Re: STARTTLS patch for imap and ftp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Lutz, Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: Lutz Jaenicke wrote: [...] Do you want something like the attached patch ? (untested, I'm off to bed...) Ok, I have reworked this section as discussed by using a buffering BIO and have committed everything to CVS. I would be most pleased if somebody would also cross-test it (the part with the multi-line IMAP response may require some more digging as the termination should be the . at the beginning of the response line, not the number of chars being less than 3!?) Testet against cyrus imapd 2.1.18 and exim 4.50: OK. You may drop the test for mbuf_len3 in the while() for the IMAP . CAPABILITY response. Has anyone seen a SMTP server return more than one line in the SMTP opening message ? Bye Goetz -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFF3twx2iGqZUF3qPYRAscBAJ9/JrYHEqPOcLfgDShP8onKeRLYFgCffg7+ YqGeshjiakpwo4f9gDtPJa0= =HzVN -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: STARTTLS patch for imap and ftp
Goetz Babin-Ebell wrote: Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: [...] * in SMTP doing a STARTTLS without previous EHLO will return a 503 STARTTLS command used when not advertised * in IMAP doing a STARTLS requires a . CAPABILITY first. In both cases the server response should be parsed for the string STARTTLS... This statement is technically correct. As the s_client tool is however intended for testing purposes only (you remember that a capital R at the beginning of the line will start a renegotiation instead of being transferred to the server :-) adding the EHLO and .CAPABILITY should be sufficient and the more complex parsing of the response might be omitted... Do you want something like the attached patch ? (untested, I'm off to bed...) Ok, I have reworked this section as discussed by using a buffering BIO and have committed everything to CVS. I would be most pleased if somebody would also cross-test it (the part with the multi-line IMAP response may require some more digging as the termination should be the . at the beginning of the response line, not the number of chars being less than 3!?) Best regards, Lutz __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: STARTTLS patch for imap and ftp
Goetz Babin-Ebell wrote: Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: [...] * in SMTP doing a STARTTLS without previous EHLO will return a 503 STARTTLS command used when not advertised * in IMAP doing a STARTLS requires a . CAPABILITY first. In both cases the server response should be parsed for the string STARTTLS... This statement is technically correct. As the s_client tool is however intended for testing purposes only (you remember that a capital R at the beginning of the line will start a renegotiation instead of being transferred to the server :-) adding the EHLO and .CAPABILITY should be sufficient and the more complex parsing of the response might be omitted... Do you want something like the attached patch ? (untested, I'm off to bed...) Yes, something like this. I have applied your patch to 0.9.8 and -dev... and was just going to write thank you when I discovered that it does not work. As I just noted BIO_read() does not work line by line but on the message coming in. This message is the complete multi-line response and it has to be parsed in a different way as attached as a crude hack. No: BIO_gets() does not work on here (not supported on connect BIO. Yes: all other appearances of multi-line handling are broken as well. The multi-line handling in the SMTP greeting would fail on the first host with a multi-line greeting and the other protocol handlers are as buggy. I have thus left your patch in and we have to decide how to tackle the other occurances... Best regards, Lutz Index: s_client.c === RCS file: /e/openssl/cvs/openssl/apps/s_client.c,v retrieving revision 1.76.2.7 diff -u -r1.76.2.7 s_client.c --- s_client.c 21 Feb 2007 18:20:33 - 1.76.2.7 +++ s_client.c 21 Feb 2007 18:53:00 - @@ -735,7 +735,7 @@ /* This is an ugly hack that does a lot of assumptions */ if (starttls_proto == PROTO_SMTP) { - int foundit=0; + int foundit=0, response_done = 0; /* wait for multi-line response to end from SMTP */ do { @@ -747,11 +747,15 @@ /* wait for multi-line response to end EHLO SMTP response */ do { + int ll; mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ); if (strstr(mbuf,STARTTLS)) foundit=1; + for (ll = 0; !response_done ll mbuf_len - 4; ll++) +if (mbuf[ll] == '\n' mbuf[ll + 3] != '-') + response_done = 1; } - while (mbuf_len3 mbuf[3]=='-'); + while (mbuf_len3 mbuf[3]=='-' !response_done); if (!foundit) BIO_printf(bio_err, didn't found starttls in server response,
Re: STARTTLS patch for imap and ftp
On Wed, Feb 21, 2007, Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: [...] * in SMTP doing a STARTTLS without previous EHLO will return a 503 STARTTLS command used when not advertised * in IMAP doing a STARTLS requires a . CAPABILITY first. In both cases the server response should be parsed for the string STARTTLS... This statement is technically correct. As the s_client tool is however intended for testing purposes only (you remember that a capital R at the beginning of the line will start a renegotiation instead of being transferred to the server :-) adding the EHLO and .CAPABILITY should be sufficient and the more complex parsing of the response might be omitted... Do you want something like the attached patch ? (untested, I'm off to bed...) Yes, something like this. I have applied your patch to 0.9.8 and -dev... and was just going to write thank you when I discovered that it does not work. As I just noted BIO_read() does not work line by line but on the message coming in. This message is the complete multi-line response and it has to be parsed in a different way as attached as a crude hack. No: BIO_gets() does not work on here (not supported on connect BIO. Note that adding a buffering BIO to the chain is a simple way to fix this. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: STARTTLS patch for imap and ftp
Dr. Stephen Henson wrote: On Wed, Feb 21, 2007, Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: [...] * in SMTP doing a STARTTLS without previous EHLO will return a 503 STARTTLS command used when not advertised * in IMAP doing a STARTLS requires a . CAPABILITY first. In both cases the server response should be parsed for the string STARTTLS... This statement is technically correct. As the s_client tool is however intended for testing purposes only (you remember that a capital R at the beginning of the line will start a renegotiation instead of being transferred to the server :-) adding the EHLO and .CAPABILITY should be sufficient and the more complex parsing of the response might be omitted... Do you want something like the attached patch ? (untested, I'm off to bed...) Yes, something like this. I have applied your patch to 0.9.8 and -dev... and was just going to write thank you when I discovered that it does not work. As I just noted BIO_read() does not work line by line but on the message coming in. This message is the complete multi-line response and it has to be parsed in a different way as attached as a crude hack. No: BIO_gets() does not work on here (not supported on connect BIO. Note that adding a buffering BIO to the chain is a simple way to fix this. Yes. I get your point :-) Best regards, Lutz Index: apps/s_client.c === RCS file: /e/openssl/cvs/openssl/apps/s_client.c,v retrieving revision 1.76.2.7 diff -u -r1.76.2.7 s_client.c --- apps/s_client.c 21 Feb 2007 18:20:33 - 1.76.2.7 +++ apps/s_client.c 21 Feb 2007 19:55:21 - @@ -736,22 +736,28 @@ if (starttls_proto == PROTO_SMTP) { int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); /* wait for multi-line response to end from SMTP */ do { - mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ); + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); } while (mbuf_len3 mbuf[3]=='-'); /* STARTTLS command requires EHLO... */ - BIO_printf(sbio,EHLO openssl.client.net\r\n); + BIO_printf(fbio,EHLO openssl.client.net\r\n); + BIO_flush(fbio); /* wait for multi-line response to end EHLO SMTP response */ do { - mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ); + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); if (strstr(mbuf,STARTTLS)) foundit=1; } while (mbuf_len3 mbuf[3]=='-'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); if (!foundit) BIO_printf(bio_err, didn't found starttls in server response,
Re: STARTTLS patch for imap and ftp
Goetz Babin-Ebell wrote: Hello Richard, Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Thu, 15 Feb 2007 10:34:23 -0800, Kees Cook [EMAIL PROTECTED] said: kees 3 years ago, I wrote a patch[1] (and did the TSU[2]) for adding kees these features to s_client. Can this please be applied to CVS? Yes. Done. Thank you, and sorry you had to wait 3 years for this to happen. The problem (not only I have) with the patch is that at least in SMTP and IMAP it is illegal to start TLS before an initial protocol handshake is done: * in SMTP doing a STARTTLS without previous EHLO will return a 503 STARTTLS command used when not advertised * in IMAP doing a STARTLS requires a . CAPABILITY first. In both cases the server response should be parsed for the string STARTTLS... This statement is technically correct. As the s_client tool is however intended for testing purposes only (you remember that a capital R at the beginning of the line will start a renegotiation instead of being transferred to the server :-) adding the EHLO and .CAPABILITY should be sufficient and the more complex parsing of the response might be omitted... Best regards, Lutz __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: STARTTLS patch for imap and ftp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Lutz Jaenicke wrote: Goetz Babin-Ebell wrote: [...] * in SMTP doing a STARTTLS without previous EHLO will return a 503 STARTTLS command used when not advertised * in IMAP doing a STARTLS requires a . CAPABILITY first. In both cases the server response should be parsed for the string STARTTLS... This statement is technically correct. As the s_client tool is however intended for testing purposes only (you remember that a capital R at the beginning of the line will start a renegotiation instead of being transferred to the server :-) adding the EHLO and .CAPABILITY should be sufficient and the more complex parsing of the response might be omitted... Do you want something like the attached patch ? (untested, I'm off to bed...) Bye Goetz -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFF2lTq2iGqZUF3qPYRAirhAJ9+e7H1qRzUH7RZAuHKBGpqUDrVfwCfb2A2 B7Z713+mhzGcIx5/VZHtBNA= =ABXa -END PGP SIGNATURE- Index: apps/s_client.c === RCS file: /home/gbe/data/cvs/openssl/openssl/apps/s_client.c,v retrieving revision 1.100 diff -u -r1.100 s_client.c --- apps/s_client.c 18 Feb 2007 18:21:57 - 1.100 +++ apps/s_client.c 20 Feb 2007 01:47:50 - @@ -914,12 +914,27 @@ /* This is an ugly hack that does a lot of assumptions */ if (starttls_proto == PROTO_SMTP) { + int foundit=0; /* wait for multi-line response to end from SMTP */ do { mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ); } while (mbuf_len3 mbuf[3]=='-'); + /* STARTTLS command requires EHLO... */ + BIO_printf(sbio,EHLO openssl.client.net\r\n); + /* wait for multi-line response to end EHLO SMTP response */ + do + { + mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ); + if (strstr(mbuf,STARTTLS)) +foundit=1; + } + while (mbuf_len3 mbuf[3]=='-'); + if (!foundit) + BIO_printf(bio_err, + didn't found starttls in server response, +try anyway...\n); BIO_printf(sbio,STARTTLS\r\n); BIO_read(sbio,sbuf,BUFSIZZ); } @@ -931,8 +946,23 @@ } else if (starttls_proto == PROTO_IMAP) { + int foundit=0; BIO_read(sbio,mbuf,BUFSIZZ); - BIO_printf(sbio,0 STARTTLS\r\n); + /* STARTTLS command requires CAPABILITY... */ + BIO_printf(sbio,. CAPABILITY\r\n); + /* wait for multi-line CAPABILITY response */ + do + { + mbuf_len = BIO_read(sbio,mbuf,BUFSIZZ); + if (strstr(mbuf,STARTTLS)) +foundit=1; + } + while (mbuf_len3); + if (!foundit) + BIO_printf(bio_err, + didn't found STARTTLS in server response, +try anyway...\n); + BIO_printf(sbio,. STARTTLS\r\n); BIO_read(sbio,sbuf,BUFSIZZ); } else if (starttls_proto == PROTO_FTP)
Re: STARTTLS patch for imap and ftp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Richard, Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Thu, 15 Feb 2007 10:34:23 -0800, Kees Cook [EMAIL PROTECTED] said: kees 3 years ago, I wrote a patch[1] (and did the TSU[2]) for adding kees these features to s_client. Can this please be applied to CVS? Yes. Done. Thank you, and sorry you had to wait 3 years for this to happen. The problem (not only I have) with the patch is that at least in SMTP and IMAP it is illegal to start TLS before an initial protocol handshake is done: * in SMTP doing a STARTTLS without previous EHLO will return a 503 STARTTLS command used when not advertised * in IMAP doing a STARTLS requires a . CAPABILITY first. In both cases the server response should be parsed for the string STARTTLS... Bye Goetz -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFF1xsY2iGqZUF3qPYRAreLAJ9MF6ht6pP2nnzx5pL5x7kTwuOsuACeLyZb QAA8Z0W0Wd6biFEb0K4D0SA= =72Vc -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: STARTTLS patch for imap and ftp
In message [EMAIL PROTECTED] on Thu, 15 Feb 2007 10:34:23 -0800, Kees Cook [EMAIL PROTECTED] said: kees 3 years ago, I wrote a patch[1] (and did the TSU[2]) for adding kees these features to s_client. Can this please be applied to CVS? Yes. Done. Thank you, and sorry you had to wait 3 years for this to happen. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]