On Tue, Dec 3, 2019 at 2:29 PM Seth Grover <[email protected]> wrote:
> ... > Back in 2013 Bart Dopheide submitted a patch to the mailing list to add LDAP > StartTLS (elevate connection to TLS after initial connection is initiated) > support to the list of supported protocols in protocol.c ( > https://www.stunnel.org/pipermail/stunnel-users/2013-November/004437.html). > It doesn't look like this patch was ever accepted into stunnel. > > I've run into a similar requirement and have updated the patch to work > against stunnel 5.56. In addition, there are a few other minor changes, the > most significant being as follows. It would appear that Windows Active > Directory servers do not implement the ldap extended response PDU in the > same way as OpenLDAP (see this thread: > https://www.openldap.org/lists/openldap-software/200401/msg00800.html). > With this patch you can specify either "protocol = winldap" or "protocol = > openldap" and have it work either way. I haven't modified the logic of > Bart's original patch as far as OpenLDAP goes, but I have split the code > path where applicable to handle the Windows case. > ... > The patch is at the end of this message. > ... > I apologize, but I had a stupid bug in the OpenLDAP portion of my patch which I hadn't been able to test as I didn't have an OpenLDAP server instance set up. On line 108 of my patch, this code: resp_len = buffer_8; > should be changed to: resp_len = buffer_8[0]; > I set up an openldap instance in docker ( https://github.com/osixia/docker-openldap) and am now getting correct results against both Active Directory and OpenLDAP. For completeness' sake, I am including the full (corrected) patch again here: diff -Nurp a/src/protocol.c b/src/protocol.c --- a/src/protocol.c 2019-05-15 13:35:16.000000000 -0600 +++ b/src/protocol.c 2019-12-03 13:54:47.536940900 -0700 @@ -64,6 +64,8 @@ NOEXPORT char *pop3_server(CLI *, SERVIC NOEXPORT char *imap_client(CLI *, SERVICE_OPTIONS *, const PHASE); NOEXPORT char *imap_server(CLI *, SERVICE_OPTIONS *, const PHASE); NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE); +NOEXPORT char *openldap_client(CLI *, SERVICE_OPTIONS *, const PHASE); +NOEXPORT char *winldap_client(CLI *, SERVICE_OPTIONS *, const PHASE); NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE); NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE); #ifndef OPENSSL_NO_MD4 @@ -113,6 +115,14 @@ char *protocol(CLI *c, SERVICE_OPTIONS * return opt->option.client ? nntp_client(c, opt, phase) : "The 'nntp' protocol is not supported in the server mode"; + if(!strcasecmp(opt->protocol, "openldap")) + return opt->option.client ? + openldap_client(c, opt, phase) : + "The 'openldap' protocol is not supported in the server mode"; + if(!strcasecmp(opt->protocol, "winldap")) + return opt->option.client ? + winldap_client(c, opt, phase) : + "The 'winldap' protocol is not supported in the server mode"; if(!strcasecmp(opt->protocol, "connect")) return opt->option.client ? connect_client(c, opt, phase) : @@ -1119,6 +1129,182 @@ NOEXPORT char *nntp_client(CLI *c, SERVI return NULL; } +/**************************************** LDAP, RFC 2830 */ +uint8_t ldap_startssl_message[0x1d + 2] = +{ + 0x30, /* tag = UNIVERSAL SEQUENCE */ + 0x1d, /* len = 29 (the remaining number of bytes in this message) */ + 0x02, /* messageID */ + 0x01, /* len = 1 */ + 0x01, /* value = 1 (this is messageID 1) */ + /* --- */ + 0x77, /* protocolOp = APPLICATION (23) (=ExtendedRequest) + * 0b01xxxxxx => APPLICATION + * 0bxx1xxxxx => ? + * 0xxxx10111 => 23 + */ + 0x18, /* len = 24 */ + 0x80, /* type = requstName? */ + 0x16, /* len = 22 */ + /* OID: 1.3.6.1.4.1.1466.20037 (=LDAP_START_TLS_OID)*/ + '1', '.', + '3', '.', + '6', '.', + '1', '.', + '4', '.', + '1', '.', + '1', '4', '6', '6', '.', + '2', '0', '0', '3', '7' + /* No requestValue, as per RFC2830 (in 2.1: "The requestValue field is absent") */ +}; + +typedef enum { + LDAP_OPENLDAP, + LDAP_WINLDAP +} LDAP_MODE; + +#define LDAP_UNIVERSAL_SEQUENCE 0x30 +#define LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG 0x84 +#define LDAP_RESPONSE_MSG_ID_TYPE_INT 0x02 +#define LDAP_RESPONSE_EXPECTED_MSG_ID_LEN 0x01 +#define LDAP_RESPONSE_EXPECTED_MSG_ID 0x01 +#define LDAP_RESPONSE_EXT_RESP 0x0a +#define LDAP_RESPONSE_EXT_RESP_APPLICATION 0x78 +#define LDAP_RESPONSE_EXPECTED_ERR_LEN 0x01 +#define LDAP_RESPONSE_SUCCESS 0x00 + +NOEXPORT char *ldap_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase, const LDAP_MODE ldap_mode) { + + /* thanks to these threads for help with these PDUs + https://www.stunnel.org/pipermail/stunnel-users/2013-November/004437.html + https://www.openldap.org/lists/openldap-software/200401/msg00800.html */ + + uint8_t buffer_8[1]; + uint32_t buffer_32[1]; + uint32_t resp_len; + uint8_t ldap_response[256]; + uint8_t *resp_ptr; + + (void)opt; /* squash the unused parameter warning */ + + if(phase!=PROTOCOL_MIDDLE) + return NULL; + + /* send "Start TLS" request to AD server */ + s_log(LOG_DEBUG, "Requesting LDAP Start TLS"); + s_write(c, c->remote_fd.fd, ldap_startssl_message, (size_t)ldap_startssl_message[1] + 2); + + /* LDAP_UNIVERSAL_SEQUENCE (1 byte) */ + s_read(c, c->remote_fd.fd, buffer_8, 1); + if(buffer_8[0] != LDAP_UNIVERSAL_SEQUENCE) { + s_log(LOG_ERR, "start tag is not UNIVERSAL SEQUENCE"); + throw_exception(c, 1); + } + + if(ldap_mode == LDAP_OPENLDAP) { + /* OpenLDAP - response length (1 byte) */ + s_log(LOG_DEBUG, "Reading OpenLDAP message size (1 byte)"); + s_read(c, c->remote_fd.fd, buffer_8, 1); + resp_len = buffer_8[0]; + + } else if(ldap_mode == LDAP_WINLDAP) { + + /* WinLDAP - "response length is 4 bytes" flag - LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG (1-byte) */ + s_read(c, c->remote_fd.fd, buffer_8, 1); + if(buffer_8[0] != LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG) { + s_log(LOG_ERR, "LDAP message length flag is an unexpected value"); + throw_exception(c, 1); + } + + /* WinLDAP - response length (4 bytes, network byte order) */ + s_log(LOG_DEBUG, "Reading WinLDAP message size (4 bytes)"); + s_read(c, c->remote_fd.fd, buffer_32, 4); + resp_len = ntohl(buffer_32[0]); + + } else { + s_log(LOG_ERR, "Unsupported LDAP mode"); + throw_exception(c, 1); + } + + /* LDAP response message */ + s_log(LOG_DEBUG, "Reading LDAP message (%u byte(s))", resp_len); + s_read(c, c->remote_fd.fd, ldap_response, resp_len); + + resp_ptr = &ldap_response[0]; + + /* LDAP_RESPONSE_MSG_ID_TYPE_INT - 1 byte */ + if(*resp_ptr != LDAP_RESPONSE_MSG_ID_TYPE_INT) { + s_log(LOG_ERR, "LDAP response has an incorrect message ID type"); + throw_exception(c, 1); + } + resp_ptr++; + + /* LDAP_RESPONSE_EXPECTED_MSG_ID_LEN - 1 byte */ + if(*resp_ptr != LDAP_RESPONSE_EXPECTED_MSG_ID_LEN) { + s_log(LOG_ERR, "LDAP response has an unexpected message ID length"); + throw_exception(c, 1); + } + resp_ptr++; + + /* LDAP_RESPONSE_EXPECTED_MSG_ID - 1 byte */ + if(*resp_ptr != LDAP_RESPONSE_EXPECTED_MSG_ID) { + s_log(LOG_ERR, "LDAP response has an unexpected message ID"); + throw_exception(c, 1); + } + resp_ptr++; + + /* LDAP_RESPONSE_EXT_RESP_APPLICATION - 1 byte */ + if(*resp_ptr != LDAP_RESPONSE_EXT_RESP_APPLICATION) { + s_log(LOG_ERR, "LDAP response protocolOp is not APPLICATION"); + throw_exception(c, 1); + } + resp_ptr++; + + if(ldap_mode == LDAP_WINLDAP) { + /* WinLDAP - "response length is 4 bytes" flag - LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG (1-byte) */ + if(*resp_ptr != LDAP_WINLDAP_FOUR_BYTE_LEN_FLAG) { + s_log(LOG_ERR, "LDAP extendedResp length flag is an unexpected value"); + throw_exception(c, 1); + } + /* WinLDAP - extended response message length (4-bytes) */ + resp_ptr += 5; + + } else { + /* OpenLDAP - extended response message length (1-byte) */ + resp_ptr++; + } + + /* LDAP_RESPONSE_EXT_RESP - 1 byte */ + if(*resp_ptr != LDAP_RESPONSE_EXT_RESP) { + s_log(LOG_ERR, "LDAP response type is not EXT_RESP"); + throw_exception(c, 1); + } + resp_ptr++; + + /* LDAP_RESPONSE_EXT_RESP - 1 byte */ + if(*resp_ptr != LDAP_RESPONSE_EXPECTED_ERR_LEN) { + s_log(LOG_ERR, "LDAP response has an unexpected error code length"); + throw_exception(c, 1); + } + resp_ptr++; + + if(*resp_ptr != LDAP_RESPONSE_SUCCESS) { + s_log(LOG_ERR, "LDAP response has indicated an error (%u)", *resp_ptr); + throw_exception(c, 1); + } + + return NULL; +} + + +NOEXPORT char *openldap_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) { + return ldap_client(c, opt, phase, LDAP_OPENLDAP); +} + +NOEXPORT char *winldap_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) { + return ldap_client(c, opt, phase, LDAP_WINLDAP); +} + /**************************************** connect */ NOEXPORT char *connect_server(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
