@@ -11429,7 +11429,8 @@ starttls_ldap_dialog() {
1142911429 local -i ret=0
1143011430 local msg_lenstr=""
1143111431 local -i msg_len=0
11432- local result=""
11432+ local buffer="" buffsize=""
11433+ local result_code="00"
1143311434 local starttls_init=",
1143411435 x30, x1d, x02, x01, # LDAP extendedReq
1143511436 x01, # messageID: 1
@@ -11438,33 +11439,57 @@ starttls_ldap_dialog() {
1143811439
1143911440 debugme echo "=== starting LDAP STARTTLS dialog ==="
1144011441 socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" &&
11441- result =$(sockread_fast 256)
11442- [[ $DEBUG -ge 4 ]] && safe_echo "$debugpad $result \n"
11442+ buffer =$(sockread_fast 256)
11443+ [[ $DEBUG -ge 4 ]] && safe_echo "$debugpad $buffer \n"
1144311444
11444- # response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
11445- # ^^ 0 would be success in 9th byte
11445+ # We have two different scenarios: AD and OpenLDAP. And maybe more we don't more of yet.
11446+ # OpenLDAP-like reply is
11447+ # 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
11448+ # ^^ buffsize ^^ LDAP result code (0 -> success)
1144611449 #
11450+ # see https://git.openldap.org/openldap/openldap/-/blob/master/include/ldap.h
1144711451 # return values in https://www.rfc-editor.org/rfc/rfc2251#page-45 and e.g.
11448- # https://git.openldap.org/openldap/openldap/-/blob/master/include/ldap.h
1144911452
11450- case "${result:18:2}" in
11453+ # AD-like is
11454+ # error: 30 84 00 00 00 7d 02 01 01 78 84 00 00 00 74 0a 01 34 04 00 04 55 30 30 [.. LdapErr, string, OID.. ]
11455+ # success 30 84 00 00 00 28 02 01 01 78 84 00 00 00 1F 0A 01 00 04 00 04 00 8A 16 [ .. OID .. ]
11456+ # ^^ buffsize ^^ LDAP result code (0 -> success)
11457+
11458+ # We assume that AD servers probably all have x84. It was deducted from a number of hosts.
11459+ # It maybe needs to be amended for other implementations.
11460+ # Basically using ldap_ExtendedResponse_parse() in apps/s_client.c of openssl would be
11461+ # more robust but it is kind of hard to understand.
11462+ #
11463+ # Bottom line: We'll look at the 9th or the 17th byte when retrieving the result code
11464+ # depending what the buffsize is.
11465+
11466+ buffsize="${buffer:2:2}"
11467+
11468+ case $buffsize in
11469+ 0C) result_code="${buffer:18:2}" ;;
11470+ 84) result_code="${buffer:34:2}" ;;
11471+ esac
11472+ [[ $DEBUG -ge 2 ]] && safe_echo "$debugpad buffsize: $buffsize / LDAP result code: $result_code \n"
11473+
11474+ case $result_code in
1145111475 00) ret=0 ;;
1145211476 # success
1145311477 01) ret=1 ;;
11454- # operationsError
11478+ # OpenLDAP: operationsError
1145511479 02) ret=2
11456- # protocolError (text msg: "unsupported extended operation") e.g. when STARTTLS not supported
11480+ # OpenLDAP: protocolError (text msg: "unsupported extended operation") e.g. when STARTTLS not supported
1145711481 if [[ $DEBUG -ge 2 ]]; then
11458- msg_lenstr=$(hex2dec ${result :26:02})
11482+ msg_lenstr=$(hex2dec ${buffer :26:02})
1145911483 msg_len=$((2 * msg_lenstr))
11460- safe_echo "$debugpad $(hex2binary "${result:28:$msg_len}")"
11461- fi ;;
11462- *)
11463- ret=127
11464- if [[ $DEBUG -ge 2 ]]; then
11465- safe_echo "$debugpad $(hex2dec "${result:28:2}")"
11484+ safe_echo "$debugpad $(hex2binary "${buffer:28:$msg_len}")"
1146611485 fi ;;
11486+ 34) # This (52 in dec) seems to be the error code for AD when there's no STARTTLS
11487+ [[ $DEBUG -ge 2 ]] && safe_echo " seems AD server with no STARTTLS\n"
11488+ ret=52 ;;
11489+ *) [[ $DEBUG -ge 2 ]] && safe_echo "$debugpad $(hex2dec "${buffer:28:2}")"
11490+ ret=127 ;;
1146711491 esac
11492+
1146811493 debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
1146911494 return $ret
1147011495}
0 commit comments