diff --git a/testssl.sh b/testssl.sh index 9c641b8..c7039b1 100755 --- a/testssl.sh +++ b/testssl.sh @@ -102,7 +102,7 @@ trap "cleanup" QUIT EXIT readonly VERSION="2.9dev" readonly SWCONTACT="dirk aet testssl dot sh" -egrep -q "dev|rc" <<< "$VERSION" && \ +grep -Eq "dev|rc" <<< "$VERSION" && \ SWURL="https://testssl.sh/dev/" || SWURL="https://testssl.sh/ " @@ -1263,7 +1263,7 @@ service_detection() { head $TMPFILE | grep -aq SMTP && SERVICE=SMTP head $TMPFILE | grep -aq POP && SERVICE=POP head $TMPFILE | grep -aq IMAP && SERVICE=IMAP - head $TMPFILE | egrep -aqw "Jive News|InterNetNews|NNRP|INN" && SERVICE=NNTP + head $TMPFILE | grep -Eaqw "Jive News|InterNetNews|NNRP|INN" && SERVICE=NNTP debugme head -50 $TMPFILE fi @@ -1329,7 +1329,7 @@ run_http_header() { HAD_SLEPT=0 else # GET request needed to be killed before, try, whether it succeeded: - if egrep -iaq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then + if grep -Eiaq "XML|HTML|DOCTYPE|HTTP|Connection" $HEADERFILE; then NOW_TIME=$(($(date "+%s") - HAD_SLEPT)) # correct by seconds we slept HTTP_TIME=$(awk -F': ' '/^date:/ { print $2 } /^Date:/ { print $2 }' $HEADERFILE) else @@ -1434,7 +1434,7 @@ detect_ipv4() { fi # white list some headers as they are mistakenly identified as ipv4 address. Issues 158, 323,o facebook has a CSP rule for 127.0.0.1 - if egrep -vi "$whitelisted_header" $HEADERFILE | grep -iqE "$ipv4address"; then + if grep -Evi "$whitelisted_header" $HEADERFILE | grep -iqE "$ipv4address"; then pr_bold " IPv4 address in header " count=0 while read line; do @@ -1618,16 +1618,16 @@ run_hpkp() { run_http_header "$1" || return 3 fi pr_bold " Public Key Pinning " - egrep -aiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE + grep -Eaiw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE >$TMPFILE if [[ $? -eq 0 ]]; then - if egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -waq "1" ; then + if grep -Eaciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | grep -Ewaq "1" ; then : else hpkp_headers="" pr_svrty_medium "multiple HPKP headers: " # https://scotthelme.co.uk is a candidate - #FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> egrep -ai -w - for i in $(newline_to_spaces "$(egrep -ai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do + #FIXME: should display both Public-Key-Pins+Public-Key-Pins-Report-Only --> grep -Eai -w + for i in $(newline_to_spaces "$(grep -Eai '^Public-Key-Pins' $HEADERFILE | awk -F':' '/Public-Key-Pins/ { print $1 }')"); do pr_italic $i hpkp_headers="$hpkp_headers$i " out " " @@ -1957,7 +1957,7 @@ run_rp_banner() { run_http_header "$1" || return 3 fi pr_bold " Reverse Proxy banner " - egrep -ai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE + grep -Eai '^Via:|^X-Cache|^X-Squid|^X-Varnish:|^X-Server-Name:|^X-Server-Port:|^x-forwarded' $HEADERFILE >$TMPFILE if [[ $? -ne 0 ]]; then outln "--" fileout "rp_header" "INFO" "No reverse proxy banner found" @@ -1991,7 +1991,7 @@ run_application_banner() { run_http_header "$1" || return 3 fi pr_bold " Application banner " - egrep -ai '^X-Powered-By|^X-AspNet-Version|^X-Version|^Liferay-Portal|^X-OWA-Version^|^MicrosoftSharePointTeamServices' $HEADERFILE >$TMPFILE + grep -Eai '^X-Powered-By|^X-AspNet-Version|^X-Version|^Liferay-Portal|^X-OWA-Version^|^MicrosoftSharePointTeamServices' $HEADERFILE >$TMPFILE if [[ $? -ne 0 ]]; then outln "--" fileout "app_banner" "INFO" "No Application Banners found" @@ -2023,7 +2023,7 @@ run_cookie_flags() { # ARG1: Path fi if ! grep -q 20 <<< "$HTTP_STATUS_CODE"; then - if egrep -q "301|302" <<< "$HTTP_STATUS_CODE"; then + if grep -Eq "301|302" <<< "$HTTP_STATUS_CODE"; then msg302=" -- maybe better try target URL of 30x" msg302_=" (30x detected, better try target URL of 30x)" else @@ -3651,7 +3651,7 @@ run_prototest_openssl() { $OPENSSL s_client -state $1 $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $sni >$TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE >$ERRFILE | grep -A2 "Subject Alternative Name" | \ - egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \ + grep -E "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \ sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \ -e 's/ *Registered ID://g' \ -e 's/ *othername://g' -e 's/ *X400Name://g' -e 's/ *EdiPartyName://g') @@ -5796,7 +5796,7 @@ certificate_info() { out "$indent"; pr_bold " EV cert"; out " (experimental) " # only the first one, seldom we have two policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }' | awk 'NR < 2') - if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \ + if echo "$issuer" | grep -Eq 'Extended Validation|Extended Validated|EV SSL|EV CA' || \ [[ 2.16.840.1.114028.10.1.2 == "$policy_oid" ]] || \ [[ 2.16.840.1.114412.1.3.0.2 == "$policy_oid" ]] || \ [[ 2.16.840.1.114412.2.1 == "$policy_oid" ]] || \ @@ -6355,7 +6355,7 @@ run_pfs() { for curve in "${curves_ossl[@]}"; do ossl_supported[nr_curves]=false supported_curve[nr_curves]=false - $OPENSSL s_client -curves $curve -connect x 2>&1 | egrep -iaq "Error with command|unknown option" + $OPENSSL s_client -curves $curve -connect x 2>&1 | grep -Eiaq "Error with command|unknown option" [[ $? -ne 0 ]] && ossl_supported[nr_curves]=true && nr_ossl_curves+=1 nr_curves+=1 done @@ -6548,7 +6548,7 @@ run_spdy() { ret=1 else # now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded - if egrep -aq "h2|spdy|http" <<< $tmpstr ; then + if grep -Eaq "h2|spdy|http" <<< $tmpstr ; then out "$tmpstr" outln " (advertised)" fileout "spdy_npn" "INFO" "SPDY/NPN : $tmpstr (advertised)" @@ -6635,7 +6635,7 @@ starttls_line() { debugme echo "... received result: " debugme cat $TMPFILE if [[ -n "$2" ]]; then - if egrep -q "$2" $TMPFILE; then + if grep -Eq "$2" $TMPFILE; then debugme echo "---> reply matched \"$2\"" else # slow down for exim and friends who need a proper handshake:, see @@ -9221,7 +9221,7 @@ run_sweet32() { $OPENSSL s_client $STARTTLS $BUGS -cipher $sweet32_ciphers -connect $NODEIP:$PORT $PROXY >$TMPFILE $SNI 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE 2>$ERRFILE $TMPFILE $SNI 2>$ERRFILE /dev/null | grep ':' | egrep -v '^#|\.local' | egrep -i "[[:space:]]$1" | awk '{ print $1 }') + ip6=$(grep -wih "$1" $etchosts 2>/dev/null | grep ':' | grep -Ev '^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }') if is_ipv6addr "$ip6"; then echo "$ip6" else @@ -11125,7 +11125,7 @@ get_local_a() { local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" # for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution - ip4=$(grep -wih "$1" $etchosts 2>/dev/null | egrep -v ':|^#|\.local' | egrep -i "[[:space:]]$1" | awk '{ print $1 }') + ip4=$(grep -wih "$1" $etchosts 2>/dev/null | grep -Ev ':|^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }') if is_ipv4addr "$ip4"; then echo "$ip4" else @@ -11234,7 +11234,7 @@ get_caa_rr_record() { raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')" elif which host &> /dev/null; then raw_caa="$(host -t type257 $1)" - if egrep -wvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then + if grep -Ewvq "has no CAA|has no TYPE257" <<< "$raw_caa"; then raw_caa="$(sed -e 's/^.*has CAA record //' -e 's/^.*has TYPE257 record //' <<< "$raw_caa")" fi elif which nslookup &> /dev/null; then