From 326a65e7ad43485b1955aad5321299f10f171aac Mon Sep 17 00:00:00 2001
From: Tomasz Kramkowski <tomasz@kramkow.ski>
Date: Mon, 23 May 2022 13:53:38 +0100
Subject: [PATCH 1/4] Fix CRIME test on servers only supporting TLS 1.3

As jsonID is not set by run_crime, make the fileout invocation for
servers supporting only TLS 1.3 use the literal "CRIME_TLS" instead.

Previously running testssl with CSV or JSON output would produce an item
with the wrong ID.
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index 2c1900f..5990201 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -16710,7 +16710,7 @@ run_crime() {
           pr_svrty_best "not vulnerable (OK)"
           [[ $DEBUG -ge 1 ]] && out ", no compression in TLS 1.3 only servers"
           outln
-          fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe"
+          fileout "CRIME_TLS" "OK" "TLS 1.3 only server" "$cve" "$cwe"
           return 0
      fi
 

From fc0cc67d4794c6d3a3d5463dc9cd03d9c8d70df1 Mon Sep 17 00:00:00 2001
From: Tomasz Kramkowski <tomasz@kramkow.ski>
Date: Mon, 23 May 2022 13:57:31 +0100
Subject: [PATCH 2/4] Make run_crime use $jsonID instead of repeating

This also seems more consistent across the code.
---
 testssl.sh | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 5990201..88583f5 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -16705,19 +16705,20 @@ run_crime() {
 
      [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CRIME vulnerability " && outln
      pr_bold " CRIME, TLS " ; out "($cve)                "
+     jsonID="CRIME_TLS"
 
      if "$TLS13_ONLY"; then
           pr_svrty_best "not vulnerable (OK)"
           [[ $DEBUG -ge 1 ]] && out ", no compression in TLS 1.3 only servers"
           outln
-          fileout "CRIME_TLS" "OK" "TLS 1.3 only server" "$cve" "$cwe"
+          fileout "$jsonID" "OK" "TLS 1.3 only server" "$cve" "$cwe"
           return 0
      fi
 
      if ! "$HAS_ZLIB"; then
           if "$SSL_NATIVE"; then
                prln_local_problem "$OPENSSL lacks zlib support"
-               fileout "CRIME_TLS" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe"
+               fileout "$jsonID" "WARN" "CRIME, TLS: Not tested. $OPENSSL lacks zlib support" "$cve" "$cwe"
                return 1
           else
                tls_sockets "03" "$TLS12_CIPHER" "" "" "true"
@@ -16735,23 +16736,23 @@ run_crime() {
 
      if [[ $sclient_success -ne 0 ]]; then
           pr_warning "test failed (couldn't connect)"
-          fileout "CRIME_TLS" "WARN" "Check failed, couldn't connect" "$cve" "$cwe"
+          fileout "$jsonID" "WARN" "Check failed, couldn't connect" "$cve" "$cwe"
           ret=1
      elif grep -a Compression $TMPFILE | grep -aq NONE >/dev/null; then
           pr_svrty_good "not vulnerable (OK)"
           if [[ $SERVICE != HTTP ]] && [[ "$CLIENT_AUTH" != required ]];  then
                out " (not using HTTP anyway)"
-               fileout "CRIME_TLS" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe"
+               fileout "$jsonID" "OK" "not vulnerable (not using HTTP anyway)" "$cve" "$cwe"
           else
-               fileout "CRIME_TLS" "OK" "not vulnerable" "$cve" "$cwe"
+               fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
           fi
      else
           if [[ $SERVICE == HTTP ]] || [[ "$CLIENT_AUTH" == required ]]; then
                pr_svrty_high "VULNERABLE (NOT ok)"
-               fileout "CRIME_TLS" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint"
+               fileout "$jsonID" "HIGH" "VULNERABLE" "$cve" "$cwe" "$hint"
           else
                pr_svrty_medium "VULNERABLE but not using HTTP: probably no exploit known"
-               fileout "CRIME_TLS" "MEDIUM" "VULNERABLE, but not using HTTP. Probably no exploit known" "$cve" "$cwe" "$hint"
+               fileout "$jsonID" "MEDIUM" "VULNERABLE, but not using HTTP. Probably no exploit known" "$cve" "$cwe" "$hint"
                # not clear whether a protocol != HTTP offers the ability to repeatedly modify the input
                # which is done e.g. via javascript in the context of HTTP
           fi

From 8d817e1dcf5c86eb8514c972d383ef1ab467f4cd Mon Sep 17 00:00:00 2001
From: Dirk Wetter <dirk@testssl.sh>
Date: Wed, 25 May 2022 18:46:08 +0200
Subject: [PATCH 3/4] PR to merge #2189

added: changes in CI so that it goes through
---
 t/61_diff_testsslsh.t                   | 3 +--
 t/baseline_data/default_testssl.csvfile | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/t/61_diff_testsslsh.t b/t/61_diff_testsslsh.t
index 910b95e..7f0cf89 100755
--- a/t/61_diff_testsslsh.t
+++ b/t/61_diff_testsslsh.t
@@ -37,8 +37,6 @@ printf "\n%s\n", "Diff unit test IPv4 against \"$uri\"";
 `$prg $check2run $uri 2>&1`;
 
 
-$diff = diff $socket_csv, $master_socket_csv;
-
 $socket_csv=`cat tmp.csv`;
 $master_socket_csv=`cat $master_socket_csv`;
 
@@ -54,6 +52,7 @@ $master_socket_csv=~ s/censys.io.*\n//g;
 $socket_csv=~ s/HTTP_headerTime.*\n//g;
 $master_socket_csv=~ s/HTTP_headerTime.*\n//g;
 
+$diff = diff $socket_csv, $master_socket_csv;
 
 # Compare the differences to the master file -- and print differences if there were detected.
 #
diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile
index 86c7bbe..66ebda1 100644
--- a/t/baseline_data/default_testssl.csvfile
+++ b/t/baseline_data/default_testssl.csvfile
@@ -66,7 +66,7 @@
 "DH_groups","testssl.sh/81.169.166.184","443","OK","Unknown DH group (2048 bits)","",""
 "HTTP_status_code","testssl.sh/81.169.166.184","443","INFO","200 OK ('/')","",""
 "HTTP_clock_skew","testssl.sh/81.169.166.184","443","INFO","0 seconds from localtime","",""
-"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1639146981","",""
+"HTTP_headerTime","testssl.sh/81.169.166.184","443","INFO","1653487014","",""
 "HSTS_time","testssl.sh/81.169.166.184","443","OK","362 days (=31337000 seconds) > 15552000 seconds","",""
 "HSTS_subdomains","testssl.sh/81.169.166.184","443","INFO","only for this domain","",""
 "HSTS_preload","testssl.sh/81.169.166.184","443","INFO","domain is NOT marked for preloading","",""
@@ -76,7 +76,7 @@
 "cookie_count","testssl.sh/81.169.166.184","443","INFO","0 at '/'","",""
 "X-Frame-Options","testssl.sh/81.169.166.184","443","OK","DENY","",""
 "X-Content-Type-Options","testssl.sh/81.169.166.184","443","OK","nosniff","",""
-"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; default-src 'self' ; child-src 'none'; object-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests","",""
+"Content-Security-Policy","testssl.sh/81.169.166.184","443","OK","script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'; object-src 'self'; base-uri 'none'; form-action 'none'; img-src 'self' ; default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;","",""
 "banner_reverseproxy","testssl.sh/81.169.166.184","443","INFO","--","","CWE-200"
 "heartbleed","testssl.sh/81.169.166.184","443","OK","not vulnerable, no heartbeat extension","CVE-2014-0160","CWE-119"
 "CCS","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2014-0224","CWE-310"
@@ -91,7 +91,7 @@
 "SWEET32","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2016-2183 CVE-2016-6329","CWE-327"
 "FREAK","testssl.sh/81.169.166.184","443","OK","not vulnerable","CVE-2015-0204","CWE-310"
 "DROWN","testssl.sh/81.169.166.184","443","OK","not vulnerable on this host and port","CVE-2016-0800 CVE-2016-0703","CWE-310"
-"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&sort=RELEVANCE&virtual_hosts=INCLUDE&?q=31B44391529821C6A77F3C78B02D716A07F99B8FDB342BF5A78F263C25375968","CVE-2016-0800 CVE-2016-0703","CWE-310"
+"DROWN_hint","testssl.sh/81.169.166.184","443","INFO","Make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=31B44391529821C6A77F3C78B02D716A07F99B8FDB342BF5A78F263C25375968","CVE-2016-0800 CVE-2016-0703","CWE-310"
 "LOGJAM","testssl.sh/81.169.166.184","443","OK","not vulnerable, no DH EXPORT ciphers,","CVE-2015-4000","CWE-310"
 "LOGJAM-common_primes","testssl.sh/81.169.166.184","443","OK","--","CVE-2015-4000","CWE-310"
 "BEAST_CBC_TLS1","testssl.sh/81.169.166.184","443","MEDIUM","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA","CVE-2011-3389","CWE-20"

From dfbb9f81221e3993e903e49d2c77cce53e75b88c Mon Sep 17 00:00:00 2001
From: Dirk Wetter <dirk@testssl.sh>
Date: Mon, 30 May 2022 13:37:07 +0200
Subject: [PATCH 4/4] Fix Actions

this one works locally...
---
 t/61_diff_testsslsh.t | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/t/61_diff_testsslsh.t b/t/61_diff_testsslsh.t
index 7f0cf89..f4070b1 100755
--- a/t/61_diff_testsslsh.t
+++ b/t/61_diff_testsslsh.t
@@ -36,6 +36,7 @@ printf "\n%s\n", "Diff unit test IPv4 against \"$uri\"";
 #1 run
 `$prg $check2run $uri 2>&1`;
 
+$diff = diff $socket_csv, $master_socket_csv;
 
 $socket_csv=`cat tmp.csv`;
 $master_socket_csv=`cat $master_socket_csv`;
@@ -52,8 +53,6 @@ $master_socket_csv=~ s/censys.io.*\n//g;
 $socket_csv=~ s/HTTP_headerTime.*\n//g;
 $master_socket_csv=~ s/HTTP_headerTime.*\n//g;
 
-$diff = diff $socket_csv, $master_socket_csv;
-
 # Compare the differences to the master file -- and print differences if there were detected.
 #
 cmp_ok($socket_csv, "eq", $master_socket_csv, "Check whether CSV output matches master file from $uri") or