Amends LDAP + STARTTLS / rename sockread_serverhello()

This commit adds parsing the success value of the STARTTLS upgrade
in LDAP. Only possible values whould be 0 or one according to RFC 2380.
All values not equal to zero will terminate the check.

Also, this PR renames sockread_serverhello() to sockread() as the word
serverhello is pretty misleading. It just reads from ANY socket. (sorry
to confuse people here, that should have gone into a separate PR).
  Also sockread() and sockread_fast() are better documented.
This commit is contained in:
Dirk Wetter 2022-01-27 18:35:40 +01:00
parent 601ff16a0a
commit 9447c8c866

View File

@ -4728,7 +4728,7 @@ client_simulation_sockets() {
socksend_clienthello "${data}"
sleep $USLEEP_SND
sockread_serverhello 32768
sockread 32768
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}"
@ -4758,7 +4758,7 @@ client_simulation_sockets() {
debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND
sockread_serverhello 32768
sockread 32768
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
next_packet="${next_packet%%[!0-9A-F]*}"
@ -11094,10 +11094,12 @@ starttls_postgres_dialog() {
return $ret
}
# RFC 2830
starttls_ldap_dialog() {
local debugpad=" > "
local -i ret=0
local result=""
local starttls_init=",
x30, x1d, x02, x01, # LDAP extendedReq
x01, # messageID: 1
@ -11106,15 +11108,20 @@ starttls_ldap_dialog() {
debugme echo "=== starting LDAP STARTTLS dialog ==="
socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
starttls_just_read 1 "read succeeded"
result=$(sockread_fast 256)
[[ $DEBUG -ge 6 ]] && safe_echo "$debugpad $result\n"
# response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
# ^^ == success! That [9] should be checked also!
ret=$?
# ^^ == success! [9] is checked below
if [[ ${result:18:2} == 00 ]]; then
ret=0
elif [[ ${result:18:2} == 01 ]]; then
ret=1
else
ret=127
fi
debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
return $ret
}
starttls_mysql_dialog() {
@ -11346,9 +11353,11 @@ socksend() {
}
# for SSLv2 to TLS 1.2:
# Reads from socket. Uses SOCK_REPLY_FILE global to save socket reply
# Not blocking, polling
# ARG1: blocksize for reading
sockread_serverhello() {
#
sockread() {
[[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
@ -11356,8 +11365,10 @@ sockread_serverhello() {
return $?
}
#trying a faster version
# Reads from socket. Utilises a pipe. Output is ASCII.
# Faster as previous, blocks however when socket stream is empty
# ARG1: blocksize for reading
#
sockread_fast() {
dd bs=$1 count=1 <&5 2>/dev/null | hexdump -v -e '16/1 "%02X"'
}
@ -14743,7 +14754,7 @@ sslv2_sockets() {
debugme echo -n "sending client hello... "
socksend_clienthello "$client_hello"
sockread_serverhello 32768
sockread 32768
if "$parse_complete"; then
if [[ -s "$SOCK_REPLY_FILE" ]]; then
server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
@ -14756,7 +14767,7 @@ sslv2_sockets() {
debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND
sockread_serverhello 32768
sockread 32768
[[ ! -s "$SOCK_REPLY_FILE" ]] && break
cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
@ -15476,7 +15487,7 @@ resend_if_hello_retry_request() {
done
debugme echo -n "sending client hello... "
socksend_clienthello "$data" $USLEEP_SND
sockread_serverhello 32768
sockread 32768
return 2
}
@ -15531,7 +15542,7 @@ tls_sockets() {
# if sending didn't succeed we don't bother
if [[ $ret -eq 0 ]]; then
clienthello1="$TLS_CLIENT_HELLO"
sockread_serverhello 32768
sockread 32768
"$TLS_DIFFTIME_SET" && TLS_NOW=$(LC_ALL=C date "+%s")
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
@ -15571,7 +15582,7 @@ tls_sockets() {
debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND
sockread_serverhello 32768
sockread 32768
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
next_packet="${next_packet%%[!0-9A-F]*}"
@ -15785,7 +15796,7 @@ receive_app_data() {
if "$FAST_SOCKET"; then
res="$(sockread_fast 32768)"
else
sockread_serverhello 32768
sockread 32768
res="$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")"
fi
res="${res%%[!0-9A-F]*}"
@ -15878,7 +15889,7 @@ run_heartbleed(){
[[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:"
socksend "$heartbleed_payload" 1
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
sockread 16384 $HEARTBLEED_MAX_WAITSOCK
if [[ $? -eq 3 ]]; then
append=", timed out"
pr_svrty_best "not vulnerable (OK)"; out "$append"
@ -16015,7 +16026,7 @@ run_ccs_injection(){
socksend "$client_hello" 1
debugme echo "reading server hello... "
sockread_serverhello 32768
sockread 32768
if [[ $DEBUG -ge 4 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -20
tmln_out "[...]"
@ -16024,7 +16035,7 @@ run_ccs_injection(){
rm "$SOCK_REPLY_FILE"
# ... and then send the change cipher spec message
socksend "$ccs_message" 1 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
sockread 4096 $CCS_MAX_WAITSOCK
if [[ $DEBUG -ge 3 ]]; then
tmln_out "\n1st reply: "
hexdump -C "$SOCK_REPLY_FILE" | head -20
@ -16034,7 +16045,7 @@ run_ccs_injection(){
rm "$SOCK_REPLY_FILE"
socksend "$ccs_message" 2 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK
sockread 4096 $CCS_MAX_WAITSOCK
retval=$?
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
@ -16307,7 +16318,7 @@ run_ticketbleed() {
if "$FAST_SOCKET"; then
tls_hello_ascii=$(sockread_fast 32768)
else
sockread_serverhello 32768 $CCS_MAX_WAITSOCK
sockread 32768 $CCS_MAX_WAITSOCK
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
fi
[[ "$DEBUG" -ge 5 ]] && echo "$tls_hello_ascii"
@ -19185,7 +19196,7 @@ run_robot() {
fi
debugme echo "reading server error response..."
start_time=$(LC_ALL=C date "+%s")
sockread_serverhello 32768 $robottimeout
sockread 32768 $robottimeout
subret=$?
if [[ $subret -eq 0 ]]; then
end_time=$(LC_ALL=C date "+%s")