Diffstat (limited to 'utils/00_unittest_baseline.sh')
-rwxr-xr-xutils/00_unittest_baseline.sh104
1 files changed, 104 insertions, 0 deletions
diff --git a/utils/00_unittest_baseline.sh b/utils/00_unittest_baseline.sh
new file mode 100755
index 0000000..f5a53a5
--- /dev/null
+++ b/utils/00_unittest_baseline.sh
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+#
+# PoC for unit tests in bash. Basic test with s_server, works under Linux only atm
+
+OPENSSL="bin/openssl.$(uname).$(uname -m)"
+$OPENSSL version -a || exit 1
+
+FILE=tmp.json
+
+remove_quotes() {
+ sed -i 's/"//g' "$FILE"
+}
+
+# arg1: id_value
+# arg2: string to check against severity_value (optional)
+# arg2,3: string to check against finding_value
+# return: 0 whether it contains arg2 or arg3 (0: yes, 1: matches not)
+check_result() {
+ # id : sslv3,
+ # ip : localhost/127.0.0.1,
+ # port : 4433,
+ # severity : HIGH,
+ # finding : SSLv3 is offered
+
+ local json_result=""
+ local severity_value=""
+ local finding_value=""
+
+ remove_quotes
+ json_result="$(awk '/id.*'"${1}"'/,/finding.*$/' "$FILE")"
+ [[ -z $json_result ]] && exit 1
+ # is4lines?
+ finding_value="$(awk -F':' '/finding/ { print $2" "$3" "$4 }' <<< "$json_result")"
+ if [[ $# -eq 2 ]]; then
+ [[ $finding_value =~ "$2" ]] && return 0 || return 1
+ fi
+ severity_value="$(awk -F':' '/severity/ { print $2 }' <<< "$json_result")"
+ if [[ $finding_value =~ "$3" ]] && [[ $severity_value =~ "$2" ]] ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+### generate self signed certificate
+$OPENSSL req -new -x509 -out /tmp/server.crt -nodes -keyout /tmp/server.pem -subj '/CN=localhost' &>/dev/null || exit 2
+echo
+
+
+### 1) test protocol SSlv2:
+$OPENSSL s_server -www -ssl2 -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
+pid=$!
+rm "$FILE" 2>/dev/null
+echo "Running testssl.sh SSLv2 protocol check against localhost for SSLv2: "
+./testssl.sh -p -q --warnings=off --jsonfile="$FILE" localhost:4433
+check_result SSLv2 CRITICAL "vulnerable with 9 ciphers"
+[[ $? -eq 0 ]] && echo "SSLv2: PASSED" || echo "FAILED"
+echo
+kill -9 $pid
+wait $pid 2>/dev/null
+
+### 2) test NPN + ALPN
+$OPENSSL s_server -cipher 'ALL:COMPLEMENTOFALL' -alpn "h2" -nextprotoneg "spdy/3, http/1.1" -www -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
+pid=$!
+rm "$FILE"
+echo "Running testssl.sh HTTP/2 protocol checks against localhost: "
+./testssl.sh -q --jsonfile="$FILE" --protocols localhost:4433
+if check_result NPN "spdy/3, http/1.1"; then
+ echo "SPDY/NPN: PASSED"
+else
+ echo "SPDY/NPN: FAILED"
+fi
+
+if check_result ALPN "h2"; then
+ echo "HTTP2/ALPN: PASSED"
+else
+ echo "HTTP2/ALPN: FAILED"
+fi
+kill -9 $pid
+wait $pid 2>/dev/null
+rm "$FILE"
+
+### 3) test almost all other stuff
+$OPENSSL s_server -cipher 'ALL:COMPLEMENTOFALL' -www -key /tmp/server.pem -cert /tmp/server.crt &>/dev/null &
+pid=$!
+rm "$FILE"
+echo "Running baseline check with testssl.sh against localhost"
+./testssl.sh -q --jsonfile="$FILE" localhost:4433
+#check_result sslv2 CRITICAL "is offered"
+kill -9 $pid
+wait $pid 2>/dev/null
+
+rm "$FILE"
+
+
+### test server defaults
+# ./testssl.sh -q --jsonfile=$FILE --server-defaults localhost:4433
+# -serverpref
+# -no_ticket
+# -no_resumption_on_reneg
+# -status
+
+# vim:ts=5:sw=5:expandtab
+
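Review bot: `check_result` calls `exit 1` when the awk range on the `id` line matches nothing, so a missing id aborts the whole script from inside a helper with no message instead of reporting that case as FAILED for that check; the callers at the SSLv2, NPN and ALPN steps all go through this path. Returning a distinct status lets the caller keep going: `[[ -n $json_result ]] || { printf 'check_result: no entry for id %s\n' "$1" >&2; return 2; }`. The generated key and certificate are also written to the fixed paths `/tmp/server.pem` and `/tmp/server.crt` in a shared directory, and the script never removes them; a `mktemp -d` directory with a `trap ... EXIT` cleanup would avoid a predictable name and leave nothing behind, and the same trap could replace the three `kill -9 $pid` / `wait` pairs. Note too that `$OPENSSL` is expanded unquoted at each call site, which will break if the resolved path ever contains whitespace.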