Merge pull request #1610 from drwetter/xmpp_improvements
Fix STARTTLS pretests, improve XMPP handshakes
This commit is contained in:
commit
ec37a6e1bd
39
testssl.sh
39
testssl.sh
@ -5040,8 +5040,9 @@ run_prototest_openssl() {
|
|||||||
# arg1: protocol
|
# arg1: protocol
|
||||||
# arg2: available (yes) or not (no)
|
# arg2: available (yes) or not (no)
|
||||||
add_proto_offered() {
|
add_proto_offered() {
|
||||||
|
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
|
||||||
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
if [[ "$PROTOS_OFFERED" =~ $1: ]]; then
|
||||||
# the ":" is mandatory here (and @ other places), otherwise e.g. tls1 will match tls1_2
|
# we got that protcol already
|
||||||
:
|
:
|
||||||
else
|
else
|
||||||
PROTOS_OFFERED+="${1}:$2 "
|
PROTOS_OFFERED+="${1}:$2 "
|
||||||
@ -10233,12 +10234,13 @@ run_alpn() {
|
|||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
# arg1: string to send
|
# arg1: send string
|
||||||
# arg2: possible success strings a egrep pattern, needed!
|
# arg2: success string: an egrep pattern
|
||||||
# arg3: wait in seconds
|
# arg3: number of loops we should read from the buffer (optional, otherwise STARTTLS_SLEEP)
|
||||||
starttls_io() {
|
starttls_io() {
|
||||||
local waitsleep=$STARTTLS_SLEEP
|
local nr_waits=$STARTTLS_SLEEP
|
||||||
local buffer=""
|
local buffer=""
|
||||||
|
local -i i
|
||||||
|
|
||||||
[[ -n "$3" ]] && waitsleep=$3
|
[[ -n "$3" ]] && waitsleep=$3
|
||||||
[[ -z "$2" ]] && echo "FIXME $((LINENO))"
|
[[ -z "$2" ]] && echo "FIXME $((LINENO))"
|
||||||
@ -10246,27 +10248,31 @@ starttls_io() {
|
|||||||
# If there's a sending part it's IO. Postgres sends via socket and replies via
|
# If there's a sending part it's IO. Postgres sends via socket and replies via
|
||||||
# strings "S". So there's no I part of IO ;-)
|
# strings "S". So there's no I part of IO ;-)
|
||||||
if [[ -n "$1" ]]; then
|
if [[ -n "$1" ]]; then
|
||||||
debugme echo -en "C: \"$1\""
|
debugme echo -en "C: $1"
|
||||||
echo -en "$1" >&5
|
echo -en "$1" >&5
|
||||||
fi
|
fi
|
||||||
|
if [[ "$2" == JUSTSEND ]]; then
|
||||||
|
debugme echo -e "\n (only sent)\n"
|
||||||
|
dd of=/dev/null bs=512 count=1 <&5 2>/dev/null &
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
# This seems a bit dangerous but works. No blockings yet. "if=nonblock" doesn't work on BSDs
|
# This seems a bit dangerous but works. No blockings yet. "if=nonblock" doesn't work on BSDs
|
||||||
buffer="$(dd bs=512 count=1 <&5 2>/dev/null)"
|
buffer="$(dd bs=512 count=1 <&5 2>/dev/null)"
|
||||||
[[ "$DEBUG" -ge 2 ]] && echo -en "\nS: " && echo $buffer
|
|
||||||
|
|
||||||
for ((i=1; i < $waitsleep; i++ )); do
|
for ((i=1; i < $nr_waits; i++ )); do
|
||||||
|
[[ "$DEBUG" -ge 2 ]] && echo -en "\nS: " && echo $buffer
|
||||||
if [[ "$buffer" =~ $2 ]]; then
|
if [[ "$buffer" =~ $2 ]]; then
|
||||||
debugme echo " ---> reply matched \"$2\""
|
debugme echo " ---> reply matched \"$2\""
|
||||||
# the fd sometimes still seem to contain chars which confuses the following TLS handshake, trying to empty:
|
# the fd sometimes still seem to contain chars which confuses the following TLS handshake, trying to empty:
|
||||||
dd of=/dev/null bs=512 count=1 <&5 2>/dev/null
|
# dd of=/dev/null bs=512 count=1 <&5 2>/dev/null
|
||||||
return 0
|
return 0
|
||||||
else
|
else
|
||||||
# no match yet, more reading from fd helps.
|
# no match yet, more reading from fd helps.
|
||||||
buffer+=$(dd bs=512 count=1 <&5 2>/dev/null)
|
buffer+=$(dd bs=512 count=1 <&5 2>/dev/null)
|
||||||
fi
|
fi
|
||||||
sleep 0.5
|
|
||||||
done
|
done
|
||||||
return 0
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -10415,8 +10421,9 @@ starttls_xmpp_dialog() {
|
|||||||
namespace="jabber:client"
|
namespace="jabber:client"
|
||||||
[[ "$STARTTLS_PROTOCOL" == xmpp-server ]] && namespace="jabber:server"
|
[[ "$STARTTLS_PROTOCOL" == xmpp-server ]] && namespace="jabber:server"
|
||||||
|
|
||||||
starttls_io "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='"$namespace"' to='"$XMPP_HOST"' version='1.0'>" 'starttls(.*)features' 1 &&
|
starttls_io "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='"$namespace"' to='"$XMPP_HOST"' version='1.0'>" 'starttls(.*)features' 1 &&
|
||||||
starttls_io "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" '<proceed' 1
|
starttls_io "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" '<proceed' 1
|
||||||
|
# starttls_io "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='"$namespace"' to='"$XMPP_HOST"' version='1.0'>" 'JUSTSEND' 2
|
||||||
local ret=$?
|
local ret=$?
|
||||||
debugme echo "=== finished xmpp STARTTLS dialog with ${ret} ==="
|
debugme echo "=== finished xmpp STARTTLS dialog with ${ret} ==="
|
||||||
return $ret
|
return $ret
|
||||||
@ -19643,7 +19650,7 @@ determine_optimal_proto() {
|
|||||||
$OPENSSL s_client $(s_client_options "$STARTTLS_OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" $PROXY -msg $STARTTLS $SNI") </dev/null >$TMPFILE 2>>$ERRFILE
|
$OPENSSL s_client $(s_client_options "$STARTTLS_OPTIMAL_PROTO $BUGS -connect "$NODEIP:$PORT" $PROXY -msg $STARTTLS $SNI") </dev/null >$TMPFILE 2>>$ERRFILE
|
||||||
if sclient_auth $? $TMPFILE; then
|
if sclient_auth $? $TMPFILE; then
|
||||||
all_failed=false
|
all_failed=false
|
||||||
add_proto_offered "${proto/-/}" yes
|
add_proto_offered "${STARTTLS_OPTIMAL_PROTO/-/}" yes
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -19750,7 +19757,7 @@ determine_optimal_proto() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# arg1 (optional): ftp smtp, lmtp, pop3, imap, xmpp, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s)
|
# arg1 (optional): ftp smtp, lmtp, pop3, imap, xmpp, xmpp-server, telnet, ldap, postgres, mysql, irc, nntp (maybe with trailing s)
|
||||||
#
|
#
|
||||||
determine_service() {
|
determine_service() {
|
||||||
local ua
|
local ua
|
||||||
@ -19819,7 +19826,7 @@ determine_service() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then
|
if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then
|
||||||
fatal "Your $OPENSSL does not support the \"-xmpphost\" option" $ERR_OSSLBIN
|
fatal "Your $OPENSSL does not support the \"-starttls xmpp-server\" option" $ERR_OSSLBIN
|
||||||
fi
|
fi
|
||||||
elif [[ "$protocol" == postgres ]]; then
|
elif [[ "$protocol" == postgres ]]; then
|
||||||
# Check if openssl version supports postgres.
|
# Check if openssl version supports postgres.
|
||||||
@ -19853,7 +19860,7 @@ determine_service() {
|
|||||||
outln
|
outln
|
||||||
;;
|
;;
|
||||||
*) outln
|
*) outln
|
||||||
fatal "momentarily only ftp, smtp, lmtp, pop3, imap, xmpp, telnet, ldap, nntp, postgres and mysql allowed" $ERR_CMDLINE
|
fatal "momentarily only ftp, smtp, lmtp, pop3, imap, xmpp, xmpp-server, telnet, ldap, nntp, postgres and mysql allowed" $ERR_CMDLINE
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
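Review bot: In the starttls_io hunk the loop bound was renamed to `nr_waits` (`local nr_waits=$STARTTLS_SLEEP`, `for ((i=1; i < $nr_waits; i++ ))`) but the unchanged override line still writes `waitsleep=$3`, so the third argument (the `1` that starttls_xmpp_dialog passes) is silently ignored, the read loop always runs against `STARTTLS_SLEEP` instead, and `waitsleep` is now assigned without a `local` declaration and leaks as a global. The fix is the one line `[[ -n "$3" ]] && nr_waits=$3`. The moved debug line `[[ "$DEBUG" -ge 2 ]] && echo -en "\nS: " && echo $buffer` prints the peer's reply unquoted, so it is word-split and glob-expanded by the shell; `printf '%s\n' "$buffer"` prints server-controlled data as-is. The new `JUSTSEND` branch backgrounds `dd of=/dev/null bs=512 count=1 <&5` and returns while that read may still be pending on fd 5, so a subsequent reader of the same fd can race it; if that is intended, a comment saying so would help, otherwise the `&` should go.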
|