From 701545dbb6beb289b94f971108ff937e3b4a47e7 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 13 Jun 2016 15:35:56 +0200 Subject: [PATCH 01/10] Allow the file output feature and mass_test feature to work together --- testssl.sh | 45 ++++++++++++++++----------------------------- 1 file changed, 16 insertions(+), 29 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8fc1ccb..9588cc7 100755 --- a/testssl.sh +++ b/testssl.sh @@ -149,6 +149,7 @@ WIDE=${WIDE:-false} # whether to display for some options th LOGFILE=${LOGFILE:-""} # logfile if used JSONFILE=${JSONFILE:-""} # jsonfile if used CSVFILE=${CSVFILE:-""} # csvfile if used +APPEND=false # append file in stead of overwriting HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs) @@ -453,12 +454,17 @@ strip_quote() { } fileout_header() { - "$do_json" && printf "[\n" > "$JSONFILE" - "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + if [[ $APPEND ]]; then + "$do_json" && [[ ! -f "$JSONFILE" ]] && printf "[\n" > "$JSONFILE" + "$do_csv" && [[ ! -f "CSVFILE" ]] && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + else + "$do_json" && printf "[\n" > "$JSONFILE" + "$do_csv" && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" + fi } fileout_footer() { - "$do_json" && printf "]\n" >> "$JSONFILE" + "$do_json" && [[ -f "$JSONFILE" ]] && printf "]\n" >> "$JSONFILE" } fileout() { # ID, SEVERITY, FINDING @@ -6237,7 +6243,7 @@ cleanup () { [[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR"; fi outln - fileout_footer + [[ $APPEND ]] || fileout_footer } fatal() { 
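Review bot: In fileout_header's append branch the CSV existence test reads `[[ ! -f "CSVFILE" ]]` — a literal file name, not `"$CSVFILE"` — so unless a file literally called CSVFILE exists in the cwd the header is re-written with `>` on every `--append` invocation, truncating the results the earlier mass-test children already wrote; it should be `"$do_csv" && [[ ! -f "$CSVFILE" ]] && echo "\"id\",..." > "$CSVFILE"`. Separately, `if [[ $APPEND ]]` in fileout_header and `[[ $APPEND ]] || fileout_footer` in cleanup test for a non-empty string, and the string `false` is non-empty, so both conditions are always true; a later patch in this series switches them to `"$APPEND"`, but the CSVFILE typo is not fixed there. Note also that in the append branch `"$do_csv" && [[ ! -f ... ]] && echo ...` is the last command, so the function's exit status is 1 whenever the file already exists, which matters if any caller ever checks it.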
@@ -6858,30 +6864,6 @@ mx_all_ips() { return $ret } -run_mass_testing_parallel() { - local cmdline="" - local global_cmdline=${CMDLINE%%--file*} - - if [[ ! -r "$FNAME" ]] && $IKNOW_FNAME; then - fatal "Can't read file \"$FNAME\"" "-1" - fi - pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln - outln "(output is in ....\n)" - while read cmdline; do - cmdline=$(filter_input "$cmdline") - [[ -z "$cmdline" ]] && continue - [[ "$cmdline" == "EOF" ]] && break - cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" - draw_line "=" $((TERM_DWITH / 2)); outln; - determine_logfile - outln "$cmdline" - $cmdline >$LOGFILE & - sleep $PARALLEL_SLEEP - done < "$FNAME" - return $? -} - - run_mass_testing() { local cmdline="" local global_cmdline=${CMDLINE%%--file*} @@ -6891,15 +6873,17 @@ run_mass_testing() { fi pr_reverse "====== Running in file batch mode with file=\"$FNAME\" ======"; outln "\n" + APPEND=false # Make sure we close out our files while read cmdline; do cmdline=$(filter_input "$cmdline") [[ -z "$cmdline" ]] && continue [[ "$cmdline" == "EOF" ]] && break - cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" + cmdline="$0 $global_cmdline --warnings=batch -q --append $cmdline" draw_line "=" $((TERM_DWITH / 2)); outln; outln "$cmdline" $cmdline done < "${FNAME}" + fileout_footer return $? } @@ -7272,6 +7256,9 @@ parse_cmd_line() { [[ $? -eq 0 ]] && shift do_csv=true ;; + --append) + APPEND=true + ;; --openssl|--openssl=*) OPENSSL=$(parse_opt_equal_sign "$1" "$2") [[ $? -eq 0 ]] && shift From 3b1d8b6253f81fe2dd1269030d63da4503650e1c Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Tue, 14 Jun 2016 10:36:57 +0200 Subject: [PATCH 02/10] Need to deal with the comma correctly if we are appending to a file --- testssl.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index 9588cc7..e99d6b0 100755 --- a/testssl.sh +++ b/testssl.sh 
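Review bot: The new `fileout_footer` call placed immediately before `return $?` in run_mass_testing changes what the function returns: `$?` is now the status of fileout_footer, whose body is `"$do_json" && [[ -f "$JSONFILE" ]] && printf ...`, so a CSV-only or console-only batch run now returns 1 instead of the loop's status. Capture the loop status first, e.g. `done < "${FNAME}"; ret=$?; fileout_footer; return $ret`. The loop also never looks at a child's exit status, so a child that dies before reaching fileout_header (or that truncated the shared CSV file, see fileout_header) is not noticed by the parent; at minimum record `$?` after `$cmdline` and propagate a non-zero result. Adding `--append` to the child command line before the per-line options is consistent with how `--warnings=batch -q` are injected here.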
@@ -455,7 +455,11 @@ strip_quote() { fileout_header() { if [[ $APPEND ]]; then - "$do_json" && [[ ! -f "$JSONFILE" ]] && printf "[\n" > "$JSONFILE" + if [[ -f "$JSONFILE" ]]; then + FIRST_FINDING=false # We need to insert a comma, because there is file content already + else + "$do_json" && printf "[\n" > "$JSONFILE" + fi "$do_csv" && [[ ! -f "CSVFILE" ]] && echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\"" > "$CSVFILE" else "$do_json" && printf "[\n" > "$JSONFILE" @@ -471,9 +475,8 @@ fileout() { # ID, SEVERITY, FINDING local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") if "$do_json"; then - "$FIRST_FINDING" || echo "," >> $JSONFILE - echo -e " - { + "$FIRST_FINDING" || echo -n "," >> $JSONFILE + echo -e " { \"id\" : \"$1\", \"ip\" : \"$NODE/$NODEIP\", \"port\" : \"$PORT\", From 48d5e5a7a13e501b0bdca95bb76dc84c1dcd1ad5 Mon Sep 17 00:00:00 2001 From: Christoph Badura Date: Fri, 3 Jun 2016 19:06:35 +0200 Subject: [PATCH 03/10] Drop remaining '\c's in printf(1) arguments. --- testssl.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index cb8147e..7e96b77 100755 --- a/testssl.sh +++ b/testssl.sh @@ -357,7 +357,7 @@ pr_svrty_criticalln(){ pr_svrty_critical "$1"; outln; } # color=1 functions -pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m\c"; } +pr_off() { [[ "$COLOR" -ne 0 ]] && out "\033[m"; } pr_bold() { [[ "$COLOR" -ne 0 ]] && out "\033[1m$1" || out "$1"; pr_off; } pr_boldln() { pr_bold "$1" ; outln; } pr_italic() { [[ "$COLOR" -ne 0 ]] && out "\033[3m$1" || out "$1"; pr_off; } 
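Review bot: fileout_header's append branch decides "file already has content, emit a leading comma" purely from `[[ -f "$JSONFILE" ]]`, but that cannot distinguish a file that is still open (written by a previous `--append` child) from one that an earlier normal run already closed with `]`; in the second case the `echo -n ","` in fileout appends `,{...}` after the closing bracket and the file is no longer valid JSON. A cheap guard is to look at the last non-blank character before appending, e.g. `[[ "$(tail -c 2 "$JSONFILE" | tr -d '[:space:]')" == "]" ]] && fatal "$JSONFILE is already a complete JSON document, refusing to append" "-1"`. The `-f` test also runs when `do_json` is false, so a pre-set JSONFILE flips FIRST_FINDING for CSV-only runs — harmless today, but worth gating on `"$do_json"` like the `else` branch. `>> $JSONFILE` in fileout is still unquoted, unlike the `"$JSONFILE"` used everywhere else in this hunk.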
@@ -4841,7 +4841,7 @@ tls_sockets() { # mainly adapted from https://gist.github.com/takeshixx/10107280 run_heartbleed(){ [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln - pr_bold " Heartbleed\c"; out " (CVE-2014-0160) " + pr_bold " Heartbleed"; out " (CVE-2014-0160) " [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then @@ -5255,7 +5255,7 @@ run_crime() { # $OPENSSL s_client -host $NODE -port $PORT -nextprotoneg $NPN_PROTOs $SNI /dev/null >$TMPFILE # if [[ $? -eq 0 ]]; then # echo -# pr_bold "CRIME Vulnerability, SPDY \c" ; outln "(CVE-2012-4929): \c" +# pr_bold "CRIME Vulnerability, SPDY " ; outln "(CVE-2012-4929): " # STR=$(grep Compression $TMPFILE ) # if echo $STR | grep -q NONE >/dev/null; then From 0fd261eb6c8285c2bdbb412fab395d121243e157 Mon Sep 17 00:00:00 2001 From: Christoph Badura Date: Mon, 20 Jun 2016 21:51:40 +0200 Subject: [PATCH 04/10] Refactor date parsing. Makes testssl.sh work on NetBSD too. Introduce a parse_date() function to handle all date parsing. Check for the following date(1) variants: GNU: accepts "-d date-to-parse". FreeBSD/OS X: accepts "-j -f input-format" everything else: accepts "-j date-to-parse" usage: parse-date date output-format input-format Tested on NetBSD, OS X 10.11 and Debian jessie. --- testssl.sh | 45 +++++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/testssl.sh b/testssl.sh index 7e96b77..76afa65 100755 --- a/testssl.sh +++ b/testssl.sh 
@@ -109,9 +109,13 @@ else readonly REL_DATE=$(tail -5 "$0" | awk '/dirkw Exp/ { print $5 }') fi readonly SYSTEM=$(uname -s) -date --help >/dev/null 2>&1 && \ +date -d @735275209 >/dev/null 2>&1 && \ readonly HAS_GNUDATE=true || \ readonly HAS_GNUDATE=false +# FreeBSD and OS X date(1) accept "-f inputformat" +date -j -f '%s' 1234567 >/dev/null 2>&1 && \ + readonly HAS_FREEBSDDATE=true || \ + readonly HAS_FREEBSDDATE=false echo A | sed -E 's/A//' >/dev/null 2>&1 && \ readonly HAS_SED_E=true || \ readonly HAS_SED_E=false @@ -609,6 +613,20 @@ wait_kill(){ return 3 # means killed } +# parse_date date format input-format +if "$HAS_GNUDATE"; then # Linux and NetBSD + parse_date() { + LC_ALL=C date -d "$1" "$2" + } +elif "$HAS_FREEBSDDATE"; then # FreeBSD and OS X + parse_date() { + LC_ALL=C date -j -f "$3" "$2" "$1" + } +else + parse_date() { + LC_ALL=C date -j "$2" "$1" + } +fi ###### check code starts here ###### @@ -830,11 +848,7 @@ run_http_date() { out "not tested as we're not targeting HTTP" else if [[ -n "$HTTP_TIME" ]]; then - if "$HAS_GNUDATE"; then - HTTP_TIME=$(date --date="$HTTP_TIME" "+%s") - else - HTTP_TIME=$(LC_ALL=C date -j -f "%a, %d %b %Y %T %Z" "$HTTP_TIME" "+%s" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise - fi + HTTP_TIME=$(parse_date "$HTTP_TIME" "+%s" "%a, %d %b %Y %T %Z" 2>>$ERRFILE) # the trailing \r confuses BSD flavors otherwise difftime=$((HTTP_TIME - $NOW_TIME)) [[ $difftime != "-"* ]] && [[ $difftime != "0" ]] && difftime="+$difftime" 
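Review bot: In run_http_date the result of `parse_date "$HTTP_TIME" "+%s" ...` is used unchecked: the Date header is server-supplied, and when date(1) cannot parse it the substitution yields an empty string, so `difftime=$((HTTP_TIME - $NOW_TIME))` silently computes `0 - NOW_TIME` and the scan reports a huge negative clock skew for a server that merely sent an odd Date header. Guard it before the arithmetic, e.g. `[[ "$HTTP_TIME" =~ ^-?[0-9]+$ ]] || { pr_warning "unparsable Date header"; HTTP_TIME=""; }` and skip the comparison when empty. The GNU probe `date -d @735275209` looks right for GNU/NetBSD, but on FreeBSD/OS X `-d` is the "set kernel DST value" flag, so I would confirm it really fails as non-root (and does nothing as root) there before relying on the order of the two probes. The third parse_date fallback hands a free-form string to `date -j` as the positional argument, which BSD date expects in `[[cc]yy]mmddHHMM[.ss]` form, so on an unrecognised platform it will most likely fail rather than parse; run_http_date starts before this hunk.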
@@ -3511,15 +3525,9 @@ certificate_info() { out "$indent"; pr_bold " Certificate Expiration " - if "$HAS_GNUDATE"; then - enddate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z") - startdate=$(date --date="$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M") - days2expire=$(( $(date --date="$enddate" "+%s") - $(date "+%s") )) # in seconds - else - enddate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z") - startdate=$(LC_ALL=C date -j -f "%b %d %T %Y %Z" "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M") - LC_ALL=C days2expire=$(( $(date -j -f "%F %H:%M %z" "$enddate" "+%s") - $(date "+%s") )) # in seconds - fi + enddate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -enddate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M %z" "%b %d %T %Y %Z") + startdate=$(parse_date "$($OPENSSL x509 -in $HOSTCERT -noout -startdate 2>>$ERRFILE | cut -d= -f 2)" +"%F %H:%M" "%b %d %T %Y %Z") + days2expire=$(( $(parse_date "$enddate" "+%s" "%F %H:%M %z") - $(LC_ALL=C date "+%s") )) # in seconds days2expire=$((days2expire / 3600 / 24 )) if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then # we take the half of the thresholds for LE certificates @@ -4481,11 +4489,7 @@ parse_tls_serverhello() { echo " tls_sid_len: 0x$tls_sid_len_hex / = $((tls_sid_len/2))" fi echo -n " tls_hello_time: 0x$tls_hello_time " - if "$HAS_GNUDATE"; then - date --date="@$TLS_TIME" "+%Y-%m-%d %r" - else - LC_ALL=C date -j -f %s "$TLS_TIME" "+%Y-%m-%d %r" - fi + parse_date "$TLS_TIME" "+%Y-%m-%d %r" "%s" echo " tls_cipher_suite: 0x$tls_cipher_suite" echo -n " tls_compression_method: 0x$tls_compression_method " case $tls_compression_method in 
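Review bot: parse_tls_serverhello now calls `parse_date "$TLS_TIME" "+%Y-%m-%d %r" "%s"`, but the GNU branch it replaces passed `--date="@$TLS_TIME"`; as far as I know GNU date only treats a number as an epoch with the `@` prefix, so on Linux a bare `1466000000` is rejected as an invalid date and the hello-time line goes blank. Either handle it inside parse_date's GNU variant (e.g. `[[ "$3" == "%s" ]] && set -- "@$1" "$2" "$3"` before `date -d`) or pass `"@$TLS_TIME"` only when HAS_GNUDATE is true. The same unchecked-empty-result pattern appears in certificate_info: if date(1) rejects the notAfter string taken from the server's certificate, `days2expire=$(( "" - now ))` becomes a large negative number and the certificate is reported as long expired instead of as unparsable; check `[[ -n "$enddate" ]]` before the arithmetic. certificate_info and parse_tls_serverhello both start outside these hunks.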
@@ -6154,6 +6158,7 @@ COLORBLIND: $COLORBLIND TERM_DWITH: $TERM_DWITH INTERACTIVE: $INTERACTIVE HAS_GNUDATE: $HAS_GNUDATE +HAS_FREEBSDDATE: $HAS_FREEBSDDATE HAS_SED_E: $HAS_SED_E SHOW_EACH_C: $SHOW_EACH_C From f8579ee2f7e52649b3a4c144ef78b2c4c3295f54 Mon Sep 17 00:00:00 2001 From: Florian Schuetz Date: Tue, 21 Jun 2016 08:57:39 +0200 Subject: [PATCH 05/10] Fix HSTS/HPKP includeSubDomains and preload being broken in file output. --- testssl.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index cb8147e..61e7790 100755 --- a/testssl.sh +++ b/testssl.sh @@ -855,19 +855,19 @@ run_http_date() { includeSubDomains() { if grep -aiqw includeSubDomains "$1"; then pr_done_good ", includeSubDomains" - return 1 + return 0 else pr_litecyan ", just this domain" - return 0 + return -1 fi } preload() { if grep -aiqw preload "$1"; then pr_done_good ", preload" - return 1 - else return 0 + else + return -1 fi } From 18c5f273c3334c9869abf87b3a6ae6618ebf7b7a Mon Sep 17 00:00:00 2001 From: Florian Schuetz Date: Tue, 21 Jun 2016 21:24:24 +0200 Subject: [PATCH 06/10] HSTS: check if max-age is present and nonzero --- testssl.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index 61e7790..e7ca22c 100755 --- a/testssl.sh +++ b/testssl.sh 
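Review bot: includeSubDomains and preload now `return -1`, which is not a valid shell exit status: bash either rejects `-1` as an unknown option or wraps it to 255, so callers testing `$? -eq 1` or `-ne 0` get an unreliable value (a later patch in this series changes both to `return 1`). Since the commit also inverts the meaning (0 now means the directive is present, 1 absent), each function deserves a header comment stating the contract, e.g. `# returns 0 if includeSubDomains is present in the header file $1, 1 otherwise`, so that the callers in run_hsts/run_hpkp — which are outside this hunk — are updated consistently.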
@@ -885,9 +885,18 @@ run_hsts() { if [[ $? -eq 0 ]]; then grep -aciw '^Strict-Transport-Security' $HEADERFILE | egrep -waq "1" || out "(two HSTS header, using 1st one) " hsts_age_sec=$(sed -e 's/[^0-9]*//g' $TMPFILE | head -1) -#FIXME: test for number! - hsts_age_days=$(( hsts_age_sec / 86400)) - if [[ $hsts_age_days -gt $HSTS_MIN ]]; then + if [[ -n $hsts_age_sec ]]; then + hsts_age_days=$(( hsts_age_sec / 86400)) + else + hsts_age_days=-1 + fi + if [[ $hsts_age_days -eq -1 ]]; then + pr_svrty_medium "HSTS max-age is required but missing. Setting 15552000 s (180 days) or more is recommended" + fileout "hsts_time" "MEDIUM" "HSTS max-age missing. 15552000 s (180 days) or more recommnded" + elif [[ $hsts_age_days -eq 0 ]]; then + pr_svrty_medium "HSTS max-age is set to 0. HSTS is disabled" + fileout "hsts_time" "MEDIUM" "HSTS max-age set to 0. HSTS is disabled" + elif [[ $hsts_age_days -gt $HSTS_MIN ]]; then pr_done_good "$hsts_age_days days" ; out "=$hsts_age_sec s" fileout "hsts_time" "OK" "HSTS timeout $hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN days" else From 6efc3e90f52e5926b0853d3b2fb221b631dcf452 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 11:04:58 +0200 Subject: [PATCH 07/10] includes IPv6 check and is ready for other uname's --- utils/make-openssl.sh | 98 +++++++++++++++++++++++++++---------------- 1 file changed, 63 insertions(+), 35 deletions(-) diff --git a/utils/make-openssl.sh b/utils/make-openssl.sh index b24d4e6..7883e39 100755 --- a/utils/make-openssl.sh +++ b/utils/make-openssl.sh 
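Review bot: The "max-age is set to 0, HSTS is disabled" branch tests `hsts_age_days -eq 0`, but `hsts_age_days` is `hsts_age_sec / 86400` in integer arithmetic, so any max-age below one day (e.g. `max-age=3600`) is also reported as disabled and gets the MEDIUM `hsts_time` finding with the wrong text; test the seconds value instead, `elif [[ $hsts_age_sec -eq 0 ]]; then`. The `-1` sentinel then becomes unnecessary — checking `[[ -z "$hsts_age_sec" ]]` directly in the chain reads clearer. `sed -e 's/[^0-9]*//g' $TMPFILE | head -1` strips every non-digit from what is presumably the whole Strict-Transport-Security line, so digits in any other directive would be glued onto the max-age value; extracting with `grep -oi 'max-age=[0-9]*'` first would be more robust, and the finding text still carries the typo "recommnded". run_hsts starts before this hunk.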
@@ -13,7 +13,7 @@ sleep 3 STDOPTIONS="--prefix=/usr/ --openssldir=/etc/ssl -DOPENSSL_USE_BUILD_DATE enable-zlib \ enable-ssl2 enable-ssl3 enable-ssl-trace enable-rc5 enable-rc2 \ enable-gost enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \ -enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake -DTEMP_GOST_TLS" +enable-seed enable-camellia enable-idea enable-rfc3779 experimental-jpake" clean() { case $NOCLEAN in 
@@ -42,48 +42,76 @@ makeall() { copyfiles() { echo; apps/openssl version -a; echo - cp -p apps/openssl ../openssl.$(uname).$(uname -m).$1 - echo + if grep static <<< "$1"; then + cp -p apps/openssl ../openssl.$(uname).$(uname -m) + else + cp -p apps/openssl ../openssl.$(uname).$(uname -m).krb5 + fi return $? } -case $(uname -m) in - "i686") clean - if [[ "$1" = krb ]]; then - name2add=krb - ./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT - else - name2add=static - ./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static - fi - [ $? -ne 0 ] && error "configuring" - makeall && copyfiles "$name2add" - [ $? -ne 0 ] && error "copying files" - apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l - echo - echo "------------ all ok ------------" +testv6_patch() { + if grep -q 'ending bracket for IPv6' apps/s_socket.c; then + STDOPTIONS += "-DOPENSSL_USE_IPV6" + else echo - ;; - "x86_64") clean - if [[ "$1" = krb ]]; then - name2add=krb - ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT - else - name2add=static - ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static - fi - [ $? -ne 0 ] && error "configuring" - makeall && copyfiles "$name2add" - [ $? -ne 0 ] && error "copying files" - apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo "no IPv6 patch (Fedora) detected!! -- Press ^C and dl & apply from" + echo "https://github.com/drwetter/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff" + echo "or press any key to ignore" echo - echo "------------ all ok ------------" - echo + read a + fi +} + + +testv6_patch + + +case $(uname) in + Linux|FreeBSD) + case $(uname -m) in + "i686") clean + if [[ "$1" = krb ]]; then + name2add=krb + ./config $STDOPTIONS no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT + else + name2add=static + ./config $STDOPTIONS no-ec_nistp_64_gcc_128 -static + fi + [ $? -ne 0 ] && error "configuring" + makeall && copyfiles "$name2add" + [ $? 
-ne 0 ] && error "copying files" + apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo + echo "------------ all ok ------------" + echo + ;; + "x86_64") clean + if [[ "$1" = krb ]]; then + name2add=krb + ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT + else + name2add=static + ./config $STDOPTIONS enable-ec_nistp_64_gcc_128 -static + fi + [ $? -ne 0 ] && error "configuring" + makeall && copyfiles "$name2add" + [ $? -ne 0 ] && error "copying files" + apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l + echo + echo "------------ all ok ------------" + echo + ;; + *) echo " Sorry, don't know this architecture $(uname -m)" + exit 1 + ;; + esac ;; - *) echo " Sorry, don't know this architecture $(uname -m)" - exit 1 + Darwin) + ;; esac + # vim:tw=90:ts=5:sw=5 # $Id: make-openssl.sh,v 1.14 2015/07/20 19:40:54 dirkw Exp $ From 6eedd5747f7ac86672a671b4998731b055937842 Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 11:13:11 +0200 Subject: [PATCH 08/10] wrong language fix ;-) --- utils/make-openssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/make-openssl.sh b/utils/make-openssl.sh index 7883e39..094e559 100755 --- a/utils/make-openssl.sh +++ b/utils/make-openssl.sh @@ -52,7 +52,7 @@ copyfiles() { testv6_patch() { if grep -q 'ending bracket for IPv6' apps/s_socket.c; then - STDOPTIONS += "-DOPENSSL_USE_IPV6" + STDOPTIONS="$STDOPTIONS -DOPENSSL_USE_IPV6" else echo echo "no IPv6 patch (Fedora) detected!! -- Press ^C and dl & apply from" From ef237039031c9f5155ed1dc374cc86953379644d Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 12:04:45 +0200 Subject: [PATCH 09/10] fix for #389 --- testssl.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testssl.sh b/testssl.sh index e7ca22c..8e37eef 100755 --- a/testssl.sh +++ b/testssl.sh @@ -858,7 +858,7 @@ includeSubDomains() { return 0 else pr_litecyan ", just this domain" - return -1 + return 1 fi } 
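Review bot: The new outer `case $(uname)` has an empty `Darwin)` arm and no `*)` default, so on macOS or any other OS the script prints nothing, builds nothing and exits 0 — the old script at least failed with "don't know this architecture"; either move the Linux/FreeBSD body into a function and call it from Darwin, or make `Darwin)` and `*)` say so and `exit 1`. In copyfiles, `grep static <<< "$1"` is missing `-q`, so the word `static` leaks into the build output, and testv6_patch's `read a` will hang an unattended build — consider `[[ -t 0 ]] || exit 1` before the prompt. `STDOPTIONS += "-DOPENSSL_USE_IPV6"` in this version is not an assignment but a command named STDOPTIONS with the arguments `+=` and `-DOPENSSL_USE_IPV6`, which the following patch corrects.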
@@ -867,7 +867,7 @@ preload() { pr_done_good ", preload" return 0 else - return -1 + return 1 fi } @@ -5774,7 +5774,7 @@ run_lucky13() { # in a nutshell: don't offer CBC suites (again). MAC as a fix for padding oracles is not enough. Best: TLS v1.2+ AES GCM echo "FIXME" fileout "lucky13" "WARN" "LUCKY13 (CVE-2013-0169) : No tested. Not implemented. #FIXME" - return -1 + return 1 } @@ -7496,4 +7496,4 @@ fi exit $? -# $Id: testssl.sh,v 1.502 2016/06/15 19:31:09 dirkw Exp $ +# $Id: testssl.sh,v 1.503 2016/06/23 10:04:44 dirkw Exp $ From 68353db42b072eb6e0672b08dd232e7c73a2478f Mon Sep 17 00:00:00 2001 From: Dirk Date: Thu, 23 Jun 2016 14:33:26 +0200 Subject: [PATCH 10/10] polishing #382 --- testssl.sh | 46 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/testssl.sh b/testssl.sh index 7785e5e..ffeb15f 100755 --- a/testssl.sh +++ b/testssl.sh @@ -153,7 +153,7 @@ WIDE=${WIDE:-false} # whether to display for some options th LOGFILE=${LOGFILE:-""} # logfile if used JSONFILE=${JSONFILE:-""} # jsonfile if used CSVFILE=${CSVFILE:-""} # csvfile if used -APPEND=false # append file in stead of overwriting +APPEND=${APPEND:-false} # append to csv/json file instead of overwriting it HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes UNBRACKTD_IPV6=${UNBRACKTD_IPV6:-false} # some versions of OpenSSL (like Gentoo) don't support [bracketed] IPv6 addresses SERVER_SIZE_LIMIT_BUG=false # Some servers have either a ClientHello total size limit or cipher limit of ~128 ciphers (e.g. old ASAs) @@ -458,7 +458,7 @@ strip_quote() { } fileout_header() { - if [[ $APPEND ]]; then + if "$APPEND"; then if [[ -f "$JSONFILE" ]]; then FIRST_FINDING=false # We need to insert a comma, because there is file content already else 
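Review bot: With `APPEND=${APPEND:-false}` the flag is now presettable from the environment, and because it is consumed as a command (`if "$APPEND"; then` here, `"$APPEND" || fileout_footer` in cleanup) any other value is executed as a program: `APPEND=yes` would run yes(1) and spin forever, `APPEND=1` aborts with "command not found" and an unexpected status. Normalise it once, e.g. right after the assignment `[[ "$APPEND" == true || "$APPEND" == false ]] || fatal "APPEND must be 'true' or 'false'" "-1"`, or compare with `[[ "$APPEND" == true ]]` at the use sites. The other `${VAR:-false}` booleans in this file have the same property, but this commit is the one adding a new one. run_lucky13's `return 1` alongside a WARN finding reads as an error status for a check that is merely unimplemented; a one-line comment saying so would help callers that inspect it.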
@@ -6106,11 +6106,12 @@ output options (can also be preset via environment variables): file output options (can also be preset via environment variables): --log, --logging logs stdout to in current working directory - --logfile logs stdout to if file is a dir or to specified file - --json additional output of findings to JSON file in cwd (experimental) - --jsonfile additional output to JSON and output JSON to the specified file (experimental) - --csv additional output of findings to CSV file in cwd (experimental) - --csvfile set output to CSV and output CSV to the specified file (experimental) + --logfile logs stdout to if file is a dir or to specified log file + --json additional output of findings to JSON file in cwd + --jsonfile additional output to JSON and output JSON to the specified file + --csv additional output of findings to CSV file in cwd + --csvfile set output to CSV and output CSV to the specified file + --append if or exists rather append then overwrite All options requiring a value can also be called with '=' e.g. testssl.sh -t=smtp --wide --openssl=/usr/bin/openssl . @@ -6263,7 +6264,7 @@ cleanup () { [[ -d "$TEMPDIR" ]] && rm -rf "$TEMPDIR"; fi outln - [[ $APPEND ]] || fileout_footer + "$APPEND" || fileout_footer } fatal() { 
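Review bot: The help line for `--append` says "rather append then overwrite" (should be "than") and omits the caveat that follows from the cleanup hunk right below it: with `--append`, `"$APPEND" || fileout_footer` skips the closing `]`, so a standalone `--append` run leaves the JSON file unterminated and only run_mass_testing, which calls fileout_footer itself, closes it. I would word it as `--append  if <jsonfile> or <csvfile> exists, append to it rather than overwrite it (JSON is only closed by the mass-test parent; meant for --file runs)`. The `<logfile>`/`<jsonfile>`/`<csvfile>` placeholders in the neighbouring help lines appear to have been lost in this rendering rather than in the commit, so I would not touch those.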
@@ -6884,6 +6885,33 @@ mx_all_ips() { return $ret } + +run_mass_testing_parallel() { + local cmdline="" + local global_cmdline=${CMDLINE%%--file*} + + if [[ ! -r "$FNAME" ]] && $IKNOW_FNAME; then + fatal "Can't read file \"$FNAME\"" "-1" + fi + pr_reverse "====== Running in parallel file batch mode with file=\"$FNAME\" ======"; outln + outln "(output is in ....\n)" +#FIXME: once this function is being called we need a handler which does the right thing +# ==> not overwrite + while read cmdline; do + cmdline=$(filter_input "$cmdline") + [[ -z "$cmdline" ]] && continue + [[ "$cmdline" == "EOF" ]] && break + cmdline="$0 $global_cmdline --warnings=batch -q $cmdline" + draw_line "=" $((TERM_DWITH / 2)); outln; + determine_logfile + outln "$cmdline" + $cmdline >$LOGFILE & + sleep $PARALLEL_SLEEP + done < "$FNAME" + return $? +} + + run_mass_testing() { local cmdline="" local global_cmdline=${CMDLINE%%--file*} @@ -7491,4 +7519,4 @@ fi exit $? -# $Id: testssl.sh,v 1.503 2016/06/23 10:04:44 dirkw Exp $ +# $Id: testssl.sh,v 1.505 2016/06/23 12:33:25 dirkw Exp $
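Review bot: run_mass_testing_parallel backgrounds each child with `$cmdline >$LOGFILE &` but never waits for them, so the function returns the exit status of `sleep`, the parent reaches cleanup and exit while scans are still running, and a CI caller sees success regardless of what the children found; add `wait` before `return` and return non-zero if any child failed (collect `$!` per child and `wait "$pid"` each). The FIXME is right that file output needs a handler, but `--append` as used by run_mass_testing is not the answer here either: several children doing `>> "$JSONFILE"` concurrently interleave partial records, so each parallel child should get its own `--jsonfile`/`--csvfile` (as determine_logfile already does for the log) and the parent should merge them after `wait`. `$cmdline` is expanded unquoted, as in the sequential variant, so the file content is subject to word splitting and globbing — a comment stating the expected line format in $FNAME would help.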