From d5205c74cfe8a66cf4fa176b86a249e5f55c8501 Mon Sep 17 00:00:00 2001
From: lanrenwo
Date: Thu, 12 Jan 2023 10:09:33 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E5=85=BC=E5=AE=B9=E7=BE=A4=E6=99=96LDAP=20?= =?UTF-8?q?Server=E7=9A=84=E5=81=9C=E7=94=A8=E8=B4=A6=E5=8F=B7=E5=8A=9F?= =?UTF-8?q?=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/dbdata/userauth_ldap.go | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/server/dbdata/userauth_ldap.go b/server/dbdata/userauth_ldap.go
index 1ade05f..9d25783 100644
--- a/server/dbdata/userauth_ldap.go
+++ b/server/dbdata/userauth_ldap.go
@@ -8,6 +8,7 @@ import (
 "net"
 "reflect"
 "regexp"
+ "strconv"
 "time"
 "github.com/go-ldap/ldap"
@@ -117,6 +118,10 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
 }
 return fmt.Errorf("LDAP发现 %s 用户,存在多个账号", name)
 }
+ err = parseEntries(sr)
+ if err != nil {
+ return fmt.Errorf("LDAP %s 用户 %s", name, err.Error())
+ }
 userDN := sr.Entries[0].DN
 err = l.Bind(userDN, pwd)
 if err != nil {
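Review bot: The new `parseEntries(sr)` call in checkUser runs before `l.Bind(userDN, pwd)`, so an account's disabled or expired status (including the expiry date) is reported to a caller who has not yet proven knowledge of the password. If this error text reaches the client, which cannot be seen from here because the return path is outside the hunk, it tells an unauthenticated party which accounts exist and what state they are in. Consider moving `if err = parseEntries(sr); err != nil { ... }` to after the Bind error check, or returning the same generic failure as a wrong password and logging the detail server-side only. checkUser's body starts and ends outside the hunk.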
@@ -125,6 +130,32 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
 return nil
 }
+func parseEntries(sr *ldap.SearchResult) error {
+ for _, attr := range sr.Entries[0].Attributes {
+ switch attr.Name {
+ case "shadowExpire":
+ // -1 启用, 1 停用, >1 从1970-01-01至到期日的天数
+ val, _ := strconv.ParseInt(attr.Values[0], 10, 64)
+ if val == -1 {
+ return nil
+ }
+ if val == 1 {
+ return fmt.Errorf("账号已停用")
+ }
+ if val > 1 {
+ expireTime := time.Unix(val*86400, 0)
+ t := time.Date(expireTime.Year(), expireTime.Month(), expireTime.Day(), 23, 59, 59, 0, time.Local)
+ if t.Before(time.Now()) {
+ return fmt.Errorf("账号已过期(过期日期: %s)", t.Format("2006-01-02"))
+ }
+ return nil
+ }
+ return fmt.Errorf("账号shadowExpire值异常: %d", val)
+ }
+ }
+ return nil
+}
+
 func ValidateDomainPort(addr string) bool {
 re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
 return re.MatchString(addr)
From 710cfe4244a5991f290d24b1ea4a052738865531 Mon Sep 17 00:00:00 2001
From: lanrenwo
Date: Thu, 12 Jan 2023 10:25:07 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E4=BF=AE=E5=A4=8DsniNewParser=E5=88=87?= =?UTF-8?q?=E7=89=87=E8=B6=8A=E7=95=8C=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/handler/payload_tcp_parser.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/handler/payload_tcp_parser.go b/server/handler/payload_tcp_parser.go
index cd0e581..6d3c4cc 100644
--- a/server/handler/payload_tcp_parser.go
+++ b/server/handler/payload_tcp_parser.go
@@ -56,7 +56,7 @@ func sniNewParser(b []byte) (uint8, string) {
 sessionIDLength := int(rest[current])
 current += 1
 current += sessionIDLength
- if current >= restLen {
+ if current+1 >= restLen {
 return acc_proto_https, ""
 }
 cipherSuiteLength := (int(rest[current]) << 8) + int(rest[current+1])
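Review bot: In parseEntries, `attr.Values[0]` is indexed without a length check and the `strconv.ParseInt` error is discarded, so a `shadowExpire` attribute returned with no values panics inside the login path, and a non-numeric value is reported as the misleading value 0. Guard with `if len(attr.Values) == 0 { return fmt.Errorf("账号shadowExpire值异常") }` and use `val, err := strconv.ParseInt(attr.Values[0], 10, 64)`, returning a parse error instead of ignoring it. The function also returns nil when no `shadowExpire` attribute is present, so the disabled-account check only takes effect if the search in checkUser requests that attribute and the bind account is allowed to read it. That search request is outside this diff, so it should be confirmed and the dependency stated in a doc comment on parseEntries.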
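Review bot: The `current+1 >= restLen` guard in sniNewParser now covers both bytes read by `rest[current]` and `rest[current+1]`, but nothing at the site says why the `+1` is needed. A short comment such as `// the two-byte cipher suite length needs rest[current] and rest[current+1]` would keep the bound from being simplified back to the old form. The rest of the function is outside the hunk; any other two-byte length read there needs the same bound, and a test feeding a ClientHello truncated right after the session ID would pin this fix.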