1 /* vc.c - LDAP Verify Credentials extop (no spec yet) */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2010 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * This work was initially developed by Pierangelo Masarati for inclusion
18 * in OpenLDAP Software.
22 * LDAP Verify Credentials: suggested by Kurt Zeilenga
29 #include "ac/string.h"
31 typedef struct vc_conn_t {
32 struct vc_conn_t *conn;
34 OperationBuffer opbuf;
39 static const struct berval vc_exop_oid_bv = BER_BVC(LDAP_EXOP_VERIFY_CREDENTIALS);
40 static ldap_pvt_thread_mutex_t vc_mutex;
41 static Avlnode *vc_tree;
44 vc_conn_cmp( const void *c1, const void *c2 )
46 const vc_conn_t *vc1 = (const vc_conn_t *)c1;
47 const vc_conn_t *vc2 = (const vc_conn_t *)c2;
49 return SLAP_PTRCMP( vc1->conn, vc2->conn );
53 vc_conn_dup( void *c1, void *c2 )
55 vc_conn_t *vc1 = (vc_conn_t *)c1;
56 vc_conn_t *vc2 = (vc_conn_t *)c2;
58 if ( vc1->conn == vc2->conn ) {
68 struct berval *servercred,
69 struct berval *authzid,
72 BerElementBuffer berbuf;
73 BerElement *ber = (BerElement *)&berbuf;
77 assert( val != NULL );
79 ber_init2( ber, NULL, LBER_USE_DER );
81 ber_printf( ber, "{" /*}*/ );
86 cookie.bv_len = sizeof( conn );
87 cookie.bv_val = (char *)&conn;
88 ber_printf( ber, "tO", 0, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, &cookie );
92 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS, servercred );
96 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_AUTHZID, authzid );
99 ber_printf( ber, /*{*/ "}" );
101 rc = ber_flatten2( ber, &bv, 0 );
103 *val = ber_bvdup( &bv );
115 struct berval *sasldata = (struct berval *)op->o_callback->sc_private;
117 if ( rs->sr_tag == LDAP_REQ_BIND && sasldata != NULL && rs->sr_sasldata != NULL ) {
118 ber_dupbv( sasldata, rs->sr_sasldata );
129 int rc = LDAP_SUCCESS;
132 BerElementBuffer berbuf;
133 BerElement *ber = (BerElement *)&berbuf;
134 struct berval reqdata = BER_BVNULL;
136 struct berval cookie = BER_BVNULL;
137 struct berval bdn = BER_BVNULL;
139 struct berval cred = BER_BVNULL;
140 struct berval ndn = BER_BVNULL;
141 struct berval mechanism = BER_BVNULL;
143 vc_conn_t *conn = NULL;
144 slap_callback sc = { 0 };
145 SlapReply rs2 = { 0 };
146 struct berval sasldata = BER_BVNULL;
148 if ( op->ore_reqdata == NULL || op->ore_reqdata->bv_len == 0 ) {
149 rs->sr_text = "empty request data field in VerifyCredentials exop";
150 return LDAP_PROTOCOL_ERROR;
154 rs->sr_err = LDAP_SUCCESS;
156 ber_dupbv_x( &reqdata, op->ore_reqdata, op->o_tmpmemctx );
158 /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
159 ber_init2( ber, &reqdata, 0 );
161 tag = ber_scanf( ber, "{" /*}*/ );
162 if ( tag != LBER_SEQUENCE ) {
163 rs->sr_err = LDAP_PROTOCOL_ERROR;
167 tag = ber_peek_tag( ber, &len );
168 if ( tag == LBER_INTEGER ) {
174 tag = ber_scanf( ber, "i", &version );
175 if ( tag == LBER_ERROR || version != 3 ) {
176 rs->sr_err = LDAP_PROTOCOL_ERROR;
180 /* DN, authtag, cred */
181 tag = ber_scanf( ber, "mtm", &bdn, &authtag, &cred );
182 if ( tag == LBER_ERROR || authtag != LDAP_AUTH_SIMPLE ) {
183 rs->sr_err = LDAP_PROTOCOL_ERROR;
187 rc = dnNormalize( 0, NULL, NULL, &bdn, &ndn, op->o_tmpmemctx );
188 if ( rc != LDAP_SUCCESS ) {
189 rs->sr_err = LDAP_PROTOCOL_ERROR;
195 if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ) {
197 * cookie: the pointer to the connection
201 ber_scanf( ber, "m", &cookie );
202 if ( cookie.bv_len != sizeof(Connection *) ) {
203 rs->sr_err = LDAP_PROTOCOL_ERROR;
209 tag = ber_scanf( ber, "mt{s", &bdn, &authtag, &mechanism );
210 if ( tag == LBER_ERROR || authtag != LDAP_AUTH_SASL ||
211 BER_BVISNULL( &mechanism ) || BER_BVISEMPTY( &mechanism) )
213 rs->sr_err = LDAP_PROTOCOL_ERROR;
217 tag = ber_peek_tag( ber, &len );
218 if ( tag == LBER_OCTETSTRING ) {
219 ber_scanf( ber, "m", &cred );
222 rc = dnNormalize( 0, NULL, NULL, &bdn, &ndn, op->o_tmpmemctx );
223 if ( rc != LDAP_SUCCESS ) {
224 rs->sr_err = LDAP_PROTOCOL_ERROR;
229 tag = ber_skip_tag( ber, &len );
230 if ( len || tag != LBER_DEFAULT ) {
231 rs->sr_err = LDAP_PROTOCOL_ERROR;
235 if ( !BER_BVISNULL( &cookie ) ) {
236 vc_conn_t tmp = { 0 };
238 AC_MEMCPY( (char *)&tmp.conn, (const char *)cookie.bv_val, cookie.bv_len );
239 ldap_pvt_mutex_lock( &vc_mutex );
240 conn = (vc_conn_t *)avl_find( vc_tree, (caddr_t)&tmp, vc_conn_cmp );
241 if ( conn == NULL || ( conn != NULL && conn->refcnt != 0 ) ) {
242 ldap_pvt_mutex_unlock( &vc_mutex );
243 rs->sr_err = LDAP_PROTOCOL_ERROR;
247 ldap_pvt_mutex_unlock( &vc_mutex );
252 conn = (vc_conn_t *)SLAP_CALLOC( 1, sizeof( vc_conn_t ) );
255 thrctx = ldap_pvt_thread_pool_context();
256 connection_fake_init2( &conn->connbuf, &conn->opbuf, thrctx, 1 );
257 conn->op = &conn->opbuf.ob_op;
260 conn->op->o_tag = LDAP_REQ_BIND;
261 memset( &conn->op->oq_bind, 0, sizeof( conn->op->oq_bind ) );
262 conn->op->o_req_dn = ndn;
263 conn->op->o_req_ndn = ndn;
264 conn->op->o_protocol = LDAP_VERSION3;
265 conn->op->orb_method = authtag;
266 conn->op->o_callback = ≻
269 case LDAP_AUTH_SIMPLE:
270 sc.sc_response = slap_null_cb;
274 conn->op->orb_mech = mechanism;
275 sc.sc_response = vc_exop_sasl_cb;
276 sc.sc_private = &sasldata;
279 conn->op->orb_cred = cred;
281 conn->op->o_bd = frontendDB;
282 rs->sr_err = frontendDB->be_bind( conn->op, &rs2 );
284 if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
285 rc = vc_create_response( conn,
286 !BER_BVISEMPTY( &sasldata ) ? &sasldata : NULL,
287 NULL, &rs->sr_rspdata );
290 rc = vc_create_response( NULL, NULL,
291 &conn->op->o_conn->c_dn, &rs->sr_rspdata );
295 rs->sr_err = LDAP_OTHER;
299 if ( !BER_BVISNULL( &conn->op->o_conn->c_dn ) &&
300 conn->op->o_conn->c_dn.bv_val != conn->op->o_conn->c_ndn.bv_val )
301 ber_memfree( conn->op->o_conn->c_dn.bv_val );
302 if ( !BER_BVISNULL( &conn->op->o_conn->c_ndn ) )
303 ber_memfree( conn->op->o_conn->c_ndn.bv_val );
305 if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
306 if ( conn->conn == NULL ) {
309 ldap_pvt_mutex_lock( &vc_mutex );
310 rc = avl_insert( &vc_tree, (caddr_t)conn,
311 vc_conn_cmp, vc_conn_dup );
312 ldap_pvt_mutex_unlock( &vc_mutex );
316 ldap_pvt_mutex_lock( &vc_mutex );
318 ldap_pvt_mutex_unlock( &vc_mutex );
322 if ( conn->conn != NULL ) {
325 ldap_pvt_mutex_lock( &vc_mutex );
326 tmp = avl_delete( &vc_tree, (caddr_t)conn, vc_conn_cmp );
327 ldap_pvt_mutex_unlock( &vc_mutex );
333 if ( !BER_BVISNULL( &ndn ) ) {
334 op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
336 op->o_tmpfree( reqdata.bv_val, op->o_tmpmemctx );
342 vc_initialize( void )
346 rc = load_extop2( (struct berval *)&vc_exop_oid_bv,
347 SLAP_EXOP_HIDE, vc_exop, 0 );
348 if ( rc != LDAP_SUCCESS ) {
349 Debug( LDAP_DEBUG_ANY,
350 "vc_initialize: unable to register VerifyCredentials exop: %d.\n",
354 ldap_pvt_thread_mutex_init( &vc_mutex );
360 init_module( int argc, char *argv[] )
362 return vc_initialize();