Commit Graph

3321 Commits

Author SHA1 Message Date
Dirk Wetter
e0c83b2a38
add more filters 2020-02-24 14:21:28 +01:00
Dirk Wetter
02b83cc092
Merge pull request #1516 from dcooper16/min_hsts
Fix use of HSTS_MIN
2020-02-21 09:59:32 +01:00
David Cooper
f342031844 Fix use of HSTS_MIN
This commit fixes two minor issues related to HSTS_MIN:

* If there is a misconfiguration the recommended max-age should be based on $HSTS_MIN rather than being hardcoded to 15552000 seconds = 180 days.

* If max-age is exactly $HSTS_MIN, testssl.sh shouldn't say that max-age is too short while also say that >= $HSTS_MIN seconds is recommended.
2020-02-20 14:17:49 -05:00
Dirk Wetter
64fea03f66
Merge pull request #1510 from drwetter/rDNS_fixes
Fix for non compliant DNS PTR records
2020-02-15 15:22:22 +01:00
Dirk Wetter
95b6189076
Merge pull request #1509 from drwetter/container1
remove jq and beautify last line
2020-02-15 14:08:43 +01:00
Dirk Wetter
b81c409135 Fix for non compliant DNS PTR records
This commit addresses two bugs: #1506 and #1508.

First, the variable rDNS can contain multiple lines due to multiple PTR DNS
records, though this is not recommended.  In those cases the multiple PTR DNS
were concatenated on the screen, without any blank.

Secondly - depending on the name server entries and on the output of the DNS
binaries used it can contain non-printable characters or characters which are
printable but later on interpreted on the output device (\032 was mentioned
in #1506) which on the screen was interpreted as octal 32 (decimal 26 = ▒,
try echo "\032"), so basically a terminal escape sequence was smuggled
from the DNS server to the screen of the users. In JSON pretty output we
had also this escape sequence which was fine for jsonlint but caused jq
to hiccup.

Fix: we use a loop to check for each FQDN returned. There we remove chars which
under those circumstances can show up. The blacklist is taken from RFC 1912
("Allowable characters in a label for a host name are only ASCII, letters, digits,
and the `-' character").
2020-02-15 13:43:37 +01:00
Dirk Wetter
75be8d9f38 remove jq and beautify last line 2020-02-15 12:09:33 +01:00
Dirk Wetter
f01c1196c0
Merge pull request #1505 from dcooper16/fix_1504
Fix #1504
2020-02-13 17:52:06 +01:00
David Cooper
8d3640ca20 Fix #1504 by moving the description of the test out of the section that describes vulnerability tests. 2020-02-13 10:57:48 -05:00
Dirk Wetter
d549c833c8
Merge pull request #1501 from dcooper16/cipher_order_wide
Wide output for cipher order
2020-02-13 09:34:40 +01:00
David Cooper
6c88a26861
Wide output for cipher order
Since, in cases in which the server enforces a cipher order, both run_cipher_per_proto() and run_server_preference() list every cipher supported by the server for each protocol, there was a discussion at one point about eliminating run_cipher_per_proto() and extending run_server_preference().

This PR takes a step in that direction by providing the option to present the "Cipher order" in wide mode.
2020-02-12 11:05:20 -05:00
Dirk Wetter
b0cce84a7f
Merge pull request #1500 from dcooper16/shellcheck_SC2197
Fix Shellcheck SC2197
2020-02-10 20:45:16 +01:00
David Cooper
28d65247b0
Fix Shellcheck SC2197
This PR fixes one Shellcheck issue:

      In testssl_3.1dev_20200208.sh line 2395:
                HEADERVALUE="$(fgrep -Fai "$key:" $HEADERFILE | head -1)"
                               ^-- SC2197: fgrep is non-standard and deprecated. Use grep -F instead.

The man page for grep states that fgrep is the same a grep -F and that grep is deprecated. So, fgrep -F is just redundant.
2020-02-10 13:51:08 -05:00
Dirk Wetter
6da6335e5b
Merge pull request #1498 from dcooper16/minor_code_cleanup
Minor code cleanup
2020-02-08 10:32:46 +01:00
David Cooper
2af5fa72d1
Minor code cleanup
This PR makes some minor changes to the code in order to clean it up a little.
2020-02-07 17:21:22 -05:00
Dirk Wetter
8bdad385d5
Merge pull request #1497 from dcooper16/neat_list_export
neat_list() and export
2020-02-07 18:14:11 +01:00
David Cooper
d916f048be
neat_list() and export
Currently, the function neat_list() uses the variable "export", but does not define it. The result is that "export" variable in the calling function is used.

This PR fixes that by defining "export" as a local variable in neat_list() and by setting its value via a new parameter to the function.

This PR also removes a "FIXME" from run_rc4() since the problem has already been fixed.
2020-02-06 14:33:13 -05:00
Dirk Wetter
9a0325875e
Merge pull request #1495 from dcooper16/fix_pub_key_length_calculation
Fix public key length calculation
2020-02-04 21:45:52 +01:00
David Cooper
3025d92ebf
Fix public key length calculation
This PR fixes a minor bug in get_pub_key_size(). If the key size is being determined manually and length encoding requires 4 bytes, then the current code computes the length incorrectly. This is a very insignificant bug, since does not apply to RSA or ECC keys, and the key would have to be at least 16 megabytes long for it to require 4 bytes to encode.

This PR also cleans up get_pub_key_size() a bit by replacing `i=$i+...` with `i+=...` and by enclosing math in `$(( ... ))`.
2020-02-04 14:55:53 -05:00
Dirk Wetter
e9430bdd23
Merge pull request #1490 from drwetter/dotasurl_fix
Fix URL when hostname with trailing dot supplied
2020-02-04 16:20:23 +01:00
Dirk Wetter
77398af399
Merge pull request #1492 from dcooper16/fix_typos
Fix typos
2020-02-04 16:18:46 +01:00
David Cooper
f756080a01
Fix typos
I noticed two places that had a single "&" rather than "&&". I didn't try to do any testing, but these certainly seem like typos.
2020-02-04 09:52:44 -05:00
Dirk
c2df2f1fc0 Fix URL when hostname with trailing dot supplied
Hostnames can contain a trailing dot (and sometimes they should).
If they are supplied to testssl.sh however they will be also interpreted
as a URL PATH when the servive is HTTP.

This commit fixes that.
2020-02-03 22:26:01 +01:00
Dirk Wetter
ccafd9125b
Merge pull request #1488 from dcooper16/fix_client_simulation
Fix client simulation
2020-01-31 20:23:58 +01:00
David Cooper
46c05c6732 Fix client simulation
replace ciphers with ch_ciphers and sni with ch_sni in client simulation data file.
2020-01-31 10:52:50 -05:00
Dirk Wetter
7c85b44a9f
Merge pull request #1482 from dcooper16/shellcheck_SC2178
Suppress shellcheck issue SC2178
2020-01-31 09:23:06 +01:00
Dirk Wetter
e8b7a04e53
Merge pull request #1487 from simondeziel/dup-cipher
Remove (harmless) AESGCM dup in the strong ciphers list
2020-01-31 09:22:03 +01:00
Dirk Wetter
2f54613d6d
Merge pull request #1484 from dcooper16/tls13_post_handshake
TLS 1.3 post-handshake messages
2020-01-31 08:55:08 +01:00
Dirk Wetter
7443a532cf
Merge pull request #1486 from drwetter/fix_ids_friendly
Fix --ids-friendly
2020-01-31 08:48:01 +01:00
Dirk Wetter
89fd902b18
Merge pull request #1483 from dcooper16/minor_code_cleanup
Minor code cleanup
2020-01-31 08:41:43 +01:00
Simon Deziel
772713f497 Remove (harmless) AESGCM dup in the strong ciphers list
Signed-off-by: Simon Deziel <simon@sdeziel.info>
2020-01-30 17:29:44 -05:00
Dirk Wetter
c4920f61e4 rename query_globals() --> count_do_variables()
.. and fix one problem instroduced with last patch (testssl.sh
din't work correclty if only an URI was supplied)
2020-01-30 22:25:10 +01:00
Dirk Wetter
073d383f76 Fix switch --ids-friendly
This switch had no effect. There was probably a regression
problem as it worked before.

Besides fixing that the large case statement in parse_cmd_line()
was simplified, in a sense that banner and help functions were
moved to a separate case statement.
2020-01-30 21:49:56 +01:00
David Cooper
aba544b188
TLS 1.3 post-handshake messages
This PR adds support for post-handshake messages when using sockets with TLS 1.3 connections. If a TLS 1.3 connection is established and the connection is to remain open after tls_sockets() finishes, then after the client's Finished message is sent the master secret and the application traffic keys are computed. This PR also adds two new functions to send and receive application data over a TLS 1.3 connection.

This PR also includes two proofs-of-concept for the use of the new functions. receive_app_data() is called immediately after the client's Finished message is sent. Some server's will send new session tickets immediately after the handshake is complete. If they do, then the code will decrypt and parse the session ticket messages.

This PR also modifies service_detection() to try using sockets if the server only supports TLS 1.3 and $OPENSSL does not support TLS 1.3. After the handshake is complete, this code sends an HTTP GET request and reads the response. The code is fairly slow and it doesn't always work. However, since it is only used in cases in which $OPENSSL cannot work, it can't hurt to try using sockets.
2020-01-30 15:20:25 -05:00
David Cooper
5d2978fdbe
Minor code cleanup
This PR cleans up the code in a few places by using "case" statements in a few places where the value of a variable is checked multiple times.
2020-01-30 14:00:46 -05:00
David Cooper
19db41742f
Suppress shellcheck issue SC2178
Due to a bug, the shellcheck program will complain if a variable is defined as an array but is later used as an ordinary string, even if the two uses are locally defined variables in different contexts. The error message is:

   SC2178: Variable was used as an array but is now assigned a string.

While the warnings are not highlighting any actual problems in testssl.sh, this PR gets rid of the warnings by renaming a few variables.
2020-01-30 13:53:33 -05:00
Dirk Wetter
3a73a97b67
Merge pull request #1480 from drwetter/readme-patch1
Status update / mir rephrasing of key features
2020-01-30 18:14:43 +01:00
Dirk Wetter
16907cf77e
Status update / mir rephrasing of key features 2020-01-30 18:14:20 +01:00
Dirk Wetter
ef21f3f9bf
Merge pull request #1476 from dcooper16/tls13_finished_messages
TLS 1.3 Finished messages
2020-01-30 10:26:27 +01:00
Dirk Wetter
5e9767a17c
Merge pull request #1477 from dcooper16/faster_gcm
Speedup AES-GCM
2020-01-30 10:22:02 +01:00
David Cooper
1ea631addd Speedup AES-GCM
The implementation of AES-GCM in #1473 is much slower than the original version, even when the authentication tag is not being computed. This PR modifies the code in gcm() in order to significantly speed up the encryption/decryption time (when authentication tags are not being computed).
2020-01-29 12:12:04 -05:00
David Cooper
7516c01315
TLS 1.3 Finished messages
This PR adds processing of the Finished messages in TLS 1.3 handshakes. It also addresses some shellcheck issues.

If in debug mode, the HMAC of the transcript hash of the handshake context ($msg_transcript) is computed and compared against the Finished message sent by the server.

If the full server response is parsed and the connection with the server is not to be closed when tls_sockets() completes, then the TLS 1.3 handshake is completed by creating the client Finished message and sending it to the server.
2020-01-28 11:15:03 -05:00
Dirk Wetter
3da67437f3
Merge pull request #1475 from dcooper16/reorganize_key_derivation
Reorganize TLS 1.3 key derivation
2020-01-27 21:52:24 +01:00
David Cooper
b8d414b432
Reorganize TLS 1.3 key derivation
This PR reorganizes the code for deriving TLS 1.3 symmetric keys in order to facilitate implementing the full key schedule. For example, rather than having a single function to derive the handshake traffic keys, this PR creates one function to derive the handshake secret and a separate function to derive the handshake traffic keys. The second function has been generalized so that it can derive either client or server traffic keys. Separating into two functions also makes the handshake_secret available for later use to derive the master secret and then the application traffic secrets and the application traffic keys.

This PR also changes where there message transcript is created, a message transcript will also be needed to derive the application traffic secrets. This PR includes the code to add the messages to the initial message transcript that will be needed for the input to the application traffic secret derivation function.
2020-01-27 09:52:15 -05:00
Dirk Wetter
c3bab98b92
Merge pull request #1474 from drwetter/backport_4b573dd
Suppress displaying an error in maketempf()
2020-01-26 01:30:58 +01:00
Dirk
c63547ca7b Suppress displaying an error in maketempf() 2020-01-26 01:29:18 +01:00
Dirk
4b573dd833 Suppress displaying an error in maketempf() 2020-01-26 01:24:11 +01:00
Dirk Wetter
51ca429b48
Merge pull request #1473 from dcooper16/aead
Full AEAD cipher implementations
2020-01-25 12:37:28 +01:00
David Cooper
351bb7a4e8
Full AEAD cipher implementations
RFC 8446 specifies cipher suites that use three symmetric encryption algorithms, all of which are Authenticated Encryption with Associated Data (AEAD) algorithms. In each of these algorithms when data is encryption an authentication tag is created, which allows the recipient to verify that the data has not been modified. The authentication may also cover some additional data that was not encrypted.

The current implementations of these algorithms in testssl.sh decrypt the ciphertext, but do not check that the authentication tag is correct (which involves the recipient computing the correct tag for the received data and then comparing it to the provided tag). While testssl.sh can get away with not checking authentication tags when receiving data, the ability to compute authentication tags is needed in order to send encrypted data as TLS servers would reject any encrypted data that did not have a correct authentication tag. Being able to send encrypted data is necessary to be able to complete the TLS 1.3 handshake.

This PR replaces the current implementations of the symmetric encryption algorithms with full implementations of each of the algorithms. These full implementations include the ability to encrypt data for sending, and can also verify the authentication tag when decrypting data. Since the Bash implementations of these algorithms is very slow, the decryption code is designed to only compute and check authentication tags in debug mode.

While the implementation of the code to compute authentication tags for AES-CCM was based on NIST Special Publication 800-38C, I was not able to implement the code for AES-GCM or Poly1305 from their specifications (NIST Special Publication 800-38D and RFC 8439, respectively). So, I would very much like to thank the implementers of https://github.com/mko-x/SharedAES-GCM and https://github.com/floodyberry/poly1305-donna. The implementations of AES-GCM and Poly1305 in the PR were developed by translating the C code in https://github.com/mko-x/SharedAES-GCM and https://github.com/floodyberry/poly1305-donna into Bash. I don't understand what that code is doing, but it seems to work. :-)

I have only tested this code on a computer with a 64-bit operating system. While I have not tested it, I believe that the decryption code will work with 32-bit integers if not in debug mode (i.e., if not trying to compute the authentication tags). I also believe that the AES-CCM code for computing authentication tags will work with 32-bit integers. However, AES-GCM and Poly1305 code for computing authentication tags will definitely only work on systems that have 64-bit integers. So, on systems that do not have 64-bit integers, encryption will not work for AES-GCM or ChaCha20-Poly1305, and decryption will not work for these algorithms if in debug mode.
2020-01-24 15:26:13 -05:00
Dirk Wetter
1ad7a65adf
Merge pull request #1472 from drwetter/reorder
Reorder functions and some variables
2020-01-24 14:46:18 +01:00