1*549b59edSchristos /* $NetBSD: vc.c,v 1.2 2021/08/14 16:14:56 christos Exp $ */
2e670fd5cSchristos
3e670fd5cSchristos /* $OpenLDAP$ */
4e670fd5cSchristos /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5e670fd5cSchristos *
6e670fd5cSchristos * Copyright 1998-2021 The OpenLDAP Foundation.
7e670fd5cSchristos * All rights reserved.
8e670fd5cSchristos *
9e670fd5cSchristos * Redistribution and use in source and binary forms, with or without
10e670fd5cSchristos * modification, are permitted only as authorized by the OpenLDAP
11e670fd5cSchristos * Public License.
12e670fd5cSchristos *
13e670fd5cSchristos * A copy of this license is available in the file LICENSE in the
14e670fd5cSchristos * top-level directory of the distribution or, alternatively, at
15e670fd5cSchristos * <http://www.OpenLDAP.org/license.html>.
16e670fd5cSchristos */
17e670fd5cSchristos /* ACKNOWLEDGEMENTS:
18e670fd5cSchristos * This program was originally developed by Kurt D. Zeilenga for inclusion in
19e670fd5cSchristos * OpenLDAP Software.
20e670fd5cSchristos */
21e670fd5cSchristos
22e670fd5cSchristos #include <sys/cdefs.h>
23*549b59edSchristos __RCSID("$NetBSD: vc.c,v 1.2 2021/08/14 16:14:56 christos Exp $");
24e670fd5cSchristos
25e670fd5cSchristos #include "portable.h"
26e670fd5cSchristos
27e670fd5cSchristos #include <stdio.h>
28e670fd5cSchristos #include <ac/stdlib.h>
29e670fd5cSchristos #include <ac/string.h>
30e670fd5cSchristos #include <ac/time.h>
31e670fd5cSchristos
32e670fd5cSchristos #include "ldap-int.h"
33e670fd5cSchristos
/*
 * LDAP Verify Credentials operation
 *
 * The request is an extended request with OID 1.3.6.1.4.1.4203.666.6.5 with value of
 * the BER encoding of:
 *
 * VCRequest ::= SEQUENCE {
 *     cookie          [0] OCTET STRING OPTIONAL,
 *     name            LDAPDN,
 *     authentication  AuthenticationChoice,
 *     controls        [2] Controls OPTIONAL
 * }
 *
 * where LDAPDN, AuthenticationChoice, and Controls are as defined in RFC 4511.
 *
 * The response is an extended response with no OID and a value of the BER encoding of
 *
 * VCResponse ::= SEQUENCE {
 *     resultCode         ResultCode,
 *     diagnosticMessage  LDAPString,
 *     cookie             [0] OCTET STRING OPTIONAL,
 *     serverSaslCreds    [1] OCTET STRING OPTIONAL,
 *     controls           [2] Controls OPTIONAL
 * }
 *
 * where ResultCode is the result code enumeration from RFC 4511, and LDAPString and Controls are as
 * defined in RFC 4511.
 */
62e670fd5cSchristos
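/*
 * Decode the [2] Controls element of a VCResponse into a NULL-terminated
 * array of LDAPControl stored in *ctrls.
 *
 * ber   - positioned at the tagged Controls sequence
 * ctrls - receives the array; caller frees it with ldap_controls_free()
 *
 * Returns LDAP_SUCCESS, LDAP_NO_MEMORY or LDAP_DECODING_ERROR.  On any
 * failure the partially built array is released and *ctrls is NULL.
 */
static int
ldap_vc_get_controls( BerElement *ber, LDAPControl ***ctrls )
{
	int nctrls = 0;
	ber_tag_t tag;
	ber_len_t len;
	char *opaque;

	*ctrls = LDAP_MALLOC( 1 * sizeof(LDAPControl *) );
	if ( *ctrls == NULL ) {
		return LDAP_NO_MEMORY;
	}
	(*ctrls)[0] = NULL;

	for ( tag = ber_first_element( ber, &len, &opaque );
		tag != LBER_ERROR;
		tag = ber_next_element( ber, &len, opaque ) )
	{
		LDAPControl *tctrl = LDAP_CALLOC( 1, sizeof(LDAPControl) );
		LDAPControl **tctrls;

		/* room for the existing controls + this one + terminating NULL */
		tctrls = tctrl ? LDAP_REALLOC( *ctrls, (nctrls + 2) * sizeof(LDAPControl *) ) : NULL;
		if ( tctrls == NULL ) {
			/* *ctrls is still the old, valid array when realloc fails */
			if ( tctrl ) LDAP_FREE( tctrl );
			ldap_controls_free( *ctrls );
			*ctrls = NULL;
			return LDAP_NO_MEMORY;
		}
		*ctrls = tctrls;
		tctrls[nctrls++] = tctrl;
		tctrls[nctrls] = NULL;

		/* controlType; the closing "}" is not scanned because the
		 * remaining elements are optional and are peeked for below */
		if ( ber_scanf( ber, "{a" /*"}"*/, &tctrl->ldctl_oid ) == LBER_ERROR ) {
			goto decoding_error;
		}

		tag = ber_peek_tag( ber, &len );
		if ( tag == LBER_BOOLEAN ) {
			ber_int_t crit;
			if ( ber_scanf( ber, "b", &crit ) == LBER_ERROR ) {
				goto decoding_error;
			}
			/* BER TRUE (non-zero) marks the control critical.  RFC 4511
			 * gives criticality no meaning in a response, so this is
			 * informational for the caller only. */
			tctrl->ldctl_iscritical = crit ? (char) ~0 : (char) 0;
			tag = ber_peek_tag( ber, &len );
		}

		if ( tag == LBER_OCTETSTRING ) {
			if ( ber_scanf( ber, "o", &tctrl->ldctl_value ) == LBER_ERROR ) {
				goto decoding_error;
			}
		} else {
			BER_BVZERO( &tctrl->ldctl_value );
		}
	}

	return LDAP_SUCCESS;

decoding_error:
	ldap_controls_free( *ctrls );
	*ctrls = NULL;
	return LDAP_DECODING_ERROR;
}

/*
 * Parse the response to an LDAP Verify Credentials extended operation
 * (see the VCResponse ASN.1 at the top of this file).
 *
 * ld      - valid LDAP handle; ld->ld_errno is set on failure
 * res     - the extended response message; not freed here
 * code    - receives the VCResponse resultCode
 * diagmsg - receives a NUL-terminated copy of diagnosticMessage,
 *           allocated with LDAP_MALLOC (free with ldap_memfree())
 * cookie  - receives the [0] cookie as an allocated berval
 *           (free with ber_bvfree()); NULL to discard the element
 * screds  - receives the [1] serverSaslCreds likewise; NULL to discard
 * ctrls   - receives the [2] Controls as a NULL-terminated array
 *           (free with ldap_controls_free()); NULL to discard
 *
 * An output is only written when its element is present in the
 * response; absent optional elements leave the caller's variables
 * untouched, so callers should initialise them to NULL.  If decoding
 * fails after some output was already allocated, that output is
 * released and its pointer reset to NULL.
 *
 * Returns LDAP_SUCCESS, LDAP_NO_MEMORY, LDAP_DECODING_ERROR, or the
 * error reported by ldap_parse_extended_result().
 */
int ldap_parse_verify_credentials(
	LDAP *ld,
	LDAPMessage *res,
	int * code,
	char ** diagmsg,
	struct berval **cookie,
	struct berval **screds,
	LDAPControl ***ctrls)
{
	int rc;
	char *retoid = NULL;
	struct berval *retdata = NULL;

	assert(ld != NULL);
	assert(LDAP_VALID(ld));
	assert(res != NULL);
	assert(code != NULL);
	assert(diagmsg != NULL);

	rc = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);

	if( rc != LDAP_SUCCESS ) {
		ldap_perror(ld, "ldap_parse_verify_credentials");
		return rc;
	}

	if (retdata) {
		ber_tag_t tag;
		ber_len_t len;
		ber_int_t i;
		BerElement *ber = ber_init(retdata);
		struct berval diagmsg_bv = BER_BVNULL;
		/* outputs allocated by this call, released again if a later
		 * element fails to decode */
		int have_diag = 0, have_cookie = 0, have_screds = 0;

		if (!ber) {
			rc = ld->ld_errno = LDAP_NO_MEMORY;
			goto done;
		}

		rc = LDAP_DECODING_ERROR;

		/* "m" makes diagmsg_bv point into ber's buffer, hence the copy
		 * below.  The closing "}" is deliberately not scanned: the
		 * optional tagged elements are peeked for one at a time. */
		if (ber_scanf(ber, "{im" /*"}"*/, &i, &diagmsg_bv) == LBER_ERROR) {
			goto ber_done;
		}
		if ( diagmsg != NULL ) {
			*diagmsg = LDAP_MALLOC( diagmsg_bv.bv_len + 1 );
			if ( *diagmsg == NULL ) {
				/* the original copied into NULL on allocation failure */
				rc = LDAP_NO_MEMORY;
				goto ber_done;
			}
			AC_MEMCPY( *diagmsg, diagmsg_bv.bv_val, diagmsg_bv.bv_len );
			(*diagmsg)[diagmsg_bv.bv_len] = '\0';
			have_diag = 1;
		}
		*code = i;

		tag = ber_peek_tag(ber, &len);
		if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE) {
			/* "x" skips the element when the caller did not ask for it,
			 * instead of writing through a NULL output pointer */
			tag = cookie ? ber_scanf(ber, "O", cookie) : ber_scanf(ber, "x");
			if (tag == LBER_ERROR)
				goto ber_done;
			have_cookie = (cookie != NULL);
			tag = ber_peek_tag(ber, &len);
		}

		if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_SCREDS) {
			tag = screds ? ber_scanf(ber, "O", screds) : ber_scanf(ber, "x");
			if (tag == LBER_ERROR)
				goto ber_done;
			have_screds = (screds != NULL);
			tag = ber_peek_tag(ber, &len);
		}

		if (tag == LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS) {
			if (ctrls == NULL) {
				if (ber_scanf(ber, "x") == LBER_ERROR)
					goto ber_done;
			} else {
				rc = ldap_vc_get_controls(ber, ctrls);
				if (rc != LDAP_SUCCESS)
					goto ber_done;
			}
		}

		rc = LDAP_SUCCESS;

ber_done:
		if (rc != LDAP_SUCCESS) {
			/* do not hand partially decoded heap objects back to the caller */
			if (have_diag) {
				LDAP_FREE(*diagmsg);
				*diagmsg = NULL;
			}
			if (have_cookie) {
				ber_bvfree(*cookie);
				*cookie = NULL;
			}
			if (have_screds) {
				ber_bvfree(*screds);
				*screds = NULL;
			}
			ld->ld_errno = rc;
		}
		ber_free(ber, 1);
	}

done:
	ber_bvfree(retdata);
	ber_memfree(retoid);
	return rc;
}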
200e670fd5cSchristos
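/*
 * Send an LDAP Verify Credentials extended request (asynchronous).
 *
 * ld        - valid LDAP handle; ld->ld_errno is set on failure
 * cookie    - continuation cookie from a previous VCResponse, or NULL;
 *             must be NULL for simple authentication
 * dn        - the name to verify; NULL is sent as the empty DN
 * mechanism - LDAP_SASL_SIMPLE (NULL) for simple authentication, else
 *             the SASL mechanism name
 * cred      - the simple password, or the SASL client response
 *             (NULL or an empty berval sends no credentials)
 * vcctrls   - controls carried inside the VCRequest ([2] Controls),
 *             or NULL
 * sctrls    - server controls for the extended request itself
 * cctrls    - client controls
 * msgidp    - receives the message id to pass to ldap_result()
 *
 * Returns LDAP_SUCCESS or an LDAP error code: LDAP_NO_MEMORY if the
 * request element cannot be allocated, LDAP_ENCODING_ERROR if any part
 * of the request fails to encode, or whatever ldap_extended_operation()
 * returns.
 */
int
ldap_verify_credentials(LDAP *ld,
	struct berval *cookie,
	LDAP_CONST char *dn,
	LDAP_CONST char *mechanism,
	struct berval *cred,
	LDAPControl **vcctrls,
	LDAPControl **sctrls,
	LDAPControl **cctrls,
	int *msgidp)
{
	int rc;
	BerElement *ber;
	struct berval reqdata;

	assert(ld != NULL);
	assert(LDAP_VALID(ld));
	assert(msgidp != NULL);

	ber = ber_alloc_t(LBER_USE_DER);
	if (ber == NULL) {
		/* ber_printf() below must not be handed a NULL element */
		return ld->ld_errno = LDAP_NO_MEMORY;
	}
	if (dn == NULL) dn = "";

	/* Encode VCRequest up to and including authentication.  The outer
	 * SEQUENCE is left open here and closed after the optional controls. */
	if (mechanism == LDAP_SASL_SIMPLE) {
		/* a cookie only makes sense for a multi-step SASL exchange */
		assert(!cookie);

		rc = ber_printf(ber, "{stO" /*"}"*/,
			dn, LDAP_AUTH_SIMPLE, cred);

	} else {
		if (!cred || BER_BVISNULL(cred)) {
			if (cookie) {
				rc = ber_printf(ber, "{tOst{sN}" /*"}"*/,
					LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, cookie,
					dn, LDAP_AUTH_SASL, mechanism);
			} else {
				rc = ber_printf(ber, "{st{sN}N" /*"}"*/,
					dn, LDAP_AUTH_SASL, mechanism);
			}
		} else {
			if (cookie) {
				rc = ber_printf(ber, "{tOst{sON}" /*"}"*/,
					LDAP_TAG_EXOP_VERIFY_CREDENTIALS_COOKIE, cookie,
					dn, LDAP_AUTH_SASL, mechanism, cred);
			} else {
				rc = ber_printf(ber, "{st{sON}" /*"}"*/,
					dn, LDAP_AUTH_SASL, mechanism, cred);
			}
		}
	}

	if (rc < 0) {
		rc = ld->ld_errno = LDAP_ENCODING_ERROR;
		goto done;
	}

	if (vcctrls && *vcctrls) {
		LDAPControl *const *c;

		rc = ber_printf(ber, "t{" /*"}"*/, LDAP_TAG_EXOP_VERIFY_CREDENTIALS_CONTROLS);
		if (rc < 0) {
			/* previously unchecked; the loop below would have masked it */
			rc = ld->ld_errno = LDAP_ENCODING_ERROR;
			goto done;
		}

		for (c=vcctrls; *c; c++) {
			rc = ldap_pvt_put_control(*c, ber);
			if (rc != LDAP_SUCCESS) {
				rc = ld->ld_errno = LDAP_ENCODING_ERROR;
				goto done;
			}
		}

		/* close the Controls sequence and the VCRequest */
		rc = ber_printf(ber, /*"{{"*/ "}N}");

	} else {
		/* close the VCRequest */
		rc = ber_printf(ber, /*"{"*/ "N}");
	}

	if (rc < 0) {
		rc = ld->ld_errno = LDAP_ENCODING_ERROR;
		goto done;
	}

	/* alloc=0: reqdata points into ber's own buffer, which stays valid
	 * until ber_free() at done; ldap_extended_operation() is expected to
	 * encode it into its own request before returning */
	rc = ber_flatten2(ber, &reqdata, 0);
	if (rc < 0) {
		rc = ld->ld_errno = LDAP_ENCODING_ERROR;
		goto done;
	}

	rc = ldap_extended_operation(ld, LDAP_EXOP_VERIFY_CREDENTIALS,
		&reqdata, sctrls, cctrls, msgidp);

done:
	ber_free(ber, 1);
	return rc;
}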
294e670fd5cSchristos
/*
 * Synchronous LDAP Verify Credentials: sends the request, waits for the
 * complete response and parses it.
 *
 * Request parameters (cookie, dn, mechanism, cred, vcictrls, sctrls,
 * cctrls) are as for ldap_verify_credentials(); the response outputs
 * (rcode, diagmsg, scookie, scred, vcoctrls) are as for
 * ldap_parse_verify_credentials(), including its ownership rules.
 *
 * Returns the result code of the extended response itself when the
 * VCResponse value was parsed successfully; the VCResponse's own result
 * code is delivered through *rcode.  Otherwise returns the error from
 * sending, waiting for, or parsing the response.
 */
int
ldap_verify_credentials_s(
	LDAP *ld,
	struct berval *cookie,
	LDAP_CONST char *dn,
	LDAP_CONST char *mechanism,
	struct berval *cred,
	LDAPControl **vcictrls,
	LDAPControl **sctrls,
	LDAPControl **cctrls,
	int *rcode,
	char **diagmsg,
	struct berval **scookie,
	struct berval **scred,
	LDAPControl ***vcoctrls)
{
	int msgid;
	LDAPMessage *res;
	int rc = ldap_verify_credentials(ld, cookie, dn, mechanism, cred,
		vcictrls, sctrls, cctrls, &msgid);

	if (rc != LDAP_SUCCESS) {
		return rc;
	}

	/* no timeout: block until the whole response has arrived */
	if (ldap_result(ld, msgid, LDAP_MSG_ALL, NULL, &res) == -1 || res == NULL) {
		return ld->ld_errno;
	}

	rc = ldap_parse_verify_credentials(ld, res, rcode, diagmsg,
		scookie, scred, vcoctrls);
	if (rc == LDAP_SUCCESS) {
		/* freeit=1: ldap_result2error() releases res for us */
		return ldap_result2error(ld, res, 1);
	}

	ldap_msgfree(res);
	return rc;
}
330e670fd5cSchristos
331e670fd5cSchristos #ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
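/*
 * Interactive (SASL) form of Verify Credentials.  Not implemented: any
 * real call fails with LDAP_NOT_SUPPORTED.  The only supported use is
 * the dispose special case: called with ld == NULL and only `context`
 * set, it releases the SASL context from an earlier exchange so that a
 * separate dispose API need not be exposed.
 *
 * Only compiled when LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE is
 * defined; the parameter list is otherwise never seen by the compiler.
 */
int
ldap_verify_credentials_interactive (
	LDAP *ld,
	LDAP_CONST char *dn, /* usually NULL */
	LDAP_CONST char *mech,
	LDAPControl **vcControls,
	LDAPControl **serverControls,
	LDAPControl **clientControls,

	/* should be client controls */
	unsigned flags,
	LDAP_SASL_INTERACT_PROC *proc,
	void *defaults,
	void *context, /* was terminated with ';', which does not parse */

	/* as obtained from ldap_result() */
	LDAPMessage *result,

	/* returned during bind processing */
	const char **rmech,
	int *msgid )
{
	if (!ld && context) {
		/* NOTE(review): assumes `context` holds the sasl_conn_t * handed
		 * out during bind processing — confirm against the caller.
		 * sasl_dispose() takes the address of the connection pointer
		 * and clears it; the old cast to a bare sasl_conn_t could not
		 * compile. */
		sasl_conn_t *conn = context;

		/* dispose-only call: nothing else may be supplied */
		assert(!dn);
		assert(!mech);
		assert(!vcControls);
		assert(!serverControls);
		assert(!defaults);
		assert(!result);
		assert(!rmech);
		assert(!msgid);

		/* special case to avoid having to expose a separate dispose context API */
		sasl_dispose(&conn);
		return LDAP_SUCCESS;
	}

	/* every other call needs a handle to report the error on */
	assert(ld != NULL);

	ld->ld_errno = LDAP_NOT_SUPPORTED;
	return ld->ld_errno;
}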
372e670fd5cSchristos #endif