From b633efae696b25a44a92be30f591d1e4f511512e Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Mon, 26 Dec 2022 16:10:31 +0100
Subject: [PATCH] make starttls_ldap_dialog() more readable...
... add references + better debugging output
---
 testssl.sh | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index d0a952c..003a7e2 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -11422,10 +11422,13 @@ starttls_postgres_dialog() {
 }
-# RFC 2830
+# RFC 2830, RFC 4511
+#
 starttls_ldap_dialog() {
 local debugpad=" > "
 local -i ret=0
+ local msg_lenstr=""
+ local -i msg_len=0
 local result=""
 local starttls_init=", x30, x1d, x02, x01, # LDAP extendedReq
@@ -11436,17 +11439,31 @@ starttls_ldap_dialog() {
 debugme echo "=== starting LDAP STARTTLS dialog ==="
 socksend "${starttls_init}" 0 && debugme echo "${debugpad}initiated STARTTLS" && result=$(sockread_fast 256)
- [[ $DEBUG -ge 6 ]] && safe_echo "$debugpad $result\n"
+ [[ $DEBUG -ge 4 ]] && safe_echo "$debugpad $result\n"
 # response is typically 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
 # ^^ == success! [9] is checked below
- if [[ ${result:18:2} == 00 ]]; then
- ret=0
- elif [[ ${result:18:2} == 01 ]]; then
- ret=1
- else
- ret=127
- fi
+ #
+ # definitions in https://git.openldap.org/openldap/openldap/-/blob/master/include/ldap.h
+ case "${result:18:2}" in
+ 00) ret=0 ;;
+ # "success"
+ 01) ret=1
+ ;;
+ 02) ret=2
+ # normally: unsupported extended operation (~ STARTTLS not supported)
+ if [[ $DEBUG -ge 2 ]]; then
+ msg_lenstr=$(hex2dec ${result:26:02})
+ msg_len=$((2 * msg_lenstr))
+ echo "$debugpad $(hex2binary "${result:28:$msg_len}")"
+ fi ;;
+ *)
+ ret=127
+ if [[ $DEBUG -ge 2 ]]; then
+ echo "$debugpad $(hex2dec "${result:28:2}")"
+ fi ;;
+ esac
 debugme echo "=== finished LDAP STARTTLS dialog with ${ret} ==="
 return $ret
 }
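Review bot: In the `02)` arm the decoded diagnosticMessage — bytes supplied by the remote LDAP server via `sockread_fast` — is written to the terminal with a bare `echo`, whereas the raw hex dump earlier in the hunk goes through `safe_echo`; any control or escape sequences in that field would reach the user's terminal unfiltered whenever `$DEBUG` is 2 or higher. Restricting the decoded text to printable characters before printing, e.g. `echo "$debugpad $(hex2binary "${result:28:$msg_len}" | tr -cd '[:print:]')"`, keeps the debugging aid without trusting the peer's bytes. On the preceding line, `msg_lenstr=$(hex2dec ${result:26:02})` leaves the expansion unquoted (the `*)` arm quotes its `"${result:28:2}"`) and assumes a one-octet BER length at a fixed offset; a long-form length octet or a response shorter than 28 hex digits would yield a wrong or empty `msg_len`, which the substring expansion then truncates silently rather than reporting. `ret=2` also changes the status returned for result code 02 from the former 127, so any caller that compares against 127 sees a behavioural change the commit message does not mention.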