Amends LDAP + STARTTLS / rename sockread_serverhello()

This commit adds parsing of the success value of the STARTTLS upgrade
in LDAP. The only possible values should be 0 or 1 according to RFC 2380.
All values not equal to zero will terminate the check.

Also, this PR renames sockread_serverhello() to sockread() as the word
serverhello is pretty misleading. It just reads from ANY socket. (sorry
to confuse people here, that should have gone into a separate PR).
  Also sockread() and sockread_fast() are better documented.
This commit is contained in:
Dirk Wetter 2022-01-27 18:35:40 +01:00
parent 601ff16a0a
commit 9447c8c866


@ -4728,7 +4728,7 @@ client_simulation_sockets() {
socksend_clienthello "${data}" socksend_clienthello "${data}"
sleep $USLEEP_SND sleep $USLEEP_SND
sockread_serverhello 32768 sockread 32768
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}" tls_hello_ascii="${tls_hello_ascii%%[!0-9A-F]*}"
@ -4758,7 +4758,7 @@ client_simulation_sockets() {
debugme echo -n "requesting more server hello data... " debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND socksend "" $USLEEP_SND
sockread_serverhello 32768 sockread 32768
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
next_packet="${next_packet%%[!0-9A-F]*}" next_packet="${next_packet%%[!0-9A-F]*}"
@ -11094,10 +11094,12 @@ starttls_postgres_dialog() {
return $ret return $ret
} }
# RFC 2830 # RFC 2830
starttls_ldap_dialog() { starttls_ldap_dialog() {
local debugpad=" > " local debugpad=" > "
local -i ret=0 local -i ret=0
local result=""
local starttls_init=", local starttls_init=",
x30, x1d, x02, x01, # LDAP extendedReq x30, x1d, x02, x01, # LDAP extendedReq
x01, # messageID: 1 x01, # messageID: 1
@ -11106,15 +11108,20 @@ starttls_ldap_dialog() {
debugme echo "=== starting LDAP STARTTLS dialog ===" debugme echo "=== starting LDAP STARTTLS dialog ==="
socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" && socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
starttls_just_read 1 "read succeeded" result=$(sockread_fast 256)
[[ $DEBUG -ge 6 ]] && safe_echo "$debugpad $result\n"
# response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 # response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
# ^^ == success! That [9] should be checked also! # ^^ == success! [9] is checked below
if [[ ${result:18:2} == 00 ]]; then
ret=$? ret=0
elif [[ ${result:18:2} == 01 ]]; then
ret=1
else
ret=127
fi
debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ===" debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
return $ret return $ret
} }
starttls_mysql_dialog() { starttls_mysql_dialog() {
@ -11346,9 +11353,11 @@ socksend() {
} }
# for SSLv2 to TLS 1.2: # Reads from socket. Uses SOCK_REPLY_FILE global to save socket reply
# Not blocking, polling
# ARG1: blocksize for reading # ARG1: blocksize for reading
sockread_serverhello() { #
sockread() {
[[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2 [[ -z "$2" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7 SOCK_REPLY_FILE=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null & dd bs=$1 of=$SOCK_REPLY_FILE count=1 <&5 2>/dev/null &
@ -11356,8 +11365,10 @@ sockread_serverhello() {
return $? return $?
} }
#trying a faster version # Reads from socket. Utilises a pipe. Output is ASCII.
# Faster as previous, blocks however when socket stream is empty
# ARG1: blocksize for reading # ARG1: blocksize for reading
#
sockread_fast() { sockread_fast() {
dd bs=$1 count=1 <&5 2>/dev/null | hexdump -v -e '16/1 "%02X"' dd bs=$1 count=1 <&5 2>/dev/null | hexdump -v -e '16/1 "%02X"'
} }
@ -14743,7 +14754,7 @@ sslv2_sockets() {
debugme echo -n "sending client hello... " debugme echo -n "sending client hello... "
socksend_clienthello "$client_hello" socksend_clienthello "$client_hello"
sockread_serverhello 32768 sockread 32768
if "$parse_complete"; then if "$parse_complete"; then
if [[ -s "$SOCK_REPLY_FILE" ]]; then if [[ -s "$SOCK_REPLY_FILE" ]]; then
server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") server_hello=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
@ -14756,7 +14767,7 @@ sslv2_sockets() {
debugme echo -n "requesting more server hello data... " debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND socksend "" $USLEEP_SND
sockread_serverhello 32768 sockread 32768
[[ ! -s "$SOCK_REPLY_FILE" ]] && break [[ ! -s "$SOCK_REPLY_FILE" ]] && break
cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2" cat "$SOCK_REPLY_FILE" >> "$sock_reply_file2"
@ -15476,7 +15487,7 @@ resend_if_hello_retry_request() {
done done
debugme echo -n "sending client hello... " debugme echo -n "sending client hello... "
socksend_clienthello "$data" $USLEEP_SND socksend_clienthello "$data" $USLEEP_SND
sockread_serverhello 32768 sockread 32768
return 2 return 2
} }
@ -15531,7 +15542,7 @@ tls_sockets() {
# if sending didn't succeed we don't bother # if sending didn't succeed we don't bother
if [[ $ret -eq 0 ]]; then if [[ $ret -eq 0 ]]; then
clienthello1="$TLS_CLIENT_HELLO" clienthello1="$TLS_CLIENT_HELLO"
sockread_serverhello 32768 sockread 32768
"$TLS_DIFFTIME_SET" && TLS_NOW=$(LC_ALL=C date "+%s") "$TLS_DIFFTIME_SET" && TLS_NOW=$(LC_ALL=C date "+%s")
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
@ -15571,7 +15582,7 @@ tls_sockets() {
debugme echo -n "requesting more server hello data... " debugme echo -n "requesting more server hello data... "
socksend "" $USLEEP_SND socksend "" $USLEEP_SND
sockread_serverhello 32768 sockread 32768
next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") next_packet=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
next_packet="${next_packet%%[!0-9A-F]*}" next_packet="${next_packet%%[!0-9A-F]*}"
@ -15785,7 +15796,7 @@ receive_app_data() {
if "$FAST_SOCKET"; then if "$FAST_SOCKET"; then
res="$(sockread_fast 32768)" res="$(sockread_fast 32768)"
else else
sockread_serverhello 32768 sockread 32768
res="$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")" res="$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")"
fi fi
res="${res%%[!0-9A-F]*}" res="${res%%[!0-9A-F]*}"
@ -15878,7 +15889,7 @@ run_heartbleed(){
[[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:" [[ $DEBUG -ge 4 ]] && tmln_out "\nsending payload with TLS version $tls_hexcode:"
socksend "$heartbleed_payload" 1 socksend "$heartbleed_payload" 1
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK sockread 16384 $HEARTBLEED_MAX_WAITSOCK
if [[ $? -eq 3 ]]; then if [[ $? -eq 3 ]]; then
append=", timed out" append=", timed out"
pr_svrty_best "not vulnerable (OK)"; out "$append" pr_svrty_best "not vulnerable (OK)"; out "$append"
@ -16015,7 +16026,7 @@ run_ccs_injection(){
socksend "$client_hello" 1 socksend "$client_hello" 1
debugme echo "reading server hello... " debugme echo "reading server hello... "
sockread_serverhello 32768 sockread 32768
if [[ $DEBUG -ge 4 ]]; then if [[ $DEBUG -ge 4 ]]; then
hexdump -C "$SOCK_REPLY_FILE" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
tmln_out "[...]" tmln_out "[...]"
@ -16024,7 +16035,7 @@ run_ccs_injection(){
rm "$SOCK_REPLY_FILE" rm "$SOCK_REPLY_FILE"
# ... and then send the change cipher spec message # ... and then send the change cipher spec message
socksend "$ccs_message" 1 || ok_ids socksend "$ccs_message" 1 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK sockread 4096 $CCS_MAX_WAITSOCK
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
tmln_out "\n1st reply: " tmln_out "\n1st reply: "
hexdump -C "$SOCK_REPLY_FILE" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
@ -16034,7 +16045,7 @@ run_ccs_injection(){
rm "$SOCK_REPLY_FILE" rm "$SOCK_REPLY_FILE"
socksend "$ccs_message" 2 || ok_ids socksend "$ccs_message" 2 || ok_ids
sockread_serverhello 4096 $CCS_MAX_WAITSOCK sockread 4096 $CCS_MAX_WAITSOCK
retval=$? retval=$?
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
@ -16307,7 +16318,7 @@ run_ticketbleed() {
if "$FAST_SOCKET"; then if "$FAST_SOCKET"; then
tls_hello_ascii=$(sockread_fast 32768) tls_hello_ascii=$(sockread_fast 32768)
else else
sockread_serverhello 32768 $CCS_MAX_WAITSOCK sockread 32768 $CCS_MAX_WAITSOCK
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE") tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
fi fi
[[ "$DEBUG" -ge 5 ]] && echo "$tls_hello_ascii" [[ "$DEBUG" -ge 5 ]] && echo "$tls_hello_ascii"
@ -19185,7 +19196,7 @@ run_robot() {
fi fi
debugme echo "reading server error response..." debugme echo "reading server error response..."
start_time=$(LC_ALL=C date "+%s") start_time=$(LC_ALL=C date "+%s")
sockread_serverhello 32768 $robottimeout sockread 32768 $robottimeout
subret=$? subret=$?
if [[ $subret -eq 0 ]]; then if [[ $subret -eq 0 ]]; then
end_time=$(LC_ALL=C date "+%s") end_time=$(LC_ALL=C date "+%s")
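Review bot: The LDAP hunk's new read at `result=$(sockread_fast 256)` uses the variant whose own new header comment (second sockread hunk) says it blocks when the socket stream is empty, so a server that accepts the extendedReq but sends nothing leaves the check hanging at that line instead of failing it; the polling `sockread` with its `MAX_WAITSOCK` bound looks like the safer choice here, e.g. `sockread 256 && result=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")` as receive_app_data already does, provided the temp file it leaves in `SOCK_REPLY_FILE` is removed afterwards. `${result:18:2}` pins resultCode to byte 9, which only holds for the short-form encoding shown in the comment (one-byte lengths, one-byte messageID); a longer extendedResp, for instance one whose diagnosticMessage pushes a length past 127, shifts that offset and lands in the `ret=127` branch, which is fail-closed but indistinguishable from a genuine non-success code. That assumption should be written down, e.g. `# resultCode sits at byte 9 only for the short-form encoding above; any other shape, an empty or a truncated reply all fall through to 127`. 127 also collides with the shell's command-not-found status, so a dedicated value such as 2 would be less ambiguous to callers inspecting `$?`. Separately, the header comment added to `sockread()` lists only ARG1 while the body still reads `$2` (`maxsleep=$2`, falling back to `MAX_WAITSOCK`), so add `# ARG2: max wait, defaults to $MAX_WAITSOCK` there.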