From 8d66786e42cc296937ba6b9bbdfe73d9be8209e2 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 25 Feb 2017 16:31:30 +0100 Subject: [PATCH] Just saving my workJust saving my work ... This branch is for getting the HTML patch from @dcooper16 into 2.9dev Change to David's PR: * removed HTMLHEADER. We always want that (in fact for flat JSON this is missing and needs to be added) * not sure what this change does to --file * changing of names They were redundant sometimes (pr_*_term ) * some formatting for readbility Open points: * there's a loop and a segfault --> tm_done_best * HTMLHEADER: --file * the former sed statement aroung L1900 for the header was way more readable. The combined html+terminal version is just too much. Maybe a switch whether HTML is requested is better so that this can be separated. * Then e.g. "/\>/g' -e 's/"/\"/g' -e "s/'/\'/g" + sed -e 's/\&/\&/g' -e 's//\>/g' -e 's/"/\"/g' -e "s/'/\'/g" <<< "$1" } -# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest. -out_html() { - "$do_html" && [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "${1//%/%%}" >> "$HTMLFILE" +html_out() { + "$do_html" || return + [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "${1//%/%%}" >> "$HTMLFILE" + # here and other printf's: a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%'. '--' and %b do the rest. } out() { -# if [[ "$BASH_VERSINFO" -eq 4 ]]; then - printf -- "%b" "${1//%/%%}" - out_html "$1" -# else -# /usr/bin/printf -- "${1//%/%%}" -# fi + printf -- "%b" "${1//%/%%}" + html_out "$1" } outln() { out "$1\n"; } -out_term(){ -# if [[ "$BASH_VERSINFO" -eq 4 ]]; then - printf -- "%b" "${1//%/%%}" -# else -# /usr/bin/printf -- "${1//%/%%}" -# fi -} -outln_term() { out_term "$1\n"; } - -retstring(){ - printf -- "%b" "${1//%/%%}" +tm_out(){ + printf -- "%b" "${1//%/%%}" } +tmln_out() { tm_out "$1\n"; } #TODO: Still no shell injection safe but if just run it from the cmd line: that's fine # color print functions, see also http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x329.html -pr_liteblue_term() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_term "\033[0;32m$1" || out_term "\033[0;34m$1" ) || out_term "$1"; pr_off; } # not yet used -pr_liteblue() { pr_liteblue_term "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ) || out_html "$(html_reserved "$1")"; } -pr_liteblueln_term() { pr_liteblue_term "$1"; outln_term; } -pr_liteblueln() { pr_liteblue "$1"; outln; } -pr_blue_term() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_term "\033[1;32m$1" || out_term "\033[1;34m$1" ) || out_term "$1"; pr_off; } # used for head lines of single tests -pr_blue() { pr_blue_term "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ) || out_html "$(html_reserved "$1")"; } -pr_blueln_term() { pr_blue_term "$1"; outln_term; } -pr_blueln() { pr_blue "$1"; outln; } +tm_liteblue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && tm_out "\033[0;32m$1" || tm_out "\033[0;34m$1" ) || tm_out "$1"; tm_off; } # not yet used +pr_liteblue() { tm_liteblue "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ) || html_out "$(html_reserved "$1")"; } +tmln_liteblue() { tm_liteblue "$1"; tmln_out; } +prln_liteblue() { pr_liteblue "$1"; outln; } -pr_warning_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[0;35m$1" || pr_underline_term "$1"; pr_off; } # some local problem: one test cannot be done -pr_warning() { pr_warning_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ); } -pr_warningln_term() { pr_warning_term "$1"; outln_term; } # litemagenta -pr_warningln() { pr_warning "$1"; outln; } -pr_magenta_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[1;35m$1" || pr_underline_term "$1"; pr_off; } # fatal error: quitting because of this! -pr_magenta() { pr_magenta_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ); } -pr_magentaln_term() { pr_magenta_term "$1"; outln_term; } -pr_magentaln() { pr_magenta "$1"; outln; } +tm_blue() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && tm_out "\033[1;32m$1" || tm_out "\033[1;34m$1" ) || tm_out "$1"; tm_off; } # used for head lines of single tests +pr_blue() { tm_blue "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ) || html_out "$(html_reserved "$1")"; } +tmln_blue() { tm_blue "$1"; tmln_out; } +prln_blue() { pr_blue "$1"; outln; } -pr_litecyan_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[0;36m$1" || out_term "$1"; pr_off; } # not yet used -pr_litecyan() { pr_litecyan_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_litecyanln_term() { pr_litecyan_term "$1"; outln_term; } -pr_litecyanln() { pr_litecyan "$1"; outln; } -pr_cyan_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[1;36m$1" || out_term "$1"; pr_off; } # additional hint -pr_cyan() { pr_cyan_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_cyanln_term() { pr_cyan_term "$1"; outln_term; } -pr_cyanln() { pr_cyan "$1"; outln; } +# we should be able to use aliases here +tm_warning() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[0;35m$1" || tm_underline "$1"; tm_off; } # some local problem: one test cannot be done +tmln_warning() { tm_warning "$1"; tmln_out; } # litemagenta +pr_warning() { tm_warning "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ); } +prln_warning() { pr_warning "$1"; outln; } -pr_litegreyln_term() { pr_litegrey_term "$1"; outln_term; } # not really usable on a black background, see .. -pr_litegreyln() { pr_litegrey "$1"; outln; } -pr_litegrey_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[0;37m$1" || out_term "$1"; pr_off; } # ... https://github.com/drwetter/testssl.sh/pull/600#issuecomment-276129876 -pr_litegrey() { pr_litegrey_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_grey_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[1;30m$1" || out_term "$1"; pr_off; } -pr_grey() { pr_grey_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_greyln_term() { pr_grey_term "$1"; outln_term; } -pr_greyln() { pr_grey "$1"; outln; } +tm_magenta() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[1;35m$1" || tm_underline "$1"; tm_off; } # fatal error: quitting because of this! +tmln_magenta() { tm_magenta "$1"; tmln_out; } +# different as warning above? +pr_magenta() { tm_magenta "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ); } +prln_magenta() { pr_magenta "$1"; outln; } -pr_done_good_term() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_term "\033[0;34m$1" || out_term "\033[0;32m$1" ) || out_term "$1"; pr_off; } # litegreen (liteblue), This is good -pr_done_good() { pr_done_good_term "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ) || out_html "$(html_reserved "$1")"; } -pr_done_goodln_term() { pr_done_good_term "$1"; outln_term; } -pr_done_goodln() { pr_done_good "$1"; outln; } -pr_done_best_term() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_term "\033[1;34m$1" || out_term "\033[1;32m$1" ) || out_term "$1"; pr_off; } # green (blue), This is the best -pr_done_best() { pr_done_best_term "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ) || out_html "$(html_reserved "$1")"; } -pr_done_bestln_term() { pr_done_best_term "$1"; outln_term; } -pr_done_bestln() { pr_done_best "$1"; outln; } +tm_litecyan() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[0;36m$1" || tm_out "$1"; tm_off; } # not yet used +tmln_litecyan() { tm_litecyan "$1"; tmln_out; } +pr_litecyan() { tm_litecyan "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +prln_litecyan() { pr_litecyan "$1"; outln; } -pr_svrty_low_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[1;33m$1" || out_term "$1"; pr_off; } # yellow brown | academic or minor problem -pr_svrty_low() { pr_svrty_low_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_svrty_lowln_term() { pr_svrty_low_term "$1"; outln_term; } -pr_svrty_lowln() { pr_svrty_low "$1"; outln; } -pr_svrty_medium_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[0;33m$1" || out_term "$1"; pr_off; } # brown | it is not a bad problem but you shouldn't do this -pr_svrty_medium() { pr_svrty_medium_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_svrty_mediumln_term() { pr_svrty_medium_term "$1"; outln_term; } -pr_svrty_mediumln() { pr_svrty_medium "$1"; outln; } +tm_cyan() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[1;36m$1" || tm_out "$1"; tm_off; } # additional hint +tmln_cyan() { tm_cyan "$1"; tmln_out; } +pr_cyan() { tm_cyan "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +prln_cyan() { pr_cyan "$1"; outln; } -pr_svrty_high_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[0;31m$1" || pr_bold_term "$1"; pr_off; } # litered -pr_svrty_high() { pr_svrty_high_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ); } -pr_svrty_highln_term() { pr_svrty_high_term "$1"; outln_term; } -pr_svrty_highln() { pr_svrty_high "$1"; outln; } -pr_svrty_critical_term() { [[ "$COLOR" -eq 2 ]] && out_term "\033[1;31m$1" || pr_bold_term "$1"; pr_off; } # red -pr_svrty_critical() { pr_svrty_critical_term "$1"; [[ "$COLOR" -eq 2 ]] && out_html "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")" ); } -pr_svrty_criticalln_term() { pr_svrty_critical_term "$1"; outln_term; } -pr_svrty_criticalln(){ pr_svrty_critical "$1"; outln; } +tm_litegrey() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[0;37m$1" || tm_out "$1"; tm_off; } # ... https://github.com/drwetter/testssl.sh/pull/600#issuecomment-276129876 +tmln_litegrey() { tm_litegrey "$1"; tmln_out; } # not really usable on a black background, see .. +prln_litegrey() { pr_litegrey "$1"; outln; } +pr_litegrey() { tm_litegrey "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } -pr_deemphasize_term() { out_term "$1"; } # hook for a weakened screen output, see #600 -pr_deemphasize() { pr_deemphasize_term "$1"; out_html "$(html_reserved "$1")"; } -pr_deemphasizeln_term() { pr_deemphasize_term "$1"; outln_term; } -pr_deemphasizeln() { pr_deemphasize "$1"; outln; } +tm_grey() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[1;30m$1" || tm_out "$1"; tm_off; } +pr_grey() { tm_grey "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +tmln_grey() { tm_grey "$1"; tmln_out; } +prln_grey() { pr_grey "$1"; outln; } + +tm_done_good() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && tm_out "\033[0;34m$1" || tm_out "\033[0;32m$1" ) || tm_out "$1"; tm_off; } # litegreen (liteblue), This is good +tmln_done_good() { tm_done_good "$1"; tmln_out; } +pr_done_good() { tm_done_good "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ) || html_out "$(html_reserved "$1")"; } +prln_done_good() { pr_done_good "$1"; outln; } + +tm_done_best() { [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && tm_out "\033[1;34m$1" || tm_out "\033[1;32m$1" ) || tm_out "$1"; tm_off; } # green (blue), This is the best +pr_done_best() { tm_done_best "$1"; [[ "$COLOR" -eq 2 ]] && ( "$COLORBLIND" && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ) || html_out "$(html_reserved "$1")"; } +tm_done_best() { tm_done_best "$1"; tmln_out; } +prln_done_best() { pr_done_best "$1"; outln; } + +tm_svrty_low() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[1;33m$1" || tm_out "$1"; tm_off; } # yellow brown | academic or minor problem +tmln_svrty_low() { tm_svrty_low "$1"; tmln_out; } +pr_svrty_low() { tm_svrty_low "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +prln_svrty_low() { pr_svrty_low "$1"; outln; } + +tm_svrty_medium() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[0;33m$1" || tm_out "$1"; tm_off; } # brown | it is not a bad problem but you shouldn't do this +pr_svrty_medium() { tm_svrty_medium "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +tmln_svrty_medium(){ tm_svrty_medium "$1"; tmln_out; } +prln_svrty_medium(){ pr_svrty_medium "$1"; outln; } + +tm_svrty_high() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[0;31m$1" || tm_bold "$1"; tm_off; } # litered +pr_svrty_high() { tm_svrty_high "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ); } +tmln_svrty_high() { tm_svrty_high "$1"; tmln_out; } +prln_svrty_high() { pr_svrty_high "$1"; outln; } + +tm_svrty_critical() { [[ "$COLOR" -eq 2 ]] && tm_out "\033[1;31m$1" || tm_bold "$1"; tm_off; } # red +pr_svrty_critical() { tm_svrty_critical "$1"; [[ "$COLOR" -eq 2 ]] && html_out "$(html_reserved "$1")" || ( [[ "$COLOR" -eq 1 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")" ); } +tmln_svrty_critical() { tm_svrty_critical "$1"; tmln_out; } +prln_svrty_critical() { pr_svrty_critical "$1"; outln; } + +tm_deemphasize() { tm_out "$1"; } # hook for a weakened screen output, see #600 +pr_deemphasize() { tm_deemphasize "$1"; html_out "$(html_reserved "$1")"; } +tmln_deemphasize() { tm_deemphasize "$1"; tmln_out; } +prln_deemphasize() { pr_deemphasize "$1"; outln; } # color=1 functions -pr_off() { [[ "$COLOR" -ne 0 ]] && out_term "\033[m"; } -pr_bold_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[1m$1" || out_term "$1"; pr_off; } -pr_bold() { pr_bold_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_boldln_term() { pr_bold_term "$1"; outln_term; } -pr_boldln() { pr_bold "$1" ; outln; } -pr_italic_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[3m$1" || out_term "$1"; pr_off; } -pr_italic() { pr_italic_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_italicln_term() { pr_italic_term "$1"; outln_term; } -pr_italicln() { pr_italic "$1" ; outln; } -pr_strikethru_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[9m$1" || out_term "$1"; pr_off; } # ugly! -pr_strikethru() { pr_strikethru_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_strikethruln_term() { pr_strikethru_term "$1"; outln_term; } -pr_strikethruln() { pr_strikethru "$1" ; outln; } -pr_underline_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[4m$1" || out_term "$1"; pr_off; } -pr_underline() { pr_underline_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_underlineln_term() { pr_underline_term "$1"; outln_term; } -pr_underlineln() { pr_underline "$1"; outln; } -pr_reverse_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[7m$1" || out_term "$1"; pr_off; } -pr_reverse() { pr_reverse_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_reverse_bold_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[7m\033[1m$1" || out_term "$1"; pr_off; } -pr_reverse_bold() { pr_reverse_bold_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } +tm_off() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[m"; } + +tm_bold() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[1m$1" || tm_out "$1"; tm_off; } +tmln_bold() { tm_bold "$1"; tmln_out; } +pr_bold() { tm_bold "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +prln_bold() { pr_bold "$1" ; outln; } + +tm_italic() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[3m$1" || tm_out "$1"; tm_off; } +tm_italic() { pr_italic "$1" ; outln; } +pr_italic() { tm_italic "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +tmln_italic() { tm_italic "$1"; tmln_out; } + +tm_strikethru() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[9m$1" || tm_out "$1"; tm_off; } # ugly! +tmln_strikethru() { tm_strikethru "$1"; tmln_out; } +pr_strikethru() { tm_strikethru "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +prln_strikethru() { pr_strikethru "$1" ; outln; } + +tm_underline() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[4m$1" || tm_out "$1"; tm_off; } +tmln_underline() { tm_underline "$1"; tmln_out; } +pr_underline() { tm_underline "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +prln_underline() { pr_underline "$1"; outln; } + +tm_reverse() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[7m$1" || tm_out "$1"; tm_off; } +tm_reverse_bold() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[7m\033[1m$1" || tm_out "$1"; tm_off; } +pr_reverse() { tm_reverse "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } +pr_reverse_bold() { tm_reverse_bold "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } #pr_headline() { pr_blue "$1"; } #http://misc.flogisoft.com/bash/tip_colors_and_formatting -#pr_headline() { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m\033[47m$1" || out "$1"; pr_off; } -pr_headline_term() { [[ "$COLOR" -ne 0 ]] && out_term "\033[1m\033[4m$1" || out_term "$1"; pr_off; } -pr_headline() { pr_headline_term "$1"; [[ "$COLOR" -ne 0 ]] && out_html "$(html_reserved "$1")" || out_html "$(html_reserved "$1")"; } -pr_headlineln_term() { pr_headline_term "$1"; outln_term; } +#pr_headline() { [[ "$COLOR" -eq 2 ]] && out "\033[1;30m\033[47m$1" || out "$1"; tm_off; } +tm_headline() { [[ "$COLOR" -ne 0 ]] && tm_out "\033[1m\033[4m$1" || tm_out "$1"; tm_off; } +tmln_headline() { tm_headline "$1"; tmln_out; } +pr_headline() { tm_headline "$1"; [[ "$COLOR" -ne 0 ]] && html_out "$(html_reserved "$1")" || html_out "$(html_reserved "$1")"; } pr_headlineln() { pr_headline "$1" ; outln; } -pr_squoted_term() { out_term "'$1'"; } +tm_squoted() { tm_out "'$1'"; } pr_squoted() { out "'$1'"; } -pr_dquoted_term() { out_term "\"$1\""; } +tm_dquoted() { tm_out "\"$1\""; } pr_dquoted() { out "\"$1\""; } -local_problem_term() { pr_warning_term "Local problem: $1"; } -local_problem() { pr_warning "Local problem: $1"; } -local_problem_ln_term() { pr_warningln_term "Local problem: $1"; } -local_problem_ln() { pr_warningln "Local problem: $1"; } +tm_local_problem() { tm_warning "Local problem: $1"; } +tmln_local_problem() { tmln_warning "Local problem: $1"; } +pr_local_problem() { pr_warning "Local problem: $1"; } +prln_local_problem() { prln_warning "Local problem: $1"; } -fixme_term() { pr_warning_term "fixme: $1"; } -fixme() { pr_warning "fixme: $1"; } -fixmeln_term() { pr_warningln_term "fixme: $1"; } -fixmeln() { pr_warningln "fixme: $1"; } +tm_fixme() { tm_warning "pr_fixme: $1"; } +tmln_fixme() { tmln_warning "pr_fixme: $1"; } +pr_fixme() { pr_warning "pr_fixme: $1"; } +prln_fixme() { prln_warning "pr_fixme: $1"; } -pr_url() { out_term "$1"; out_html "$1"; } -pr_boldurl() { pr_bold_term "$1"; out_html "$1"; } +pr_url() { tm_out "$1"; html_out "$1"; } +pr_boldurl() { tm_bold "$1"; html_out "$1"; } ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html @@ -979,34 +981,30 @@ html_header() { else HTMLFILE=$HTMLFILE/$fname_prefix-$(date +"%Y%m%d-%H%M".html) fi - out_html "\n" - out_html "\n" - out_html "\n" - out_html "\n" - out_html "\n" - out_html "\n" - out_html "testssl.sh\n" - out_html "\n" - out_html "\n" - out_html "
\n"
+     html_out "\n"
+     html_out "\n"
+     html_out "\n"
+     html_out "\n"
+     html_out "\n"
+     html_out "\n"
+     html_out "testssl.sh\n"
+     html_out "\n"
+     html_out "\n"
+     html_out "
\n"
      return 0
 }
 
 html_banner() {
-     if "$QUIET" && "$HTMLHEADER"; then
-          out_html "## Scan started as: \"$PROG_NAME $CMDLINE\"\n"
-          out_html "## at $HNAME:$OPENSSL_LOCATION\n"
-          out_html "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\n"
-          out_html "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n\n"
-     fi
+     html_out "## Scan started as: \"$PROG_NAME $CMDLINE\"\n"
+     html_out "## at $HNAME:$OPENSSL_LOCATION\n"
+     html_out "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE\n"
+     html_out "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n\n"
 }
 
 html_footer() {
-     if "$HTMLHEADER"; then
-          out_html "
\n"
-          out_html "\n"
-          out_html "\n"
-     fi
+     html_out "
\n" + html_out "\n" + html_out "\n" return 0 } @@ -1296,7 +1294,7 @@ string_to_asciihex() { output+="$(printf "%02x," "'${string:i:1}")" done [[ -n "$string" ]] && output+="$(printf "%02x" "'${string:eos:1}")" - retstring "$output" + tm_out "$output" return 0 } @@ -1536,7 +1534,7 @@ run_http_date() { out "Got no HTTP time, maybe try different URL?"; fileout "http_clock_skew" "INFO" "HTTP clock skew not measured. Got no HTTP time, maybe try different URL?" fi - debugme out_term ", epoch: $HTTP_TIME" + debugme tm_out ", epoch: $HTTP_TIME" fi outln detect_ipv4 @@ -1570,7 +1568,7 @@ detect_header() { out "\n$spaces" # first awk matches the key, second extracts the from the first line the value, be careful with quotes here! HEADERVALUE=$(grep -Faiw "$key:" $HEADERFILE | sed 's/^.*://' | head -1) - [[ $DEBUG -ge 2 ]] && pr_italic_term "$HEADERVALUE" && out_term "\n$spaces" + [[ $DEBUG -ge 2 ]] && tm_italic "$HEADERVALUE" && tm_out "\n$spaces" fileout "$2""_multiple" "WARN" "Multiple $2 headers. Using first header: $HEADERVALUE" return $nr fi @@ -1735,7 +1733,7 @@ run_hpkp() { # Get the SPKIs first spki=$(tr ';' '\n' < $TMPFILE | tr -d ' ' | tr -d '\"' | awk -F'=' '/pin.*=/ { print $2 }') - debugme outln_term "\n$spki" + debugme tmln_out "\n$spki" # Look at the host certificate first # get the key fingerprint from the host certificate @@ -1785,7 +1783,7 @@ run_hpkp() { pr_done_good "$hpkp_spki" fileout "hpkp_$hpkp_spki" "OK" "SPKI $hpkp_spki matches the host certificate" fi - debugme out_term "\n $hpkp_spki | $hpkp_spki_hostcert" + debugme tm_out "\n $hpkp_spki | $hpkp_spki_hostcert" # Check for intermediate match if ! "$certificate_found"; then @@ -1851,7 +1849,7 @@ run_hpkp() { if [[ -n "${backup_spki_str[0]}" ]]; then pr_done_good "${backup_spki[0]}" #out " Root CA: " - pr_italicln " ${backup_spki_str[0]}" + tm_italic " ${backup_spki_str[0]}" else outln "${backup_spki[0]}" fi @@ -1861,26 +1859,26 @@ run_hpkp() { # it's a Root CA outside the chain pr_done_good "$spaces_indented ${backup_spki[i]}" #out " Root CA: " - pr_italicln " ${backup_spki_str[i]}" + tm_italic " ${backup_spki_str[i]}" else outln "$spaces_indented ${backup_spki[i]}" fi done if [[ ! -f "$ca_hashes" ]] && "$spki_match"; then out "$spaces " - pr_warningln "Attribution of further hashes couldn't be done as $ca_hashes could not be found" + prln_warning "Attribution of further hashes couldn't be done as $ca_hashes could not be found" fileout "hpkp_spkimatch" "WARN" "Attribution of further hashes couldn't be done as $ca_hashes could not be found" fi # If all else fails... if ! "$spki_match"; then "$has_backup_spki" && out "$spaces" # we had a few lines with backup SPKIs already - pr_svrty_highln " No matching key for SPKI found " + prln_svrty_high " No matching key for SPKI found " fileout "hpkp_spkimatch" "HIGH" "None of the SPKI match your host certificate, intermediate CA or known root CAs. You may have bricked this site" fi if ! "$has_backup_spki"; then - pr_svrty_highln " No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site. " + prln_svrty_high " No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site. " fileout "hpkp_backup" "HIGH" "No backup keys found. Loss/compromise of the currently pinned key(s) will lead to bricked site." fi else @@ -1903,87 +1901,87 @@ emphasize_stuff_in_headers(){ len=${#text} while [[ $len -gt 0 ]]; do if [[ -z "$(tr -d '0-9' <<< "${text:0:1}")" ]]; then - out_term "${brown}${text:0:1}${off}" - out_html "${text:0:1}" + tm_out "${brown}${text:0:1}${off}" + html_out "${text:0:1}" text="${text:1}" len=$len-1 elif [[ $len -ge 31 ]] && [[ "${text:0:31}" == "MicrosoftSharePointTeamServices" ]]; then - out_term "${yellow}${text:0:31}${off}" - out_html "${text:0:31}" + tm_out "${yellow}${text:0:31}${off}" + html_out "${text:0:31}" text="${text:31}" len=$len-31 elif [[ $len -ge 24 ]] && [[ "${text:0:24}" == "Red Hat Enterprise Linux" ]]; then - out_term "${yellow}${text:0:24}${off}" - out_html "${text:0:24}" + tm_out "${yellow}${text:0:24}${off}" + html_out "${text:0:24}" text="${text:24}" len=$len-24 elif [[ $len -ge 16 ]] && [[ "${text:0:16}" == "X-AspNet-Version" ]]; then - out_term "${yellow}${text:0:16}${off}" - out_html "${text:0:16}" + tm_out "${yellow}${text:0:16}${off}" + html_out "${text:0:16}" text="${text:16}" len=$len-16 elif [[ $len -ge 15 ]] && [[ "${text:0:15}" == "X-UA-Compatible" ]]; then - out_term "${yellow}${text:0:15}${off}" - out_html "${text:0:15}" + tm_out "${yellow}${text:0:15}${off}" + html_out "${text:0:15}" text="${text:15}" len=$len-15 elif [[ $len -ge 14 ]] && ( [[ "${text:0:14}" == "Liferay-Portal" ]] || [[ "${text:0:14}" == "X-Cache-Lookup" ]] || \ [[ "${text:0:14}" == "X-Cache-Status" ]] ) ; then - out_term "${yellow}${text:0:14}${off}" - out_html "${text:0:14}" + tm_out "${yellow}${text:0:14}${off}" + html_out "${text:0:14}" text="${text:14}" len=$len-14 elif [[ $len -ge 13 ]] && [[ "${text:0:13}" == "X-OWA-Version" ]]; then - out_term "${yellow}${text:0:13}${off}" - out_html "${text:0:13}" + tm_out "${yellow}${text:0:13}${off}" + html_out "${text:0:13}" text="${text:13}" len=$len-13 elif [[ $len -ge 12 ]] && [[ "${text:0:12}" == "X-Powered-By" ]]; then - out_term "${yellow}${text:0:12}${off}" - out_html "${text:0:12}" + tm_out "${yellow}${text:0:12}${off}" + html_out "${text:0:12}" text="${text:12}" len=$len-12 elif [[ $len -ge 11 ]] && [[ "${text:0:11}" == "X-Forwarded" ]]; then - out_term "${yellow}${text:0:11}${off}" - out_html "${text:0:11}" + tm_out "${yellow}${text:0:11}${off}" + html_out "${text:0:11}" text="${text:11}" len=$len-11 elif [[ $len -ge 9 ]] && ( [[ "${text:0:9}" == "X-Varnish" ]] || [[ "${text:0:9}" == "X-Version" ]] ); then - out_term "${yellow}${text:0:9}${off}" - out_html "${text:0:9}" + tm_out "${yellow}${text:0:9}${off}" + html_out "${text:0:9}" text="${text:9}" len=$len-9 elif [[ $len -ge 8 ]] && [[ "${text:0:8}" == "X-Server" ]]; then - out_term "${yellow}${text:0:8}${off}" - out_html "${text:0:8}" + tm_out "${yellow}${text:0:8}${off}" + html_out "${text:0:8}" text="${text:8}" len=$len-8 elif [[ $len -ge 7 ]] && ( [[ "${text:0:7}" == "squeeze" ]] || [[ "${text:0:7}" == "Red Hat" ]] || \ [[ "${text:0:7}" == "X-Cache" ]] || [[ "${text:0:7}" == "X-Squid" ]] ) ; then - out_term "${yellow}${text:0:7}${off}" - out_html "${text:0:7}" + tm_out "${yellow}${text:0:7}${off}" + html_out "${text:0:7}" text="${text:7}" len=$len-7 elif [[ $len -ge 6 ]] && ( [[ "${text:0:6}" == "Debian" ]] || [[ "${text:0:6}" == "Ubuntu" ]] || \ [[ "${text:0:6}" == "ubuntu" ]] || [[ "${text:0:6}" == "jessie" ]] || \ [[ "${text:0:6}" == "wheezy" ]] || [[ "${text:0:6}" == "CentOS" ]] ) ; then - out_term "${yellow}${text:0:6}${off}" - out_html "${text:0:6}" + tm_out "${yellow}${text:0:6}${off}" + html_out "${text:0:6}" text="${text:6}" len=$len-6 elif [[ $len -ge 5 ]] && ( [[ "${text:0:5}" == "Win32" ]] || [[ "${text:0:5}" == "Win64" ]] || [[ "${text:0:5}" == "lenny" ]] ); then - out_term "${yellow}${text:0:5}${off}" - out_html "${text:0:5}" + tm_out "${yellow}${text:0:5}${off}" + html_out "${text:0:5}" text="${text:5}" len=$len-5 elif [[ $len -ge 4 ]] && [[ "${text:0:4}" == "SUSE" ]]; then - out_term "${yellow}${text:0:4}${off}" - out_html "${text:0:4}" + tm_out "${yellow}${text:0:4}${off}" + html_out "${text:0:4}" text="${text:4}" len=$len-4 elif [[ $len -ge 3 ]] && [[ "${text:0:3}" == "Via" ]]; then - out_term "${yellow}${text:0:3}${off}" - out_html "${text:0:3}" + tm_out "${yellow}${text:0:3}${off}" + html_out "${text:0:3}" text="${text:3}" len=$len-3 else @@ -2012,7 +2010,7 @@ run_server_banner() { emphasize_stuff_in_headers "$serverbanner" fileout "serverbanner" "INFO" "Server banner identified: $serverbanner" if [[ "$serverbanner" = *Microsoft-IIS/6.* ]] && [[ $OSSL_VER == 1.0.2* ]]; then - pr_warningln " It's recommended to run another test w/ OpenSSL 1.0.1 !" + prln_warning " It's recommended to run another test w/ OpenSSL 1.0.1 !" # see https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892 fileout "IIS6_openssl_mismatch" "WARN" "It is recommended to rerun this test w/ OpenSSL 1.0.1. See https://github.com/PeterMosmans/openssl/issues/19#issuecomment-100897892" fi @@ -2200,7 +2198,7 @@ run_more_flags() { #TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" or Access-Control-Allow-Origin: * if "$first"; then - pr_svrty_mediumln "--" + prln_svrty_medium "--" fileout "sec_headers" "MEDIUM" "No security (or other interesting) headers detected" ret=1 else @@ -2384,9 +2382,9 @@ std_cipherlists() { else singlespaces=$(echo "$2" | sed -e 's/ \+/ /g' -e 's/^ //' -e 's/ $//g' -e 's/ //g') if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then - local_problem_ln "No $singlespaces for SSLv2 configured in $OPENSSL" + prln_local_problem "No $singlespaces for SSLv2 configured in $OPENSSL" else - local_problem_ln "No $singlespaces configured in $OPENSSL" + prln_local_problem "No $singlespaces configured in $OPENSSL" fi fileout "std_$4" "WARN" "Cipher $2 ($1) not supported by local OpenSSL ($OPENSSL)" fi @@ -2419,7 +2417,7 @@ openssl2rfc() { [[ "$1" == "${TLS_CIPHER_OSSL_NAME[i]}" ]] && rfcname="${TLS_CIPHER_RFC_NAME[i]}" && break done [[ "$rfcname" == "-" ]] && rfcname="" - [[ -n "$rfcname" ]] && retstring "$rfcname" + [[ -n "$rfcname" ]] && tm_out "$rfcname" return 0 } @@ -2431,7 +2429,7 @@ rfc2openssl() { [[ "$1" == "${TLS_CIPHER_RFC_NAME[i]}" ]] && ossl_name="${TLS_CIPHER_OSSL_NAME[i]}" && break done [[ "$ossl_name" == "-" ]] && ossl_name="" - [[ -n "$ossl_name" ]] && retstring "$ossl_name" + [[ -n "$ossl_name" ]] && tm_out "$ossl_name" return 0 } @@ -2451,7 +2449,7 @@ show_rfc_style(){ [[ "$hexcode" == "${TLS_CIPHER_HEXCODE[i]}" ]] && rfcname="${TLS_CIPHER_RFC_NAME[i]}" && break done [[ "$rfcname" == "-" ]] && rfcname="" - [[ -n "$rfcname" ]] && retstring "$rfcname" + [[ -n "$rfcname" ]] && tm_out "$rfcname" return 0 } @@ -2488,7 +2486,7 @@ neat_list(){ [[ -n "$ADD_RFC_STR" ]] && tls_cipher="$(show_rfc_style "$hexcode")" if [[ -z "$5" ]]; then - retstring "$(printf -- " %-7s %-33s %-10s %-12s%-8s${ADD_RFC_STR:+ %-49s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$tls_cipher")" + tm_out "$(printf -- " %-7s %-33s %-10s %-12s%-8s${ADD_RFC_STR:+ %-49s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$tls_cipher")" return 0 elif [[ "$5" == "false" ]]; then line="$(printf -- " %-7s %-33s %-10s %-12s%-8s${ADD_RFC_STR:+ %-49s}${SHOW_EACH_C:+ %-0s}" "$hexcode" "$ossl_cipher" "$kx" "$enc" "$strength" "$tls_cipher")" @@ -2542,7 +2540,7 @@ test_just_one(){ [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" if ! "$HAS_DH_BITS"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." - pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" + prln_warning " (Your $OPENSSL cannot show DH/ECDH bits)" fi fi outln @@ -2884,7 +2882,7 @@ run_allciphers() { outln if ! "$HAS_DH_BITS"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." - pr_warningln " Your $OPENSSL cannot show DH/ECDH bits" + prln_warning " Your $OPENSSL cannot show DH/ECDH bits" fi fi outln @@ -3061,12 +3059,12 @@ run_cipher_per_proto() { outln if ! "$HAS_DH_BITS"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && out "." - pr_warningln " (Your $OPENSSL cannot show DH/ECDH bits)" + prln_warning " (Your $OPENSSL cannot show DH/ECDH bits)" fi fi outln neat_header - retstring " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n" | while read proto proto_hex proto_text; do + tm_out " -ssl2 22 SSLv2\n -ssl3 00 SSLv3\n -tls1 01 TLS 1\n -tls1_1 02 TLS 1.1\n -tls1_2 03 TLS 1.2\n" | while read proto proto_hex proto_text; do "$using_sockets" || locally_supported "$proto" "$proto_text" || continue "$using_sockets" && out "$proto_text " outln @@ -3365,7 +3363,7 @@ create_client_simulation_tls_clienthello() { if [[ $offset -ge $tls_handshake_ascii_len ]]; then # No extensions - retstring "$tls_handshake_ascii" + tm_out "$tls_handshake_ascii" return 0 fi @@ -3398,7 +3396,7 @@ create_client_simulation_tls_clienthello() { done if ! $sni_extension_found; then - retstring "$tls_handshake_ascii" + tm_out "$tls_handshake_ascii" return 0 fi @@ -3417,7 +3415,7 @@ create_client_simulation_tls_clienthello() { tls_handshake_ascii_len_hex=$(printf "%02x\n" $tls_handshake_ascii_len) len2twobytes "$tls_handshake_ascii_len_hex" tls_handshake_ascii="${tls_content_type}${tls_version_reclayer}${LEN_STR:0:2}${LEN_STR:4:2}${tls_handshake_ascii}" - retstring "$tls_handshake_ascii" + tm_out "$tls_handshake_ascii" return 0 } @@ -3486,7 +3484,7 @@ client_simulation_sockets() { fi done - debugme outln_term "reading server hello..." + debugme tmln_out "reading server hello..." if [[ "$DEBUG" -ge 4 ]]; then hexdump -C $SOCK_REPLY_FILE | head -6 echo @@ -3506,7 +3504,7 @@ client_simulation_sockets() { # see https://secure.wand.net.nz/trac/libprotoident/wiki/SSL lines=$(count_lines "$(hexdump -C "$SOCK_REPLY_FILE" 2>$ERRFILE)") - debugme out_term " (returned $lines lines) " + debugme tm_out " (returned $lines lines) " # determine the return value for higher level, so that they can tell what the result is if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then @@ -3514,7 +3512,7 @@ client_simulation_sockets() { else ret=0 fi - debugme outln_term + debugme tmln_out close_socket TMPFILE=$SOCK_REPLY_FILE @@ -4302,7 +4300,7 @@ run_client_simulation() { fi outln - debugme outln_term + debugme tmln_out for name in "${short[@]}"; do #FIXME: printf formatting would look better, especially if we want a wide option here out " ${names[i]} " @@ -4399,7 +4397,7 @@ run_client_simulation() { locally_supported() { [[ -n "$2" ]] && out "$2 " if $OPENSSL s_client "$1" -connect x 2>&1 | grep -aq "unknown option"; then - local_problem_ln "$OPENSSL doesn't support \"s_client $1\"" + prln_local_problem "$OPENSSL doesn't support \"s_client $1\"" return 7 fi return 0 @@ -4471,13 +4469,13 @@ run_protocols() { if "$SSL_NATIVE"; then using_sockets=false - pr_underlineln "via native openssl" + prln_underline "via native openssl" else using_sockets=true if [[ -n "$STARTTLS" ]]; then - pr_underlineln "via sockets " + prln_underline "via sockets " else - pr_underlineln "via sockets except SPDY+HTTP2 " + prln_underline "via sockets except SPDY+HTTP2 " fi fi outln @@ -4493,21 +4491,21 @@ run_protocols() { fileout "sslv2" "WARN" "SSLv2: received a strange SSLv2 reply (rerun with DEBUG>=2)" ;; 1) # no sslv2 server hello returned, like in openlitespeed which returns HTTP! - pr_done_bestln "not offered (OK)" + prln_done_best "not offered (OK)" fileout "sslv2" "OK" "SSLv2 is not offered" ;; 0) # reset - pr_done_bestln "not offered (OK)" + prln_done_best "not offered (OK)" fileout "sslv2" "OK" "SSLv2 is not offered" ;; 3) # everything else lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") - [[ "$DEBUG" -ge 2 ]] && out_term " ($lines lines) " + [[ "$DEBUG" -ge 2 ]] && tm_out " ($lines lines) " if [[ "$lines" -gt 1 ]]; then nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) add_tls_offered "ssl2" if [[ 0 -eq "$nr_ciphers_detected" ]]; then - pr_svrty_highln "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 "; + prln_svrty_high "supported but couldn't detect a cipher and vulnerable to CVE-2015-3197 "; fileout "sslv2" "HIGH" "SSLv2 is offered, vulnerable to CVE-2015-3197" else pr_svrty_critical "offered (NOT ok), also VULNERABLE to DROWN attack"; @@ -4516,17 +4514,17 @@ run_protocols() { fi fi ;; esac - debugme outln_term + debugme tmln_out else run_prototest_openssl "-ssl2" case $? in 0) - pr_svrty_criticalln "offered (NOT ok)" + prln_svrty_critical "offered (NOT ok)" fileout "sslv2" "CRITICAL" "SSLv2 is offered" add_tls_offered "ssl2" ;; 1) - pr_done_bestln "not offered (OK)" + prln_done_best "not offered (OK)" fileout "sslv2" "OK" "SSLv2 is not offered" ;; 5) @@ -4548,23 +4546,23 @@ run_protocols() { fi case $? in 0) - pr_svrty_highln "offered (NOT ok)" + prln_svrty_high "offered (NOT ok)" fileout "sslv3" "HIGH" "SSLv3 is offered" latest_supported="0300" latest_supported_string="SSLv3" add_tls_offered "ssl3" ;; 1) - pr_done_bestln "not offered (OK)" + prln_done_best "not offered (OK)" fileout "sslv3" "OK" "SSLv3 is not offered" ;; 2) if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" - pr_svrty_criticalln "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + prln_svrty_critical "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" fileout "sslv3" "CRITICAL" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client" else - pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + prln_svrty_critical "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" fileout "sslv3" "CRITICAL" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fi ;; @@ -4599,22 +4597,22 @@ run_protocols() { outln fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad else - pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" + prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" fileout "tls1" "CRITICAL" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string" fi ;; 2) pr_svrty_medium "not offered" if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then - [[ $DEBUG -eq 1 ]] && out_term " -- downgraded" + [[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" outln fileout "tls1" "MEDIUM" "TLSv1.0 is not offered, and downgraded to SSL" elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" - pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client" + prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client" fileout "tls1" "CRITICAL" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client" else - pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" + prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1" "CRITICAL" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fi ;; @@ -4648,25 +4646,25 @@ run_protocols() { outln fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad else - pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string" + prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string" fileout "tls1_1" "CRITICAL" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string" fi ;; 2) out "not offered" if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then - [[ $DEBUG -eq 1 ]] && out_term " -- downgraded" + [[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" outln fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to a weaker protocol" elif [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0301" ]]; then - pr_svrty_criticalln " -- server supports TLSv1.0, but downgraded to SSLv3 (NOT ok)" + prln_svrty_critical " -- server supports TLSv1.0, but downgraded to SSLv3 (NOT ok)" fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, and downgraded to SSLv3 rather than TLSv1.0" elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0302 ]]; then detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" - pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client" else - pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" fileout "tls1_1" "CRITICAL" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fi ;; @@ -4688,7 +4686,7 @@ run_protocols() { fi case $? in 0) - pr_done_bestln "offered (OK)" + prln_done_best "offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered" latest_supported="0303" latest_supported_string="TLSv1.2" @@ -4700,7 +4698,7 @@ run_protocols() { outln fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty else - pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string" + prln_svrty_critical " -- connection failed rather than downgrading to $latest_supported_string" fileout "tls1_2" "CRITICAL" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string" fi ;; @@ -4712,17 +4710,17 @@ run_protocols() { detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" fi if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then - [[ $DEBUG -eq 1 ]] && out_term " -- downgraded" + [[ $DEBUG -eq 1 ]] && tm_out " -- downgraded" outln fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered and downgraded to a weaker protocol" elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then - pr_svrty_criticalln " -- server supports $latest_supported_string, but downgraded to $detected_version_string" + prln_svrty_critical " -- server supports $latest_supported_string, but downgraded to $detected_version_string" fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string" elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0303 ]]; then - pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client" + prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client" fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client" else - pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" + prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1_2" "CRITICAL" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fi ;; @@ -4877,14 +4875,14 @@ pr_ecdh_curve_quality() { # The return value is an indicator of the quality of the cipher in $1: # 0 = $1 is empty # 1 = pr_svrty_critical, 2 = pr_svrty_high, 3 = pr_svrty_medium, 4 = pr_svrty_low -# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best +# 5 = neither good nor bad, 6 = pr_done_good, 7 = pr_done_best pr_cipher_quality() { local cipher="$1" local text="$2" [[ -z "$1" ]] && return 0 [[ -z "$text" ]] && text="$cipher" - + if [[ "$cipher" != TLS_* ]] && [[ "$cipher" != SSL_* ]]; then # This must be the OpenSSL name for a cipher if [[ $TLS_NR_CIPHERS -eq 0 ]]; then @@ -4981,7 +4979,7 @@ read_dhbits_from_file() { [[ -n "$what_dh" ]] && HAS_DH_BITS=true # FIX 190 if [[ -z "$what_dh" ]] && ! "$HAS_DH_BITS"; then if [[ "$2" == "string" ]]; then - retstring "$old_fart" + tm_out "$old_fart" elif [[ -z "$2" ]]; then pr_warning "$old_fart" fi @@ -4989,7 +4987,7 @@ read_dhbits_from_file() { fi if [[ "$2" == "quiet" ]]; then - retstring "$bits" + tm_out "$bits" return 0 fi @@ -4998,7 +4996,7 @@ read_dhbits_from_file() { add="bit DH" [[ -n "$curve" ]] && add+=" ($curve)" if [[ "$2" == "string" ]]; then - retstring ", $bits $add" + tm_out ", $bits $add" else pr_dh_quality "$bits" "$bits $add" fi @@ -5007,7 +5005,7 @@ read_dhbits_from_file() { add="bit ECDH" [[ -n "$curve" ]] && add+=" ($curve)" if [[ "$2" == "string" ]]; then - retstring ", $bits $add" + tm_out ", $bits $add" else pr_ecdh_quality "$bits" "$bits $add" fi @@ -5058,7 +5056,7 @@ run_server_preference() { elif [[ -n "$STARTTLS_PROTOCOL" ]]; then # now it still could be that we hit this bug: https://github.com/drwetter/testssl.sh/issues/188 # workaround is to connect with a protocol - debugme out_term "(workaround #188) " + debugme tm_out "(workaround #188) " determine_optimal_proto $STARTTLS_PROTOCOL $OPENSSL s_client $STARTTLS $STARTTLS_OPTIMAL_PROTO -cipher $list_fwd $BUGS -connect $NODEIP:$PORT $PROXY $addcmd2 $ERRFILE >$TMPFILE if ! sclient_connect_successful $? $TMPFILE; then @@ -5097,7 +5095,7 @@ run_server_preference() { remark4default_cipher="" fileout "order" "OK" "Server sets a cipher order" fi - debugme out_term " $cipher1 | $cipher2" + debugme tm_out " $cipher1 | $cipher2" outln pr_bold " Negotiated protocol " @@ -5110,11 +5108,11 @@ run_server_preference() { default_proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') case "$default_proto" in *TLSv1.2) - pr_done_bestln $default_proto + prln_done_best $default_proto fileout "order_proto" "OK" "Default protocol TLS1.2" ;; *TLSv1.1) - pr_done_goodln $default_proto + prln_done_good $default_proto fileout "order_proto" "OK" "Default protocol TLS1.1" ;; *TLSv1) @@ -5122,11 +5120,11 @@ run_server_preference() { fileout "order_proto" "INFO" "Default protocol TLS1.0" ;; *SSLv2) - pr_svrty_criticalln $default_proto + prln_svrty_critical $default_proto fileout "order_proto" "CRITICAL" "Default protocol SSLv2" ;; *SSLv3) - pr_svrty_criticalln $default_proto + prln_svrty_critical $default_proto fileout "order_proto" "CRITICAL" "Default protocol SSLv3" ;; "") @@ -5192,7 +5190,7 @@ run_server_preference() { for p in ssl2 ssl3 tls1 tls1_1 tls1_2; do if [[ $p == ssl2 ]] && ! "$HAS_SSL2"; then if ! "$using_sockets" || [[ $TLS_NR_CIPHERS -eq 0 ]]; then - out " (SSLv2: "; local_problem "$OPENSSL doesn't support \"s_client -ssl2\""; outln ")"; + out " (SSLv2: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""; outln ")"; continue else sslv2_sockets "" "true" @@ -5214,7 +5212,7 @@ run_server_preference() { fi fi done - [[ $DEBUG -ge 2 ]] && outln_term "Default cipher for ${proto[i]}: ${cipher[i]}" + [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" else proto[i]="" cipher[i]="" @@ -5222,7 +5220,7 @@ run_server_preference() { fi elif [[ $p == ssl3 ]] && ! "$HAS_SSL3"; then if ! "$using_sockets"; then - out " (SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")"; + out " (SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\"" ; outln ")"; continue else tls_sockets "00" "$TLS_CIPHER" @@ -5234,7 +5232,7 @@ run_server_preference() { cipher[i]="$(rfc2openssl "$cipher1")" [[ -z "${cipher[i]}" ]] && cipher[i]="$cipher1" fi - [[ $DEBUG -ge 2 ]] && outln_term "Default cipher for ${proto[i]}: ${cipher[i]}" + [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" else proto[i]="" cipher[i]="" @@ -5251,7 +5249,7 @@ run_server_preference() { cipher[i]="$(openssl2rfc "${cipher[i]}")" [[ -z "${cipher[i]}" ]] && cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') fi - [[ $DEBUG -ge 2 ]] && outln_term "Default cipher for ${proto[i]}: ${cipher[i]}" + [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" else proto[i]="" cipher[i]="" @@ -5275,7 +5273,7 @@ run_server_preference() { cipher[i]="$(openssl2rfc "${cipher[i]}")" [[ -z "${cipher[i]}" ]] && cipher[i]=$(grep -aw "Cipher" $TMPFILE | egrep -avw "New|is" | sed -e 's/^.*Cipher.*://' -e 's/ //g') fi - [[ $DEBUG -ge 2 ]] && outln_term "Default cipher for ${proto[i]}: ${cipher[i]}" + [[ $DEBUG -ge 2 ]] && tmln_out "Default cipher for ${proto[i]}: ${cipher[i]}" fi fi else @@ -5335,7 +5333,7 @@ check_tls12_pref() { nr_ciphers_found_r1+=1 "$FAST" && break else - debugme outln_term "A: $tested_cipher" + debugme tmln_out "A: $tested_cipher" break fi done @@ -5350,10 +5348,10 @@ check_tls12_pref() { order+=" $cipher" batchremoved="$batchremoved:-$cipher" nr_ciphers_found_r1+=1 - debugme outln_term "B1: $batchremoved" + debugme tmln_out "B1: $batchremoved" "$FAST" && break else - debugme outln_term "B2: $batchremoved" + debugme tmln_out "B2: $batchremoved" break # nothing left with batchremoved ciphers, we need to put everything together fi @@ -5378,14 +5376,14 @@ check_tls12_pref() { fi done if "$FAST" && [[ $nr_ciphers_found_r2 -ne 1 ]]; then - fixmeln "something weird happened around line $((LINENO - 14))" + prln_fixme "something weird happened around line $((LINENO - 14))" return 1 elif ! "$FAST" && [[ $nr_ciphers_found_r2 -ne $nr_ciphers_found_r1 ]]; then - fixmeln "something weird happened around line $((LINENO - 16))" + prln_fixme "something weird happened around line $((LINENO - 16))" return 1 fi fi - retstring "$order" + tm_out "$order" tmpfile_handle $FUNCNAME.txt return 0 @@ -5408,10 +5406,10 @@ cipher_pref_check() { pr_bold " Cipher order" - retstring " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n" | while read p proto_hex proto; do + tm_out " ssl3 00 SSLv3\n tls1 01 TLSv1\n tls1_1 02 TLSv1.1\n tls1_2 03 TLSv1.2\n" | while read p proto_hex proto; do order=""; ciphers_found_with_sockets=false if [[ $p == ssl3 ]] && ! "$HAS_SSL3" && ! "$using_sockets"; then - out "\n SSLv3: "; local_problem "$OPENSSL doesn't support \"s_client -ssl3\""; + out "\n SSLv3: "; pr_local_problem "$OPENSSL doesn't support \"s_client -ssl3\""; continue fi has_server_protocol "$p" || continue @@ -5639,7 +5637,7 @@ get_host_cert() { awk '/-----BEGIN/,/-----END/ { print $0 }' $tmpvar >$HOSTCERT return 0 else - [[ -z "$1" ]] && pr_warningln "could not retrieve host certificate!" + [[ -z "$1" ]] && prln_warning "could not retrieve host certificate!" #fileout "host_certificate" "WARN" "Could not retrieve host certificate!" return 1 fi @@ -5653,17 +5651,17 @@ verify_retcode_helper() { case $retcode in # codes from ./doc/apps/verify.pod | verify(1ssl) - 26) retstring "(unsupported certificate purpose)" ;; # X509_V_ERR_INVALID_PURPOSE - 24) retstring "(certificate unreadable)" ;; # X509_V_ERR_INVALID_CA - 23) retstring "(certificate revoked)" ;; # X509_V_ERR_CERT_REVOKED - 21) retstring "(chain incomplete, only 1 cert provided)" ;; # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE - 20) retstring "(chain incomplete)" ;; # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY - 19) retstring "(self signed CA in chain)" ;; # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN - 18) retstring "(self signed)" ;; # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT - 10) retstring "(expired)" ;; # X509_V_ERR_CERT_HAS_EXPIRED - 9) retstring "(not yet valid)" ;; # X509_V_ERR_CERT_NOT_YET_VALID - 2) retstring "(issuer cert missing)" ;; # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT - *) ret=1 ; retstring " (unknown, pls report) $1" ;; + 26) tm_out "(unsupported certificate purpose)" ;; # X509_V_ERR_INVALID_PURPOSE + 24) tm_out "(certificate unreadable)" ;; # X509_V_ERR_INVALID_CA + 23) tm_out "(certificate revoked)" ;; # X509_V_ERR_CERT_REVOKED + 21) tm_out "(chain incomplete, only 1 cert provided)" ;; # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE + 20) tm_out "(chain incomplete)" ;; # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY + 19) tm_out "(self signed CA in chain)" ;; # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN + 18) tm_out "(self signed)" ;; # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT + 10) tm_out "(expired)" ;; # X509_V_ERR_CERT_HAS_EXPIRED + 9) tm_out "(not yet valid)" ;; # X509_V_ERR_CERT_NOT_YET_VALID + 2) tm_out "(issuer cert missing)" ;; # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT + *) ret=1 ; tm_out " (unknown, pls report) $1" ;; esac return $ret } @@ -5695,7 +5693,7 @@ determine_trust() { addtl_warning="(Your $OPENSSL <= 1.0.2 might be too unreliable to determine trust)" fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning" fi - debugme outln_term + debugme tmln_out # if you run testssl.sh from a different path /you can set either TESTSSL_INSTALL_DIR or CA_BUNDLES_PATH to find the CA BUNDLES if [[ -z $CA_BUNDLES_PATH ]]; then @@ -5706,7 +5704,7 @@ determine_trust() { for bundle_fname in $ca_bundles; do certificate_file[i]=$(basename ${bundle_fname//.pem}) if [[ ! -r $bundle_fname ]]; then - pr_warningln "\"$bundle_fname\" cannot be found / not readable" + prln_warning "\"$bundle_fname\" cannot be found / not readable" return 7 fi debugme printf -- " %-12s" "${certificate_file[i]}" @@ -5722,18 +5720,18 @@ determine_trust() { if [[ ${verify_retcode[i]} -eq 0 ]]; then trust[i]=true some_ok=true - debugme pr_done_good_term "Ok " - debugme outln_term "${verify_retcode[i]}" + debugme tm_done_good "Ok " + debugme tmln_out "${verify_retcode[i]}" else trust[i]=false all_ok=false - debugme pr_svrty_high_term "not trusted " - debugme outln_term "${verify_retcode[i]}" + debugme tm_svrty_high "not trusted " + debugme tmln_out "${verify_retcode[i]}" fi i=$((i + 1)) done num_ca_bundles=$((i - 1)) - debugme out_term " " + debugme tm_out " " if $all_ok; then # all stores ok pr_done_good "Ok "; pr_warning "$addtl_warning" @@ -5776,7 +5774,7 @@ determine_trust() { #outln "$code" outln # lf + green ones - [[ "$DEBUG" -eq 0 ]] && out_term "$spaces" + [[ "$DEBUG" -eq 0 ]] && tm_out "$spaces" pr_done_good "OK: $ok_was" fi fileout "${json_prefix}chain_of_trust" "CRITICAL" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" @@ -5810,10 +5808,10 @@ tls_time() { out "$difftime"; out " sec from localtime"; fileout "tls_time" "INFO" "Your TLS time is skewed from your localtime by $difftime seconds" fi - debugme out_term "$TLS_TIME" + debugme tm_out "$TLS_TIME" outln else - pr_warningln "SSLv3 through TLS 1.2 didn't return a timestamp" + prln_warning "SSLv3 through TLS 1.2 didn't return a timestamp" fileout "tls_time" "INFO" "No TLS timestamp returned by SSLv3 through TLSv1.2" fi return 0 @@ -5991,7 +5989,7 @@ get_server_certificate() { $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY $addcmd -$proto -tlsextdebug >$ERRFILE >$TMPFILE if ! sclient_connect_successful $? $TMPFILE; then if [ -z "$1" ]; then - pr_warningln "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))" + prln_warning "Strange, no SSL/TLS protocol seems to be supported (error around line $((LINENO - 6)))" fi tmpfile_handle $FUNCNAME.txt return 7 # this is ugly, I know @@ -6191,11 +6189,11 @@ must_staple() { local cert extn local -i extn_len local supported=false - + # Note this function is only looking for status_request (5) and not # status_request_v2 (17), since OpenSSL seems to only include status_request (5) # in its ClientHello when the "-status" option is used. - + # OpenSSL 1.1.0 supports pretty-printing the "TLS Feature extension." For any # previous versions of OpenSSL, OpenSSL can only show if the extension OID is present. if $OPENSSL x509 -in "$HOSTCERT" -noout -text 2>>$ERRFILE | grep -A 1 "TLS Feature:" | grep -q "status_request"; then @@ -6220,7 +6218,7 @@ must_staple() { fi if "$supported"; then - pr_done_bestln "Supported" + prln_done_best "Supported" fileout "${json_prefix}ocsp_must_staple" "OK" "OCSP must staple : supported" return 0 else @@ -6287,19 +6285,19 @@ certificate_info() { fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: SHA224 with RSA" ;; sha256WithRSAEncryption) - pr_done_goodln "SHA256 with RSA" + prln_done_good "SHA256 with RSA" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA" ;; sha384WithRSAEncryption) - pr_done_goodln "SHA384 with RSA" + prln_done_good "SHA384 with RSA" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA" ;; sha512WithRSAEncryption) - pr_done_goodln "SHA512 with RSA" + prln_done_good "SHA512 with RSA" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA" ;; ecdsa-with-SHA1) - pr_svrty_mediumln "ECDSA with SHA1" + prln_svrty_medium "ECDSA with SHA1" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: ECDSA with SHA1" ;; ecdsa-with-SHA224) @@ -6307,19 +6305,19 @@ certificate_info() { fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: ECDSA with SHA224" ;; ecdsa-with-SHA256) - pr_done_goodln "ECDSA with SHA256" + prln_done_good "ECDSA with SHA256" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256" ;; ecdsa-with-SHA384) - pr_done_goodln "ECDSA with SHA384" + prln_done_good "ECDSA with SHA384" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA384" ;; ecdsa-with-SHA512) - pr_done_goodln "ECDSA with SHA512" + prln_done_good "ECDSA with SHA512" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA512" ;; dsaWithSHA1) - pr_svrty_mediumln "DSA with SHA1" + prln_svrty_medium "DSA with SHA1" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: DSA with SHA1" ;; dsa_with_SHA224) @@ -6327,14 +6325,14 @@ certificate_info() { fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: DSA with SHA224" ;; dsa_with_SHA256) - pr_done_goodln "DSA with SHA256" + prln_done_good "DSA with SHA256" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: DSA with SHA256" ;; rsassaPss) cert_sig_hash_algo="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 1 "Signature Algorithm" | head -2 | tail -1 | sed 's/^.*Hash Algorithm: //')" case $cert_sig_hash_algo in sha1) - pr_svrty_mediumln "RSASSA-PSS with SHA1" + prln_svrty_medium "RSASSA-PSS with SHA1" fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: RSASSA-PSS with SHA1" ;; sha224) @@ -6342,33 +6340,33 @@ certificate_info() { fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: RSASSA-PSS with SHA224" ;; sha256) - pr_done_goodln "RSASSA-PSS with SHA256" + prln_done_good "RSASSA-PSS with SHA256" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: RSASSA-PSS with SHA256" ;; sha384) - pr_done_goodln "RSASSA-PSS with SHA384" + prln_done_good "RSASSA-PSS with SHA384" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: RSASSA-PSS with SHA384" ;; sha512) - pr_done_goodln "RSASSA-PSS with SHA512" + prln_done_good "RSASSA-PSS with SHA512" fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: RSASSA-PSS with SHA512" ;; *) out "RSASSA-PSS with $cert_sig_hash_algo" - pr_warningln " (Unknown hash algorithm)" + prln_warning " (Unknown hash algorithm)" fileout "${json_prefix}algorithm" "DEBUG" "Signature Algorithm: RSASSA-PSS with $cert_sig_hash_algo" esac ;; md2*) - pr_svrty_criticalln "MD2" + prln_svrty_critical "MD2" fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD2" ;; md4*) - pr_svrty_criticalln "MD4" + prln_svrty_critical "MD4" fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD4" ;; md5*) - pr_svrty_criticalln "MD5" + prln_svrty_critical "MD5" fileout "${json_prefix}algorithm" "CRITICAL" "Signature Algorithm: MD5" ;; *) @@ -6391,7 +6389,7 @@ certificate_info() { *ecdsa*|*ecPublicKey) out "ECDSA ";; *GOST*|*gost*) out "GOST ";; *dh*|*DH*) out "DH " ;; - *) pr_warning "fixme: $cert_key_algo " ;; + *) pr_warning "pr_fixme: $cert_key_algo " ;; esac # https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/ # http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf @@ -6485,9 +6483,9 @@ certificate_info() { cn_nosni="$(get_cn_from_cert "$HOSTCERT.nosni")" [[ -z "$cn_nosni" ]] && cn_nosni="no CN field in subject" fi - debugme out_term "\"$NODE\" | \"$cn\" | \"$cn_nosni\"" + debugme tm_out "\"$NODE\" | \"$cn\" | \"$cn_nosni\"" else - debugme out_term "\"$NODE\" | \"$cn\"" + debugme tm_out "\"$NODE\" | \"$cn\"" fi #FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite) @@ -6539,7 +6537,7 @@ certificate_info() { issuer_DC="$(awk -F'=' '/DC=/ { print $2 }' <<< "$issuer")" if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$cn" ]]; then - pr_svrty_criticalln "self-signed (NOT ok)" + prln_svrty_critical "self-signed (NOT ok)" fileout "${json_prefix}issuer" "CRITICAL" "Issuer: selfsigned" else issuerfinding="$issuer_CN" @@ -6645,7 +6643,7 @@ certificate_info() { trustfinding_nosni="" fi if "$has_dns_sans" && ( [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] ); then - pr_svrty_mediumln "$trustfinding_nosni" + prln_svrty_medium "$trustfinding_nosni" else outln "$trustfinding_nosni" fi @@ -6978,7 +6976,7 @@ run_server_defaults() { lifetime=$(echo $sessticket_str | grep -a lifetime | sed 's/[A-Za-z:() ]//g') unit=$(echo $sessticket_str | grep -a lifetime | sed -e 's/^.*'"$lifetime"'//' -e 's/[ ()]//g') out "$lifetime $unit " - pr_svrty_lowln "(PFS requires session ticket keys to be rotated <= daily)" + prln_svrty_low "(PFS requires session ticket keys to be rotated <= daily)" fileout "session_ticket" "LOW" "TLS session tickes RFC 5077 valid for $lifetime $unit (PFS requires session ticket keys to be rotated at least daily)" fi @@ -7028,7 +7026,7 @@ run_pfs() { [[ $TLS_NR_CIPHERS == 0 ]] && using_sockets=false outln - pr_headline " Testing robust (perfect) forward secrecy"; pr_underlineln ", (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 " + pr_headline " Testing robust (perfect) forward secrecy"; prln_underline ", (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 " if ! "$using_sockets"; then [[ $TLS_NR_CIPHERS == 0 ]] && ! "$SSL_NATIVE" && ! "$FAST" && pr_warning " Cipher mapping not available, doing a fallback to openssl" if ! "$HAS_DH_BITS" && "$WIDE"; then @@ -7087,7 +7085,7 @@ run_pfs() { debugme echo $(actually_supported_ciphers $pfs_cipher_list) if [[ "$nr_supported_ciphers" -le "$CLIENT_MIN_PFS" ]]; then outln - local_problem_ln "You only have $nr_supported_ciphers PFS ciphers on the client side " + prln_local_problem "You only have $nr_supported_ciphers PFS ciphers on the client side " fileout "pfs" "WARN" "(Perfect) Forward Secrecy tests: Skipped. You only have $nr_supported_ciphers PFS ciphers on the client site. ($CLIENT_MIN_PFS are required)" return 1 fi @@ -7099,7 +7097,7 @@ run_pfs() { if [[ $sclient_success -ne 0 ]]; then outln - pr_svrty_mediumln " No ciphers supporting Forward Secrecy offered" + prln_svrty_medium " No ciphers supporting Forward Secrecy offered" fileout "pfs" "MEDIUM" "(Perfect) Forward Secrecy : No ciphers supporting Forward Secrecy offered" else outln @@ -7352,7 +7350,7 @@ spdy_pre(){ return 1 fi if ! "$HAS_SPDY"; then - local_problem "$OPENSSL doesn't support SPDY/NPN"; + pr_local_problem "$OPENSSL doesn't support SPDY/NPN"; fileout "spdy_npn" "WARN" "SPDY/NPN : not tested $OPENSSL doesn't support SPDY/NPN" return 7 fi @@ -7373,7 +7371,7 @@ http2_pre(){ return 1 fi if ! "$HAS_ALPN" && "$SSL_NATIVE"; then - local_problem_ln "$OPENSSL doesn't support HTTP2/ALPN"; + prln_local_problem "$OPENSSL doesn't support HTTP2/ALPN"; fileout "https_alpn" "WARN" "HTTP2/ALPN : HTTP/2 was not tested as $OPENSSL does not support it" return 7 fi @@ -7403,7 +7401,7 @@ run_spdy() { fileout "spdy_npn" "INFO" "SPDY/NPN : $tmpstr (advertised)" ret=0 else - pr_cyanln "please check manually, server response was ambiguous ..." + prln_cyan "please check manually, server response was ambiguous ..." fileout "spdy_npn" "INFO" "SPDY/NPN : please check manually, server response was ambiguous ..." ret=10 fi @@ -7661,7 +7659,7 @@ fd_socket() { proyxline=${proyxline#* } if [[ "${proyxline%% *}" != "200" ]]; then pr_magenta "Unable to CONNECT via proxy. " - [[ "$PORT" != 443 ]] && pr_magentaln "Check whether your proxy supports port $PORT and the underlying protocol." + [[ "$PORT" != 443 ]] && prln_magenta "Check whether your proxy supports port $PORT and the underlying protocol." return 6 fi fi @@ -8022,7 +8020,7 @@ get_dh_ephemeralkey() { key_bitstring="$($OPENSSL pkey -pubin -in $tmp_der_key_file -inform DER 2> $ERRFILE)" rm $tmp_der_key_file [[ -z "$key_bitstring" ]] && return 1 - retstring "$key_bitstring" + tm_out "$key_bitstring" return 0 } @@ -8262,7 +8260,7 @@ parse_tls_serverhello() { if [[ $tls_hello_ascii_len-$i -lt 10 ]]; then if [[ "$process_full" == "all" ]]; then # The entire server response should have been retrieved. - debugme pr_warningln_term "Malformed message." + debugme tmln_warning "Malformed message." return 1 else # This could just be a result of the server's response being @@ -8279,28 +8277,28 @@ parse_tls_serverhello() { if [[ $DEBUG -ge 2 ]]; then echo " tls_protocol (reclyr): 0x$tls_protocol" - out_term " tls_content_type: 0x$tls_content_type" + tm_out " tls_content_type: 0x$tls_content_type" case $tls_content_type in - 15) outln_term " (alert)" ;; - 16) outln_term " (handshake)" ;; - 17) outln_term " (application data)" ;; - *) outln_term ;; + 15) tmln_out " (alert)" ;; + 16) tmln_out " (handshake)" ;; + 17) tmln_out " (application data)" ;; + *) tmln_out ;; esac echo " msg_len: $((msg_len/2))" - outln_term + tmln_out fi if [[ $tls_content_type != "15" ]] && [[ $tls_content_type != "16" ]] && [[ $tls_content_type != "17" ]]; then - debugme pr_warningln_term "Content type other than alert, handshake, or application data detected." + debugme tmln_warning "Content type other than alert, handshake, or application data detected." return 1 elif [[ "${tls_protocol:0:2}" != "03" ]]; then - debugme pr_warningln_term "Protocol record_version.major is not 03." + debugme tmln_warning "Protocol record_version.major is not 03." return 1 fi DETECTED_TLS_VERSION=$tls_protocol if [[ $msg_len -gt $tls_hello_ascii_len-$i ]]; then if [[ "$process_full" == "all" ]]; then - debugme pr_warningln_term "Malformed message." + debugme tmln_warning "Malformed message." return 1 else # This could just be a result of the server's response being @@ -8320,7 +8318,7 @@ parse_tls_serverhello() { # Now check the alert messages. tls_alert_ascii_len=${#tls_alert_ascii} if [[ "$process_full" == "all" ]] && [[ $tls_alert_ascii_len%4 -ne 0 ]]; then - debugme pr_warningln_term "Malformed message." + debugme tmln_warning "Malformed message." return 1 fi if [[ $tls_alert_ascii_len -gt 0 ]]; then @@ -8331,7 +8329,7 @@ parse_tls_serverhello() { tls_err_descr=${tls_alert_ascii:j:2} # 112/0x70: Unrecognized name, 111/0x6F: certificate_unobtainable, # 113/0x71: bad_certificate_status_response, #114/0x72: bad_certificate_hash_value - debugme out_term " tls_err_descr: 0x${tls_err_descr} / = $(hex2dec ${tls_err_descr})" + debugme tm_out " tls_err_descr: 0x${tls_err_descr} / = $(hex2dec ${tls_err_descr})" case $tls_err_descr in 00) tls_alert_descrip="close notify" ;; 01) tls_alert_descrip="end of early data" ;; @@ -8377,17 +8375,17 @@ parse_tls_serverhello() { echo "alert $tls_alert_descrip" >> $TMPFILE echo "===============================================================================" >> $TMPFILE if [[ $DEBUG -ge 2 ]]; then - outln_term " ($tls_alert_descrip)" - out_term " tls_err_level: ${tls_err_level}" + tmln_out " ($tls_alert_descrip)" + tm_out " tls_err_level: ${tls_err_level}" case $tls_err_level in - 01) outln_term " (warning)" ;; - 02) outln_term " (fatal)" ;; - *) outln_term ;; + 01) tmln_out " (warning)" ;; + 02) tmln_out " (fatal)" ;; + *) tmln_out ;; esac - outln_term + tmln_out fi if [[ "$tls_err_level" != "01" ]] && [[ "$tls_err_level" != "02" ]]; then - debugme pr_warningln_term "Unexpected AlertLevel (0x$tls_err_level)." + debugme tmln_warning "Unexpected AlertLevel (0x$tls_err_level)." return 1 elif [[ "$tls_err_level" == "02" ]]; then # Fatal alert @@ -8407,7 +8405,7 @@ parse_tls_serverhello() { if [[ $tls_handshake_ascii_len-$i -lt 8 ]]; then if [[ "$process_full" == "all" ]]; then # The entire server response should have been retrieved. - debugme pr_warningln_term "Malformed message." + debugme tmln_warning "Malformed message." return 1 else # This could just be a result of the server's response being @@ -8421,34 +8419,34 @@ parse_tls_serverhello() { i=$i+6 if [[ $DEBUG -ge 2 ]]; then - out_term " handshake type: 0x${tls_msg_type}" + tm_out " handshake type: 0x${tls_msg_type}" case $tls_msg_type in - 00) outln_term " (hello_request)" ;; - 01) outln_term " (client_hello)" ;; - 02) outln_term " (server_hello)" ;; - 03) outln_term " (hello_verify_request)" ;; - 04) outln_term " (NewSessionTicket)" ;; - 06) outln_term " (hello_retry_request)" ;; - 08) outln_term " (encrypted_extensions)" ;; - 0B) outln_term " (certificate)" ;; - 0C) outln_term " (server_key_exchange)" ;; - 0D) outln_term " (certificate_request)" ;; - 0E) outln_term " (server_hello_done)" ;; - 0F) outln_term " (certificate_verify)" ;; - 10) outln_term " (client_key_exchange)" ;; - 14) outln_term " (finished)" ;; - 15) outln_term " (certificate_url)" ;; - 16) outln_term " (certificate_status)" ;; - 17) outln_term " (supplemental_data)" ;; - 18) outln_term " (key_update)" ;; - *) outln_term ;; + 00) tmln_out " (hello_request)" ;; + 01) tmln_out " (client_hello)" ;; + 02) tmln_out " (server_hello)" ;; + 03) tmln_out " (hello_verify_request)" ;; + 04) tmln_out " (NewSessionTicket)" ;; + 06) tmln_out " (hello_retry_request)" ;; + 08) tmln_out " (encrypted_extensions)" ;; + 0B) tmln_out " (certificate)" ;; + 0C) tmln_out " (server_key_exchange)" ;; + 0D) tmln_out " (certificate_request)" ;; + 0E) tmln_out " (server_hello_done)" ;; + 0F) tmln_out " (certificate_verify)" ;; + 10) tmln_out " (client_key_exchange)" ;; + 14) tmln_out " (finished)" ;; + 15) tmln_out " (certificate_url)" ;; + 16) tmln_out " (certificate_status)" ;; + 17) tmln_out " (supplemental_data)" ;; + 18) tmln_out " (key_update)" ;; + *) tmln_out ;; esac echo " msg_len: $((msg_len/2))" - outln_term + tmln_out fi if [[ $msg_len -gt $tls_handshake_ascii_len-$i ]]; then if [[ "$process_full" == "all" ]]; then - debugme pr_warningln_term "Malformed message." + debugme tmln_warning "Malformed message." return 1 else # This could just be a result of the server's response being @@ -8460,28 +8458,28 @@ parse_tls_serverhello() { if [[ "$tls_msg_type" == "02" ]]; then if [[ -n "$tls_serverhello_ascii" ]]; then - debugme pr_warningln_term "Response contained more than one ServerHello handshake message." + debugme tmln_warning "Response contained more than one ServerHello handshake message." return 1 fi tls_serverhello_ascii="${tls_handshake_ascii:i:msg_len}" tls_serverhello_ascii_len=$msg_len elif [[ "$process_full" == "all" ]] && [[ "$tls_msg_type" == "0B" ]]; then if [[ -n "$tls_certificate_ascii" ]]; then - debugme pr_warningln_term "Response contained more than one Certificate handshake message." + debugme tmln_warning "Response contained more than one Certificate handshake message." return 1 fi tls_certificate_ascii="${tls_handshake_ascii:i:msg_len}" tls_certificate_ascii_len=$msg_len elif ( [[ "$process_full" == "all" ]] || [[ "$process_full" == "ephemeralkey" ]] ) && [[ "$tls_msg_type" == "0C" ]]; then if [[ -n "$tls_serverkeyexchange_ascii" ]]; then - debugme pr_warningln_term "Response contained more than one ServerKeyExchange handshake message." + debugme tmln_warning "Response contained more than one ServerKeyExchange handshake message." return 1 fi tls_serverkeyexchange_ascii="${tls_handshake_ascii:i:msg_len}" tls_serverkeyexchange_ascii_len=$msg_len elif [[ "$process_full" == "all" ]] && [[ "$tls_msg_type" == "16" ]]; then if [[ -n "$tls_certificate_status_ascii" ]]; then - debugme pr_warningln_term "Response contained more than one certificate_status handshake message." + debugme tmln_warning "Response contained more than one certificate_status handshake message." return 1 fi tls_certificate_status_ascii="${tls_handshake_ascii:i:msg_len}" @@ -8498,7 +8496,7 @@ parse_tls_serverhello() { return 1 elif [[ "${tls_handshake_ascii:0:2}" != "02" ]]; then # the ServerHello MUST be the first handshake message - debugme pr_warningln_term "The first handshake protocol message is not a ServerHello." + debugme tmln_warning "The first handshake protocol message is not a ServerHello." return 1 fi @@ -8512,7 +8510,7 @@ parse_tls_serverhello() { # byte 38+39+sid-len: extension length tls_protocol2="${tls_serverhello_ascii:0:4}" if [[ "${tls_protocol2:0:2}" != "03" ]]; then - debugme pr_warningln_term "server_version.major in ServerHello is not 03." + debugme tmln_warning "server_version.major in ServerHello is not 03." return 1 fi DETECTED_TLS_VERSION="$tls_protocol2" @@ -8549,7 +8547,7 @@ parse_tls_serverhello() { fi tls_extensions_len=$(hex2dec "${tls_serverhello_ascii:extns_offset:4}")*2 if [[ $tls_extensions_len -ne $tls_serverhello_ascii_len-$extns_offset-4 ]]; then - debugme pr_warningln_term "Malformed message." + debugme tmln_warning "Malformed message." return 1 fi for (( i=0; i$ERRFILE)") - debugme out_term " (returned $lines lines) " + debugme tm_out " (returned $lines lines) " # determine the return value for higher level, so that they can tell what the result is if [[ $save -eq 1 ]] || [[ $lines -eq 1 ]]; then @@ -9441,7 +9439,7 @@ tls_sockets() { ret=2 # protocol NOT available, server downgraded to $DETECTED_TLS_VERSION fi fi - debugme outln_term + debugme tmln_out else debugme echo "stuck on sending: $ret" fi @@ -9547,16 +9545,16 @@ run_heartbleed(){ x00, x0f, x00, x01, x01" fd_socket 5 || return 6 - debugme out_term "\nsending client hello (TLS version $tls_hexcode)" - debugme outln_term " ($n of $hb_rounds)" + debugme tm_out "\nsending client hello (TLS version $tls_hexcode)" + debugme tmln_out " ($n of $hb_rounds)" socksend "$client_hello" 1 - debugme outln_term "\nreading server hello" + debugme tmln_out "\nreading server hello" sockread_serverhello 32768 if [[ $DEBUG -ge 4 ]]; then hexdump -C "$SOCK_REPLY_FILE" | head -20 - outln_term "[...]" - outln_term "\nsending payload with TLS version $tls_hexcode:" + tmln_out "[...]" + tmln_out "\nsending payload with TLS version $tls_hexcode:" fi rm "$SOCK_REPLY_FILE" @@ -9578,10 +9576,10 @@ run_heartbleed(){ debugme echo "lines HB reply: $lines_returned" if [[ $DEBUG -ge 3 ]]; then - outln_term "\nheartbleed reply: " + tmln_out "\nheartbleed reply: " hexdump -C "$SOCK_REPLY_FILE" | head -20 - [[ $lines_returned -gt 20 ]] && outln_term "[...]" - outln_term + [[ $lines_returned -gt 20 ]] && tmln_out "[...]" + tmln_out fi if [[ $lines_returned -gt 1 ]] && [[ "${tls_hello_ascii:0:4}" == "1803" ]]; then @@ -9620,7 +9618,7 @@ run_heartbleed(){ # helper function ok_ids(){ - pr_done_bestln "\n ok -- something resetted our ccs packets" + prln_done_best "\n ok -- something resetted our ccs packets" return 0 } @@ -9688,25 +9686,25 @@ run_ccs_injection(){ fd_socket 5 || return 6 # we now make a standard handshake ... - debugme out_term "\nsending client hello, " + debugme tm_out "\nsending client hello, " socksend "$client_hello" 1 - debugme outln_term "\nreading server hello" + debugme tmln_out "\nreading server hello" sockread_serverhello 32768 if [[ $DEBUG -ge 4 ]]; then hexdump -C "$SOCK_REPLY_FILE" | head -20 - outln_term "[...]" - out_term "\nsending payload #1 with TLS version $tls_hexcode: " + tmln_out "[...]" + tm_out "\nsending payload #1 with TLS version $tls_hexcode: " fi rm "$SOCK_REPLY_FILE" # ... and then send the a change cipher spec message socksend "$ccs_message" 1 || ok_ids sockread_serverhello 4096 $CCS_MAX_WAITSOCK if [[ $DEBUG -ge 3 ]]; then - outln_term "\n1st reply: " + tmln_out "\n1st reply: " hexdump -C "$SOCK_REPLY_FILE" | head -20 - outln_term - out_term "sending payload #2 with TLS version $tls_hexcode: " + tmln_out + tm_out "sending payload #2 with TLS version $tls_hexcode: " fi rm "$SOCK_REPLY_FILE" @@ -9719,9 +9717,9 @@ run_ccs_injection(){ debugme echo "tls_content_type: ${tls_hello_ascii:0:2} | tls_protocol: ${tls_hello_ascii:2:4} | byte6: $byte6" if [[ $DEBUG -ge 3 ]]; then - outln_term "\n2nd reply: " + tmln_out "\n2nd reply: " hexdump -C "$SOCK_REPLY_FILE" - outln_term + tmln_out fi # in general, see https://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol @@ -9796,20 +9794,20 @@ run_renego() { #FIXME: didn't occur to me yet but why not also to check on "Secure Renegotiation IS supported" case $sec_renego in 0) - pr_svrty_criticalln "VULNERABLE (NOT ok)" + prln_svrty_critical "VULNERABLE (NOT ok)" fileout "secure_renego" "CRITICAL" "Secure Renegotiation: VULNERABLE" "$cve" "$cwe" "$hint" ;; 1) - pr_done_bestln "not vulnerable (OK)" + prln_done_best "not vulnerable (OK)" fileout "secure_renego" "OK" "Secure Renegotiation: not vulnerable" "$cve" "$cwe" ;; *) - pr_warningln "FIXME (bug): $sec_renego" + prln_warning "FIXME (bug): $sec_renego" fileout "secure_renego" "WARN" "Secure Renegotiation: FIXME (bug) $sec_renego" "$cve" "$cwe" ;; esac else - pr_warningln "handshake didn't succeed" + prln_warning "handshake didn't succeed" fileout "secure_renego" "WARN" "Secure Renegotiation: handshake didn't succeed" "$cve" "$cwe" fi @@ -9820,7 +9818,7 @@ run_renego() { 0.9.8*) # we need this for Mac OSX unfortunately case "$OSSL_VER_APPENDIX" in [a-l]) - local_problem_ln "$OPENSSL cannot test this secure renegotiation vulnerability" + prln_local_problem "$OPENSSL cannot test this secure renegotiation vulnerability" fileout "sec_client_renego" "WARN" "Secure Client-Initiated Renegotiation : $OPENSSL cannot test this secure renegotiation vulnerability" "$cve" "$cwe" return 3 ;; @@ -9836,7 +9834,7 @@ run_renego() { esac if "$CLIENT_AUTH"; then - pr_warningln "client authentication prevents this from being tested" + prln_warning "client authentication prevents this from being tested" fileout "sec_client_renego" "WARN" "Secure Client-Initiated Renegotiation : client authentication prevents this from being tested" sec_client_renego=1 else @@ -9862,11 +9860,11 @@ run_renego() { fi ;; 1) - pr_done_goodln "not vulnerable (OK)" + prln_done_good "not vulnerable (OK)" fileout "sec_client_renego" "OK" "Secure Client-Initiated Renegotiation : not vulnerable" "$cve" "$cwe" ;; *) - pr_warningln "FIXME (bug): $sec_client_renego" + prln_warning "FIXME (bug): $sec_client_renego" fileout "sec_client_renego" "DEBUG" "Secure Client-Initiated Renegotiation : FIXME (bug) $sec_client_renego - Please report" "$cve" "$cwe" ;; esac @@ -9900,7 +9898,7 @@ run_crime() { $OPENSSL zlib -e -a -in /dev/stdin &>/dev/stdout $TEMPDIR/dh_p.txt if [[ ! -s "$common_primes_file" ]]; then - local_problem_ln "couldn't read common primes file $common_primes_file" + prln_local_problem "couldn't read common primes file $common_primes_file" out "${spaces}" fileout "LOGJAM_common primes" "WARN" "couldn't read common primes file $common_primes_file" ret=7 @@ -10561,7 +10559,7 @@ run_drown() { case $? in 7) # strange reply, couldn't convert the cipher spec length to a hex number - fixme "strange v2 reply " + pr_fixme "strange v2 reply " outln " (rerun with DEBUG >=2)" [[ $DEBUG -ge 3 ]] && hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" | head -1 ret=7 @@ -10569,20 +10567,20 @@ run_drown() { ;; 3) # vulnerable lines=$(count_lines "$(hexdump -C "$TEMPDIR/$NODEIP.sslv2_sockets.dd" 2>/dev/null)") - debugme out_term " ($lines lines) " + debugme tm_out " ($lines lines) " if [[ "$lines" -gt 1 ]]; then nr_ciphers_detected=$((V2_HELLO_CIPHERSPEC_LENGTH / 3)) if [[ 0 -eq "$nr_ciphers_detected" ]]; then - pr_svrty_highln "SSLv2 is supported but couldn't detect a cipher (NOT ok)"; + prln_svrty_high "SSLv2 is supported but couldn't detect a cipher (NOT ok)"; fileout "drown" "HIGH" "SSLv2 is offered, but could not detect a cipher" "$cve" "$cwe" "$hint" else - pr_svrty_criticalln "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"; + prln_svrty_critical "VULNERABLE (NOT ok), SSLv2 offered with $nr_ciphers_detected ciphers"; fileout "drown" "CRITICAL" "VULNERABLE, SSLv2 offered with $nr_ciphers_detected ciphers" "$cve" "$cwe" "$hint" fi fi ret=1 ;; - *) pr_done_bestln "not vulnerable on this port (OK)" + *) prln_done_best "not vulnerable on this port (OK)" fileout "drown" "OK" "not vulnerable to DROWN" "$cve" "$cwe" # Any fingerprint that is placed in $RSA_CERT_FINGERPRINT_SHA2 is # also added to $CERT_FINGERPRINT_SHA2, so if $CERT_FINGERPRINT_SHA2 @@ -10713,10 +10711,10 @@ run_beast(){ if [[ $? -ne 0 ]]; then # protocol supported? if "$continued"; then # second round: we hit TLS1 if "$HAS_SSL3" || "$using_sockets"; then - pr_done_goodln "no SSL3 or TLS1 (OK)" + prln_done_good "no SSL3 or TLS1 (OK)" fileout "beast" "OK" "BEAST: not vulnerable, no SSL3 or TLS1" "$cve" "$cwe" else - pr_done_goodln "no TLS1 (OK)" + prln_done_good "no TLS1 (OK)" fileout "beast" "OK" "BEAST: not vulnerable, no TLS1" "$cve" "$cwe" fi return 0 @@ -10843,12 +10841,12 @@ run_beast(){ first=false else [[ $proto == "tls1" ]] && ! $first && echo -n "$spaces " - pr_done_goodln "no CBC ciphers for $(toupper $proto) (OK)" + prln_done_good "no CBC ciphers for $(toupper $proto) (OK)" first=false fi else if ! "$vuln_beast" ; then - pr_done_goodln " no CBC ciphers for $(toupper $proto) (OK)" + prln_done_good " no CBC ciphers for $(toupper $proto) (OK)" fileout "cbc_$proto" "OK" "BEAST: No CBC ciphers for $(toupper $proto)" "$cve" "$cwe" fi fi @@ -10878,7 +10876,7 @@ run_beast(){ fileout "beast" "MEDIUM" "BEAST: VULNERABLE -- and no higher protocols as mitigation supported" "$cve" "$cwe" "$hint" fi fi - "$first" && ! "$vuln_beast" && pr_done_goodln "no CBC ciphers found for any protocol (OK)" + "$first" && ! "$vuln_beast" && prln_done_good "no CBC ciphers found for any protocol (OK)" "$using_sockets" && HAS_DH_BITS="$has_dh_bits" tmpfile_handle $FUNCNAME.txt @@ -11179,10 +11177,10 @@ run_rc4() { "$WIDE" && pr_svrty_high "VULNERABLE (NOT ok)" fileout "rc4" "HIGH" "RC4: VULNERABLE, Detected ciphers: $rc4_detected" "$cve" "$cwe" "$hint" elif [[ $nr_ciphers -eq 0 ]]; then - local_problem_ln "No RC4 Ciphers configured in $OPENSSL" + prln_local_problem "No RC4 Ciphers configured in $OPENSSL" fileout "rc4" "WARN" "RC4 ciphers not supported by local OpenSSL ($OPENSSL)" else - pr_done_goodln "no RC4 ciphers detected (OK)" + prln_done_good "no RC4 ciphers detected (OK)" fileout "rc4" "OK" "RC4: not vulnerable" "$cve" "$cwe" fi outln @@ -11228,7 +11226,7 @@ get_install_dir() { CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/etc/cipher-mapping.txt" [[ -z "$TESTSSL_INSTALL_DIR" ]] && TESTSSL_INSTALL_DIR="$RUN_DIR" # probably TESTSSL_INSTALL_DIR fi - + [[ -r "$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$TESTSSL_INSTALL_DIR/etc/cipher-mapping.txt" if [[ ! -r "$CIPHERS_BY_STRENGTH_FILE" ]]; then [[ -r "$RUN_DIR/cipher-mapping.txt" ]] && CIPHERS_BY_STRENGTH_FILE="$RUN_DIR/cipher-mapping.txt" @@ -11267,7 +11265,7 @@ get_install_dir() { unset ADD_RFC_STR unset SHOW_RFC debugme echo "$CIPHERS_BY_STRENGTH_FILE" - pr_warningln "\nATTENTION: No cipher mapping file found!" + prln_warning "\nATTENTION: No cipher mapping file found!" outln "Please note from 2.9dev on $PROG_NAME needs files in \"\$TESTSSL_INSTALL_DIR/etc/\" to function correctly." outln ignore_no_or_lame "Type \"yes\" to ignore this warning and proceed at your own risk" "yes" @@ -11305,8 +11303,8 @@ find_openssl_binary() { # 0. check environment variable whether it's executable if [[ -n "$OPENSSL" ]] && [[ ! -x "$OPENSSL" ]]; then - pr_warningln "\ncannot find specified (\$OPENSSL=$OPENSSL) binary." - outln_term " Looking some place else ..." + prln_warning "\ncannot find specified (\$OPENSSL=$OPENSSL) binary." + tmln_out " Looking some place else ..." elif [[ -x "$OPENSSL" ]]; then : # 1. all ok supplied $OPENSSL was found and has excutable bit set -- testrun comes below elif [[ -e "/mnt/c/Windows/System32/bash.exe" ]] && test_openssl_suffix "$(dirname "$(which openssl)")"; then @@ -11413,7 +11411,7 @@ check4openssl_oldfarts() { ;; esac if [[ $OSSL_VER_MAJOR -lt 1 ]]; then ## mm: Patch for libressl - pr_warningln " Your \"$OPENSSL\" is way too old (&2 + prln_magenta "Fatal error: $1" >&2 exit $2 # 1: cmd line error # 2: secondary/other cmd line error @@ -11769,7 +11767,7 @@ initialize_engine(){ return 1 else # we have engine support if [[ -n "$OPENSSL_CONF" ]]; then - pr_warningln "For now I am providing the config file to have GOST support" + prln_warning "For now I am providing the config file to have GOST support" else OPENSSL_CONF=$TEMPDIR/gost.conf || exit -6 # see https://www.mail-archive.com/openssl-users@openssl.org/msg65395.html @@ -11804,7 +11802,7 @@ ignore_no_or_lame() { [[ "$WARNINGS" == off ]] && return 0 [[ "$WARNINGS" == false ]] && return 0 [[ "$WARNINGS" == batch ]] && return 1 - pr_warning_term "$1 --> " + tm_warning "$1 --> " read a if [[ "$a" == "$(tolower "$2")" ]]; then return 0 @@ -11875,10 +11873,10 @@ prepare_logging() { : # just for clarity: a log file was specified, no need to do anything else fi >$LOGFILE - outln_term "## Scan started as: \"$PROG_NAME $CMDLINE\"" >>${LOGFILE} - outln_term "## at $HNAME:$OPENSSL_LOCATION" >>${LOGFILE} - outln_term "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE" >>${LOGFILE} - outln_term "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n" >>${LOGFILE} + tmln_out "## Scan started as: \"$PROG_NAME $CMDLINE\"" >>${LOGFILE} + tmln_out "## at $HNAME:$OPENSSL_LOCATION" >>${LOGFILE} + tmln_out "## version testssl: $VERSION ${GIT_REL_SHORT:-$CVS_REL_SHORT} from $REL_DATE" >>${LOGFILE} + tmln_out "## version openssl: \"$OSSL_VER\" from \"$OSSL_BUILD_DATE\")\n" >>${LOGFILE} exec > >(tee -a ${LOGFILE}) # not decided yet. Maybe good to have a separate file or none at all #exec 2> >(tee -a ${LOGFILE} >&2) @@ -12226,7 +12224,7 @@ check_proxy() { fatal "Your $OPENSSL is too old to support the \"-proxy\" option" -5 fi if [[ "$PROXY" == "auto" ]]; then - # get $ENV + # get $ENV PROXY=${https_proxy#*\/\/} [[ -z "$PROXY" ]] && PROXY=${http_proxy#*\/\/} [[ -z "$PROXY" ]] && fatal "you specified \"--proxy=auto\" but \"\$http(s)_proxy\" is empty" 2 @@ -12310,7 +12308,7 @@ determine_optimal_proto() { [[ $all_failed -eq 0 ]] && OPTIMAL_PROTO="" debugme echo "OPTIMAL_PROTO: $OPTIMAL_PROTO" if [[ "$OPTIMAL_PROTO" == "-ssl2" ]]; then - pr_magentaln "$NODEIP:$PORT appears to only support SSLv2." + prln_magenta "$NODEIP:$PORT appears to only support SSLv2." ignore_no_or_lame " Type \"yes\" to proceed and accept false negatives or positives" "yes" [[ $? -ne 0 ]] && exit -2 fi @@ -12325,7 +12323,7 @@ determine_optimal_proto() { pr_bold " $NODEIP:$PORT " fi tmpfile_handle $FUNCNAME.txt - pr_boldln "doesn't seem to be a TLS/SSL enabled server"; + prln_bold "doesn't seem to be a TLS/SSL enabled server"; ignore_no_or_lame " The results might look ok but they could be nonsense. Really proceed ? (\"yes\" to continue)" "yes" [[ $? -ne 0 ]] && exit -2 fi @@ -12497,7 +12495,7 @@ run_mx_all_ips() { outln pr_bold "Done testing now all MX records (on port $mxport): "; outln "$mxs" else - pr_boldln " $1 has no MX records(s)" + prln_bold " $1 has no MX records(s)" fi return $ret } @@ -12726,7 +12724,7 @@ parse_cmd_line() { case $STARTTLS_PROTOCOL in ftp|smtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres) ;; ftps|smtps|pop3s|imaps|xmpps|telnets|ldaps|nntps|postgress) ;; - *) pr_magentaln_term "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2 + *) tmln_magenta "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2 help 1 ;; esac ;; @@ -12885,7 +12883,7 @@ parse_cmd_line() { [[ $? -eq 0 ]] && shift case "$WARNINGS" in batch|off|false) ;; - *) pr_magentaln_term "\nwarnings can be either \"batch\", \"off\" or \"false\"" + *) tmln_magenta "\nwarnings can be either \"batch\", \"off\" or \"false\"" help 1 esac ;; @@ -12903,7 +12901,7 @@ parse_cmd_line() { [[ $? -eq 0 ]] && shift case $DEBUG in [0-6]) ;; - *) pr_magentaln_term_term "\nunrecognized debug value \"$1\", must be between 0..6" 1>&2 + *) tmln_magenta_term "\nunrecognized debug value \"$1\", must be between 0..6" 1>&2 help 1 esac ;; @@ -12913,7 +12911,7 @@ parse_cmd_line() { case $COLOR in [0-2]) ;; *) COLOR=2 - pr_magentaln_term "\nunrecognized color: \"$1\", must be between 0..2" 1>&2 + tmln_magenta "\nunrecognized color: \"$1\", must be between 0..2" 1>&2 help 1 esac ;; @@ -12971,9 +12969,6 @@ parse_cmd_line() { [[ $? -eq 0 ]] && shift do_html=true ;; - --no-html-header) - HTMLHEADER=false - ;; --append) APPEND=true ;; @@ -12992,7 +12987,7 @@ parse_cmd_line() { case "$cipher_mapping" in no-rfc) unset ADD_RFC_STR; unset SHOW_RFC;; rfc) SHOW_RFC="rfc" ;; - *) pr_magentaln_term "\nmapping can only be \"rfc\" or \"no-rfc\"" + *) tmln_magenta "\nmapping can only be \"rfc\" or \"no-rfc\"" help 1 ;; esac ;; @@ -13012,7 +13007,7 @@ parse_cmd_line() { (--) shift break ;; - (-*) pr_warningln_term "0: unrecognized option \"$1\"" 1>&2; + (-*) tmln_warning "0: unrecognized option \"$1\"" 1>&2; help 1 ;; (*) break @@ -13157,8 +13152,8 @@ lets_roll() { initialize_globals parse_cmd_line "$@" -! "$do_html" && HTMLHEADER=false -if "$HTMLHEADER" && ( ! "$do_mass_testing" || ( [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] ) ); then + +if ( ! "$do_mass_testing" || ( [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] ) ); then if "$do_display_only"; then html_header "local-ciphers" elif "$do_mass_testing"; then @@ -13170,6 +13165,7 @@ if "$HTMLHEADER" && ( ! "$do_mass_testing" || ( [[ -n "$HTMLFILE" ]] && [[ ! -d html_header fi fi + get_install_dir set_color_functions maketempf