mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-01 06:19:44 +01:00
sclient_auth() improvements
Modify sclient_auth() to use checks similar to sclient_connect_successful() to determine whether the connection attempt was successful. Replace uses of awk and grep with Bash internals string comparisons.
This commit is contained in:
parent
44787d6bcb
commit
e8a3dce5ad
50
testssl.sh
50
testssl.sh
@ -20357,6 +20357,8 @@ check_proxy() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Given the ASCII-HEX of a DER-encoded distinguished name, return the string
|
||||||
|
# representation of the name.
|
||||||
print_dn() {
|
print_dn() {
|
||||||
local dn="$1"
|
local dn="$1"
|
||||||
local cert name
|
local cert name
|
||||||
@ -20389,6 +20391,9 @@ print_dn() {
|
|||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Given the OpenSSL output of a response from a TLS server (with the -msg option)
|
||||||
|
# in which the response includes a CertificateRequest message, return the list of
|
||||||
|
# distinguished names that are in the CA list.
|
||||||
extract_calist() {
|
extract_calist() {
|
||||||
local response="$1"
|
local response="$1"
|
||||||
local is_tls13=false
|
local is_tls13=false
|
||||||
@ -20396,15 +20401,18 @@ extract_calist() {
|
|||||||
local calist_string=""
|
local calist_string=""
|
||||||
local -i len type
|
local -i len type
|
||||||
|
|
||||||
[[ "$response" =~ CertificateRequest ]] || return 0
|
# Determine whether this is a TLS 1.3 response, since the information
|
||||||
[[ "$response" =~ TLS\ 1.3[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]] && is_tls13=true
|
# is encoded in a different place for TLS 1.3.
|
||||||
|
[[ "$response" =~ \<\<\<\ TLS\ 1.3[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]] && is_tls13=true
|
||||||
|
|
||||||
|
# Extract just the CertificateRequest message as an ASCII-HEX string.
|
||||||
certreq="${response##*CertificateRequest}"
|
certreq="${response##*CertificateRequest}"
|
||||||
certreq="0d${certreq#*0d}"
|
certreq="0d${certreq#*0d}"
|
||||||
certreq="${certreq%%<<<*}"
|
certreq="${certreq%%<<<*}"
|
||||||
certreq="$(strip_spaces "$(newline_to_spaces "$certreq")")"
|
certreq="$(strip_spaces "$(newline_to_spaces "$certreq")")"
|
||||||
certreq="${certreq:8}"
|
certreq="${certreq:8}"
|
||||||
|
|
||||||
|
# Get the list of DNs from the CertificateRequest message.
|
||||||
if "$is_tls13"; then
|
if "$is_tls13"; then
|
||||||
# struct {
|
# struct {
|
||||||
# opaque certificate_request_context<0..2^8-1>;
|
# opaque certificate_request_context<0..2^8-1>;
|
||||||
@ -20443,6 +20451,7 @@ extract_calist() {
|
|||||||
len=2*$(hex2dec "${certreq:0:4}")
|
len=2*$(hex2dec "${certreq:0:4}")
|
||||||
calist="${certreq:4}"
|
calist="${certreq:4}"
|
||||||
fi
|
fi
|
||||||
|
# Convert each DN to a string.
|
||||||
while true; do
|
while true; do
|
||||||
[[ -z "$calist" ]] && break
|
[[ -z "$calist" ]] && break
|
||||||
len=2*$(hex2dec "${calist:0:4}")
|
len=2*$(hex2dec "${calist:0:4}")
|
||||||
@ -20459,23 +20468,36 @@ extract_calist() {
|
|||||||
# with client authentication, a server with no SSL session ID switched off
|
# with client authentication, a server with no SSL session ID switched off
|
||||||
#
|
#
|
||||||
sclient_auth() {
|
sclient_auth() {
|
||||||
if grep -q '^<<< .*CertificateRequest' "$2"; then # CertificateRequest message in -msg
|
local server_hello="$(cat -v "$2")"
|
||||||
CLIENT_AUTH="require"
|
local re='Master-Key: ([^\
|
||||||
[[ $1 -eq 0 ]] && CLIENT_AUTH="optional"
|
]*)'
|
||||||
CLIENT_AUTH_CA_LIST="$(extract_calist "$(< "$2")")"
|
local connect_success=false
|
||||||
return 0
|
|
||||||
fi
|
[[ $1 -eq 0 ]] && connect_success=true
|
||||||
[[ $1 -eq 0 ]] && return 0
|
! "$connect_success" && [[ "$server_hello" =~ $re ]] && \
|
||||||
if [[ -n $(awk '/Master-Key: / { print $2 }' "$2") ]]; then # connect succeeded
|
[[ -n "${BASH_REMATCH[1]}" ]] && connect_success=true
|
||||||
if [[ -z $(awk '/Session-ID: / { print $2 }' "$2") ]]; then # probably no SSL session
|
! "$connect_success" && \
|
||||||
if [[ 2 -eq $(grep -c CERTIFICATE "$2") ]]; then # do another sanity check to be sure
|
[[ "$server_hello" =~ (New|Reused)\,\ (SSLv[23]|TLSv1(\.[0-3])?(\/SSLv3)?)\,\ Cipher\ is\ ([A-Z0-9]+-[A-Za-z0-9\-]+|TLS_[A-Za-z0-9_]+) ]] && \
|
||||||
|
connect_success=true
|
||||||
|
if "$connect_success"; then
|
||||||
|
if [[ "$server_hello" =~ \<\<\<\ (SSL\ [23]|TLS\ 1)(\.[0-3])?[\,]?\ Handshake\ \[length\ [0-9a-fA-F]*\]\,\ CertificateRequest ]]; then
|
||||||
|
# CertificateRequest message in -msg
|
||||||
|
CLIENT_AUTH="require"
|
||||||
|
[[ $1 -eq 0 ]] && CLIENT_AUTH="optional"
|
||||||
|
CLIENT_AUTH_CA_LIST="$(extract_calist "$server_hello")"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
[[ $1 -eq 0 ]] && return 0
|
||||||
|
if [[ ! "$server_hello" =~ Session-ID:\ [a-fA-F0-9]{2,64} ]]; then # probably no SSL session
|
||||||
|
# do another sanity check to be sure
|
||||||
|
if [[ "$server_hello" =~ \-\-\-BEGIN\ CERTIFICATE\-\-\-.*\-\-\-END\ CERTIFICATE\-\-\- ]]; then
|
||||||
CLIENT_AUTH="none"
|
CLIENT_AUTH="none"
|
||||||
NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally to false for all other cases
|
NO_SSL_SESSIONID=true # NO_SSL_SESSIONID is preset globally to false for all other cases
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# what's left now is: master key empty, handshake returned not successful, session ID empty --> not successful
|
# what's left now is: no protocol and ciphersuite specified, handshake returned not successful, session ID empty --> not successful
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user