Commit Graph

3876 Commits

Author SHA1 Message Date
Dirk Wetter 3fea4e01e1
Update feature_request.md 2021-05-16 15:24:06 +02:00
Dirk Wetter 46ad8801de
Merge pull request #1892 from drwetter/drwetter-patch-1
Update bug_report.md
2021-05-16 15:07:19 +02:00
Dirk Wetter 188003ea97
Update bug_report.md 2021-05-16 15:07:08 +02:00
Dirk Wetter 15ace79a4c
Merge pull request #1722 from vitaliytv/patch-1
upd alpine to 3.12
2021-05-15 12:27:41 +02:00
Dirk Wetter 325e7380b9
Merge pull request #1888 from dcooper16/send_to_stderr
Print errors to stderr
2021-05-15 12:22:34 +02:00
Dirk Wetter e4807a7c9a
Merge pull request #1890 from dcooper16/specify_err_code
Specify an error code in all calls to fatal()
2021-05-13 18:46:05 +02:00
David Cooper 265c85a44f Specify an error code in all calls to fatal()
This commit fix a few places in which calls to fatal() do not specify an error code.
2021-05-13 11:32:56 -04:00
David Cooper 0552fdadb8 Print errors to stderr
In parse_cmd_line() error messages are usually printed to stderr, but in three places the messages are printed to stdout. This commit modifies those three lines so that they also print to stderr.

The commit also replaces a call to a non-existant function, tmln_magenta_term, with a call to tmln_magenta.
2021-05-13 11:10:01 -04:00
Dirk Wetter 17ad3d70a4
Merge pull request #1882 from drwetter/epoch_180hsts_1879
Fix "off by one" error in HSTS
2021-05-10 12:12:39 +02:00
Dirk Wetter a6f8aa61de Fix travis
Respect changed HSTS epoch time of 180 days.

(DROWN output is changed too as the certificated changed but doesn't matter
as the travis check filters that)
2021-05-10 11:28:25 +02:00
Dirk Wetter 2c3589742b
Merge pull request #1884 from definity/3.1dev
fixed minor bug with json output for TLS1.1
2021-05-09 10:56:56 +02:00
Chad Brigance 6b9d8bbc51 fixed minor bug with json output for TLS1.1 2021-05-08 19:24:56 +00:00
Dirk Wetter 9121c7a3c9 Fix "off by one" error in HSTS
There was by mistake a 179 days threshold and also the error message
was wrong when HSTS was exactly set to 179 days.

This commit sets it to 180 days and corrects the error messages on
both screen and JSON.
2021-05-08 14:45:38 +02:00
Dirk Wetter 37a6b905a5
Merge pull request #1868 from dcooper16/improve_ossl30_support
Improve compatibility with OpenSSL 3.0
2021-04-08 15:00:28 +02:00
David Cooper 944eb1bcd9 Improve compatibility with OpenSSL 3.0
This commit addresses a few issued related to the use of testssl.sh with OpenSSL 3.0.0-alpha14.

First, when pkey is used to print a DH key that uses an unknown group, OpenSSL 3.0.0-alpha14 labels the prime and generator using "P:" and "G:" rather than "prime:" and "generator:". (In PR #1586 it was noted that OpenSSL 3.0.0-alpha1 used "prime P:" and "generator G:". The x509 command in OpenSSL 3.0.0-alpha14 still uses "prime P:" and "generator G:" when printing a DH public key in a certificate, but the pkey command just uses "P:" and "G:").

Second, when the pkey command is used to print a DH key that uses certain common primes (e.g., groups from RFC 3526 or RFC 7919), OpenSSL 3.0.0-alpha14 simply prints "GROUP: " followed by a short name for the group rather than printing the value of the prime and generator.

Finally, the "-text" option no longer works if the input is a public key. Fortunately, the "-text_pub" option provides the expected results with all versions of OpenSSL and LibreSSL.
2021-04-07 13:28:34 -04:00
Dirk Wetter ac39aa5832
Merge pull request #1865 from drwetter/fix1860_svSE_etc_charset
Ensure certain regex patterns work as expected and aren't localized
2021-04-04 17:46:50 +02:00
Dirk 30bafe6d4f Ensure certain regex patterns work as expected and aren't localized
see #1860 .

This PR is trying to address an issue where probably newer bash versions
is treated differently as in other locales, W is just a variant of V
see also e.g.

https://collation-charts.org/opensolaris/opensolaris.2008.05.sv_SE.UTF-8.html
https://www.sqlservercentral.com/forums/topic/order-by-name-not-works#post-1644177
2021-04-04 11:55:29 +02:00
Dirk Wetter 1569bded44
Merge pull request #1864 from drwetter/rhs_quotes_fix
Fix redundant quotes at RHS of ==
2021-04-02 18:13:57 +02:00
Dirk 2101425c59 Fix redundant quotes at RHS of ==
While looking at #1860 there were two instances where
the right hand side of expressions in a double square
bracket had quotes.
2021-04-02 17:01:36 +02:00
Dirk Wetter 269f92dea1
Merge pull request #1863 from drwetter/fix_unittest_61_diff
Adjust master template for t/61_diff_testsslsh.t
2021-04-02 16:59:47 +02:00
Dirk e71ebfea4a Adjust master template for t/61_diff_testsslsh.t
... so that Travis CI works again
2021-04-02 16:57:20 +02:00
Dirk Wetter 88f9e07ac6
Merge pull request #1862 from vin01/3.1dev
Add xxd to docker image
2021-04-01 09:39:55 +02:00
vin01 5e062087f9
Add xxd to docker image
xxd is not a strict requirement and a fallback logic exists to handle its absence. However it is in general more performant and helpful in debugging as well which is desirable in many situations like ci/cd pipelines. See commit 3756cdc for details
2021-04-01 09:07:44 +02:00
Dirk Wetter f3e00738f3
Merge pull request #1861 from vin01/3.1dev
Use locally scoped counter in hex2binary
2021-03-31 15:43:19 +02:00
vin01 09ce15ebe9
Use locally scoped counter in hex2binary 2021-03-31 14:09:38 +02:00
Dirk Wetter b468071d72
Merge pull request #1859 from jschauma/3.1dev
whitespace alignment
2021-03-25 22:13:31 +01:00
Jan Schaumann e282dbcd1a whitespace alignment 2021-03-25 16:39:36 -04:00
Dirk Wetter d07b6bcd2b
Merge pull request #1857 from jschauma/3.1dev
add codepoints for RFC7905, ChaCha20-Poly1305
2021-03-25 20:58:41 +01:00
Jan Schaumann 8f13f4d45c add codepoints for RFC7905, ChaCha20-Poly1305 2021-03-25 11:27:25 -04:00
Dirk Wetter 2a6eb51e1d
Merge pull request #1853 from dcooper16/cleanup_hex2binary
Cleanup conversion from ASCII-HEX to binary
2021-03-24 13:51:45 +01:00
David Cooper d8bec390be Reintroduce hex2ascii()
Add hex2ascii() as a function that just calls hex2binary().
2021-03-22 11:56:46 -04:00
David Cooper 3756cdcb38 Cleanup conversion from ASCII-HEX to binary
This commit makes some minor improvements to code that converts ASCII-HEX to binary.

First, testssl.sh currently has two functions that do the same thing: asciihex_to_binary() and hex2ascii(). This commit all calls to either of these functions with calls to hex2binary(), which is based on the current asciihex_to_binary().

This commit also changes direct use of printf to calls to hex2ascii() in generate-ccm-counter-blocks(), ccm-compute-tag(), and generate_gcm_counter().

Finally, this commit cleans up the implemention of hex2binary() a bit and introduces the option to use xxd, if that program is available. Using xxd rather than multiple calls to printf has a couple of advantages. xxd is a bit faster. However, the primary advantage is that when debugging (i.e., using bash -x), each call to hex2binary() only includes a few steps, regardless of how long the string is, whereas using printf the call to hex2binary() could take hundreds of steps.
2021-03-22 11:55:30 -04:00
Dirk Wetter 016ab0673a
Merge pull request #1856 from caillou/patch-1
Fix typo
2021-03-21 13:24:29 +01:00
Pierre Spring 93408b8776
Fix typo 2021-03-21 08:33:25 +01:00
Dirk Wetter 895a6b975d
Merge pull request #1851 from mbogh/patch-1
Added GitHub Action to External/related projects
2021-03-11 10:42:52 +01:00
Morten Bøgh 45cde49a03
Added GitHub Action to External/related projects 2021-03-11 10:11:44 +01:00
Dirk Wetter 9f0e4763d3
Merge pull request #1849 from johannesschaefer/patch-1
Add web net tools to web frontend
2021-03-03 12:16:47 +01:00
Johannes Schäfer c0b1b18dcc
Add web net tools to web frontend 2021-03-02 21:12:16 +01:00
Dirk Wetter 8b5bcd4769
Merge pull request #1847 from elfranne/patch-1
IANA <-> Openssl mapping issue
2021-02-25 13:46:15 +01:00
Elfranne 62d827e43b
remove unintentional change 2021-02-25 13:37:59 +01:00
Elfranne 440190f156
mapping issue
Seems Camellia got its last digit cut off.
2021-02-25 13:33:47 +01:00
Dirk Wetter e9f73ffffd
Merge pull request #1714 from dcooper16/clientauth
Print information about certificate-based client authentication
2021-02-08 09:22:31 +01:00
David Cooper f829c8ebf0 Add more comments to print_dn()
This commit adds some more explanatory comments to the code in print_dn()
2021-02-05 13:35:54 -05:00
David Cooper 9dbb629154 Add printing of information about client authentication to run_server_defaults(). Minor cleanup of code to extract information about client authentication. 2021-02-05 13:11:38 -05:00
David Cooper e8a3dce5ad sclient_auth() improvements
Modify sclient_auth() to use checks similar to sclient_connect_successful() to determine whether the connection attempt was successful. Replace uses of awk and grep with Bash internals string comparisons.
2021-02-05 13:11:38 -05:00
David Cooper 44787d6bcb Extract Client Auth CA list
This commit is a first step towards addressing #1709. It attempts to determime whether certificate-based client authentication is (1) not requested, (2) optional, or (3) required. If it is either optional or required, then it extracts the list of CA names (DNs) that the server sends in its CertificateRequest message.

The code for extracting the CA list from the CertificateRequest message seems to be working correctly. However, this commit is incomplete for a couple of reasons. First, it does not produce any new output, it just collects the information. Second, sclient_auth() needs some work.

The current sclient_auth() simply returns 0 if $OPENSSL returned 0. This may be okay if only trying to determine whether certificate-based client authentication is required. However, if it is optional, then the output will include "CertificateRequest", but $OPENSSL will return 0, since the connection was successful even though the client did not provide a certificates.

If $OPENSSL does not return 0, then sclient_auth() checks whether Master-Key is present. This works for TLS 1.2 and earlier, but not for TLS 1.3. So, sclient_auth() needs to be updated to work correctly with TLS 1.3.

The modified version of sclient_auth() will set CLIENT_AUTH and CLIENT_AUTH_CA_LIST for any version of TLS, but the remaining part of the code needs work. As I am not clear on the reason for this code, I need some help with it. Why does the code only look for "CertificateRequest" if "Master-Key" is present? Why is there a check for Session-ID in a function that is supposed to just be checking for client authentication. Why is CLIENT_AUTH set to false if SESSION-ID is absent (this is a no-op since CLIENT_AUTH would already have been false)?
2021-02-05 13:11:38 -05:00
Dirk Wetter bf24c80174
Merge pull request #1837 from dcooper16/files_in_mass_testing_file
Mass testing with CSV, HTML, JSON, and/or LOG file names in mass test…
2021-02-04 21:00:12 +01:00
Dirk Wetter 53fc1c2a18
Merge pull request #1838 from fogs/3.1dev
Fixed typos
2021-01-30 10:46:17 +01:00
fogs 9c794ea4bd Fixed typos 2021-01-30 09:13:16 +01:00
David Cooper 1de8def49f Mass testing with CSV, HTML, JSON, and/or LOG file names in mass testing file
See #1148 and #1805.

As noted in #1148, testssl.sh is not current designed to handle a mass testing file in which CSV, HTML, LOG, and/or JSON file names are provided in the mass testing file. If a child process receives a command line with one of the files, it assumes the same command-line option was provided to the parent so that the output of every test is being written to this one file. If this assumption is wrong, then either the file will not be created at all or it will be malformed since it will be missing header and/or footer information.

This PR partially addresses the problem by introducing new command-line arguments that are for internal use only. These command line arguments allow a child process to distinguish between a CSV, HTML, LOG, or JSON file that it is supposed to create itself versus one that is to be shared by all of the child processes.

There is one major limitation to this PR. The code for handle command-line arguments in the mass testing file is very simple and cannot handle whitespace characters, whether they are enclosed in quotes or are escaped. So, any file names included in the mass testing file cannot have whitespace characters.
2021-01-26 16:46:35 -05:00