First proper output for HTTPS RR

- moved function + output to the very top (still not the right place)
- raw_https now should contain the output in any case, binhex parse needs to be completed
- fixed bug that CAA records were queried when it was instructed to minimize/skip or use proxy only
This commit is contained in:
Dirk 2024-03-30 17:17:14 +01:00
parent c93f06c1c6
commit e6bdcee142

View File

@ -2329,6 +2329,7 @@ s_client_options() {
# determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS) # determines whether the port has an HTTP service running or not (plain TLS, no STARTTLS)
# arg1 could be the protocol determined as "working". IIS6 needs that. # arg1 could be the protocol determined as "working". IIS6 needs that.
# sets global $SERVICE
# #
service_detection() { service_detection() {
local -i was_killed local -i was_killed
@ -2404,7 +2405,7 @@ service_detection() {
;; ;;
esac esac
outln "\n" outln
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt
return 0 return 0
} }
@ -9776,21 +9777,6 @@ certificate_info() {
fi fi
outln outln
#FIXME: declare vars, put somewhere else
out "$indent"; pr_bold " DNS HTTPS RR"; out " (experimental) "
jsonID="DNS_HTTPS_rrecord"
https_rr_node="$NODE"
https_rr=""
while [[ -z "$https_rr" ]] && [[ -n "$https_rr_node" ]]; do
https_rr="$(get_https_rrecord $https_rr_node)"
tmp=${PIPESTATUS[@]}
[[ $DEBUG -ge 4 ]] && echo "get_https_rrecord: $tmp"
[[ $https_rr_node =~ '.'$ ]] || https_rr_node+="."
https_rr_node=${https_rr_node#*.}
done
out "$indent"; pr_bold " OCSP must staple extension "; out "$indent"; pr_bold " OCSP must staple extension ";
must_staple "$json_postfix" "$provides_stapling" "$cert_txt" must_staple "$json_postfix" "$provides_stapling" "$cert_txt"
@ -9798,6 +9784,13 @@ certificate_info() {
jsonID="DNS_CAA_rrecord" jsonID="DNS_CAA_rrecord"
caa_node="$NODE" caa_node="$NODE"
caa="" caa=""
if [[ -n "$NODNS" ]]; then
out "(instructed to minimize/skip DNS queries)"
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed"
elif "$DNS_VIA_PROXY"; then
out "(instructed to use the proxy for DNS only)"
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed (proxy)"
else
while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do while [[ -z "$caa" ]] && [[ -n "$caa_node" ]]; do
caa="$(get_caa_rrecord $caa_node)" caa="$(get_caa_rrecord $caa_node)"
tmp=${PIPESTATUS[@]} tmp=${PIPESTATUS[@]}
@ -9820,16 +9813,11 @@ certificate_info() {
all_caa=${all_caa%, } # strip trailing comma all_caa=${all_caa%, } # strip trailing comma
pr_italic "$(out_row_aligned_max_width "$all_caa" "$indent " $TERM_WIDTH)" pr_italic "$(out_row_aligned_max_width "$all_caa" "$indent " $TERM_WIDTH)"
fileout "${jsonID}${json_postfix}" "OK" "$all_caa" fileout "${jsonID}${json_postfix}" "OK" "$all_caa"
elif [[ -n "$NODNS" ]]; then
out "(instructed to minimize/skip DNS queries)"
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed"
elif "$DNS_VIA_PROXY"; then
out "(instructed to use the proxy for DNS only)"
fileout "${jsonID}${json_postfix}" "INFO" "check skipped as instructed (proxy)"
else else
pr_svrty_low "not offered" pr_svrty_low "not offered"
fileout "${jsonID}${json_postfix}" "LOW" "--" fileout "${jsonID}${json_postfix}" "LOW" "--"
fi fi
fi
outln outln
out "$indent"; pr_bold " Certificate Transparency "; out "$indent"; pr_bold " Certificate Transparency ";
@ -21272,7 +21260,7 @@ get_aaaa_record() {
# RFC6844: DNS Certification Authority Authorization (CAA) Resource Record # RFC6844: DNS Certification Authority Authorization (CAA) Resource Record
# arg1: domain to check for # arg1: domain to check for
# #FIXME: should be refactored, see get_https_rrecord()
get_caa_rrecord() { get_caa_rrecord() {
local raw_caa="" local raw_caa=""
local hash len line local hash len line
@ -21349,7 +21337,7 @@ get_caa_rrecord() {
return 1 return 1
fi fi
# to do: #TODO:
# 4: check whether $1 is a CNAME and take this # 4: check whether $1 is a CNAME and take this
return 0 return 0
} }
@ -21372,47 +21360,54 @@ get_https_rrecord() {
[[ -n "$NODNS" ]] && return 2 # if minimum DNS lookup was instructed, leave here [[ -n "$NODNS" ]] && return 2 # if minimum DNS lookup was instructed, leave here
# if there's a type65 record there are two output formats here, mostly depending on age of distribution # Ff there's a type65 record there are 2x3 output formats, mostly depending on age of distribution
# roughly that's the difference between text and binary format # -- roughly that's the difference between text and binary format -- and the type of DNS client
# for host:
# 1) 'google.com has HTTPS record 1 . alpn="h2,h3" ' # 1) 'google.com has HTTPS record 1 . alpn="h2,h3" '
# 2) 'google.com has TYPE65 record \# 13 0001000001000602683202683 ' # 2) 'google.com has TYPE65 record \# 13 0001000001000602683202683 '
#FIXME \/ # for drill and dig it's like
# for dig +short the output always starts with '0 issue [..]' or '\# 19 [..]' so we normalize thereto to keep https_flag, https_property #1) google.com. 18665 IN TYPE65 \# 13 00010000010006026832026833
# https_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3 #2) google.com. 18301 IN HTTPS 1 . alpn="h2,h3"
# nslookup:
# 1) dev.testssl.sh rdata_65 = 1 . alpn="h2"
# 2) dev.testssl.sh rdata_65 = \# 10 00010000010003026832
# we normalize the output during the following so that's either 1) 1 . alpn="h2" or 2) \# 10 00010000010003026832 or empty
OPENSSL_CONF="" OPENSSL_CONF=""
# Read either answer 1) or 2) into raw_https. Should be empty if no such record
if "$HAS_DIG"; then if "$HAS_DIG"; then
raw_https="$(dig $DIG_R +search +short +timeout=3 +tries=3 $noidnout type65 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')" raw_https="$(dig $DIG_R +short +search +timeout=3 +tries=3 $noidnout type65 "$1" 2>/dev/null)"
# empty if no CAA record # emtpy if there's no such record
elif "$HAS_DRILL"; then elif "$HAS_DRILL"; then
raw_https="$(drill $1 type65 | awk '/'"^${1}"'.*HTTPS/ { print $5,$6,$7 }')" raw_https="$(drill $1 type65 | awk '/'"^${1}"'.*TYPE65/ { print substr($0,index($0,$5)) }' )" # from 5th field onwards
# emtpy if there's no such record
elif "$HAS_HOST"; then elif "$HAS_HOST"; then
raw_https="$(host -t type65 $1)" raw_https="$(host -t type65 $1)"
if grep -Ewvq "has no HTTPS|has no TYPE65" <<< "$raw_https"; then if grep -Ewq "has no HTTPS|has no TYPE65" <<< "$raw_https"; then
raw_https=""
else
raw_https="$(sed -e 's/^.*has HTTPS record //' -e 's/^.*has TYPE65 record //' <<< "$raw_https")" raw_https="$(sed -e 's/^.*has HTTPS record //' -e 's/^.*has TYPE65 record //' <<< "$raw_https")"
fi fi
elif "$HAS_NSLOOKUP"; then elif "$HAS_NSLOOKUP"; then
raw_https="$(strip_lf "$(nslookup -type=type65 $1 | grep -w rdata_65)")" raw_https="$(strip_lf "$(nslookup -type=type65 $1 | awk '/'"^${1}"'.*rdata_65/ { print substr($0,index($0,$4)) }' )")"
if [[ -n "$raw_https" ]]; then # emtpy if there's no such record
raw_https="$(sed 's/^.*rdata_65 = //' <<< "$raw_https")"
fi
else else
return 1 return 1
# No dig, drill, host, or nslookup --> complaint was elsewhere already # No dig, drill, host, or nslookup --> complaint was elsewhere already
fi fi
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134 OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
debugme echo $raw_https
if [[ -z "$raw_https" ]]; then
if [[ "$raw_https" =~ \#\ [0-9][0-9] ]]; then :
elif [[ -n "$raw_https" ]]; then
#FIXME \/ safe_echo "$raw_https"
# for posteo we get this binary format returned e.g. for old dig versions: elif [[ "$raw_https" =~ \#\ [0-9][0-9] ]]; then
# \# 19 0005697373756567656F74727573742E636F6D # now this is binary / hex encoded like \# 10 00010000010003026832
# \# 23 0009697373756577696C6467656F74727573742E636F6D #FIXME: this probably doesn't work yet and intentionally won't be reached yet
# \# 34 0005696F6465666D61696C746F3A686F73746D617374657240706F73 74656F2E6465
# # len https <more_see_below> @ p o s t e o . d e
while read hash len line ;do while read hash len line ;do
if [[ "${line:0:2}" == "00" ]]; then # probably the https flag, always 00, so we don't keep this if [[ "${line:0:2}" == "00" ]]; then # probably the https flag, always 00, so we don't keep this
len_https_property=$(printf "%0d" "$((10#${line:2:2}))") # get len and do type casting, for posteo we have 05 or 09 here as a string len_https_property=$(printf "%0d" "$((10#${line:2:2}))") # get len and do type casting, for posteo we have 05 or 09 here as a string
@ -21428,18 +21423,11 @@ get_https_rrecord() {
fi fi
done <<< "$raw_https" done <<< "$raw_https"
sort <<< "$(safe_echo "$all_https")" sort <<< "$(safe_echo "$all_https")"
return 0
elif grep -q '"' <<< "$raw_https"; then
raw_https=${raw_https//\"/} # strip all ". Now we should have flag, name, value
#https_property_name="$(awk '{ print $2 }' <<< "$raw_https")"
#https_property_value="$(awk '{ print $3 }' <<< "$raw_https)"
safe_echo "$(sort <<< "$(awk '{ print $2"="$3 }' <<< "$raw_https")")"
return 0
else else
# no https record echo "fixme"
return 1 fi
# to do: #TODO:
# 4: check whether $1 is a CNAME and take this # 4: check whether $1 is a CNAME and take this
return 0 return 0
} }
@ -22160,6 +22148,34 @@ determine_optimal_proto() {
} }
dns_https_rr () {
local jsonID="DNS_HTTPS_rrecord"
local https_rr=""
out "$indent"; pr_bold " DNS HTTPS RR"; out " (experim.) "
if [[ -n "$NODNS" ]]; then
out "(instructed to minimize/skip DNS queries)"
fileout "${jsonID}" "INFO" "check skipped as instructed"
elif "$DNS_VIA_PROXY"; then
out "(instructed to use the proxy for DNS only)"
fileout "${jsonID}" "INFO" "check skipped as instructed (proxy)"
else
https_rr="$(get_https_rrecord $NODE)"
if [[ -n "$https_rr" ]]; then
pr_svrty_good "yes" ; out " "
prln_italic "$(out_row_aligned_max_width "$https_rr" "$indent " $TERM_WIDTH)"
fileout "${jsonID}" "OK" "$https_rr"
else
outln "--"
fileout "${jsonID}" "INFO" " no resource record found"
fi
fi
}
# arg1 (optional): ftp smtp, lmtp, pop3, imap, sieve, xmpp, xmpp-server, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s) # arg1 (optional): ftp smtp, lmtp, pop3, imap, sieve, xmpp, xmpp-server, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s)
# #
determine_service() { determine_service() {
@ -22198,8 +22214,11 @@ determine_service() {
fi fi
GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\n${basicauth_header}${reqheader}Accept-Encoding: identity\r\nAccept: */*\r\nConnection: Close\r\n\r\n" GET_REQ11="GET $URL_PATH HTTP/1.1\r\nHost: $NODE\r\nUser-Agent: $ua\r\n${basicauth_header}${reqheader}Accept-Encoding: identity\r\nAccept: */*\r\nConnection: Close\r\n\r\n"
determine_optimal_proto determine_optimal_proto
# returns always 0: # returns always 0 and sets $SERVICE
service_detection $OPTIMAL_PROTO service_detection $OPTIMAL_PROTO
if [[ $SERVICE == HTTP ]]; then
dns_https_rr
fi
else # STARTTLS else # STARTTLS
if [[ "$1" == postgres ]] || [[ "$1" == sieve ]]; then if [[ "$1" == postgres ]] || [[ "$1" == sieve ]]; then
protocol="$1" protocol="$1"
@ -22284,7 +22303,6 @@ determine_service() {
# It comes handy later also for STARTTLS injection to define this global. When we do banner grabbing # It comes handy later also for STARTTLS injection to define this global. When we do banner grabbing
# or replace service_detection() we might not need that anymore # or replace service_detection() we might not need that anymore
SERVICE=$protocol SERVICE=$protocol
fi fi
tmpfile_handle ${FUNCNAME[0]}.txt tmpfile_handle ${FUNCNAME[0]}.txt