On Thu, Oct 24, 2019 at 02:06:47PM +0200, Martijn van Duren wrote:
> On 10/24/19 1:50 PM, Robert Klein wrote:
> > Hi,
> >
> >
> >
> > On Thu, 24 Oct 2019 05:26:49 +0200,
> > Predrag Punosevac wrote:
> >>
> >> Kapetanakis Giannis wrote:
> >>
> >>> On 23/10/2019 19:14, Predrag Punosevac wrote:
> >>>> Hi Misc,
> >>>>
> >>>> I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
> >>>> authentication services for a 100 some member university research group.
> >>>> It appears TLS handshake is broken. This worked perfectly on 6.5 and
> >>>> earlier.
> >>>>
> >
> > [ rest deleted ]
> >
> >> I am out of fuel to look more this tonight but I am 99% sure something
> >> have changed on 6.6 which broke the things. Maybe my configuration was
> >> wrong all along and in 6.6 few screws got tighten up which bit me for my
> >> rear end. I would appreciate any further commend or suggestions how to
> >> debug this. I would also appreciate any reports of fully working ldapd
> >> on 6.6 release
> >>
> >> Best,
> >> Predrag
> >>
> >
> > This is related to commit “Make sure that ber in ber_scanf_elements is
> > not NULL before parsing format” (martijn@) and caused by the scan string
> > used by ber_scanf_elements on line 310 in ldape.c
>
> Thanks for looking into this. I didn't found the time yet.
> >
> > Regarding the commit, see also emails with subject “ber.c: Don't
> > continue on nonexistent ber” to tech@ on August, 13.
> >
> > When you set scan string for ber_scanf_elements in line 310 of ldape.c
> > from "{se" to "{s" it works again. Patch below.
> >
> > When you look at the ldap_extended function on ldape.c, you see ext_val
> > is assigned to req_op in line 314. The only use could happen in the
> > extended_ops[i]fn(req) call in line 318. This currently can only be a
> > call to ldap_starttls (beginning at line 285, same file) which doesn't
> > use req_op either. So it the `e' shouldn't matter.
> >
> > At a guess, this also conforms to RFC4511, section 4.14.1.
>
> Glancing over the RFC seems that you are correct.
> >
> > If ldap_extended is extended to handle other operations than starttls,
> > care must be taken for an optional additional octet string in the
> > request (see definition of extended request in RFC4511, section 4.12).
>
> Diff below should handle this. Also, you forgot to remove the ext_val.
> >
> >
> > Best regards
> > Robert
> >
> martijn@
>
> Index: ldape.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
> retrieving revision 1.31
> diff -u -p -r1.31 ldape.c
> --- ldape.c 28 Jun 2019 13:32:48 -0000 1.31
> +++ ldape.c 24 Oct 2019 12:05:19 -0000
> @@ -298,7 +298,6 @@ ldap_extended(struct request *req)
> {
> int i, rc = LDAP_PROTOCOL_ERROR;
> char *oid = NULL;
> - struct ber_element *ext_val = NULL;
> struct {
> const char *oid;
> int (*fn)(struct request *);
> @@ -307,11 +306,11 @@ ldap_extended(struct request *req)
> { NULL }
> };
>
> - if (ber_scanf_elements(req->op, "{se", &oid, &ext_val) != 0)
> + if (ber_scanf_elements(req->op, "{s", &oid) != 0)
> goto done;
>
> log_debug("got extended operation %s", oid);
> - req->op = ext_val;
> + req->op = req->op->be_sub->be_next;
>
> for (i = 0; extended_ops[i].oid != NULL; i++) {
> if (strcmp(oid, extended_ops[i].oid) == 0) {
OK claudio@
--
:wq Claudio
