[stunnel-users] updated patch for Start TLS for LDAP clients (RFC 2830)
Seth Grover
Seth.D.Grover at gmail.com
Tue Dec 10 23:09:00 CET 2019
On Tue, Dec 3, 2019 at 2:29 PM Seth Grover <Seth.D.Grover at gmail.com> wrote:
> ...
>
Back in 2013 Bart Dopheide submitted a patch to the mailing list to add LDAP
> StartTLS (elevate connection to TLS after initial connection is initiated)
> support to the list of supported protocols in protocol.c (
> https://www.stunnel.org/pipermail/stunnel-users/2013-November/004437.html).
> It doesn't look like this patch was ever accepted into stunnel.
>
> I've run into a similar requirement and have updated the patch to work
> against stunnel 5.56. In addition, there are a few other minor changes, the
> most significant being as follows. It would appear that Windows Active
> Directory servers do not implement the ldap extended response PDU in the
> same way as OpenLDAP (see this thread:
> https://www.openldap.org/lists/openldap-software/200401/msg00800.html).
> With this patch you can specify either "protocol = winldap" or "protocol =
> openldap" and have it work either way. I haven't modified the logic of
> Bart's original patch as far as OpenLDAP goes, but I have split the code
> path where applicable to handle the Windows case.
> ...
>
The patch is at the end of this message.
> ...
>
I apologize, but I had a stupid bug in the OpenLDAP portion of my patch
which I hadn't been able to test as I didn't have an OpenLDAP server
instance set up. On line 108 of my patch, this code:
resp_len = buffer_8;
>
should be changed to:
resp_len = buffer_8[0];
>
I set up an openldap instance in docker (
https://github.com/osixia/docker-openldap) and am now getting correct
results against both Active Directory and OpenLDAP. For completeness' sake,
I am including the full (corrected) patch again here:
diff -Nurp a/src/protocol.c b/src/protocol.c
--- a/src/protocol.c 2019-05-15 13:35:16.000000000 -0600
+++ b/src/protocol.c 2019-12-03 13:54:47.536940900 -0700
@@ -64,6 +64,8 @@ NOEXPORT char *pop3_server(CLI *, SERVIC
NOEXPORT char *imap_client(CLI *, SERVICE_OPTIONS *, const PHASE);
NOEXPORT char *imap_server(CLI *, SERVICE_OPTIONS *, const PHASE);
NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+NOEXPORT char *openldap_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+NOEXPORT char *winldap_client(CLI *, SERVICE_OPTIONS *, const PHASE);
NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE);
NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE);
#ifndef OPENSSL_NO_MD4
@@ -113,6 +115,14 @@ char *protocol(CLI *c, SERVICE_OPTIONS *
return opt->option.client ?
nntp_client(c, opt, phase) :
"The 'nntp' protocol is not supported in the server mode";
+ if(!strcasecmp(opt->protocol, "openldap"))
+ return opt->option.client ?
+ openldap_client(c, opt, phase) :
+ "The 'openldap' protocol is not supported in the server mode";
+ if(!strcasecmp(opt->protocol, "winldap"))
+ return opt->option.client ?
+ winldap_client(c, opt, phase) :
+ "The 'winldap' protocol is not supported in the server mode";
if(!strcasecmp(opt->protocol, "connect"))
return opt->option.client ?
connect_client(c, opt, phase) :
@@ -1119,6 +1129,182 @@ NOEXPORT char *nntp_client(CLI *c, SERVI
return NULL;
}
+/**************************************** LDAP, RFC 2830 */
+uint8_t ldap_startssl_message[0x1d + 2] =
+{
+ 0x30, /* tag = UNIVERSAL SEQUENCE */
+ 0x1d, /* len = 29 (the remaining number of bytes in this message)
*/
+ 0x02, /* messageID */
+ 0x01, /* len = 1 */
+ 0x01, /* value = 1 (this is messageID 1) */
+ /* --- */
+ 0x77, /* protocolOp = APPLICATION (23) (=ExtendedRequest)
+ * 0b01xxxxxx => APPLICATION
+ * 0bxx1xxxxx => ?
+ * 0xxxx10111 => 23
+ */
+ 0x18, /* len = 24 */
+ 0x80, /* type = requstName? */
+ 0x16, /* len = 22 */
+ /* OID: 1.3.6.1.4.1.1466.20037 (=LDAP_START_TLS_OID)*/
+ '1', '.',
+ '3', '.',
+ '6', '.',
+ '1', '.',
+ '4', '.',
+ '1', '.',
+ '1', '4', '6', '6', '.',
+ '2', '0', '0', '3', '7'
+ /* No requestValue, as per RFC2830 (in 2.1: "The requestValue field is
absent") */
+};
+
+typedef enum {
+ LDAP_OPENLDAP,
+ LDAP_WINLDAP
+} LDAP_MODE;
+
+#define LDAP_UNIVERSAL_SEQUENCE 0x30
+#define LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG 0x84
+#define LDAP_RESPONSE_MSG_ID_TYPE_INT 0x02
+#define LDAP_RESPONSE_EXPECTED_MSG_ID_LEN 0x01
+#define LDAP_RESPONSE_EXPECTED_MSG_ID 0x01
+#define LDAP_RESPONSE_EXT_RESP 0x0a
+#define LDAP_RESPONSE_EXT_RESP_APPLICATION 0x78
+#define LDAP_RESPONSE_EXPECTED_ERR_LEN 0x01
+#define LDAP_RESPONSE_SUCCESS 0x00
+
+NOEXPORT char *ldap_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE
phase, const LDAP_MODE ldap_mode) {
+
+ /* thanks to these threads for help with these PDUs
+
https://www.stunnel.org/pipermail/stunnel-users/2013-November/004437.html
+
https://www.openldap.org/lists/openldap-software/200401/msg00800.html */
+
+ uint8_t buffer_8[1];
+ uint32_t buffer_32[1];
+ uint32_t resp_len;
+ uint8_t ldap_response[256];
+ uint8_t *resp_ptr;
+
+ (void)opt; /* squash the unused parameter warning */
+
+ if(phase!=PROTOCOL_MIDDLE)
+ return NULL;
+
+ /* send "Start TLS" request to AD server */
+ s_log(LOG_DEBUG, "Requesting LDAP Start TLS");
+ s_write(c, c->remote_fd.fd, ldap_startssl_message,
(size_t)ldap_startssl_message[1] + 2);
+
+ /* LDAP_UNIVERSAL_SEQUENCE (1 byte) */
+ s_read(c, c->remote_fd.fd, buffer_8, 1);
+ if(buffer_8[0] != LDAP_UNIVERSAL_SEQUENCE) {
+ s_log(LOG_ERR, "start tag is not UNIVERSAL SEQUENCE");
+ throw_exception(c, 1);
+ }
+
+ if(ldap_mode == LDAP_OPENLDAP) {
+ /* OpenLDAP - response length (1 byte) */
+ s_log(LOG_DEBUG, "Reading OpenLDAP message size (1 byte)");
+ s_read(c, c->remote_fd.fd, buffer_8, 1);
+ resp_len = buffer_8[0];
+
+ } else if(ldap_mode == LDAP_WINLDAP) {
+
+ /* WinLDAP - "response length is 4 bytes" flag -
LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG (1-byte) */
+ s_read(c, c->remote_fd.fd, buffer_8, 1);
+ if(buffer_8[0] != LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG) {
+ s_log(LOG_ERR, "LDAP message length flag is an unexpected
value");
+ throw_exception(c, 1);
+ }
+
+ /* WinLDAP - response length (4 bytes, network byte order) */
+ s_log(LOG_DEBUG, "Reading WinLDAP message size (4 bytes)");
+ s_read(c, c->remote_fd.fd, buffer_32, 4);
+ resp_len = ntohl(buffer_32[0]);
+
+ } else {
+ s_log(LOG_ERR, "Unsupported LDAP mode");
+ throw_exception(c, 1);
+ }
+
+ /* LDAP response message */
+ s_log(LOG_DEBUG, "Reading LDAP message (%u byte(s))", resp_len);
+ s_read(c, c->remote_fd.fd, ldap_response, resp_len);
+
+ resp_ptr = &ldap_response[0];
+
+ /* LDAP_RESPONSE_MSG_ID_TYPE_INT - 1 byte */
+ if(*resp_ptr != LDAP_RESPONSE_MSG_ID_TYPE_INT) {
+ s_log(LOG_ERR, "LDAP response has an incorrect message ID type");
+ throw_exception(c, 1);
+ }
+ resp_ptr++;
+
+ /* LDAP_RESPONSE_EXPECTED_MSG_ID_LEN - 1 byte */
+ if(*resp_ptr != LDAP_RESPONSE_EXPECTED_MSG_ID_LEN) {
+ s_log(LOG_ERR, "LDAP response has an unexpected message ID
length");
+ throw_exception(c, 1);
+ }
+ resp_ptr++;
+
+ /* LDAP_RESPONSE_EXPECTED_MSG_ID - 1 byte */
+ if(*resp_ptr != LDAP_RESPONSE_EXPECTED_MSG_ID) {
+ s_log(LOG_ERR, "LDAP response has an unexpected message ID");
+ throw_exception(c, 1);
+ }
+ resp_ptr++;
+
+ /* LDAP_RESPONSE_EXT_RESP_APPLICATION - 1 byte */
+ if(*resp_ptr != LDAP_RESPONSE_EXT_RESP_APPLICATION) {
+ s_log(LOG_ERR, "LDAP response protocolOp is not APPLICATION");
+ throw_exception(c, 1);
+ }
+ resp_ptr++;
+
+ if(ldap_mode == LDAP_WINLDAP) {
+ /* WinLDAP - "response length is 4 bytes" flag -
LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG (1-byte) */
+ if(*resp_ptr != LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG) {
+ s_log(LOG_ERR, "LDAP extendedResp length flag is an unexpected
value");
+ throw_exception(c, 1);
+ }
+ /* WinLDAP - extended response message length (4-bytes) */
+ resp_ptr += 5;
+
+ } else {
+ /* OpenLDAP - extended response message length (1-byte) */
+ resp_ptr++;
+ }
+
+ /* LDAP_RESPONSE_EXT_RESP - 1 byte */
+ if(*resp_ptr != LDAP_RESPONSE_EXT_RESP) {
+ s_log(LOG_ERR, "LDAP response type is not EXT_RESP");
+ throw_exception(c, 1);
+ }
+ resp_ptr++;
+
+ /* LDAP_RESPONSE_EXT_RESP - 1 byte */
+ if(*resp_ptr != LDAP_RESPONSE_EXPECTED_ERR_LEN) {
+ s_log(LOG_ERR, "LDAP response has an unexpected error code
length");
+ throw_exception(c, 1);
+ }
+ resp_ptr++;
+
+ if(*resp_ptr != LDAP_RESPONSE_SUCCESS) {
+ s_log(LOG_ERR, "LDAP response has indicated an error (%u)",
*resp_ptr);
+ throw_exception(c, 1);
+ }
+
+ return NULL;
+}
+
+
+NOEXPORT char *openldap_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE
phase) {
+ return ldap_client(c, opt, phase, LDAP_OPENLDAP);
+}
+
+NOEXPORT char *winldap_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE
phase) {
+ return ldap_client(c, opt, phase, LDAP_WINLDAP);
+}
+
/**************************************** connect */
NOEXPORT char *connect_server(CLI *c, SERVICE_OPTIONS *opt, const PHASE
phase) {
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20191210/59b63c17/attachment-0001.htm>
More information about the stunnel-users
mailing list