ldap.c 29 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if !defined(CURL_DISABLE_LDAP) && !defined(USE_OPENLDAP)
  26. /*
  27. * Notice that USE_OPENLDAP is only a source code selection switch. When
  28. * libcurl is built with USE_OPENLDAP defined the libcurl source code that
  29. * gets compiled is the code from openldap.c, otherwise the code that gets
  30. * compiled is the code from ldap.c.
  31. *
  32. * When USE_OPENLDAP is defined a recent version of the OpenLDAP library
  33. * might be required for compilation and runtime. In order to use ancient
  34. * OpenLDAP library versions, USE_OPENLDAP shall not be defined.
  35. */
  36. /* Wincrypt must be included before anything that could include OpenSSL. */
  37. #if defined(USE_WIN32_CRYPTO)
  38. #include <wincrypt.h>
  39. /* Undefine wincrypt conflicting symbols for BoringSSL. */
  40. #undef X509_NAME
  41. #undef X509_EXTENSIONS
  42. #undef PKCS7_ISSUER_AND_SERIAL
  43. #undef PKCS7_SIGNER_INFO
  44. #undef OCSP_REQUEST
  45. #undef OCSP_RESPONSE
  46. #endif
  47. #ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */
  48. # ifdef _MSC_VER
  49. # pragma warning(push)
  50. # pragma warning(disable: 4201)
  51. # endif
  52. # include <subauth.h> /* for [P]UNICODE_STRING */
  53. # ifdef _MSC_VER
  54. # pragma warning(pop)
  55. # endif
  56. # include <winldap.h>
  57. # ifndef LDAP_VENDOR_NAME
  58. # error Your Platform SDK is NOT sufficient for LDAP support! \
  59. Update your Platform SDK, or disable LDAP support!
  60. # else
  61. # include <winber.h>
  62. # endif
  63. #else
  64. # define LDAP_DEPRECATED 1 /* Be sure ldap_init() is defined. */
  65. # ifdef HAVE_LBER_H
  66. # include <lber.h>
  67. # endif
  68. # include <ldap.h>
  69. # if (defined(HAVE_LDAP_SSL) && defined(HAVE_LDAP_SSL_H))
  70. # include <ldap_ssl.h>
  71. # endif /* HAVE_LDAP_SSL && HAVE_LDAP_SSL_H */
  72. #endif
  73. #include "urldata.h"
  74. #include <curl/curl.h>
  75. #include "sendf.h"
  76. #include "escape.h"
  77. #include "progress.h"
  78. #include "transfer.h"
  79. #include "strcase.h"
  80. #include "strtok.h"
  81. #include "curl_ldap.h"
  82. #include "curl_multibyte.h"
  83. #include "curl_base64.h"
  84. #include "connect.h"
  85. /* The last 3 #include files should be in this order */
  86. #include "curl_printf.h"
  87. #include "curl_memory.h"
  88. #include "memdebug.h"
  89. #ifndef HAVE_LDAP_URL_PARSE
  90. /* Use our own implementation. */
  91. struct ldap_urldesc {
  92. char *lud_host;
  93. int lud_port;
  94. #if defined(USE_WIN32_LDAP)
  95. TCHAR *lud_dn;
  96. TCHAR **lud_attrs;
  97. #else
  98. char *lud_dn;
  99. char **lud_attrs;
  100. #endif
  101. int lud_scope;
  102. #if defined(USE_WIN32_LDAP)
  103. TCHAR *lud_filter;
  104. #else
  105. char *lud_filter;
  106. #endif
  107. char **lud_exts;
  108. size_t lud_attrs_dups; /* how many were dup'ed, this field is not in the
  109. "real" struct so can only be used in code
  110. without HAVE_LDAP_URL_PARSE defined */
  111. };
  112. #undef LDAPURLDesc
  113. #define LDAPURLDesc struct ldap_urldesc
  114. static int _ldap_url_parse(struct Curl_easy *data,
  115. const struct connectdata *conn,
  116. LDAPURLDesc **ludp);
  117. static void _ldap_free_urldesc(LDAPURLDesc *ludp);
  118. #undef ldap_free_urldesc
  119. #define ldap_free_urldesc _ldap_free_urldesc
  120. #endif
  121. #ifdef DEBUG_LDAP
  122. #define LDAP_TRACE(x) do { \
  123. _ldap_trace("%u: ", __LINE__); \
  124. _ldap_trace x; \
  125. } while(0)
  126. static void _ldap_trace(const char *fmt, ...) CURL_PRINTF(1, 2);
  127. #else
  128. #define LDAP_TRACE(x) Curl_nop_stmt
  129. #endif
  130. #if defined(USE_WIN32_LDAP) && defined(ldap_err2string)
  131. /* Use ansi error strings in UNICODE builds */
  132. #undef ldap_err2string
  133. #define ldap_err2string ldap_err2stringA
  134. #endif
  135. #if defined(USE_WIN32_LDAP) && defined(_MSC_VER) && (_MSC_VER <= 1600)
  136. /* Workaround for warning:
  137. 'type cast' : conversion from 'int' to 'void *' of greater size */
  138. #undef LDAP_OPT_ON
  139. #undef LDAP_OPT_OFF
  140. #define LDAP_OPT_ON ((void *)(size_t)1)
  141. #define LDAP_OPT_OFF ((void *)(size_t)0)
  142. #endif
  143. static CURLcode ldap_do(struct Curl_easy *data, bool *done);
  144. /*
  145. * LDAP protocol handler.
  146. */
  147. const struct Curl_handler Curl_handler_ldap = {
  148. "ldap", /* scheme */
  149. ZERO_NULL, /* setup_connection */
  150. ldap_do, /* do_it */
  151. ZERO_NULL, /* done */
  152. ZERO_NULL, /* do_more */
  153. ZERO_NULL, /* connect_it */
  154. ZERO_NULL, /* connecting */
  155. ZERO_NULL, /* doing */
  156. ZERO_NULL, /* proto_getsock */
  157. ZERO_NULL, /* doing_getsock */
  158. ZERO_NULL, /* domore_getsock */
  159. ZERO_NULL, /* perform_getsock */
  160. ZERO_NULL, /* disconnect */
  161. ZERO_NULL, /* write_resp */
  162. ZERO_NULL, /* write_resp_hd */
  163. ZERO_NULL, /* connection_check */
  164. ZERO_NULL, /* attach connection */
  165. PORT_LDAP, /* defport */
  166. CURLPROTO_LDAP, /* protocol */
  167. CURLPROTO_LDAP, /* family */
  168. PROTOPT_NONE /* flags */
  169. };
  170. #ifdef HAVE_LDAP_SSL
  171. /*
  172. * LDAPS protocol handler.
  173. */
  174. const struct Curl_handler Curl_handler_ldaps = {
  175. "ldaps", /* scheme */
  176. ZERO_NULL, /* setup_connection */
  177. ldap_do, /* do_it */
  178. ZERO_NULL, /* done */
  179. ZERO_NULL, /* do_more */
  180. ZERO_NULL, /* connect_it */
  181. ZERO_NULL, /* connecting */
  182. ZERO_NULL, /* doing */
  183. ZERO_NULL, /* proto_getsock */
  184. ZERO_NULL, /* doing_getsock */
  185. ZERO_NULL, /* domore_getsock */
  186. ZERO_NULL, /* perform_getsock */
  187. ZERO_NULL, /* disconnect */
  188. ZERO_NULL, /* write_resp */
  189. ZERO_NULL, /* write_resp_hd */
  190. ZERO_NULL, /* connection_check */
  191. ZERO_NULL, /* attach connection */
  192. PORT_LDAPS, /* defport */
  193. CURLPROTO_LDAPS, /* protocol */
  194. CURLPROTO_LDAP, /* family */
  195. PROTOPT_SSL /* flags */
  196. };
  197. #endif
  198. #if defined(USE_WIN32_LDAP)
  199. #if defined(USE_WINDOWS_SSPI)
  200. static int ldap_win_bind_auth(LDAP *server, const char *user,
  201. const char *passwd, unsigned long authflags)
  202. {
  203. ULONG method = 0;
  204. SEC_WINNT_AUTH_IDENTITY cred;
  205. int rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
  206. memset(&cred, 0, sizeof(cred));
  207. #if defined(USE_SPNEGO)
  208. if(authflags & CURLAUTH_NEGOTIATE) {
  209. method = LDAP_AUTH_NEGOTIATE;
  210. }
  211. else
  212. #endif
  213. #if defined(USE_NTLM)
  214. if(authflags & CURLAUTH_NTLM) {
  215. method = LDAP_AUTH_NTLM;
  216. }
  217. else
  218. #endif
  219. #if !defined(CURL_DISABLE_DIGEST_AUTH)
  220. if(authflags & CURLAUTH_DIGEST) {
  221. method = LDAP_AUTH_DIGEST;
  222. }
  223. else
  224. #endif
  225. {
  226. /* required anyway if one of upper preprocessor definitions enabled */
  227. }
  228. if(method && user && passwd) {
  229. rc = Curl_create_sspi_identity(user, passwd, &cred);
  230. if(!rc) {
  231. rc = ldap_bind_s(server, NULL, (TCHAR *)&cred, method);
  232. Curl_sspi_free_identity(&cred);
  233. }
  234. }
  235. else {
  236. /* proceed with current user credentials */
  237. method = LDAP_AUTH_NEGOTIATE;
  238. rc = ldap_bind_s(server, NULL, NULL, method);
  239. }
  240. return rc;
  241. }
  242. #endif /* #if defined(USE_WINDOWS_SSPI) */
  243. static int ldap_win_bind(struct Curl_easy *data, LDAP *server,
  244. const char *user, const char *passwd)
  245. {
  246. int rc = LDAP_INVALID_CREDENTIALS;
  247. PTCHAR inuser = NULL;
  248. PTCHAR inpass = NULL;
  249. if(user && passwd && (data->set.httpauth & CURLAUTH_BASIC)) {
  250. inuser = curlx_convert_UTF8_to_tchar((char *) user);
  251. inpass = curlx_convert_UTF8_to_tchar((char *) passwd);
  252. rc = ldap_simple_bind_s(server, inuser, inpass);
  253. curlx_unicodefree(inuser);
  254. curlx_unicodefree(inpass);
  255. }
  256. #if defined(USE_WINDOWS_SSPI)
  257. else {
  258. rc = ldap_win_bind_auth(server, user, passwd, data->set.httpauth);
  259. }
  260. #endif
  261. return rc;
  262. }
  263. #endif /* #if defined(USE_WIN32_LDAP) */
  264. #if defined(USE_WIN32_LDAP)
  265. #define FREE_ON_WINLDAP(x) curlx_unicodefree(x)
  266. #else
  267. #define FREE_ON_WINLDAP(x)
  268. #endif
  269. static CURLcode ldap_do(struct Curl_easy *data, bool *done)
  270. {
  271. CURLcode result = CURLE_OK;
  272. int rc = 0;
  273. LDAP *server = NULL;
  274. LDAPURLDesc *ludp = NULL;
  275. LDAPMessage *ldapmsg = NULL;
  276. LDAPMessage *entryIterator;
  277. int num = 0;
  278. struct connectdata *conn = data->conn;
  279. int ldap_proto = LDAP_VERSION3;
  280. int ldap_ssl = 0;
  281. char *val_b64 = NULL;
  282. size_t val_b64_sz = 0;
  283. #ifdef LDAP_OPT_NETWORK_TIMEOUT
  284. struct timeval ldap_timeout = {10, 0}; /* 10 sec connection/search timeout */
  285. #endif
  286. #if defined(USE_WIN32_LDAP)
  287. TCHAR *host = NULL;
  288. #else
  289. char *host = NULL;
  290. #endif
  291. char *user = NULL;
  292. char *passwd = NULL;
  293. *done = TRUE; /* unconditionally */
  294. infof(data, "LDAP local: LDAP Vendor = %s ; LDAP Version = %d",
  295. LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION);
  296. infof(data, "LDAP local: %s", data->state.url);
  297. #ifdef HAVE_LDAP_URL_PARSE
  298. rc = ldap_url_parse(data->state.url, &ludp);
  299. #else
  300. rc = _ldap_url_parse(data, conn, &ludp);
  301. #endif
  302. if(rc) {
  303. failf(data, "Bad LDAP URL: %s", ldap_err2string(rc));
  304. result = CURLE_URL_MALFORMAT;
  305. goto quit;
  306. }
  307. /* Get the URL scheme (either ldap or ldaps) */
  308. if(conn->given->flags & PROTOPT_SSL)
  309. ldap_ssl = 1;
  310. infof(data, "LDAP local: trying to establish %s connection",
  311. ldap_ssl ? "encrypted" : "cleartext");
  312. #if defined(USE_WIN32_LDAP)
  313. host = curlx_convert_UTF8_to_tchar(conn->host.name);
  314. if(!host) {
  315. result = CURLE_OUT_OF_MEMORY;
  316. goto quit;
  317. }
  318. #else
  319. host = conn->host.name;
  320. #endif
  321. if(data->state.aptr.user) {
  322. user = conn->user;
  323. passwd = conn->passwd;
  324. }
  325. #ifdef LDAP_OPT_NETWORK_TIMEOUT
  326. ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout);
  327. #endif
  328. ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
  329. if(ldap_ssl) {
  330. #ifdef HAVE_LDAP_SSL
  331. #ifdef USE_WIN32_LDAP
  332. /* Win32 LDAP SDK doesn't support insecure mode without CA! */
  333. server = ldap_sslinit(host, conn->primary.remote_port, 1);
  334. ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
  335. #else
  336. int ldap_option;
  337. char *ldap_ca = conn->ssl_config.CAfile;
  338. #if defined(CURL_HAS_NOVELL_LDAPSDK)
  339. rc = ldapssl_client_init(NULL, NULL);
  340. if(rc != LDAP_SUCCESS) {
  341. failf(data, "LDAP local: ldapssl_client_init %s", ldap_err2string(rc));
  342. result = CURLE_SSL_CERTPROBLEM;
  343. goto quit;
  344. }
  345. if(conn->ssl_config.verifypeer) {
  346. /* Novell SDK supports DER or BASE64 files. */
  347. int cert_type = LDAPSSL_CERT_FILETYPE_B64;
  348. if((data->set.ssl.cert_type) &&
  349. (strcasecompare(data->set.ssl.cert_type, "DER")))
  350. cert_type = LDAPSSL_CERT_FILETYPE_DER;
  351. if(!ldap_ca) {
  352. failf(data, "LDAP local: ERROR %s CA cert not set",
  353. (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"));
  354. result = CURLE_SSL_CERTPROBLEM;
  355. goto quit;
  356. }
  357. infof(data, "LDAP local: using %s CA cert '%s'",
  358. (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"),
  359. ldap_ca);
  360. rc = ldapssl_add_trusted_cert(ldap_ca, cert_type);
  361. if(rc != LDAP_SUCCESS) {
  362. failf(data, "LDAP local: ERROR setting %s CA cert: %s",
  363. (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM"),
  364. ldap_err2string(rc));
  365. result = CURLE_SSL_CERTPROBLEM;
  366. goto quit;
  367. }
  368. ldap_option = LDAPSSL_VERIFY_SERVER;
  369. }
  370. else
  371. ldap_option = LDAPSSL_VERIFY_NONE;
  372. rc = ldapssl_set_verify_mode(ldap_option);
  373. if(rc != LDAP_SUCCESS) {
  374. failf(data, "LDAP local: ERROR setting cert verify mode: %s",
  375. ldap_err2string(rc));
  376. result = CURLE_SSL_CERTPROBLEM;
  377. goto quit;
  378. }
  379. server = ldapssl_init(host, conn->primary.remote_port, 1);
  380. if(!server) {
  381. failf(data, "LDAP local: Cannot connect to %s:%u",
  382. conn->host.dispname, conn->primary.remote_port);
  383. result = CURLE_COULDNT_CONNECT;
  384. goto quit;
  385. }
  386. #elif defined(LDAP_OPT_X_TLS)
  387. if(conn->ssl_config.verifypeer) {
  388. /* OpenLDAP SDK supports BASE64 files. */
  389. if((data->set.ssl.cert_type) &&
  390. (!strcasecompare(data->set.ssl.cert_type, "PEM"))) {
  391. failf(data, "LDAP local: ERROR OpenLDAP only supports PEM cert-type");
  392. result = CURLE_SSL_CERTPROBLEM;
  393. goto quit;
  394. }
  395. if(!ldap_ca) {
  396. failf(data, "LDAP local: ERROR PEM CA cert not set");
  397. result = CURLE_SSL_CERTPROBLEM;
  398. goto quit;
  399. }
  400. infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca);
  401. rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca);
  402. if(rc != LDAP_SUCCESS) {
  403. failf(data, "LDAP local: ERROR setting PEM CA cert: %s",
  404. ldap_err2string(rc));
  405. result = CURLE_SSL_CERTPROBLEM;
  406. goto quit;
  407. }
  408. ldap_option = LDAP_OPT_X_TLS_DEMAND;
  409. }
  410. else
  411. ldap_option = LDAP_OPT_X_TLS_NEVER;
  412. rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option);
  413. if(rc != LDAP_SUCCESS) {
  414. failf(data, "LDAP local: ERROR setting cert verify mode: %s",
  415. ldap_err2string(rc));
  416. result = CURLE_SSL_CERTPROBLEM;
  417. goto quit;
  418. }
  419. server = ldap_init(host, conn->primary.remote_port);
  420. if(!server) {
  421. failf(data, "LDAP local: Cannot connect to %s:%u",
  422. conn->host.dispname, conn->primary.remote_port);
  423. result = CURLE_COULDNT_CONNECT;
  424. goto quit;
  425. }
  426. ldap_option = LDAP_OPT_X_TLS_HARD;
  427. rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option);
  428. if(rc != LDAP_SUCCESS) {
  429. failf(data, "LDAP local: ERROR setting SSL/TLS mode: %s",
  430. ldap_err2string(rc));
  431. result = CURLE_SSL_CERTPROBLEM;
  432. goto quit;
  433. }
  434. /*
  435. rc = ldap_start_tls_s(server, NULL, NULL);
  436. if(rc != LDAP_SUCCESS) {
  437. failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s",
  438. ldap_err2string(rc));
  439. result = CURLE_SSL_CERTPROBLEM;
  440. goto quit;
  441. }
  442. */
  443. #else
  444. (void)ldap_option;
  445. (void)ldap_ca;
  446. /* we should probably never come up to here since configure
  447. should check in first place if we can support LDAP SSL/TLS */
  448. failf(data, "LDAP local: SSL/TLS not supported with this version "
  449. "of the OpenLDAP toolkit\n");
  450. result = CURLE_SSL_CERTPROBLEM;
  451. goto quit;
  452. #endif
  453. #endif
  454. #endif /* CURL_LDAP_USE_SSL */
  455. }
  456. else if(data->set.use_ssl > CURLUSESSL_TRY) {
  457. failf(data, "LDAP local: explicit TLS not supported");
  458. result = CURLE_NOT_BUILT_IN;
  459. goto quit;
  460. }
  461. else {
  462. server = ldap_init(host, conn->primary.remote_port);
  463. if(!server) {
  464. failf(data, "LDAP local: Cannot connect to %s:%u",
  465. conn->host.dispname, conn->primary.remote_port);
  466. result = CURLE_COULDNT_CONNECT;
  467. goto quit;
  468. }
  469. }
  470. #ifdef USE_WIN32_LDAP
  471. ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
  472. rc = ldap_win_bind(data, server, user, passwd);
  473. #else
  474. rc = ldap_simple_bind_s(server, user, passwd);
  475. #endif
  476. if(!ldap_ssl && rc) {
  477. ldap_proto = LDAP_VERSION2;
  478. ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto);
  479. #ifdef USE_WIN32_LDAP
  480. rc = ldap_win_bind(data, server, user, passwd);
  481. #else
  482. rc = ldap_simple_bind_s(server, user, passwd);
  483. #endif
  484. }
  485. if(rc) {
  486. #ifdef USE_WIN32_LDAP
  487. failf(data, "LDAP local: bind via ldap_win_bind %s",
  488. ldap_err2string(rc));
  489. #else
  490. failf(data, "LDAP local: bind via ldap_simple_bind_s %s",
  491. ldap_err2string(rc));
  492. #endif
  493. result = CURLE_LDAP_CANNOT_BIND;
  494. goto quit;
  495. }
  496. Curl_pgrsSetDownloadCounter(data, 0);
  497. rc = ldap_search_s(server, ludp->lud_dn, ludp->lud_scope,
  498. ludp->lud_filter, ludp->lud_attrs, 0, &ldapmsg);
  499. if(rc && rc != LDAP_SIZELIMIT_EXCEEDED) {
  500. failf(data, "LDAP remote: %s", ldap_err2string(rc));
  501. result = CURLE_LDAP_SEARCH_FAILED;
  502. goto quit;
  503. }
  504. num = 0;
  505. for(entryIterator = ldap_first_entry(server, ldapmsg);
  506. entryIterator;
  507. entryIterator = ldap_next_entry(server, entryIterator), num++) {
  508. BerElement *ber = NULL;
  509. #if defined(USE_WIN32_LDAP)
  510. TCHAR *attribute;
  511. #else
  512. char *attribute;
  513. #endif
  514. int i;
  515. /* Get the DN and write it to the client */
  516. {
  517. char *name;
  518. size_t name_len;
  519. #if defined(USE_WIN32_LDAP)
  520. TCHAR *dn = ldap_get_dn(server, entryIterator);
  521. name = curlx_convert_tchar_to_UTF8(dn);
  522. if(!name) {
  523. ldap_memfree(dn);
  524. result = CURLE_OUT_OF_MEMORY;
  525. goto quit;
  526. }
  527. #else
  528. char *dn = name = ldap_get_dn(server, entryIterator);
  529. #endif
  530. name_len = strlen(name);
  531. result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"DN: ", 4);
  532. if(result) {
  533. FREE_ON_WINLDAP(name);
  534. ldap_memfree(dn);
  535. goto quit;
  536. }
  537. result = Curl_client_write(data, CLIENTWRITE_BODY, name, name_len);
  538. if(result) {
  539. FREE_ON_WINLDAP(name);
  540. ldap_memfree(dn);
  541. goto quit;
  542. }
  543. result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n", 1);
  544. if(result) {
  545. FREE_ON_WINLDAP(name);
  546. ldap_memfree(dn);
  547. goto quit;
  548. }
  549. FREE_ON_WINLDAP(name);
  550. ldap_memfree(dn);
  551. }
  552. /* Get the attributes and write them to the client */
  553. for(attribute = ldap_first_attribute(server, entryIterator, &ber);
  554. attribute;
  555. attribute = ldap_next_attribute(server, entryIterator, ber)) {
  556. BerValue **vals;
  557. size_t attr_len;
  558. #if defined(USE_WIN32_LDAP)
  559. char *attr = curlx_convert_tchar_to_UTF8(attribute);
  560. if(!attr) {
  561. if(ber)
  562. ber_free(ber, 0);
  563. result = CURLE_OUT_OF_MEMORY;
  564. goto quit;
  565. }
  566. #else
  567. char *attr = attribute;
  568. #endif
  569. attr_len = strlen(attr);
  570. vals = ldap_get_values_len(server, entryIterator, attribute);
  571. if(vals) {
  572. for(i = 0; (vals[i] != NULL); i++) {
  573. result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\t", 1);
  574. if(result) {
  575. ldap_value_free_len(vals);
  576. FREE_ON_WINLDAP(attr);
  577. ldap_memfree(attribute);
  578. if(ber)
  579. ber_free(ber, 0);
  580. goto quit;
  581. }
  582. result = Curl_client_write(data, CLIENTWRITE_BODY, attr, attr_len);
  583. if(result) {
  584. ldap_value_free_len(vals);
  585. FREE_ON_WINLDAP(attr);
  586. ldap_memfree(attribute);
  587. if(ber)
  588. ber_free(ber, 0);
  589. goto quit;
  590. }
  591. result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)": ", 2);
  592. if(result) {
  593. ldap_value_free_len(vals);
  594. FREE_ON_WINLDAP(attr);
  595. ldap_memfree(attribute);
  596. if(ber)
  597. ber_free(ber, 0);
  598. goto quit;
  599. }
  600. if((attr_len > 7) &&
  601. (strcmp(";binary", attr + (attr_len - 7)) == 0)) {
  602. /* Binary attribute, encode to base64. */
  603. result = Curl_base64_encode(vals[i]->bv_val, vals[i]->bv_len,
  604. &val_b64, &val_b64_sz);
  605. if(result) {
  606. ldap_value_free_len(vals);
  607. FREE_ON_WINLDAP(attr);
  608. ldap_memfree(attribute);
  609. if(ber)
  610. ber_free(ber, 0);
  611. goto quit;
  612. }
  613. if(val_b64_sz > 0) {
  614. result = Curl_client_write(data, CLIENTWRITE_BODY, val_b64,
  615. val_b64_sz);
  616. free(val_b64);
  617. if(result) {
  618. ldap_value_free_len(vals);
  619. FREE_ON_WINLDAP(attr);
  620. ldap_memfree(attribute);
  621. if(ber)
  622. ber_free(ber, 0);
  623. goto quit;
  624. }
  625. }
  626. }
  627. else {
  628. result = Curl_client_write(data, CLIENTWRITE_BODY, vals[i]->bv_val,
  629. vals[i]->bv_len);
  630. if(result) {
  631. ldap_value_free_len(vals);
  632. FREE_ON_WINLDAP(attr);
  633. ldap_memfree(attribute);
  634. if(ber)
  635. ber_free(ber, 0);
  636. goto quit;
  637. }
  638. }
  639. result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n", 1);
  640. if(result) {
  641. ldap_value_free_len(vals);
  642. FREE_ON_WINLDAP(attr);
  643. ldap_memfree(attribute);
  644. if(ber)
  645. ber_free(ber, 0);
  646. goto quit;
  647. }
  648. }
  649. /* Free memory used to store values */
  650. ldap_value_free_len(vals);
  651. }
  652. /* Free the attribute as we are done with it */
  653. FREE_ON_WINLDAP(attr);
  654. ldap_memfree(attribute);
  655. result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n", 1);
  656. if(result)
  657. goto quit;
  658. }
  659. if(ber)
  660. ber_free(ber, 0);
  661. }
  662. quit:
  663. if(ldapmsg) {
  664. ldap_msgfree(ldapmsg);
  665. LDAP_TRACE(("Received %d entries\n", num));
  666. }
  667. if(rc == LDAP_SIZELIMIT_EXCEEDED)
  668. infof(data, "There are more than %d entries", num);
  669. if(ludp)
  670. ldap_free_urldesc(ludp);
  671. if(server)
  672. ldap_unbind_s(server);
  673. #if defined(HAVE_LDAP_SSL) && defined(CURL_HAS_NOVELL_LDAPSDK)
  674. if(ldap_ssl)
  675. ldapssl_client_deinit();
  676. #endif /* HAVE_LDAP_SSL && CURL_HAS_NOVELL_LDAPSDK */
  677. FREE_ON_WINLDAP(host);
  678. /* no data to transfer */
  679. Curl_xfer_setup(data, -1, -1, FALSE, -1);
  680. connclose(conn, "LDAP connection always disable reuse");
  681. return result;
  682. }
  683. #ifdef DEBUG_LDAP
  684. static void _ldap_trace(const char *fmt, ...)
  685. {
  686. static int do_trace = -1;
  687. va_list args;
  688. if(do_trace == -1) {
  689. const char *env = getenv("CURL_TRACE");
  690. do_trace = (env && strtol(env, NULL, 10) > 0);
  691. }
  692. if(!do_trace)
  693. return;
  694. va_start(args, fmt);
  695. vfprintf(stderr, fmt, args);
  696. va_end(args);
  697. }
  698. #endif
  699. #ifndef HAVE_LDAP_URL_PARSE
  700. /*
  701. * Return scope-value for a scope-string.
  702. */
  703. static int str2scope(const char *p)
  704. {
  705. if(strcasecompare(p, "one"))
  706. return LDAP_SCOPE_ONELEVEL;
  707. if(strcasecompare(p, "onetree"))
  708. return LDAP_SCOPE_ONELEVEL;
  709. if(strcasecompare(p, "base"))
  710. return LDAP_SCOPE_BASE;
  711. if(strcasecompare(p, "sub"))
  712. return LDAP_SCOPE_SUBTREE;
  713. if(strcasecompare(p, "subtree"))
  714. return LDAP_SCOPE_SUBTREE;
  715. return (-1);
  716. }
  717. /*
  718. * Split 'str' into strings separated by commas.
  719. * Note: out[] points into 'str'.
  720. */
  721. static bool split_str(char *str, char ***out, size_t *count)
  722. {
  723. char **res;
  724. char *lasts;
  725. char *s;
  726. size_t i;
  727. size_t items = 1;
  728. s = strchr(str, ',');
  729. while(s) {
  730. items++;
  731. s = strchr(++s, ',');
  732. }
  733. res = calloc(items, sizeof(char *));
  734. if(!res)
  735. return FALSE;
  736. for(i = 0, s = strtok_r(str, ",", &lasts); s && i < items;
  737. s = strtok_r(NULL, ",", &lasts), i++)
  738. res[i] = s;
  739. *out = res;
  740. *count = items;
  741. return TRUE;
  742. }
  743. /*
  744. * Break apart the pieces of an LDAP URL.
  745. * Syntax:
  746. * ldap://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>?<ext>
  747. *
  748. * <hostname> already known from 'conn->host.name'.
  749. * <port> already known from 'conn->remote_port'.
  750. * extract the rest from 'data->state.path+1'. All fields are optional.
  751. * e.g.
  752. * ldap://<hostname>:<port>/?<attributes>?<scope>?<filter>
  753. * yields ludp->lud_dn = "".
  754. *
  755. * Defined in RFC4516 section 2.
  756. */
  757. static int _ldap_url_parse2(struct Curl_easy *data,
  758. const struct connectdata *conn, LDAPURLDesc *ludp)
  759. {
  760. int rc = LDAP_SUCCESS;
  761. char *p;
  762. char *path;
  763. char *q = NULL;
  764. char *query = NULL;
  765. size_t i;
  766. if(!data ||
  767. !data->state.up.path ||
  768. data->state.up.path[0] != '/' ||
  769. !strncasecompare("LDAP", data->state.up.scheme, 4))
  770. return LDAP_INVALID_SYNTAX;
  771. ludp->lud_scope = LDAP_SCOPE_BASE;
  772. ludp->lud_port = conn->remote_port;
  773. ludp->lud_host = conn->host.name;
  774. /* Duplicate the path */
  775. p = path = strdup(data->state.up.path + 1);
  776. if(!path)
  777. return LDAP_NO_MEMORY;
  778. /* Duplicate the query if present */
  779. if(data->state.up.query) {
  780. q = query = strdup(data->state.up.query);
  781. if(!query) {
  782. free(path);
  783. return LDAP_NO_MEMORY;
  784. }
  785. }
  786. /* Parse the DN (Distinguished Name) */
  787. if(*p) {
  788. char *dn = p;
  789. char *unescaped;
  790. CURLcode result;
  791. LDAP_TRACE(("DN '%s'\n", dn));
  792. /* Unescape the DN */
  793. result = Curl_urldecode(dn, 0, &unescaped, NULL, REJECT_ZERO);
  794. if(result) {
  795. rc = LDAP_NO_MEMORY;
  796. goto quit;
  797. }
  798. #if defined(USE_WIN32_LDAP)
  799. /* Convert the unescaped string to a tchar */
  800. ludp->lud_dn = curlx_convert_UTF8_to_tchar(unescaped);
  801. /* Free the unescaped string as we are done with it */
  802. free(unescaped);
  803. if(!ludp->lud_dn) {
  804. rc = LDAP_NO_MEMORY;
  805. goto quit;
  806. }
  807. #else
  808. ludp->lud_dn = unescaped;
  809. #endif
  810. }
  811. p = q;
  812. if(!p)
  813. goto quit;
  814. /* Parse the attributes. skip "??" */
  815. q = strchr(p, '?');
  816. if(q)
  817. *q++ = '\0';
  818. if(*p) {
  819. char **attributes;
  820. size_t count = 0;
  821. /* Split the string into an array of attributes */
  822. if(!split_str(p, &attributes, &count)) {
  823. rc = LDAP_NO_MEMORY;
  824. goto quit;
  825. }
  826. /* Allocate our array (+1 for the NULL entry) */
  827. #if defined(USE_WIN32_LDAP)
  828. ludp->lud_attrs = calloc(count + 1, sizeof(TCHAR *));
  829. #else
  830. ludp->lud_attrs = calloc(count + 1, sizeof(char *));
  831. #endif
  832. if(!ludp->lud_attrs) {
  833. free(attributes);
  834. rc = LDAP_NO_MEMORY;
  835. goto quit;
  836. }
  837. for(i = 0; i < count; i++) {
  838. char *unescaped;
  839. CURLcode result;
  840. LDAP_TRACE(("attr[%zu] '%s'\n", i, attributes[i]));
  841. /* Unescape the attribute */
  842. result = Curl_urldecode(attributes[i], 0, &unescaped, NULL,
  843. REJECT_ZERO);
  844. if(result) {
  845. free(attributes);
  846. rc = LDAP_NO_MEMORY;
  847. goto quit;
  848. }
  849. #if defined(USE_WIN32_LDAP)
  850. /* Convert the unescaped string to a tchar */
  851. ludp->lud_attrs[i] = curlx_convert_UTF8_to_tchar(unescaped);
  852. /* Free the unescaped string as we are done with it */
  853. free(unescaped);
  854. if(!ludp->lud_attrs[i]) {
  855. free(attributes);
  856. rc = LDAP_NO_MEMORY;
  857. goto quit;
  858. }
  859. #else
  860. ludp->lud_attrs[i] = unescaped;
  861. #endif
  862. ludp->lud_attrs_dups++;
  863. }
  864. free(attributes);
  865. }
  866. p = q;
  867. if(!p)
  868. goto quit;
  869. /* Parse the scope. skip "??" */
  870. q = strchr(p, '?');
  871. if(q)
  872. *q++ = '\0';
  873. if(*p) {
  874. ludp->lud_scope = str2scope(p);
  875. if(ludp->lud_scope == -1) {
  876. rc = LDAP_INVALID_SYNTAX;
  877. goto quit;
  878. }
  879. LDAP_TRACE(("scope %d\n", ludp->lud_scope));
  880. }
  881. p = q;
  882. if(!p)
  883. goto quit;
  884. /* Parse the filter */
  885. q = strchr(p, '?');
  886. if(q)
  887. *q++ = '\0';
  888. if(*p) {
  889. char *filter = p;
  890. char *unescaped;
  891. CURLcode result;
  892. LDAP_TRACE(("filter '%s'\n", filter));
  893. /* Unescape the filter */
  894. result = Curl_urldecode(filter, 0, &unescaped, NULL, REJECT_ZERO);
  895. if(result) {
  896. rc = LDAP_NO_MEMORY;
  897. goto quit;
  898. }
  899. #if defined(USE_WIN32_LDAP)
  900. /* Convert the unescaped string to a tchar */
  901. ludp->lud_filter = curlx_convert_UTF8_to_tchar(unescaped);
  902. /* Free the unescaped string as we are done with it */
  903. free(unescaped);
  904. if(!ludp->lud_filter) {
  905. rc = LDAP_NO_MEMORY;
  906. goto quit;
  907. }
  908. #else
  909. ludp->lud_filter = unescaped;
  910. #endif
  911. }
  912. p = q;
  913. if(p && !*p) {
  914. rc = LDAP_INVALID_SYNTAX;
  915. goto quit;
  916. }
  917. quit:
  918. free(path);
  919. free(query);
  920. return rc;
  921. }
  922. static int _ldap_url_parse(struct Curl_easy *data,
  923. const struct connectdata *conn,
  924. LDAPURLDesc **ludpp)
  925. {
  926. LDAPURLDesc *ludp = calloc(1, sizeof(*ludp));
  927. int rc;
  928. *ludpp = NULL;
  929. if(!ludp)
  930. return LDAP_NO_MEMORY;
  931. rc = _ldap_url_parse2(data, conn, ludp);
  932. if(rc != LDAP_SUCCESS) {
  933. _ldap_free_urldesc(ludp);
  934. ludp = NULL;
  935. }
  936. *ludpp = ludp;
  937. return (rc);
  938. }
  939. static void _ldap_free_urldesc(LDAPURLDesc *ludp)
  940. {
  941. if(!ludp)
  942. return;
  943. #if defined(USE_WIN32_LDAP)
  944. curlx_unicodefree(ludp->lud_dn);
  945. curlx_unicodefree(ludp->lud_filter);
  946. #else
  947. free(ludp->lud_dn);
  948. free(ludp->lud_filter);
  949. #endif
  950. if(ludp->lud_attrs) {
  951. size_t i;
  952. for(i = 0; i < ludp->lud_attrs_dups; i++) {
  953. #if defined(USE_WIN32_LDAP)
  954. curlx_unicodefree(ludp->lud_attrs[i]);
  955. #else
  956. free(ludp->lud_attrs[i]);
  957. #endif
  958. }
  959. free(ludp->lud_attrs);
  960. }
  961. free(ludp);
  962. }
  963. #endif /* !HAVE_LDAP_URL_PARSE */
  964. #endif /* !CURL_DISABLE_LDAP && !USE_OPENLDAP */