From d858edca1b17f1cb1b77bed5bcd2ef4d5e675b32 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 7 Jun 2016 23:06:58 +0200 Subject: [PATCH] - filled PROTOS_OFFERED w sense - minor fixes for fileout - introduced "fixme()" --- testssl.sh | 66 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 45 insertions(+), 21 deletions(-) diff --git a/testssl.sh b/testssl.sh index 6ad7746..0be8cf8 100755 --- a/testssl.sh +++ b/testssl.sh @@ -324,14 +324,14 @@ pr_liteblueln() { pr_liteblue "$1"; outln; } pr_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out "\033[1;32m$1" || out "\033[1;34m$1" ) || out "$1"; pr_off; } # used for head lines of single tests pr_blueln() { pr_blue "$1"; outln; } -pr_warning() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # litemagentai | local problem: one test cannot be done -pr_warningln() { pr_warning "$1"; outln; } -pr_magenta() { [[ "$COLOR" -eq 2 ]] && out "\033[1;35m$1" || pr_underline "$1"; pr_off; } # Fatal error: quitting because of this! +pr_warning() { [[ "$COLOR" -eq 2 ]] && out "\033[0;35m$1" || pr_underline "$1"; pr_off; } # some local problem: one test cannot be done +pr_warningln() { pr_warning "$1"; outln; } # litemagenya +pr_magenta() { [[ "$COLOR" -eq 2 ]] && out "\033[1;35m$1" || pr_underline "$1"; pr_off; } # fatal error: quitting because of this! pr_magentaln() { pr_magenta "$1"; outln; } -pr_litecyan() { [[ "$COLOR" -eq 2 ]] && out "\033[0;36m$1" || out "$1"; pr_off; } # not yet used +pr_litecyan() { [[ "$COLOR" -eq 2 ]] && out "\033[0;36m$1" || out "$1"; pr_off; } # not yet used pr_litecyanln() { pr_litecyan "$1"; outln; } -pr_cyan() { [[ "$COLOR" -eq 2 ]] && out "\033[1;36m$1" || out "$1"; pr_off; } # additional hint +pr_cyan() { [[ "$COLOR" -eq 2 ]] && out "\033[1;36m$1" || out "$1"; pr_off; } # additional hint pr_cyanln() { pr_cyan "$1"; outln; } pr_litegreyln() { pr_litegrey "$1"; outln; } @@ -375,8 +375,11 @@ pr_headlineln() { pr_headline "$1" ; outln; } pr_squoted() { out "'$1'"; } pr_dquoted() { out "\"$1\""; } -local_problem_ln() { pr_warningln "Local problem: $1"; } local_problem() { pr_warning "Local problem: $1"; } +local_problem_ln() { pr_warningln "Local problem: $1"; } + +fixme() { pr_warning "fixme: $1"; } +fixme() { pr_warningln "fixme: $1"; } ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html @@ -642,17 +645,17 @@ runs_HTTP() { *) if $CLIENT_AUTH; then out "certificate based authentication => skipping all HTTP checks" echo "certificate based authentication => skipping all HTTP checks" >$TMPFILE - fileout "client_auth" "WARN" "certificate based authentication => skipping all HTTP checks" + fileout "client_auth" "INFO" "certificate based authentication => skipping all HTTP checks" else out " Couldn't determine what's running on port $PORT" if $ASSUMING_HTTP; then SERVICE=HTTP out " -- ASSUMING_HTTP set though" - fileout "service" "WARN" "Couldn't determine service, --ASSUMING_HTTP set" + fileout "service" "DEBUG" "Couldn't determine service, --ASSUMING_HTTP set" ret=0 else out ", assuming no HTTP service => skipping all HTTP checks" - fileout "service" "WARN" "Couldn't determine service, skipping all HTTP checks" + fileout "service" "DEBUG" "Couldn't determine service, skipping all HTTP checks" ret=1 fi fi @@ -1011,7 +1014,7 @@ run_hpkp() { out "\n$spaces" pr_svrty_high " No matching key for pins found " out "(CAs pinned? -- not checked for yet)" - fileout "hpkp_keymatch" "WARN" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" + fileout "hpkp_keymatch" "DEBUG" "The TLS key does not match any key pinned in the HPKP header. If you pinned a CA key you can ignore this" fi else out "--" @@ -2217,6 +2220,12 @@ run_prototest_openssl() { # 7: no local support } +# idempotent function to add SSL/TLS protocols. It should ease testing +# PROTOS_OFFERED's content is in openssl terminology +add_tls_offered() { + grep -w "$1" <<< "$PROTOS_OFFERED" || PROTOS_OFFERED+="$1 " +} + # the protocol check needs to be revamped. It sucks, see above run_protocols() { @@ -2256,6 +2265,7 @@ run_protocols() { 0) pr_svrty_criticalln "offered (NOT ok)" fileout "sslv2" "NOT ok" "SSLv2 is offered (NOT ok)" + add_tls_offered "ssl2" ;; 1) pr_done_bestln "not offered (OK)" @@ -2264,6 +2274,7 @@ run_protocols() { 5) pr_svrty_high "CVE-2015-3197: $supported_no_ciph2"; fileout "sslv2" "WARN" "CVE-2015-3197: SSLv2 is $supported_no_ciph2" + add_tls_offered "ssl2" ;; 7) fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support" @@ -2281,6 +2292,7 @@ run_protocols() { 0) pr_svrty_highln "offered (NOT ok)" fileout "sslv3" "NOT ok" "SSLv3 is offered (NOT ok)" + add_tls_offered "ssl3" ;; 1) pr_done_bestln "not offered (OK)" @@ -2294,7 +2306,8 @@ run_protocols() { fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1" pr_svrty_high "$supported_no_ciph2" outln "(may need debugging)" - ;; # protocol ok, but no cipher + add_tls_offered "ssl3" + ;; 7) fileout "sslv3" "INFO" "SSLv3 is not tested due to lack of local support" ;; # no local support @@ -2310,6 +2323,7 @@ run_protocols() { 0) outln "offered" fileout "tls1" "INFO" "TLSv1.0 is offered" + add_tls_offered "tls1" ;; # nothing wrong with it -- per se 1) outln "not offered" @@ -2320,10 +2334,12 @@ run_protocols() { [[ $DEBUG -eq 1 ]] && out " -- downgraded" outln fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL" + add_tls_offered "tls1" ;; 5) outln "$supported_no_ciph1" # protocol ok, but no cipher fileout "tls1" "WARN" "TLSv1.0 is $supported_no_ciph1" + add_tls_offered "tls1" ;; 7) fileout "tlsv1" "INFO" "TLSv1.0 is not tested due to lack of local support" @@ -2340,6 +2356,7 @@ run_protocols() { 0) outln "offered" fileout "tls1_1" "INFO" "TLSv1.1 is offered" + add_tls_offered "tls1_1" ;; # nothing wrong with it 1) outln "not offered" @@ -2354,6 +2371,7 @@ run_protocols() { 5) outln "$supported_no_ciph1" fileout "tls1_1" "WARN" "TLSv1.1 is $supported_no_ciph1" + add_tls_offered "tls1_1" ;; # protocol ok, but no cipher 7) fileout "tls1_1" "INFO" "TLSv1.1 is not tested due to lack of local support" @@ -2370,6 +2388,7 @@ run_protocols() { 0) pr_done_bestln "offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" + add_tls_offered "tls1_2" ;; # GCM cipher in TLS 1.2: very good! 1) pr_svrty_mediumln "not offered" @@ -2384,11 +2403,13 @@ run_protocols() { 5) outln "$supported_no_ciph1" fileout "tls1_2" "WARN" "TLSv1.2 is $supported_no_ciph1" + add_tls_offered "tls1_2" ;; # protocol ok, but no cipher 7) fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support" ;; # no local support esac + return 0 } @@ -2735,7 +2756,7 @@ check_tls12_pref() { order="$cipher" tested_cipher="-$cipher" else - pr_warningln "fixme: something weird happened around line $((LINENO - 6))" + fixmeln "something weird happened around line $((LINENO - 6))" return 1 fi while true; do @@ -2755,6 +2776,8 @@ check_tls12_pref() { # second cipher set didn't succeed: we can just output everything out " $order" fi + + tmpfile_handle $FUNCNAME.txt return 0 } @@ -2790,7 +2813,7 @@ cipher_pref_check() { # thus we reduce the number of ciphers we throw at the server and put later everything together # see #189 # so far, this was only observed in TLS 1.2 - check_tls12_pref "$cipher" + order=$(check_tls12_pref "$cipher") else out " $cipher" # this is the first cipher for protocol while true; do @@ -2827,7 +2850,7 @@ cipher_pref_check() { order+=" $cipher" done outln - [[ -z $order ]] || fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p:order" + [[ -n $order ]] && fileout "order_spdy_$p" "INFO" "Default cipher order for SPDY protocol $p: $order" done fi @@ -4482,6 +4505,7 @@ sslv2_sockets() { [[ "$DEBUG" -ge 2 ]] && out " ($lines lines) " if [[ "$lines" -gt 1 ]]; then nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) + add_tls_offered "ssl2" if [[ 0 -eq "$nr_ciphers_detected" ]]; then pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 "; fileout "sslv2" "NOT ok" "SSLv2 offered (NOT ok), vulnerable to CVE-2015-3197" @@ -5428,11 +5452,11 @@ run_drown() { parse_sslv2_serverhello "$SOCK_REPLY_FILE" case $? in 7) # strange reply, couldn't convert the cipher spec length to a hex number - pr_cyan "strange v2 reply " + fixme "strange v2 reply " outln " (rerun with DEBUG >=2)" [[ $DEBUG -ge 3 ]] && hexdump -C "$SOCK_REPLY_FILE" | head -1 ret=7 - fileout "DROWN" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" + fileout "drown" "MINOR_ERROR" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" ;; 3) # vulnerable lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>/dev/null)") @@ -5441,16 +5465,16 @@ run_drown() { nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) if [[ 0 -eq "$nr_ciphers_detected" ]]; then pr_svrty_highln "CVE-2015-3197: SSLv2 supported but couldn't detect a cipher (NOT ok)"; - fileout "DROWN" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher" + fileout "drown" "NOT ok" "SSLv2 offered (NOT ok), CVE-2015-3197: but could not detect a cipher" else pr_svrty_criticalln "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"; - fileout "DROWN" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers" + fileout "drown" "NOT ok" "vulnerable (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers" fi fi ret=1 ;; *) pr_done_bestln "not vulnerable on this port (OK)" - fileout "DROWN" "OK" "not vulnerable to DROWN" + fileout "drown" "OK" "not vulnerable to DROWN" outln "$spaces make sure you don't use this certificate elsewhere with SSLv2 enabled services" if [[ "$DEBUG" -ge 1 ]] || "$SHOW_CENSYS_LINK"; then # not advertising it as it after 5 tries and account is needed @@ -5725,7 +5749,7 @@ run_tls_truncation() { old_fart() { outln "Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." - fileout "old_fart" "WARN" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." + fileout "old_fart" "ERROR" "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed. Get precompiled bins or compile https://github.com/PeterMosmans/openssl ." fatal "Your $OPENSSL $OSSL_VER version is an old fart... . It doesn\'t make much sense to proceed." -2 } @@ -7354,4 +7378,4 @@ fi exit $? -# $Id: testssl.sh,v 1.495 2016/06/07 11:02:57 dirkw Exp $ +# $Id: testssl.sh,v 1.496 2016/06/07 21:06:57 dirkw Exp $