{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1749528939,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"79823c47e5cac9cb60e2cb6a0995a8d4",
"commit": {"type":"commit",
"time": 1488468802,
"time_ofs": 60,
"oid_tree": { "oid": "a506c5cdd3e33fe0eba01c78b9b7b3079b4951a8", "alias": []},
"oid":{ "oid": "398b0bbdf71d852daf2e79d842cd0d307ec9f8f6", "alias": []},
"msg": "Add LDAP support (RFC 4511) to s_client (\u0022-starttls ldap\u0022)",
"sig_commit": { "git_time": { "time": 1488468802, "offset": 60 }, "name": "Andy Polyakov", "email": "appro@openssl.org", "md5": "50bd64fa2a792cbbf679fa16213a3b2a" },
"sig_author": { "git_time": { "time": 1488152654, "offset": 60 }, "name": "Robert Scheck", "email": "robert@fedoraproject.org", "md5": "de57fd7b8f5f9a500e1736cdf7889bda" }},
"body": "Add LDAP support (RFC 4511) to s_client (\u0022-starttls ldap\u0022)\n\nBased on initial patch by Alex Bergmann \u003calex@linlab.net\u003e and new function\nldap_ExtendedResponse_parse() by Andy Polyakov \u003cappro@openssl.org\u003e. Thanks\nvery much to both.\n\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\nReviewed-by: Andy Polyakov \u003cappro@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/2293)\n"
,
"diff": "diff --git a/apps/s_client.c b/apps/s_client.c\nindex 6e790cf..351b5b9 100644\n--- a/apps/s_client.c\n+++ b/apps/s_client.c\n@@ -96,6 +96,7 @@ static void print_stuff(BIO *berr, SSL *con, int full);\n #ifndef OPENSSL_NO_OCSP\n static int ocsp_resp_cb(SSL *s, void *arg);\n #endif\n+static int ldap_ExtendedResponse_parse(const char *buf, long rem);\n \n static int saved_errno;\n \n@@ -748,7 +749,8 @@ typedef enum PROTOCOL_choice {\n PROTO_POSTGRES,\n PROTO_LMTP,\n PROTO_NNTP,\n- PROTO_SIEVE\n+ PROTO_SIEVE,\n+ PROTO_LDAP\n } PROTOCOL_CHOICE;\n \n static const OPT_PAIR services[] \u003d {\n@@ -764,6 +766,7 @@ static const OPT_PAIR services[] \u003d {\n {\u0022lmtp\u0022, PROTO_LMTP},\n {\u0022nntp\u0022, PROTO_NNTP},\n {\u0022sieve\u0022, PROTO_SIEVE},\n+ {\u0022ldap\u0022, PROTO_LDAP},\n {NULL, 0}\n };\n \n@@ -2281,6 +2284,75 @@ int s_client_main(int argc, char **argv)\n }\n }\n break;\n+ case PROTO_LDAP:\n+ {\n+ /* StartTLS Operation according to RFC 4511 */\n+ static char ldap_tls_genconf[] \u003d \u0022asn1\u003dSEQUENCE:LDAPMessage\u005cn\u0022\n+ \u0022[LDAPMessage]\u005cn\u0022\n+ \u0022messageID\u003dINTEGER:1\u005cn\u0022\n+ \u0022extendedReq\u003dEXPLICIT:23A,IMPLICIT:0C,\u0022\n+ \u0022FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\u005cn\u0022;\n+ long errline \u003d -1;\n+ char *genstr \u003d NULL;\n+ int result \u003d -1;\n+ ASN1_TYPE *atyp \u003d NULL;\n+ BIO *ldapbio \u003d BIO_new(BIO_s_mem());\n+ CONF *cnf \u003d NCONF_new(NULL);\n+\n+ if (cnf \u003d\u003d NULL) {\n+ BIO_free(ldapbio);\n+ goto end;\n+ }\n+ BIO_puts(ldapbio, ldap_tls_genconf);\n+ if (NCONF_load_bio(cnf, ldapbio, \u0026errline) \u003c\u003d 0) {\n+ BIO_free(ldapbio);\n+ NCONF_free(cnf);\n+ if (errline \u003c\u003d 0) {\n+ BIO_printf(bio_err, \u0022NCONF_load_bio failed\u005cn\u0022);\n+ goto end;\n+ } else {\n+ BIO_printf(bio_err, \u0022Error on line %ld\u005cn\u0022, errline);\n+ goto end;\n+ }\n+ }\n+ BIO_free(ldapbio);\n+ genstr \u003d NCONF_get_string(cnf, \u0022default\u0022, 
\u0022asn1\u0022);\n+ if (genstr \u003d\u003d NULL) {\n+ NCONF_free(cnf);\n+ BIO_printf(bio_err, \u0022NCONF_get_string failed\u005cn\u0022);\n+ goto end;\n+ }\n+ atyp \u003d ASN1_generate_nconf(genstr, cnf);\n+ if (atyp \u003d\u003d NULL) {\n+ NCONF_free(cnf);\n+ BIO_printf(bio_err, \u0022ASN1_generate_nconf failed\u005cn\u0022);\n+ goto end;\n+ }\n+ NCONF_free(cnf);\n+\n+ /* Send SSLRequest packet */\n+ BIO_write(sbio, atyp-\u003evalue.sequence-\u003edata,\n+ atyp-\u003evalue.sequence-\u003elength);\n+ (void)BIO_flush(sbio);\n+ ASN1_TYPE_free(atyp);\n+\n+ mbuf_len \u003d BIO_read(sbio, mbuf, BUFSIZZ);\n+ if (mbuf_len \u003c 0) {\n+ BIO_printf(bio_err, \u0022BIO_read failed\u005cn\u0022);\n+ goto end;\n+ }\n+ result \u003d ldap_ExtendedResponse_parse(mbuf, mbuf_len);\n+ if (result \u003c 0) {\n+ BIO_printf(bio_err, \u0022ldap_ExtendedResponse_parse failed\u005cn\u0022);\n+ goto shut;\n+ } else if (result \u003e 0) {\n+ BIO_printf(bio_err, \u0022STARTTLS failed, LDAP Result Code: %i\u005cn\u0022,\n+ result);\n+ goto shut;\n+ }\n+ mbuf_len \u003d 0;\n+ }\n+ break;\n }\n \n for (;;) {\n@@ -2920,4 +2992,86 @@ static int ocsp_resp_cb(SSL *s, void *arg)\n }\n # endif\n \n+static int ldap_ExtendedResponse_parse(const char *buf, long rem)\n+{\n+ const unsigned char *cur, *end;\n+ long len;\n+ int tag, xclass, inf, ret \u003d -1;\n+\n+ cur \u003d (const unsigned char *)buf;\n+ end \u003d cur + rem;\n+\n+ /*\n+ * From RFC 4511:\n+ *\n+ * LDAPMessage ::\u003d SEQUENCE {\n+ * messageID MessageID,\n+ * protocolOp CHOICE {\n+ * ...\n+ * extendedResp ExtendedResponse,\n+ * ... },\n+ * controls [0] Controls OPTIONAL }\n+ *\n+ * ExtendedResponse ::\u003d [APPLICATION 24] SEQUENCE {\n+ * COMPONENTS OF LDAPResult,\n+ * responseName [10] LDAPOID OPTIONAL,\n+ * responseValue [11] OCTET STRING OPTIONAL }\n+ *\n+ * LDAPResult ::\u003d SEQUENCE {\n+ * resultCode ENUMERATED {\n+ * success (0),\n+ * ...\n+ * other (80),\n+ * ... 
},\n+ * matchedDN LDAPDN,\n+ * diagnosticMessage LDAPString,\n+ * referral [3] Referral OPTIONAL }\n+ */\n+\n+ /* pull SEQUENCE */\n+ inf \u003d ASN1_get_object(\u0026cur, \u0026len, \u0026tag, \u0026xclass, rem);\n+ if (inf !\u003d V_ASN1_CONSTRUCTED || tag !\u003d V_ASN1_SEQUENCE ||\n+ (rem \u003d end - cur, len \u003e rem)) {\n+ BIO_printf(bio_err, \u0022Unexpected LDAP response\u005cn\u0022);\n+ goto end;\n+ }\n+\n+ /* pull MessageID */\n+ inf \u003d ASN1_get_object(\u0026cur, \u0026len, \u0026tag, \u0026xclass, rem);\n+ if (inf !\u003d V_ASN1_UNIVERSAL || tag !\u003d V_ASN1_INTEGER ||\n+ (rem \u003d end - cur, len \u003e rem)) {\n+ BIO_printf(bio_err, \u0022No MessageID\u005cn\u0022);\n+ goto end;\n+ }\n+\n+ cur +\u003d len; /* shall we check for MessageId match or just skip? */\n+\n+ /* pull [APPLICATION 24] */\n+ rem \u003d end - cur;\n+ inf \u003d ASN1_get_object(\u0026cur, \u0026len, \u0026tag, \u0026xclass, rem);\n+ if (inf !\u003d V_ASN1_CONSTRUCTED || xclass !\u003d V_ASN1_APPLICATION ||\n+ tag !\u003d 24) {\n+ BIO_printf(bio_err, \u0022Not ExtendedResponse\u005cn\u0022);\n+ goto end;\n+ }\n+\n+ /* pull resultCode */\n+ rem \u003d end - cur;\n+ inf \u003d ASN1_get_object(\u0026cur, \u0026len, \u0026tag, \u0026xclass, rem);\n+ if (inf !\u003d V_ASN1_UNIVERSAL || tag !\u003d V_ASN1_ENUMERATED || len \u003d\u003d 0 ||\n+ (rem \u003d end - cur, len \u003e rem)) {\n+ BIO_printf(bio_err, \u0022Not LDAPResult\u005cn\u0022);\n+ goto end;\n+ }\n+\n+ /* len should always be one, but just in case... */\n+ for (ret \u003d 0, inf \u003d 0; inf \u003c len; inf++) {\n+ ret \u003c\u003c\u003d 8;\n+ ret |\u003d cur[inf];\n+ }\n+ /* There is more data, but we don't care... 
*/\n+ end:\n+ return ret;\n+}\n+\n #endif /* OPENSSL_NO_SOCK */\ndiff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod\nindex 290b515..0c9329d 100644\n--- a/doc/man1/s_client.pod\n+++ b/doc/man1/s_client.pod\n@@ -445,7 +445,7 @@ command for more information.\n send the protocol-specific message(s) to switch to TLS for communication.\n B\u003cprotocol\u003e is a keyword for the intended protocol. Currently, the only\n supported keywords are \u0022smtp\u0022, \u0022pop3\u0022, \u0022imap\u0022, \u0022ftp\u0022, \u0022xmpp\u0022, \u0022xmpp-server\u0022,\n-\u0022irc\u0022, \u0022postgres\u0022, \u0022lmtp\u0022, \u0022nntp\u0022 and \u0022sieve\u0022.\n+\u0022irc\u0022, \u0022postgres\u0022, \u0022lmtp\u0022, \u0022nntp\u0022, \u0022sieve\u0022 and \u0022ldap\u0022.\n \n \u003ditem B\u003c-xmpphost hostname\u003e\n \n","s":{"c":1749528939,"u": 32454}}
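Review bot: The resultCode loop at the end of ldap_ExtendedResponse_parse() folds `len` content octets into the signed `int ret`, but `len` is bounded only by the bytes left in the buffer. An ENUMERATED of `sizeof(int)` octets or more shifts bits out of `ret`, which is undefined behaviour for a signed left shift and in practice can leave `ret` at 0 or negative. The PROTO_LDAP case treats 0 as success and continues, so an over-long non-success result code may be taken as success or misreported as a parse failure. Bounding the length in the existing check avoids this: `if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 || len >= (long)sizeof(ret) ||`. Separately, the comment `/* Send SSLRequest packet */` in the PROTO_LDAP case looks carried over from another protocol; `/* Send StartTLS extended request */` would match what is written to `sbio`.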
],"g": 34713,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}