Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add (manage)sieve protocol support when using STARTTLS

Browse Source
This commit is contained in:
Emmanuel Bouthenot 2021-12-17 12:44:39 +01:00
parent 2201a28070
commit 155b380509
1 changed files with 35 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
testssl.sh
View File

@ -344,6 +344,7 @@ HAS_XMPP_SERVER=false
HAS_POSTGRES=false HAS_POSTGRES=false
HAS_MYSQL=false HAS_MYSQL=false
HAS_LMTP=false HAS_LMTP=false
HAS_SIEVE=false
HAS_NNTP=false HAS_NNTP=false
HAS_IRC=false HAS_IRC=false
HAS_CHACHA20=false HAS_CHACHA20=false
@ -11005,6 +11006,22 @@ starttls_imap_dialog() {
return $ret return $ret
} }
# argv1: payload for STARTTLS injection test
#
starttls_sieve_dialog() {
local -i ret=0
local starttls="STARTTLS"
[[ -n "$1" ]] && starttls="$starttls\r\n$1" # this adds a payload if supplied
debugme echo "=== starting sieve STARTTLS dialog ==="
starttls_full_read '^"' '^OK ' '"STARTTLS"' "received server capabilities and checked STARTTLS availability" &&
starttls_just_send "$starttls" "initiated STARTTLS" &&
starttls_full_read '^OK ' '^OK ' '' "received ack for STARTTLS"
ret=$?
debugme echo "=== finished sieve STARTTLS dialog with ${ret} ==="
return $ret
}
starttls_xmpp_dialog() { starttls_xmpp_dialog() {
local -i ret=0 local -i ret=0
@ -11161,6 +11178,9 @@ fd_socket() {
imap|imaps) # IMAP, https://tools.ietf.org/html/rfc2595, https://tools.ietf.org/html/rfc3501 imap|imaps) # IMAP, https://tools.ietf.org/html/rfc2595, https://tools.ietf.org/html/rfc3501
starttls_imap_dialog "$payload" starttls_imap_dialog "$payload"
;; ;;
sieve) # MANAGESIEVE, https://tools.ietf.org/html/rfc5804
starttls_sieve_dialog "$payload"
;;
irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html irc|ircs) # IRC, https://ircv3.net/specs/extensions/tls-3.1.html, https://ircv3.net/specs/core/capability-negotiation.html
fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT fatal "FIXME: IRC+STARTTLS not yet supported" $ERR_NOSUPPORT
;; ;;
@ -19399,6 +19419,7 @@ find_openssl_binary() {
HAS_POSTGRES=false HAS_POSTGRES=false
HAS_MYSQL=false HAS_MYSQL=false
HAS_LMTP=false HAS_LMTP=false
HAS_SIEVE=false
HAS_NNTP=false HAS_NNTP=false
HAS_IRC=false HAS_IRC=false
HAS_CHACHA20=false HAS_CHACHA20=false
@ -19473,6 +19494,7 @@ find_openssl_binary() {
grep -q 'postgres' $s_client_starttls_has && HAS_POSTGRES=true grep -q 'postgres' $s_client_starttls_has && HAS_POSTGRES=true
grep -q 'mysql' $s_client_starttls_has && HAS_MYSQL=true grep -q 'mysql' $s_client_starttls_has && HAS_MYSQL=true
grep -q 'lmtp' $s_client_starttls_has && HAS_LMTP=true grep -q 'lmtp' $s_client_starttls_has && HAS_LMTP=true
grep -q 'sieve' $s_client_starttls_has && HAS_SIEVE=true
grep -q 'nntp' $s_client_starttls_has && HAS_NNTP=true grep -q 'nntp' $s_client_starttls_has && HAS_NNTP=true
grep -q 'irc' $s_client_starttls_has && HAS_IRC=true grep -q 'irc' $s_client_starttls_has && HAS_IRC=true
@ -19638,7 +19660,7 @@ help() {
and [options] is/are: and [options] is/are:
-t, --starttls <protocol> Does a run against a STARTTLS enabled service which is one of ftp, smtp, lmtp, pop3, imap, -t, --starttls <protocol> Does a run against a STARTTLS enabled service which is one of ftp, smtp, lmtp, pop3, imap,
xmpp, xmpp-server, telnet, ldap, nntp, postgres, mysql sieve, xmpp, xmpp-server, telnet, ldap, nntp, postgres, mysql
--xmpphost <to_domain> For STARTTLS xmpp or xmpp-server checks it supplies the domainname (like SNI) --xmpphost <to_domain> For STARTTLS xmpp or xmpp-server checks it supplies the domainname (like SNI)
--mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25) --mx <domain/host> Tests MX records from high to low priority (STARTTLS, port 25)
--file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>. --file/-iL <fname> Mass testing option: Reads one testssl.sh command line per line from <fname>.
@ -19824,6 +19846,7 @@ HAS_XMPP_SERVER2: $HAS_XMPP_SERVER2
HAS_POSTGRES: $HAS_POSTGRES HAS_POSTGRES: $HAS_POSTGRES
HAS_MYSQL: $HAS_MYSQL HAS_MYSQL: $HAS_MYSQL
HAS_LMTP: $HAS_LMTP HAS_LMTP: $HAS_LMTP
HAS_SIEVE: $HAS_SIEVE
HAS_NNTP: $HAS_NNTP HAS_NNTP: $HAS_NNTP
HAS_IRC: $HAS_IRC HAS_IRC: $HAS_IRC
HAS_UDS: $HAS_UDS HAS_UDS: $HAS_UDS
@ -21117,7 +21140,7 @@ determine_optimal_proto() {
} }
# arg1 (optional): ftp smtp, lmtp, pop3, imap, xmpp, xmpp-server, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s) # arg1 (optional): ftp smtp, lmtp, pop3, imap, sieve, xmpp, xmpp-server, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s)
# #
determine_service() { determine_service() {
local ua local ua
@ -21158,14 +21181,14 @@ determine_service() {
# returns always 0: # returns always 0:
service_detection $OPTIMAL_PROTO service_detection $OPTIMAL_PROTO
else # STARTTLS else # STARTTLS
if [[ "$1" == postgres ]]; then if [[ "$1" == postgres ]] || [[ "$1" == sieve ]]; then
protocol="postgres" protocol="$1"
else else
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
fi fi
case "$protocol" in case "$protocol" in
ftp|smtp|lmtp|pop3|imap|xmpp|xmpp-server|telnet|ldap|postgres|mysql|nntp) ftp|smtp|lmtp|pop3|imap|sieve|xmpp|xmpp-server|telnet|ldap|postgres|mysql|nntp)
STARTTLS="-starttls $protocol" STARTTLS="-starttls $protocol"
if [[ "$protocol" == xmpp ]] || [[ "$protocol" == xmpp-server ]]; then if [[ "$protocol" == xmpp ]] || [[ "$protocol" == xmpp-server ]]; then
if [[ -n "$XMPP_HOST" ]]; then if [[ -n "$XMPP_HOST" ]]; then
@ -21213,6 +21236,11 @@ determine_service() {
if ! "$HAS_LMTP"; then if ! "$HAS_LMTP"; then
fatal "Your $OPENSSL does not support the \"-starttls lmtp\" option" $ERR_OSSLBIN fatal "Your $OPENSSL does not support the \"-starttls lmtp\" option" $ERR_OSSLBIN
fi fi
elif [[ "$protocol" == sieve ]]; then
# Check if openssl version supports sieve.
if ! "$HAS_SIEVE"; then
fatal "Your $OPENSSL does not support the \"-starttls sieve\" option" $ERR_OSSLBIN
fi
elif [[ "$protocol" == nntp ]]; then elif [[ "$protocol" == nntp ]]; then
# Check if openssl version supports lmtp. # Check if openssl version supports lmtp.
if ! "$HAS_NNTP"; then if ! "$HAS_NNTP"; then
@ -21230,7 +21258,7 @@ determine_service() {
outln outln
;; ;;
*) outln *) outln
fatal "momentarily only ftp, smtp, lmtp, pop3, imap, xmpp, xmpp-server, telnet, ldap, nntp, postgres and mysql allowed" $ERR_CMDLINE fatal "momentarily only ftp, smtp, lmtp, pop3, imap, sieve, xmpp, xmpp-server, telnet, ldap, nntp, postgres and mysql allowed" $ERR_CMDLINE
;; ;;
esac esac
# It comes handy later also for STARTTLS injection to define this global. When we do banner grabbing # It comes handy later also for STARTTLS injection to define this global. When we do banner grabbing
@ -22418,7 +22446,7 @@ parse_cmd_line() {
STARTTLS_PROTOCOL="$(parse_opt_equal_sign "$1" "$2")" STARTTLS_PROTOCOL="$(parse_opt_equal_sign "$1" "$2")"
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
case $STARTTLS_PROTOCOL in case $STARTTLS_PROTOCOL in
ftp|smtp|lmtp|pop3|imap|xmpp|xmpp-server|telnet|ldap|irc|nntp|postgres|mysql) ;; ftp|smtp|lmtp|pop3|imap|sieve|xmpp|xmpp-server|telnet|ldap|irc|nntp|postgres|mysql) ;;
ftps|smtps|lmtps|pop3s|imaps|xmpps|telnets|ldaps|ircs|nntps|mysqls) ;; ftps|smtps|lmtps|pop3s|imaps|xmpps|telnets|ldaps|ircs|nntps|mysqls) ;;
*) tmln_magenta "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2 *) tmln_magenta "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2
help 1 ;; help 1 ;;