mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Adding LMTP as a STARTTLS protocol
This commit adds LMTP to the STARTTLS protocols supported. It requires an openssl version which supports this which is either openssl 1.1.1 or a backported version 1.0.2 (binary is in process). A check is in place whetrher the binary supports this. Furthermore some framework additions were made for further STARTTLS protocols like IRC and NNTP.
This commit is contained in:
Dirk
parent
f40f53938b
commit
b49399e7c7
57
testssl.sh
57
testssl.sh
@ -336,6 +336,9 @@ HAS_PROXY=false
|
|||||||
HAS_XMPP=false
|
HAS_XMPP=false
|
||||||
HAS_POSTGRES=false
|
HAS_POSTGRES=false
|
||||||
HAS_MYSQL=false
|
HAS_MYSQL=false
|
||||||
|
HAS_LMTP=false
|
||||||
|
HAS_NNTP=false
|
||||||
|
HAS_IRC=false
|
||||||
HAS_CHACHA20=false
|
HAS_CHACHA20=false
|
||||||
HAS_AES128_GCM=false
|
HAS_AES128_GCM=false
|
||||||
HAS_AES256_GCM=false
|
HAS_AES256_GCM=false
|
||||||
@ -7000,7 +7003,7 @@ compare_server_name_to_cert() {
|
|||||||
[[ -n "$san" ]] && [[ "$san" == "$servername" ]] && subret=1 && break
|
[[ -n "$san" ]] && [[ "$san" == "$servername" ]] && subret=1 && break
|
||||||
done <<< "$ip_sans"
|
done <<< "$ip_sans"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $subret -eq 0 ]] && [[ -n "$XMPP_HOST" ]]; then
|
if [[ $subret -eq 0 ]] && [[ -n "$XMPP_HOST" ]]; then
|
||||||
# For XMPP hosts, in addition to checking for a matching DNS name,
|
# For XMPP hosts, in addition to checking for a matching DNS name,
|
||||||
# should also check for a matching SRV-ID or XmppAddr identifier.
|
# should also check for a matching SRV-ID or XmppAddr identifier.
|
||||||
@ -7060,7 +7063,7 @@ compare_server_name_to_cert() {
|
|||||||
if [[ $len_name -gt 18 ]] && ( [[ "${dercert:i:20}" == "06082B06010505070805" ]] || \
|
if [[ $len_name -gt 18 ]] && ( [[ "${dercert:i:20}" == "06082B06010505070805" ]] || \
|
||||||
[[ "${dercert:i:20}" == "06082B06010505070807" ]] ); then
|
[[ "${dercert:i:20}" == "06082B06010505070807" ]] ); then
|
||||||
# According to the OID, this is either an SRV-ID or XmppAddr.
|
# According to the OID, this is either an SRV-ID or XmppAddr.
|
||||||
j=$i+20
|
j=$i+20
|
||||||
if [[ "${dercert:j:2}" == "A0" ]]; then
|
if [[ "${dercert:j:2}" == "A0" ]]; then
|
||||||
j+=2
|
j+=2
|
||||||
if [[ "${dercert:j:1}" == "8" ]]; then
|
if [[ "${dercert:j:1}" == "8" ]]; then
|
||||||
@ -9071,7 +9074,7 @@ starttls_full_read(){
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
starttls_ftp_dialog(){
|
starttls_ftp_dialog() {
|
||||||
debugme echo "=== starting ftp STARTTLS dialog ==="
|
debugme echo "=== starting ftp STARTTLS dialog ==="
|
||||||
local reAUTHTLS='^ AUTH TLS'
|
local reAUTHTLS='^ AUTH TLS'
|
||||||
starttls_full_read '^220-' '^220 ' && debugme echo "received server greeting" &&
|
starttls_full_read '^220-' '^220 ' && debugme echo "received server greeting" &&
|
||||||
@ -9084,16 +9087,26 @@ starttls_ftp_dialog(){
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
starttls_smtp_dialog(){
|
# argv1: empty: SMTP, "lmtp" : LMTP
|
||||||
debugme echo "=== starting smtp STARTTLS dialog ==="
|
#
|
||||||
|
starttls_smtp_dialog() {
|
||||||
|
local greet_str="EHLO"
|
||||||
|
local proto="smtp"
|
||||||
|
|
||||||
|
if [[ "$1" == lmtp ]]; then
|
||||||
|
proto="lmtp"
|
||||||
|
greet_str="LHLO"
|
||||||
|
fi
|
||||||
|
debugme echo "=== starting $proto STARTTLS dialog ==="
|
||||||
|
|
||||||
local re250STARTTLS='^250[ -]STARTTLS'
|
local re250STARTTLS='^250[ -]STARTTLS'
|
||||||
starttls_full_read '^220-' '^220 ' && debugme echo "received server greeting" &&
|
starttls_full_read '^220-' '^220 ' && debugme echo "received server greeting" &&
|
||||||
starttls_just_send 'EHLO testssl.sh' && debugme echo "sent EHLO" &&
|
starttls_just_send "$greet_str testssl.sh" && debugme echo "sent $greet_str" &&
|
||||||
starttls_full_read '^250-' '^250 ' "${re250STARTTLS}" && debugme echo "received server capabilities and checked STARTTLS availability" &&
|
starttls_full_read '^250-' '^250 ' "${re250STARTTLS}" && debugme echo "received server capabilities and checked STARTTLS availability" &&
|
||||||
starttls_just_send 'STARTTLS' && debugme echo "initiated STARTTLS" &&
|
starttls_just_send 'STARTTLS' && debugme echo "initiated STARTTLS" &&
|
||||||
starttls_full_read '^220-' '^220 ' && debugme echo "received ack for STARTTLS"
|
starttls_full_read '^220-' '^220 ' && debugme echo "received ack for STARTTLS"
|
||||||
local ret=$?
|
local ret=$?
|
||||||
debugme echo "=== finished smtp STARTTLS dialog with ${ret} ==="
|
debugme echo "=== finished $proto STARTTLS dialog with ${ret} ==="
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -9216,9 +9229,12 @@ fd_socket() {
|
|||||||
ftp|ftps) # https://tools.ietf.org/html/rfc4217, https://tools.ietf.org/html/rfc959
|
ftp|ftps) # https://tools.ietf.org/html/rfc4217, https://tools.ietf.org/html/rfc959
|
||||||
starttls_ftp_dialog
|
starttls_ftp_dialog
|
||||||
;;
|
;;
|
||||||
smtp|smtps) # SMTP, see https://tools.ietf.org/html/rfc5321, https://tools.ietf.org/html/rfc3207
|
smtp|smtps) # SMTP, see https://tools.ietf.org/html/rfc{2033,3207,5321}
|
||||||
starttls_smtp_dialog
|
starttls_smtp_dialog
|
||||||
;;
|
;;
|
||||||
|
lmtp|lmtps) # LMTP, see https://tools.ietf.org/html/rfc{2033,3207,5321}
|
||||||
|
starttls_smtp_dialog lmtp
|
||||||
|
;;
|
||||||
pop3|pop3s) # POP, see https://tools.ietf.org/html/rfc2595
|
pop3|pop3s) # POP, see https://tools.ietf.org/html/rfc2595
|
||||||
starttls_pop3_dialog
|
starttls_pop3_dialog
|
||||||
;;
|
;;
|
||||||
@ -15488,6 +15504,15 @@ find_openssl_binary() {
|
|||||||
grep -q 'mysql' $s_client_starttls_has && \
|
grep -q 'mysql' $s_client_starttls_has && \
|
||||||
HAS_MYSQL=true
|
HAS_MYSQL=true
|
||||||
|
|
||||||
|
grep -q 'lmtp' $s_client_starttls_has && \
|
||||||
|
HAS_LMTP=true
|
||||||
|
|
||||||
|
grep -q 'nntp' $s_client_starttls_has && \
|
||||||
|
HAS_NNTP=true
|
||||||
|
|
||||||
|
grep -q 'irc' $s_client_starttls_has && \
|
||||||
|
HAS_IRC=true
|
||||||
|
|
||||||
$OPENSSL enc -chacha20 -K "12345678901234567890123456789012" -iv "01000000123456789012345678901234" > /dev/null 2> /dev/null <<< "test"
|
$OPENSSL enc -chacha20 -K "12345678901234567890123456789012" -iv "01000000123456789012345678901234" > /dev/null 2> /dev/null <<< "test"
|
||||||
[[ $? -eq 0 ]] && HAS_CHACHA20=true
|
[[ $? -eq 0 ]] && HAS_CHACHA20=true
|
||||||
|
|
||||||
@ -15766,6 +15791,9 @@ HAS_PROXY: $HAS_PROXY
|
|||||||
HAS_XMPP: $HAS_XMPP
|
HAS_XMPP: $HAS_XMPP
|
||||||
HAS_POSTGRES: $HAS_POSTGRES
|
HAS_POSTGRES: $HAS_POSTGRES
|
||||||
HAS_MYSQL: $HAS_MYSQL
|
HAS_MYSQL: $HAS_MYSQL
|
||||||
|
HAS_LMTP: $HAS_LMTP
|
||||||
|
HAS_NNTP: $HAS_NNTP
|
||||||
|
HAS_IRC: $HAS_IRC
|
||||||
|
|
||||||
PATH: $PATH
|
PATH: $PATH
|
||||||
PROG_NAME: $PROG_NAME
|
PROG_NAME: $PROG_NAME
|
||||||
@ -16617,7 +16645,7 @@ determine_service() {
|
|||||||
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
|
protocol=${1%s} # strip trailing 's' in ftp(s), smtp(s), pop3(s), etc
|
||||||
fi
|
fi
|
||||||
case "$protocol" in
|
case "$protocol" in
|
||||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap|postgres|mysql)
|
ftp|smtp|lmtp|pop3|i16683map|xmpp|telnet|ldap|postgres|mysql)
|
||||||
STARTTLS="-starttls $protocol"
|
STARTTLS="-starttls $protocol"
|
||||||
SNI=""
|
SNI=""
|
||||||
if [[ "$protocol" == xmpp ]]; then
|
if [[ "$protocol" == xmpp ]]; then
|
||||||
@ -16652,6 +16680,11 @@ determine_service() {
|
|||||||
if ! "$HAS_MYSQL"; then
|
if ! "$HAS_MYSQL"; then
|
||||||
fatal "Your $OPENSSL does not support the \"-starttls mysql\" option" $ERR_OSSLBIN
|
fatal "Your $OPENSSL does not support the \"-starttls mysql\" option" $ERR_OSSLBIN
|
||||||
fi
|
fi
|
||||||
|
elif [[ "$protocol" == lmtp ]]; then
|
||||||
|
# Check if openssl version supports lmtp.
|
||||||
|
if ! "$HAS_LMTP"; then
|
||||||
|
fatal "Your $OPENSSL does not support the \"-starttls lmtp\" option" $ERR_OSSLBIN
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
$OPENSSL s_client $(s_client_options "-connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS") 2>$ERRFILE >$TMPFILE </dev/null
|
$OPENSSL s_client $(s_client_options "-connect $NODEIP:$PORT $PROXY $BUGS $STARTTLS") 2>$ERRFILE >$TMPFILE </dev/null
|
||||||
if [[ $? -ne 0 ]]; then
|
if [[ $? -ne 0 ]]; then
|
||||||
@ -17416,8 +17449,8 @@ parse_cmd_line() {
|
|||||||
STARTTLS_PROTOCOL="$(parse_opt_equal_sign "$1" "$2")"
|
STARTTLS_PROTOCOL="$(parse_opt_equal_sign "$1" "$2")"
|
||||||
[[ $? -eq 0 ]] && shift
|
[[ $? -eq 0 ]] && shift
|
||||||
case $STARTTLS_PROTOCOL in
|
case $STARTTLS_PROTOCOL in
|
||||||
ftp|smtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres|mysql) ;;
|
ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|nntp|postgres|mysql) ;;
|
||||||
ftps|smtps|pop3s|imaps|xmpps|telnets|ldaps|nntps) ;;
|
ftps|smtps|lmtp|pop3s|imaps|xmpps|telnets|ldaps|nntps) ;;
|
||||||
*) tmln_magenta "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2
|
*) tmln_magenta "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2
|
||||||
help 1 ;;
|
help 1 ;;
|
||||||
esac
|
esac
|
||||||
@ -18047,7 +18080,7 @@ lets_roll() {
|
|||||||
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
|
else # Just 1x ip4v to check, applies also if CMDLINE_IP was supplied
|
||||||
NODEIP="$IPADDRs"
|
NODEIP="$IPADDRs"
|
||||||
lets_roll "${STARTTLS_PROTOCOL}"
|
lets_roll "${STARTTLS_PROTOCOL}"
|
||||||
RET=$?
|
P RET=$?
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exit $RET
|
exit $RET
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user