From eaf3264184abb3eff83dd11f8b6546af6cffcf90 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sun, 6 Jan 2002 00:36:55 +0000 Subject: [PATCH] Add some critical control checks. --- servers/slapd/bind.c | 9 +++++ servers/slapd/controls.c | 34 ++++++++-------- servers/slapd/extended.c | 80 ++++++++++++++++++++++---------------- servers/slapd/proto-slap.h | 4 ++ 4 files changed, 77 insertions(+), 50 deletions(-) diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index b98683cf8f..cafc4d286a 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -221,6 +221,15 @@ do_bind( conn->c_protocol = version; ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + /* check for inappropriate controls */ + if( get_manageDSAit( op ) == SLAP_CRITICAL_CONTROL ) { + send_ldap_result( conn, op, + rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION, + NULL, "manageDSAit control inappropriate", + NULL, NULL ); + goto cleanup; + } + if ( method == LDAP_AUTH_SASL ) { char *edn; slap_ssf_t ssf = 0; diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c index e722b4c6c2..b5e5b9db5d 100644 --- a/servers/slapd/controls.c +++ b/servers/slapd/controls.c @@ -57,7 +57,7 @@ int get_ctrls( #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY, - "get_ctrls: conn %d\n", conn->c_connid )); + "get_ctrls: conn %d\n", conn->c_connid )); #else Debug( LDAP_DEBUG_TRACE, "=> get_ctrls\n", 0, 0, 0 ); #endif @@ -122,8 +122,8 @@ int get_ctrls( if( tag == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_INFO, - "get_ctrls: conn %d get OID failed.\n", - conn->c_connid )); + "get_ctrls: conn %d get OID failed.\n", + conn->c_connid )); #else Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get oid failed.\n", 0, 0, 0 ); @@ -144,8 +144,8 @@ int get_ctrls( if( tag == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_INFO, - "get_ctrls: conn %d get crit failed.\n", - conn->c_connid )); + "get_ctrls: conn %d get crit failed.\n", + conn->c_connid )); #else Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get crit failed.\n", 0, 0, 0 ); @@ -163,9 +163,9 @@ int get_ctrls( #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_INFO, - "get_ctrls: conn %d oid=\"%s\" (%scritical)\n", - conn->c_connid, tctrl->ldctl_oid, - tctrl->ldctl_iscritical ? "" : "non" )); + "get_ctrls: conn %d oid=\"%s\" (%scritical)\n", + conn->c_connid, tctrl->ldctl_oid, + tctrl->ldctl_iscritical ? "" : "non" )); #else Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: oid=\"%s\" (%scritical)\n", tctrl->ldctl_oid, @@ -178,7 +178,7 @@ int get_ctrls( if( tag == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_INFO, - "get_ctrls: conn %d get value failed.\n", conn->c_connid )); + "get_ctrls: conn %d get value failed.\n", conn->c_connid )); #else Debug( LDAP_DEBUG_TRACE, "=> get_ctrls: get value failed.\n", 0, 0, 0 ); @@ -205,8 +205,8 @@ int get_ctrls( return_results: #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_RESULTS, - "get_ctrls: conn %d %d %d %s\n", - conn->c_connid, nctrls, rc, errmsg ? errmsg : "" )); + "get_ctrls: conn %d %d %d %s\n", + conn->c_connid, nctrls, rc, errmsg ? errmsg : "" )); #else Debug( LDAP_DEBUG_TRACE, "<= get_ctrls: %d %d %s\n", nctrls, rc, errmsg ? errmsg : ""); @@ -229,16 +229,18 @@ int get_manageDSAit( Operation *op ) { int i; if( op == NULL || op->o_ctrls == NULL ) { - return 0; + return SLAP_NO_CONTROL; } for( i=0; op->o_ctrls[i] != NULL; i++ ) { - if( strcmp( LDAP_CONTROL_MANAGEDSAIT, op->o_ctrls[i]->ldctl_oid ) - == 0 ) + if( strcmp( LDAP_CONTROL_MANAGEDSAIT, + op->o_ctrls[i]->ldctl_oid ) == 0 ) { - return 1; + return op->o_ctrls[i]->ldctl_iscritical + ? SLAP_CRITICAL_CONTROL + : SLAP_NONCRITICAL_CONTROL; } } - return 0; + return SLAP_NO_CONTROL; } diff --git a/servers/slapd/extended.c b/servers/slapd/extended.c index dc468c046a..65a639251c 100644 --- a/servers/slapd/extended.c +++ b/servers/slapd/extended.c @@ -32,47 +32,47 @@ #include "slap.h" -#define MAX_OID_LENGTH 128 - -typedef struct extop_list_t { - struct extop_list_t *next; +static struct extop_list { + struct extop_list *next; char *oid; SLAP_EXTOP_MAIN_FN *ext_main; -} extop_list_t; - -extop_list_t *supp_ext_list = NULL; +} *supp_ext_list = NULL; /* this list of built-in extops is for extops that are not part * of backends or in external modules. essentially, this is * just a way to get built-in extops onto the extop list without * having a separate init routine for each built-in extop. */ -struct { +static struct { char *oid; SLAP_EXTOP_MAIN_FN *ext_main; } builtin_extops[] = { #ifdef HAVE_TLS - { LDAP_EXOP_START_TLS, starttls_extop }, + { LDAP_EXOP_START_TLS, starttls_extop }, #endif - { LDAP_EXOP_X_MODIFY_PASSWD, passwd_extop }, - { NULL, NULL } - }; + { LDAP_EXOP_X_MODIFY_PASSWD, passwd_extop }, + { NULL, NULL } +}; -static extop_list_t *find_extop( extop_list_t *list, char *oid ); +static struct extop_list *find_extop( + struct extop_list *list, char *oid ); char * get_supported_extop (int index) { - extop_list_t *ext; + struct extop_list *ext; /* linear scan is slow, but this way doesn't force a * big change on root_dse.c, where this routine is used. */ - for (ext = supp_ext_list; ext != NULL && --index >= 0; ext = ext->next) ; - if (ext == NULL) - return(NULL); - return(ext->oid); + for (ext = supp_ext_list; ext != NULL && --index >= 0; ext = ext->next) { + ; /* empty */ + } + + if (ext == NULL) return NULL; + + return ext->oid ; } int @@ -86,7 +86,7 @@ do_extended( struct berval *reqdata; ber_tag_t tag; ber_len_t len; - extop_list_t *ext; + struct extop_list *ext; const char *text; BVarray refs; char *rspoid; @@ -95,7 +95,7 @@ do_extended( #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_ENTRY, - "do_extended: conn %d\n", conn->c_connid )); + "do_extended: conn %d\n", conn->c_connid )); #else Debug( LDAP_DEBUG_TRACE, "do_extended\n", 0, 0, 0 ); #endif @@ -105,9 +105,11 @@ do_extended( if( op->o_protocol < LDAP_VERSION3 ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "do_extended: protocol version (%d) too low.\n", op->o_protocol )); + "do_extended: protocol version (%d) too low.\n", + op->o_protocol )); #else - Debug( LDAP_DEBUG_ANY, "do_extended: protocol version (%d) too low\n", + Debug( LDAP_DEBUG_ANY, + "do_extended: protocol version (%d) too low\n", op->o_protocol, 0 ,0 ); #endif send_ldap_disconnect( conn, op, @@ -119,7 +121,7 @@ do_extended( if ( ber_scanf( op->o_ber, "{a" /*}*/, &reqoid ) == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "do_extended: conn %d ber_scanf failed\n", conn->c_connid )); + "do_extended: conn %d ber_scanf failed\n", conn->c_connid )); #else Debug( LDAP_DEBUG_ANY, "do_extended: ber_scanf failed\n", 0, 0 ,0 ); #endif @@ -132,8 +134,8 @@ do_extended( if( !(ext = find_extop(supp_ext_list, reqoid)) ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "do_extended: conn %d unsupported operation \"%s\"\n", - conn->c_connid, reqoid )); + "do_extended: conn %d unsupported operation \"%s\"\n", + conn->c_connid, reqoid )); #else Debug( LDAP_DEBUG_ANY, "do_extended: unsupported operation \"%s\"\n", reqoid, 0 ,0 ); @@ -149,7 +151,7 @@ do_extended( if( ber_scanf( op->o_ber, "O", &reqdata ) == LBER_ERROR ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "do_extended: conn %d ber_scanf failed\n", conn->c_connid )); + "do_extended: conn %d ber_scanf failed\n", conn->c_connid )); #else Debug( LDAP_DEBUG_ANY, "do_extended: ber_scanf failed\n", 0, 0 ,0 ); #endif @@ -163,19 +165,29 @@ do_extended( if( (rc = get_ctrls( conn, op, 1 )) != LDAP_SUCCESS ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_ERR, - "do_extended: conn %d get_ctrls failed\n", conn->c_connid )); + "do_extended: conn %d get_ctrls failed\n", conn->c_connid )); #else Debug( LDAP_DEBUG_ANY, "do_extended: get_ctrls failed\n", 0, 0 ,0 ); #endif return rc; } + /* check for controls inappropriate for all extended operations */ + if( get_manageDSAit( op ) == SLAP_CRITICAL_CONTROL ) { + send_ldap_result( conn, op, + rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION, + NULL, "manageDSAit control inappropriate", + NULL, NULL ); + goto done; + } + #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_DETAIL1, - "do_extended: conn %d oid=%d\n.", conn->c_connid, reqoid )); + "do_extended: conn %d oid=%d\n.", conn->c_connid, reqoid )); #else Debug( LDAP_DEBUG_ARGS, "do_extended: oid=%s\n", reqoid, 0 ,0 ); #endif + rspoid = NULL; rspdata = NULL; rspctrls = NULL; @@ -221,12 +233,12 @@ load_extop( const char *ext_oid, SLAP_EXTOP_MAIN_FN *ext_main ) { - extop_list_t *ext; + struct extop_list *ext; if( ext_oid == NULL || *ext_oid == '\0' ) return -1; if(!ext_main) return -1; - ext = ch_calloc(1, sizeof(extop_list_t)); + ext = ch_calloc(1, sizeof(struct extop_list)); if (ext == NULL) return(-1); @@ -258,7 +270,7 @@ extops_init (void) int extops_kill (void) { - extop_list_t *ext; + struct extop_list *ext; /* we allocated the memory, so we have to free it, too. */ while ((ext = supp_ext_list) != NULL) { @@ -270,10 +282,10 @@ extops_kill (void) return(0); } -static extop_list_t * -find_extop( extop_list_t *list, char *oid ) +static struct extop_list * +find_extop( struct extop_list *list, char *oid ) { - extop_list_t *ext; + struct extop_list *ext; for (ext = list; ext; ext = ext->next) { if (strcmp(ext->oid, oid) == 0) diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index b5bc64d572..35d31fc2d0 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -287,6 +287,10 @@ LDAP_SLAPD_F (char *) slap_strcopy LDAP_P(( /* * controls.c */ +#define SLAP_NO_CONTROL 0 +#define SLAP_NONCRITICAL_CONTROL 1 +#define SLAP_CRITICAL_CONTROL 2 + LDAP_SLAPD_F (int) get_ctrls LDAP_P(( Connection *co, Operation *op, -- 2.39.5