From f4224c483b1f6a0c648fa842d25ecb47995d82fb Mon Sep 17 00:00:00 2001
From: Robert Scheck
Date: Sun, 19 Feb 2017 22:50:30 +0100
Subject: Add LMTP, POP3, NNTP, Sieve and PostgreSQL support to gnutls-cli

Add LMTP (RFC 2033), POP3 (RFC 2595), NNTP (RFC 4642), Sieve (RFC 5804) and PostgreSQL support to gnutls-cli ("--starttls-proto").

Signed-off-by: Robert Scheck
---
 src/cli-args.def | 2 +-
 src/cli-debug-args.def | 2 +-
 src/danetool-args.def | 2 +-
 src/socket.c | 38 +++++++++++++++++++++++++++++++++++
 tests/Makefile.am | 1 +
 tests/starttls-lmtp.txt | 4 ++++
 tests/starttls-nntp.txt | 3 +++
 tests/starttls-pop3.txt | 3 +++
 tests/starttls-sieve.txt | 3 +++
 tests/starttls.sh | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 107 insertions(+), 3 deletions(-)
 create mode 100644 tests/starttls-lmtp.txt
 create mode 100644 tests/starttls-nntp.txt
 create mode 100644 tests/starttls-pop3.txt
 create mode 100644 tests/starttls-sieve.txt

diff --git a/src/cli-args.def b/src/cli-args.def
index 451f80f293..202afcd9a0 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -94,7 +94,7 @@ flag = {
 flag = {
 name = starttls-proto;
- descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp)";
+ descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
 arg-type = string;
 doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.";
 flags-cant = starttls;
diff --git a/src/cli-debug-args.def b/src/cli-debug-args.def
index 56e289ce9a..4524b0189c 100644
--- a/src/cli-debug-args.def
+++ b/src/cli-debug-args.def
@@ -34,7 +34,7 @@ flag = {
 flag = {
 name = starttls-proto;
 arg-type = string;
- descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp)";
+ descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
 doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.";
 };
diff --git a/src/danetool-args.def b/src/danetool-args.def
index 80cd5a0e05..61d11a3fff 100644
--- a/src/danetool-args.def
+++ b/src/danetool-args.def
@@ -97,7 +97,7 @@ flag = {
 flag = {
 name = starttls-proto;
- descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp)";
+ descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
 arg-type = string;
 doc = "When the server's certificate isn't provided danetool will connect to the server to obtain the certificate. In that case it is required to know the protocol to talk with the server prior to initiating the TLS handshake.";
 };
diff --git a/src/socket.c b/src/socket.c
index a8fd3652b9..9c5ca8b685 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -272,6 +272,44 @@ socket_starttls(socket_st * socket)
 wait_for_text(socket, "211 ", 4);
 send_line(socket, "AUTH TLS\r\n");
 wait_for_text(socket, "234", 3);
+ } else if (strcasecmp(socket->app_proto, "lmtp") == 0) {
+ if (socket->verbose)
+ printf("Negotiating LMTP STARTTLS\n");
+
+ wait_for_text(socket, "220 ", 4);
+ snprintf(buf, sizeof(buf), "LHLO %s\r\n", socket->hostname);
+ send_line(socket, buf);
+ wait_for_text(socket, "250 ", 4);
+ send_line(socket, "STARTTLS\r\n");
+ wait_for_text(socket, "220 ", 4);
+ } else if (strcasecmp(socket->app_proto, "pop3") == 0) {
+ if (socket->verbose)
+ printf("Negotiating POP3 STARTTLS\n");
+
+ wait_for_text(socket, "+OK", 3);
+ send_line(socket, "STLS\r\n");
+ wait_for_text(socket, "+OK", 3);
+ } else if (strcasecmp(socket->app_proto, "nntp") == 0) {
+ if (socket->verbose)
+ printf("Negotiating NNTP STARTTLS\n");
+
+ wait_for_text(socket, "200 ", 4);
+ send_line(socket, "STARTTLS\r\n");
+ wait_for_text(socket, "382 ", 4);
+ } else if (strcasecmp(socket->app_proto, "sieve") == 0) {
+ if (socket->verbose)
+ printf("Negotiating Sieve STARTTLS\n");
+
+ wait_for_text(socket, "OK ", 3);
+ send_line(socket, "STARTTLS\r\n");
+ wait_for_text(socket, "OK ", 3);
+ } else if (strcasecmp(socket->app_proto, "postgres") == 0 || strcasecmp(socket->app_proto, "postgresql") == 0) {
+ if (socket->verbose)
+ printf("Negotiating PostgreSQL STARTTLS\n");
+
+#define POSTGRES_STR "\x00\x00\x00\x08\x04\xD2\x16\x2F"
+ send(socket->fd, POSTGRES_STR, sizeof(POSTGRES_STR)-1, 0);
+ wait_for_text(socket, NULL, 0);
 } else {
 if (!c_isdigit(socket->app_proto[0])) {
 static int warned = 0;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c2fe470839..b83695417d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
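Review bot: In the new PostgreSQL branch the server's one-byte reply to the SSLRequest is never inspected: `wait_for_text(socket, NULL, 0)` presumably just drains whatever arrives, so a server that answers `N` (TLS not supported) is not reported and the caller goes on to run a TLS handshake over a connection the server still treats as plaintext; the `send()` return value on the line above is likewise unchecked, and `POSTGRES_STR` is left `#define`d mid-function with no `#undef`. I would read exactly one byte with `recv()` and fail with a clear message unless it is `S`, routed through whatever error path the other branches' `wait_for_text` failures use (not visible in this hunk), and check that `send()` wrote all `sizeof(POSTGRES_STR)-1` bytes. Separately, the NNTP branch only accepts a `200 ` greeting, but RFC 3977 servers that prohibit posting greet with `201 `, so a read-only news server never gets the `STARTTLS`; accepting both codes, e.g. `wait_for_text(socket, "20", 2);` if wait_for_text matches a prefix, fixes that. The Sieve branch's `"OK "` pattern will not match a bare `OK` greeting line, which RFC 5804 allows, and if wait_for_text does substring matching it may also fire early on the capability strings that precede the real `OK`. socket_starttls starts and ends outside this hunk, and the diffstat shows no tests/starttls-postgres fixture, so the PostgreSQL path is the one new branch with no test.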
@@ -32,6 +32,7 @@ EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
 certs/ecc521.pem certs/rsa-2432.pem x509cert-dir/ca.pem psk.passwd \
 system.prio pkcs11/softhsm.h pkcs11/pkcs11-pubkey-import.c gnutls-asan.supp \
 rsa-md5-collision/README safe-renegotiation/README starttls-smtp.txt starttls-ftp.txt \
+ starttls-lmtp.txt starttls-pop3.txt starttls-nntp.txt starttls-sieve.txt \
 rsa-md5-collision/colliding-chain-md5-2.pem rsa-md5-collision/colliding-chain-md5-1.pem \
 certs-interesting/README.md certs-interesting/cert1.der certs-interesting/cert1.der.err \
 certs-interesting/cert2.der certs-interesting/cert2.der.err certs-interesting/cert3.der \
diff --git a/tests/starttls-lmtp.txt b/tests/starttls-lmtp.txt
new file mode 100644
index 0000000000..c6425a9b95
--- /dev/null
+++ b/tests/starttls-lmtp.txt
@@ -0,0 +1,4 @@
+TIMEOUT 120
+'' '220 mail.example.net Dovecot ready.\r\n'
+LHLO '250-mail.example.net\r\n250-8BITMIME\r\n250-ENHANCEDSTATUSCODES\r\n250-STARTTLS\r\n250 PIPELINING\r\n'
+STARTTLS '220 2.0.0 Ready to start TLS\r\n'
diff --git a/tests/starttls-nntp.txt b/tests/starttls-nntp.txt
new file mode 100644
index 0000000000..0bb123c076
--- /dev/null
+++ b/tests/starttls-nntp.txt
@@ -0,0 +1,3 @@
+TIMEOUT 120
+'' '200 nntp.example.net InterNetNews NNRP server INN 2.5.4 ready (posting ok)\r\n'
+STARTTLS '382 Begin TLS negotiation now\r\n'
diff --git a/tests/starttls-pop3.txt b/tests/starttls-pop3.txt
new file mode 100644
index 0000000000..1a99ebb1d7
--- /dev/null
+++ b/tests/starttls-pop3.txt
@@ -0,0 +1,3 @@
+TIMEOUT 120
+'' '+OK Dovecot ready.\r\n'
+STLS '+OK Begin TLS negotiation now.\r\n'
diff --git a/tests/starttls-sieve.txt b/tests/starttls-sieve.txt
new file mode 100644
index 0000000000..eaae93cb7b
--- /dev/null
+++ b/tests/starttls-sieve.txt
@@ -0,0 +1,3 @@
+TIMEOUT 120
+'' '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date"\r\n"NOTIFY" "mailto"\r\n"SASL" "PLAIN LOGIN"\r\n"STARTTLS"\r\n"VERSION" "1.0"r\nOK "Dovecot ready."\r\n'
+STARTTLS 'OK "Begin TLS negotiation now."\r\n'
diff --git a/tests/starttls.sh b/tests/starttls.sh
index 522c6765b1..c0e5a6750e 100755
--- a/tests/starttls.sh
+++ b/tests/starttls.sh
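Review bot: The Sieve greeting in this fixture has a broken line terminator at `"VERSION" "1.0"r\nOK "Dovecot ready."` — the backslash before `r` is missing, so the chat helper (which presumably expands `\r\n` escapes given `-e`) will emit a literal `r` followed by a bare LF instead of CRLF between the VERSION capability and the final OK line. The test still passes only because the client searches for `OK ` rather than parsing lines, so the fixture silently stops representing an RFC 5804 greeting. It should read `"VERSION" "1.0"\r\nOK "Dovecot ready."\r\n`.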
@@ -108,4 +108,56 @@ fi
 kill ${PID}
 wait
 
+eval "${GETPORT}"
+socat TCP-LISTEN:${PORT} EXEC:"$CHAT -e -S -v -f ${srcdir}/starttls-lmtp.txt",pty &
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-ECDH --insecure --starttls-proto lmtp --verbose /dev/null
+if test $? != 1;then
+ fail ${PID} "connect should have failed with error code 1"
+fi
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+socat TCP-LISTEN:${PORT} EXEC:"$CHAT -e -S -v -f ${srcdir}/starttls-pop3.txt",pty &
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-ECDH --insecure --starttls-proto pop3 --verbose /dev/null
+if test $? != 1;then
+ fail ${PID} "connect should have failed with error code 1"
+fi
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+socat TCP-LISTEN:${PORT} EXEC:"$CHAT -e -S -v -f ${srcdir}/starttls-nntp.txt",pty &
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-ECDH --insecure --starttls-proto nntp --verbose /dev/null
+if test $? != 1;then
+ fail ${PID} "connect should have failed with error code 1"
+fi
+
+kill ${PID}
+wait
+
+eval "${GETPORT}"
+socat TCP-LISTEN:${PORT} EXEC:"$CHAT -e -S -v -f ${srcdir}/starttls-sieve.txt",pty &
+PID=$!
+wait_server ${PID}
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:+ANON-ECDH --insecure --starttls-proto sieve --verbose /dev/null
+if test $? != 1;then
+ fail ${PID} "connect should have failed with error code 1"
+fi
+
+kill ${PID}
+wait
+
 exit 0
-- 
cgit v1.2.1
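Review bot: No PostgreSQL case is added here even though the same commit gives src/socket.c a `postgres`/`postgresql` branch, so the one new protocol that sends raw bytes and reads an unchecked reply is also the only one left without a test; if the chat helper can emit a non-text reply, a fixture that answers `S` to the 8-byte SSLRequest would give it the same coverage as the other four. The four new cases are otherwise verbatim copies differing only in the protocol name, which would be easier to keep in sync as a loop, e.g. `for proto in lmtp pop3 nntp sieve; do` over `starttls-${proto}.txt` and `--starttls-proto ${proto}`. Note that each case asserts only exit status 1, i.e. that the STARTTLS dialog completed and the TLS handshake then failed against the chat script; a wrong expected-reply string in socket.c would surface as a timeout rather than a distinguishable failure, so the `TIMEOUT 120` in the fixtures is what bounds a regression here.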