1 /* vc.c - LDAP Verify Credentials extop (no spec yet) */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2010-2013 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * This work was initially developed by Pierangelo Masarati for inclusion
18 * in OpenLDAP Software.
22 * LDAP Verify Credentials: suggested by Kurt Zeilenga
29 #include "ac/string.h"
31 typedef struct vc_conn_t {
32 struct vc_conn_t *conn;
34 OperationBuffer opbuf;
39 static const struct berval vc_exop_oid_bv = BER_BVC(LDAP_EXOP_VERIFY_CREDENTIALS);
40 static ldap_pvt_thread_mutex_t vc_mutex;
41 static Avlnode *vc_tree;
44 vc_conn_cmp( const void *c1, const void *c2 )
46 const vc_conn_t *vc1 = (const vc_conn_t *)c1;
47 const vc_conn_t *vc2 = (const vc_conn_t *)c2;
49 return SLAP_PTRCMP( vc1->conn, vc2->conn );
53 vc_conn_dup( void *c1, void *c2 )
55 vc_conn_t *vc1 = (vc_conn_t *)c1;
56 vc_conn_t *vc2 = (vc_conn_t *)c2;
58 if ( vc1->conn == vc2->conn ) {
69 const char *diagnosticMessage,
70 struct berval *servercred,
71 struct berval *authzid,
75 BerElementBuffer berbuf;
76 BerElement *ber = (BerElement *)&berbuf;
80 assert( val != NULL );
84 ber_init2( ber, NULL, LBER_USE_DER );
86 (void)ber_printf( ber, "{is" /*}*/ , resultCode, diagnosticMessage ? diagnosticMessage : "" );
91 cookie.bv_len = sizeof( conn );
92 cookie.bv_val = (char *)&conn;
93 (void)ber_printf( ber, "tO", 0, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, &cookie );
97 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS, servercred );
102 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_AUTHZID, authzid );
109 rc = ber_printf( ber, "t{"/*}*/, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS );
110 if ( rc == -1 ) goto done;
112 for ( c = 0; ctrls[c] != NULL; c++ ) {
113 rc = ber_printf( ber, "{s" /*}*/, ctrls[c]->ldctl_oid );
115 if ( ctrls[c]->ldctl_iscritical ) {
116 rc = ber_printf( ber, "b", (ber_int_t)ctrls[c]->ldctl_iscritical ) ;
117 if ( rc == -1 ) goto done;
120 if ( ctrls[c]->ldctl_value.bv_val != NULL ) {
121 rc = ber_printf( ber, "O", &ctrls[c]->ldctl_value );
122 if( rc == -1 ) goto done;
125 rc = ber_printf( ber, /*{*/"N}" );
126 if ( rc == -1 ) goto done;
129 rc = ber_printf( ber, /*{*/"N}" );
130 if ( rc == -1 ) goto done;
133 rc = ber_printf( ber, /*{*/ "}" );
134 if ( rc == -1 ) goto done;
136 rc = ber_flatten2( ber, &bv, 0 );
138 *val = ber_bvdup( &bv );
147 typedef struct vc_cb_t {
148 struct berval sasldata;
157 vc_cb_t *vc = (vc_cb_t *)op->o_callback->sc_private;
159 if ( rs->sr_tag == LDAP_RES_BIND ) {
160 if ( rs->sr_sasldata != NULL ) {
161 ber_dupbv( &vc->sasldata, rs->sr_sasldata );
164 if ( rs->sr_ctrls != NULL ) {
165 vc->ctrls = ldap_controls_dup( rs->sr_ctrls );
177 int rc = LDAP_SUCCESS;
180 BerElementBuffer berbuf;
181 BerElement *ber = (BerElement *)&berbuf;
182 struct berval reqdata = BER_BVNULL;
184 struct berval cookie = BER_BVNULL;
185 struct berval bdn = BER_BVNULL;
187 struct berval cred = BER_BVNULL;
188 struct berval ndn = BER_BVNULL;
189 struct berval mechanism = BER_BVNULL;
191 vc_conn_t *conn = NULL;
193 slap_callback sc = { 0 };
194 SlapReply rs2 = { 0 };
196 if ( op->ore_reqdata == NULL || op->ore_reqdata->bv_len == 0 ) {
197 rs->sr_text = "empty request data field in VerifyCredentials exop";
198 return LDAP_PROTOCOL_ERROR;
202 rs->sr_err = LDAP_SUCCESS;
204 ber_dupbv_x( &reqdata, op->ore_reqdata, op->o_tmpmemctx );
206 /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
207 ber_init2( ber, &reqdata, 0 );
209 tag = ber_scanf( ber, "{" /*}*/ );
210 if ( tag != LBER_SEQUENCE ) {
211 rs->sr_err = LDAP_PROTOCOL_ERROR;
215 tag = ber_peek_tag( ber, &len );
216 if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ) {
218 * cookie: the pointer to the connection
222 ber_scanf( ber, "m", &cookie );
223 if ( cookie.bv_len != sizeof(Connection *) ) {
224 rs->sr_err = LDAP_PROTOCOL_ERROR;
230 tag = ber_scanf( ber, "mt", &bdn, &authtag );
231 if ( tag == LBER_ERROR ) {
232 rs->sr_err = LDAP_PROTOCOL_ERROR;
236 rc = dnNormalize( 0, NULL, NULL, &bdn, &ndn, op->o_tmpmemctx );
237 if ( rc != LDAP_SUCCESS ) {
238 rs->sr_err = LDAP_PROTOCOL_ERROR;
243 case LDAP_AUTH_SIMPLE:
244 /* cookie only makes sense for SASL bind (so far) */
245 if ( !BER_BVISNULL( &cookie ) ) {
246 rs->sr_err = LDAP_PROTOCOL_ERROR;
250 tag = ber_scanf( ber, "m", &cred );
251 if ( tag == LBER_ERROR ) {
252 rs->sr_err = LDAP_PROTOCOL_ERROR;
258 tag = ber_scanf( ber, "{s" /*}*/ , &mechanism );
259 if ( tag == LBER_ERROR ||
260 BER_BVISNULL( &mechanism ) || BER_BVISEMPTY( &mechanism ) )
262 rs->sr_err = LDAP_PROTOCOL_ERROR;
266 tag = ber_peek_tag( ber, &len );
267 if ( tag == LBER_OCTETSTRING ) {
268 ber_scanf( ber, "m", &cred );
271 tag = ber_scanf( ber, /*{*/ "}" );
275 rs->sr_err = LDAP_PROTOCOL_ERROR;
279 if ( !BER_BVISNULL( &cookie ) ) {
280 vc_conn_t tmp = { 0 };
282 AC_MEMCPY( (char *)&tmp.conn, (const char *)cookie.bv_val, cookie.bv_len );
283 ldap_pvt_thread_mutex_lock( &vc_mutex );
284 conn = (vc_conn_t *)avl_find( vc_tree, (caddr_t)&tmp, vc_conn_cmp );
285 if ( conn == NULL || ( conn != NULL && conn->refcnt != 0 ) ) {
287 ldap_pvt_thread_mutex_unlock( &vc_mutex );
288 rs->sr_err = LDAP_PROTOCOL_ERROR;
292 ldap_pvt_thread_mutex_unlock( &vc_mutex );
297 conn = (vc_conn_t *)SLAP_CALLOC( 1, sizeof( vc_conn_t ) );
300 thrctx = ldap_pvt_thread_pool_context();
301 connection_fake_init2( &conn->connbuf, &conn->opbuf, thrctx, 0 );
302 conn->op = &conn->opbuf.ob_op;
303 snprintf( conn->op->o_log_prefix, sizeof( conn->op->o_log_prefix ),
304 "%s VERIFYCREDENTIALS", op->o_log_prefix );
307 conn->op->o_tag = LDAP_REQ_BIND;
308 memset( &conn->op->oq_bind, 0, sizeof( conn->op->oq_bind ) );
309 conn->op->o_req_dn = ndn;
310 conn->op->o_req_ndn = ndn;
311 conn->op->o_protocol = LDAP_VERSION3;
312 conn->op->orb_method = authtag;
313 conn->op->o_callback = ≻
316 tag = ber_peek_tag( ber, &len );
317 if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS ) {
318 conn->op->o_ber = ber;
319 rc = get_ctrls2( conn->op, &rs2, 0, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS );
320 if ( rc != LDAP_SUCCESS ) {
321 rs->sr_err = LDAP_PROTOCOL_ERROR;
326 tag = ber_skip_tag( ber, &len );
327 if ( len || tag != LBER_DEFAULT ) {
328 rs->sr_err = LDAP_PROTOCOL_ERROR;
333 case LDAP_AUTH_SIMPLE:
337 conn->op->orb_mech = mechanism;
341 conn->op->orb_cred = cred;
342 sc.sc_response = vc_cb;
345 conn->op->o_bd = frontendDB;
346 rs->sr_err = frontendDB->be_bind( conn->op, &rs2 );
348 if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
349 rc = vc_create_response( conn, rs2.sr_err, rs2.sr_text,
350 !BER_BVISEMPTY( &vc.sasldata ) ? &vc.sasldata : NULL,
352 vc.ctrls, &rs->sr_rspdata );
355 rc = vc_create_response( NULL, rs2.sr_err, rs2.sr_text,
357 &conn->op->o_conn->c_dn,
358 vc.ctrls, &rs->sr_rspdata );
362 rs->sr_err = LDAP_OTHER;
366 if ( !BER_BVISNULL( &conn->op->o_conn->c_dn ) &&
367 conn->op->o_conn->c_dn.bv_val != conn->op->o_conn->c_ndn.bv_val )
368 ber_memfree( conn->op->o_conn->c_dn.bv_val );
369 if ( !BER_BVISNULL( &conn->op->o_conn->c_ndn ) )
370 ber_memfree( conn->op->o_conn->c_ndn.bv_val );
374 if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
375 if ( conn->conn == NULL ) {
378 ldap_pvt_thread_mutex_lock( &vc_mutex );
379 rc = avl_insert( &vc_tree, (caddr_t)conn,
380 vc_conn_cmp, vc_conn_dup );
381 ldap_pvt_thread_mutex_unlock( &vc_mutex );
385 ldap_pvt_thread_mutex_lock( &vc_mutex );
387 ldap_pvt_thread_mutex_unlock( &vc_mutex );
391 if ( conn->conn != NULL ) {
394 ldap_pvt_thread_mutex_lock( &vc_mutex );
395 tmp = avl_delete( &vc_tree, (caddr_t)conn, vc_conn_cmp );
396 ldap_pvt_thread_mutex_unlock( &vc_mutex );
403 ldap_controls_free( vc.ctrls );
407 if ( !BER_BVISNULL( &ndn ) ) {
408 op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
412 op->o_tmpfree( reqdata.bv_val, op->o_tmpmemctx );
413 BER_BVZERO( &reqdata );
419 vc_initialize( void )
423 rc = load_extop2( (struct berval *)&vc_exop_oid_bv,
424 SLAP_EXOP_HIDE, vc_exop, 0 );
425 if ( rc != LDAP_SUCCESS ) {
426 Debug( LDAP_DEBUG_ANY,
427 "vc_initialize: unable to register VerifyCredentials exop: %d.\n",
431 ldap_pvt_thread_mutex_init( &vc_mutex );
437 init_module( int argc, char *argv[] )
439 return vc_initialize();