Complete $PROTOS_OFFERED / has_server_protocol(), FIX #759

The logic is complete now, so that if a protocol has been detected as
    supported or not supported it will save a few cycles not to test
    this protocol again.

    There's probably -- also besides #839 space for improvements. The
    advantage of this solution is that ``has_server_protocol()`` also
    marks a protocol as tested if the result of the test is negative.
This commit is contained in:
Dirk 2017-10-02 13:48:55 +02:00
parent 36236b6def
commit f3dc53f554

View File

@ -251,7 +251,7 @@ HOSTCERT=""
HEADERFILE="" HEADERFILE=""
HEADERVALUE="" HEADERVALUE=""
HTTP_STATUS_CODE="" HTTP_STATUS_CODE=""
PROTOS_OFFERED="" PROTOS_OFFERED="" # this is a global to keep the info which protocol is being offered. See has_server_protocol()
TLS_EXTENSIONS="" TLS_EXTENSIONS=""
BAD_SERVER_HELLO_CIPHER=false # reserved for cases where a ServerHello doesn't contain a cipher offered in the ClientHello BAD_SERVER_HELLO_CIPHER=false # reserved for cases where a ServerHello doesn't contain a cipher offered in the ClientHello
GOST_STATUS_PROBLEM=false GOST_STATUS_PROBLEM=false
@ -2418,8 +2418,7 @@ std_cipherlists() {
sclient_success=$? sclient_success=$?
[[ $sclient_success -eq 2 ]] && sclient_success=0 [[ $sclient_success -eq 2 ]] && sclient_success=0
fi fi
# FIXME #759 if [[ $sclient_success -ne 0 ]] && && has_server_protocol "ssl2"; then if [[ $sclient_success -ne 0 ]] && [[ 0 -eq $(has_server_protocol ssl2) ]]; then
if [[ $sclient_success -ne 0 ]]; then
if ( [[ -z "$6" ]] || "$FAST" ) && "$HAS_SSL2" && listciphers "$1" -ssl2; then if ( [[ -z "$6" ]] || "$FAST" ) && "$HAS_SSL2" && listciphers "$1" -ssl2; then
$OPENSSL s_client -cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY -ssl2 2>$ERRFILE >$TMPFILE </dev/null $OPENSSL s_client -cipher "$1" $BUGS $STARTTLS -connect $NODEIP:$PORT $PROXY -ssl2 2>$ERRFILE >$TMPFILE </dev/null
sclient_connect_successful $? $TMPFILE sclient_connect_successful $? $TMPFILE
@ -3238,8 +3237,8 @@ run_cipher_per_proto() {
continue continue
fi fi
outln outln
#FIXME: see #759
#has_server_protocol "${proto:1}" || continue [[ $(has_server_protocol "${proto:1}") -eq 1 ]] && continue
# get a list of all the cipher suites to test # get a list of all the cipher suites to test
nr_ciphers=0 nr_ciphers=0
@ -3965,19 +3964,43 @@ run_prototest_openssl() {
# 7: no local support # 7: no local support
} }
# idempotent function to add SSL/TLS protocols. It should ease testing # idempotent function to add SSL/TLS protocols. It should accelerate testing.
# PROTOS_OFFERED's content is in openssl terminology # PROTOS_OFFERED can be e.g. "ssl2:no ssl3:no tls1_2:yes" which means tha
# SSLv2 and SSLv3 was tested but not available, TLS 1.2 was tested and available
# TLS 1.0 and TLS 1.2 not tested yet
#
# arg1: protocol
# arg2: available (yes) or not (no)
add_tls_offered() { add_tls_offered() {
grep -qw "$1" <<< "$PROTOS_OFFERED" || PROTOS_OFFERED+="$1 " if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
# the ":" is mandatory here (and @ other palces), otherwise e.g. tls1 will match tls1_2
:
else
PROTOS_OFFERED+="${1}:$2 "
fi
} }
# function which checks whether SSLv2 - TLS 1.2 is being offereed # function which checks whether SSLv2 - TLS 1.2 is being offereed, see add_tls_offered()
has_server_protocol() { has_server_protocol() {
[[ -z "$PROTOS_OFFERED" ]] && return 1 # if empty return 1, hinting to the caller to check at additional cost/connect local proto_val_pair
if grep -qw "$1" <<< "$PROTOS_OFFERED"; then
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
for proto_val_pair in $PROTOS_OFFERED; do
if [[ $proto_val_pair =~ $1: ]]; then
if [[ ${proto_val_pair#*:} == "yes" ]]; then
echo 0
return 0
else
echo 1
return 0
fi
fi
done
else
# if empty echo 2, hinting to the caller to check at additional cost/connect
echo 2
return 0 return 0
fi fi
return 1
} }
@ -4019,17 +4042,19 @@ run_protocols() {
1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP! 1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP!
prln_done_best "not offered (OK)" prln_done_best "not offered (OK)"
fileout "sslv2" "OK" "SSLv2 is not offered" fileout "sslv2" "OK" "SSLv2 is not offered"
add_tls_offered ssl2 no
;; ;;
0) # reset 0) # reset
prln_done_best "not offered (OK)" prln_done_best "not offered (OK)"
fileout "sslv2" "OK" "SSLv2 is not offered" fileout "sslv2" "OK" "SSLv2 is not offered"
add_tls_offered ssl2 no
;; ;;
3) # everything else 3) # everything else
lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)")
[[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) " [[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) "
if [[ "$lines" -gt 1 ]]; then if [[ "$lines" -gt 1 ]]; then
nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3))
add_tls_offered "ssl2" add_tls_offered ssl2 yes
if [[ 0 -eq "$nr_ciphers_detected" ]]; then if [[ 0 -eq "$nr_ciphers_detected" ]]; then
prln_svrty_high "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 "; prln_svrty_high "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 ";
fileout "sslv2" "HIGH" "SSLv2 is offered, vulnerable to CVE-2015-3197" fileout "sslv2" "HIGH" "SSLv2 is offered, vulnerable to CVE-2015-3197"
@ -4046,14 +4071,15 @@ run_protocols() {
case $? in case $? in
0) prln_svrty_critical "offered (NOT ok)" 0) prln_svrty_critical "offered (NOT ok)"
fileout "sslv2" "CRITICAL" "SSLv2 is offered" fileout "sslv2" "CRITICAL" "SSLv2 is offered"
add_tls_offered "ssl2" add_tls_offered ssl2 yes
;; ;;
1) prln_done_best "not offered (OK)" 1) prln_done_best "not offered (OK)"
fileout "sslv2" "OK" "SSLv2 is not offered" fileout "sslv2" "OK" "SSLv2 is not offered"
add_tls_offered ssl2 no
;; ;;
5) pr_svrty_high "CVE-2015-3197: $supported_no_ciph2"; 5) pr_svrty_high "CVE-2015-3197: $supported_no_ciph2";
fileout "sslv2" "HIGH" "CVE-2015-3197: SSLv2 is $supported_no_ciph2" fileout "sslv2" "HIGH" "CVE-2015-3197: SSLv2 is $supported_no_ciph2"
add_tls_offered "ssl2" add_tls_offered ssl2 yes
;; ;;
7) fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support" 7) fileout "sslv2" "INFO" "SSLv2 is not tested due to lack of local support"
;; # no local support ;; # no local support
@ -4071,10 +4097,11 @@ run_protocols() {
fileout "sslv3" "HIGH" "SSLv3 is offered" fileout "sslv3" "HIGH" "SSLv3 is offered"
latest_supported="0300" latest_supported="0300"
latest_supported_string="SSLv3" latest_supported_string="SSLv3"
add_tls_offered "ssl3" add_tls_offered ssl3 yes
;; ;;
1) prln_done_best "not offered (OK)" 1) prln_done_best "not offered (OK)"
fileout "sslv3" "OK" "SSLv3 is not offered" fileout "sslv3" "OK" "SSLv3 is not offered"
add_tls_offered ssl3 no
;; ;;
2) if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then 2) if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))"
@ -4093,7 +4120,7 @@ run_protocols() {
5) pr_svrty_high "$supported_no_ciph2" 5) pr_svrty_high "$supported_no_ciph2"
fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1" fileout "sslv3" "HIGH" "SSLv3 is $supported_no_ciph1"
outln "(may need debugging)" outln "(may need debugging)"
add_tls_offered "ssl3" add_tls_offered ssl3 yes
;; ;;
7) prln_warning "SSLv3 seems locally not supported" 7) prln_warning "SSLv3 seems locally not supported"
fileout "sslv3" "WARN" "SSLv3 is not tested due to lack of local support" fileout "sslv3" "WARN" "SSLv3 is not tested due to lack of local support"
@ -4111,9 +4138,10 @@ run_protocols() {
fileout "tls1" "INFO" "TLSv1.0 is offered" fileout "tls1" "INFO" "TLSv1.0 is offered"
latest_supported="0301" latest_supported="0301"
latest_supported_string="TLSv1.0" latest_supported_string="TLSv1.0"
add_tls_offered "tls1" add_tls_offered tls1 yes
;; # nothing wrong with it -- per se ;; # nothing wrong with it -- per se
1) out "not offered" 1) out "not offered"
add_tls_offered tls1 no
if ! "$using_sockets" || [[ -z $latest_supported ]]; then if ! "$using_sockets" || [[ -z $latest_supported ]]; then
outln outln
fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad
@ -4123,6 +4151,7 @@ run_protocols() {
fi fi
;; ;;
2) pr_svrty_medium "not offered" 2) pr_svrty_medium "not offered"
add_tls_offered tls1 no
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
[[ $DEBUG -ge 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln
@ -4143,7 +4172,7 @@ run_protocols() {
;; ;;
5) outln "$supported_no_ciph1" # protocol ok, but no cipher 5) outln "$supported_no_ciph1" # protocol ok, but no cipher
fileout "tls1" "INFO" "TLSv1.0 is $supported_no_ciph1" fileout "tls1" "INFO" "TLSv1.0 is $supported_no_ciph1"
add_tls_offered "tls1" add_tls_offered tls1 yes
;; ;;
7) prln_warning "TLSv1.0 seems locally not supported" 7) prln_warning "TLSv1.0 seems locally not supported"
fileout "tlsv1" "WARN" "TLSv1.0 is not tested due to lack of local support" fileout "tlsv1" "WARN" "TLSv1.0 is not tested due to lack of local support"
@ -4161,9 +4190,10 @@ run_protocols() {
fileout "tls1_1" "INFO" "TLSv1.1 is offered" fileout "tls1_1" "INFO" "TLSv1.1 is offered"
latest_supported="0302" latest_supported="0302"
latest_supported_string="TLSv1.1" latest_supported_string="TLSv1.1"
add_tls_offered "tls1_1" add_tls_offered tls1_1 yes
;; # nothing wrong with it ;; # nothing wrong with it
1) out "not offered" 1) out "not offered"
add_tls_offered tls1_1 no
if ! "$using_sockets" || [[ -z $latest_supported ]]; then if ! "$using_sockets" || [[ -z $latest_supported ]]; then
outln outln
fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad
@ -4173,6 +4203,7 @@ run_protocols() {
fi fi
;; ;;
2) out "not offered" 2) out "not offered"
add_tls_offered tls1_1 no
if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then
[[ $DEBUG -ge 1 ]] && tm_out " -- downgraded" [[ $DEBUG -ge 1 ]] && tm_out " -- downgraded"
outln outln
@ -4196,7 +4227,7 @@ run_protocols() {
;; ;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
fileout "tls1_1" "INFO" "TLSv1.1 is $supported_no_ciph1" fileout "tls1_1" "INFO" "TLSv1.1 is $supported_no_ciph1"
add_tls_offered "tls1_1" add_tls_offered tls1_1 yes
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) prln_warning "TLSv1.1 seems locally not supported" 7) prln_warning "TLSv1.1 seems locally not supported"
fileout "tls1_1" "WARN" "TLSv1.1 is not tested due to lack of local support" fileout "tls1_1" "WARN" "TLSv1.1 is not tested due to lack of local support"
@ -4221,9 +4252,10 @@ run_protocols() {
fileout "tls1_2" "OK" "TLSv1.2 is offered" fileout "tls1_2" "OK" "TLSv1.2 is offered"
latest_supported="0303" latest_supported="0303"
latest_supported_string="TLSv1.2" latest_supported_string="TLSv1.2"
add_tls_offered "tls1_2" add_tls_offered tls1_2 yes
;; # GCM cipher in TLS 1.2: very good! ;; # GCM cipher in TLS 1.2: very good!
1) pr_svrty_medium "not offered" 1) pr_svrty_medium "not offered"
add_tls_offered tls1_2 no
if ! "$using_sockets" || [[ -z $latest_supported ]]; then if ! "$using_sockets" || [[ -z $latest_supported ]]; then
outln outln
fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty
@ -4233,6 +4265,7 @@ run_protocols() {
fi fi
;; ;;
2) pr_svrty_medium "not offered" 2) pr_svrty_medium "not offered"
add_tls_offered tls1_2 no
if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then
detected_version_string="SSLv3" detected_version_string="SSLv3"
elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then
@ -4260,7 +4293,7 @@ run_protocols() {
;; ;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
fileout "tls1_2" "INFO" "TLSv1.2 is $supported_no_ciph1" fileout "tls1_2" "INFO" "TLSv1.2 is $supported_no_ciph1"
add_tls_offered "tls1_2" add_tls_offered tls1_2 yes
;; # protocol ok, but no cipher ;; # protocol ok, but no cipher
7) prln_warning "TLSv1.2 seems locally not supported" 7) prln_warning "TLSv1.2 seems locally not supported"
fileout "tls1_2" "WARN" "TLSv1.2 is not tested due to lack of local support" fileout "tls1_2" "WARN" "TLSv1.2 is not tested due to lack of local support"
@ -4970,8 +5003,8 @@ cipher_pref_check() {
out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\""; out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"";
continue continue
fi fi
# FIXME: #759
# has_server_protocol "$p" || continue [[ $(has_server_protocol "$p") -eq 1 ]] && continue
if [[ $p != ssl3 ]] || "$HAS_SSL3"; then if [[ $p != ssl3 ]] || "$HAS_SSL3"; then
# with the supplied binaries SNI works also for SSLv3 # with the supplied binaries SNI works also for SSLv3
@ -9265,21 +9298,21 @@ run_heartbleed(){
return 0 return 0
fi fi
if $(has_server_protocol "tls1"); then if [[ 0 -eq $(has_server_protocol tls1) ]]; then
tls_hexcode="x03, x01" tls_hexcode="x03, x01"
elif $(has_server_protocol "tls1_1"); then elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
tls_hexcode="x03, x02" tls_hexcode="x03, x02"
elif $(has_server_protocol "tls1_2"); then elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
tls_hexcode="x03, x03" tls_hexcode="x03, x03"
elif $(has_server_protocol "ssl3"); then elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
tls_hexcode="x03, x00" tls_hexcode="x03, x00"
else # no protcol for some reason defined, determine TLS versions offered with a new handshake else # no protcol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ;; *1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ;; *1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ;; TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ;; SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
@ -9423,21 +9456,21 @@ run_ccs_injection(){
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
pr_bold " CCS"; out " ($cve) " pr_bold " CCS"; out " ($cve) "
if $(has_server_protocol "tls1"); then if [[ 0 -eq $(has_server_protocol tls1) ]]; then
tls_hexcode="x03, x01" tls_hexcode="x03, x01"
elif $(has_server_protocol "tls1_1"); then elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
tls_hexcode="x03, x02" tls_hexcode="x03, x02"
elif $(has_server_protocol "tls1_2"); then elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
tls_hexcode="x03, x03" tls_hexcode="x03, x03"
elif $(has_server_protocol "ssl3"); then elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
tls_hexcode="x03, x00" tls_hexcode="x03, x00"
else # no protocol defined for some reason, determine TLS versions offered with a new handshake else # no protcol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ;; *1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ;; *1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ;; TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ;; SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
@ -9619,21 +9652,21 @@ run_ticketbleed() {
return 0 return 0
fi fi
if $(has_server_protocol "tls1"); then if [[ 0 -eq $(has_server_protocol tls1) ]]; then
tls_hexcode="x03, x01" tls_hexcode="x03, x01"
elif $(has_server_protocol "tls1_1"); then elif [[ 0 -eq $(has_server_protocol tls1_1) ]]; then
tls_hexcode="x03, x02" tls_hexcode="x03, x02"
elif $(has_server_protocol "tls1_2"); then elif [[ 0 -eq $(has_server_protocol tls1_2) ]]; then
tls_hexcode="x03, x03" tls_hexcode="x03, x03"
elif $(has_server_protocol "ssl3"); then elif [[ 0 -eq $(has_server_protocol ssl3) ]]; then
tls_hexcode="x03, x00" tls_hexcode="x03, x00"
else # no protocol for some reason defined, determine TLS versions offered with a new handshake else # no protcol for some reason defined, determine TLS versions offered with a new handshake
$OPENSSL s_client $BUGS $OPTIMAL_PROTO -connect $NODEIP:$PORT $PROXY $SNI >$TMPFILE 2>$ERRFILE </dev/null $OPENSSL s_client $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY >$TMPFILE 2>$ERRFILE </dev/null
case "$(get_protocol $TMPFILE)" in case "$(get_protocol $TMPFILE)" in
*1.2) tls_hexcode="x03, x03" ;; *1.2) tls_hexcode="x03, x03" ; add_tls_offered tls1_2 yes ;;
*1.1) tls_hexcode="x03, x02" ;; *1.1) tls_hexcode="x03, x02" ; add_tls_offered tls1_1 yes ;;
TLSv1) tls_hexcode="x03, x01" ;; TLSv1) tls_hexcode="x03, x01" ; add_tls_offered tls1 yes ;;
SSLv3) tls_hexcode="x03, x00" ;; SSLv3) tls_hexcode="x03, x00" ; add_tls_offered ssl3 yes ;;
esac esac
fi fi
debugme echo "using protocol $tls_hexcode" debugme echo "using protocol $tls_hexcode"
@ -12797,9 +12830,9 @@ determine_optimal_proto() {
tmp=${tmp/\./_} tmp=${tmp/\./_}
tmp=${tmp/v/} tmp=${tmp/v/}
tmp="$(tolower $tmp)" tmp="$(tolower $tmp)"
add_tls_offered "$tmp" add_tls_offered "${tmp}" yes
else else
add_tls_offered "${OPTIMAL_PROTO/-/}" add_tls_offered "${OPTIMAL_PROTO/-/}" yes
fi fi
debugme echo "one proto determined: $tmp" debugme echo "one proto determined: $tmp"
all_failed=false all_failed=false