@@ -16971,6 +16971,8 @@ run_renego() {
1697116971 local jsonID=""
1697216972 local ssl_reneg_attempts=$SSL_RENEG_ATTEMPTS
1697316973 local ssl_reneg_wait=$SSL_RENEG_WAIT
16974+ local pid watcher
16975+ local tmp_result loop_reneg
1697416976 # In cases where there's no default host configured we need SNI here as openssl then would return otherwise an error and the test will fail
1697516977
1697616978 "$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
@@ -17095,29 +17097,32 @@ run_renego() {
1709517097 else
1709617098 # Clear the log to not get the content of previous run before the execution of the new one.
1709717099 echo -n > $TMPFILE
17100+ #RENEGOTIATING wait loop watchdog file
17101+ touch $TEMPDIR/allowed_to_loop
1709817102 # If we dont wait for the session to be established on slow server, we will try to re-negotiate
1709917103 # too early losing all the attempts before the session establishment as OpenSSL will not buffer them
1710017104 # (only the first will be till the establishement of the session).
17101- (while [[ $(grep -ac '^SSL-Session:' $TMPFILE) -ne 1 ]]; do sleep 1; done; \
17102- for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; done) | \
17105+ (j=0; while [[ $(grep -ac '^SSL-Session:' $TMPFILE) -ne 1 ]] && [[ $j -lt 30 ]]; do sleep $ssl_reneg_wait; ((j++)); done; \
17106+ for ((i=0; i < ssl_reneg_attempts; i++ )); do sleep $ssl_reneg_wait; echo R; k=0; \
17107+ while [[ $(grep -ac '^RENEGOTIATING' $ERRFILE) -ne $((i+3)) ]] && [[ -f $TEMPDIR/allowed_to_loop ]] \
17108+ && [[ $(tail -n1 $ERRFILE |grep -acE '^(RENEGOTIATING|depth|verify)') -eq 1 ]] && [[ $k -lt 120 ]]; \
17109+ do sleep $ssl_reneg_wait; ((k++)); done; \
17110+ done) | \
1710317111 $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
1710417112 pid=$!
17105- ( sleep $(($ ssl_reneg_attempts*3)) && pkill -HUP -P $pid && wait $pid && touch $TEMPDIR/was_killed ) >&2 2>/dev/null &
17113+ ( sleep $((ssl_reneg_attempts*3)) && kill $pid && touch $TEMPDIR/was_killed ) >&2 2>/dev/null &
1710617114 watcher=$!
1710717115 # Trick to get the return value of the openssl command, output redirection and a timeout. Yes, some target hang/block after some tries.
17108- wait $pid && pkill -HUP -P $watcher
17116+ wait $pid
1710917117 tmp_result=$?
17118+ pkill -HUP -P $watcher
1711017119 wait $watcher
17120+ rm -f $TEMPDIR/allowed_to_loop
1711117121 # If we are here, we have done two successful renegotiation (-2) and do the loop
17112- loop_reneg=$(($(grep -ac '^RENEGOTIATING' $ERRFILE )-2))
17122+ loop_reneg=$(($(grep -ac '^RENEGOTIATING' $ERRFILE)-2))
1711317123 if [[ -f $TEMPDIR/was_killed ]]; then
17114- tmp_result=3
17124+ tmp_result=2
1711517125 rm -f $TEMPDIR/was_killed
17116- else
17117- # If we got less than 2/3 successful attempts during the loop with 1s pause, we are in presence of exponential backoff.
17118- if [[ $tmp_result -eq 0 ]] && [[ $loop_reneg -le $(($ssl_reneg_attempts*2/3)) ]]; then
17119- tmp_result=2
17120- fi
1712117126 fi
1712217127 case $tmp_result in
1712317128 0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat ($ssl_reneg_attempts attempts)"
@@ -17127,10 +17132,6 @@ run_renego() {
1712717132 fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
1712817133 ;;
1712917134 2) pr_svrty_good "not vulnerable (OK)"; \
17130- outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in ${ssl_reneg_attempts}x${ssl_reneg_wait}s)"
17131- fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
17132- ;;
17133- 3) pr_svrty_good "not vulnerable (OK)"; \
1713417135 outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in $((${ssl_reneg_attempts}*3))s(timeout))"
1713517136 fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
1713617137 ;;
0 commit comments