git.sur5r.net Git - openldap/blob - contrib/slapd-modules/vc/vc.c

   1 /* vc.c - LDAP Verify Credentials extop (no spec yet) */
   2 /* $OpenLDAP$ */
   3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   4  *
   5  * Copyright 2010 The OpenLDAP Foundation.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in the file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16 /* ACKNOWLEDGEMENTS:
  17  * This work was initially developed by Pierangelo Masarati for inclusion
  18  * in OpenLDAP Software.
  19  */
  20
  21 /*
  22  * LDAP Verify Credentials: suggested by Kurt Zeilenga
  23  * no spec yet
  24  */
  25
  26 #include "portable.h"
  27
  28 #include "slap.h"
  29 #include "ac/string.h"
  30
  31 typedef struct vc_conn_t {
  32         struct vc_conn_t *conn;
  33         Connection connbuf;
  34         OperationBuffer opbuf;
  35         Operation *op;
  36         int refcnt;
  37 } vc_conn_t;
  38
  39 static const struct berval vc_exop_oid_bv = BER_BVC(LDAP_EXOP_VERIFY_CREDENTIALS);
  40 static ldap_pvt_thread_mutex_t vc_mutex;
  41 static Avlnode *vc_tree;
  42
  43 static int
  44 vc_conn_cmp( const void *c1, const void *c2 )
  45 {
  46         const vc_conn_t *vc1 = (const vc_conn_t *)c1;
  47         const vc_conn_t *vc2 = (const vc_conn_t *)c2;
  48
  49         return SLAP_PTRCMP( vc1->conn, vc2->conn );
  50 }
  51
  52 static int
  53 vc_conn_dup( void *c1, void *c2 )
  54 {
  55         vc_conn_t *vc1 = (vc_conn_t *)c1;
  56         vc_conn_t *vc2 = (vc_conn_t *)c2;
  57
  58         if ( vc1->conn == vc2->conn ) {
  59                 return -1;
  60         }
  61
  62         return 0;
  63 }
  64
  65 static int
  66 vc_create_response(
  67         void *conn,
  68         int resultCode,
  69         const char *diagnosticMessage,
  70         struct berval *servercred,
  71         struct berval *authzid,
  72         LDAPControl **ctrls,
  73         struct berval **val )
  74 {
  75         BerElementBuffer berbuf;
  76         BerElement *ber = (BerElement *)&berbuf;
  77         struct berval bv;
  78         int rc;
  79
  80         assert( val != NULL );
  81
  82         *val = NULL;
  83
  84         ber_init2( ber, NULL, LBER_USE_DER );
  85
  86         (void)ber_printf( ber, "{is" /*}*/ , resultCode, diagnosticMessage ? diagnosticMessage : "" );
  87
  88         if ( conn ) {
  89                 struct berval cookie;
  90
  91                 cookie.bv_len = sizeof( conn );
  92                 cookie.bv_val = (char *)&conn;
  93                 (void)ber_printf( ber, "tO", 0, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, &cookie );
  94         }
  95
  96         if ( servercred ) {
  97                 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS, servercred );
  98         }
  99
 100 #if 0
 101         if ( authzid ) {
 102                 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_AUTHZID, authzid );
 103         }
 104 #endif
 105
 106         if ( ctrls ) {
 107                 int c;
 108
 109                 rc = ber_printf( ber, "t{"/*}*/, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS );
 110                 if ( rc == -1 ) goto done;
 111
 112                 for ( c = 0; ctrls[c] != NULL; c++ ) {
 113                         rc = ber_printf( ber, "{s" /*}*/, ctrls[c]->ldctl_oid );
 114
 115                         if ( ctrls[c]->ldctl_iscritical ) {
 116                                 rc = ber_printf( ber, "b", (ber_int_t)ctrls[c]->ldctl_iscritical ) ;
 117                                 if ( rc == -1 ) goto done;
 118                         }
 119
 120                         if ( ctrls[c]->ldctl_value.bv_val != NULL ) {
 121                                 rc = ber_printf( ber, "O", &ctrls[c]->ldctl_value );
 122                                 if( rc == -1 ) goto done;
 123                         }
 124
 125                         rc = ber_printf( ber, /*{*/"N}" );
 126                         if ( rc == -1 ) goto done;
 127                 }
 128
 129                 rc = ber_printf( ber, /*{*/"N}" );
 130                 if ( rc == -1 ) goto done;
 131         }
 132
 133         ber_printf( ber, /*{*/ "}" );
 134
 135         rc = ber_flatten2( ber, &bv, 0 );
 136
 137         *val = ber_bvdup( &bv );
 138
 139 done:;
 140         ber_free_buf( ber );
 141
 142         return rc;
 143 }
 144
 145 typedef struct vc_cb_t {
 146         struct berval sasldata;
 147         LDAPControl **ctrls;
 148 } vc_cb_t;
 149
 150 static int
 151 vc_cb(
 152         Operation       *op,
 153         SlapReply       *rs )
 154 {
 155         vc_cb_t *vc = (vc_cb_t *)op->o_callback->sc_private;
 156
 157         if ( rs->sr_tag == LDAP_RES_BIND ) {
 158                 if ( rs->sr_sasldata != NULL ) {
 159                         ber_dupbv( &vc->sasldata, rs->sr_sasldata );
 160                 }
 161
 162                 if ( rs->sr_ctrls != NULL ) {
 163                         vc->ctrls = ldap_controls_dup( rs->sr_ctrls );
 164                 }
 165         }
 166
 167         return 0;
 168 }
 169
 170 static int
 171 vc_exop(
 172         Operation       *op,
 173         SlapReply       *rs )
 174 {
 175         int rc = LDAP_SUCCESS;
 176         ber_tag_t tag;
 177         ber_len_t len = -1;
 178         BerElementBuffer berbuf;
 179         BerElement *ber = (BerElement *)&berbuf;
 180         struct berval reqdata = BER_BVNULL;
 181
 182         struct berval cookie = BER_BVNULL;
 183         struct berval bdn = BER_BVNULL;
 184         ber_tag_t authtag;
 185         struct berval cred = BER_BVNULL;
 186         struct berval ndn = BER_BVNULL;
 187         struct berval mechanism = BER_BVNULL;
 188
 189         vc_conn_t *conn = NULL;
 190         vc_cb_t vc = { 0 };
 191         slap_callback sc = { 0 };
 192         SlapReply rs2 = { 0 };
 193
 194         if ( op->ore_reqdata == NULL || op->ore_reqdata->bv_len == 0 ) {
 195                 rs->sr_text = "empty request data field in VerifyCredentials exop";
 196                 return LDAP_PROTOCOL_ERROR;
 197         }
 198
 199         /* optimistic */
 200         rs->sr_err = LDAP_SUCCESS;
 201
 202         ber_dupbv_x( &reqdata, op->ore_reqdata, op->o_tmpmemctx );
 203
 204         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 205         ber_init2( ber, &reqdata, 0 );
 206
 207         tag = ber_scanf( ber, "{" /*}*/ );
 208         if ( tag != LBER_SEQUENCE ) {
 209                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 210                 goto done;
 211         }
 212
 213         tag = ber_peek_tag( ber, &len );
 214         if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ) {
 215                 /*
 216                  * cookie: the pointer to the connection
 217                  * of this operation
 218                  */
 219
 220                 ber_scanf( ber, "m", &cookie );
 221                 if ( cookie.bv_len != sizeof(Connection *) ) {
 222                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 223                         goto done;
 224                 }
 225         }
 226
 227         /* DN, authtag */
 228         tag = ber_scanf( ber, "mt", &bdn, &authtag );
 229         if ( tag == LBER_ERROR ) {
 230                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 231                 goto done;
 232         }
 233
 234         rc = dnNormalize( 0, NULL, NULL, &bdn, &ndn, op->o_tmpmemctx );
 235         if ( rc != LDAP_SUCCESS ) {
 236                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 237                 goto done;
 238         }
 239
 240         switch ( authtag ) {
 241         case LDAP_AUTH_SIMPLE:
 242                 /* cookie only makes sense for SASL bind (so far) */
 243                 if ( !BER_BVISNULL( &cookie ) ) {
 244                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 245                         goto done;
 246                 }
 247
 248                 tag = ber_scanf( ber, "m", &cred );
 249                 if ( tag == LBER_ERROR ) {
 250                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 251                         goto done;
 252                 }
 253                 break;
 254
 255         case LDAP_AUTH_SASL:
 256                 tag = ber_scanf( ber, "{s" /*}*/ , &mechanism );
 257                 if ( tag == LBER_ERROR ||
 258                         BER_BVISNULL( &mechanism ) || BER_BVISEMPTY( &mechanism ) )
 259                 {
 260                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 261                         goto done;
 262                 }
 263
 264                 tag = ber_peek_tag( ber, &len );
 265                 if ( tag == LBER_OCTETSTRING ) {
 266                         ber_scanf( ber, "m", &cred );
 267                 }
 268
 269                 tag = ber_scanf( ber, /*{*/ "}" );
 270                 break;
 271
 272         default:
 273                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 274                 goto done;
 275         }
 276
 277         if ( !BER_BVISNULL( &cookie ) ) {
 278                 vc_conn_t tmp = { 0 };
 279
 280                 AC_MEMCPY( (char *)&tmp.conn, (const char *)cookie.bv_val, cookie.bv_len );
 281                 ldap_pvt_mutex_lock( &vc_mutex );
 282                 conn = (vc_conn_t *)avl_find( vc_tree, (caddr_t)&tmp, vc_conn_cmp );
 283                 if ( conn == NULL || ( conn != NULL && conn->refcnt != 0 ) ) {
 284                         conn = NULL;
 285                         ldap_pvt_mutex_unlock( &vc_mutex );
 286                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 287                         goto done;
 288                 }
 289                 conn->refcnt++;
 290                 ldap_pvt_mutex_unlock( &vc_mutex );
 291
 292         } else {
 293                 void *thrctx;
 294
 295                 conn = (vc_conn_t *)SLAP_CALLOC( 1, sizeof( vc_conn_t ) );
 296                 conn->refcnt = 1;
 297
 298                 thrctx = ldap_pvt_thread_pool_context();
 299                 connection_fake_init2( &conn->connbuf, &conn->opbuf, thrctx, 0 );
 300                 conn->op = &conn->opbuf.ob_op;
 301                 snprintf( conn->op->o_log_prefix, sizeof( conn->op->o_log_prefix ),
 302                         "%s VERIFYCREDENTIALS", op->o_log_prefix );
 303         }
 304
 305         conn->op->o_tag = LDAP_REQ_BIND;
 306         memset( &conn->op->oq_bind, 0, sizeof( conn->op->oq_bind ) );
 307         conn->op->o_req_dn = ndn;
 308         conn->op->o_req_ndn = ndn;
 309         conn->op->o_protocol = LDAP_VERSION3;
 310         conn->op->orb_method = authtag;
 311         conn->op->o_callback = &sc;
 312
 313         /* TODO: controls */
 314         tag = ber_peek_tag( ber, &len );
 315         if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS ) {
 316                 conn->op->o_ber = ber;
 317                 rc = get_ctrls2( conn->op, &rs2, 0, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS );
 318                 if ( rc != LDAP_SUCCESS ) {
 319                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 320                         goto done;
 321                 }
 322         }
 323
 324         tag = ber_skip_tag( ber, &len );
 325         if ( len || tag != LBER_DEFAULT ) {
 326                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 327                 goto done;
 328         }
 329
 330         switch ( authtag ) {
 331         case LDAP_AUTH_SIMPLE:
 332                 break;
 333
 334         case LDAP_AUTH_SASL:
 335                 conn->op->orb_mech = mechanism;
 336                 break;
 337         }
 338
 339         conn->op->orb_cred = cred;
 340         sc.sc_response = vc_cb;
 341         sc.sc_private = &vc;
 342
 343         conn->op->o_bd = frontendDB;
 344         rs->sr_err = frontendDB->be_bind( conn->op, &rs2 );
 345
 346         if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
 347                 rc = vc_create_response( conn, rs2.sr_err, rs2.sr_text,
 348                         !BER_BVISEMPTY( &vc.sasldata ) ? &vc.sasldata : NULL,
 349                         NULL,
 350                         vc.ctrls, &rs->sr_rspdata );
 351
 352         } else {
 353                 rc = vc_create_response( NULL, rs2.sr_err, rs2.sr_text,
 354                         NULL,
 355                         &conn->op->o_conn->c_dn,
 356                         vc.ctrls, &rs->sr_rspdata );
 357         }
 358
 359         if ( rc != 0 ) {
 360                 rs->sr_err = LDAP_OTHER;
 361                 goto done;
 362         }
 363
 364         if ( !BER_BVISNULL( &conn->op->o_conn->c_dn ) &&
 365                 conn->op->o_conn->c_dn.bv_val != conn->op->o_conn->c_ndn.bv_val )
 366                 ber_memfree( conn->op->o_conn->c_dn.bv_val );
 367         if ( !BER_BVISNULL( &conn->op->o_conn->c_ndn ) )
 368                 ber_memfree( conn->op->o_conn->c_ndn.bv_val );
 369
 370 done:;
 371         if ( conn ) {
 372                 if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
 373                         if ( conn->conn == NULL ) {
 374                                 conn->conn = conn;
 375                                 conn->refcnt--;
 376                                 ldap_pvt_mutex_lock( &vc_mutex );
 377                                 rc = avl_insert( &vc_tree, (caddr_t)conn,
 378                                         vc_conn_cmp, vc_conn_dup );
 379                                 ldap_pvt_mutex_unlock( &vc_mutex );
 380                                 assert( rc == 0 );
 381
 382                         } else {
 383                                 ldap_pvt_mutex_lock( &vc_mutex );
 384                                 conn->refcnt--;
 385                                 ldap_pvt_mutex_unlock( &vc_mutex );
 386                         }
 387
 388                 } else {
 389                         if ( conn->conn != NULL ) {
 390                                 vc_conn_t *tmp;
 391
 392                                 ldap_pvt_mutex_lock( &vc_mutex );
 393                                 tmp = avl_delete( &vc_tree, (caddr_t)conn, vc_conn_cmp );
 394                                 ldap_pvt_mutex_unlock( &vc_mutex );
 395                         }
 396                         SLAP_FREE( conn );
 397                 }
 398         }
 399
 400         if ( !BER_BVISNULL( &ndn ) ) {
 401                 op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
 402         }
 403         op->o_tmpfree( reqdata.bv_val, op->o_tmpmemctx );
 404
 405         return rs->sr_err;
 406 }
 407
 408 static int
 409 vc_initialize( void )
 410 {
 411         int rc;
 412
 413         rc = load_extop2( (struct berval *)&vc_exop_oid_bv,
 414                 SLAP_EXOP_HIDE, vc_exop, 0 );
 415         if ( rc != LDAP_SUCCESS ) {
 416                 Debug( LDAP_DEBUG_ANY,
 417                         "vc_initialize: unable to register VerifyCredentials exop: %d.\n",
 418                         rc, 0, 0 );
 419         }
 420
 421         ldap_pvt_thread_mutex_init( &vc_mutex );
 422
 423         return rc;
 424 }
 425
 426 int
 427 init_module( int argc, char *argv[] )
 428 {
 429         return vc_initialize();
 430 }
 431