Commit 648e9c40 authored by Hilko Bengen's avatar Hilko Bengen

New upstream version 2.9.5-7+dfsg1

parent 5a75801a
......@@ -39,15 +39,15 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++;
# Self signed and not-expired
pass("Running testssl against self-signed.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
like($out, qr/Certificate Expiration\s+\d+/,"The certificate should not be expired"); $tests++;
unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
if ( $f->{id} eq "expiration" ) {
$found = 1;
like($f->{finding},qr/^Certificate Expiration \: \d+/,"Finding doesn't read expired."); $tests++;
is($f->{severity}, "OK", "Severity should be ok"); $tests++;
unlike($f->{finding},qr/^Certificate Expiration\s+expired\!/,"Finding doesn't read expired."); $tests++;
isnt($f->{severity}, "CRITICAL", "Severity should be OK or MEDIUM"); $tests++;
last;
}
}
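Review bot: `isnt($f->{severity}, "CRITICAL", "Severity should be OK or MEDIUM")` checks less than its description claims — a HIGH, LOW or WARN severity would also pass; `like($f->{severity}, qr/^(OK|MEDIUM)$/, "Severity should be OK or MEDIUM")` pins what the message says. The same weakening applies to the console check, where `like($out, qr/Certificate Expiration\s+\d+/ ...)` became `unlike($out, qr/Certificate Expiration\s+expired\!/ ...)`: a negative-only assertion is satisfied by empty output, so an aborted or unreachable testssl run now passes that test. Keep a positive match alongside it, e.g. `like($out, qr/Certificate Expiration\s+\S/, "Expiration line present")`, so the unlike is only meaningful when the scan actually produced the line. The enclosing test script continues outside the hunk.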
......
......@@ -105,7 +105,7 @@ fi
trap "cleanup" QUIT EXIT
trap "child_error" USR1
readonly VERSION="2.9.5-4"
readonly VERSION="2.9.5-7"
readonly SWCONTACT="dirk aet testssl dot sh"
egrep -q "dev|rc" <<< "$VERSION" && \
SWURL="https://testssl.sh/dev/" ||
......@@ -814,8 +814,8 @@ fileout() {
if ( "$do_pretty_json" && [[ "$1" == "service" ]] ) || show_finding "$severity"; then
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
[[ -e "$JSONFILE" ]] && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint")
"$do_csv" && \
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint")
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\",\""$cve"\",\""$cwe"\",\""$hint"\"" >> "$CSVFILE"
"$FIRST_FINDING" && FIRST_FINDING=false
fi
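Review bot: The two new output guards are not equivalent: the JSON write requires `[[ -e "$JSONFILE" ]]`, whereas the CSV write requires only `[[ -n "$CSVFILE" ]]`, so if csv_header (presumably the function creating the file) could not create it, every fileout call still attempts `>> "$CSVFILE"` and emits a shell error per finding instead of silently skipping as the JSON path does. Using the same existence test, `"$do_csv" && [[ -e "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \`, keeps the two paths consistent. Neither `! -d` check rejects a symlink, and both paths append with `>>`, so a pre-existing link at a user-supplied output path is followed; a `! -L` test is worth considering if these files may be written into shared directories. fileout starts outside the hunk.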
......@@ -9483,18 +9483,34 @@ run_ccs_injection(){
fileout "ccs" "OK" "CCS: not vulnerable" "$cve" "$cwe"
fi
ret=0
elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
# decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "ccs" "CRITICAL" "CCS: VULNERABLE" "$cve" "$cwe" "$hint"
ret=1
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
if [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
# Unexpected message / Handshake failure received
pr_warning "likely "
out "not vulnerable (OK)"
out " - alert description type: $byte6"
fileout "ccs" "WARN" "CCS: probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
pr_warning "test failed "
out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=1
elif [[ "$byte6" == "15" ]]; then
# decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
# Unexpected message / Handshake failure received
pr_warning "likely "
out "not vulnerable (OK)"
out " - alert description type: $byte6"
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "14" ]]; then
# bad_record_mac -- this is not "not vulnerable"
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious \"bad_record_mac\" ($byte6)"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE" "$cve" "$cwe" "$hint"
else
# other errors, see https://tools.ietf.org/html/rfc5246#section-7.2
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious error code \"$byte6\" returned. Please report"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
fi
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
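Review bot: The guard `if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]` does not test what it appears to: inside `[...]` the `|` is a literal character, so the bracket expression matches any two-character string containing a 0, 1, 2, 3 or `|`, and the match is unanchored, which makes the "test failed" branch practically unreachable and lets every malformed `1503..` reply fall through to the alert-type classification. The offset also looks off by one for a hex dump, where the version minor byte occupies characters 4-5 after `1503` — confirm against how tls_hello_ascii is built. `if [[ ! "${tls_hello_ascii:4:2}" =~ ^0[0-3]$ ]]; then` expresses the evident intent, and the message on the following line has a typo ("repy" → "reply"). Note also that, unlike the removed code, the CRITICAL branches no longer set `ret=1`; if ret is the function's return value, this changes the exit status for vulnerable hosts. run_ccs_injection starts and ends outside the hunk.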
......@@ -10677,8 +10693,6 @@ run_beast(){
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln
pr_headlineln " Testing for BEAST vulnerability "
fi
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln
fi
pr_bold " BEAST"; out " ($cve) "
......@@ -10891,10 +10905,11 @@ run_beast(){
if "$vuln_beast"; then
if [[ -n "$higher_proto_supported" ]]; then
if "$WIDE"; then
outln
outln; out " "
# NOT ok seems too harsh for me if we have TLS >1.0
pr_svrty_low "VULNERABLE"
outln " -- but also supports higher protocols (possible mitigation):$higher_proto_supported"
outln
else
out "$spaces"
pr_svrty_low "VULNERABLE"
......@@ -10934,8 +10949,9 @@ run_lucky13() {
local cwe="CWE-310"
local hint=""
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for LUCKY13 vulnerability " && outln
if [[ $VULN_COUNT -le $VULN_THRESHLD ]] || "$WIDE"; then
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln
pr_headlineln " Testing for LUCKY13 vulnerability "
outln
fi
pr_bold " LUCKY13"; out " ($cve), experimental "
......@@ -11007,8 +11023,6 @@ run_rc4() {
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln
pr_headlineln " Checking for vulnerable RC4 Ciphers "
fi
if [[ $VULN_COUNT -le $VULN_THRESHLD ]]; then
outln
fi
pr_bold " RC4"; out " ($cve) "
......@@ -11215,7 +11229,7 @@ run_rc4() {
done
! "$WIDE" && pr_svrty_high "$(out_row_aligned_max_width "$rc4_detected" " " $TERM_WIDTH)"
outln
"$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)"
"$WIDE" && out " " && prln_svrty_high "VULNERABLE (NOT ok)"
fileout "rc4" "HIGH" "RC4: VULNERABLE, Detected ciphers: $rc4_detected" "$cve" "$cwe" "$hint"
elif [[ $nr_ciphers -eq 0 ]]; then
prln_local_problem "No RC4 Ciphers configured in $OPENSSL"
......@@ -11866,11 +11880,15 @@ initialize_engine(){
outln
pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
# Avoid clashes of OpenSSL 1.1.1 config file with our openssl 1.0.2. This is for Debian 10
export OPENSSL_CONF=''
return 1
elif $OPENSSL engine gost -vvvv -t -c 2>&1 | grep -iq "No such" ; then
outln
pr_warning "No engine or GOST support via engine with your $OPENSSL"; outln
fileout_insert_warning "engine_problem" "WARN" "No engine or GOST support via engine with your $OPENSSL"
# Avoid clashes of OpenSSL 1.1.1 config file with our openssl 1.0.2. This is for Debian 10
export OPENSSL_CONF=''
return 1
else # we have engine support
if [[ -n "$OPENSSL_CONF" ]]; then
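Review bot: `export OPENSSL_CONF=''` is placed in the branches that fire whenever the openssl in use lacks engine/GOST support, not only when the bundled 1.0.2 binary is in use, so on a system OpenSSL built without GOST the scan silently drops the system openssl.cnf (security level, MinProtocol, default ciphers) for every later $OPENSSL call and may report results that differ from what the host's own tooling sees. If the Debian 10 case is the only target, gate the override on $OPENSSL being the bundled binary rather than on the missing engine; how $OPENSSL is chosen is outside this hunk, so the exact predicate has to come from there. At minimum, extend the warning so the user learns the config was ignored, e.g. `pr_warning "No engine or GOST support via engine with your $OPENSSL (ignoring OPENSSL_CONF)"`. The two identical branches could share a small helper. initialize_engine starts and ends outside the hunk.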
......@@ -12238,8 +12256,8 @@ determine_ip_addresses() {
if [[ -n "$CMDLINE_IP" ]]; then
# command line has supplied an IP address or "one"
if [[ "$CMDLINE_IP" == "one" ]]; then
# use first IPv4 address
if [[ "$CMDLINE_IP" == one ]]; then
# use first IPv4 or IPv6 address
CMDLINE_IP="$(head -1 <<< "$ip4")"
[[ -z "$CMDLINE_IP" ]] && CMDLINE_IP="$(head -1 <<< "$ip6")"
fi
......@@ -12270,14 +12288,19 @@ determine_ip_addresses() {
fi
fi
if [[ -z "$ip4" ]]; then # IPv6 only address
# IPv6 only address
if [[ -z "$ip4" ]]; then
if "$HAS_IPv6"; then
IPADDRs=$(newline_to_spaces "$ip6")
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
fi
else
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
if is_ipv6addr "$CMDLINE_IP"; then
IPADDRs=$(newline_to_spaces "$ip6")
else
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
fi
else
IPADDRs=$(newline_to_spaces "$ip4")
fi
......@@ -12563,8 +12586,14 @@ display_rdns_etc() {
fi
if "$LOCAL_A"; then
outln " A record via $CORRECT_SPACES /etc/hosts "
elif "$LOCAL_AAAA"; then
outln " AAAA record via $CORRECT_SPACES /etc/hosts "
elif [[ -n "$CMDLINE_IP" ]]; then
outln " A record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
if is_ipv6addr $"$CMDLINE_IP"; then
outln " AAAA record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
else
outln " A record via $CORRECT_SPACES supplied IP \"$CMDLINE_IP\""
fi
fi
if [[ -n "$rDNS" ]]; then
out "$(printf " %-23s %s" "rDNS ($nodeip):")"
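Review bot: `is_ipv6addr $"$CMDLINE_IP"` uses bash's `$"..."` locale-translation quoting instead of a plain double quote; this is almost certainly a typo for `is_ipv6addr "$CMDLINE_IP"`, the form used for the same call in determine_ip_addresses. Apart from being surprising to readers, `$"..."` routes a user-supplied value through the message-catalog lookup, which is never intended here; older bash releases are reported to have re-expanded translated strings, so the plain quoting is the safe one. display_rdns_etc starts and ends outside the hunk.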
......@@ -13135,7 +13164,7 @@ query_globals() {
do_freak do_logjam do_drown do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
do_std_cipherlists do_server_defaults do_server_preference do_ssl_poodle do_tls_fallback_scsv \
do_sweet32 do_client_simulation do_cipher_match do_tls_sockets do_mass_testing do_display_only; do
[[ "${!gbl}" == "true" ]] && let true_nr++
[[ "${!gbl}" == true ]] && let true_nr++
done
return $true_nr
}
......@@ -13222,7 +13251,7 @@ parse_cmd_line() {
--ip|--ip=*)
CMDLINE_IP="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift
if [[ $CMDLINE_IP == "proxy" ]]; then
if [[ "$CMDLINE_IP" == proxy ]]; then
DNS_VIA_PROXY=true
unset CMDLINE_IP
fi
......@@ -13572,7 +13601,7 @@ parse_cmd_line() {
# parameter after URI supplied:
[[ -n "$2" ]] && fatal "URI comes last" "1"
fi
[[ $CMDLINE_IP == "one" ]] && "$NODNS" && fatal "\"--ip=one\" and \"--nodns\" doesn't work together"
[[ "$CMDLINE_IP" == one ]] && "$NODNS" && fatal "\"--ip=one\" and \"--nodns\" doesn't work together"
[[ "$DEBUG" -ge 5 ]] && debug_globals
# if we have no "do_*" set here --> query_globals: we do a standard run -- otherwise just the one specified
......@@ -13736,7 +13765,7 @@ lets_roll() {
parse_cmd_line "$@"
# html_header() needs to be called early! Otherwise if html_out() is called before html_header() and the
# command line contains --htmlfile <htmlfile> or --html, it'll make problems with html output, see #692.
# json_header and csv_header can be called later but for context reasons we'll leave it here
# json_header and csv_header could be called later but for context reasons we'll leave it here
html_header
json_header
csv_header
......@@ -13774,7 +13803,7 @@ lets_roll() {
if "$do_mx_all_ips"; then
query_globals # if we have just 1x "do_*" --> we do a standard run -- otherwise just the one specified
[[ $? -eq 1 ]] && set_scanning_defaults
run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have sililar code
run_mx_all_ips "${URI}" $PORT # we should reduce run_mx_all_ips to the stuff neccessary as ~15 lines later we have similar code
exit $?
fi
......