
Commit 8627ba5

committed
Kill the heuristic an count the real number of renegociations
The heuristic is too fragile and timing dependent. - As for the initial TLS negotiation, wait for the result of the renegotiation request before sending the next one. - Remove the result ratio calculation and message, as we now reach the timeout in case of exponential backoff or a connection hang. This commit depends on the fix of the timeout, which was broken by the zombie fix.
1 parent 2bdbdec commit 8627ba5

1 file changed

Lines changed: 13 additions & 13 deletions


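--- a/testssl.sh
+++ b/testssl.sh
@@ -16981,6 +16981,8 @@ run_renego() {
 local jsonID=""
 local ssl_reneg_attempts=$SSL_RENEG_ATTEMPTS
 local ssl_reneg_wait=$SSL_RENEG_WAIT
+local pid watcher
+local tmp_result loop_reneg
 # In cases where there's no default host configured we need SNI here as openssl then would return otherwise an error and the test will fail
 
 "$HAS_TLS13" && [[ -z "$proto" ]] && proto="-no_tls1_3"
@@ -17108,26 +17110,28 @@ run_renego() {
 # If we dont wait for the session to be established on slow server, we will try to re-negotiate
 # too early losing all the attempts before the session establishment as OpenSSL will not buffer them
 # (only the first will be till the establishement of the session).
-(while [[ $(grep -ac '^SSL-Session:' $TMPFILE) -ne 1 ]]; do sleep 1; done; \
-for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; done) | \
+(while [[ $(grep -ac '^SSL-Session:' $TMPFILE) -ne 1 ]]; do sleep $ssl_reneg_wait; done; \
+for ((i=0; i < ssl_reneg_attempts; i++ )); do echo R; sleep $ssl_reneg_wait; \
+while [[ $(grep -ac '^RENEGOTIATING' $ERRFILE) -ne $(($i+3)) ]] && [[ ! -f $TEMPDIR/was_killed ]]; \
+do sleep $ssl_reneg_wait; done; \
+done) | \
 $OPENSSL s_client $(s_client_options "$proto $legacycmd $STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI") >$TMPFILE 2>>$ERRFILE &
 pid=$!
 ( sleep $(($ssl_reneg_attempts*3)) && kill $pid && touch $TEMPDIR/was_killed ) >&2 2>/dev/null &
 watcher=$!
 # Trick to get the return value of the openssl command, output redirection and a timeout. Yes, some target hang/block after some tries.
-wait $pid && pkill -HUP -P $watcher
+wait $pid
 tmp_result=$?
+pkill -HUP -P $watcher
 wait $watcher
 # If we are here, we have done two successful renegotiation (-2) and do the loop
 loop_reneg=$(($(grep -ac '^RENEGOTIATING' $ERRFILE )-2))
 if [[ -f $TEMPDIR/was_killed ]]; then
-tmp_result=3
+tmp_result=2
+sleep $ssl_reneg_wait # let the while loop see the watchdog file
+sleep $ssl_reneg_wait # and
+sleep $ssl_reneg_wait # avoid float arithmetic
 rm -f $TEMPDIR/was_killed
-else
-# If we got less than 2/3 successful attempts during the loop with 1s pause, we are in presence of exponential backoff.
-if [[ $tmp_result -eq 0 ]] && [[ $loop_reneg -le $(($ssl_reneg_attempts*2/3)) ]]; then
-tmp_result=2
-fi
 fi
 case $tmp_result in
 0) pr_svrty_high "VULNERABLE (NOT ok)"; outln ", DoS threat ($ssl_reneg_attempts attempts)"
@@ -17137,10 +17141,6 @@ run_renego() {
 fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
 ;;
 2) pr_svrty_good "not vulnerable (OK)"; \
-outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in ${ssl_reneg_attempts}x${ssl_reneg_wait}s)"
-fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
-;;
-3) pr_svrty_good "not vulnerable (OK)"; \
 outln " -- mitigated ($loop_reneg successful reneg within ${ssl_reneg_attempts} in $((${ssl_reneg_attempts}*3))s(timeout))"
 fileout "$jsonID" "OK" "not vulnerable, mitigated" "$cve" "$cwe"
 ;;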
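Review bot: The new inner wait loop in the second hunk tests exact equality, `-ne $(($i+3))`, so it only advances if `$ERRFILE` holds exactly two `RENEGOTIATING` lines before the loop starts and the count never steps past the expected value between polls; otherwise the loop can end only through the watchdog, and the timeout path now always sets `tmp_result=2`, which prints "not vulnerable (OK)" for a server that may in fact renegotiate freely. Comparing with `-lt` removes the overshoot case: `while [[ $(grep -ac '^RENEGOTIATING' "$ERRFILE") -lt $((i+3)) ]] && [[ ! -f "$TEMPDIR/was_killed" ]]`. The first loop, which waits for `^SSL-Session:`, has no `was_killed` guard, so when the handshake never completes the feeder subshell appears to keep polling after `s_client` has been killed; the same `[[ ! -f "$TEMPDIR/was_killed" ]]` condition would bound it. Because a watchdog kill also covers a hung or merely slow connection, and the `$ssl_reneg_attempts*3` second timeout does not scale with `$ssl_reneg_wait`, a distinct finding text for the timeout case would keep the "mitigated" verdict from overstating what was observed. `run_renego` starts and ends outside these hunks.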
