLY_FILE" "$sock_reply_file2" mv "$SOCK_REPLY_FILE" "$sock_reply_file2"
debugme echo "requesting more server hello data..." debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND socksend "" $USLEEP_SND
sockread_serverhello 32768 sockread_serverhello 32768
@ -8885,7 +8886,7 @@ tls_sockets() {
fi fi
done done
debugme tmln_out "reading server hello..." debugme echo "reading server hello..."
if [[ "$DEBUG" -ge 4 ]]; then if [[ "$DEBUG" -ge 4 ]]; then
hexdump -C $SOCK_REPLY_FILE | head -6 hexdump -C $SOCK_REPLY_FILE | head -6
echo echo
@ -8903,9 +8904,11 @@ tls_sockets() {
fi fi
fi fi
if [[ $DEBUG -ge 2 ]]; then
# see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL
lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)") lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)")
debugme tm_out " (returned $lines lines) " tm_out " ($lines lines returned) "
fi
# determine the return value for higher level, so that they can tell what the result is # determine the return value for higher level, so that they can tell what the result is
if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then
@ -8914,11 +8917,11 @@ tls_sockets() {
if [[ 03$tls_low_byte -eq $DETECTED_TLS_VERSION ]]; then if [[ 03$tls_low_byte -eq $DETECTED_TLS_VERSION ]]; then
ret=0 # protocol available, TLS version returned equal to the one send ret=0 # protocol available, TLS version returned equal to the one send
else else
[[ $DEBUG -ge 2 ]] && echo -n "protocol send: 0x03$tls_low_byte, returned: 0x$DETECTED_TLS_VERSION" debugme echo -n "protocol send: 0x03$tls_low_byte, returned: 0x$DETECTED_TLS_VERSION"
ret=2 # protocol NOT available, server downgraded to $DETECTED_TLS_VERSION ret=2 # protocol NOT available, server downgraded to $DETECTED_TLS_VERSION
fi fi
fi fi
debugme tmln_out debugme echo
else else
debugme echo "stuck on sending: $ret" debugme echo "stuck on sending: $ret"
fi fi
@ -8940,7 +8943,6 @@ run_heartbleed(){
local tls_proto_offered tls_hexcode local tls_proto_offered tls_hexcode
local heartbleed_payload client_hello local heartbleed_payload client_hello
local -i n ret lines_returned local -i n ret lines_returned
local -i hb_rounds=3
local append="" local append=""
local tls_hello_ascii="" local tls_hello_ascii=""
local cve="CVE-2014-0160" local cve="CVE-2014-0160"
@ -9028,11 +9030,10 @@ run_heartbleed(){
x00, x0f, x00, x01, x01" x00, x0f, x00, x01, x01"
fd_socket 5 || return 6 fd_socket 5 || return 6
debugme tm_out "\nsending client hello (TLS version $tls_hexcode)" debugme echo -en "\nsending client hello... "
debugme tmln_out " ($n of $hb_rounds)"
socksend "$client_hello" 1 socksend "$client_hello" 1
debugme tmln_out "\nreading server hello" debugme echo "reading server hello... "
sockread_serverhello 32768 sockread_serverhello 32768
if [[ $DEBUG -ge 4 ]]; then if [[ $DEBUG -ge 4 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
@ -9172,10 +9173,10 @@ run_ccs_injection(){
fd_socket 5 || return 6 fd_socket 5 || return 6
# we now make a standard handshake ... # we now make a standard handshake ...
debugme tm_out "\nsending client hello, " debugme echo -n "sending client hello... "
socksend "$client_hello" 1 socksend "$client_hello" 1
debugme tmln_out "\nreading server hello" debugme echo "reading server hello... "
sockread_serverhello 32768 sockread_serverhello 32768
if [[ $DEBUG -ge 4 ]]; then if [[ $DEBUG -ge 4 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
@ -9330,7 +9331,7 @@ run_ticketbleed() {
SSLv3) tls_hexcode="x03, x00" ;; SSLv3) tls_hexcode="x03, x00" ;;
esac esac
fi fi
debugme echo -e "\nusing protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
session_tckt_tls="$(get_session_ticket_tls)" session_tckt_tls="$(get_session_ticket_tls)"
if [[ "$session_tckt_tls" == "," ]]; then if [[ "$session_tckt_tls" == "," ]]; then
@ -9349,7 +9350,7 @@ run_ticketbleed() {
len_handshake_ssl_layer="$(( len_handshake_record_layer + 4 ))" len_handshake_ssl_layer="$(( len_handshake_record_layer + 4 ))"
xlen_handshake_ssl_layer="$(dec04hex "$len_handshake_ssl_layer")" xlen_handshake_ssl_layer="$(dec04hex "$len_handshake_ssl_layer")"
if [[ "$DEBUG" -ge 2 ]]; then if [[ "$DEBUG" -ge 4 ]]; then
echo "len_tckt_tls (hex): $len_tckt_tls ($xlen_tckt_tls)" echo "len_tckt_tls (hex): $len_tckt_tls ($xlen_tckt_tls)"
echo "sid: $sid" echo "sid: $sid"
echo "len_sid (hex) $len_sid ($xlen_sid)" echo "len_sid (hex) $len_sid ($xlen_sid)"
@ -9439,10 +9440,10 @@ run_ticketbleed() {
# we do 3 client hellos, and see whether different memmory is returned # we do 3 client hellos, and see whether different memmory is returned
for i in 1 2 3; do for i in 1 2 3; do
fd_socket 5 || return 6 fd_socket 5 || return 6
debugme tmln_out "\nsending client hello " debugme echo -n "sending client hello... "
socksend "$client_hello" 0 socksend "$client_hello" 0
debugme tmln_out "\nreading server hello (ticketbleed reply)" debugme echo "reading server hello (ticketbleed reply)... "
if "$FAST_SOCKET"; then if "$FAST_SOCKET"; then
tls_hello_ascii=$(sockread_fast 32768) tls_hello_ascii=$(sockread_fast 32768)
else else
@ -9477,7 +9478,7 @@ run_ticketbleed() {
sid_input=$(sed -e 's/x//g' -e 's/,//g' <<< "$sid") sid_input=$(sed -e 's/x//g' -e 's/,//g' <<< "$sid")
sid_detected[i]="${tls_hello_ascii:88:32}" sid_detected[i]="${tls_hello_ascii:88:32}"
memory[i]="${tls_hello_ascii:$((88+ len_sid*2)):$((32 - len_sid*2))}" memory[i]="${tls_hello_ascii:$((88+ len_sid*2)):$((32 - len_sid*2))}"
if [[ "$DEBUG" -ge 2 ]]; then if [[ "$DEBUG" -ge 3 ]]; then
echo echo
echo "TLS version, record layer: ${tls_hello_ascii:18:4}" echo "TLS version, record layer: ${tls_hello_ascii:18:4}"
echo "Session ID: ${sid_detected[i]}" echo "Session ID: ${sid_detected[i]}"
@ -10072,7 +10073,7 @@ run_freak() {
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI $addcmd >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY $SNI $addcmd >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
sclient_success=$? sclient_success=$?
[[ $DEBUG -eq 2 ]] && egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error" debugme egrep -a "error|failure" $ERRFILE | egrep -av "unable to get local|verify error"
if [[ $sclient_success -ne 0 ]] && "$HAS_SSL2"; then if [[ $sclient_success -ne 0 ]] && "$HAS_SSL2"; then
$OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -cipher $exportrsa_cipher_list -connect $NODEIP:$PORT $PROXY -ssl2 >$TMPFILE 2>$ERRFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
@ -10417,7 +10418,7 @@ run_beast(){
outln outln
pr_headlineln " Testing for BEAST vulnerability " pr_headlineln " Testing for BEAST vulnerability "
fi fi
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln outln
fi fi
pr_bold " BEAST"; out " ($cve) " pr_bold " BEAST"; out " ($cve) "
@ -10674,6 +10675,9 @@ run_lucky13() {
local hint="" local hint=""
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LUCKY13 vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LUCKY13 vulnerability " && outln
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then
outln
fi
pr_bold " LUCKY13"; out " ($cve) " pr_bold " LUCKY13"; out " ($cve) "
"$SSL_NATIVE" && using_sockets=false "$SSL_NATIVE" && using_sockets=false
@ -10741,7 +10745,7 @@ run_rc4() {
outln outln
pr_headlineln " Checking for vulnerable RC4 Ciphers " pr_headlineln " Checking for vulnerable RC4 Ciphers "
fi fi
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln outln
fi fi
pr_bold " RC4"; out " ($cve) " pr_bold " RC4"; out " ($cve) "
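Review bot: In client_simulation_sockets(), and again in tls_sockets(), the assignment `lines=$(count_lines ...)` now sits inside the added `if [[ $DEBUG -ge 2 ]]` block, but the unchanged test right after it, `if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]`, still reads `$lines`. Unless `lines` is set somewhere outside the hunks shown, it stays empty at DEBUG below 2, so `[[ $lines -eq 1 ]]` can never be true and the return code reported to the callers depends on the debug level. Keep the assignment unconditional and guard only the output: `lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)")` followed by `[[ $DEBUG -ge 2 ]] && tm_out " ($lines lines returned) "`. Both functions start and end outside the hunks shown.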