[stunnel-users] Patch for Start TLS for LDAP clients (RFC 2830)

Bart Dopheide dopheide at fmf.nl
Tue Nov 5 15:00:50 CET 2013


Hi,

I noticed that latest/greatest stunnel does not support the Start TLS 
operation for LDAP (RFC2830). Yet, I need it in my organisation as a 
quick workaround.

After fiddling with OpenLDAP, tracing, and reading RFC 2830 a bit, I 
patched stunnel 4.56 and the patch has not failed me yet. But I must 
remark that I am no LDAP expert, nor an certified stunnel hacker. So, I 
will submit this patch as a first suggestion.

Will you consider the feature request of implementing the Start TLS 
feature as described in RFC 2830?

Cheers,
Bart Dopheide



My patch suggestion is:
dopheideb at anguish:/tmp$ diff -aur stunnel-4.56 stunnel-4.56-ldap-starttls-patch
diff -aur stunnel-4.56/src/protocol.c stunnel-4.56-ldap-starttls-patch/src/protocol.c
--- stunnel-4.56/src/protocol.c	2013-03-13 14:41:16.000000000 +0100
+++ stunnel-4.56-ldap-starttls-patch/src/protocol.c	2013-11-05 11:19:10.388365359 +0100
@@ -53,6 +53,7 @@
 static void imap_client(CLI *);
 static void imap_server(CLI *);
 static void nntp_client(CLI *);
+static void openldap_client(CLI *);
 static void connect_server(CLI *);
 static void connect_client(CLI *);
 
@@ -82,6 +83,7 @@
     {"pop3",    {{PROTOCOL_PRE_SSL,     pop3_server},       {PROTOCOL_PRE_SSL, pop3_client}}},
     {"imap",    {{PROTOCOL_PRE_SSL,     imap_server},       {PROTOCOL_PRE_SSL, imap_client}}},
     {"nntp",    {{PROTOCOL_NONE,        NULL},              {PROTOCOL_PRE_SSL, nntp_client}}},
+    {"openldap",{{PROTOCOL_NONE,        NULL},              {PROTOCOL_PRE_SSL, openldap_client}}},
     {"connect", {{PROTOCOL_PRE_CONNECT, connect_server},    {PROTOCOL_PRE_SSL, connect_client}}},
     {NULL,      {{PROTOCOL_NONE,        NULL},              {PROTOCOL_NONE,    NULL}}}
 };
@@ -513,6 +515,88 @@
     str_free(line);
 }
 
+/**************************************** LDAP, RFC 2830 */
+
+u8 ldap_startssl_message[0x1d + 2] =
+{
+  0x30,		/* tag = UNIVERSAL SEQUENCE */
+  0x1d,		/* len = 29 (the remaining number of bytes in this message) */
+  0x02,		/*   messageID */
+  0x01,		/*   len = 1 */
+  0x01,		/*   value = 1 (this is messageID 1) */
+                /*   --- */
+  0x77,		/*   protocolOp = APPLICATION (23) (=ExtendedRequest)
+                 *     0b01xxxxxx => APPLICATION
+                 *     0bxx1xxxxx => ?
+                 *     0xxxx10111 => 23
+                 */
+  0x18,		/*   len = 24 */
+  0x80,		/*   type = requstName? */
+  0x16,		/*     len = 22 */
+  /* OID: 1.3.6.1.4.1.1466.20037 (=LDAP_START_TLS_OID)*/
+  '1', '.',
+  '3', '.',
+  '6', '.',
+  '1', '.',
+  '4', '.',
+  '1', '.',
+  '1', '4', '6', '6', '.',
+  '2', '0', '0', '3', '7'
+  /* No requestValue, as per RFC2830 (in 2.1: "The requestValue field is absent") */
+};
+static void openldap_client(CLI *c) {
+    u8 buffer[1];
+    u8 ldap_response[256];
+    
+    s_log(LOG_DEBUG, "Requesting LDAP Start TLS");
+    write_blocking(c, c->remote_fd.fd, ldap_startssl_message, ldap_startssl_message[1] + 2);
+    
+    read_blocking(c, c->remote_fd.fd, buffer, 1);
+    if(buffer[0] != 0x30) {
+        s_log(LOG_ERR, "start tag is not UNIVERSAL SEQUENCE");
+        longjmp(c->err, 1);
+    }
+    
+    s_log(LOG_DEBUG, "Reading LDAP message size (1 byte).");
+    read_blocking(c, c->remote_fd.fd, buffer, 1);
+    
+    s_log(LOG_DEBUG, "Reading LDAP message (%u byte(s))", buffer[0]);
+    read_blocking(c, c->remote_fd.fd, ldap_response, buffer[0]);
+    
+    if(ldap_response[0] != 0x02) {
+        s_log(LOG_ERR, "LDAP response does not start with type messageID");
+        longjmp(c->err, 1);
+    }
+    if(ldap_response[1] != 0x01) {
+        s_log(LOG_ERR, "This is not an extendedResp(1)");
+        longjmp(c->err, 1);
+    }
+    if(ldap_response[2] != 0x01) {
+        s_log(LOG_ERR, "Non-matching messageID");
+        longjmp(c->err, 1);
+    }
+    if(ldap_response[3] != 0x78) {
+        s_log(LOG_ERR, "This is not a protocolOp for APPLICATION ExtendedResponse");
+        longjmp(c->err, 1);
+    }
+    if(ldap_response[4] != 0x07) {
+        s_log(LOG_ERR, "Expected 0x07 indicating extendedResp is 7 bytes long");
+        longjmp(c->err, 1);
+    }
+    if(ldap_response[5] != 0x0a) {
+        s_log(LOG_ERR, "This is not an extendedResp");
+        longjmp(c->err, 1);
+    }
+    if(ldap_response[6] != 0x01) {
+        s_log(LOG_ERR, "This is not an extendedResp");
+        longjmp(c->err, 1);
+    }
+    if(ldap_response[7] != 0x00) {
+        s_log(LOG_ERR, "This is not resultCode success");
+        longjmp(c->err, 1);
+    }
+}
+
 /**************************************** connect */
 
 static void connect_server(CLI *c) {
dopheideb at anguish:/tmp$ 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131105/7f17d88a/attachment.sig>


More information about the stunnel-users mailing list