Since most LDAP servers do not require mTLS, for now the callback function is saved but not called.
From: Alex Henrie alexhenrie24@gmail.com
---
 dlls/wldap32/init.c | 6 +++---
 dlls/wldap32/option.c | 2 +-
 dlls/wldap32/winldap_private.h | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/dlls/wldap32/init.c b/dlls/wldap32/init.c
index c5b11a4de28..47063122b04 100644
--- a/dlls/wldap32/init.c
+++ b/dlls/wldap32/init.c
@@ -250,7 +250,7 @@ exit:
  */
 ULONG CDECL WLDAP32_ldap_connect( LDAP *ld, struct l_timeval *timeout )
 {
-    VERIFYSERVERCERT *cert_callback = CERT_CALLBACK(ld);
+    VERIFYSERVERCERT *server_cert_callback = SERVER_CERT_CALLBACK(ld);
     int ret;
 
     TRACE( "(%p, %p)\n", ld, timeout );
@@ -261,7 +261,7 @@ ULONG CDECL WLDAP32_ldap_connect( LDAP *ld, struct l_timeval *timeout )
     if (timeout && (timeout->tv_sec || timeout->tv_usec)) FIXME( "ignoring timeout\n" );
     if ((ret = ldap_connect( CTX(ld) ))) return map_error( ret );
 
-    if (cert_callback)
+    if (server_cert_callback)
     {
         CtxtHandle *tls_context;
         const CERT_CONTEXT *cert;
@@ -271,7 +271,7 @@ ULONG CDECL WLDAP32_ldap_connect( LDAP *ld, struct l_timeval *timeout )
 
         if (QueryContextAttributesA( tls_context, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert ) == SEC_E_OK)
         {
-            if (cert_callback( ld, &cert ))
+            if (server_cert_callback( ld, &cert ))
             {
                 TRACE( "accepted\n" );
             }
diff --git a/dlls/wldap32/option.c b/dlls/wldap32/option.c
index cc416389276..57e74b5b2d2 100644
--- a/dlls/wldap32/option.c
+++ b/dlls/wldap32/option.c
@@ -499,7 +499,7 @@ ULONG CDECL ldap_set_optionW( LDAP *ld, int option, void *value )
         return map_error( ldap_set_option( CTX(ld), LDAP_OPT_REFHOPLIMIT, value ) );
 
     case WLDAP32_LDAP_OPT_SERVER_CERTIFICATE:
-        CERT_CALLBACK(ld) = value;
+        SERVER_CERT_CALLBACK(ld) = value;
         return WLDAP32_LDAP_SUCCESS;
 
     case WLDAP32_LDAP_OPT_DEREF:
diff --git a/dlls/wldap32/winldap_private.h b/dlls/wldap32/winldap_private.h
index ce9a7cc3fa8..3393c031007 100644
--- a/dlls/wldap32/winldap_private.h
+++ b/dlls/wldap32/winldap_private.h
@@ -228,14 +228,14 @@ struct private_data
 {
     LDAP *ctx;
     struct berval **server_ctrls;
-    VERIFYSERVERCERT *cert_callback;
+    VERIFYSERVERCERT *server_cert_callback;
     BOOL connected;
 };
 C_ASSERT(sizeof(struct private_data) < FIELD_OFFSET(struct ld_sb, sb_naddr) - FIELD_OFFSET(struct ld_sb, Reserved1));
 
 #define CTX(ld) (((struct private_data *)ld->ld_sb.Reserved1)->ctx)
 #define SERVER_CTRLS(ld) (((struct private_data *)ld->ld_sb.Reserved1)->server_ctrls)
-#define CERT_CALLBACK(ld) (((struct private_data *)ld->ld_sb.Reserved1)->cert_callback)
+#define SERVER_CERT_CALLBACK(ld) (((struct private_data *)ld->ld_sb.Reserved1)->server_cert_callback)
 #define CONNECTED(ld) (((struct private_data *)ld->ld_sb.Reserved1)->connected)
 
 #define MSG(entry) (entry->Request)
From: Alex Henrie alexhenrie24@gmail.com
Since most LDAP servers do not require mTLS, for now the callback function is saved but not called.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=55507
---
 dlls/wldap32/init.c | 4 ++++
 dlls/wldap32/option.c | 7 +++++--
 dlls/wldap32/winldap_private.h | 4 ++++
 include/winldap.h | 1 +
 4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/dlls/wldap32/init.c b/dlls/wldap32/init.c
index 47063122b04..44fc44ee485 100644
--- a/dlls/wldap32/init.c
+++ b/dlls/wldap32/init.c
@@ -250,6 +250,7 @@ exit:
  */
 ULONG CDECL WLDAP32_ldap_connect( LDAP *ld, struct l_timeval *timeout )
 {
+    QUERYCLIENTCERT *client_cert_callback = CLIENT_CERT_CALLBACK(ld);
     VERIFYSERVERCERT *server_cert_callback = SERVER_CERT_CALLBACK(ld);
     int ret;
 
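Review bot: The new initializer `QUERYCLIENTCERT *client_cert_callback = CLIENT_CERT_CALLBACK(ld);` dereferences ld (via ld->ld_sb.Reserved1) before the `if (!ld) return WLDAP32_LDAP_PARAM_ERROR;` guard that the next hunk shows, so a NULL ld crashes instead of returning the parameter error; the existing server_cert_callback initializer has the same ordering problem, and this patch repeats it rather than fixing it. Both reads should move below the guard: declare `QUERYCLIENTCERT *client_cert_callback;` and `VERIFYSERVERCERT *server_cert_callback;` at the top, then assign `client_cert_callback = CLIENT_CERT_CALLBACK(ld);` and `server_cert_callback = SERVER_CERT_CALLBACK(ld);` right after the CONNECTED(ld) check. WLDAP32_ldap_connect continues beyond this hunk.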
@@ -258,6 +259,9 @@ ULONG CDECL WLDAP32_ldap_connect( LDAP *ld, struct l_timeval *timeout )
     if (!ld) return WLDAP32_LDAP_PARAM_ERROR;
     if (CONNECTED(ld)) return WLDAP32_LDAP_SUCCESS;
 
+    if (client_cert_callback)
+        FIXME( "mTLS is not implemented\n" );
+
     if (timeout && (timeout->tv_sec || timeout->tv_usec)) FIXME( "ignoring timeout\n" );
     if ((ret = ldap_connect( CTX(ld) ))) return map_error( ret );
 
diff --git a/dlls/wldap32/option.c b/dlls/wldap32/option.c
index 57e74b5b2d2..a5c8ac98f88 100644
--- a/dlls/wldap32/option.c
+++ b/dlls/wldap32/option.c
@@ -307,6 +307,7 @@ ULONG CDECL ldap_set_optionA( LDAP *ld, int option, void *value )
         return ret;
     }
     case WLDAP32_LDAP_OPT_AUTO_RECONNECT:
+    case WLDAP32_LDAP_OPT_CLIENT_CERTIFICATE:
     case WLDAP32_LDAP_OPT_DEREF:
     case WLDAP32_LDAP_OPT_DESC:
     case WLDAP32_LDAP_OPT_ENCRYPT:
@@ -337,7 +338,6 @@ ULONG CDECL ldap_set_optionA( LDAP *ld, int option, void *value )
         return WLDAP32_LDAP_UNWILLING_TO_PERFORM;
 
     case WLDAP32_LDAP_OPT_AREC_EXCLUSIVE:
-    case WLDAP32_LDAP_OPT_CLIENT_CERTIFICATE:
     case WLDAP32_LDAP_OPT_DNSDOMAIN_NAME:
     case WLDAP32_LDAP_OPT_ERROR_STRING:
     case WLDAP32_LDAP_OPT_FAST_CONCURRENT_BIND:
@@ -495,6 +495,10 @@ ULONG CDECL ldap_set_optionW( LDAP *ld, int option, void *value )
         return map_error( ldap_set_option( CTX(ld), LDAP_OPT_RESTART, value ) );
     }
 
+    case WLDAP32_LDAP_OPT_CLIENT_CERTIFICATE:
+        CLIENT_CERT_CALLBACK(ld) = value;
+        return WLDAP32_LDAP_SUCCESS;
+
     case WLDAP32_LDAP_OPT_REFERRAL_HOP_LIMIT:
         return map_error( ldap_set_option( CTX(ld), LDAP_OPT_REFHOPLIMIT, value ) );
 
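Review bot: `CLIENT_CERT_CALLBACK(ld) = value;` stores the callback and returns WLDAP32_LDAP_SUCCESS, but nothing in this series ever invokes it, so a caller that relies on the return value to conclude that client-certificate authentication is in place gets a false positive, and only a debug-channel FIXME at connect time reveals that no certificate will be presented. A comment at the store site would make the gap visible to the next maintainer: `/* stored only: WLDAP32_ldap_connect does not present a client certificate yet (mTLS unimplemented) */`. The commit message says this is deliberate, presumably to keep applications that set the option working; if so, the comment should state that too. ldap_set_optionW's switch continues outside the hunk.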
@@ -561,7 +565,6 @@ ULONG CDECL ldap_set_optionW( LDAP *ld, int option, void *value )
         return WLDAP32_LDAP_SUCCESS;
         /* fall through */
     case WLDAP32_LDAP_OPT_AREC_EXCLUSIVE:
-    case WLDAP32_LDAP_OPT_CLIENT_CERTIFICATE:
     case WLDAP32_LDAP_OPT_DNSDOMAIN_NAME:
     case WLDAP32_LDAP_OPT_ERROR_STRING:
     case WLDAP32_LDAP_OPT_FAST_CONCURRENT_BIND:
diff --git a/dlls/wldap32/winldap_private.h b/dlls/wldap32/winldap_private.h
index 3393c031007..d75ba425774 100644
--- a/dlls/wldap32/winldap_private.h
+++ b/dlls/wldap32/winldap_private.h
@@ -23,6 +23,7 @@
 #include "winternl.h"
 #include "wincrypt.h"
 #include "winnls.h"
+#include "schannel.h"
 
 #define LDAP_NEEDS_PROTOTYPES
 #include <lber.h>
@@ -222,12 +223,14 @@ typedef struct ldap
     ULONG ld_options;
 } LDAP, *PLDAP;
 
+typedef BOOLEAN (CDECL QUERYCLIENTCERT)(LDAP *, SecPkgContext_IssuerListInfoEx *, const CERT_CONTEXT **);
 typedef BOOLEAN (CDECL VERIFYSERVERCERT)(LDAP *, const CERT_CONTEXT **);
 
 struct private_data
 {
     LDAP *ctx;
     struct berval **server_ctrls;
+    QUERYCLIENTCERT *client_cert_callback;
     VERIFYSERVERCERT *server_cert_callback;
     BOOL connected;
 };
@@ -235,6 +238,7 @@ C_ASSERT(sizeof(struct private_data) < FIELD_OFFSET(struct ld_sb, sb_naddr) - FI
 
 #define CTX(ld) (((struct private_data *)ld->ld_sb.Reserved1)->ctx)
 #define SERVER_CTRLS(ld) (((struct private_data *)ld->ld_sb.Reserved1)->server_ctrls)
+#define CLIENT_CERT_CALLBACK(ld) (((struct private_data *)ld->ld_sb.Reserved1)->client_cert_callback)
 #define SERVER_CERT_CALLBACK(ld) (((struct private_data *)ld->ld_sb.Reserved1)->server_cert_callback)
 #define CONNECTED(ld) (((struct private_data *)ld->ld_sb.Reserved1)->connected)
 
diff --git a/include/winldap.h b/include/winldap.h
index 9e91d0e653a..4f2543a05aa 100644
--- a/include/winldap.h
+++ b/include/winldap.h
@@ -391,6 +391,7 @@ typedef struct ldap_apifeature_infoW
 
 DECL_WINELIB_TYPE_AW(LDAPAPIFeatureInfo)
 
+typedef BOOLEAN (CDECL QUERYCLIENTCERT)(LDAP*,SecPkgContext_IssuerListInfoEx*,const CERT_CONTEXT**);
 typedef BOOLEAN (CDECL VERIFYSERVERCERT)(LDAP*,const CERT_CONTEXT**);