1 | /*************************************************************************** |
2 | * _ _ ____ _ |
3 | * Project ___| | | | _ \| | |
4 | * / __| | | | |_) | | |
5 | * | (__| |_| | _ <| |___ |
6 | * \___|\___/|_| \_\_____| |
7 | * |
8 | * Copyright (C) 1998 - 2022, Daniel Stenberg, <[email protected]>, et al. |
9 | * |
10 | * This software is licensed as described in the file COPYING, which |
11 | * you should have received as part of this distribution. The terms |
12 | * are also available at https://curl.se/docs/copyright.html. |
13 | * |
14 | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
15 | * copies of the Software, and permit persons to whom the Software is |
16 | * furnished to do so, under the terms of the COPYING file. |
17 | * |
18 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
19 | * KIND, either express or implied. |
20 | * |
21 | * SPDX-License-Identifier: curl |
22 | * |
23 | ***************************************************************************/ |
24 | |
25 | #include "curl_setup.h" |
26 | |
27 | #if !defined(CURL_DISABLE_LDAP) && !defined(USE_OPENLDAP) |
28 | |
29 | /* |
30 | * Notice that USE_OPENLDAP is only a source code selection switch. When |
31 | * libcurl is built with USE_OPENLDAP defined the libcurl source code that |
32 | * gets compiled is the code from openldap.c, otherwise the code that gets |
33 | * compiled is the code from ldap.c. |
34 | * |
35 | * When USE_OPENLDAP is defined a recent version of the OpenLDAP library |
36 | * might be required for compilation and runtime. In order to use ancient |
37 | * OpenLDAP library versions, USE_OPENLDAP shall not be defined. |
38 | */ |
39 | |
40 | /* Wincrypt must be included before anything that could include OpenSSL. */ |
41 | #if defined(USE_WIN32_CRYPTO) |
42 | #include <wincrypt.h> |
43 | /* Undefine wincrypt conflicting symbols for BoringSSL. */ |
44 | #undef X509_NAME |
45 | #undef X509_EXTENSIONS |
46 | #undef PKCS7_ISSUER_AND_SERIAL |
47 | #undef PKCS7_SIGNER_INFO |
48 | #undef OCSP_REQUEST |
49 | #undef OCSP_RESPONSE |
50 | #endif |
51 | |
52 | #ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */ |
53 | # include <winldap.h> |
54 | # ifndef LDAP_VENDOR_NAME |
55 | # error Your Platform SDK is NOT sufficient for LDAP support! \ |
56 | Update your Platform SDK, or disable LDAP support! |
57 | # else |
58 | # include <winber.h> |
59 | # endif |
60 | #else |
61 | # define LDAP_DEPRECATED 1 /* Be sure ldap_init() is defined. */ |
62 | # ifdef HAVE_LBER_H |
63 | # include <lber.h> |
64 | # endif |
65 | # include <ldap.h> |
66 | # if (defined(HAVE_LDAP_SSL) && defined(HAVE_LDAP_SSL_H)) |
67 | # include <ldap_ssl.h> |
68 | # endif /* HAVE_LDAP_SSL && HAVE_LDAP_SSL_H */ |
69 | #endif |
70 | |
71 | #include "urldata.h" |
72 | #include <curl/curl.h> |
73 | #include "sendf.h" |
74 | #include "escape.h" |
75 | #include "progress.h" |
76 | #include "transfer.h" |
77 | #include "strcase.h" |
78 | #include "strtok.h" |
79 | #include "curl_ldap.h" |
80 | #include "curl_multibyte.h" |
81 | #include "curl_base64.h" |
82 | #include "connect.h" |
83 | /* The last 3 #include files should be in this order */ |
84 | #include "curl_printf.h" |
85 | #include "curl_memory.h" |
86 | #include "memdebug.h" |
87 | |
88 | #ifndef HAVE_LDAP_URL_PARSE |
89 | |
90 | /* Use our own implementation. */ |
91 | |
92 | struct ldap_urldesc { |
93 | char *lud_host; |
94 | int lud_port; |
95 | #if defined(USE_WIN32_LDAP) |
96 | TCHAR *lud_dn; |
97 | TCHAR **lud_attrs; |
98 | #else |
99 | char *lud_dn; |
100 | char **lud_attrs; |
101 | #endif |
102 | int lud_scope; |
103 | #if defined(USE_WIN32_LDAP) |
104 | TCHAR *lud_filter; |
105 | #else |
106 | char *lud_filter; |
107 | #endif |
108 | char **lud_exts; |
109 | size_t lud_attrs_dups; /* how many were dup'ed, this field is not in the |
110 | "real" struct so can only be used in code |
111 | without HAVE_LDAP_URL_PARSE defined */ |
112 | }; |
113 | |
114 | #undef LDAPURLDesc |
115 | #define LDAPURLDesc struct ldap_urldesc |
116 | |
117 | static int _ldap_url_parse(struct Curl_easy *data, |
118 | const struct connectdata *conn, |
119 | LDAPURLDesc **ludp); |
120 | static void _ldap_free_urldesc(LDAPURLDesc *ludp); |
121 | |
122 | #undef ldap_free_urldesc |
123 | #define ldap_free_urldesc _ldap_free_urldesc |
124 | #endif |
125 | |
126 | #ifdef DEBUG_LDAP |
127 | #define LDAP_TRACE(x) do { \ |
128 | _ldap_trace("%u: ", __LINE__); \ |
129 | _ldap_trace x; \ |
130 | } while(0) |
131 | |
132 | static void _ldap_trace(const char *fmt, ...); |
133 | #else |
134 | #define LDAP_TRACE(x) Curl_nop_stmt |
135 | #endif |
136 | |
137 | #if defined(USE_WIN32_LDAP) && defined(ldap_err2string) |
138 | /* Use ansi error strings in UNICODE builds */ |
139 | #undef ldap_err2string |
140 | #define ldap_err2string ldap_err2stringA |
141 | #endif |
142 | |
143 | |
144 | static CURLcode ldap_do(struct Curl_easy *data, bool *done); |
145 | |
146 | /* |
147 | * LDAP protocol handler. |
148 | */ |
149 | |
150 | const struct Curl_handler Curl_handler_ldap = { |
151 | "LDAP" , /* scheme */ |
152 | ZERO_NULL, /* setup_connection */ |
153 | ldap_do, /* do_it */ |
154 | ZERO_NULL, /* done */ |
155 | ZERO_NULL, /* do_more */ |
156 | ZERO_NULL, /* connect_it */ |
157 | ZERO_NULL, /* connecting */ |
158 | ZERO_NULL, /* doing */ |
159 | ZERO_NULL, /* proto_getsock */ |
160 | ZERO_NULL, /* doing_getsock */ |
161 | ZERO_NULL, /* domore_getsock */ |
162 | ZERO_NULL, /* perform_getsock */ |
163 | ZERO_NULL, /* disconnect */ |
164 | ZERO_NULL, /* readwrite */ |
165 | ZERO_NULL, /* connection_check */ |
166 | ZERO_NULL, /* attach connection */ |
167 | PORT_LDAP, /* defport */ |
168 | CURLPROTO_LDAP, /* protocol */ |
169 | CURLPROTO_LDAP, /* family */ |
170 | PROTOPT_NONE /* flags */ |
171 | }; |
172 | |
173 | #ifdef HAVE_LDAP_SSL |
174 | /* |
175 | * LDAPS protocol handler. |
176 | */ |
177 | |
178 | const struct Curl_handler Curl_handler_ldaps = { |
179 | "LDAPS" , /* scheme */ |
180 | ZERO_NULL, /* setup_connection */ |
181 | ldap_do, /* do_it */ |
182 | ZERO_NULL, /* done */ |
183 | ZERO_NULL, /* do_more */ |
184 | ZERO_NULL, /* connect_it */ |
185 | ZERO_NULL, /* connecting */ |
186 | ZERO_NULL, /* doing */ |
187 | ZERO_NULL, /* proto_getsock */ |
188 | ZERO_NULL, /* doing_getsock */ |
189 | ZERO_NULL, /* domore_getsock */ |
190 | ZERO_NULL, /* perform_getsock */ |
191 | ZERO_NULL, /* disconnect */ |
192 | ZERO_NULL, /* readwrite */ |
193 | ZERO_NULL, /* connection_check */ |
194 | ZERO_NULL, /* attach connection */ |
195 | PORT_LDAPS, /* defport */ |
196 | CURLPROTO_LDAPS, /* protocol */ |
197 | CURLPROTO_LDAP, /* family */ |
198 | PROTOPT_SSL /* flags */ |
199 | }; |
200 | #endif |
201 | |
202 | #if defined(USE_WIN32_LDAP) |
203 | |
204 | #if defined(USE_WINDOWS_SSPI) |
205 | static int ldap_win_bind_auth(LDAP *server, const char *user, |
206 | const char *passwd, unsigned long authflags) |
207 | { |
208 | ULONG method = 0; |
209 | SEC_WINNT_AUTH_IDENTITY cred; |
210 | int rc = LDAP_AUTH_METHOD_NOT_SUPPORTED; |
211 | |
212 | memset(&cred, 0, sizeof(cred)); |
213 | |
214 | #if defined(USE_SPNEGO) |
215 | if(authflags & CURLAUTH_NEGOTIATE) { |
216 | method = LDAP_AUTH_NEGOTIATE; |
217 | } |
218 | else |
219 | #endif |
220 | #if defined(USE_NTLM) |
221 | if(authflags & CURLAUTH_NTLM) { |
222 | method = LDAP_AUTH_NTLM; |
223 | } |
224 | else |
225 | #endif |
226 | #if !defined(CURL_DISABLE_CRYPTO_AUTH) |
227 | if(authflags & CURLAUTH_DIGEST) { |
228 | method = LDAP_AUTH_DIGEST; |
229 | } |
230 | else |
231 | #endif |
232 | { |
233 | /* required anyway if one of upper preprocessor definitions enabled */ |
234 | } |
235 | |
236 | if(method && user && passwd) { |
237 | rc = Curl_create_sspi_identity(user, passwd, &cred); |
238 | if(!rc) { |
239 | rc = ldap_bind_s(server, NULL, (TCHAR *)&cred, method); |
240 | Curl_sspi_free_identity(&cred); |
241 | } |
242 | } |
243 | else { |
244 | /* proceed with current user credentials */ |
245 | method = LDAP_AUTH_NEGOTIATE; |
246 | rc = ldap_bind_s(server, NULL, NULL, method); |
247 | } |
248 | return rc; |
249 | } |
250 | #endif /* #if defined(USE_WINDOWS_SSPI) */ |
251 | |
252 | static int ldap_win_bind(struct Curl_easy *data, LDAP *server, |
253 | const char *user, const char *passwd) |
254 | { |
255 | int rc = LDAP_INVALID_CREDENTIALS; |
256 | |
257 | PTCHAR inuser = NULL; |
258 | PTCHAR inpass = NULL; |
259 | |
260 | if(user && passwd && (data->set.httpauth & CURLAUTH_BASIC)) { |
261 | inuser = curlx_convert_UTF8_to_tchar((char *) user); |
262 | inpass = curlx_convert_UTF8_to_tchar((char *) passwd); |
263 | |
264 | rc = ldap_simple_bind_s(server, inuser, inpass); |
265 | |
266 | curlx_unicodefree(inuser); |
267 | curlx_unicodefree(inpass); |
268 | } |
269 | #if defined(USE_WINDOWS_SSPI) |
270 | else { |
271 | rc = ldap_win_bind_auth(server, user, passwd, data->set.httpauth); |
272 | } |
273 | #endif |
274 | |
275 | return rc; |
276 | } |
277 | #endif /* #if defined(USE_WIN32_LDAP) */ |
278 | |
279 | #if defined(USE_WIN32_LDAP) |
280 | #define FREE_ON_WINLDAP(x) curlx_unicodefree(x) |
281 | #else |
282 | #define FREE_ON_WINLDAP(x) |
283 | #endif |
284 | |
285 | |
286 | static CURLcode ldap_do(struct Curl_easy *data, bool *done) |
287 | { |
288 | CURLcode result = CURLE_OK; |
289 | int rc = 0; |
290 | LDAP *server = NULL; |
291 | LDAPURLDesc *ludp = NULL; |
292 | LDAPMessage *ldapmsg = NULL; |
293 | LDAPMessage *entryIterator; |
294 | int num = 0; |
295 | struct connectdata *conn = data->conn; |
296 | int ldap_proto = LDAP_VERSION3; |
297 | int ldap_ssl = 0; |
298 | char *val_b64 = NULL; |
299 | size_t val_b64_sz = 0; |
300 | curl_off_t dlsize = 0; |
301 | #ifdef LDAP_OPT_NETWORK_TIMEOUT |
302 | struct timeval ldap_timeout = {10, 0}; /* 10 sec connection/search timeout */ |
303 | #endif |
304 | #if defined(USE_WIN32_LDAP) |
305 | TCHAR *host = NULL; |
306 | #else |
307 | char *host = NULL; |
308 | #endif |
309 | char *user = NULL; |
310 | char *passwd = NULL; |
311 | |
312 | *done = TRUE; /* unconditionally */ |
313 | infof(data, "LDAP local: LDAP Vendor = %s ; LDAP Version = %d" , |
314 | LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION); |
315 | infof(data, "LDAP local: %s" , data->state.url); |
316 | |
317 | #ifdef HAVE_LDAP_URL_PARSE |
318 | rc = ldap_url_parse(data->state.url, &ludp); |
319 | #else |
320 | rc = _ldap_url_parse(data, conn, &ludp); |
321 | #endif |
322 | if(rc) { |
323 | failf(data, "Bad LDAP URL: %s" , ldap_err2string(rc)); |
324 | result = CURLE_URL_MALFORMAT; |
325 | goto quit; |
326 | } |
327 | |
328 | /* Get the URL scheme (either ldap or ldaps) */ |
329 | if(conn->given->flags & PROTOPT_SSL) |
330 | ldap_ssl = 1; |
331 | infof(data, "LDAP local: trying to establish %s connection" , |
332 | ldap_ssl ? "encrypted" : "cleartext" ); |
333 | |
334 | #if defined(USE_WIN32_LDAP) |
335 | host = curlx_convert_UTF8_to_tchar(conn->host.name); |
336 | if(!host) { |
337 | result = CURLE_OUT_OF_MEMORY; |
338 | |
339 | goto quit; |
340 | } |
341 | #else |
342 | host = conn->host.name; |
343 | #endif |
344 | |
345 | if(data->state.aptr.user) { |
346 | user = conn->user; |
347 | passwd = conn->passwd; |
348 | } |
349 | |
350 | #ifdef LDAP_OPT_NETWORK_TIMEOUT |
351 | ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); |
352 | #endif |
353 | ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); |
354 | |
355 | if(ldap_ssl) { |
356 | #ifdef HAVE_LDAP_SSL |
357 | #ifdef USE_WIN32_LDAP |
358 | /* Win32 LDAP SDK doesn't support insecure mode without CA! */ |
359 | server = ldap_sslinit(host, conn->port, 1); |
360 | ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); |
361 | #else |
362 | int ldap_option; |
363 | char *ldap_ca = conn->ssl_config.CAfile; |
364 | #if defined(CURL_HAS_NOVELL_LDAPSDK) |
365 | rc = ldapssl_client_init(NULL, NULL); |
366 | if(rc != LDAP_SUCCESS) { |
367 | failf(data, "LDAP local: ldapssl_client_init %s" , ldap_err2string(rc)); |
368 | result = CURLE_SSL_CERTPROBLEM; |
369 | goto quit; |
370 | } |
371 | if(conn->ssl_config.verifypeer) { |
372 | /* Novell SDK supports DER or BASE64 files. */ |
373 | int cert_type = LDAPSSL_CERT_FILETYPE_B64; |
374 | if((data->set.ssl.cert_type) && |
375 | (strcasecompare(data->set.ssl.cert_type, "DER" ))) |
376 | cert_type = LDAPSSL_CERT_FILETYPE_DER; |
377 | if(!ldap_ca) { |
378 | failf(data, "LDAP local: ERROR %s CA cert not set" , |
379 | (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM" )); |
380 | result = CURLE_SSL_CERTPROBLEM; |
381 | goto quit; |
382 | } |
383 | infof(data, "LDAP local: using %s CA cert '%s'" , |
384 | (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM" ), |
385 | ldap_ca); |
386 | rc = ldapssl_add_trusted_cert(ldap_ca, cert_type); |
387 | if(rc != LDAP_SUCCESS) { |
388 | failf(data, "LDAP local: ERROR setting %s CA cert: %s" , |
389 | (cert_type == LDAPSSL_CERT_FILETYPE_DER ? "DER" : "PEM" ), |
390 | ldap_err2string(rc)); |
391 | result = CURLE_SSL_CERTPROBLEM; |
392 | goto quit; |
393 | } |
394 | ldap_option = LDAPSSL_VERIFY_SERVER; |
395 | } |
396 | else |
397 | ldap_option = LDAPSSL_VERIFY_NONE; |
398 | rc = ldapssl_set_verify_mode(ldap_option); |
399 | if(rc != LDAP_SUCCESS) { |
400 | failf(data, "LDAP local: ERROR setting cert verify mode: %s" , |
401 | ldap_err2string(rc)); |
402 | result = CURLE_SSL_CERTPROBLEM; |
403 | goto quit; |
404 | } |
405 | server = ldapssl_init(host, conn->port, 1); |
406 | if(!server) { |
407 | failf(data, "LDAP local: Cannot connect to %s:%u" , |
408 | conn->host.dispname, conn->port); |
409 | result = CURLE_COULDNT_CONNECT; |
410 | goto quit; |
411 | } |
412 | #elif defined(LDAP_OPT_X_TLS) |
413 | if(conn->ssl_config.verifypeer) { |
414 | /* OpenLDAP SDK supports BASE64 files. */ |
415 | if((data->set.ssl.cert_type) && |
416 | (!strcasecompare(data->set.ssl.cert_type, "PEM" ))) { |
417 | failf(data, "LDAP local: ERROR OpenLDAP only supports PEM cert-type" ); |
418 | result = CURLE_SSL_CERTPROBLEM; |
419 | goto quit; |
420 | } |
421 | if(!ldap_ca) { |
422 | failf(data, "LDAP local: ERROR PEM CA cert not set" ); |
423 | result = CURLE_SSL_CERTPROBLEM; |
424 | goto quit; |
425 | } |
426 | infof(data, "LDAP local: using PEM CA cert: %s" , ldap_ca); |
427 | rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); |
428 | if(rc != LDAP_SUCCESS) { |
429 | failf(data, "LDAP local: ERROR setting PEM CA cert: %s" , |
430 | ldap_err2string(rc)); |
431 | result = CURLE_SSL_CERTPROBLEM; |
432 | goto quit; |
433 | } |
434 | ldap_option = LDAP_OPT_X_TLS_DEMAND; |
435 | } |
436 | else |
437 | ldap_option = LDAP_OPT_X_TLS_NEVER; |
438 | |
439 | rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); |
440 | if(rc != LDAP_SUCCESS) { |
441 | failf(data, "LDAP local: ERROR setting cert verify mode: %s" , |
442 | ldap_err2string(rc)); |
443 | result = CURLE_SSL_CERTPROBLEM; |
444 | goto quit; |
445 | } |
446 | server = ldap_init(host, conn->port); |
447 | if(!server) { |
448 | failf(data, "LDAP local: Cannot connect to %s:%u" , |
449 | conn->host.dispname, conn->port); |
450 | result = CURLE_COULDNT_CONNECT; |
451 | goto quit; |
452 | } |
453 | ldap_option = LDAP_OPT_X_TLS_HARD; |
454 | rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); |
455 | if(rc != LDAP_SUCCESS) { |
456 | failf(data, "LDAP local: ERROR setting SSL/TLS mode: %s" , |
457 | ldap_err2string(rc)); |
458 | result = CURLE_SSL_CERTPROBLEM; |
459 | goto quit; |
460 | } |
461 | /* |
462 | rc = ldap_start_tls_s(server, NULL, NULL); |
463 | if(rc != LDAP_SUCCESS) { |
464 | failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", |
465 | ldap_err2string(rc)); |
466 | result = CURLE_SSL_CERTPROBLEM; |
467 | goto quit; |
468 | } |
469 | */ |
470 | #else |
471 | /* we should probably never come up to here since configure |
472 | should check in first place if we can support LDAP SSL/TLS */ |
473 | failf(data, "LDAP local: SSL/TLS not supported with this version " |
474 | "of the OpenLDAP toolkit\n" ); |
475 | result = CURLE_SSL_CERTPROBLEM; |
476 | goto quit; |
477 | #endif |
478 | #endif |
479 | #endif /* CURL_LDAP_USE_SSL */ |
480 | } |
481 | else if(data->set.use_ssl > CURLUSESSL_TRY) { |
482 | failf(data, "LDAP local: explicit TLS not supported" ); |
483 | result = CURLE_NOT_BUILT_IN; |
484 | goto quit; |
485 | } |
486 | else { |
487 | server = ldap_init(host, conn->port); |
488 | if(!server) { |
489 | failf(data, "LDAP local: Cannot connect to %s:%u" , |
490 | conn->host.dispname, conn->port); |
491 | result = CURLE_COULDNT_CONNECT; |
492 | goto quit; |
493 | } |
494 | } |
495 | #ifdef USE_WIN32_LDAP |
496 | ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); |
497 | rc = ldap_win_bind(data, server, user, passwd); |
498 | #else |
499 | rc = ldap_simple_bind_s(server, user, passwd); |
500 | #endif |
501 | if(!ldap_ssl && rc) { |
502 | ldap_proto = LDAP_VERSION2; |
503 | ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); |
504 | #ifdef USE_WIN32_LDAP |
505 | rc = ldap_win_bind(data, server, user, passwd); |
506 | #else |
507 | rc = ldap_simple_bind_s(server, user, passwd); |
508 | #endif |
509 | } |
510 | if(rc) { |
511 | #ifdef USE_WIN32_LDAP |
512 | failf(data, "LDAP local: bind via ldap_win_bind %s" , |
513 | ldap_err2string(rc)); |
514 | #else |
515 | failf(data, "LDAP local: bind via ldap_simple_bind_s %s" , |
516 | ldap_err2string(rc)); |
517 | #endif |
518 | result = CURLE_LDAP_CANNOT_BIND; |
519 | goto quit; |
520 | } |
521 | |
522 | rc = ldap_search_s(server, ludp->lud_dn, ludp->lud_scope, |
523 | ludp->lud_filter, ludp->lud_attrs, 0, &ldapmsg); |
524 | |
525 | if(rc && rc != LDAP_SIZELIMIT_EXCEEDED) { |
526 | failf(data, "LDAP remote: %s" , ldap_err2string(rc)); |
527 | result = CURLE_LDAP_SEARCH_FAILED; |
528 | goto quit; |
529 | } |
530 | |
531 | for(num = 0, entryIterator = ldap_first_entry(server, ldapmsg); |
532 | entryIterator; |
533 | entryIterator = ldap_next_entry(server, entryIterator), num++) { |
534 | BerElement *ber = NULL; |
535 | #if defined(USE_WIN32_LDAP) |
536 | TCHAR *attribute; |
537 | #else |
538 | char *attribute; |
539 | #endif |
540 | int i; |
541 | |
542 | /* Get the DN and write it to the client */ |
543 | { |
544 | char *name; |
545 | size_t name_len; |
546 | #if defined(USE_WIN32_LDAP) |
547 | TCHAR *dn = ldap_get_dn(server, entryIterator); |
548 | name = curlx_convert_tchar_to_UTF8(dn); |
549 | if(!name) { |
550 | ldap_memfree(dn); |
551 | |
552 | result = CURLE_OUT_OF_MEMORY; |
553 | |
554 | goto quit; |
555 | } |
556 | #else |
557 | char *dn = name = ldap_get_dn(server, entryIterator); |
558 | #endif |
559 | name_len = strlen(name); |
560 | |
561 | result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"DN: " , 4); |
562 | if(result) { |
563 | FREE_ON_WINLDAP(name); |
564 | ldap_memfree(dn); |
565 | goto quit; |
566 | } |
567 | |
568 | result = Curl_client_write(data, CLIENTWRITE_BODY, (char *) name, |
569 | name_len); |
570 | if(result) { |
571 | FREE_ON_WINLDAP(name); |
572 | ldap_memfree(dn); |
573 | goto quit; |
574 | } |
575 | |
576 | result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n" , 1); |
577 | if(result) { |
578 | FREE_ON_WINLDAP(name); |
579 | ldap_memfree(dn); |
580 | |
581 | goto quit; |
582 | } |
583 | |
584 | dlsize += name_len + 5; |
585 | |
586 | FREE_ON_WINLDAP(name); |
587 | ldap_memfree(dn); |
588 | } |
589 | |
590 | /* Get the attributes and write them to the client */ |
591 | for(attribute = ldap_first_attribute(server, entryIterator, &ber); |
592 | attribute; |
593 | attribute = ldap_next_attribute(server, entryIterator, ber)) { |
594 | BerValue **vals; |
595 | size_t attr_len; |
596 | #if defined(USE_WIN32_LDAP) |
597 | char *attr = curlx_convert_tchar_to_UTF8(attribute); |
598 | if(!attr) { |
599 | if(ber) |
600 | ber_free(ber, 0); |
601 | |
602 | result = CURLE_OUT_OF_MEMORY; |
603 | |
604 | goto quit; |
605 | } |
606 | #else |
607 | char *attr = attribute; |
608 | #endif |
609 | attr_len = strlen(attr); |
610 | |
611 | vals = ldap_get_values_len(server, entryIterator, attribute); |
612 | if(vals) { |
613 | for(i = 0; (vals[i] != NULL); i++) { |
614 | result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\t" , 1); |
615 | if(result) { |
616 | ldap_value_free_len(vals); |
617 | FREE_ON_WINLDAP(attr); |
618 | ldap_memfree(attribute); |
619 | if(ber) |
620 | ber_free(ber, 0); |
621 | |
622 | goto quit; |
623 | } |
624 | |
625 | result = Curl_client_write(data, CLIENTWRITE_BODY, |
626 | (char *) attr, attr_len); |
627 | if(result) { |
628 | ldap_value_free_len(vals); |
629 | FREE_ON_WINLDAP(attr); |
630 | ldap_memfree(attribute); |
631 | if(ber) |
632 | ber_free(ber, 0); |
633 | |
634 | goto quit; |
635 | } |
636 | |
637 | result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)": " , 2); |
638 | if(result) { |
639 | ldap_value_free_len(vals); |
640 | FREE_ON_WINLDAP(attr); |
641 | ldap_memfree(attribute); |
642 | if(ber) |
643 | ber_free(ber, 0); |
644 | |
645 | goto quit; |
646 | } |
647 | |
648 | dlsize += attr_len + 3; |
649 | |
650 | if((attr_len > 7) && |
651 | (strcmp(";binary" , (char *) attr + (attr_len - 7)) == 0)) { |
652 | /* Binary attribute, encode to base64. */ |
653 | result = Curl_base64_encode(vals[i]->bv_val, vals[i]->bv_len, |
654 | &val_b64, &val_b64_sz); |
655 | if(result) { |
656 | ldap_value_free_len(vals); |
657 | FREE_ON_WINLDAP(attr); |
658 | ldap_memfree(attribute); |
659 | if(ber) |
660 | ber_free(ber, 0); |
661 | |
662 | goto quit; |
663 | } |
664 | |
665 | if(val_b64_sz > 0) { |
666 | result = Curl_client_write(data, CLIENTWRITE_BODY, val_b64, |
667 | val_b64_sz); |
668 | free(val_b64); |
669 | if(result) { |
670 | ldap_value_free_len(vals); |
671 | FREE_ON_WINLDAP(attr); |
672 | ldap_memfree(attribute); |
673 | if(ber) |
674 | ber_free(ber, 0); |
675 | |
676 | goto quit; |
677 | } |
678 | |
679 | dlsize += val_b64_sz; |
680 | } |
681 | } |
682 | else { |
683 | result = Curl_client_write(data, CLIENTWRITE_BODY, vals[i]->bv_val, |
684 | vals[i]->bv_len); |
685 | if(result) { |
686 | ldap_value_free_len(vals); |
687 | FREE_ON_WINLDAP(attr); |
688 | ldap_memfree(attribute); |
689 | if(ber) |
690 | ber_free(ber, 0); |
691 | |
692 | goto quit; |
693 | } |
694 | |
695 | dlsize += vals[i]->bv_len; |
696 | } |
697 | |
698 | result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n" , 1); |
699 | if(result) { |
700 | ldap_value_free_len(vals); |
701 | FREE_ON_WINLDAP(attr); |
702 | ldap_memfree(attribute); |
703 | if(ber) |
704 | ber_free(ber, 0); |
705 | |
706 | goto quit; |
707 | } |
708 | |
709 | dlsize++; |
710 | } |
711 | |
712 | /* Free memory used to store values */ |
713 | ldap_value_free_len(vals); |
714 | } |
715 | |
716 | /* Free the attribute as we are done with it */ |
717 | FREE_ON_WINLDAP(attr); |
718 | ldap_memfree(attribute); |
719 | |
720 | result = Curl_client_write(data, CLIENTWRITE_BODY, (char *)"\n" , 1); |
721 | if(result) |
722 | goto quit; |
723 | dlsize++; |
724 | Curl_pgrsSetDownloadCounter(data, dlsize); |
725 | } |
726 | |
727 | if(ber) |
728 | ber_free(ber, 0); |
729 | } |
730 | |
731 | quit: |
732 | if(ldapmsg) { |
733 | ldap_msgfree(ldapmsg); |
734 | LDAP_TRACE(("Received %d entries\n" , num)); |
735 | } |
736 | if(rc == LDAP_SIZELIMIT_EXCEEDED) |
737 | infof(data, "There are more than %d entries" , num); |
738 | if(ludp) |
739 | ldap_free_urldesc(ludp); |
740 | if(server) |
741 | ldap_unbind_s(server); |
742 | #if defined(HAVE_LDAP_SSL) && defined(CURL_HAS_NOVELL_LDAPSDK) |
743 | if(ldap_ssl) |
744 | ldapssl_client_deinit(); |
745 | #endif /* HAVE_LDAP_SSL && CURL_HAS_NOVELL_LDAPSDK */ |
746 | |
747 | FREE_ON_WINLDAP(host); |
748 | |
749 | /* no data to transfer */ |
750 | Curl_setup_transfer(data, -1, -1, FALSE, -1); |
751 | connclose(conn, "LDAP connection always disable re-use" ); |
752 | |
753 | return result; |
754 | } |
755 | |
756 | #ifdef DEBUG_LDAP |
757 | static void _ldap_trace(const char *fmt, ...) |
758 | { |
759 | static int do_trace = -1; |
760 | va_list args; |
761 | |
762 | if(do_trace == -1) { |
763 | const char *env = getenv("CURL_TRACE" ); |
764 | do_trace = (env && strtol(env, NULL, 10) > 0); |
765 | } |
766 | if(!do_trace) |
767 | return; |
768 | |
769 | va_start(args, fmt); |
770 | vfprintf(stderr, fmt, args); |
771 | va_end(args); |
772 | } |
773 | #endif |
774 | |
775 | #ifndef HAVE_LDAP_URL_PARSE |
776 | |
777 | /* |
778 | * Return scope-value for a scope-string. |
779 | */ |
780 | static int str2scope(const char *p) |
781 | { |
782 | if(strcasecompare(p, "one" )) |
783 | return LDAP_SCOPE_ONELEVEL; |
784 | if(strcasecompare(p, "onetree" )) |
785 | return LDAP_SCOPE_ONELEVEL; |
786 | if(strcasecompare(p, "base" )) |
787 | return LDAP_SCOPE_BASE; |
788 | if(strcasecompare(p, "sub" )) |
789 | return LDAP_SCOPE_SUBTREE; |
790 | if(strcasecompare(p, "subtree" )) |
791 | return LDAP_SCOPE_SUBTREE; |
792 | return (-1); |
793 | } |
794 | |
795 | /* |
796 | * Split 'str' into strings separated by commas. |
797 | * Note: out[] points into 'str'. |
798 | */ |
799 | static bool split_str(char *str, char ***out, size_t *count) |
800 | { |
801 | char **res; |
802 | char *lasts; |
803 | char *s; |
804 | size_t i; |
805 | size_t items = 1; |
806 | |
807 | s = strchr(str, ','); |
808 | while(s) { |
809 | items++; |
810 | s = strchr(++s, ','); |
811 | } |
812 | |
813 | res = calloc(items, sizeof(char *)); |
814 | if(!res) |
815 | return FALSE; |
816 | |
817 | for(i = 0, s = strtok_r(str, "," , &lasts); s && i < items; |
818 | s = strtok_r(NULL, "," , &lasts), i++) |
819 | res[i] = s; |
820 | |
821 | *out = res; |
822 | *count = items; |
823 | |
824 | return TRUE; |
825 | } |
826 | |
827 | /* |
828 | * Break apart the pieces of an LDAP URL. |
829 | * Syntax: |
830 | * ldap://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>?<ext> |
831 | * |
832 | * <hostname> already known from 'conn->host.name'. |
833 | * <port> already known from 'conn->remote_port'. |
834 | * extract the rest from 'data->state.path+1'. All fields are optional. |
835 | * e.g. |
836 | * ldap://<hostname>:<port>/?<attributes>?<scope>?<filter> |
837 | * yields ludp->lud_dn = "". |
838 | * |
839 | * Defined in RFC4516 section 2. |
840 | */ |
841 | static int _ldap_url_parse2(struct Curl_easy *data, |
842 | const struct connectdata *conn, LDAPURLDesc *ludp) |
843 | { |
844 | int rc = LDAP_SUCCESS; |
845 | char *p; |
846 | char *path; |
847 | char *q = NULL; |
848 | char *query = NULL; |
849 | size_t i; |
850 | |
851 | if(!data || |
852 | !data->state.up.path || |
853 | data->state.up.path[0] != '/' || |
854 | !strncasecompare("LDAP" , data->state.up.scheme, 4)) |
855 | return LDAP_INVALID_SYNTAX; |
856 | |
857 | ludp->lud_scope = LDAP_SCOPE_BASE; |
858 | ludp->lud_port = conn->remote_port; |
859 | ludp->lud_host = conn->host.name; |
860 | |
861 | /* Duplicate the path */ |
862 | p = path = strdup(data->state.up.path + 1); |
863 | if(!path) |
864 | return LDAP_NO_MEMORY; |
865 | |
866 | /* Duplicate the query if present */ |
867 | if(data->state.up.query) { |
868 | q = query = strdup(data->state.up.query); |
869 | if(!query) { |
870 | free(path); |
871 | return LDAP_NO_MEMORY; |
872 | } |
873 | } |
874 | |
875 | /* Parse the DN (Distinguished Name) */ |
876 | if(*p) { |
877 | char *dn = p; |
878 | char *unescaped; |
879 | CURLcode result; |
880 | |
881 | LDAP_TRACE(("DN '%s'\n" , dn)); |
882 | |
883 | /* Unescape the DN */ |
884 | result = Curl_urldecode(dn, 0, &unescaped, NULL, REJECT_ZERO); |
885 | if(result) { |
886 | rc = LDAP_NO_MEMORY; |
887 | |
888 | goto quit; |
889 | } |
890 | |
891 | #if defined(USE_WIN32_LDAP) |
892 | /* Convert the unescaped string to a tchar */ |
893 | ludp->lud_dn = curlx_convert_UTF8_to_tchar(unescaped); |
894 | |
895 | /* Free the unescaped string as we are done with it */ |
896 | free(unescaped); |
897 | |
898 | if(!ludp->lud_dn) { |
899 | rc = LDAP_NO_MEMORY; |
900 | |
901 | goto quit; |
902 | } |
903 | #else |
904 | ludp->lud_dn = unescaped; |
905 | #endif |
906 | } |
907 | |
908 | p = q; |
909 | if(!p) |
910 | goto quit; |
911 | |
912 | /* Parse the attributes. skip "??" */ |
913 | q = strchr(p, '?'); |
914 | if(q) |
915 | *q++ = '\0'; |
916 | |
917 | if(*p) { |
918 | char **attributes; |
919 | size_t count = 0; |
920 | |
921 | /* Split the string into an array of attributes */ |
922 | if(!split_str(p, &attributes, &count)) { |
923 | rc = LDAP_NO_MEMORY; |
924 | |
925 | goto quit; |
926 | } |
927 | |
928 | /* Allocate our array (+1 for the NULL entry) */ |
929 | #if defined(USE_WIN32_LDAP) |
930 | ludp->lud_attrs = calloc(count + 1, sizeof(TCHAR *)); |
931 | #else |
932 | ludp->lud_attrs = calloc(count + 1, sizeof(char *)); |
933 | #endif |
934 | if(!ludp->lud_attrs) { |
935 | free(attributes); |
936 | |
937 | rc = LDAP_NO_MEMORY; |
938 | |
939 | goto quit; |
940 | } |
941 | |
942 | for(i = 0; i < count; i++) { |
943 | char *unescaped; |
944 | CURLcode result; |
945 | |
946 | LDAP_TRACE(("attr[%zu] '%s'\n" , i, attributes[i])); |
947 | |
948 | /* Unescape the attribute */ |
949 | result = Curl_urldecode(attributes[i], 0, &unescaped, NULL, |
950 | REJECT_ZERO); |
951 | if(result) { |
952 | free(attributes); |
953 | |
954 | rc = LDAP_NO_MEMORY; |
955 | |
956 | goto quit; |
957 | } |
958 | |
959 | #if defined(USE_WIN32_LDAP) |
960 | /* Convert the unescaped string to a tchar */ |
961 | ludp->lud_attrs[i] = curlx_convert_UTF8_to_tchar(unescaped); |
962 | |
963 | /* Free the unescaped string as we are done with it */ |
964 | free(unescaped); |
965 | |
966 | if(!ludp->lud_attrs[i]) { |
967 | free(attributes); |
968 | |
969 | rc = LDAP_NO_MEMORY; |
970 | |
971 | goto quit; |
972 | } |
973 | #else |
974 | ludp->lud_attrs[i] = unescaped; |
975 | #endif |
976 | |
977 | ludp->lud_attrs_dups++; |
978 | } |
979 | |
980 | free(attributes); |
981 | } |
982 | |
983 | p = q; |
984 | if(!p) |
985 | goto quit; |
986 | |
987 | /* Parse the scope. skip "??" */ |
988 | q = strchr(p, '?'); |
989 | if(q) |
990 | *q++ = '\0'; |
991 | |
992 | if(*p) { |
993 | ludp->lud_scope = str2scope(p); |
994 | if(ludp->lud_scope == -1) { |
995 | rc = LDAP_INVALID_SYNTAX; |
996 | |
997 | goto quit; |
998 | } |
999 | LDAP_TRACE(("scope %d\n" , ludp->lud_scope)); |
1000 | } |
1001 | |
1002 | p = q; |
1003 | if(!p) |
1004 | goto quit; |
1005 | |
1006 | /* Parse the filter */ |
1007 | q = strchr(p, '?'); |
1008 | if(q) |
1009 | *q++ = '\0'; |
1010 | |
1011 | if(*p) { |
1012 | char *filter = p; |
1013 | char *unescaped; |
1014 | CURLcode result; |
1015 | |
1016 | LDAP_TRACE(("filter '%s'\n" , filter)); |
1017 | |
1018 | /* Unescape the filter */ |
1019 | result = Curl_urldecode(filter, 0, &unescaped, NULL, REJECT_ZERO); |
1020 | if(result) { |
1021 | rc = LDAP_NO_MEMORY; |
1022 | |
1023 | goto quit; |
1024 | } |
1025 | |
1026 | #if defined(USE_WIN32_LDAP) |
1027 | /* Convert the unescaped string to a tchar */ |
1028 | ludp->lud_filter = curlx_convert_UTF8_to_tchar(unescaped); |
1029 | |
1030 | /* Free the unescaped string as we are done with it */ |
1031 | free(unescaped); |
1032 | |
1033 | if(!ludp->lud_filter) { |
1034 | rc = LDAP_NO_MEMORY; |
1035 | |
1036 | goto quit; |
1037 | } |
1038 | #else |
1039 | ludp->lud_filter = unescaped; |
1040 | #endif |
1041 | } |
1042 | |
1043 | p = q; |
1044 | if(p && !*p) { |
1045 | rc = LDAP_INVALID_SYNTAX; |
1046 | |
1047 | goto quit; |
1048 | } |
1049 | |
1050 | quit: |
1051 | free(path); |
1052 | free(query); |
1053 | |
1054 | return rc; |
1055 | } |
1056 | |
1057 | static int _ldap_url_parse(struct Curl_easy *data, |
1058 | const struct connectdata *conn, |
1059 | LDAPURLDesc **ludpp) |
1060 | { |
1061 | LDAPURLDesc *ludp = calloc(1, sizeof(*ludp)); |
1062 | int rc; |
1063 | |
1064 | *ludpp = NULL; |
1065 | if(!ludp) |
1066 | return LDAP_NO_MEMORY; |
1067 | |
1068 | rc = _ldap_url_parse2(data, conn, ludp); |
1069 | if(rc != LDAP_SUCCESS) { |
1070 | _ldap_free_urldesc(ludp); |
1071 | ludp = NULL; |
1072 | } |
1073 | *ludpp = ludp; |
1074 | return (rc); |
1075 | } |
1076 | |
1077 | static void _ldap_free_urldesc(LDAPURLDesc *ludp) |
1078 | { |
1079 | if(!ludp) |
1080 | return; |
1081 | |
1082 | #if defined(USE_WIN32_LDAP) |
1083 | curlx_unicodefree(ludp->lud_dn); |
1084 | curlx_unicodefree(ludp->lud_filter); |
1085 | #else |
1086 | free(ludp->lud_dn); |
1087 | free(ludp->lud_filter); |
1088 | #endif |
1089 | |
1090 | if(ludp->lud_attrs) { |
1091 | size_t i; |
1092 | for(i = 0; i < ludp->lud_attrs_dups; i++) { |
1093 | #if defined(USE_WIN32_LDAP) |
1094 | curlx_unicodefree(ludp->lud_attrs[i]); |
1095 | #else |
1096 | free(ludp->lud_attrs[i]); |
1097 | #endif |
1098 | } |
1099 | free(ludp->lud_attrs); |
1100 | } |
1101 | |
1102 | free(ludp); |
1103 | } |
1104 | #endif /* !HAVE_LDAP_URL_PARSE */ |
1105 | #endif /* !CURL_DISABLE_LDAP && !USE_OPENLDAP */ |
1106 | |