syntax error (invalid integer constant (error token is "16#"))

[bjmgeek]

Please make sure that you provide enough information so that we understand what your issue is about.

0. Did you check the documentation in ~/doc/ or, if it is a different problem: Did you google for it? yes

1. uname -a Linux laptop 5.5.0 #1 SMP Mon Jan 27 15:00:34 EST 2020 x86_64 GNU/Linux

2. testssl version from the banner: testssl.sh -b 2>/dev/null | head -4 | tail -2 testssl.sh 3.1dev from https://testssl.sh/dev/

3. git log | head -1 (if running from git repo) commit 7f071ddbb95b322d044535ba91c18ca73c8e8c2c

4. openssl version used by testssl.sh: testssl.sh -b 2>/dev/null | awk -F':' '/openssl/ { print $2}' /home/bminton/src/testssl.sh/bin/openssl.Linux.x86_64

5. steps to reproduce: testssl.sh or docker command line, if possible incl. host testssh.sh https://pure2.example.com (note, this is an internal host, but with a valid certificate)

6. what exactly was happening, output is needed

pops-mintonw10:~$ testssl.sh https://pure2.example.com

###########################################################
    testssl.sh       3.1dev from https://testssl.sh/dev/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~179 ciphers]
 on pops-mintonw10:/home/bminton/src/testssl.sh/bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")

 Start 2020-10-26 09:44:53        -->> 10.16.24.26:443 (pure2.example.com) <<--

 rDNS (10.16.24.26):     pure2.example.com.
 Service detected:       HTTP

 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   http/1.1 (advertised)
 ALPN/HTTP2 not offered

 Testing cipher categories 

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
 Triple DES Ciphers / IDEA                         not offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)

 Testing server's cipher preferences 

 Has server cipher order?     no (NOT ok)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            DHE-RSA-AES256-SHA256, 2048 bit DH -- inconclusive test, matching cipher in list missing, better see below
 Cipher per protocol

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
 - 
SSLv3
 - 
TLSv1
 - 
TLSv1.1 (no server order, thus listed by strength)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                  
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
 x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                  
TLSv1.2 (no server order, thus listed by strength)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256                    
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                  
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
 x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256                    
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                  
TLSv1.3
 - 

 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4 

 FS is offered (OK)           ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384
                              DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-GCM-SHA256
                              ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256
                              DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA 
 Elliptic curves offered:     prime256v1 
 DH group offered:            RFC3526/Oakley Group 14 (2048 bits)

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
                              "next protocol/#13172"
 Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: no
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        XXXXXXXXXX / SHA1 XXXXXXXXXXX
                              SHA256 XXXXXXXX
 Common Name (CN)             *.example.com 
 subjectAltName (SAN)         *.example.com example.com 
 Issuer                       DigiCert SHA2 High Assurance Server CA (DigiCert Inc from US)
 Trust (hostname)             Ok via SAN wildcard and CN wildcard (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 Bad OCSP intermediate (exp.) Ok
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   198 >= 60 days (2018-02-12 19:00 --> 2021-05-12 20:00)
                              > 825 days issued after 2018/03/01 is too long
 # of certificates provided   2
 Certificate Revocation List  http://crl3.digicert.com/sha2-ha-server-g6.crl
                              http://crl4.digicert.com/sha2-ha-server-g6.crl
 OCSP URI                     http://ocsp.digicert.com
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)

 Testing HTTP header response @ "/" 

 HTTP Status Code             302 , redirecting to "http://pure2.example.com/login" -- Redirect to insecure URL (NOT ok)
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                nginx/1.4.6 (Ubuntu)
 Application banner           --
 Cookie(s)                    2 issued: 1/2 secure, 1/2 HttpOnly -- maybe better try target URL of 30x
 Security headers             X-Frame-Options DENY
                              X-XSS-Protection 1; mode=block
                              X-Content-Type-Options nosniff
                              Cache-Control no-cache, no-store, max-age=0, must-revalidate
                              Pragma no-cache
 Reverse Proxy banner         --

 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), timed out
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), session IDs were returned but potential memory fragments do not differ
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     /home/bminton/bin/testssl.sh: line 762: 16#: invalid integer constant (error token is "16#")
/home/bminton/bin/testssl.sh: line 14165: 2+: syntax error: operand expected (error token is "+")

7. what did you expect instead? I expected the script to not crash.

[bjmgeek]

This appears to be related to the internal checks. If I use --ssl-native it doesn't crash.

[bjmgeek]

according to git bisect:

0676866e91d7b0499e59ed97553f22729bca7f15 is the first bad commit

[drwetter]

Hi @bjmgeek ,

thanks.

Likely internal checks have nothing to do with it, it's an internal conversion function which hiccups on the input. However I can't tell what the input is as 7f071dd is rather old and the line 14165 has no meaning to me.

Could you do a git pull and run again (--freak should suffice)?

Cheers, Dirk

PS: Can't follow you why you think 0676866 is the bad commit? That one is really old (2016 from @dcooper16 ).

[bjmgeek]

I just did a git bisect. I agree that's really old. I may have done it wrong. I'll try it with --freak.

On Mon, Oct 26, 2020 at 12:59 PM Dirk Wetter notifications@github.com wrote:

Hi @bjmgeek https://github.com/bjmgeek ,

thanks.

Likely internal checks have nothing to do with it, it's an internal conversion function which hiccups on the input. However I can't tell what the input is as 7f071dd https://github.com/drwetter/testssl.sh/commit/7f071ddbb95b322d044535ba91c18ca73c8e8c2c is rather old and the line 14165 has no meaning to me.

Could you do a git pull and run again (--freak should suffice)?

Cheers, Dirk

PS: Can't follow you why you think 0676866 https://github.com/drwetter/testssl.sh/commit/0676866e91d7b0499e59ed97553f22729bca7f15 is the bad commit? That one is really old (2016 from @dcooper16 https://github.com/dcooper16 ).

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/drwetter/testssl.sh/issues/1754#issuecomment-716687299, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADQJ3NLA4BY336X3GYGZV3SMWTFZANCNFSM4S7NUGEA .

[dcooper16]

Given the date for commit https://github.com/drwetter/testssl.sh/commit/0676866e91d7b0499e59ed97553f22729bca7f15, I was able to figure out what was at line 14165. It is in `sslv2_sockets():

     sockread_serverhello 32768
     if "$parse_complete"; then
          server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
          server_hello_len=2+$(hex2dec "${server_hello:1:3}")

Presumably, hex2dec() doesn't like the input it is being provided and so it complains that "16#: invalid integer constant (error token is "16#")". Then, line 14165 complains because it can't add "2" and whatever hex2dec() returned.

However, I tried running echo $((16#$1)) with different inputs and couldn't replicate the error message.

What might be helpful would be see a debug output of the run so that we can see what $server_hello looks like when hex2dec() is called.

As https://github.com/drwetter/testssl.sh/wiki/Findings-and-HowTo-Fix-them notes, you can set a debug output in one of two ways:

2a) For a full debug output

• (all-in-one output): run script -a mydebug.script -c "SETX=true bash -x testssl.sh "
• (separate debugging file): or run "bash -x testssl.sh " and look for last file in /tmp/testssl.s-XXXX.log

In either case, the debug output shows each line of code as it is being executed, including line numbers. So, in the debug output look for the line that begins "14165>" that shows the error occurring and then copy here that lines and enough of the lines that precede it so that the value of $server_hello can be seen.

[f380cedric]

echo $((16#$1)) exit with invalid integer constant for unset or empty $1. Indeed, on my side, echo "$server_hello" is empty, and cat "$SOCK_REPLY_FILE" is empty. From my log, I get a handshake failure

:~$ testssl --debug 6 -F fastmail.com
[...]
 FREAK (CVE-2015-0204)
sending client hello... sending client hello...
"\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x03\x54\x51\x1e\x7a\xde\xad\xbe\xef\x31\x33\x07\x00\x00\x00\x00\x00\xcf\xbd\x39\x04\xcc\x16\x0b\x85\x03\x90\x9f\x77\x04\x33\xd4\xde\x00\x00\x14\x00\x62\x00\x61\x00\x64\x00\x60\x00\x14\x00\x0e\x00\x08\x00\x06\x00\x03\x00\xff\x01\x00\x00\x4a\x00\x00\x00\x11\x00\x0f\x00\x00\x0c\x66\x61\x73\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x00\x23\x00\x00\x33\x74\x00\x00\x00\x0d\x00\x24\x00\x22\x06\x01\x06\x02\x06\x03\x05\x01\x05\x02\x05\x03\x04\x01\x04\x02\x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02\x03\x08\x07\x08\x08\x00\x0f\x00\x01\x01"
reading server hello...
00000000  15 03 03 00 02 02 28                              |......(|
00000007

15030300020228
TLS message fragments:
     protocol (rec. layer):  0x0303
     tls_content_type:       0x15 (alert)
     msg_len:                2

TLS alert messages:
     tls_err_descr_no:       0x28 / = 40 (handshake failure)
     tls_err_level:          02 (fatal)
  (2 lines returned)
sending client hello...
"\x80\x22\x01\x00\x02\x00\x09\x00\x00\x00\x10\x04\x00\x80\x02\x00\x80\x00\x00\x00\x29\x22\xbe\xb3\x5a\x01\x8b\x04\xfe\x5f\x80\x03\xa0\x13\xeb\xc4"
/usr/bin/testssl: line 1169: 16#: invalid integer constant (error token is "16#")
/usr/bin/testssl: line 12828: 2+: syntax error: operand expected (error token is "+")

[drwetter]

@f380cedric I can't reproduce that with the latest and greatest 3.1dev. Which version are you running?

In your version it seems there's a problem parsing the sslv2 response

[f380cedric]

Tried both 3.0.2 and 3.1dev.

[drwetter]

L1169 doesn't make sense in the latest 3.1dev. Could you do a git pull please?

Linux 64bit, bash5.

[f380cedric]

Yeah, sorry, I mixed 3.0.2 and 3.1dev output in my comment (everything but hello payload are from 3.0.2). Anyway, there is the full output on 3.1dev https://paste.debian.net/1168838

[drwetter]

Thanks, I see the problem in the legacy code but still I can't reproduce it.

What does the following return?

bash --version cat /etc/os-release

?

Note to self: if this is fixed sslv2_sockets should only be invoked when SSLv2 is not available or when not sure when it is a/v.

[f380cedric]

bash

GNU bash, version 5.1.0(1)-rc1 (x86_64-pc-linux-gnu)

/etc/os-release

PRETTY_NAME="Debian GNU/Linux bullseye/sid" NAME="Debian GNU/Linux" ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"

depinfo

Versions of packages testssl.sh depends on: bind9-dnsutils [dnsutils] 1:9.16.6-3 bsdextrautils 2.36-3+b1 bsdmainutils 12.1.7 dnsutils 1:9.16.6-3 openssl 1.1.1g-1 procps 2:3.3.16-5

[drwetter]

takes a while as I don't have that OS yet.

@bjmgeek : what OS do you run?

[drwetter]

Thanks for the input. Fixed for 3.1dev. 3.0 will follow once Travis runs ok