Implementing WinLDAP support.

Perry Werneck
1 parent b455df4f
Showing 4 changed files with 139 additions and 22 deletions Show diff stats
configure.ac
src/ssl/windows/getcrl.c
src/ssl/windows/ldap.c
src/ssl/windows/private.h
@@ -79,7 +79,7 @@ case &quot;$host&quot; in
 	*-mingw32|*-pc-msys)
 		app_cv_osname="windows"
 		CFLAGS="$CFLAGS -pthread -D_WIN32_WINNT=0x0600"
-		LIBS="$LIBS -lws2_32 -lwtsapi32 -lcomdlg32 -lwldap32"
+		LIBS="$LIBS -lws2_32 -lwtsapi32 -lcomdlg32"
 		LDFLAGS="$LDFLAGS -pthread"
 		DLL_LDFLAGS="-shared -Wl,--output-def,\$(@D)/\$(LIBNAME).def"
 		DLLEXT=".dll"
@@ -521,24 +521,36 @@ AC_ARG_ENABLE([ldap],
 if test "x${have_ldap}" != xno ; then
-        AC_CHECK_HEADERS(
-                [ldap.h],
-                [have_ldap=yes],
-                [if test "x$have_ldap" = xyes ; then
-                        AC_MSG_ERROR([LDAP headers not found.])
-                fi])
-        if test "x$have_ldap" = xyes ; then
+	case "$host" in
+		*-mingw32|*-pc-msys)
+			LDAP_LIBS="-lwldap32"
+		     	AC_DEFINE(HAVE_LDAP,1,[LDAP is available])
+			;;
+
+	 	*)
+
+			AC_CHECK_HEADERS(
+				[ldap.h],
+				[have_ldap=yes],
+				[if test "x$have_ldap" = xyes ; then
+				        AC_MSG_ERROR([LDAP headers not found.])
+				fi])
+
+			if test "x$have_ldap" = xyes ; then
-                LDAP_LIBS="-lldap -llber"
-             	AC_DEFINE(HAVE_LDAP,1,[LDAP is available])
-                M4_DEFINES="$M4_DEFINES -DHAVE_LDAP"
+				LDAP_LIBS="-lldap -llber"
+			     	AC_DEFINE(HAVE_LDAP,1,[LDAP is available])
+				M4_DEFINES="$M4_DEFINES -DHAVE_LDAP"
-        else
+			else
-                have_ldap=no
+				have_ldap=no
-        fi
+			fi
+
+
+	esac
 else
         LDAP_LIBS=
@@ -98,13 +98,13 @@ LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE *
 	}
-#ifdef DEBUG
+#ifdef HAVE_LDAP
 	else if(strncasecmp(consturl,"ldap://",7) == 0 && strlen(consturl) > 8)
 	{
-		return get_crl_using_winldap(hSession, message, consturl);
+		return get_crl_using_ldap(hSession, message, consturl);
 	}
-#endif // DEBUG
+#endif // HAVE_LDAP
 	else
 	{
 #ifdef HAVE_LIBCURL
@@ -27,6 +27,7 @@
  *
  * References:
  *
+ * https://docs.microsoft.com/en-us/windows/win32/api/winldap/
  * https://github.com/curl/curl/blob/curl-7_62_0/lib/ldap.c
  * http://forums.codeguru.com/showthread.php?313123-Elementary-problems-using-winldap
  * https://stackoverflow.com/questions/21501002/how-to-use-ldap-sasl-bind-in-winldap
@@ -35,7 +36,7 @@
 #include <config.h>
-#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
+#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LDAP)
 #include "private.h"
 #include <winldap.h>
@@ -59,7 +60,32 @@ static inline void lib3270_autoptr_cleanup_LDAP(LDAP **ptr)
 }
-X509_CRL * get_crl_using_winldap(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl)
+static inline void lib3270_autoptr_cleanup_LDAPMessage(LDAPMessage **message)
+{
+	debug("%s(%p)",__FUNCTION__,*message);
+	if(message)
+		ldap_msgfree(*message);
+	*message = NULL;
+}
+
+static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)
+{
+	debug("%s(%p)",__FUNCTION__,*ptr);
+	if(*ptr)
+		ldap_memfree(*ptr);
+	*ptr = NULL;
+}
+
+static inline void lib3270_autoptr_cleanup_BerElement(BerElement **ber)
+{
+	debug("%s(%p)",__FUNCTION__,*ber);
+	if(*ber)
+		ber_free(*ber, 0);
+	*ber = NULL;
+}
+
+
+X509_CRL * get_crl_using_ldap(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl)
 {
 	debug("********************************************************* %s",__FUNCTION__);
@@ -146,7 +172,7 @@ X509_CRL * get_crl_using_winldap(H3270 *hSession, SSL_ERROR_MESSAGE * message, c
 		return NULL;
 	}
-	rc = ldap_simple_bind(ld, "", "");
+	rc = ldap_simple_bind_s(ld, NULL, NULL);
 	if(rc != LDAP_SUCCESS)
 	{
 		message->error = hSession->ssl.error = 0;
@@ -161,6 +187,81 @@ X509_CRL * get_crl_using_winldap(H3270 *hSession, SSL_ERROR_MESSAGE * message, c
 		return NULL;
 	}
+	lib3270_autoptr(LDAPMessage) results = NULL;
+	rc = ldap_search_ext_s(
+				ld,						// Specifies the LDAP pointer returned by a previous call to ldap_init(), ldap_ssl_init(), or ldap_open().
+				base,					// Specifies the DN of the entry at which to start the search.
+				LDAP_SCOPE_BASE,		// Specifies the scope of the search.
+				NULL,					// Specifies a string representation of the filter to apply in the search.
+				(char **)  &attrs,		// Specifies a null-terminated array of character string attribute types to return from entries that match filter.
+				0,						// Should be set to 1 to request attribute types only. Set to 0 to request both attributes types and attribute values.
+				NULL,
+				NULL,
+				NULL,
+				0,
+				&results
+			);
+
+
+	if(rc != LDAP_SUCCESS)
+	{
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't search LDAP server" );
+		message->description = ldap_err2string(rc);
+		lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
+		return NULL;
+	}
+
+	lib3270_autoptr(BerElement) ber = NULL;
+	char __attribute__ ((__cleanup__(lib3270_autoptr_cleanup_LDAPPTR))) *attr = ldap_first_attribute(ld, results, &ber);
+	if(!attr)
+	{
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't get LDAP attribute" );
+		message->description = _("Search did not produce any attributes.");
+		lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
+		errno = ENOENT;
+		return NULL;
+	}
+
+	struct berval ** value = ldap_get_values_len(ld, results, attr);
+	if(!value)
+	{
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't get LDAP attribute" );
+		message->description = _("Search did not produce any values.");
+		lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
+		errno = ENOENT;
+		return NULL;
+	}
+
+	if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
+	{
+		lib3270_trace_data(
+			hSession,
+			"CRL Data received from LDAP server",
+			(const char *) value[0]->bv_val,
+			value[0]->bv_len
+		);
+	}
+
+	// Precisa salvar uma cópia porque d2i_X509_CRL modifica o ponteiro.
+	const unsigned char *crl_data = (const unsigned char *) value[0]->bv_val;
+
+	if(!d2i_X509_CRL(&x509_crl, &crl_data, value[0]->bv_len))
+	{
+		message->error = hSession->ssl.error = ERR_get_error();
+		message->title = _( "Security error" );
+		message->text = _( "Can't decode certificate revocation list" );
+		lib3270_write_log(hSession,"ssl","%s: %s",url, message->text);
+		ldap_value_free_len(value);
+		return NULL;
+	}
+
+	ldap_value_free_len(value);
 	debug("********************************************************* %s",__FUNCTION__);
@@ -168,4 +269,4 @@ X509_CRL * get_crl_using_winldap(H3270 *hSession, SSL_ERROR_MESSAGE * message, c
 }
-#endif // defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
+#endif //  defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LDAP)
@@ -57,7 +57,11 @@
 	#endif // HAVE_LIBCURL
-	LIB3270_INTERNAL X509_CRL * get_crl_using_winldap(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl);
+	#ifdef HAVE_LDAP
+		/// @brief Use winldap to get CRL.
+		LIB3270_INTERNAL X509_CRL * get_crl_using_ldap(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl);
+
+	#endif // HAVE_LDAP
 #endif // !LIB3270_WIN32_SSL_PRIVATE_H_INCLUDED
	@@ -98,13 +98,13 @@ LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 hSession, SSL_ERROR_MESSAGE		@@ -98,13 +98,13 @@ LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 hSession, SSL_ERROR_MESSAGE
98		98
99		99
100	}	100	}
101	-#ifdef DEBUG	101	+#ifdef HAVE_LDAP
102	else if(strncasecmp(consturl,"ldap://",7) == 0 && strlen(consturl) > 8)	102	else if(strncasecmp(consturl,"ldap://",7) == 0 && strlen(consturl) > 8)
103	{	103	{
104	- return get_crl_using_winldap(hSession, message, consturl);	104	+ return get_crl_using_ldap(hSession, message, consturl);
105		105
106	}	106	}
107	-#endif // DEBUG	107	+#endif // HAVE_LDAP
108	else	108	else
109	{	109	{
110	#ifdef HAVE_LIBCURL	110	#ifdef HAVE_LIBCURL
	@@ -27,6 +27,7 @@		@@ -27,6 +27,7 @@
27	*	27	*
28	* References:	28	* References:
29	*	29	*
		30	+ * https://docs.microsoft.com/en-us/windows/win32/api/winldap/
30	* https://github.com/curl/curl/blob/curl-7_62_0/lib/ldap.c	31	* https://github.com/curl/curl/blob/curl-7_62_0/lib/ldap.c
31	* http://forums.codeguru.com/showthread.php?313123-Elementary-problems-using-winldap	32	* http://forums.codeguru.com/showthread.php?313123-Elementary-problems-using-winldap
32	* https://stackoverflow.com/questions/21501002/how-to-use-ldap-sasl-bind-in-winldap	33	* https://stackoverflow.com/questions/21501002/how-to-use-ldap-sasl-bind-in-winldap
	@@ -35,7 +36,7 @@		@@ -35,7 +36,7 @@
35		36
36	#include <config.h>	37	#include <config.h>
37		38
38	-#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)	39	+#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LDAP)
39		40
40	#include "private.h"	41	#include "private.h"
41	#include <winldap.h>	42	#include <winldap.h>
	@@ -59,7 +60,32 @@ static inline void lib3270_autoptr_cleanup_LDAP(LDAP **ptr)		@@ -59,7 +60,32 @@ static inline void lib3270_autoptr_cleanup_LDAP(LDAP **ptr)
59		60
60	}	61	}
61		62
62	-X509_CRL * get_crl_using_winldap(H3270 hSession, SSL_ERROR_MESSAGE message, const char *consturl)	63	+static inline void lib3270_autoptr_cleanup_LDAPMessage(LDAPMessage **message)
		64	+{
		65	+ debug("%s(%p)",__FUNCTION__,*message);
		66	+ if(message)
		67	+ ldap_msgfree(*message);
		68	+ *message = NULL;
		69	+}
		70	+
		71	+static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)
		72	+{
		73	+ debug("%s(%p)",__FUNCTION__,*ptr);
		74	+ if(*ptr)
		75	+ ldap_memfree(*ptr);
		76	+ *ptr = NULL;
		77	+}
		78	+
		79	+static inline void lib3270_autoptr_cleanup_BerElement(BerElement **ber)
		80	+{
		81	+ debug("%s(%p)",__FUNCTION__,*ber);
		82	+ if(*ber)
		83	+ ber_free(*ber, 0);
		84	+ *ber = NULL;
		85	+}
		86	+
		87	+
		88	+X509_CRL * get_crl_using_ldap(H3270 hSession, SSL_ERROR_MESSAGE message, const char *consturl)
63	{	89	{
64	debug("********************************************************* %s",__FUNCTION__);	90	debug("********************************************************* %s",__FUNCTION__);
65		91
	@@ -146,7 +172,7 @@ X509_CRL * get_crl_using_winldap(H3270 hSession, SSL_ERROR_MESSAGE message, c		@@ -146,7 +172,7 @@ X509_CRL * get_crl_using_winldap(H3270 hSession, SSL_ERROR_MESSAGE message, c
146	return NULL;	172	return NULL;
147	}	173	}
148		174
149	- rc = ldap_simple_bind(ld, "", "");	175	+ rc = ldap_simple_bind_s(ld, NULL, NULL);
150	if(rc != LDAP_SUCCESS)	176	if(rc != LDAP_SUCCESS)
151	{	177	{
152	message->error = hSession->ssl.error = 0;	178	message->error = hSession->ssl.error = 0;
	@@ -161,6 +187,81 @@ X509_CRL * get_crl_using_winldap(H3270 hSession, SSL_ERROR_MESSAGE message, c		@@ -161,6 +187,81 @@ X509_CRL * get_crl_using_winldap(H3270 hSession, SSL_ERROR_MESSAGE message, c
161	return NULL;	187	return NULL;
162	}	188	}
163		189
		190	+ lib3270_autoptr(LDAPMessage) results = NULL;
		191	+ rc = ldap_search_ext_s(
		192	+ ld, // Specifies the LDAP pointer returned by a previous call to ldap_init(), ldap_ssl_init(), or ldap_open().
		193	+ base, // Specifies the DN of the entry at which to start the search.
		194	+ LDAP_SCOPE_BASE, // Specifies the scope of the search.
		195	+ NULL, // Specifies a string representation of the filter to apply in the search.
		196	+ (char **) &attrs, // Specifies a null-terminated array of character string attribute types to return from entries that match filter.
		197	+ 0, // Should be set to 1 to request attribute types only. Set to 0 to request both attributes types and attribute values.
		198	+ NULL,
		199	+ NULL,
		200	+ NULL,
		201	+ 0,
		202	+ &results
		203	+ );
		204	+
		205	+
		206	+ if(rc != LDAP_SUCCESS)
		207	+ {
		208	+ message->error = hSession->ssl.error = 0;
		209	+ message->title = _( "Security error" );
		210	+ message->text = _( "Can't search LDAP server" );
		211	+ message->description = ldap_err2string(rc);
		212	+ lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
		213	+ return NULL;
		214	+ }
		215	+
		216	+ lib3270_autoptr(BerElement) ber = NULL;
		217	+ char __attribute__ ((__cleanup__(lib3270_autoptr_cleanup_LDAPPTR))) *attr = ldap_first_attribute(ld, results, &ber);
		218	+ if(!attr)
		219	+ {
		220	+ message->error = hSession->ssl.error = 0;
		221	+ message->title = _( "Security error" );
		222	+ message->text = _( "Can't get LDAP attribute" );
		223	+ message->description = _("Search did not produce any attributes.");
		224	+ lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
		225	+ errno = ENOENT;
		226	+ return NULL;
		227	+ }
		228	+
		229	+ struct berval ** value = ldap_get_values_len(ld, results, attr);
		230	+ if(!value)
		231	+ {
		232	+ message->error = hSession->ssl.error = 0;
		233	+ message->title = _( "Security error" );
		234	+ message->text = _( "Can't get LDAP attribute" );
		235	+ message->description = _("Search did not produce any values.");
		236	+ lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
		237	+ errno = ENOENT;
		238	+ return NULL;
		239	+ }
		240	+
		241	+ if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
		242	+ {
		243	+ lib3270_trace_data(
		244	+ hSession,
		245	+ "CRL Data received from LDAP server",
		246	+ (const char *) value[0]->bv_val,
		247	+ value[0]->bv_len
		248	+ );
		249	+ }
		250	+
		251	+ // Precisa salvar uma cópia porque d2i_X509_CRL modifica o ponteiro.
		252	+ const unsigned char crl_data = (const unsigned char ) value[0]->bv_val;
		253	+
		254	+ if(!d2i_X509_CRL(&x509_crl, &crl_data, value[0]->bv_len))
		255	+ {
		256	+ message->error = hSession->ssl.error = ERR_get_error();
		257	+ message->title = _( "Security error" );
		258	+ message->text = _( "Can't decode certificate revocation list" );
		259	+ lib3270_write_log(hSession,"ssl","%s: %s",url, message->text);
		260	+ ldap_value_free_len(value);
		261	+ return NULL;
		262	+ }
		263	+
		264	+ ldap_value_free_len(value);
164		265
165	debug("********************************************************* %s",__FUNCTION__);	266	debug("********************************************************* %s",__FUNCTION__);
166		267
	@@ -168,4 +269,4 @@ X509_CRL * get_crl_using_winldap(H3270 hSession, SSL_ERROR_MESSAGE message, c		@@ -168,4 +269,4 @@ X509_CRL * get_crl_using_winldap(H3270 hSession, SSL_ERROR_MESSAGE message, c
168		269
169	}	270	}
170		271
171	-#endif // defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)	272	+#endif // defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LDAP)