mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-11 11:10:57 +01:00
Merge branch 'drwetter/2.9dev' into 2.9dev
This commit is contained in:
commit
ddf53e9ae5
361
testssl.sh
361
testssl.sh
@ -79,16 +79,20 @@
|
|||||||
# debugging help:
|
# debugging help:
|
||||||
readonly PS4='|${LINENO}> \011${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
readonly PS4='|${LINENO}> \011${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||||
|
|
||||||
|
# see stackoverflow.com/questions/5014823/how-to-profile-a-bash-shell-script-slow-startup#20855353
|
||||||
|
# how to paste both in order to do performance analysis
|
||||||
DEBUGTIME=${DEBUGTIME:-false}
|
DEBUGTIME=${DEBUGTIME:-false}
|
||||||
|
DEBUG_ALLINONE=${DEBUG_ALLINONE:-false} # true: do debugging in one sceen
|
||||||
if grep -q xtrace <<< "$SHELLOPTS"; then
|
if grep -q xtrace <<< "$SHELLOPTS"; then
|
||||||
if "$DEBUGTIME" ; then
|
if "$DEBUGTIME" ; then
|
||||||
# separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis
|
# separate debugging, doesn't mess up the screen, $DEBUGTIME determines whether we also do performance analysis
|
||||||
exec 42>&2 2> >(tee /tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >/tmp/testssl-$$.time)
|
exec 42>&2 2> >(tee /tmp/testssl-$$.log | sed -u 's/^.*$/now/' | date -f - +%s.%N >/tmp/testssl-$$.time)
|
||||||
# for pasting both togher see https://stackoverflow.com/questions/5014823/how-to-profile-a-bash-shell-script-slow-startup#20855353
|
|
||||||
else
|
|
||||||
exec 42>| /tmp/testssl-$$.log
|
|
||||||
BASH_XTRACEFD=42
|
BASH_XTRACEFD=42
|
||||||
|
else
|
||||||
|
if ! "$DEBUG_ALLINONE"; then
|
||||||
|
exec 42>| /tmp/testssl-$$.log
|
||||||
|
BASH_XTRACEFD=42
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -173,12 +177,15 @@ LOGFILE=${LOGFILE:-""} # logfile if used
|
|||||||
JSONFILE=${JSONFILE:-""} # jsonfile if used
|
JSONFILE=${JSONFILE:-""} # jsonfile if used
|
||||||
CSVFILE=${CSVFILE:-""} # csvfile if used
|
CSVFILE=${CSVFILE:-""} # csvfile if used
|
||||||
HTMLFILE=${HTMLFILE:-""} # HTML if used
|
HTMLFILE=${HTMLFILE:-""} # HTML if used
|
||||||
HTMLHEADER=true # include HTML headers and footers in HTML file, if one is being created
|
FIRST_FINDING=true # Is this the first finding we are outputting to file?
|
||||||
|
JSONHEADER=true # include JSON headers and footers in HTML file, if one is being created
|
||||||
|
CSVHEADER=true # same for CSV
|
||||||
|
HTMLHEADER=true # same for HTML
|
||||||
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
|
APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it
|
||||||
GIVE_HINTS=false # give an addtional info to findings
|
GIVE_HINTS=false # give an addtional info to findings
|
||||||
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
|
||||||
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses
|
||||||
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs)
|
SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or a 128 cipher limit (e.g. old ASAs)
|
||||||
|
|
||||||
# tuning vars, can not be set by a cmd line switch
|
# tuning vars, can not be set by a cmd line switch
|
||||||
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
EXPERIMENTAL=${EXPERIMENTAL:-false}
|
||||||
@ -277,7 +284,6 @@ HTTP_TIME=""
|
|||||||
GET_REQ11=""
|
GET_REQ11=""
|
||||||
readonly UA_STD="TLS tester from $SWURL"
|
readonly UA_STD="TLS tester from $SWURL"
|
||||||
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
|
readonly UA_SNEAKY="Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0"
|
||||||
FIRST_FINDING=true # Is this the first finding we are outputting to file?
|
|
||||||
START_TIME=0 # time in epoch when the action started
|
START_TIME=0 # time in epoch when the action started
|
||||||
END_TIME=0 # .. ended
|
END_TIME=0 # .. ended
|
||||||
SCAN_TIME=0 # diff of both: total scan time
|
SCAN_TIME=0 # diff of both: total scan time
|
||||||
@ -806,30 +812,12 @@ strip_quote() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#################### JSON FILE FORMATING ####################
|
#################### JSON FILE FORMATING ####################
|
||||||
fileout_pretty_json_header() {
|
|
||||||
target="$NODE"
|
|
||||||
$do_mx_all_ips && target="$URI"
|
|
||||||
|
|
||||||
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
|
|
||||||
\"at\" : \"$HNAME:$OPENSSL_LOCATION\",
|
|
||||||
\"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
|
|
||||||
\"openssl\" : \"$OSSL_VER from $OSSL_BUILD_DATE\",
|
|
||||||
\"target host\" : \"$target\",
|
|
||||||
\"port\" : \"$PORT\",
|
|
||||||
\"startTime\" : \"$START_TIME\",
|
|
||||||
\"scanResult\" : ["
|
|
||||||
}
|
|
||||||
|
|
||||||
fileout_pretty_json_footer() {
|
fileout_pretty_json_footer() {
|
||||||
echo -e " ],
|
echo -e " ],
|
||||||
\"scanTime\" : \"$SCAN_TIME\"\n}"
|
\"scanTime\" : \"$SCAN_TIME\"\n}"
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_json_header() {
|
|
||||||
"$do_json" && printf "[\n" > "$JSONFILE"
|
|
||||||
"$do_pretty_json" && (printf "{\n%s\n" "$(fileout_pretty_json_header)") > "$JSONFILE"
|
|
||||||
}
|
|
||||||
|
|
||||||
fileout_json_footer() {
|
fileout_json_footer() {
|
||||||
"$do_json" && printf "]\n" >> "$JSONFILE"
|
"$do_json" && printf "]\n" >> "$JSONFILE"
|
||||||
"$do_pretty_json" && (printf "$(fileout_pretty_json_footer)") >> "$JSONFILE"
|
"$do_pretty_json" && (printf "$(fileout_pretty_json_footer)") >> "$JSONFILE"
|
||||||
@ -850,15 +838,15 @@ fileout_json_section() {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_section_header(){
|
fileout_section_header() {
|
||||||
local str=""
|
local str=""
|
||||||
$2 && str="$(fileout_section_footer false)"
|
"$2" && str="$(fileout_section_footer false)"
|
||||||
"$do_pretty_json" && FIRST_FINDING=true && (printf "%s%s\n" "$str" "$(fileout_json_section "$1")") >> "$JSONFILE"
|
"$do_pretty_json" && FIRST_FINDING=true && (printf "%s%s\n" "$str" "$(fileout_json_section "$1")") >> "$JSONFILE"
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_section_footer() { # IS_THE_LAST_ONE
|
fileout_section_footer() {
|
||||||
"$do_pretty_json" && printf "\n ]" >> "$JSONFILE"
|
"$do_pretty_json" && printf "\n ]" >> "$JSONFILE"
|
||||||
"$do_pretty_json" && $1 && echo -e "\n }" >> "$JSONFILE"
|
"$do_pretty_json" && "$1" && echo -e "\n }" >> "$JSONFILE"
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_json_print_parameter() {
|
fileout_json_print_parameter() {
|
||||||
@ -866,34 +854,30 @@ fileout_json_print_parameter() {
|
|||||||
local filler="$2"
|
local filler="$2"
|
||||||
local value="$3"
|
local value="$3"
|
||||||
local not_last="$4"
|
local not_last="$4"
|
||||||
|
local spaces=""
|
||||||
|
|
||||||
local shift=""
|
"$do_json" && \
|
||||||
|
spaces=" " || \
|
||||||
if "$do_json"; then
|
spaces=" "
|
||||||
shift=" "
|
|
||||||
else
|
|
||||||
shift=" "
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ ! -z "$value" ]]; then
|
if [[ ! -z "$value" ]]; then
|
||||||
printf "%s%s%s%s" "$shift" "\"$parameter\"" "$filler" ": \"$value\"" >> "$JSONFILE"
|
printf "%s%s%s%s" "$spaces" "\"$parameter\"" "$filler" ": \"$value\"" >> "$JSONFILE"
|
||||||
"$not_last" && printf ",\n" >> "$JSONFILE"
|
"$not_last" && printf ",\n" >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_json_finding() {
|
fileout_json_finding() {
|
||||||
if "$do_json"; then
|
if "$do_json"; then
|
||||||
"$FIRST_FINDING" || echo -n "," >> "$JSONFILE"
|
"$FIRST_FINDING" || echo -n "," >> "$JSONFILE"
|
||||||
echo -e " {" >> "$JSONFILE"
|
echo -e " {" >> "$JSONFILE"
|
||||||
fileout_json_print_parameter "id" " " "$1" true
|
fileout_json_print_parameter "id" " " "$1" true
|
||||||
fileout_json_print_parameter "ip" " " "$NODE/$NODEIP" true
|
fileout_json_print_parameter "ip" " " "$NODE/$NODEIP" true
|
||||||
fileout_json_print_parameter "port" " " "$PORT" true
|
fileout_json_print_parameter "port" " " "$PORT" true
|
||||||
fileout_json_print_parameter "severity" " " "$2" true
|
fileout_json_print_parameter "severity" " " "$2" true
|
||||||
fileout_json_print_parameter "cve" " " "$cve" true
|
fileout_json_print_parameter "cve" " " "$cve" true
|
||||||
fileout_json_print_parameter "cwe" " " "$cwe" true
|
fileout_json_print_parameter "cwe" " " "$cwe" true
|
||||||
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
||||||
fileout_json_print_parameter "finding" " " "$finding" false
|
fileout_json_print_parameter "finding" " " "$finding" false
|
||||||
echo -e "\n }" >> "$JSONFILE"
|
echo -e "\n }" >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
if "$do_pretty_json"; then
|
if "$do_pretty_json"; then
|
||||||
if [[ "$1" == "service" ]]; then
|
if [[ "$1" == "service" ]]; then
|
||||||
@ -904,70 +888,144 @@ fileout_json_finding() {
|
|||||||
\"service\" : \"$finding\",
|
\"service\" : \"$finding\",
|
||||||
\"ip\" : \"$NODEIP\"," >> "$JSONFILE"
|
\"ip\" : \"$NODEIP\"," >> "$JSONFILE"
|
||||||
$do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE"
|
$do_mx_all_ips && echo -e " \"hostname\" : \"$NODE\"," >> "$JSONFILE"
|
||||||
else
|
else
|
||||||
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
|
("$FIRST_FINDING" && echo -n " {" >> "$JSONFILE") || echo -n ",{" >> "$JSONFILE"
|
||||||
echo -e -n "\n" >> "$JSONFILE"
|
echo -e -n "\n" >> "$JSONFILE"
|
||||||
fileout_json_print_parameter "id" " " "$1" true
|
fileout_json_print_parameter "id" " " "$1" true
|
||||||
fileout_json_print_parameter "severity" " " "$2" true
|
fileout_json_print_parameter "severity" " " "$2" true
|
||||||
fileout_json_print_parameter "cve" " " "$cve" true
|
fileout_json_print_parameter "cve" " " "$cve" true
|
||||||
fileout_json_print_parameter "cwe" " " "$cwe" true
|
fileout_json_print_parameter "cwe" " " "$cwe" true
|
||||||
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
"$GIVE_HINTS" && fileout_json_print_parameter "hint" " " "$hint" true
|
||||||
fileout_json_print_parameter "finding" " " "$finding" false
|
fileout_json_print_parameter "finding" " " "$finding" false
|
||||||
echo -e -n "\n }" >> "$JSONFILE"
|
echo -e -n "\n }" >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
is_json_format() {
|
|
||||||
( [[ -f "$JSONFILE" ]] && ("$do_json" || "$do_pretty_json") )
|
|
||||||
}
|
|
||||||
|
|
||||||
##################### FILE FORMATING #########################
|
##################### FILE FORMATING #########################
|
||||||
|
|
||||||
fileout_header() {
|
fileout_pretty_json_banner() {
|
||||||
if "$APPEND"; then
|
echo -e " \"Invocation\" : \"$PROG_NAME $CMDLINE\",
|
||||||
if [[ -f "$JSONFILE" ]]; then
|
\"at\" : \"$HNAME:$OPENSSL_LOCATION\",
|
||||||
FIRST_FINDING=false # We need to insert a comma, because there is file content already
|
\"version\" : \"$VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\",
|
||||||
else
|
\"openssl\" : \"$OSSL_VER from $OSSL_BUILD_DATE\",
|
||||||
fileout_json_header
|
\"target host\" : \"$target\",
|
||||||
|
\"port\" : \"$PORT\",
|
||||||
|
\"startTime\" : \"$START_TIME\",
|
||||||
|
\"scanResult\" : ["
|
||||||
|
}
|
||||||
|
|
||||||
|
fileout_banner() {
|
||||||
|
local target="$NODE"
|
||||||
|
$do_mx_all_ips && target="$URI"
|
||||||
|
|
||||||
|
#if ! "$APPEND"; then
|
||||||
|
# if "$CSVHEADER"; then
|
||||||
|
# :
|
||||||
|
# fi
|
||||||
|
if "$JSONHEADER"; then
|
||||||
|
# "$do_json" && # here we maybe should add a banner, too
|
||||||
|
"$do_pretty_json" && (printf "%s\n" "$(fileout_pretty_json_banner)") >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
if "$do_csv"; then
|
#fi
|
||||||
if [[ -f "$CSVFILE" ]]; then
|
|
||||||
# add lf, just for overview
|
|
||||||
echo >> "$CSVFILE"
|
|
||||||
else
|
|
||||||
# create file, with headline
|
|
||||||
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
fileout_json_header
|
|
||||||
"$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout_footer() {
|
fileout_footer() {
|
||||||
is_json_format && fileout_json_footer
|
if "$JSONHEADER"; then
|
||||||
|
fileout_json_footer
|
||||||
|
fi
|
||||||
|
# CSV: no footer
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
fileout() { # ID, SEVERITY, FINDING, CVE, CWE, HINT
|
# ID, SEVERITY, FINDING, CVE, CWE, HINT
|
||||||
|
fileout() {
|
||||||
local severity="$2"
|
local severity="$2"
|
||||||
local cwe="$5"
|
local cwe="$5"
|
||||||
local hint="$6"
|
local hint="$6"
|
||||||
|
|
||||||
if ( "$do_pretty_json" && [[ "$1" == "service" ]] ) || show_finding "$severity"; then
|
if ( "$do_pretty_json" && [[ "$1" == "service" ]] ) || show_finding "$severity"; then
|
||||||
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
||||||
|
[[ -f "$JSONFILE" ]] && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint")
|
||||||
is_json_format && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint")
|
"$do_csv" && \
|
||||||
|
|
||||||
# does the following do any sanitization?
|
|
||||||
if "$do_csv"; then
|
|
||||||
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\",\""$cve"\",\""$cwe"\",\""$hint"\"" >> "$CSVFILE"
|
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\",\""$cve"\",\""$cwe"\",\""$hint"\"" >> "$CSVFILE"
|
||||||
fi
|
"$FIRST_FINDING" && FIRST_FINDING=false
|
||||||
"$FIRST_FINDING" && FIRST_FINDING=false
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
json_header() {
|
||||||
|
local fname_prefix
|
||||||
|
|
||||||
|
# Similar to HTML: Don't create headers and footers in the following scenarios:
|
||||||
|
# * no JSON/CSV output is being created.
|
||||||
|
# * mass testing is being performed and each test will have its own file.
|
||||||
|
# * this is an individual test within a mass test and all output is being placed in a single file.
|
||||||
|
|
||||||
|
if ( ! "$do_json" && ! "$do_pretty_json" ) || \
|
||||||
|
( "$do_mass_testing" && ( [[ -z "$JSONFILE" ]] || [[ -d "$JSONFILE" ]] ) ) || \
|
||||||
|
( "$APPEND" && [[ -n "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] ); then
|
||||||
|
JSONHEADER=false
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
if "$do_display_only"; then
|
||||||
|
fname_prefix="local-ciphers"
|
||||||
|
elif "$do_mass_testing"; then
|
||||||
|
:
|
||||||
|
elif "$do_mx_all_ips"; then
|
||||||
|
fname_prefix="mx-$URI"
|
||||||
|
else
|
||||||
|
( [[ -z "$JSONFILE" ]] || [[ -d "$JSONFILE" ]] ) && parse_hn_port "${URI}"
|
||||||
|
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
|
||||||
|
fname_prefix="${NODE}"_p"${PORT}"
|
||||||
|
fi
|
||||||
|
if [[ -n "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]]; then
|
||||||
|
rm -f "$JSONFILE"
|
||||||
|
elif [[ -z "$JSONFILE" ]]; then
|
||||||
|
JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
||||||
|
else
|
||||||
|
JSONFILE=$JSONFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
||||||
|
fi
|
||||||
|
"$do_json" && printf "[\n" > "$JSONFILE"
|
||||||
|
"$do_pretty_json" && printf "{\n" > "$JSONFILE"
|
||||||
|
#FIRST_FINDING=false
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
csv_header() {
|
||||||
|
local fname_prefix
|
||||||
|
|
||||||
|
# CSV similar:
|
||||||
|
if ! "$do_csv" || \
|
||||||
|
( "$do_mass_testing" && ( [[ -z "$CSVFILE" ]] || [[ -d "$CSVFILE" ]] ) ) || \
|
||||||
|
( "$APPEND" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] ); then
|
||||||
|
CSVHEADER=false
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
if "$do_display_only"; then
|
||||||
|
fname_prefix="local-ciphers"
|
||||||
|
elif "$do_mass_testing"; then
|
||||||
|
:
|
||||||
|
elif "$do_mx_all_ips"; then
|
||||||
|
fname_prefix="mx-$URI"
|
||||||
|
else
|
||||||
|
( [[ -z "$CSVFILE" ]] || [[ -d "$CSVFILE" ]] ) && parse_hn_port "${URI}"
|
||||||
|
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
|
||||||
|
fname_prefix="${NODE}"_p"${PORT}"
|
||||||
|
fi
|
||||||
|
if [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]]; then
|
||||||
|
rm -f "$CSVFILE"
|
||||||
|
elif [[ -z "$CSVFILE" ]]; then
|
||||||
|
CSVFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".csv)
|
||||||
|
else
|
||||||
|
CSVFILE=$CSVFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".csv)
|
||||||
|
fi
|
||||||
|
"$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
################# JSON FILE FORMATING END. HTML START ####################
|
################# JSON FILE FORMATING END. HTML START ####################
|
||||||
|
|
||||||
html_header() {
|
html_header() {
|
||||||
@ -980,8 +1038,8 @@ html_header() {
|
|||||||
if ! "$do_html" || \
|
if ! "$do_html" || \
|
||||||
( "$do_mass_testing" && ( [[ -z "$HTMLFILE" ]] || [[ -d "$HTMLFILE" ]] ) ) || \
|
( "$do_mass_testing" && ( [[ -z "$HTMLFILE" ]] || [[ -d "$HTMLFILE" ]] ) ) || \
|
||||||
( "$APPEND" && [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] ); then
|
( "$APPEND" && [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] ); then
|
||||||
HTMLHEADER=false
|
HTMLHEADER=false
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if "$do_display_only"; then
|
if "$do_display_only"; then
|
||||||
@ -991,7 +1049,8 @@ html_header() {
|
|||||||
elif "$do_mx_all_ips"; then
|
elif "$do_mx_all_ips"; then
|
||||||
fname_prefix="mx-$URI"
|
fname_prefix="mx-$URI"
|
||||||
else
|
else
|
||||||
( [[ -z "$HTMLFILE" ]] || [[ -d "$HTMLFILE" ]] ) && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now
|
( [[ -z "$HTMLFILE" ]] || [[ -d "$HTMLFILE" ]] ) && parse_hn_port "${URI}"
|
||||||
|
# NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now --> wrong place
|
||||||
fname_prefix="${NODE}"_p"${PORT}"
|
fname_prefix="${NODE}"_p"${PORT}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3624,7 +3683,8 @@ run_client_simulation() {
|
|||||||
what_dh=$(awk -F',' '{ print $1 }' <<< $temp)
|
what_dh=$(awk -F',' '{ print $1 }' <<< $temp)
|
||||||
bits=$(awk -F',' '{ print $3 }' <<< $temp)
|
bits=$(awk -F',' '{ print $3 }' <<< $temp)
|
||||||
grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp)
|
grep -q bits <<< $bits || bits=$(awk -F',' '{ print $2 }' <<< $temp)
|
||||||
bits="${bits/ bits/}"
|
bits="${bits/bits/}"
|
||||||
|
bits="${bits// /}"
|
||||||
if [[ "$what_dh" == "DH" ]]; then
|
if [[ "$what_dh" == "DH" ]]; then
|
||||||
[[ ${minDhBits[i]} -ne -1 ]] && [[ $bits -lt ${minDhBits[i]} ]] && sclient_success=1
|
[[ ${minDhBits[i]} -ne -1 ]] && [[ $bits -lt ${minDhBits[i]} ]] && sclient_success=1
|
||||||
[[ ${maxDhBits[i]} -ne -1 ]] && [[ $bits -gt ${maxDhBits[i]} ]] && sclient_success=1
|
[[ ${maxDhBits[i]} -ne -1 ]] && [[ $bits -gt ${maxDhBits[i]} ]] && sclient_success=1
|
||||||
@ -4234,7 +4294,8 @@ read_dhbits_from_file() {
|
|||||||
else
|
else
|
||||||
bits=$(awk -F',' '{ print $2 }' <<< $temp)
|
bits=$(awk -F',' '{ print $2 }' <<< $temp)
|
||||||
fi
|
fi
|
||||||
bits="${bits/ bits/}"
|
bits="${bits/bits/}"
|
||||||
|
bits="${bits// /}"
|
||||||
|
|
||||||
if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then
|
if [[ "$what_dh" == "X25519" ]] || [[ "$what_dh" == "X448" ]]; then
|
||||||
curve="$what_dh"
|
curve="$what_dh"
|
||||||
@ -10725,7 +10786,7 @@ file output options (can also be preset via environment variables):
|
|||||||
--htmlfile <htmlfile> additional output as HTML to the specifed file
|
--htmlfile <htmlfile> additional output as HTML to the specifed file
|
||||||
--hints additional hints to findings
|
--hints additional hints to findings
|
||||||
--severity <severity> severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL>
|
--severity <severity> severities with lower level will be filtered for CSV+JSON, possible values <LOW|MEDIUM|HIGH|CRITICAL>
|
||||||
--append if <logfile>, <csvfile> or <jsonfile> exists rather append then overwrite
|
--append if <logfile>, <csvfile>, <jsonfile> or <htmlfile> exists rather append then overwrite. Omits any header
|
||||||
|
|
||||||
|
|
||||||
Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
Options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl <URI>.
|
||||||
@ -10926,10 +10987,10 @@ cleanup () {
|
|||||||
[[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR";
|
[[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR";
|
||||||
fi
|
fi
|
||||||
outln
|
outln
|
||||||
"$APPEND" || fileout_footer
|
|
||||||
html_footer
|
html_footer
|
||||||
|
fileout_footer
|
||||||
# debugging off, see above
|
# debugging off, see above
|
||||||
grep -q xtrace <<< "$SHELLOPTS" && exec 2>&42 42>&-
|
grep -q xtrace <<< "$SHELLOPTS" && ! "$DEBUG_ALLINONE" && exec 2>&42 42>&-
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal() {
|
fatal() {
|
||||||
@ -11064,35 +11125,18 @@ prepare_logging() {
|
|||||||
else
|
else
|
||||||
: # just for clarity: a log file was specified, no need to do anything else
|
: # just for clarity: a log file was specified, no need to do anything else
|
||||||
fi
|
fi
|
||||||
[[ -e $LOGFILE ]] && fatal "\"$LOGFILE\" exists. Either use \"--append\" or (re)move it" 1
|
|
||||||
>$LOGFILE
|
if ! "$APPEND"; then
|
||||||
|
[[ -e $LOGFILE ]] && fatal "\"$LOGFILE\" exists. Either use \"--append\" or (re)move it" 1
|
||||||
|
else
|
||||||
|
>$LOGFILE
|
||||||
|
fi
|
||||||
tmln_out "## Scan started as: \"$PROG_NAME $CMDLINE\"" >>${LOGFILE}
|
tmln_out "## Scan started as: \"$PROG_NAME $CMDLINE\"" >>${LOGFILE}
|
||||||
tmln_out "## at $HNAME:$OPENSSL_LOCATION" >>${LOGFILE}
|
tmln_out "## at $HNAME:$OPENSSL_LOCATION" >>${LOGFILE}
|
||||||
tmln_out "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE" >>${LOGFILE}
|
tmln_out "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE" >>${LOGFILE}
|
||||||
tmln_out "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n" >>${LOGFILE}
|
tmln_out "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n" >>${LOGFILE}
|
||||||
exec > >(tee -a ${LOGFILE})
|
exec > >(tee -a ${LOGFILE})
|
||||||
# not decided yet. Maybe good to have a separate file or none at all
|
|
||||||
#exec 2> >(tee -a ${LOGFILE} >&2)
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if "$do_json" || "$do_pretty_json"; then
|
|
||||||
if [[ -z "$JSONFILE" ]]; then
|
|
||||||
JSONFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
|
||||||
elif [[ -d "$JSONFILE" ]]; then
|
|
||||||
# actually we were instructed to place all files in a DIR instead of the current working dir
|
|
||||||
JSONFILE=$JSONFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".json)
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if "$do_csv"; then
|
|
||||||
if [[ -z "$CSVFILE" ]]; then
|
|
||||||
CSVFILE=$fname_prefix-$(date +"%Y%m%d-%H%M".csv)
|
|
||||||
elif [[ -d "$CSVFILE" ]]; then
|
|
||||||
# actually we were instructed to place all files in a DIR instead of the current working dir
|
|
||||||
CSVFILE=$CSVFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".csv)
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fileout_header # write out any CSV/JSON header line
|
|
||||||
return 0
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -11744,7 +11788,6 @@ run_mass_testing() {
|
|||||||
outln "$cmdline"
|
outln "$cmdline"
|
||||||
$cmdline
|
$cmdline
|
||||||
done < "${FNAME}"
|
done < "${FNAME}"
|
||||||
fileout_footer
|
|
||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -12161,7 +12204,7 @@ parse_cmd_line() {
|
|||||||
do_html=true
|
do_html=true
|
||||||
;; # DEFINITION of HTMLFILE is not arg specified: automagically in parse_hn_port()
|
;; # DEFINITION of HTMLFILE is not arg specified: automagically in parse_hn_port()
|
||||||
# following does the same but we can specify a file location additionally
|
# following does the same but we can specify a file location additionally
|
||||||
--htmlfile)
|
--htmlfile|--htmlfile=*)
|
||||||
HTMLFILE=$(parse_opt_equal_sign "$1" "$2")
|
HTMLFILE=$(parse_opt_equal_sign "$1" "$2")
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
do_html=true
|
do_html=true
|
||||||
@ -12371,9 +12414,14 @@ lets_roll() {
|
|||||||
|
|
||||||
################# main #################
|
################# main #################
|
||||||
|
|
||||||
|
ret=0
|
||||||
|
ip=""
|
||||||
|
|
||||||
lets_roll init
|
lets_roll init
|
||||||
initialize_globals
|
initialize_globals
|
||||||
parse_cmd_line "$@"
|
parse_cmd_line "$@"
|
||||||
|
json_header
|
||||||
|
csv_header
|
||||||
html_header
|
html_header
|
||||||
get_install_dir
|
get_install_dir
|
||||||
set_color_functions
|
set_color_functions
|
||||||
@ -12386,10 +12434,6 @@ check_proxy
|
|||||||
check4openssl_oldfarts
|
check4openssl_oldfarts
|
||||||
check_bsd_mount
|
check_bsd_mount
|
||||||
|
|
||||||
# TODO: it is ugly to have those two vars here --> main()
|
|
||||||
ret=0
|
|
||||||
ip=""
|
|
||||||
|
|
||||||
if $do_display_only; then
|
if $do_display_only; then
|
||||||
prettyprint_local "$PATTERN2SHOW"
|
prettyprint_local "$PATTERN2SHOW"
|
||||||
exit $?
|
exit $?
|
||||||
@ -12402,41 +12446,44 @@ if $do_mass_testing; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
html_banner
|
html_banner
|
||||||
|
fileout_banner
|
||||||
|
|
||||||
#TODO: there shouldn't be the need for a special case for --mx, only the ip adresses we would need upfront and the do-parser
|
#TODO: there shouldn't be the need for a special case for --mx, only the ip adresses we would need upfront and the do-parser
|
||||||
if $do_mx_all_ips; then
|
if $do_mx_all_ips; then
|
||||||
query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified
|
query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified
|
||||||
[[ $? -eq 1 ]] && set_scanning_defaults
|
[[ $? -eq 1 ]] && set_scanning_defaults
|
||||||
run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have sililar code
|
run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have sililar code
|
||||||
|
exit $?
|
||||||
|
fi
|
||||||
|
|
||||||
|
[[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now
|
||||||
|
prepare_logging
|
||||||
|
if ! determine_ip_addresses; then
|
||||||
|
fatal "No IP address could be determined" 2
|
||||||
|
fi
|
||||||
|
if [[ -n "$CMDLINE_IP" ]]; then
|
||||||
|
# we just test the one supplied
|
||||||
|
lets_roll "${STARTTLS_PROTOCOL}"
|
||||||
ret=$?
|
ret=$?
|
||||||
else
|
else # no --ip was supplied
|
||||||
[[ -z "$NODE" ]] && parse_hn_port "${URI}" # NODE, URL_PATH, PORT, IPADDR and IP46ADDR is set now
|
if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check
|
||||||
prepare_logging
|
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
||||||
if ! determine_ip_addresses; then
|
for ip in $IPADDRs; do
|
||||||
fatal "No IP address could be determined" 2
|
|
||||||
fi
|
|
||||||
if [[ -n "$CMDLINE_IP" ]]; then
|
|
||||||
# we just test the one supplied
|
|
||||||
lets_roll "${STARTTLS_PROTOCOL}"
|
|
||||||
ret=$?
|
|
||||||
else # no --ip was supplied
|
|
||||||
if [[ $(count_words "$(echo -n "$IPADDRs")") -gt 1 ]]; then # we have more than one ipv4 address to check
|
|
||||||
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
|
|
||||||
for ip in $IPADDRs; do
|
|
||||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
|
||||||
outln
|
|
||||||
NODEIP="$ip"
|
|
||||||
lets_roll "${STARTTLS_PROTOCOL}"
|
|
||||||
ret=$(($? + ret))
|
|
||||||
done
|
|
||||||
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||||
outln
|
outln
|
||||||
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
NODEIP="$ip"
|
||||||
else # we need just one ip4v to check
|
|
||||||
NODEIP="$IPADDRs"
|
|
||||||
lets_roll "${STARTTLS_PROTOCOL}"
|
lets_roll "${STARTTLS_PROTOCOL}"
|
||||||
ret=$?
|
ret=$(($? + ret))
|
||||||
fi
|
done
|
||||||
|
draw_line "-" $((TERM_WIDTH * 2 / 3))
|
||||||
|
outln
|
||||||
|
pr_bold "Done testing now all IP addresses (on port $PORT): "; outln "$IPADDRs"
|
||||||
|
else # we need just one ip4v to check
|
||||||
|
NODEIP="$IPADDRs"
|
||||||
|
lets_roll "${STARTTLS_PROTOCOL}"
|
||||||
|
ret=$?
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exit $?
|
exit $?
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user