/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2021 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
/* ACKNOWLEDGEMENTS:
* This program was originally developed by Kurt D. Zeilenga for inclusion in
* OpenLDAP Software.
*/
#include "portable.h"
#include <stdio.h>
#include <ac/stdlib.h>
#include <ac/string.h>
#include <ac/time.h>
#include "ldap-int.h"
/*
* LDAP Verify Credentials operation
*
* The request is an extended request with OID 1.3.6.1.4.1.4203.666.6.5 with value of
* the BER encoding of:
*
* VCRequest ::= SEQUENCE {
* cookie [0] OCTET STRING OPTIONAL,
* name LDAPDN,
* authentication AuthenticationChoice,
* controls [2] Controls OPTIONAL
* }
*
* where LDAPDN, AuthenticationChoice, and Controls are as defined in RFC 4511.
*
* The response is an extended response with no OID and a value of the BER encoding of
*
* VCResponse ::= SEQUENCE {
* resultCode ResultCode,
* diagnosticMessage LDAPString,
* cookie [0] OCTET STRING OPTIONAL,
* serverSaslCreds [1] OCTET STRING OPTIONAL,
* controls [2] Controls OPTIONAL
* }
*
* where ResultCode is the result code enumeration from RFC 4511, and LDAPString and Controls are as
* defined in RFC 4511.
*/
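/*
 * ldap_parse_verify_credentials -- decode the VCResponse carried in an
 * extended result (see the VCResponse ASN.1 at the top of this file).
 *
 * ld       session the result belongs to; ld->ld_errno is set on failure
 * res      extended result message obtained from ldap_result()
 * code     out (required): the VCResponse resultCode
 * diagmsg  out (required): the VCResponse diagnosticMessage as a
 *          NUL-terminated string, released with ldap_memfree()
 * cookie   out (optional): the VCResponse cookie, released with ber_bvfree()
 * screds   out (optional): serverSaslCreds, released with ber_bvfree()
 * ctrls    out (optional): the VCResponse controls, released with
 *          ldap_controls_free()
 *
 * Returns LDAP_SUCCESS when the value was decoded, LDAP_DECODING_ERROR for
 * malformed input, LDAP_NO_MEMORY on allocation failure, or whatever
 * ldap_parse_extended_result() returned.  On failure every output pointer
 * is NULL; nothing partially decoded is handed to the caller.
 *
 * The outer LDAP resultCode of the extended result is not examined here.
 * When the server returned no response value (typically because the
 * operation itself failed) this returns LDAP_SUCCESS with *code untouched
 * and the pointer outputs NULL; the caller must then consult the message's
 * own resultCode (e.g. via ldap_parse_result()).
 */
int ldap_parse_verify_credentials(
	LDAP *ld,
	LDAPMessage *res,
	int * code,
	char ** diagmsg,
	struct berval **cookie,
	struct berval **screds,
	LDAPControl ***ctrls)
{
	int rc;
	char *retoid = NULL;
	struct berval *retdata = NULL;

	assert(ld != NULL);
	assert(LDAP_VALID(ld));
	assert(res != NULL);
	assert(code != NULL);
	assert(diagmsg != NULL);

	/* Never leave the outputs indeterminate: a caller that frees them
	 * on an error path must see NULL, not stack garbage. */
	*diagmsg = NULL;
	if (cookie != NULL) *cookie = NULL;
	if (screds != NULL) *screds = NULL;
	if (ctrls != NULL) *ctrls = NULL;

	rc = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
	if( rc != LDAP_SUCCESS ) {
		ldap_perror(ld, "ldap_parse_verify_credentials");
		return rc;
	}

	if (retdata) {
		ber_tag_t tag;
		ber_len_t len;
		ber_int_t i;
		BerElement * ber = ber_init(retdata);
		struct berval diagmsg_bv = BER_BVNULL;

		if (!ber) {
			rc = ld->ld_errno = LDAP_NO_MEMORY;
			goto done;
		}

		/* Every early exit below is a decoding error unless the
		 * branch says otherwise. */
		rc = LDAP_DECODING_ERROR;

		/* "m" borrows diagnosticMessage from the ber; it is copied below */
		if (ber_scanf(ber, "{im" /*"}"*/, &i, &diagmsg_bv) == LBER_ERROR) {
			goto ber_done;
		}

		*diagmsg = LDAP_MALLOC( diagmsg_bv.bv_len + 1 );
		if (*diagmsg == NULL) {
			rc = LDAP_NO_MEMORY;
			goto ber_done;
		}
		AC_MEMCPY( *diagmsg, diagmsg_bv.bv_val, diagmsg_bv.bv_len );
		(*diagmsg)[diagmsg_bv.bv_len] = '\0';
		*code = i;

		/* The remaining components are OPTIONAL and context-tagged, so
		 * each is consumed only if its tag is next.  When the caller did
		 * not ask for one, "x" skips it instead of storing through NULL. */
		tag = ber_peek_tag(ber, &len);
		if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE) {
			if (ber_scanf(ber, cookie ? "O" : "x", cookie) == LBER_ERROR)
				goto ber_done;
			tag = ber_peek_tag(ber, &len);
		}

		if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS) {
			if (ber_scanf(ber, screds ? "O" : "x", screds) == LBER_ERROR)
				goto ber_done;
			tag = ber_peek_tag(ber, &len);
		}

		if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS) {
			if (ctrls == NULL) {
				/* not wanted: skip the whole Controls SEQUENCE */
				if (ber_scanf(ber, "x") == LBER_ERROR)
					goto ber_done;
			} else {
				int nctrls = 0;
				char * opaque;

				*ctrls = LDAP_MALLOC(1 * sizeof(LDAPControl *));
				if (!*ctrls) {
					rc = LDAP_NO_MEMORY;
					goto ber_done;
				}
				(*ctrls)[nctrls] = NULL;

				for (tag = ber_first_element(ber, &len, &opaque);
					tag != LBER_ERROR;
					tag = ber_next_element(ber, &len, opaque))
				{
					LDAPControl *tctrl;
					LDAPControl **tctrls;

					tctrl = LDAP_CALLOC(1, sizeof(LDAPControl));
					/* room for the current controls (nctrls) + this one
					 * + the terminating NULL; *ctrls stays valid if the
					 * realloc fails */
					tctrls = !tctrl ? NULL
						: LDAP_REALLOC(*ctrls, (nctrls+2) * sizeof(LDAPControl *));
					if (!tctrls) {
						if (tctrl) LDAP_FREE(tctrl);
						rc = LDAP_NO_MEMORY;
						goto ber_done;
					}
					tctrls[nctrls++] = tctrl;
					tctrls[nctrls] = NULL;
					/* hand the array over now so any later failure frees
					 * this control along with the others */
					*ctrls = tctrls;

					if (ber_scanf(ber, "{a" /*"}"*/, &tctrl->ldctl_oid) == LBER_ERROR) {
						goto ber_done;
					}

					tag = ber_peek_tag(ber, &len);
					if (tag == LBER_BOOLEAN) {
						ber_int_t crit;
						if (ber_scanf(ber, "b", &crit) == LBER_ERROR)
							goto ber_done;
						/* a TRUE criticality on the wire yields a nonzero
						 * ldctl_iscritical (the previous code inverted it) */
						tctrl->ldctl_iscritical = crit ? (char) ~0 : (char) 0;
						tag = ber_peek_tag(ber, &len);
					}

					if (tag == LBER_OCTETSTRING) {
						if (ber_scanf( ber, "o", &tctrl->ldctl_value ) == LBER_ERROR)
							goto ber_done;
					} else {
						BER_BVZERO( &tctrl->ldctl_value );
					}
				}
			}
		}

		rc = LDAP_SUCCESS;

ber_done:
		ber_free(ber, 1);

		if (rc != LDAP_SUCCESS) {
			/* a partial decode hands nothing back to the caller */
			LDAP_FREE(*diagmsg);
			*diagmsg = NULL;
			if (cookie != NULL && *cookie != NULL) {
				ber_bvfree(*cookie);
				*cookie = NULL;
			}
			if (screds != NULL && *screds != NULL) {
				ber_bvfree(*screds);
				*screds = NULL;
			}
			if (ctrls != NULL && *ctrls != NULL) {
				ldap_controls_free(*ctrls);
				*ctrls = NULL;
			}
			ld->ld_errno = rc;
		}
	}

done:
	ber_bvfree(retdata);
	ber_memfree(retoid);
	return rc;
}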
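/*
 * ldap_verify_credentials -- send an asynchronous Verify Credentials
 * extended operation (LDAP_EXOP_VERIFY_CREDENTIALS) carrying a VCRequest
 * encoded as described at the top of this file.
 *
 * ld         session to send on
 * cookie     optional continuation cookie from a previous VCResponse;
 *            only meaningful for SASL and rejected for simple auth
 * dn         name to authenticate; NULL is sent as the empty DN
 * mechanism  LDAP_SASL_SIMPLE (NULL) for simple authentication, otherwise
 *            the SASL mechanism name
 * cred       the credential: simple password, or SASL client response.
 *            For SASL a NULL or empty-valued cred sends no credential;
 *            for simple a NULL cred is sent as an empty password
 * vcctrls    optional NULL-terminated controls embedded in the VCRequest
 * sctrls     server controls attached to the extended request itself
 * cctrls     client controls
 * msgidp     out: message id of the request, for ldap_result()
 *
 * Returns LDAP_SUCCESS, LDAP_NO_MEMORY, LDAP_PARAM_ERROR (cookie supplied
 * with simple authentication), LDAP_ENCODING_ERROR, or the result of
 * ldap_extended_operation().  ld->ld_errno is set on failure.
 *
 * NOTE(review): the BerElement holding the plaintext credential is freed
 * with ber_free() without being zeroed first, so the secret may linger in
 * released heap memory.
 */
int
ldap_verify_credentials(LDAP *ld,
	struct berval *cookie,
	LDAP_CONST char *dn,
	LDAP_CONST char *mechanism,
	struct berval *cred,
	LDAPControl **vcctrls,
	LDAPControl **sctrls,
	LDAPControl **cctrls,
	int *msgidp)
{
	int rc;
	BerElement *ber;
	struct berval reqdata;

	assert(ld != NULL);
	assert(LDAP_VALID(ld));
	assert(msgidp != NULL);

	if (dn == NULL) dn = "";

	ber = ber_alloc_t(LBER_USE_DER);
	if (ber == NULL) {
		/* the old code went straight into ber_printf() with a NULL ber */
		return ld->ld_errno = LDAP_NO_MEMORY;
	}

	if (mechanism == LDAP_SASL_SIMPLE) {
		struct berval empty = BER_BVC("");

		/* VCRequest has no place for a cookie in a simple bind; refuse it
		 * instead of silently dropping it (the assert only fires in
		 * debug builds) */
		if (cookie != NULL) {
			assert(!cookie);
			rc = ld->ld_errno = LDAP_PARAM_ERROR;
			goto done;
		}
		if (cred == NULL) cred = &empty;

		rc = ber_printf(ber, "{stO" /*"}"*/,
			dn, LDAP_AUTH_SIMPLE, cred);
	} else {
		int have_cred = (cred != NULL && !BER_BVISNULL(cred));

		/* Build the same SEQUENCE the four hand-written format strings
		 * produced, one component at a time:
		 *   { [0] cookie OPTIONAL, name, [3] { mechanism, cred OPTIONAL } } */
		rc = ber_printf(ber, "{" /*"}"*/);
		if (rc >= 0 && cookie != NULL) {
			rc = ber_printf(ber, "tO",
				LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, cookie);
		}
		if (rc >= 0) {
			rc = ber_printf(ber, "st{s" /*"}"*/, dn, LDAP_AUTH_SASL, mechanism);
		}
		if (rc >= 0 && have_cred) {
			rc = ber_printf(ber, "O", cred);
		}
		if (rc >= 0) {
			rc = ber_printf(ber, /*"{"*/ "N}");
		}
	}

	if (rc < 0) {
		rc = ld->ld_errno = LDAP_ENCODING_ERROR;
		goto done;
	}

	if (vcctrls != NULL && *vcctrls != NULL) {
		LDAPControl *const *c;

		/* the return of this ber_printf() used to be discarded */
		rc = ber_printf(ber, "t{" /*"}"*/, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS);
		for (c = vcctrls; rc >= 0 && *c != NULL; c++) {
			/* ldap_pvt_put_control() returns an LDAP result code,
			 * not a byte count, so fold it into the ber_printf() style */
			if (ldap_pvt_put_control(*c, ber) != LDAP_SUCCESS) {
				rc = -1;
			}
		}
		if (rc >= 0) {
			rc = ber_printf(ber, /*"{{"*/ "}N}");
		}
	} else {
		rc = ber_printf(ber, /*"{"*/ "N}");
	}

	if (rc < 0) {
		rc = ld->ld_errno = LDAP_ENCODING_ERROR;
		goto done;
	}

	/* reqdata borrows the ber's buffer (no copy), so the ber must outlive
	 * the ldap_extended_operation() call below */
	if (ber_flatten2(ber, &reqdata, 0) < 0) {
		rc = ld->ld_errno = LDAP_ENCODING_ERROR;
		goto done;
	}

	rc = ldap_extended_operation(ld, LDAP_EXOP_VERIFY_CREDENTIALS,
		&reqdata, sctrls, cctrls, msgidp);

done:
	ber_free(ber, 1);
	return rc;
}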
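/*
 * ldap_verify_credentials_s -- synchronous Verify Credentials: sends the
 * request with ldap_verify_credentials(), waits for the extended result
 * and decodes it with ldap_parse_verify_credentials().
 *
 * ld, cookie, dn, mechanism, cred, vcictrls, sctrls, cctrls
 *            as for ldap_verify_credentials()
 * rcode      out: the VCResponse resultCode
 * diagmsg    out: the VCResponse diagnosticMessage (ldap_memfree())
 * scookie    out, optional: VCResponse cookie (ber_bvfree())
 * scred      out, optional: serverSaslCreds (ber_bvfree())
 * vcoctrls   out, optional: VCResponse controls (ldap_controls_free())
 *
 * Returns the send error if the request could not be issued, ld->ld_errno
 * if ldap_result() failed or produced no message, the decode error if the
 * response value was malformed, or otherwise the outer LDAP resultCode of
 * the extended result (ld->ld_errno is set to it as well).
 *
 * Note that *rcode is only assigned when the server actually returned a
 * VCResponse value; when the operation itself failed at the LDAP level the
 * outer resultCode returned by this function is the only status available.
 */
int
ldap_verify_credentials_s(
	LDAP *ld,
	struct berval *cookie,
	LDAP_CONST char *dn,
	LDAP_CONST char *mechanism,
	struct berval *cred,
	LDAPControl **vcictrls,
	LDAPControl **sctrls,
	LDAPControl **cctrls,
	int *rcode,
	char **diagmsg,
	struct berval **scookie,
	struct berval **scred,
	LDAPControl ***vcoctrls)
{
	int rc;
	int msgid;
	/* initialised so a return from ldap_result() that does not store a
	 * message (e.g. a timeout; presumably -1 as well) is caught by the
	 * NULL test rather than read as garbage */
	LDAPMessage *res = NULL;

	rc = ldap_verify_credentials(ld, cookie, dn, mechanism, cred,
		vcictrls, sctrls, cctrls, &msgid);
	if (rc != LDAP_SUCCESS) {
		return rc;
	}

	/* wait (no explicit timeout) for the result of our message id */
	rc = ldap_result(ld, msgid, LDAP_MSG_ALL, (struct timeval *) NULL, &res);
	if (rc == -1 || res == NULL) {
		return ld->ld_errno;
	}

	rc = ldap_parse_verify_credentials(ld, res, rcode, diagmsg,
		scookie, scred, vcoctrls);
	if (rc != LDAP_SUCCESS) {
		ldap_msgfree(res);
		return rc;
	}

	/* report the outer resultCode; the final argument frees res */
	return( ldap_result2error(ld, res, 1));
}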
#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
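/*
 * ldap_verify_credentials_interactive -- interactive (SASL) variant of
 * Verify Credentials.
 *
 * Not implemented: every real call sets ld->ld_errno to LDAP_NOT_SUPPORTED
 * and returns it.  The one functional path is the dispose shortcut: ld
 * NULL together with a non-NULL context releases the SASL connection kept
 * in context, so callers need no separate dispose API.  All other
 * arguments must be NULL/0 in that case.
 *
 * Returns LDAP_SUCCESS after a dispose, LDAP_PARAM_ERROR when ld is NULL
 * and there is nothing to dispose (the old code dereferenced the NULL ld
 * here), otherwise LDAP_NOT_SUPPORTED.
 *
 * NOTE(review): this body is compiled only when
 * LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE is defined and did not
 * build as written: the parameter list ended in ';' (repaired below) and
 * the sasl_dispose() argument is cast to a struct type rather than a
 * pointer.  That cast is left untouched; whoever enables the feature must
 * check it against the sasl_dispose() prototype in the SASL headers.
 */
int
ldap_verify_credentials_interactive (
	LDAP *ld,
	LDAP_CONST char *dn,		/* usually NULL */
	LDAP_CONST char *mech,
	LDAPControl **vcControls,
	LDAPControl **serverControls,
	LDAPControl **clientControls,	/* should be client controls */
	unsigned flags,
	LDAP_SASL_INTERACT_PROC *proc,
	void *defaults,
	void *context,
	LDAPMessage *result,		/* as obtained from ldap_result() */
	const char **rmech,		/* returned during bind processing */
	int *msgid )
{
	if (ld == NULL) {
		if (context == NULL) {
			return LDAP_PARAM_ERROR;
		}

		/* dispose-only call: nothing else may be supplied */
		assert(!dn);
		assert(!mech);
		assert(!vcControls);
		assert(!serverControls);
		assert(!defaults);
		assert(!result);
		assert(!rmech);
		assert(!msgid);

		/* special case to avoid having to expose a separate dispose context API */
		sasl_dispose((sasl_conn_t)context);
		return LDAP_SUCCESS;
	}

	ld->ld_errno = LDAP_NOT_SUPPORTED;
	return ld->ld_errno;
}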
#endif