@@ -11422,10 +11422,13 @@ starttls_postgres_dialog() {
1142211422}
1142311423
1142411424
11425- # RFC 2830
11425+ # RFC 2251, 2830, RFC 4511
11426+ #
1142611427starttls_ldap_dialog() {
1142711428 local debugpad=" > "
1142811429 local -i ret=0
11430+ local msg_lenstr=""
11431+ local -i msg_len=0
1142911432 local result=""
1143011433 local starttls_init=",
1143111434 x30, x1d, x02, x01, # LDAP extendedReq
@@ -11436,17 +11439,32 @@ starttls_ldap_dialog() {
1143611439 debugme echo "=== starting LDAP STARTTLS dialog ==="
1143711440 socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
1143811441 result=$(sockread_fast 256)
11439- [[ $DEBUG -ge 6 ]] && safe_echo "$debugpad $result\n"
11442+ [[ $DEBUG -ge 4 ]] && safe_echo "$debugpad $result\n"
1144011443
1144111444 # response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
11442- # ^^ == success! [9] is checked below
11443- if [[ ${result:18:2} == 00 ]]; then
11444- ret=0
11445- elif [[ ${result:18:2} == 01 ]]; then
11446- ret=1
11447- else
11448- ret=127
11449- fi
11445+ # ^^ 0 would be success in 9th byte
11446+ #
11447+ # return values in https://www.rfc-editor.org/rfc/rfc2251#page-45 and e.g.
11448+ # https://git.openldap.org/openldap/openldap/-/blob/master/include/ldap.h
11449+
11450+ case "${result:18:2}" in
11451+ 00) ret=0 ;;
11452+ # success
11453+ 01) ret=1 ;;
11454+ # operationsError
11455+ 02) ret=2
11456+ # protocolError (text msg: "unsupported extended operation") e.g. when STARTTLS not supported
11457+ if [[ $DEBUG -ge 2 ]]; then
11458+ msg_lenstr=$(hex2dec ${result:26:02})
11459+ msg_len=$((2 * msg_lenstr))
11460+ safe_echo "$debugpad $(hex2binary "${result:28:$msg_len}")"
11461+ fi ;;
11462+ *)
11463+ ret=127
11464+ if [[ $DEBUG -ge 2 ]]; then
11465+ safe_echo "$debugpad $(hex2dec "${result:28:2}")"
11466+ fi ;;
11467+ esac
1145011468 debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
1145111469 return $ret
1145211470}
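Review bot: The `*)` branch's debug line decodes `${result:28:2}`, the first byte of errorMessage, instead of the resultCode that failed to match, so for an unrecognized code the output says nothing about which code arrived; `safe_echo "$debugpad unexpected LDAP resultCode 0x${result:18:2}"` would make that branch useful. Both the `02)` and `*)` branches also parse the BER response at fixed offsets (resultCode at 18, errorMessage length at 26, text at 28), which only holds for a single-byte messageID, a short-form length and an empty matchedDN as in the sample response; a comment like `# fixed offsets assume a one-byte messageID and an empty matchedDN, as in the sample above` should state that, and `${result:26:02}` should be quoted like the other expansions. Note that errorMessage is server-supplied text that `hex2binary` turns back into raw bytes before printing, so a hostile server could push terminal control sequences into the debug output unless safe_echo filters them, which is not visible from this hunk. The enclosing function starttls_ldap_dialog starts in the previous hunk.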