mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
* FIX: added missed downgrade (ret=2) in socket protcol check
* resorted helper functions to top * cleanups (ok, renamed some functions)
This commit is contained in:
parent
b575710634
commit
e121f944e9
150
testssl.sh
150
testssl.sh
@ -375,6 +375,28 @@ debugme() {
|
|||||||
[[ $DEBUG -ge 2 ]] && "$@"
|
[[ $DEBUG -ge 2 ]] && "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
hex2dec() {
|
||||||
|
/usr/bin/printf -- "%d" 0x"$1"
|
||||||
|
#echo $((16#$1))
|
||||||
|
}
|
||||||
|
|
||||||
|
dec2hex() {
|
||||||
|
/usr/bin/printf -- "%x" "$1"
|
||||||
|
#echo $((0x$1))
|
||||||
|
}
|
||||||
|
|
||||||
|
# trim spaces for BSD and old sed
|
||||||
|
count_lines() {
|
||||||
|
echo "$1" | wc -l | sed 's/ //g'
|
||||||
|
}
|
||||||
|
count_words() {
|
||||||
|
echo "$1" | wc -w | sed 's/ //g'
|
||||||
|
}
|
||||||
|
|
||||||
|
newline_to_spaces() {
|
||||||
|
echo "$1" | tr '\n' ' ' | sed 's/ $//'
|
||||||
|
}
|
||||||
|
|
||||||
tmpfile_handle() {
|
tmpfile_handle() {
|
||||||
if [[ "$DEBUG" -eq 0 ]] ; then
|
if [[ "$DEBUG" -eq 0 ]] ; then
|
||||||
rm $TMPFILE
|
rm $TMPFILE
|
||||||
@ -383,30 +405,6 @@ tmpfile_handle() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# whether it is ok to offer/not to offer enc/cipher/version
|
|
||||||
ok(){
|
|
||||||
if [ "$2" -eq 1 ] ; then
|
|
||||||
case $1 in
|
|
||||||
1) pr_redln "offered (NOT ok)" ;; # 1 1
|
|
||||||
0) pr_greenln "not offered (OK)" ;; # 0 1
|
|
||||||
esac
|
|
||||||
else
|
|
||||||
case $1 in
|
|
||||||
7) pr_brownln "not offered" ;; # 7 0
|
|
||||||
6) pr_literedln "offered (NOT ok)" ;; # 6 0
|
|
||||||
5) pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)" ;; # 5 5
|
|
||||||
4) pr_litegreenln "offered (OK)" ;; # 4 0
|
|
||||||
3) pr_brownln "offered" ;; # 3 0
|
|
||||||
2) outln "offered" ;; # 2 0
|
|
||||||
1) pr_greenln "offered (OK)" ;; # 1 0
|
|
||||||
0) pr_boldln "not offered" ;; # 0 0
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
return $2
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# ARG1= pid which is in the backgnd and we wait for ($2 seconds)
|
# ARG1= pid which is in the backgnd and we wait for ($2 seconds)
|
||||||
wait_kill(){
|
wait_kill(){
|
||||||
pid=$1
|
pid=$1
|
||||||
@ -686,7 +684,7 @@ hpkp() {
|
|||||||
pr_litered "One key is not sufficent, "
|
pr_litered "One key is not sufficent, "
|
||||||
fi
|
fi
|
||||||
hpkp_age_sec=$(sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE)
|
hpkp_age_sec=$(sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE)
|
||||||
#FIXME: test for bumber!
|
#FIXME: test for number!
|
||||||
hpkp_age_days=$((hpkp_age_sec / 86400))
|
hpkp_age_days=$((hpkp_age_sec / 86400))
|
||||||
if [ $hpkp_age_days -ge $HPKP_MIN ]; then
|
if [ $hpkp_age_days -ge $HPKP_MIN ]; then
|
||||||
pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
|
pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
|
||||||
@ -893,7 +891,6 @@ more_flags() {
|
|||||||
# exchange the line feeds between the two lines only:
|
# exchange the line feeds between the two lines only:
|
||||||
#pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g'
|
#pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g'
|
||||||
#pr_litecyanln "<-- double"
|
#pr_litecyanln "<-- double"
|
||||||
#FIXME: https://report-uri.io has double here
|
|
||||||
#fi
|
#fi
|
||||||
done
|
done
|
||||||
# now the same with other flags
|
# now the same with other flags
|
||||||
@ -908,7 +905,7 @@ more_flags() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#FIXME: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
||||||
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
@ -1223,25 +1220,25 @@ locally_supported() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
testversion() {
|
test_proto() {
|
||||||
local sni=$SNI
|
local sni=$SNI
|
||||||
[ "x$1" = "x-ssl2" ] && sni="" # newer openssl throw an error if SNI with SSLv2
|
local ret
|
||||||
|
|
||||||
|
[[ "$1" =~ "x-ssl3" ]] && sni="" # newer openssl throw an error if SNI is supplied with SSLv2,
|
||||||
|
# SSLv3 doesn't have SNI, openssl doesn't complain yet though
|
||||||
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
|
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
|
||||||
ret=$?
|
ret=$?
|
||||||
# FIXME: here FreeBSD9 returns always 0 --> need to read the error
|
# TODO (maybe): here FreeBSD9 returns always 0 --> need to read the error
|
||||||
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
|
||||||
|
grep -aq "no cipher list" $TMPFILE && ret=5
|
||||||
|
|
||||||
if grep -aq "no cipher list" $TMPFILE ; then
|
|
||||||
ret=5
|
|
||||||
fi
|
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.txt
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
testprotohelper() {
|
test_proto_helper() {
|
||||||
if locally_supported "$1" "$2" ; then
|
if locally_supported "$1" "$2" ; then
|
||||||
testversion "$1" "$2"
|
test_proto "$1" "$2"
|
||||||
return $?
|
return $?
|
||||||
# 0: offered
|
# 0: offered
|
||||||
# 1: not offered
|
# 1: not offered
|
||||||
@ -1252,39 +1249,39 @@ testprotohelper() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
runprotocols() {
|
run_protocols() {
|
||||||
local using_sockets=0
|
local using_sockets=true
|
||||||
local supported_no_ciph1="supported but couldn't detect a cipher (may need debugging)"
|
local supported_no_ciph1="supported but couldn't detect a cipher (may need debugging)"
|
||||||
local supported_no_ciph2="supported but couldn't detect a cipher"
|
local supported_no_ciph2="supported but couldn't detect a cipher"
|
||||||
|
|
||||||
pr_blue "--> Testing protocols ";
|
pr_blue "--> Testing protocols ";
|
||||||
|
|
||||||
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then
|
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then
|
||||||
using_sockets=1
|
using_sockets=false
|
||||||
outln "(via native openssl)\n"
|
outln "(via native openssl)\n"
|
||||||
else
|
else
|
||||||
outln "(via sockets for SSLv2, SSLv3)\n"
|
outln "(via sockets except SPDY/NPN)\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " SSLv2 ";
|
pr_bold " SSLv2 ";
|
||||||
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then
|
if $using_sockets; then
|
||||||
testprotohelper "-ssl2"
|
sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native
|
||||||
|
else
|
||||||
|
test_proto_helper "-ssl2"
|
||||||
case $? in
|
case $? in
|
||||||
0) pr_redln "offered (NOT ok)" ;;
|
0) pr_redln "offered (NOT ok)" ;;
|
||||||
1) pr_greenln "not offered (OK)" ;;
|
1) pr_greenln "not offered (OK)" ;;
|
||||||
5) pr_litered "$supported_no_ciph2";
|
5) pr_litered "$supported_no_ciph2";
|
||||||
outln "(may need debugging)" ;; # protocol ok, but no cipher
|
outln " (may need further attention)" ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
esac
|
esac
|
||||||
else
|
|
||||||
sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pr_bold " SSLv3 ";
|
pr_bold " SSLv3 ";
|
||||||
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then
|
if $using_sockets; then
|
||||||
testprotohelper "-ssl3"
|
|
||||||
else
|
|
||||||
tls_sockets "00" "$TLS_CIPHER"
|
tls_sockets "00" "$TLS_CIPHER"
|
||||||
|
else
|
||||||
|
test_proto_helper "-ssl3"
|
||||||
fi
|
fi
|
||||||
case $? in
|
case $? in
|
||||||
0) pr_literedln "offered (NOT ok)" ;;
|
0) pr_literedln "offered (NOT ok)" ;;
|
||||||
@ -1296,44 +1293,49 @@ runprotocols() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
pr_bold " TLS 1 ";
|
pr_bold " TLS 1 ";
|
||||||
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then
|
if $using_sockets; then
|
||||||
testprotohelper "-tls1"
|
|
||||||
else
|
|
||||||
echo -n "(socket:) "
|
|
||||||
tls_sockets "01" "$TLS_CIPHER"
|
tls_sockets "01" "$TLS_CIPHER"
|
||||||
|
else
|
||||||
|
test_proto_helper "-tls1"
|
||||||
fi
|
fi
|
||||||
case $? in
|
case $? in
|
||||||
0) outln "offered" ;; # nothing wrong with it -- per se
|
0) outln "offered" ;; # nothing wrong with it -- per se
|
||||||
1) outln "not offered" ;; # neither good or bad
|
1) outln "not offered" ;; # neither good or bad
|
||||||
2) pr_magentaln "downgraded. still missing a testcase here" ;;
|
2) pr_brown "not offered (NOT ok)"
|
||||||
|
[ $DEBUG -eq 1 ] && out " -- downgraded"
|
||||||
|
outln ;;
|
||||||
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
|
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
esac
|
esac
|
||||||
|
|
||||||
pr_bold " TLS 1.1 ";
|
pr_bold " TLS 1.1 ";
|
||||||
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then
|
if $using_sockets; then
|
||||||
testprotohelper "-tls1_1"
|
|
||||||
else
|
|
||||||
echo -n "(socket:) "
|
|
||||||
tls_sockets "02" "$TLS_CIPHER"
|
tls_sockets "02" "$TLS_CIPHER"
|
||||||
|
else
|
||||||
|
test_proto_helper "-tls1_1"
|
||||||
fi
|
fi
|
||||||
case $? in
|
case $? in
|
||||||
0) outln "offered" ;; # nothing wrong with it
|
0) outln "offered" ;; # nothing wrong with it
|
||||||
1) outln "not offered" ;; # neither good or bad
|
1) outln "not offered" ;; # neither good or bad
|
||||||
|
2) out "not offered"
|
||||||
|
[ $DEBUG -eq 1 ] && out " -- downgraded"
|
||||||
|
outln ;;
|
||||||
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
|
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
esac
|
esac
|
||||||
|
|
||||||
pr_bold " TLS 1.2 ";
|
pr_bold " TLS 1.2 ";
|
||||||
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then
|
if $using_sockets; then
|
||||||
testprotohelper "-tls1_2"
|
|
||||||
else
|
|
||||||
echo -n "(socket:) "
|
|
||||||
tls_sockets "03" "$TLS12_CIPHER"
|
tls_sockets "03" "$TLS12_CIPHER"
|
||||||
|
else
|
||||||
|
test_proto_helper "-tls1_2"
|
||||||
fi
|
fi
|
||||||
case $? in
|
case $? in
|
||||||
0) pr_greenln "offered (OK)" ;; # GCM cipher in TLS 1.2: very good!
|
0) pr_greenln "offered (OK)" ;; # GCM cipher in TLS 1.2: very good!
|
||||||
1) pr_brownln "not offered (NOT ok)" ;; # no GCM, penalty
|
1) pr_brownln "not offered (NOT ok)" ;; # no GCM, penalty
|
||||||
|
2) pr_brown "not offered (NOT ok)"
|
||||||
|
[ $DEBUG -eq 1 ] && out " -- downgraded"
|
||||||
|
outln ;;
|
||||||
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
|
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
|
||||||
7) ;; # no local support
|
7) ;; # no local support
|
||||||
esac
|
esac
|
||||||
@ -1987,16 +1989,6 @@ code2network() {
|
|||||||
NW_STR=$(echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t')
|
NW_STR=$(echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t')
|
||||||
}
|
}
|
||||||
|
|
||||||
hex2dec() {
|
|
||||||
/usr/bin/printf -- "%d" 0x"$1"
|
|
||||||
#echo $((16#$1))
|
|
||||||
}
|
|
||||||
|
|
||||||
dec2hex() {
|
|
||||||
/usr/bin/printf -- "%x" "$1"
|
|
||||||
#echo $((0x$1))
|
|
||||||
}
|
|
||||||
|
|
||||||
len2twobytes() {
|
len2twobytes() {
|
||||||
len_arg1=$(echo ${#1})
|
len_arg1=$(echo ${#1})
|
||||||
[[ $len_arg1 -le 2 ]] && LEN_STR=$(printf "00, %02s \n" $1)
|
[[ $len_arg1 -le 2 ]] && LEN_STR=$(printf "00, %02s \n" $1)
|
||||||
@ -2835,14 +2827,6 @@ EOF
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
# trim spaces for BSD and old sed
|
|
||||||
count_lines() {
|
|
||||||
echo "$1" | wc -l | sed 's/ //g'
|
|
||||||
}
|
|
||||||
count_words() {
|
|
||||||
echo "$1" | wc -w | sed 's/ //g'
|
|
||||||
}
|
|
||||||
|
|
||||||
### two helper functions for vulnerabilities follow
|
### two helper functions for vulnerabilities follow
|
||||||
count_ciphers() {
|
count_ciphers() {
|
||||||
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
|
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
|
||||||
@ -2852,7 +2836,6 @@ actually_supported_ciphers() {
|
|||||||
$OPENSSL ciphers "$1"
|
$OPENSSL ciphers "$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
|
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
|
||||||
ssl_poodle() {
|
ssl_poodle() {
|
||||||
local ret
|
local ret
|
||||||
@ -3573,11 +3556,6 @@ parse_hn_port() {
|
|||||||
return 0 # NODE, URL_PATH, PORT is set now
|
return 0 # NODE, URL_PATH, PORT is set now
|
||||||
}
|
}
|
||||||
|
|
||||||
newline_to_spaces() {
|
|
||||||
echo "$1" | tr '\n' ' ' | sed 's/ $//'
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# now get all IP addresses
|
# now get all IP addresses
|
||||||
determine_ip_addresses() {
|
determine_ip_addresses() {
|
||||||
local ip4=""
|
local ip4=""
|
||||||
@ -4097,7 +4075,7 @@ lets_roll() {
|
|||||||
${do_tls_sockets} && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; }
|
${do_tls_sockets} && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; }
|
||||||
|
|
||||||
${do_test_just_one} && test_just_one ${single_cipher}
|
${do_test_just_one} && test_just_one ${single_cipher}
|
||||||
${do_protocols} && { runprotocols; ret=$(($? + ret)); }
|
${do_protocols} && { run_protocols; ret=$(($? + ret)); }
|
||||||
${do_spdy} && { spdy; ret=$(($? + ret)); }
|
${do_spdy} && { spdy; ret=$(($? + ret)); }
|
||||||
${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); }
|
${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); }
|
||||||
${do_pfs} && { pfs; ret=$(($? + ret)); }
|
${do_pfs} && { pfs; ret=$(($? + ret)); }
|
||||||
@ -4201,4 +4179,4 @@ fi
|
|||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.290 2015/06/23 10:58:39 dirkw Exp $
|
# $Id: testssl.sh,v 1.291 2015/06/23 19:54:46 dirkw Exp $
|
||||||
|
Loading…
Reference in New Issue
Block a user