git.sur5r.net Git - openldap/blob - contrib/slapd-modules/vc/vc.c

   1 /* vc.c - LDAP Verify Credentials extop (no spec yet) */
   2 /* $OpenLDAP$ */
   3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   4  *
   5  * Copyright 2010 The OpenLDAP Foundation.
   6  * All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted only as authorized by the OpenLDAP
  10  * Public License.
  11  *
  12  * A copy of this license is available in the file LICENSE in the
  13  * top-level directory of the distribution or, alternatively, at
  14  * <http://www.OpenLDAP.org/license.html>.
  15  */
  16 /* ACKNOWLEDGEMENTS:
  17  * This work was initially developed by Pierangelo Masarati for inclusion
  18  * in OpenLDAP Software.
  19  */
  20
  21 /*
  22  * LDAP Verify Credentials: suggested by Kurt Zeilenga
  23  * no spec yet
  24  */
  25
  26 #include "portable.h"
  27
  28 #include "slap.h"
  29 #include "ac/string.h"
  30
  31 typedef struct vc_conn_t {
  32         struct vc_conn_t *conn;
  33         Connection connbuf;
  34         OperationBuffer opbuf;
  35         Operation *op;
  36         int refcnt;
  37 } vc_conn_t;
  38
  39 static const struct berval vc_exop_oid_bv = BER_BVC(LDAP_EXOP_VERIFY_CREDENTIALS);
  40 static ldap_pvt_thread_mutex_t vc_mutex;
  41 static Avlnode *vc_tree;
  42
  43 static int
  44 vc_conn_cmp( const void *c1, const void *c2 )
  45 {
  46         const vc_conn_t *vc1 = (const vc_conn_t *)c1;
  47         const vc_conn_t *vc2 = (const vc_conn_t *)c2;
  48
  49         return SLAP_PTRCMP( vc1->conn, vc2->conn );
  50 }
  51
  52 static int
  53 vc_conn_dup( void *c1, void *c2 )
  54 {
  55         vc_conn_t *vc1 = (vc_conn_t *)c1;
  56         vc_conn_t *vc2 = (vc_conn_t *)c2;
  57
  58         if ( vc1->conn == vc2->conn ) {
  59                 return -1;
  60         }
  61
  62         return 0;
  63 }
  64
  65 static int
  66 vc_create_response(
  67         void *conn,
  68         struct berval *servercred,
  69         struct berval *authzid,
  70         struct berval **val )
  71 {
  72         BerElementBuffer berbuf;
  73         BerElement *ber = (BerElement *)&berbuf;
  74         struct berval bv;
  75         int rc;
  76
  77         assert( val != NULL );
  78
  79         ber_init2( ber, NULL, LBER_USE_DER );
  80
  81         ber_printf( ber, "{" /*}*/ );
  82
  83         if ( conn ) {
  84                 struct berval cookie;
  85
  86                 cookie.bv_len = sizeof( conn );
  87                 cookie.bv_val = (char *)&conn;
  88                 ber_printf( ber, "tO", 0, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, &cookie );
  89         }
  90
  91         if ( servercred ) {
  92                 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS, servercred );
  93         }
  94
  95         if ( authzid ) {
  96                 ber_printf( ber, "tO", LDAP_TAG_EXOP_VERIFY_CREDENTIALS_AUTHZID, authzid );
  97         }
  98
  99         ber_printf( ber, /*{*/ "}" );
 100
 101         rc = ber_flatten2( ber, &bv, 0 );
 102
 103         *val = ber_bvdup( &bv );
 104
 105         ber_free_buf( ber );
 106
 107         return rc;
 108 }
 109
 110 static int
 111 vc_exop_sasl_cb(
 112         Operation       *op,
 113         SlapReply       *rs )
 114 {
 115         struct berval *sasldata = (struct berval *)op->o_callback->sc_private;
 116
 117         if ( rs->sr_tag == LDAP_REQ_BIND && sasldata != NULL && rs->sr_sasldata != NULL ) {
 118                 ber_dupbv( sasldata, rs->sr_sasldata );
 119         }
 120
 121         return 0;
 122 }
 123
 124 static int
 125 vc_exop(
 126         Operation       *op,
 127         SlapReply       *rs )
 128 {
 129         int rc = LDAP_SUCCESS;
 130         ber_tag_t tag;
 131         ber_len_t len = -1;
 132         BerElementBuffer berbuf;
 133         BerElement *ber = (BerElement *)&berbuf;
 134         struct berval reqdata = BER_BVNULL;
 135
 136         struct berval cookie = BER_BVNULL;
 137         struct berval bdn = BER_BVNULL;
 138         ber_tag_t authtag;
 139         struct berval cred = BER_BVNULL;
 140         struct berval ndn = BER_BVNULL;
 141         struct berval mechanism = BER_BVNULL;
 142
 143         vc_conn_t *conn = NULL;
 144         slap_callback sc = { 0 };
 145         SlapReply rs2 = { 0 };
 146         struct berval sasldata = BER_BVNULL;
 147
 148         if ( op->ore_reqdata == NULL || op->ore_reqdata->bv_len == 0 ) {
 149                 rs->sr_text = "empty request data field in VerifyCredentials exop";
 150                 return LDAP_PROTOCOL_ERROR;
 151         }
 152
 153         /* optimistic */
 154         rs->sr_err = LDAP_SUCCESS;
 155
 156         ber_dupbv_x( &reqdata, op->ore_reqdata, op->o_tmpmemctx );
 157
 158         /* ber_init2 uses reqdata directly, doesn't allocate new buffers */
 159         ber_init2( ber, &reqdata, 0 );
 160
 161         tag = ber_scanf( ber, "{" /*}*/ );
 162         if ( tag != LBER_SEQUENCE ) {
 163                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 164                 goto done;
 165         }
 166
 167         tag = ber_peek_tag( ber, &len );
 168         if ( tag == LBER_INTEGER ) {
 169                 ber_int_t version;
 170
 171                 /* simple */
 172
 173                 /* version */
 174                 tag = ber_scanf( ber, "i", &version );
 175                 if ( tag == LBER_ERROR || version != 3 ) {
 176                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 177                         goto done;
 178                 }
 179
 180                 /* DN, authtag, cred */
 181                 tag = ber_scanf( ber, "mtm", &bdn, &authtag, &cred );
 182                 if ( tag == LBER_ERROR || authtag != LDAP_AUTH_SIMPLE ) {
 183                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 184                         goto done;
 185                 }
 186
 187                 rc = dnNormalize( 0, NULL, NULL, &bdn, &ndn, op->o_tmpmemctx );
 188                 if ( rc != LDAP_SUCCESS ) {
 189                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 190                         goto done;
 191                 }
 192
 193         } else {
 194                 /* SASL */
 195                 if ( tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE ) {
 196                         /*
 197                          * cookie: the pointer to the connection
 198                          * of this operation
 199                          */
 200
 201                         ber_scanf( ber, "m", &cookie );
 202                         if ( cookie.bv_len != sizeof(Connection *) ) {
 203                                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 204                                 goto done;
 205                         }
 206
 207                 }
 208
 209                 tag = ber_scanf( ber, "mt{s", &bdn, &authtag, &mechanism );
 210                 if ( tag == LBER_ERROR || authtag != LDAP_AUTH_SASL ||
 211                         BER_BVISNULL( &mechanism ) || BER_BVISEMPTY( &mechanism) )
 212                 {
 213                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 214                         goto done;
 215                 }
 216
 217                 tag = ber_peek_tag( ber, &len );
 218                 if ( tag == LBER_OCTETSTRING ) {
 219                         ber_scanf( ber, "m", &cred );
 220                 }
 221
 222                 rc = dnNormalize( 0, NULL, NULL, &bdn, &ndn, op->o_tmpmemctx );
 223                 if ( rc != LDAP_SUCCESS ) {
 224                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 225                         goto done;
 226                 }
 227         }
 228
 229         tag = ber_skip_tag( ber, &len );
 230         if ( len || tag != LBER_DEFAULT ) {
 231                 rs->sr_err = LDAP_PROTOCOL_ERROR;
 232                 goto done;
 233         }
 234
 235         if ( !BER_BVISNULL( &cookie ) ) {
 236                 vc_conn_t tmp = { 0 };
 237
 238                 AC_MEMCPY( (char *)&tmp.conn, (const char *)cookie.bv_val, cookie.bv_len );
 239                 ldap_pvt_mutex_lock( &vc_mutex );
 240                 conn = (vc_conn_t *)avl_find( vc_tree, (caddr_t)&tmp, vc_conn_cmp );
 241                 if ( conn == NULL || ( conn != NULL && conn->refcnt != 0 ) ) {
 242                         ldap_pvt_mutex_unlock( &vc_mutex );
 243                         rs->sr_err = LDAP_PROTOCOL_ERROR;
 244                         goto done;
 245                 }
 246                 conn->refcnt++;
 247                 ldap_pvt_mutex_unlock( &vc_mutex );
 248
 249         } else {
 250                 void *thrctx;
 251
 252                 conn = (vc_conn_t *)SLAP_CALLOC( 1, sizeof( vc_conn_t ) );
 253                 conn->refcnt = 1;
 254
 255                 thrctx = ldap_pvt_thread_pool_context();
 256                 connection_fake_init2( &conn->connbuf, &conn->opbuf, thrctx, 1 );
 257                 conn->op = &conn->opbuf.ob_op;
 258         }
 259
 260         conn->op->o_tag = LDAP_REQ_BIND;
 261         memset( &conn->op->oq_bind, 0, sizeof( conn->op->oq_bind ) );
 262         conn->op->o_req_dn = ndn;
 263         conn->op->o_req_ndn = ndn;
 264         conn->op->o_protocol = LDAP_VERSION3;
 265         conn->op->orb_method = authtag;
 266         conn->op->o_callback = &sc;
 267
 268         switch ( authtag ) {
 269         case LDAP_AUTH_SIMPLE:
 270                 sc.sc_response = slap_null_cb;
 271                 break;
 272
 273         case LDAP_AUTH_SASL:
 274                 conn->op->orb_mech = mechanism;
 275                 sc.sc_response = vc_exop_sasl_cb;
 276                 sc.sc_private = &sasldata;
 277                 break;
 278         }
 279         conn->op->orb_cred = cred;
 280
 281         conn->op->o_bd = frontendDB;
 282         rs->sr_err = frontendDB->be_bind( conn->op, &rs2 );
 283
 284         if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
 285                 rc = vc_create_response( conn,
 286                         !BER_BVISEMPTY( &sasldata ) ? &sasldata : NULL,
 287                         NULL, &rs->sr_rspdata );
 288
 289         } else {
 290                 rc = vc_create_response( NULL, NULL,
 291                         &conn->op->o_conn->c_dn, &rs->sr_rspdata );
 292         }
 293
 294         if ( rc != 0 ) {
 295                 rs->sr_err = LDAP_OTHER;
 296                 goto done;
 297         }
 298
 299         if ( !BER_BVISNULL( &conn->op->o_conn->c_dn ) &&
 300                 conn->op->o_conn->c_dn.bv_val != conn->op->o_conn->c_ndn.bv_val )
 301                 ber_memfree( conn->op->o_conn->c_dn.bv_val );
 302         if ( !BER_BVISNULL( &conn->op->o_conn->c_ndn ) )
 303                 ber_memfree( conn->op->o_conn->c_ndn.bv_val );
 304
 305         if ( conn->op->o_conn->c_sasl_bind_in_progress ) {
 306                 if ( conn->conn == NULL ) {
 307                         conn->conn = conn;
 308                         conn->refcnt--;
 309                         ldap_pvt_mutex_lock( &vc_mutex );
 310                         rc = avl_insert( &vc_tree, (caddr_t)conn,
 311                                 vc_conn_cmp, vc_conn_dup );
 312                         ldap_pvt_mutex_unlock( &vc_mutex );
 313                         assert( rc == 0 );
 314
 315                 } else {
 316                         ldap_pvt_mutex_lock( &vc_mutex );
 317                         conn->refcnt--;
 318                         ldap_pvt_mutex_unlock( &vc_mutex );
 319                 }
 320
 321         } else {
 322                 if ( conn->conn != NULL ) {
 323                         vc_conn_t *tmp;
 324
 325                         ldap_pvt_mutex_lock( &vc_mutex );
 326                         tmp = avl_delete( &vc_tree, (caddr_t)conn, vc_conn_cmp );
 327                         ldap_pvt_mutex_unlock( &vc_mutex );
 328                 }
 329                 SLAP_FREE( conn );
 330         }
 331
 332 done:;
 333         if ( !BER_BVISNULL( &ndn ) ) {
 334                 op->o_tmpfree( ndn.bv_val, op->o_tmpmemctx );
 335         }
 336         op->o_tmpfree( reqdata.bv_val, op->o_tmpmemctx );
 337
 338         return rs->sr_err;
 339 }
 340
 341 static int
 342 vc_initialize( void )
 343 {
 344         int rc;
 345
 346         rc = load_extop2( (struct berval *)&vc_exop_oid_bv,
 347                 SLAP_EXOP_HIDE, vc_exop, 0 );
 348         if ( rc != LDAP_SUCCESS ) {
 349                 Debug( LDAP_DEBUG_ANY,
 350                         "vc_initialize: unable to register VerifyCredentials exop: %d.\n",
 351                         rc, 0, 0 );
 352         }
 353
 354         ldap_pvt_thread_mutex_init( &vc_mutex );
 355
 356         return rc;
 357 }
 358
 359 int
 360 init_module( int argc, char *argv[] )
 361 {
 362         return vc_initialize();
 363 }
 364