From e121f944e929f76d5cfe074de61945be923ce669 Mon Sep 17 00:00:00 2001 From: Dirk Date: Tue, 23 Jun 2015 21:54:47 +0200 Subject: [PATCH] * FIX: added missed downgrade (ret=2) in socket protcol check * resorted helper functions to top * cleanups (ok, renamed some functions) --- testssl.sh | 150 +++++++++++++++++++++++------------------------------ 1 file changed, 64 insertions(+), 86 deletions(-) diff --git a/testssl.sh b/testssl.sh index a4c8c29..24e620a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -375,6 +375,28 @@ debugme() { [[ $DEBUG -ge 2 ]] && "$@" } +hex2dec() { + /usr/bin/printf -- "%d" 0x"$1" + #echo $((16#$1)) +} + +dec2hex() { + /usr/bin/printf -- "%x" "$1" + #echo $((0x$1)) +} + +# trim spaces for BSD and old sed +count_lines() { + echo "$1" | wc -l | sed 's/ //g' +} +count_words() { + echo "$1" | wc -w | sed 's/ //g' +} + +newline_to_spaces() { + echo "$1" | tr '\n' ' ' | sed 's/ $//' +} + tmpfile_handle() { if [[ "$DEBUG" -eq 0 ]] ; then rm $TMPFILE @@ -383,30 +405,6 @@ tmpfile_handle() { fi } - -# whether it is ok to offer/not to offer enc/cipher/version -ok(){ - if [ "$2" -eq 1 ] ; then - case $1 in - 1) pr_redln "offered (NOT ok)" ;; # 1 1 - 0) pr_greenln "not offered (OK)" ;; # 0 1 - esac - else - case $1 in - 7) pr_brownln "not offered" ;; # 7 0 - 6) pr_literedln "offered (NOT ok)" ;; # 6 0 - 5) pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)" ;; # 5 5 - 4) pr_litegreenln "offered (OK)" ;; # 4 0 - 3) pr_brownln "offered" ;; # 3 0 - 2) outln "offered" ;; # 2 0 - 1) pr_greenln "offered (OK)" ;; # 1 0 - 0) pr_boldln "not offered" ;; # 0 0 - esac - fi - return $2 -} - - # ARG1= pid which is in the backgnd and we wait for ($2 seconds) wait_kill(){ pid=$1 @@ -686,7 +684,7 @@ hpkp() { pr_litered "One key is not sufficent, " fi hpkp_age_sec=$(sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE) -#FIXME: test for bumber! +#FIXME: test for number! hpkp_age_days=$((hpkp_age_sec / 86400)) if [ $hpkp_age_days -ge $HPKP_MIN ]; then pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s" @@ -893,7 +891,6 @@ more_flags() { # exchange the line feeds between the two lines only: #pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g' #pr_litecyanln "<-- double" -#FIXME: https://report-uri.io has double here #fi done # now the same with other flags @@ -908,7 +905,7 @@ more_flags() { fi done fi -#FIXME: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" +#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" tmpfile_handle $FUNCNAME.txt return $ret @@ -1223,25 +1220,25 @@ locally_supported() { return $ret } -testversion() { +test_proto() { local sni=$SNI - [ "x$1" = "x-ssl2" ] && sni="" # newer openssl throw an error if SNI with SSLv2 + local ret + [[ "$1" =~ "x-ssl3" ]] && sni="" # newer openssl throw an error if SNI is supplied with SSLv2, + # SSLv3 doesn't have SNI, openssl doesn't complain yet though $OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE need to read the error +# TODO (maybe): here FreeBSD9 returns always 0 --> need to read the error [ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error" + grep -aq "no cipher list" $TMPFILE && ret=5 - if grep -aq "no cipher list" $TMPFILE ; then - ret=5 - fi tmpfile_handle $FUNCNAME.txt return $ret } -testprotohelper() { +test_proto_helper() { if locally_supported "$1" "$2" ; then - testversion "$1" "$2" + test_proto "$1" "$2" return $? # 0: offered # 1: not offered @@ -1252,39 +1249,39 @@ testprotohelper() { } -runprotocols() { - local using_sockets=0 +run_protocols() { + local using_sockets=true local supported_no_ciph1="supported but couldn't detect a cipher (may need debugging)" local supported_no_ciph2="supported but couldn't detect a cipher" pr_blue "--> Testing protocols "; if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then - using_sockets=1 + using_sockets=false outln "(via native openssl)\n" else - outln "(via sockets for SSLv2, SSLv3)\n" + outln "(via sockets except SPDY/NPN)\n" fi pr_bold " SSLv2 "; - if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then - testprotohelper "-ssl2" + if $using_sockets; then + sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native + else + test_proto_helper "-ssl2" case $? in 0) pr_redln "offered (NOT ok)" ;; 1) pr_greenln "not offered (OK)" ;; 5) pr_litered "$supported_no_ciph2"; - outln "(may need debugging)" ;; # protocol ok, but no cipher + outln " (may need further attention)" ;; # protocol ok, but no cipher 7) ;; # no local support esac - else - sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native fi pr_bold " SSLv3 "; - if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then - testprotohelper "-ssl3" - else + if $using_sockets; then tls_sockets "00" "$TLS_CIPHER" + else + test_proto_helper "-ssl3" fi case $? in 0) pr_literedln "offered (NOT ok)" ;; @@ -1296,44 +1293,49 @@ runprotocols() { esac pr_bold " TLS 1 "; - if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then - testprotohelper "-tls1" - else - echo -n "(socket:) " + if $using_sockets; then tls_sockets "01" "$TLS_CIPHER" + else + test_proto_helper "-tls1" fi case $? in 0) outln "offered" ;; # nothing wrong with it -- per se 1) outln "not offered" ;; # neither good or bad - 2) pr_magentaln "downgraded. still missing a testcase here" ;; + 2) pr_brown "not offered (NOT ok)" + [ $DEBUG -eq 1 ] && out " -- downgraded" + outln ;; 5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher 7) ;; # no local support esac pr_bold " TLS 1.1 "; - if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then - testprotohelper "-tls1_1" - else - echo -n "(socket:) " + if $using_sockets; then tls_sockets "02" "$TLS_CIPHER" + else + test_proto_helper "-tls1_1" fi case $? in 0) outln "offered" ;; # nothing wrong with it 1) outln "not offered" ;; # neither good or bad + 2) out "not offered" + [ $DEBUG -eq 1 ] && out " -- downgraded" + outln ;; 5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher 7) ;; # no local support esac pr_bold " TLS 1.2 "; - if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then - testprotohelper "-tls1_2" - else - echo -n "(socket:) " + if $using_sockets; then tls_sockets "03" "$TLS12_CIPHER" + else + test_proto_helper "-tls1_2" fi case $? in 0) pr_greenln "offered (OK)" ;; # GCM cipher in TLS 1.2: very good! 1) pr_brownln "not offered (NOT ok)" ;; # no GCM, penalty + 2) pr_brown "not offered (NOT ok)" + [ $DEBUG -eq 1 ] && out " -- downgraded" + outln ;; 5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher 7) ;; # no local support esac @@ -1987,16 +1989,6 @@ code2network() { NW_STR=$(echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t') } -hex2dec() { - /usr/bin/printf -- "%d" 0x"$1" - #echo $((16#$1)) -} - -dec2hex() { - /usr/bin/printf -- "%x" "$1" - #echo $((0x$1)) -} - len2twobytes() { len_arg1=$(echo ${#1}) [[ $len_arg1 -le 2 ]] && LEN_STR=$(printf "00, %02s \n" $1) @@ -2835,14 +2827,6 @@ EOF return $ret } -# trim spaces for BSD and old sed -count_lines() { - echo "$1" | wc -l | sed 's/ //g' -} -count_words() { - echo "$1" | wc -w | sed 's/ //g' -} - ### two helper functions for vulnerabilities follow count_ciphers() { echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g' @@ -2852,7 +2836,6 @@ actually_supported_ciphers() { $OPENSSL ciphers "$1" } - # Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3 ssl_poodle() { local ret @@ -3573,11 +3556,6 @@ parse_hn_port() { return 0 # NODE, URL_PATH, PORT is set now } -newline_to_spaces() { - echo "$1" | tr '\n' ' ' | sed 's/ $//' -} - - # now get all IP addresses determine_ip_addresses() { local ip4="" @@ -4097,7 +4075,7 @@ lets_roll() { ${do_tls_sockets} && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; } ${do_test_just_one} && test_just_one ${single_cipher} - ${do_protocols} && { runprotocols; ret=$(($? + ret)); } + ${do_protocols} && { run_protocols; ret=$(($? + ret)); } ${do_spdy} && { spdy; ret=$(($? + ret)); } ${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); } ${do_pfs} && { pfs; ret=$(($? + ret)); } @@ -4201,4 +4179,4 @@ fi exit $ret -# $Id: testssl.sh,v 1.290 2015/06/23 10:58:39 dirkw Exp $ +# $Id: testssl.sh,v 1.291 2015/06/23 19:54:46 dirkw Exp $