mirror of
https://github.com/curl/curl.git
synced 2026-07-10 10:37:16 +03:00
ldap: support insecure mode for Windows native LDAP
- Bypass cert verification if verifypeer is disabled. Prior to this change libcurl lacked the ability to bypass certificate verification for Windows native LDAP (USE_WIN32_LDAP). A comment said "Win32 LDAP SDK does not support insecure mode without CA!" but I found that we can bypass the check by setting a verify callback to override Windows' internal verify check. Closes https://github.com/curl/curl/pull/22152
This commit is contained in:
parent
a1af38be09
commit
4ce309d968
1 changed files with 22 additions and 1 deletions
23
lib/ldap.c
23
lib/ldap.c
|
|
@ -251,6 +251,17 @@ static bool ldap_value_needs_base64(const char *attr, size_t attr_len,
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
#ifdef USE_WIN32_LDAP
|
||||
static BOOLEAN bypass_cert_verify(PLDAP Connection,
|
||||
PCCERT_CONTEXT *ppServerCert)
|
||||
{
|
||||
(void)Connection;
|
||||
CertFreeCertificateContext(*ppServerCert);
|
||||
/* approve any certificate since the verification is set to bypass */
|
||||
return TRUE;
|
||||
}
|
||||
#endif
|
||||
|
||||
static CURLcode ldap_do(struct Curl_easy *data, bool *done)
|
||||
{
|
||||
CURLcode result = CURLE_OK;
|
||||
|
|
@ -340,8 +351,18 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
|
|||
if(ldap_ssl) {
|
||||
#ifdef HAVE_LDAP_SSL
|
||||
#ifdef USE_WIN32_LDAP
|
||||
/* Win32 LDAP SDK does not support insecure mode without CA! */
|
||||
/* Win32 LDAP uses the Windows CA store to verify certificates */
|
||||
ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON);
|
||||
if(!conn->ssl_config.verifypeer) {
|
||||
if(conn->ssl_config.verifyhost) {
|
||||
failf(data, "LDAP local: host verification cannot be enabled when "
|
||||
"peer verification is disabled for Windows native LDAP");
|
||||
result = CURLE_NOT_BUILT_IN;
|
||||
goto quit;
|
||||
}
|
||||
ldap_set_option(server, LDAP_OPT_SERVER_CERTIFICATE,
|
||||
(void *)(uintptr_t)bypass_cert_verify);
|
||||
}
|
||||
#else /* !USE_WIN32_LDAP */
|
||||
int ldap_option;
|
||||
const char *ldap_ca = conn->ssl_config.CAfile;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue