* FIX: added missed downgrade (ret=2) in socket protcol check

* resorted helper functions to top
* cleanups (ok, renamed some functions)
This commit is contained in:
Dirk 2015-06-23 21:54:47 +02:00
parent b575710634
commit e121f944e9
1 changed files with 64 additions and 86 deletions

View File

@ -375,6 +375,28 @@ debugme() {
[[ $DEBUG -ge 2 ]] && "$@"
}
hex2dec() {
/usr/bin/printf -- "%d" 0x"$1"
#echo $((16#$1))
}
dec2hex() {
/usr/bin/printf -- "%x" "$1"
#echo $((0x$1))
}
# trim spaces for BSD and old sed
count_lines() {
echo "$1" | wc -l | sed 's/ //g'
}
count_words() {
echo "$1" | wc -w | sed 's/ //g'
}
newline_to_spaces() {
echo "$1" | tr '\n' ' ' | sed 's/ $//'
}
tmpfile_handle() {
if [[ "$DEBUG" -eq 0 ]] ; then
rm $TMPFILE
@ -383,30 +405,6 @@ tmpfile_handle() {
fi
}
# whether it is ok to offer/not to offer enc/cipher/version
ok(){
if [ "$2" -eq 1 ] ; then
case $1 in
1) pr_redln "offered (NOT ok)" ;; # 1 1
0) pr_greenln "not offered (OK)" ;; # 0 1
esac
else
case $1 in
7) pr_brownln "not offered" ;; # 7 0
6) pr_literedln "offered (NOT ok)" ;; # 6 0
5) pr_litered "supported but couldn't detect a cipher"; outln "(may need debugging)" ;; # 5 5
4) pr_litegreenln "offered (OK)" ;; # 4 0
3) pr_brownln "offered" ;; # 3 0
2) outln "offered" ;; # 2 0
1) pr_greenln "offered (OK)" ;; # 1 0
0) pr_boldln "not offered" ;; # 0 0
esac
fi
return $2
}
# ARG1= pid which is in the backgnd and we wait for ($2 seconds)
wait_kill(){
pid=$1
@ -686,7 +684,7 @@ hpkp() {
pr_litered "One key is not sufficent, "
fi
hpkp_age_sec=$(sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE)
#FIXME: test for bumber!
#FIXME: test for number!
hpkp_age_days=$((hpkp_age_sec / 86400))
if [ $hpkp_age_days -ge $HPKP_MIN ]; then
pr_litegreen "$hpkp_age_days days" ; out "=$hpkp_age_sec s"
@ -893,7 +891,6 @@ more_flags() {
# exchange the line feeds between the two lines only:
#pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g'
#pr_litecyanln "<-- double"
#FIXME: https://report-uri.io has double here
#fi
done
# now the same with other flags
@ -908,7 +905,7 @@ more_flags() {
fi
done
fi
#FIXME: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
tmpfile_handle $FUNCNAME.txt
return $ret
@ -1223,25 +1220,25 @@ locally_supported() {
return $ret
}
testversion() {
test_proto() {
local sni=$SNI
[ "x$1" = "x-ssl2" ] && sni="" # newer openssl throw an error if SNI with SSLv2
local ret
[[ "$1" =~ "x-ssl3" ]] && sni="" # newer openssl throw an error if SNI is supplied with SSLv2,
# SSLv3 doesn't have SNI, openssl doesn't complain yet though
$OPENSSL s_client -state $1 $STARTTLS -connect $NODEIP:$PORT $sni &>$TMPFILE </dev/null
ret=$?
# FIXME: here FreeBSD9 returns always 0 --> need to read the error
# TODO (maybe): here FreeBSD9 returns always 0 --> need to read the error
[ "$VERBERR" -eq 0 ] && egrep "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
grep -aq "no cipher list" $TMPFILE && ret=5
if grep -aq "no cipher list" $TMPFILE ; then
ret=5
fi
tmpfile_handle $FUNCNAME.txt
return $ret
}
testprotohelper() {
test_proto_helper() {
if locally_supported "$1" "$2" ; then
testversion "$1" "$2"
test_proto "$1" "$2"
return $?
# 0: offered
# 1: not offered
@ -1252,39 +1249,39 @@ testprotohelper() {
}
runprotocols() {
local using_sockets=0
run_protocols() {
local using_sockets=true
local supported_no_ciph1="supported but couldn't detect a cipher (may need debugging)"
local supported_no_ciph2="supported but couldn't detect a cipher"
pr_blue "--> Testing protocols ";
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then
using_sockets=1
using_sockets=false
outln "(via native openssl)\n"
else
outln "(via sockets for SSLv2, SSLv3)\n"
outln "(via sockets except SPDY/NPN)\n"
fi
pr_bold " SSLv2 ";
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then
testprotohelper "-ssl2"
if $using_sockets; then
sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native
else
test_proto_helper "-ssl2"
case $? in
0) pr_redln "offered (NOT ok)" ;;
1) pr_greenln "not offered (OK)" ;;
5) pr_litered "$supported_no_ciph2";
outln "(may need debugging)" ;; # protocol ok, but no cipher
outln " (may need further attention)" ;; # protocol ok, but no cipher
7) ;; # no local support
esac
else
sslv2_sockets #FIXME: --> Umschreiben, Interpretation mit CASE wie native
fi
pr_bold " SSLv3 ";
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ]; then
testprotohelper "-ssl3"
else
if $using_sockets; then
tls_sockets "00" "$TLS_CIPHER"
else
test_proto_helper "-ssl3"
fi
case $? in
0) pr_literedln "offered (NOT ok)" ;;
@ -1296,44 +1293,49 @@ runprotocols() {
esac
pr_bold " TLS 1 ";
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then
testprotohelper "-tls1"
else
echo -n "(socket:) "
if $using_sockets; then
tls_sockets "01" "$TLS_CIPHER"
else
test_proto_helper "-tls1"
fi
case $? in
0) outln "offered" ;; # nothing wrong with it -- per se
1) outln "not offered" ;; # neither good or bad
2) pr_magentaln "downgraded. still missing a testcase here" ;;
2) pr_brown "not offered (NOT ok)"
[ $DEBUG -eq 1 ] && out " -- downgraded"
outln ;;
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
7) ;; # no local support
esac
pr_bold " TLS 1.1 ";
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then
testprotohelper "-tls1_1"
else
echo -n "(socket:) "
if $using_sockets; then
tls_sockets "02" "$TLS_CIPHER"
else
test_proto_helper "-tls1_1"
fi
case $? in
0) outln "offered" ;; # nothing wrong with it
1) outln "not offered" ;; # neither good or bad
2) out "not offered"
[ $DEBUG -eq 1 ] && out " -- downgraded"
outln ;;
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
7) ;; # no local support
esac
pr_bold " TLS 1.2 ";
if [ $SSL_NATIVE -eq 0 ] || [ -n "$STARTTLS" ] || [ "$EXPERIMENTAL" != "yes" ] ; then
testprotohelper "-tls1_2"
else
echo -n "(socket:) "
if $using_sockets; then
tls_sockets "03" "$TLS12_CIPHER"
else
test_proto_helper "-tls1_2"
fi
case $? in
0) pr_greenln "offered (OK)" ;; # GCM cipher in TLS 1.2: very good!
1) pr_brownln "not offered (NOT ok)" ;; # no GCM, penalty
2) pr_brown "not offered (NOT ok)"
[ $DEBUG -eq 1 ] && out " -- downgraded"
outln ;;
5) outln "$supported_no_ciph1" ;; # protocol ok, but no cipher
7) ;; # no local support
esac
@ -1987,16 +1989,6 @@ code2network() {
NW_STR=$(echo "$1" | sed -e 's/,/\\\x/g' | sed -e 's/# .*$//g' -e 's/ //g' -e '/^$/d' | tr -d '\n' | tr -d '\t')
}
hex2dec() {
/usr/bin/printf -- "%d" 0x"$1"
#echo $((16#$1))
}
dec2hex() {
/usr/bin/printf -- "%x" "$1"
#echo $((0x$1))
}
len2twobytes() {
len_arg1=$(echo ${#1})
[[ $len_arg1 -le 2 ]] && LEN_STR=$(printf "00, %02s \n" $1)
@ -2835,14 +2827,6 @@ EOF
return $ret
}
# trim spaces for BSD and old sed
count_lines() {
echo "$1" | wc -l | sed 's/ //g'
}
count_words() {
echo "$1" | wc -w | sed 's/ //g'
}
### two helper functions for vulnerabilities follow
count_ciphers() {
echo "$1" | sed 's/:/\n/g' | wc -l | sed 's/ //g'
@ -2852,7 +2836,6 @@ actually_supported_ciphers() {
$OPENSSL ciphers "$1"
}
# Padding Oracle On Downgraded Legacy Encryption, in a nutshell: don't use CBC Ciphers in SSLv3
ssl_poodle() {
local ret
@ -3573,11 +3556,6 @@ parse_hn_port() {
return 0 # NODE, URL_PATH, PORT is set now
}
newline_to_spaces() {
echo "$1" | tr '\n' ' ' | sed 's/ $//'
}
# now get all IP addresses
determine_ip_addresses() {
local ip4=""
@ -4097,7 +4075,7 @@ lets_roll() {
${do_tls_sockets} && { tls_sockets "$TLS_LOW_BYTE" "$HEX_CIPHER"; echo "$?" ; exit 0; }
${do_test_just_one} && test_just_one ${single_cipher}
${do_protocols} && { runprotocols; ret=$(($? + ret)); }
${do_protocols} && { run_protocols; ret=$(($? + ret)); }
${do_spdy} && { spdy; ret=$(($? + ret)); }
${do_run_std_cipherlists} && { run_std_cipherlists; ret=$(($? + ret)); }
${do_pfs} && { pfs; ret=$(($? + ret)); }
@ -4201,4 +4179,4 @@ fi
exit $ret
# $Id: testssl.sh,v 1.290 2015/06/23 10:58:39 dirkw Exp $
# $Id: testssl.sh,v 1.291 2015/06/23 19:54:46 dirkw Exp $