From 452fd6762a1bcc6a7cad97e6ca74dd97ab80fc66 Mon Sep 17 00:00:00 2001
From: Dirk <dirk@testssl.sh>
Date: Sun, 31 May 2015 14:40:12 +0200
Subject: [PATCH] - local dns matches don't need lookup anymore over net -->
 saves timeouts+time - further banner tuning + funtion mybanner, 2 addtl
 global vars for debugging - cosmetic improvements

---
 testssl.sh | 108 +++++++++++++++++++++++++++++------------------------
 1 file changed, 59 insertions(+), 49 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 6468116..293a8a2 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -10,7 +10,7 @@
 # Please file bugs at github!        https://github.com/drwetter/testssl.sh/issues
 
 VERSION="2.5dev"
-SWURL="https://testssl.sh"
+SWURL="http://dev.testssl.sh"
 SWCONTACT="dirk aet testssl dot sh"
 
 # Main author: Dirk Wetter, copyleft: 2007-2015, contributions so far see CREDIT.md
@@ -61,6 +61,10 @@ readonly PROG_NAME=$(basename "$0")
 readonly RUN_DIR=$(dirname $0)
 readonly PROG_DIR=$(readlink "$BASH_SOURCE") 2>/dev/null
 
+which git &>/dev/null && readonly GIT_REL=$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')
+readonly CVS_REL=$(tail -5 $0 | awk '/dirkw Exp/ { print $4" "$5" "$6}')
+readonly CVS_REL_SHORT=$(tail -5 $0 | awk '/dirkw Exp/ { print $4 }')
+
 # following variables make use of $ENV, e.g. OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <host>
 # 0 means (normally) true here. Some of the variables are also accessible with a command line switch
 
@@ -2721,7 +2725,7 @@ logjam() {
 	$OPENSSL s_client $STARTTLS -cipher $exportdhe_cipher_list -connect $NODEIP:$PORT $SNI &>$TMPFILE </dev/null
 	ret=$?
 	[ "$VERBERR" -eq 0 ] && egrep -a "error|failure" $TMPFILE | egrep -av "unable to get local|verify error"
-	addtl_warning="$addtl_warning, precomputed primes not checked yet. \"$PROG_NAME -E\" spots candidates"
+	addtl_warning="$addtl_warning, precomputable primes not checked yet. \"$PROG_NAME -E\" spots candidates"
 	if [ $ret -eq 0 ]; then
 		pr_red "VULNERABLE (NOT ok)"; out ", uses DHE EXPORT ciphers"
 	else
@@ -3069,20 +3073,20 @@ EOF
 
 
 mybanner() {
-	me=$(basename "$0")
-	osslver=$($OPENSSL version)
-	osslpath=$(which $OPENSSL)
+	local nr_ciphers
+	local idtag
+	local bb
+
 	nr_ciphers=$($OPENSSL ciphers  'ALL:COMPLEMENTOFALL:@STRENGTH' | sed 's/:/ /g' | wc -w | sed 's/ //g')
-	hn=$(hostname)
-	#poor man's ident (nowadays ident not neccessarily installed)
-	idtag=$(grep -a '\$Id' $0 | grep -aw "[E]xp" | sed -e 's/^#  //' -e 's/\$ $/\$/')
-	which git &>/dev/null && idtag="$(git log --format='%h %ci' -1 2>/dev/null)"
+	[ -z "$GIT_REL" ] && \
+		idtag="$CVS_REL" || \
+		idtag="$GIT_REL -- $CVS_REL_SHORT"
 	[ "$COLOR" -ne 0 ] && idtag="\033[1;30m$idtag\033[m\033[1m"
 	bb=$(cat <<EOF
 
 #########################################################
-$me v$VERSION  ($SWURL)
-($idtag)
+  $PROG_NAME $VERSION               $SWURL
+  ($idtag)
 
    This program is free software. Redistribution +
    modification under GPLv2 is permitted.
@@ -3093,12 +3097,11 @@ $me v$VERSION  ($SWURL)
 #########################################################
 EOF
 )
-pr_bold "$bb"
-outln "\n"
-outln " Using \"$osslver\" [~$nr_ciphers ciphers] on
- $hn:$osslpath
- (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
-
+	pr_bold "$bb"
+	outln "\n"
+	outln " Using \"$($OPENSSL version)\" [~$nr_ciphers ciphers] on"
+	outln " $(hostname):$(which $OPENSSL)"
+	outln " (built: \"$OSSL_BUILD_DATE\", platform: \"$OSSL_VER_PLATFORM\")\n"
 }
 
 
@@ -3112,7 +3115,8 @@ maketempf() {
 	if [ $DEBUG -ne 0 ]; then
 		cat >$TEMPDIR/environment.txt << EOF
 
-$idtag
+CVS_REL: $CVS_REL
+GIT_REL: $GIT_REL
 
 PID: $$
 bash version: ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}
@@ -3325,7 +3329,7 @@ parse_hn_port() {
 		esac
 	fi
 
-	${do_mx_allentries} || initialize_engine
+	${do_mx_all_ips} || initialize_engine
 	outln
 
 	return 0
@@ -3340,32 +3344,34 @@ get_dns_entries() {
 	else
 		# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
 		IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' |  egrep  "[[:space:]]$NODE" | awk '{ print $1 }')
-		if which host &> /dev/null && [ -z "$IP4" ] ; then
-			IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
-			if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
-				return 1
+		if [ -z "$IP4" ]; then
+			if which host &> /dev/null && [ -z "$IP4" ] ; then
+				IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
+				if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
+					return 1
+				fi
+			fi
+			if [ -z "$IP4" ] ; then
+				# MSYS2 has no host or getent, so we need nslookup
+				IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
+				[ -z "$IP4" ] && return 2
 			fi
 		fi
-		# MSYS2 has no host or getent, so we do this
-		if [ -z "$IP4" ] ; then
-			IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
-			[ -z "$IP4" ] && return 2
-		fi
 
-		# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
-		#which getent 2>&1 >/dev/null && IP6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
+		IP6=$(grep -w "$NODE" /etc/hosts | grep ':' | grep -v '^#' |  egrep  "[[:space:]]$NODE" | awk '{ print $1 }')
 		if [ -z "$IP6" ] ; then
+			# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
+			#which getent 2>&1 >/dev/null && IP6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
 			if host -t aaaa $NODE &>/dev/null ; then
 				IP6=$(host -t aaaa $NODE | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //')
 			else
 				IP6=""
 			fi
+			# MSYS2 has no host or getent, so we need nslookup
+			if [ -z "$IP6" ] ; then
+				IP6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
+			fi
 		fi
-		# MSYS2 has no host or getent, so we do this
-          if [ -z "$IP6" ] ; then
-               IP6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
-          fi
-
 	fi # test4iponly
 
 	IPADDRs="$IP4"
@@ -3412,10 +3418,15 @@ datebanner() {
 	outln
 }
 
+draw_dotted_line() {
+	printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
+}
 
-mx_allentries() {
+
+mx_all_ips() {
 	local mxs mx
 	local mxport
+	local ret=0
 
 	if which host &> /dev/null; then
 		mxs=$(host -t MX "$1" | grep 'handled by' | sed -e 's/^.*by //g' -e 's/\.$//')
@@ -3448,10 +3459,6 @@ mx_allentries() {
 	fi
 }
 
-draw_dotted_line() {
-	printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
-}
-
 
 # This initializes boolean global do_* variables, meant primarily to keep track of what to do
 initialize_globals() {
@@ -3466,7 +3473,7 @@ initialize_globals() {
 	do_logjam=false
 	do_header=false
 	do_heartbleed=false
-	do_mx_allentries=false
+	do_mx_all_ips=false
 	do_pfs=false
 	do_protocols=false
 	do_rc4=false
@@ -3510,7 +3517,7 @@ query_globals() {
 	local true_nr=0
 
 	for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
-     		do_freak do_logjam do_header do_heartbleed do_mx_allentries do_pfs do_protocols do_rc4 do_renego \
+     		do_freak do_logjam do_header do_heartbleed do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
      		do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
      		do_test_just_one do_tls_sockets; do
 				[ "${!gbl}" == "true" ] && let true_nr++
@@ -3523,7 +3530,7 @@ debug_globals() {
 	local gbl
 
 	for gbl in do_allciphers do_vulnerabilities do_beast do_breach do_ccs_injection do_cipher_per_proto do_crime \
-     		do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_allentries do_pfs do_protocols do_rc4 do_renego \
+     		do_freak do_logjam do_header do_heartbleed do_rc4 do_mx_all_ips do_pfs do_protocols do_rc4 do_renego \
      		do_run_std_cipherlists do_server_defaults do_server_preference do_spdy do_ssl_poodle \
      		do_test_just_one do_tls_sockets; do
 		printf "%-22s = %s\n" $gbl "${!gbl}"
@@ -3545,13 +3552,16 @@ startup() {
 				mybanner
 			exit 0;;
 			--mx)
-				do_mx_allentries=true;;
+				do_mx_all_ips=true;;
 			--mx465)  # doesn't work with major ISPs
-				do_mx_allentries=true
+				do_mx_all_ips=true
 				PORT=465 ;;
 			--mx587) # doesn't work with major ISPs
-				do_mx_allentries=true
+				do_mx_all_ips=true
 				PORT=587 ;;
+			--ip)
+				CMDLINE_IP=$2
+				shift ;;
 			-V|--local)	# this is only displaying local, thus we don't put it in the loop
 				find_openssl_binary
 				mybanner
@@ -3758,12 +3768,12 @@ mybanner
 openssl_age
 maketempf
 
-if ${do_mx_allentries} ; then
+if ${do_mx_all_ips} ; then
      query_globals
      # if we have just one "do_*" set here --> query_globals: we do a standard run -- otherwise just the one specified
 	[ $? -eq 1 ] && set_scanning_defaults
 	initialize_engine
-	mx_allentries "${URI}" $PORT
+	mx_all_ips "${URI}" $PORT
 	ret=$?
 else
      parse_hn_port "${URI}" "${STARTTLS_PROTOCOL}"
@@ -3773,6 +3783,6 @@ fi
 
 exit $ret
 
-#  $Id: testssl.sh,v 1.265 2015/05/29 12:12:21 dirkw Exp $
+#  $Id: testssl.sh,v 1.267 2015/05/31 12:40:11 dirkw Exp $
 # vim:ts=5:sw=5
 # ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab